Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
28/03/2025, 20:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
-
Size
456KB
-
MD5
b8b06189ddbb0454b6b3fd2c8261bd22
-
SHA1
a011dc28a25e5eef6deb7470f087a9a6f63d158b
-
SHA256
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb
-
SHA512
e25cd2652e59b314e54b4920690f697dcec1f66eee3cb7eddeb3934577f6b9afe94ac2f54d16dcce91727f56ef7753bb8106d0d91ba09ae8e62cf44372de4d4b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSi:q7Tc2NYHUrAwfMp3CDSi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2196-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1808-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/492-216-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1056-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-246-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1148-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-271-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2104-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-302-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1712-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-388-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/944-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-466-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1720-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-621-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/480-673-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2636-684-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1072-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1412-994-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/944-1233-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2272 9fffxxl.exe 2488 nhbhht.exe 1252 lfflfrl.exe 2964 pjppv.exe 2024 hnbthn.exe 2768 djpdp.exe 2976 rllfrlx.exe 2880 hbhntt.exe 2016 bbtbth.exe 2572 ppjjp.exe 1808 hbtthh.exe 1820 vdvjp.exe 1108 7tnbnt.exe 1852 dvjpd.exe 780 tnbhnt.exe 1004 flffrrf.exe 1948 nnthbt.exe 1804 vpjjp.exe 2904 hbnntb.exe 2248 thbnth.exe 1168 rlxxflx.exe 492 jjvjv.exe 868 9nbhbb.exe 1056 9nhhtn.exe 1720 bnhhth.exe 1148 ththtt.exe 1528 3btbhn.exe 1724 5thnhh.exe 2164 hbnnbh.exe 2104 dvdjv.exe 2412 nhbbhh.exe 2300 pjvvp.exe 1784 hhbnbn.exe 2352 7vpvj.exe 1712 vpvvv.exe 1428 lfxxrxl.exe 2116 5nbhhh.exe 2672 pvpdd.exe 2980 5vpvj.exe 2876 xxxfrfx.exe 2892 5nhbhh.exe 2756 ttbnhn.exe 2680 3vvvv.exe 2584 rlrflrr.exe 2564 nnhnbn.exe 316 ttnbth.exe 944 vppvj.exe 1820 frxrffl.exe 1264 tnhhnb.exe 592 httthn.exe 588 9vjjp.exe 780 flxxlxl.exe 2184 7htbhh.exe 2668 vvpdp.exe 1156 1xxxllx.exe 2932 fxrxrfr.exe 2284 hnhnbh.exe 2956 pvppv.exe 1876 xrllffr.exe 1496 lxllrxf.exe 1008 bbntbh.exe 1688 ppdjv.exe 1680 pdppd.exe 1056 lxrrfxl.exe -
resource yara_rule behavioral1/memory/2196-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-102-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1808-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-113-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1820-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-142-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1948-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-324-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2980-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-388-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2584-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-466-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/960-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-621-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2976-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-673-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