Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe
-
Size
456KB
-
MD5
ce616d0e95f6bf127c2030a012fb9917
-
SHA1
bab75147e55fbe6770809b9649f6d7011b31425a
-
SHA256
53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c
-
SHA512
bc08ffd51ae34657d972edfc0287e7db058b66f58874b1275723721865c3f9ae990a3c3daa88012b76acf2d72bb5c55683f6fe4863dd3925749e94a59d23a96c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2784-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1096-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/664-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-238-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1692-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-427-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/332-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-530-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1228-537-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1832-550-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/892-558-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2812-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-600-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2784 1dpjp.exe 2008 vvjpv.exe 2384 thhnnt.exe 2736 ffflrrf.exe 1312 tnhhnn.exe 2592 1vvjj.exe 2196 rxfrrrx.exe 1096 bthhhh.exe 2648 fxrxlrr.exe 2104 1jppp.exe 620 nhttbb.exe 344 xxrfxfr.exe 1684 flflfrl.exe 1304 dvvdj.exe 2888 3rrxxfr.exe 536 pppvd.exe 1028 lrlxffr.exe 2184 jjdpj.exe 1720 xxrrxxf.exe 2444 7htbnt.exe 444 5ppvv.exe 2424 tbbhnt.exe 1372 dddjj.exe 1716 hhbhbh.exe 640 dvdjj.exe 664 ffffrrx.exe 1224 9nhhnh.exe 688 nnbthh.exe 2452 1pjjp.exe 1944 lrxxxfl.exe 2416 nhtbhh.exe 2120 1vjpv.exe 1692 9frrxxf.exe 2920 ppppd.exe 2916 vppvj.exe 2828 lflllfr.exe 888 tnhhnt.exe 2560 ppjpv.exe 1312 xxrrffr.exe 2020 3fxflrx.exe 3056 nhtbhb.exe 3012 jvjvd.exe 2396 xrflffx.exe 1152 nhhhhh.exe 1664 ttnthh.exe 2044 vvpvd.exe 308 xxxxffr.exe 2868 rlflrxl.exe 2764 1bnnbt.exe 1484 9pppd.exe 2652 fxxflrf.exe 2004 9thhnt.exe 332 btthbn.exe 2280 jjjvp.exe 2180 fxxlrrx.exe 2924 ntthtb.exe 1984 nhhnbn.exe 408 ppddj.exe 2364 rlllxfr.exe 1968 3nhhnn.exe 1604 dvpvj.exe 1864 7jdjd.exe 1716 lrxlrlx.exe 1228 nhtbhn.exe -
resource yara_rule behavioral1/memory/2784-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-74-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1096-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-242-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/640-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-723-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfxxrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 2784 2144 