Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 23:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe
-
Size
453KB
-
MD5
6029bb04d46dcdc5f0d27a361b031e57
-
SHA1
7000331caaebb3f8c5d2dbc7c1ce064a262ef422
-
SHA256
52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c
-
SHA512
1db65470ba6d9277ba10430b6989b6d40ba7502887143fedb52fb78e6b1e7452849f7701448cedee268869282d6544fe769d75f815712dd412c9adb3749cd624
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/1152-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-54-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/980-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-113-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2940-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1224-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-308-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2700-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-350-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2016-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-512-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1560-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-745-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2516-744-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2696 nhhnhh.exe 2120 5lxxfll.exe 2368 nhtbtb.exe 2596 btbbhn.exe 2624 hhtbtt.exe 2640 pjvdj.exe 2272 tnhnht.exe 980 vpjvd.exe 2200 5rlflll.exe 2428 9tnthh.exe 1776 lfrfrfl.exe 2940 lfflfxl.exe 2964 5pjpd.exe 2848 vvpvd.exe 2452 lfffxxf.exe 2656 frlrxxl.exe 476 ddvdp.exe 1944 xrrrffl.exe 2880 tnhntb.exe 1140 fxflxrl.exe 2472 btnnhb.exe 1612 rlflrrf.exe 2444 bhhbnt.exe 1728 9pjpp.exe 1876 5rxlrrx.exe 2312 3vddj.exe 1528 llxlxxr.exe 2668 jvpvj.exe 2032 vppvj.exe 1732 hbtbnh.exe 1224 pvjvd.exe 2708 hthhnn.exe 2776 tnnbtt.exe 1232 fxffffl.exe 2700 1nthnb.exe 2684 nbbntb.exe 2480 ppdpv.exe 2992 rlffllr.exe 2680 ntnthn.exe 2208 pjvdd.exe 1652 5fxfrrf.exe 2920 tntbhn.exe 2284 hnhthn.exe 2016 jdddj.exe 2180 lfxfrxl.exe 2528 hbnhhh.exe 2996 btnhtt.exe 2960 dvjdj.exe 2744 xrrfffx.exe 3020 bthntb.exe 2848 9vpjj.exe 324 jvddj.exe 988 9flfllr.exe 568 tnbbnn.exe 2320 ppvvj.exe 1508 ddjdp.exe 2088 3fxfrxr.exe 1932 rrlrrxl.exe 1996 5bhnnt.exe 1340 9dddj.exe 1672 fxxxflx.exe 2536 1hthnb.exe 2160 btntnn.exe 1736 5jdpj.exe -
resource yara_rule behavioral1/memory/1152-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-111-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2940-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-238-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1876-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-713-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/320-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-742-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1508-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-759-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1152 