Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 15:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe
-
Size
455KB
-
MD5
c559eca3659a3eee10b29ef422cc0c80
-
SHA1
2d5039bf61c4014cd91d7c2517084e71e72d68a8
-
SHA256
ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65
-
SHA512
b11d13a4faa46a2cd6985458c19f6af49dff2968ba9fbb6895a4b2b49758ca3ddf2983c0e48c806ad18ef64f5d430210645c0363c6754b64fc707a6bc1b0ca29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTj:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2264-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-24-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/548-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-39-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-129-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1736-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1444-241-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2328-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-383-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3068-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-397-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2196-400-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1632-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-446-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2228-445-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1816-458-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/408-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-474-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2968-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1512-725-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2116-738-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1928-755-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1928-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-791-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2320-815-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1516-850-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1620-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 hhnhhn.exe 548 3lrlllf.exe 2796 bbnntb.exe 2748 5llxrrx.exe 2760 1jppv.exe 2892 djvvv.exe 2876 5bhbbb.exe 484 ttnhtt.exe 2608 hbnhtn.exe 2680 hbnthn.exe 2196 vppjp.exe 1096 hhttbh.exe 2032 hhnttb.exe 1324 pjppv.exe 1736 jjjvj.exe 1480 3rlxlrx.exe 1980 thnntt.exe 1384 llfxrfl.exe 2856 hhnhnn.exe 2332 pjvvp.exe 448 9rxllfx.exe 1400 3rllrrx.exe 2376 1hbhtb.exe 1560 llxfrrx.exe 1444 lxfrflx.exe 2328 llrrrrf.exe 3012 7nbhth.exe 1500 ffrxflf.exe 1508 lfxrxff.exe 896 xxlffxf.exe 2368 5lflrrf.exe 2364 jjpvj.exe 2416 5ffxllr.exe 2700 5djpj.exe 1716 vjvdp.exe 2800 9fxrflx.exe 2736 hnhhth.exe 2732 ddjdp.exe 2616 jpppv.exe 2892 3ffxffr.exe 2792 9hntnt.exe 2656 nnttth.exe 2620 pvjjp.exe 2672 llxfrxl.exe 3068 tnntnt.exe 2016 tbntht.exe 2196 pvddj.exe 1140 lrxrlrx.exe 1372 bhttnt.exe 2228 5tbhnn.exe 2144 jdpvv.exe 1768 llrrrrf.exe 1924 5rxxlfl.exe 1632 3thttb.exe 1816 jjvdj.exe 2848 flrlrrx.exe 2856 xxlrlrf.exe 408 nthnnn.exe 2440 5jdpv.exe 1684 3lxxxxf.exe 2220 tbhhtb.exe 1740 hnhnbt.exe 2972 jjjpv.exe 2968 xfxfrxl.exe -