/532-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-773-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2700-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-907-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-981-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-1165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-1252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-1265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-1277-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthtb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2272 2196 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 2196 wrote to memory of 2272 2196 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 2196 wrote to memory of 2272 2196 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 2196 wrote to memory of 2272 2196 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 2272 wrote to memory of 2488 2272 9fffxxl.exe 31 PID 2272 wrote to memory of 2488 2272 9fffxxl.exe 31 PID 2272 wrote to memory of 2488 2272 9fffxxl.exe 31 PID 2272 wrote to memory of 2488 2272 9fffxxl.exe 31 PID 2488 wrote to memory of 1252 2488 nhbhht.exe 32 PID 2488 wrote to memory of 1252 2488 nhbhht.exe 32 PID 2488 wrote to memory of 1252 2488 nhbhht.exe 32 PID 2488 wrote to memory of 1252 2488 nhbhht.exe 32 PID 1252 wrote to memory of 2964 1252 lfflfrl.exe 33 PID 1252 wrote to memory of 2964 1252 lfflfrl.exe 33 PID 1252 wrote to memory of 2964 1252 lfflfrl.exe 33 PID 1252 wrote to memory of 2964 1252 lfflfrl.exe 33 PID 2964 wrote to memory of 2024 2964 pjppv.exe 34 PID 2964 wrote to memory of 2024 2964 pjppv.exe 34 PID 2964 wrote to memory of 2024 2964 pjppv.exe 34 PID 2964 wrote to memory of 2024 2964 pjppv.exe 34 PID 2024 wrote to memory of 2768 2024 hnbthn.exe 35 PID 2024 wrote to memory of 2768 2024 hnbthn.exe 35 PID 2024 wrote to memory of 2768 2024 hnbthn.exe 35 PID 2024 wrote to memory of 2768 2024 hnbthn.exe 35 PID 2768 wrote to memory of 2976 2768 djpdp.exe 36 PID 2768 wrote to memory of 2976 2768 djpdp.exe 36 PID 2768 wrote to memory of 2976 2768 djpdp.exe 36 PID 2768 wrote to memory of 2976 2768 djpdp.exe 36 PID 2976 wrote to memory of 2880 2976 rllfrlx.exe 37 PID 2976 wrote to memory of 2880 2976 rllfrlx.exe 37 PID 2976 wrote to memory of 2880 2976 rllfrlx.exe 37 PID 2976 wrote to memory of 2880 2976 rllfrlx.exe 37 PID 2880 wrote to memory of 2016 2880 hbhntt.exe 38 PID 2880 
wrote to memory of 2016 2880 hbhntt.exe 38 PID 2880 wrote to memory of 2016 2880 hbhntt.exe 38 PID 2880 wrote to memory of 2016 2880 hbhntt.exe 38 PID 2016 wrote to memory of 2572 2016 bbtbth.exe 39 PID 2016 wrote to memory of 2572 2016 bbtbth.exe 39 PID 2016 wrote to memory of 2572 2016 bbtbth.exe 39 PID 2016 wrote to memory of 2572 2016 bbtbth.exe 39 PID 2572 wrote to memory of 1808 2572 ppjjp.exe 40 PID 2572 wrote to memory of 1808 2572 ppjjp.exe 40 PID 2572 wrote to memory of 1808 2572 ppjjp.exe 40 PID 2572 wrote to memory of 1808 2572 ppjjp.exe 40 PID 1808 wrote to memory of 1820 1808 hbtthh.exe 41 PID 1808 wrote to memory of 1820 1808 hbtthh.exe 41 PID 1808 wrote to memory of 1820 1808 hbtthh.exe 41 PID 1808 wrote to memory of 1820 1808 hbtthh.exe 41 PID 1820 wrote to memory of 1108 1820 vdvjp.exe 42 PID 1820 wrote to memory of 1108 1820 vdvjp.exe 42 PID 1820 wrote to memory of 1108 1820 vdvjp.exe 42 PID 1820 wrote to memory of 1108 1820 vdvjp.exe 42 PID 1108 wrote to memory of 1852 1108 7tnbnt.exe 43 PID 1108 wrote to memory of 1852 1108 7tnbnt.exe 43 PID 1108 wrote to memory of 1852 1108 7tnbnt.exe 43 PID 1108 wrote to memory of 1852 1108 7tnbnt.exe 43 PID 1852 wrote to memory of 780 1852 dvjpd.exe 44 PID 1852 wrote to