wrote to memory of 2696 1152 52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe 31 PID 1152 wrote to memory of 2696 1152 52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe 31 PID 1152 wrote to memory of 2696 1152 52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe 31 PID 1152 wrote to memory of 2696 1152 52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe 31 PID 2696 wrote to memory of 2120 2696 nhhnhh.exe 32 PID 2696 wrote to memory of 2120 2696 nhhnhh.exe 32 PID 2696 wrote to memory of 2120 2696 nhhnhh.exe 32 PID 2696 wrote to memory of 2120 2696 nhhnhh.exe 32 PID 2120 wrote to memory of 2368 2120 5lxxfll.exe 33 PID 2120 wrote to memory of 2368 2120 5lxxfll.exe 33 PID 2120 wrote to memory of 2368 2120 5lxxfll.exe 33 PID 2120 wrote to memory of 2368 2120 5lxxfll.exe 33 PID 2368 wrote to memory of 2596 2368 nhtbtb.exe 34 PID 2368 wrote to memory of 2596 2368 nhtbtb.exe 34 PID 2368 wrote to memory of 2596 2368 nhtbtb.exe 34 PID 2368 wrote to memory of 2596 2368 nhtbtb.exe 34 PID 2596 wrote to memory of 2624 2596 btbbhn.exe 35 PID 2596 wrote to memory of 2624 2596 btbbhn.exe 35 PID 2596 wrote to memory of 2624 2596 btbbhn.exe 35 PID 2596 wrote to memory of 2624 2596 btbbhn.exe 35 PID 2624 wrote to memory of 2640 2624 hhtbtt.exe 36 PID 2624 wrote to memory of 2640 2624 hhtbtt.exe 36 PID 2624 wrote to memory of 2640 2624 hhtbtt.exe 36 PID 2624 wrote to memory of 2640 2624 hhtbtt.exe 36 PID 2640 wrote to memory of 2272 2640 pjvdj.exe 37 PID 2640 wrote to memory of 2272 2640 pjvdj.exe 37 PID 2640 wrote to memory of 2272 2640 pjvdj.exe 37 PID 2640 wrote to memory of 2272 2640 pjvdj.exe 37 PID 2272 wrote to memory of 980 2272 tnhnht.exe 38 PID 2272 wrote to memory of 980 2272 tnhnht.exe 38 PID 2272 wrote to memory of 980 2272 tnhnht.exe 38 PID 2272 wrote to memory of 980 2272 tnhnht.exe 38 PID 980 wrote to memory of 2200 980 vpjvd.exe 39 PID 980 wrote to 
memory of 2200 980 vpjvd.exe 39 PID 980 wrote to memory of 2200 980 vpjvd.exe 39 PID 980 wrote to memory of 2200 980 vpjvd.exe 39 PID 2200 wrote to memory of 2428 2200 5rlflll.exe 40 PID 2200 wrote to memory of 2428 2200 5rlflll.exe 40 PID 2200 wrote to memory of 2428 2200 5rlflll.exe 40 PID 2200 wrote to memory of 2428 2200 5rlflll.exe 40 PID 2428 wrote to memory of 1776 2428 9tnthh.exe 41 PID 2428 wrote to memory of 1776 2428 9tnthh.exe 41 PID 2428 wrote to memory of 1776 2428 9tnthh.exe 41 PID 2428 wrote to memory of 1776 2428 9tnthh.exe 41 PID 1776 wrote to memory of 2940 1776 lfrfrfl.exe 