resource yara_rule behavioral1/memory/2264-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-24-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/548-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-224-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1444-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-400-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/1632-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-851-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-890-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxlfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxllx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2264 wrote to memory of 2100 2264 ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe 30 PID 2264 wrote to memory of 2100 2264 ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe 30 PID 2264 wrote to memory of 2100 2264 ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe 30 PID 2264 wrote to memory of 2100 2264 ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe 30 PID 2100 wrote to memory of 548 2100 hhnhhn.exe 31 PID 2100 wrote to memory of 548 2100 hhnhhn.exe 31 PID 2100 wrote to memory of 548 2100 hhnhhn.exe 31 PID 2100 wrote to memory of 548 2100 hhnhhn.exe 31 PID 548 wrote to memory of 2796 548 3lrlllf.exe 32 PID 548 wrote to memory of 2796 548 3lrlllf.exe 32 PID 548 wrote to memory of 2796 548 3lrlllf.exe 32 PID 548 wrote to memory of 2796 548 3lrlllf.exe 32 PID 2796 wrote to memory of 2748 2796 bbnntb.exe 33 PID 2796 wrote to memory of 2748 2796 bbnntb.exe 33 PID 2796 wrote to memory of 2748 2796 bbnntb.exe 33 PID 2796 wrote to memory of 2748 2796 bbnntb.exe 33 PID 2748 wrote to memory of 2760 2748 5llxrrx.exe 34 PID 2748 wrote to memory of 2760 2748 5llxrrx.exe 34 PID 2748 wrote to memory of 2760 2748 5llxrrx.exe 34 PID 2748 wrote to memory of 2760 2748 5llxrrx.exe 34 PID 2760 wrote to memory of 2892 2760 1jppv.exe 35 PID 2760 wrote to memory of 2892 2760 1jppv.exe 35 PID 2760 wrote to memory of 2892 2760 1jppv.exe 35 PID 2760 wrote to memory of 2892 2760 1jppv.exe 35 PID 2892 wrote to memory of 2876 2892 djvvv.exe 36 PID 2892 wrote to memory of 2876 2892 djvvv.exe 36 PID 2892 wrote to memory of 2876 2892 djvvv.exe 36 PID 2892 wrote to memory of 2876 2892 djvvv.exe 36 PID 2876 wrote to memory of 484 2876 5bhbbb.exe 37 PID 2876 wrote to memory of 484 2876 5bhbbb.exe 37 PID 2876 wrote to memory of 484 2876 5bhbbb.exe 37 PID 2876 wrote to memory of 484 2876 5bhbbb.exe 37 PID 484 wrote to memory of 2608 484 ttnhtt.exe 38 PID 484 wrote to memory of 
2608 484 ttnhtt.exe 38 PID 484 wrote to memory of 2608 484 ttnhtt.exe 38 PID 484 wrote to memory of 2608 484 ttnhtt.exe 38 PID 2608 wrote to memory of 2680 2608 hbnhtn.exe 39 PID 2608 wrote to memory of 2680 2608 hbnhtn.exe 39 PID 2608 wrote to memory of 2680 2608 hbnhtn.exe 39 PID 2608 wrote to memory of 2680 2608 hbnhtn.exe 39 PID 2680 wrote to memory of 2196 2680 hbnthn.exe 40 PID 2680 wrote to memory of 2196 2680 hbnthn.exe 40 PID 2680 wrote to memory of 2196 2680 hbnthn.exe 40 PID 2680 wrote to memory of 2196 2680 hbnthn.exe 40 PID 2196 wrote to memory of 1096 2196 vppjp.exe 41 PID 2196 wrote to memory of 1096 2196 vppjp.exe 41 PID 2196 wrote to memory of 1096 2196 vppjp.exe 41 PID 2196 wrote to memory of 1096 2196 vppjp.exe 41 PID 1096 wrote to memory of 2032 1096 hhttbh.exe 42 PID 1096 wrote to memory of 2032 1096 hhttbh.exe 42 PID 1096 wrote to memory of 2032 1096 hhttbh.exe 42 PID 1096 wrote to memory of 2032 1096 hhttbh.exe 42 PID 2032 wrote to memory of 1324 2032 hhnttb.exe 43 PID 2032 wrote to memory of 1324 2032 hhnttb.exe 43 PID 2032 wrote to memory of 1324 2032 hhnttb.exe 43 PID 2032 wrote to memory of 1324 2032 hhnttb.exe 43 PID 1324 wrote to memory of 1736 1324 pjppv.exe 44 PID 1324 wrote to memory of 1736 1324 pjppv.exe 44 PID 1324 wrote to memory of 1736 1324 pjppv.exe 44 PID 1324 wrote to memory of 1736 1324 pjppv.exe 44 PID 1736 wrote to memory of 1480 1736 jjjvj.exe 45 PID 1736 wrote to memory of 1480 1736 jjjvj.exe 45 PID 1736 wrote to memory of 1480 1736 jjjvj.exe 45 PID 1736 wrote to memory of 1480 