memory of 780 1852 dvjpd.exe 44 PID 1852 wrote to memory of 780 1852 dvjpd.exe 44 PID 1852 wrote to memory of 780 1852 dvjpd.exe 44 PID 780 wrote to memory of 1004 780 tnbhnt.exe 45 PID 780 wrote to memory of 1004 780 tnbhnt.exe 45 PID 780 wrote to memory of 1004 780 tnbhnt.exe 45 PID 780 wrote to memory of 1004 780 tnbhnt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\9fffxxl.exec:\9fffxxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\nhbhht.exec:\nhbhht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\lfflfrl.exec:\lfflfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\pjppv.exec:\pjppv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\hnbthn.exec:\hnbthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\djpdp.exec:\djpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\rllfrlx.exec:\rllfrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\hbhntt.exec:\hbhntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\bbtbth.exec:\bbtbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\ppjjp.exec:\ppjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\hbtthh.exec:\hbtthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\vdvjp.exec:\vdvjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\7tnbnt.exec:\7tnbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\dvjpd.exec:\dvjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\tnbhnt.exec:\tnbhnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\flffrrf.exec:\flffrrf.exe17⤵
- Executes dropped EXE
PID:1004 -
\??\c:\nnthbt.exec:\nnthbt.exe18⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vpjjp.exec:\vpjjp.exe19⤵
- Executes dropped EXE
PID:1804 -
\??\c:\hbnntb.exec:\hbnntb.exe20⤵
- Executes dropped EXE
PID:2904 -
\??\c:\thbnth.exec:\thbnth.exe21⤵
- Executes dropped EXE
PID:2248 -
\??\c:\rlxxflx.exec:\rlxxflx.exe22⤵
- Executes dropped EXE
PID:1168 -
\??\c:\jjvjv.exec:\jjvjv.exe23⤵
- Executes dropped EXE
PID:492 -
\??\c:\9nbhbb.exec:\9nbhbb.exe24⤵
- Executes dropped EXE
PID:868 -
\??\c:\9nhhtn.exec:\9nhhtn.exe25⤵
- Executes dropped EXE
PID:1056 -
\??\c:\bnhhth.exec:\bnhhth.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ththtt.exec:\ththtt.exe27⤵
- Executes dropped EXE
PID:1148 -
\??\c:\3btbhn.exec:\3btbhn.exe28⤵
- Executes dropped EXE
PID:1528 -
\??\c:\5thnhh.exec:\5thnhh.exe29⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hbnnbh.exec:\hbnnbh.exe30⤵
- Executes dropped EXE
PID:2164 -
\??\c:\dvdjv.exec:\dvdjv.exe31⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nhbbhh.exec:\nhbbhh.exe32⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pjvvp.exec:\pjvvp.exe33⤵
- Executes dropped EXE
PID:2300 -
\??\c:\hhbnbn.exec:\hhbnbn.exe34⤵
- Executes dropped EXE
PID:1784 -
\??\c:\7vpvj.exec:\7vpvj.exe35⤵
- Executes dropped EXE
PID:2352 -
\??\c:\vpvvv.exec:\vpvvv.exe36⤵
- Executes dropped EXE
PID:1712 -
\??\c:\lfxxrxl.exec:\lfxxrxl.exe37⤵
- Executes dropped EXE
PID:1428 -
\??\c:\5nbhhh.exec:\5nbhhh.exe38⤵
- Executes dropped EXE
PID:2116 -
\??\c:\pvpdd.exec:\pvpdd.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\5vpvj.exec:\5vpvj.exe40⤵
- Executes dropped EXE
PID:2980 -
\??\c:\xxxfrfx.exec:\xxxfrfx.exe41⤵
- Executes dropped EXE
PID:2876 -
\??\c:\5nhbhh.exec:\5nhbhh.exe42⤵
- Executes dropped EXE
PID:2892 -
\??\c:\ttbnhn.exec:\ttbnhn.exe43⤵
- Executes dropped EXE
PID:2756 -
\??\c:\3vvvv.exec:\3vvvv.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\rlrflrr.exec:\rlrflrr.exe45⤵
- Executes dropped EXE
PID:2584 -
\??\c:\nnhnbn.exec:\nnhnbn.exe46⤵
- Executes dropped EXE
PID:2564 -
\??\c:\ttnbth.exec:\ttnbth.exe47⤵
- Executes dropped EXE
PID:316 -
\??\c:\vppvj.exec:\vppvj.exe48⤵
- Executes dropped EXE
PID:944 -
\??\c:\frxrffl.exec:\frxrffl.exe49⤵