42 PID 1776 wrote to memory of 2940 1776 lfrfrfl.exe 42 PID 1776 wrote to memory of 2940 1776 lfrfrfl.exe 42 PID 1776 wrote to memory of 2940 1776 lfrfrfl.exe 42 PID 2940 wrote to memory of 2964 2940 lfflfxl.exe 43 PID 2940 wrote to memory of 2964 2940 lfflfxl.exe 43 PID 2940 wrote to memory of 2964 2940 lfflfxl.exe 43 PID 2940 wrote to memory of 2964 2940 lfflfxl.exe 43 PID 2964 wrote to memory of 2848 2964 5pjpd.exe 44 PID 2964 wrote to memory of 2848 2964 5pjpd.exe 44 PID 2964 wrote to memory of 2848 2964 5pjpd.exe 44 PID 2964 wrote to memory of 2848 2964 5pjpd.exe 44 PID 2848 wrote to memory of 2452 2848 vvpvd.exe 45 PID 2848 wrote to memory of 2452 2848 vvpvd.exe 45 PID 2848 wrote to memory of 2452 2848 vvpvd.exe 45 PID 2848 wrote to memory of 2452 2848 vvpvd.exe 45 PID 2452 wrote to memory of 2656 2452 lfffxxf.exe 46 PID 2452 wrote to memory of 2656 2452 lfffxxf.exe 46 PID 2452 wrote to memory of 2656 2452 lfffxxf.exe 46 PID 2452 wrote to memory of 2656 2452 lfffxxf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe"C:\Users\Admin\AppData\Local\Temp\52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\nhhnhh.exec:\nhhnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\5lxxfll.exec:\5lxxfll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\nhtbtb.exec:\nhtbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\btbbhn.exec:\btbbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\hhtbtt.exec:\hhtbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\pjvdj.exec:\pjvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\tnhnht.exec:\tnhnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\vpjvd.exec:\vpjvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\5rlflll.exec:\5rlflll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\9tnthh.exec:\9tnthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\lfrfrfl.exec:\lfrfrfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\lfflfxl.exec:\lfflfxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\5pjpd.exec:\5pjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\vvpvd.exec:\vvpvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\lfffxxf.exec:\lfffxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\frlrxxl.exec:\frlrxxl.exe17⤵
- Executes dropped EXE
PID:2656 -
\??\c:\ddvdp.exec:\ddvdp.exe18⤵
- Executes dropped EXE
PID:476 -
\??\c:\xrrrffl.exec:\xrrrffl.exe19⤵
- Executes dropped EXE
PID:1944 -
\??\c:\tnhntb.exec:\tnhntb.exe20⤵
- Executes dropped EXE
PID:2880 -
\??\c:\fxflxrl.exec:\fxflxrl.exe21⤵
- Executes dropped EXE
PID:1140 -
\??\c:\btnnhb.exec:\btnnhb.exe22⤵
- Executes dropped EXE
PID:2472 -
\??\c:\rlflrrf.exec:\rlflrrf.exe23⤵
- Executes dropped EXE
PID:1612 -
\??\c:\bhhbnt.exec:\bhhbnt.exe24⤵