53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe 30 PID 2144 wrote to memory of 2784 2144 53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe 30 PID 2144 wrote to memory of 2784 2144 53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe 30 PID 2144 wrote to memory of 2784 2144 53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe 30 PID 2784 wrote to memory of 2008 2784 1dpjp.exe 31 PID 2784 wrote to memory of 2008 2784 1dpjp.exe 31 PID 2784 wrote to memory of 2008 2784 1dpjp.exe 31 PID 2784 wrote to memory of 2008 2784 1dpjp.exe 31 PID 2008 wrote to memory of 2384 2008 vvjpv.exe 32 PID 2008 wrote to memory of 2384 2008 vvjpv.exe 32 PID 2008 wrote to memory of 2384 2008 vvjpv.exe 32 PID 2008 wrote to memory of 2384 2008 vvjpv.exe 32 PID 2384 wrote to memory of 2736 2384 thhnnt.exe 33 PID 2384 wrote to memory of 2736 2384 thhnnt.exe 33 PID 2384 wrote to memory of 2736 2384 thhnnt.exe 33 PID 2384 wrote to memory of 2736 2384 thhnnt.exe 33 PID 2736 wrote to memory of 1312 2736 ffflrrf.exe 34 PID 2736 wrote to memory of 1312 2736 ffflrrf.exe 34 PID 2736 wrote to memory of 1312 2736 ffflrrf.exe 34 PID 2736 wrote to memory of 1312 2736 ffflrrf.exe 34 PID 1312 wrote to memory of 2592 1312 tnhhnn.exe 35 PID 1312 wrote to memory of 2592 1312 tnhhnn.exe 35 PID 1312 wrote to memory of 2592 1312 tnhhnn.exe 35 PID 1312 wrote to memory of 2592 1312 tnhhnn.exe 35 PID 2592 wrote to memory of 2196 2592 1vvjj.exe 36 PID 2592 wrote to memory of 2196 2592 1vvjj.exe 36 PID 2592 wrote to memory of 2196 2592 1vvjj.exe 36 PID 2592 wrote to memory of 2196 2592 1vvjj.exe 36 PID 2196 wrote to memory of 1096 2196 rxfrrrx.exe 37 PID 2196 wrote to memory of 1096 2196 rxfrrrx.exe 37 PID 2196 wrote to memory of 1096 2196 rxfrrrx.exe 37 PID 2196 wrote to memory of 1096 2196 rxfrrrx.exe 37 PID 1096 wrote to memory of 2648 1096 bthhhh.exe 38 PID 1096 wrote to 
memory of 2648 1096 bthhhh.exe 38 PID 1096 wrote to memory of 2648 1096 bthhhh.exe 38 PID 1096 wrote to memory of 2648 1096 bthhhh.exe 38 PID 2648 wrote to memory of 2104 2648 fxrxlrr.exe 39 PID 2648 wrote to memory of 2104 2648 fxrxlrr.exe 39 PID 2648 wrote to memory of 2104 2648 fxrxlrr.exe 39 PID 2648 wrote to memory of 2104 2648 fxrxlrr.exe 39 PID 2104 wrote to memory of 620 2104 1jppp.exe 40 PID 2104 wrote to memory of 620 2104 1jppp.exe 40 PID 2104 wrote to memory of 620 2104 1jppp.exe 40 PID 2104 wrote to memory of 620 2104 1jppp.exe 40 PID 620 wrote to memory of 344 620 nhttbb.exe 41 PID 620 wrote to memory of 344 620 nhttbb.exe 41 PID 620 wrote to memory of 344 620 nhttbb.exe 41 PID 620 wrote to memory of 344 620 nhttbb.exe 41 PID 344 wrote to memory of 1684 