- Executes dropped EXE
PID:1820 -
\??\c:\tnhhnb.exec:\tnhhnb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1264 -
\??\c:\httthn.exec:\httthn.exe51⤵
- Executes dropped EXE
PID:592 -
\??\c:\9vjjp.exec:\9vjjp.exe52⤵
- Executes dropped EXE
PID:588 -
\??\c:\flxxlxl.exec:\flxxlxl.exe53⤵
- Executes dropped EXE
PID:780 -
\??\c:\7htbhh.exec:\7htbhh.exe54⤵
- Executes dropped EXE
PID:2184 -
\??\c:\vvpdp.exec:\vvpdp.exe55⤵
- Executes dropped EXE
PID:2668 -
\??\c:\1xxxllx.exec:\1xxxllx.exe56⤵
- Executes dropped EXE
PID:1156 -
\??\c:\fxrxrfr.exec:\fxrxrfr.exe57⤵
- Executes dropped EXE
PID:2932 -
\??\c:\hnhnbh.exec:\hnhnbh.exe58⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pvppv.exec:\pvppv.exe59⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xrllffr.exec:\xrllffr.exe60⤵
- Executes dropped EXE
PID:1876 -
\??\c:\lxllrxf.exec:\lxllrxf.exe61⤵
- Executes dropped EXE
PID:1496 -
\??\c:\bbntbh.exec:\bbntbh.exe62⤵
- Executes dropped EXE
PID:1008 -
\??\c:\ppdjv.exec:\ppdjv.exe63⤵
- Executes dropped EXE
PID:1688 -
\??\c:\pdppd.exec:\pdppd.exe64⤵
- Executes dropped EXE
PID:1680 -
\??\c:\lxrrfxl.exec:\lxrrfxl.exe65⤵
- Executes dropped EXE
PID:1056 -
\??\c:\bbnthn.exec:\bbnthn.exe66⤵PID:960
-
\??\c:\9vddj.exec:\9vddj.exe67⤵PID:1720
-
\??\c:\dpjpd.exec:\dpjpd.exe68⤵PID:1148
-
\??\c:\rllrffr.exec:\rllrffr.exe69⤵PID:3012
-
\??\c:\1nhntb.exec:\1nhntb.exe70⤵PID:1136
-
\??\c:\7vvvd.exec:\7vvvd.exe71⤵PID:1684
-
\??\c:\vjppp.exec:\vjppp.exe72⤵PID:344
-
\??\c:\3fxlrxf.exec:\3fxlrxf.exe73⤵PID:2124
-
\??\c:\nbtthh.exec:\nbtthh.exe74⤵PID:3032
-
\??\c:\5jpvd.exec:\5jpvd.exe75⤵PID:2292
-
\??\c:\ddvdp.exec:\ddvdp.exe76⤵PID:2512
-
\??\c:\lxlxrfx.exec:\lxlxrfx.exe77⤵PID:1584
-
\??\c:\9bnnbh.exec:\9bnnbh.exe78⤵PID:2652
-
\??\c:\9jjvj.exec:\9jjvj.exe79⤵PID:2660
-
\??\c:\7ddpv.exec:\7ddpv.exe80⤵PID:2964
-
\??\c:\xrrrxxr.exec:\xrrrxxr.exe81⤵PID:2760
-
\??\c:\9xfrrrr.exec:\9xfrrrr.exe82⤵PID:2856
-
\??\c:\5hnbbt.exec:\5hnbbt.exe83⤵PID:2868
-
\??\c:\jvjjv.exec:\jvjjv.exe84⤵PID:2976
-
\??\c:\1xxlrlf.exec:\1xxlrlf.exe85⤵PID:2912
-
\??\c:\xxlrflx.exec:\xxlrflx.exe86⤵PID:2788
-
\??\c:\nhtthb.exec:\nhtthb.exe87⤵PID:2580
-
\??\c:\vdvjv.exec:\vdvjv.exe88⤵PID:2688
-
\??\c:\dvjjd.exec:\dvjjd.exe89⤵PID:3064
-
\??\c:\lfxxflx.exec:\lfxxflx.exe90⤵PID:480
-
\??\c:\btntnt.exec:\btntnt.exe91⤵PID:2636
-
\??\c:\jvjjv.exec:\jvjjv.exe92⤵PID:532
-
\??\c:\xxlrflr.exec:\xxlrflr.exe93⤵PID:1108
-
\??\c:\frlrffx.exec:\frlrffx.exe94⤵PID:1856
-
\??\c:\ntnthn.exec:\ntnthn.exe95⤵PID:1036
-
\??\c:\ddjdp.exec:\ddjdp.exe96⤵PID:1164
-
\??\c:\jdvpv.exec:\jdvpv.exe97⤵PID:1412
-
\??\c:\flfxxrl.exec:\flfxxrl.exe98⤵PID:1764
-
\??\c:\bthhnn.exec:\bthhnn.exe99⤵PID:1456
-
\??\c:\9vjpd.exec:\9vjpd.exe100⤵PID:2252
-
\??\c:\5lxxxfr.exec:\5lxxxfr.exe101⤵PID:3028
-
\??\c:\rfrfrxl.exec:\rfrfrxl.exe102⤵PID:2260
-
\??\c:\nnbhbt.exec:\nnbhbt.exe103⤵PID:1096
-
\??\c:\pjvvj.exec:\pjvvj.exe104⤵PID:1876
-
\??\c:\xxrrrxl.exec:\xxrrrxl.exe105⤵PID:1072
-
\??\c:\7xfxrxr.exec:\7xfxrxr.exe106⤵PID:1748
-
\??\c:\btbnbt.exec:\btbnbt.exe107⤵PID:2080
-
\??\c:\ppjjp.exec:\ppjjp.exe108⤵PID:1772
-
\??\c:\1fxlxfl.exec:\1fxlxfl.exe109⤵PID:928
-
\??\c:\flflffr.exec:\flflffr.exe110⤵PID:960
-
\??\c:\1bhhnn.exec:\1bhhnn.exe111⤵PID:2268
-
\??\c:\5vdpd.exec:\5vdpd.exe112⤵PID:1148
-
\??\c:\fxlrllx.exec:\fxlrllx.exe113⤵PID:2040
-
\??\c:\3rrrlrl.exec:\3rrrlrl.exe114⤵PID:2208
-
\??\c:\djdjp.exec:\djdjp.exe115⤵PID:2076
-
\??\c:\xxlrfff.exec:\xxlrfff.exe116⤵PID:2396
-
\??\c:\hbthhn.exec:\hbthhn.exe117⤵PID:2524
-
\??\c:\jjdjv.exec:\jjdjv.exe118⤵PID:3032
-
\??\c:\vvvdd.exec:\vvvdd.exe119⤵PID:1576
-
\??\c:\1ffrffr.exec:\1ffrffr.exe120⤵PID:2244
-
\??\c:\1nhnnn.exec:\1nhnnn.exe121⤵PID:1252
-
\??\c:\7btthh.exec:\7btthh.exe122⤵PID:2380