- Executes dropped EXE
PID:2444 -
\??\c:\9pjpp.exec:\9pjpp.exe25⤵
- Executes dropped EXE
PID:1728 -
\??\c:\5rxlrrx.exec:\5rxlrrx.exe26⤵
- Executes dropped EXE
PID:1876 -
\??\c:\3vddj.exec:\3vddj.exe27⤵
- Executes dropped EXE
PID:2312 -
\??\c:\llxlxxr.exec:\llxlxxr.exe28⤵
- Executes dropped EXE
PID:1528 -
\??\c:\jvpvj.exec:\jvpvj.exe29⤵
- Executes dropped EXE
PID:2668 -
\??\c:\vppvj.exec:\vppvj.exe30⤵
- Executes dropped EXE
PID:2032 -
\??\c:\hbtbnh.exec:\hbtbnh.exe31⤵
- Executes dropped EXE
PID:1732 -
\??\c:\pvjvd.exec:\pvjvd.exe32⤵
- Executes dropped EXE
PID:1224 -
\??\c:\hthhnn.exec:\hthhnn.exe33⤵
- Executes dropped EXE
PID:2708 -
\??\c:\tnnbtt.exec:\tnnbtt.exe34⤵
- Executes dropped EXE
PID:2776 -
\??\c:\fxffffl.exec:\fxffffl.exe35⤵
- Executes dropped EXE
PID:1232 -
\??\c:\1nthnb.exec:\1nthnb.exe36⤵
- Executes dropped EXE
PID:2700 -
\??\c:\nbbntb.exec:\nbbntb.exe37⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ppdpv.exec:\ppdpv.exe38⤵
- Executes dropped EXE
PID:2480 -
\??\c:\rlffllr.exec:\rlffllr.exe39⤵
- Executes dropped EXE
PID:2992 -
\??\c:\ntnthn.exec:\ntnthn.exe40⤵
- Executes dropped EXE
PID:2680 -
\??\c:\pjvdd.exec:\pjvdd.exe41⤵
- Executes dropped EXE
PID:2208 -
\??\c:\5fxfrrf.exec:\5fxfrrf.exe42⤵
- Executes dropped EXE
PID:1652 -
\??\c:\tntbhn.exec:\tntbhn.exe43⤵
- Executes dropped EXE
PID:2920 -
\??\c:\hnhthn.exec:\hnhthn.exe44⤵
- Executes dropped EXE
PID:2284 -
\??\c:\jdddj.exec:\jdddj.exe45⤵
- Executes dropped EXE
PID:2016 -
\??\c:\lfxfrxl.exec:\lfxfrxl.exe46⤵
- Executes dropped EXE
PID:2180 -
\??\c:\hbnhhh.exec:\hbnhhh.exe47⤵
- Executes dropped EXE
PID:2528 -
\??\c:\btnhtt.exec:\btnhtt.exe48⤵
- Executes dropped EXE
PID:2996 -
\??\c:\dvjdj.exec:\dvjdj.exe49⤵
- Executes dropped EXE
PID:2960 -
\??\c:\xrrfffx.exec:\xrrfffx.exe50⤵
- Executes dropped EXE
PID:2744 -
\??\c:\bthntb.exec:\bthntb.exe51⤵
- Executes dropped EXE
PID:3020 -
\??\c:\9vpjj.exec:\9vpjj.exe52⤵
- Executes dropped EXE
PID:2848 -
\??\c:\jvddj.exec:\jvddj.exe53⤵
- Executes dropped EXE
PID:324 -
\??\c:\9flfllr.exec:\9flfllr.exe54⤵
- Executes dropped EXE
PID:988 -
\??\c:\tnbbnn.exec:\tnbbnn.exe55⤵
- Executes dropped EXE
PID:568 -
\??\c:\ppvvj.exec:\ppvvj.exe56⤵
- Executes dropped EXE
PID:2320 -
\??\c:\ddjdp.exec:\ddjdp.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
\??\c:\3fxfrxr.exec:\3fxfrxr.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\rrlrrxl.exec:\rrlrrxl.exe59⤵
- Executes dropped EXE
PID:1932 -
\??\c:\5bhnnt.exec:\5bhnnt.exe60⤵
- Executes dropped EXE
PID:1996 -
\??\c:\9dddj.exec:\9dddj.exe61⤵
- Executes dropped EXE
PID:1340 -
\??\c:\fxxxflx.exec:\fxxxflx.exe62⤵
- Executes dropped EXE
PID:1672 -
\??\c:\1hthnb.exec:\1hthnb.exe63⤵
- Executes dropped EXE
PID:2536 -