1736 jjjvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe"C:\Users\Admin\AppData\Local\Temp\ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\hhnhhn.exec:\hhnhhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\3lrlllf.exec:\3lrlllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\bbnntb.exec:\bbnntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\5llxrrx.exec:\5llxrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\1jppv.exec:\1jppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\djvvv.exec:\djvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\5bhbbb.exec:\5bhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\ttnhtt.exec:\ttnhtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\hbnhtn.exec:\hbnhtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\hbnthn.exec:\hbnthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\vppjp.exec:\vppjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\hhttbh.exec:\hhttbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\hhnttb.exec:\hhnttb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\pjppv.exec:\pjppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\jjjvj.exec:\jjjvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\3rlxlrx.exec:\3rlxlrx.exe17⤵
- Executes dropped EXE
PID:1480 -
\??\c:\thnntt.exec:\thnntt.exe18⤵
- Executes dropped EXE
PID:1980 -
\??\c:\llfxrfl.exec:\llfxrfl.exe19⤵
- Executes dropped EXE
PID:1384 -
\??\c:\hhnhnn.exec:\hhnhnn.exe20⤵
- Executes dropped EXE
PID:2856 -
\??\c:\pjvvp.exec:\pjvvp.exe21⤵
- Executes dropped EXE
PID:2332 -
\??\c:\9rxllfx.exec:\9rxllfx.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\3rllrrx.exec:\3rllrrx.exe23⤵
- Executes dropped EXE
PID:1400 -
\??\c:\1hbhtb.exec:\1hbhtb.exe24⤵
- Executes dropped EXE
PID:2376 -
\??\c:\llxfrrx.exec:\llxfrrx.exe25⤵
- Executes dropped EXE
PID:1560 -
\??\c:\lxfrflx.exec:\lxfrflx.exe26⤵
- Executes dropped EXE
PID:1444 -
\??\c:\llrrrrf.exec:\llrrrrf.exe27⤵
- Executes dropped EXE
PID:2328 -
\??\c:\7nbhth.exec:\7nbhth.exe28⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ffrxflf.exec:\ffrxflf.exe29⤵
- Executes dropped EXE
PID:1500 -
\??\c:\lfxrxff.exec:\lfxrxff.exe30⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xxlffxf.exec:\xxlffxf.exe31⤵
- Executes dropped EXE
PID:896 -
\??\c:\5lflrrf.exec:\5lflrrf.exe32⤵
- Executes dropped EXE
PID:2368 -
\??\c:\jjpvj.exec:\jjpvj.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
\??\c:\5ffxllr.exec:\5ffxllr.exe34⤵
- Executes dropped EXE
PID:2416 -
\??\c:\5djpj.exec:\5djpj.exe35⤵
- Executes dropped EXE
PID:2700 -
\??\c:\vjvdp.exec:\vjvdp.exe36⤵
- Executes dropped EXE
PID:1716 -
\??\c:\9fxrflx.exec:\9fxrflx.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\hnhhth.exec:\hnhhth.exe38⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ddjdp.exec:\ddjdp.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jpppv.exec:\jpppv.exe40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\3ffxffr.exec:\3ffxffr.exe41⤵
- Executes dropped EXE
PID:2892 -
\??\c:\9hntnt.exec:\9hntnt.exe42⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nnttth.exec:\nnttth.exe43⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pvjjp.exec:\pvjjp.exe44⤵
- Executes dropped EXE
PID:2620 -
\??\c:\llxfrxl.exec:\llxfrxl.exe45⤵
- Executes dropped EXE
PID:2672 -
\??\c:\tnntnt.exec:\tnntnt.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\tbntht.exec:\tbntht.exe47⤵
- Executes dropped EXE
PID:2016 -
\??\c:\pvddj.exec:\pvddj.exe48⤵
- Executes dropped EXE
PID:2196 -
\??\c:\lrxrlrx.exec:\lrxrlrx.exe49⤵
- Executes dropped EXE
PID:1140 -
\??\c:\bhttnt.exec:\bhttnt.exe50⤵
- Executes dropped EXE
