Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8.exe
-
Size
455KB
-
MD5
29441309fd9894ce61c113141e692f26
-
SHA1
55dc32b030931e4e829c2e6aa49b452fe1bc0bde
-
SHA256
1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8
-
SHA512
cbaf7c1bf70884b749a017eeacf9800f789e9b1a15c35c866f0cf9da105483acfacebba92762cda9c4cc7407b6ddaaa0a024bc0aedfaf35f9ff6d482a54225cb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRg:q7Tc2NYHUrAwfMp3CDRg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/688-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1164-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1776-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-976-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-1079-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/316-1194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4728 1hbhtn.exe 2296 ppjvp.exe 1376 hnhtnt.exe 2348 5ppdp.exe 2332 thnbhn.exe 2544 ddpdj.exe 2532 9ttnnh.exe 468 xlrffrr.exe 5064 3llxxlx.exe 3140 nbnhtn.exe 720 jvpdp.exe 5020 lrxrxlr.exe 5060 bthntb.exe 3132 7nhthh.exe 3300 bbhthb.exe 4428 rllxlfr.exe 2096 jvpdp.exe 4032 1bhthn.exe 2944 9vvjp.exe 1864 nnthnh.exe 180 frlxxxx.exe 316 5hhbnh.exe 1164 1hthnh.exe 3108 ppdjv.exe 3272 lrlxrlx.exe 3128 nnthth.exe 3764 pjpdj.exe 3520 rrlrfxr.exe 2732 thnbhb.exe 980 pjjdv.exe 1420 xflxlxl.exe 2004 thhtht.exe 828 pjdpd.exe 3196 5llxfxr.exe 2440 hnhbbn.exe 2768 bhhbth.exe 2688 pppdp.exe 4592 xxfxfxl.exe 3980 lfffxlx.exe 5012 thnbtn.exe 4152 jpjvj.exe 1648 xrlrfxl.exe 1204 lflxxrr.exe 4464 5hnhbt.exe 400 7jdjj.exe 5116 llxrfxr.exe 4332 hhbhnn.exe 396 7ddpp.exe 1056 jdjvj.exe 1540 rllxlrf.exe 1476 bnhbtn.exe 3964 htbtbt.exe 4304 vjdjv.exe 5000 rllxfxr.exe 2344 xfxxlfx.exe 3512 thbthb.exe 1368 tnbnhb.exe 1512 dddvd.exe 3936 xxflfxl.exe 4272 bhhbnh.exe 3452 7nbntn.exe 3680 7pjvp.exe 2544 3ppjp.exe 648 xfflllr.exe -
resource yara_rule behavioral2/memory/688-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3108-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/628-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-891-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9httht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 688 wrote to memory of 4728 688 1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8.exe 82 PID 688 wrote to memory of 4728 688 1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8.exe 82 PID 688 wrote to memory of 4728 688 1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8.exe 82 PID 4728 wrote to memory of 2296 4728 1hbhtn.exe 83 PID 4728 wrote to memory of 2296 4728 1hbhtn.exe 83 PID 4728 wrote to memory of 2296 4728 1hbhtn.exe 83 PID 2296 wrote to memory of 1376 2296 ppjvp.exe 84 PID 2296 wrote to memory of 1376 2296 ppjvp.exe 84 PID 2296 wrote to memory of 1376 2296 ppjvp.exe 84 PID 1376 wrote to memory of 2348 1376 hnhtnt.exe 85 PID 1376 wrote to memory of 2348 1376 hnhtnt.exe 85 PID 1376 wrote to memory of 2348 1376 hnhtnt.exe 85 PID 2348 wrote to memory of 2332 2348 5ppdp.exe 86 PID 2348 wrote to memory of 2332 2348 5ppdp.exe 86 PID 2348 wrote