\??\c:\btntnn.exec:\btntnn.exe64⤵
- Executes dropped EXE
PID:2160 -
\??\c:\5jdpj.exec:\5jdpj.exe65⤵
- Executes dropped EXE
PID:1736 -
\??\c:\llflxfr.exec:\llflxfr.exe66⤵PID:1876
-
\??\c:\thhnhn.exec:\thhnhn.exe67⤵PID:2312
-
\??\c:\5hhhbt.exec:\5hhhbt.exe68⤵PID:2080
-
\??\c:\9dvvd.exec:\9dvvd.exe69⤵PID:1372
-
\??\c:\ffflxxl.exec:\ffflxxl.exe70⤵PID:300
-
\??\c:\fxrxllf.exec:\fxrxllf.exe71⤵PID:684
-
\??\c:\tbntbb.exec:\tbntbb.exe72⤵PID:1220
-
\??\c:\ddvjp.exec:\ddvjp.exe73⤵PID:880
-
\??\c:\xrffxrx.exec:\xrffxrx.exe74⤵PID:2676
-
\??\c:\thnhhb.exec:\thnhhb.exe75⤵PID:1596
-
\??\c:\nhtbhn.exec:\nhtbhn.exe76⤵
- System Location Discovery: System Language Discovery
PID:2704 -
\??\c:\vppjj.exec:\vppjj.exe77⤵PID:2876
-
\??\c:\7lllrrr.exec:\7lllrrr.exe78⤵PID:2900
-
\??\c:\rlrxffl.exec:\rlrxffl.exe79⤵PID:2392
-
\??\c:\tnhhnb.exec:\tnhhnb.exe80⤵PID:2564
-
\??\c:\pjddj.exec:\pjddj.exe81⤵PID:2992
-
\??\c:\jjdjv.exec:\jjdjv.exe82⤵PID:1560
-
\??\c:\rlxrrrl.exec:\rlxrrrl.exe83⤵PID:1648
-
\??\c:\nntbtb.exec:\nntbtb.exe84⤵PID:1576
-
\??\c:\hhbnbb.exec:\hhbnbb.exe85⤵PID:820
-
\??\c:\3jddd.exec:\3jddd.exe86⤵PID:2224
-
\??\c:\lxllflx.exec:\lxllflx.exe87⤵PID:2508
-
\??\c:\rrffrrx.exec:\rrffrrx.exe88⤵PID:2952
-
\??\c:\7nbbbt.exec:\7nbbbt.exe89⤵PID:2528
-
\??\c:\vpvdd.exec:\vpvdd.exe90⤵PID:2996
-
\??\c:\xrflrfr.exec:\xrflrfr.exe91⤵PID:3012
-
\??\c:\xrxxrxf.exec:\xrxxrxf.exe92⤵PID:2824
-
\??\c:\nbbhtt.exec:\nbbhtt.exe93⤵PID:328
-
\??\c:\pdppp.exec:\pdppp.exe94⤵PID:2796
-
\??\c:\jdvvd.exec:\jdvvd.exe95⤵PID:2516
-
\??\c:\xrffrxl.exec:\xrffrxl.exe96⤵PID:320
-
\??\c:\bnhntb.exec:\bnhntb.exe97⤵PID:1444
-
\??\c:\ppddp.exec:\ppddp.exe98⤵PID:2388
-
\??\c:\rfxxxxl.exec:\rfxxxxl.exe99⤵PID:1508
-
\??\c:\flxlxxl.exec:\flxlxxl.exe100⤵PID:1196
-
\??\c:\hbtthh.exec:\hbtthh.exe101⤵PID:2448
-
\??\c:\jdpvj.exec:\jdpvj.exe102⤵PID:1996
-
\??\c:\3jvpp.exec:\3jvpp.exe103⤵PID:904
-
\??\c:\frffrrx.exec:\frffrrx.exe104⤵PID:1388
-
\??\c:\9nthnn.exec:\9nthnn.exe105⤵PID:2536
-
\??\c:\9bntbb.exec:\9bntbb.exe106⤵PID:2160
-
\??\c:\1vpdd.exec:\1vpdd.exe107⤵PID:1552
-
\??\c:\5rxrxxf.exec:\5rxrxxf.exe108⤵PID:1712
-
\??\c:\lfxxlfr.exec:\lfxxlfr.exe109⤵PID:1168
-
\??\c:\nhnntb.exec:\nhnntb.exe110⤵PID:1956
-
\??\c:\5pdjp.exec:\5pdjp.exe111⤵PID:580
-
\??\c:\3jdjp.exec:\3jdjp.exe112⤵PID:1752
-
\??\c:\ffrrxxl.exec:\ffrrxxl.exe113⤵PID:1732
-
\??\c:\5nbbhh.exec:\5nbbhh.exe114⤵PID:1644
-
\??\c:\hbnthh.exec:\hbnthh.exe115⤵PID:2084
-
\??\c:\7jvpp.exec:\7jvpp.exe116⤵PID:1600
-
\??\c:\rlllrxl.exec:\rlllrxl.exe117⤵PID:2800
-
\??\c:\5lxfrrx.exec:\5lxfrrx.exe118⤵PID:2096
-
\??\c:\nbtthh.exec:\nbtthh.exe119⤵PID:2120
-
\??\c:\nhtnbb.exec:\nhtnbb.exe120⤵PID:2808
-
\??\c:\dpjvj.exec:\dpjvj.exe121⤵PID:752
-
\??\c:\xfrfrfr.exec:\xfrfrfr.exe122⤵PID:2788