PID:1372 -
\??\c:\5tbhnn.exec:\5tbhnn.exe51⤵
- Executes dropped EXE
PID:2228 -
\??\c:\jdpvv.exec:\jdpvv.exe52⤵
- Executes dropped EXE
PID:2144 -
\??\c:\llrrrrf.exec:\llrrrrf.exe53⤵
- Executes dropped EXE
PID:1768 -
\??\c:\5rxxlfl.exec:\5rxxlfl.exe54⤵
- Executes dropped EXE
PID:1924 -
\??\c:\3thttb.exec:\3thttb.exe55⤵
- Executes dropped EXE
PID:1632 -
\??\c:\jjvdj.exec:\jjvdj.exe56⤵
- Executes dropped EXE
PID:1816 -
\??\c:\flrlrrx.exec:\flrlrrx.exe57⤵
- Executes dropped EXE
PID:2848 -
\??\c:\xxlrlrf.exec:\xxlrlrf.exe58⤵
- Executes dropped EXE
PID:2856 -
\??\c:\nthnnn.exec:\nthnnn.exe59⤵
- Executes dropped EXE
PID:408 -
\??\c:\5jdpv.exec:\5jdpv.exe60⤵
- Executes dropped EXE
PID:2440 -
\??\c:\3lxxxxf.exec:\3lxxxxf.exe61⤵
- Executes dropped EXE
PID:1684 -
\??\c:\tbhhtb.exec:\tbhhtb.exe62⤵
- Executes dropped EXE
PID:2220 -
\??\c:\hnhnbt.exec:\hnhnbt.exe63⤵
- Executes dropped EXE
PID:1740 -
\??\c:\jjjpv.exec:\jjjpv.exe64⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xfxfrxl.exec:\xfxfrxl.exe65⤵
- Executes dropped EXE
PID:2968 -
\??\c:\llrrlrl.exec:\llrrlrl.exe66⤵PID:1112
-
\??\c:\nnbttb.exec:\nnbttb.exe67⤵PID:1944
-
\??\c:\9djpj.exec:\9djpj.exe68⤵PID:2996
-
\??\c:\rlfxlrf.exec:\rlfxlrf.exe69⤵PID:3056
-
\??\c:\hhttnt.exec:\hhttnt.exe70⤵PID:2484
-
\??\c:\tbbbbb.exec:\tbbbbb.exe71⤵PID:1988
-
\??\c:\vjdvd.exec:\vjdvd.exe72⤵PID:2464
-
\??\c:\1rlrxfr.exec:\1rlrxfr.exe73⤵
- System Location Discovery: System Language Discovery
PID:1388 -
\??\c:\lrxffll.exec:\lrxffll.exe74⤵PID:1908
-
\??\c:\hhtbnn.exec:\hhtbnn.exe75⤵PID:2564
-
\??\c:\ddppj.exec:\ddppj.exe76⤵PID:2520
-
\??\c:\xxrxfrf.exec:\xxrxfrf.exe77⤵PID:2416
-
\??\c:\3xlxlxl.exec:\3xlxlxl.exe78⤵PID:2700
-
\??\c:\tbtntt.exec:\tbtntt.exe79⤵PID:1716
-
\??\c:\ddjdd.exec:\ddjdd.exe80⤵PID:2832
-
\??\c:\lrflrfr.exec:\lrflrfr.exe81⤵PID:2836
-
\??\c:\9fxfxlr.exec:\9fxfxlr.exe82⤵PID:2760
-
\??\c:\7hbtbh.exec:\7hbtbh.exe83⤵PID:2912
-
\??\c:\3dvvd.exec:\3dvvd.exe84⤵PID:2780
-
\??\c:\5fxxxxx.exec:\5fxxxxx.exe85⤵PID:2660
-
\??\c:\lrflxrx.exec:\lrflxrx.exe86⤵PID:2664
-
\??\c:\1tnhhh.exec:\1tnhhh.exe87⤵PID:2608
-
\??\c:\1dpvd.exec:\1dpvd.exe88⤵PID:2680
-
\??\c:\7dvvv.exec:\7dvvv.exe89⤵PID:284
-
\??\c:\5lffrrr.exec:\5lffrrr.exe90⤵PID:2016
-
\??\c:\bbhbbb.exec:\bbhbbb.exe91⤵PID:2196
-
\??\c:\hhntbb.exec:\hhntbb.exe92⤵PID:1232
-
\??\c:\9vvdp.exec:\9vvdp.exe93⤵PID:1372
-
\??\c:\rrfxfll.exec:\rrfxfll.exe94⤵PID:1660
-
\??\c:\flrxxfl.exec:\flrxxfl.exe95⤵PID:2144
-
\??\c:\hbnnnn.exec:\hbnnnn.exe96⤵PID:468
-
\??\c:\5vjpv.exec:\5vjpv.exe97⤵PID:1512
-
\??\c:\5fflxfl.exec:\5fflxfl.exe98⤵PID:2676
-
\??\c:\5bnhth.exec:\5bnhth.exe99⤵PID:2116
-
\??\c:\bhttbb.exec:\bhttbb.exe100⤵PID:2848
-
\??\c:\ppvdj.exec:\ppvdj.exe101⤵PID:2068
-
\??\c:\rflrfrf.exec:\rflrfrf.exe102⤵PID:1928
-
\??\c:\tbttbh.exec:\tbttbh.exe103⤵PID:652
-
\??\c:\hhthbb.exec:\hhthbb.exe104⤵PID:2504
-
\??\c:\vvppj.exec:\vvppj.exe105⤵PID:2260
-
\??\c:\llflffx.exec:\llflffx.exe106⤵PID:1648
-
\??\c:\hnttbt.exec:\hnttbt.exe107⤵PID:1004
-
\??\c:\hnhtht.exec:\hnhtht.exe108⤵PID:1824
-
\??\c:\vjpvd.exec:\vjpvd.exe109⤵PID:920
-
\??\c:\rrxfxrl.exec:\rrxfxrl.exe110⤵PID:352
-
\??\c:\hnttbh.exec:\hnttbh.exe111⤵PID:2320
-
\??\c:\7nnthh.exec:\7nnthh.exe112⤵PID:2012
-
\??\c:\vvjjp.exec:\vvjjp.exe113⤵PID:1516
-
\??\c:\lrllflx.exec:\lrllflx.exe114⤵PID:2020
-
\??\c:\3tnthn.exec:\3tnthn.exe115⤵PID:1644
-
\??\c:\nnbhnb.exec:\nnbhnb.exe116⤵PID:1388
-
\??\c:\vpvdp.exec:\vpvdp.exe117⤵PID:2200
-
\??\c:\rrffflx.exec:\rrffflx.exe118⤵PID:2560
-
\??\c:\hhtntt.exec:\hhtntt.exe119⤵PID:1584
-
\??\c:\jpjdv.exec:\jpjdv.exe120⤵PID:1620
-
\??\c:\ffxxxxf.exec:\ffxxxxf.exe121⤵PID:2820
-
\??\c:\flxxlrx.exec:\flxxlrx.exe122⤵PID:2948