344 xxrfxfr.exe 42 PID 344 wrote to memory of 1684 344 xxrfxfr.exe 42 PID 344 wrote to memory of 1684 344 xxrfxfr.exe 42 PID 344 wrote to memory of 1684 344 xxrfxfr.exe 42 PID 1684 wrote to memory of 1304 1684 flflfrl.exe 43 PID 1684 wrote to memory of 1304 1684 flflfrl.exe 43 PID 1684 wrote to memory of 1304 1684 flflfrl.exe 43 PID 1684 wrote to memory of 1304 1684 flflfrl.exe 43 PID 1304 wrote to memory of 2888 1304 dvvdj.exe 44 PID 1304 wrote to memory of 2888 1304 dvvdj.exe 44 PID 1304 wrote to memory of 2888 1304 dvvdj.exe 44 PID 1304 wrote to memory of 2888 1304 dvvdj.exe 44 PID 2888 wrote to memory of 536 2888 3rrxxfr.exe 45 PID 2888 wrote to memory of 536 2888 3rrxxfr.exe 45 PID 2888 wrote to memory of 536 2888 3rrxxfr.exe 45 PID 2888 wrote to memory of 536 2888 3rrxxfr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe"C:\Users\Admin\AppData\Local\Temp\53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\1dpjp.exec:\1dpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\vvjpv.exec:\vvjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\thhnnt.exec:\thhnnt.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\ffflrrf.exec:\ffflrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\tnhhnn.exec:\tnhhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\1vvjj.exec:\1vvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\rxfrrrx.exec:\rxfrrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\bthhhh.exec:\bthhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\fxrxlrr.exec:\fxrxlrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\1jppp.exec:\1jppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\nhttbb.exec:\nhttbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\xxrfxfr.exec:\xxrfxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
\??\c:\flflfrl.exec:\flflfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\dvvdj.exec:\dvvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\3rrxxfr.exec:\3rrxxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\pppvd.exec:\pppvd.exe17⤵
- Executes dropped EXE
PID:536 -
\??\c:\lrlxffr.exec:\lrlxffr.exe18⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jjdpj.exec:\jjdpj.exe19⤵
- Executes dropped EXE
PID:2184 -
\??\c:\xxrrxxf.exec:\xxrrxxf.exe20⤵
- Executes dropped EXE
PID:1720 -
\??\c:\7htbnt.exec:\7htbnt.exe21⤵
- Executes dropped EXE
PID:2444 -
\??\c:\5ppvv.exec:\5ppvv.exe22⤵
- Executes dropped EXE
PID:444 -
\??\c:\tbbhnt.exec:\tbbhnt.exe23⤵
- Executes dropped EXE
PID:2424 -
\??\c:\dddjj.exec:\dddjj.exe24⤵
- Executes dropped EXE
PID:1372 -
\??\c:\hhbhbh.exec:\hhbhbh.exe25⤵
- Executes dropped EXE
PID:1716 -
\??\c:\dvdjj.exec:\dvdjj.exe26⤵
- Executes dropped EXE
PID:640 -
\??\c:\ffffrrx.exec:\ffffrrx.exe27⤵
- Executes dropped EXE
PID:664 -
\??\c:\9nhhnh.exec:\9nhhnh.exe28⤵
- Executes dropped EXE
PID:1224 -
\??\c:\nnbthh.exec:\nnbthh.exe29⤵
- Executes dropped EXE
PID:688 -
\??\c:\1pjjp.exec:\1pjjp.exe30⤵
- Executes dropped EXE
PID:2452 -
\??\c:\lrxxxfl.exec:\lrxxxfl.exe31⤵
- Executes dropped EXE
PID:1944 -
\??\c:\nhtbhh.exec:\nhtbhh.exe32⤵
- Executes dropped EXE
PID:2416 -
\??\c:\1vjpv.exec:\1vjpv.exe33⤵
- Executes dropped EXE
PID:2120 -
\??\c:\9frrxxf.exec:\9frrxxf.exe34⤵
- Executes dropped EXE
PID:1692 -
\??\c:\ppppd.exec:\ppppd.exe35⤵
- Executes dropped EXE
PID:2920 -
\??\c:\vppvj.exec:\vppvj.exe36⤵
- Executes dropped EXE
PID:2916 -
\??\c:\lflllfr.exec:\lflllfr.exe37⤵
- Executes dropped EXE
PID:2828 -
\??\c:\tnhhnt.exec:\tnhhnt.exe38⤵
- Executes dropped EXE
PID:888 -
\??\c:\ppjpv.exec:\ppjpv.exe39⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xxrrffr.exec:\xxrrffr.exe40⤵
- Executes dropped EXE
PID:1312 -
\??\c:\3fxflrx.exec:\3fxflrx.exe41⤵
- Executes dropped EXE
PID:2020 -
\??\c:\nhtbhb.exec:\nhtbhb.exe42⤵
- Executes dropped EXE
PID:3056 -
\??\c:\jvjvd.exec:\jvjvd.exe43⤵
- Executes dropped EXE
PID:3012 -
\??\c:\xrflffx.exec:\xrflffx.exe44⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nhhhhh.exec:\nhhhhh.exe45⤵
- Executes dropped EXE
PID:1152 -
\??\c:\ttnthh.exec:\ttnthh.exe46⤵
- Executes dropped EXE
PID:1664 -
\??\c:\vvpvd.exec:\vvpvd.exe47⤵
- Executes dropped EXE
PID:2044 -
\??\c:\xxxxffr.exec:\xxxxffr.exe48⤵
- Executes dropped EXE
PID:308 -
\??\c:\rlflrxl.exec:\rlflrxl.exe49⤵
- Executes dropped EXE
PID:2868 -
\??\c:\1bnnbt.exec:\1bnnbt.exe50⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9pppd.exec:\9pppd.exe51⤵
- Executes dropped EXE
PID:1484 -
\??\c:\fxxflrf.exec:\fxxflrf.exe52⤵
- Executes dropped EXE
PID:2652 -
\??\c:\9thhnt.exec:\9thhnt.exe53⤵
- Executes dropped EXE
PID:2004 -
\??\c:\btthbn.exec:\btthbn.exe54⤵
- Executes dropped EXE
PID:332 -
\??\c:\jjjvp.exec:\jjjvp.exe55⤵
- Executes dropped EXE
PID:2280 -
\??\c:\fxxlrrx.exec:\fxxlrrx.exe56⤵
- Executes dropped EXE
PID:2180 -
\??\c:\ntthtb.exec:\ntthtb.exe57⤵
- Executes dropped EXE
PID:2924 -
\??\c:\nhhnbn.exec:\nhhnbn.exe58⤵
- Executes dropped EXE
PID:1984 -
\??\c:\ppddj.exec:\ppddj.exe59⤵
- Executes dropped EXE
PID:408 -
\??\c:\rlllxfr.exec:\rlllxfr.exe60⤵
- Executes dropped EXE
PID:2364 -
\??\c:\3nhhnn.exec:\3nhhnn.exe61⤵
- Executes dropped EXE
PID:1968 -
\??\c:\dvpvj.exec:\dvpvj.exe62⤵
- Executes dropped EXE
PID:1604 -
\??\c:\7jdjd.exec:\7jdjd.exe63⤵
- Executes dropped EXE
PID:1864 -
\??\c:\lrxlrlx.exec:\lrxlrlx.exe64⤵
- Executes dropped EXE
PID:1716 -
\??\c:\nhtbhn.exec:\nhtbhn.exe65⤵
- Executes dropped EXE
PID:1228 -
\??\c:\jjdjd.exec:\jjdjd.exe66⤵PID:2964
-
\??\c:\ffffrrx.exec:\ffffrrx.exe67⤵PID:1440
-
\??\c:\fxxrflr.exec:\fxxrflr.exe68⤵PID:2388
-
\??\c:\bnnttn.exec:\bnnttn.exe69⤵PID:2944
-
\??\c:\jdvpv.exec:\jdvpv.exe70⤵PID:1832
-
\??\c:\9rlfllx.exec:\9rlfllx.exe71⤵PID:892
-
\??\c:\xxxflrf.exec:\xxxflrf.exe72⤵PID:3048
-
\??\c:\vvpdj.exec:\vvpdj.exe73⤵PID:2812
-
\??\c:\pjvdj.exec:\pjvdj.exe74⤵
- System Location Discovery: System Language Discovery
PID:1592 -
\??\c:\fxllxxf.exec:\fxllxxf.exe75⤵PID:2680
-
\??\c:\nnhthn.exec:\nnhthn.exe76⤵PID:2052
-
\??\c:\vpjpd.exec:\vpjpd.exe77⤵PID:2136
-
\??\c:\jvpjp.exec:\jvpjp.exe78⤵PID:2664
-
\??\c:\7hbbnt.exec:\7hbbnt.exe79⤵PID:2580
-
\??\c:\3tbnth.exec:\3tbnth.exe80⤵PID:2592
-
\??\c:\jjdpd.exec:\jjdpd.exe81⤵PID:3024
-
\??\c:\xrxxxll.exec:\xrxxxll.exe82⤵PID:2900
-
\??\c:\9bttnb.exec:\9bttnb.exe83⤵PID:2220
-
\??\c:\7tbhth.exec:\7tbhth.exe84⤵PID:2204
-
\??\c:\jjpdv.exec:\jjpdv.exe85⤵PID:1648
-
\??\c:\vvpvd.exec:\vvpvd.exe86⤵PID:236
-
\??\c:\lfxrflx.exec:\lfxrflx.exe87⤵PID:1664
-
\??\c:\nbtbnt.exec:\nbtbnt.exe88⤵PID:984
-
\??\c:\dddjj.exec:\dddjj.exe89⤵PID:484
-
\??\c:\jjvdj.exec:\jjvdj.exe90⤵PID:1700
-
\??\c:\llfxflx.exec:\llfxflx.exe91⤵PID:496
-
\??\c:\1bhbbh.exec:\1bhbbh.exe92⤵PID:2760
-
\??\c:\3pjpd.exec:\3pjpd.exe93⤵PID:592
-
\??\c:\djdjd.exec:\djdjd.exe94⤵PID:1936
-
\??\c:\rlrxxlr.exec:\rlrxxlr.exe95⤵PID:1028
-
\??\c:\tnhhnn.exec:\tnhhnn.exe96⤵PID:2172
-
\??\c:\vvpjp.exec:\vvpjp.exe97⤵PID:2924
-
\??\c:\3rrfllr.exec:\3rrfllr.exe98⤵PID:1076
-
\??\c:\fxrxflr.exec:\fxrxflr.exe99⤵PID:2316
-
\??\c:\9bnbnt.exec:\9bnbnt.exe100⤵PID:1084
-
\??\c:\jdvdv.exec:\jdvdv.exe101⤵PID:1960
-
\??\c:\jjvvj.exec:\jjvvj.exe102⤵PID:1372
-
\??\c:\frxlrfx.exec:\frxlrfx.exe103⤵PID:2436
-
\??\c:\nnhntb.exec:\nnhntb.exe104⤵PID:1740
-
\??\c:\vpdjv.exec:\vpdjv.exe105⤵PID:1756
-
\??\c:\1lxfllx.exec:\1lxfllx.exe106⤵PID:1816
-
\??\c:\thnnbb.exec:\thnnbb.exe107⤵PID:1784
-
\??\c:\hhbbhn.exec:\hhbbhn.exe108⤵PID:2236
-
\??\c:\jdjpp.exec:\jdjpp.exe109⤵PID:2348
-
\??\c:\xrlrrxl.exec:\xrlrrxl.exe110⤵PID:2980
-
\??\c:\llxrxfr.exec:\llxrxfr.exe111⤵PID:1000
-
\??\c:\7hbhth.exec:\7hbhth.exe112⤵PID:2416
-
\??\c:\vpvvd.exec:\vpvvd.exe113⤵PID:1596
-
\??\c:\xffxlxx.exec:\xffxlxx.exe114⤵PID:2676
-
\??\c:\rrflxxf.exec:\rrflxxf.exe115⤵PID:2788
-
\??\c:\9hbthn.exec:\9hbthn.exe116⤵PID:2680
-
\??\c:\jvvpp.exec:\jvvpp.exe117⤵PID:2052
-
\??\c:\rlrxflf.exec:\rlrxflf.exe118⤵PID:2548
-
\??\c:\5ttbhn.exec:\5ttbhn.exe119⤵PID:2604
-
\??\c:\7dpvj.exec:\7dpvj.exe120⤵PID:2616
-
\??\c:\7lffllr.exec:\7lffllr.exe121⤵PID:3020
-
\??\c:\nnhnbb.exec:\nnhnbb.exe122⤵PID:3008
-