to memory of 2332 2348 5ppdp.exe 86 PID 2332 wrote to memory of 2544 2332 thnbhn.exe 87 PID 2332 wrote to memory of 2544 2332 thnbhn.exe 87 PID 2332 wrote to memory of 2544 2332 thnbhn.exe 87 PID 2544 wrote to memory of 2532 2544 ddpdj.exe 88 PID 2544 wrote to memory of 2532 2544 ddpdj.exe 88 PID 2544 wrote to memory of 2532 2544 ddpdj.exe 88 PID 2532 wrote to memory of 468 2532 9ttnnh.exe 89 PID 2532 wrote to memory of 468 2532 9ttnnh.exe 89 PID 2532 wrote to memory of 468 2532 9ttnnh.exe 89 PID 468 wrote to memory of 5064 468 xlrffrr.exe 90 PID 468 wrote to memory of 5064 468 xlrffrr.exe 90 PID 468 wrote to memory of 5064 468 xlrffrr.exe 90 PID 5064 wrote to memory of 3140 5064 3llxxlx.exe 91 PID 5064 wrote to memory of 3140 5064 3llxxlx.exe 91 PID 5064 wrote to memory of 3140 5064 3llxxlx.exe 91 PID 3140 wrote to memory of 720 3140 nbnhtn.exe 92 PID 3140 wrote to memory of 720 3140 nbnhtn.exe 92 PID 3140 wrote to memory of 720 3140 nbnhtn.exe 92 PID 720 wrote to memory of 5020 720 jvpdp.exe 93 PID 720 wrote to memory of 5020 720 
jvpdp.exe 93 PID 720 wrote to memory of 5020 720 jvpdp.exe 93 PID 5020 wrote to memory of 5060 5020 lrxrxlr.exe 94 PID 5020 wrote to memory of 5060 5020 lrxrxlr.exe 94 PID 5020 wrote to memory of 5060 5020 lrxrxlr.exe 94 PID 5060 wrote to memory of 3132 5060 bthntb.exe 95 PID 5060 wrote to memory of 3132 5060 bthntb.exe 95 PID 5060 wrote to memory of 3132 5060 bthntb.exe 95 PID 3132 wrote to memory of 3300 3132 7nhthh.exe 96 PID 3132 wrote to memory of 3300 3132 7nhthh.exe 96 PID 3132 wrote to memory of 3300 3132 7nhthh.exe 96 PID 3300 wrote to memory of 4428 3300 bbhthb.exe 97 PID 3300 wrote to memory of 4428 3300 bbhthb.exe 97 PID 3300 wrote to memory of 4428 3300 bbhthb.exe 97 PID 4428 wrote to memory of 2096 4428 rllxlfr.exe 98 PID 4428 wrote to memory of 2096 4428 rllxlfr.exe 98 PID 4428 wrote to memory of 2096 4428 rllxlfr.exe 98 PID 2096 wrote to memory of 4032 2096 jvpdp.exe 99 PID 2096 wrote to memory of 4032 2096 jvpdp.exe 99 PID 2096 wrote to memory of 4032 2096 jvpdp.exe 99 PID 4032 wrote to memory of 2944 4032 1bhthn.exe 100 PID 4032 wrote to memory of 2944 4032 1bhthn.exe 100 PID 4032 wrote to memory of 2944 4032 1bhthn.exe 100 PID 2944 wrote to memory of 1864 2944 9vvjp.exe 101 PID 2944 wrote to memory of 1864 2944 9vvjp.exe 101 PID 2944 wrote to memory of 1864 2944 9vvjp.exe 101 PID 1864 wrote to memory of 180 1864 nnthnh.exe 102 PID 1864 wrote to memory of 180 1864 nnthnh.exe 102 PID 1864 wrote to memory of 180 1864 nnthnh.exe 102 PID 180 wrote to memory of 316 180 frlxxxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8.exe"C:\Users\Admin\AppData\Local\Temp\1e52c4bbed1097ce7136dea62142a92a7e8e03923f34d2b19cc9669e7ebc63b8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\1hbhtn.exec:\1hbhtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\ppjvp.exec:\ppjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\hnhtnt.exec:\hnhtnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\5ppdp.exec:\5ppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\thnbhn.exec:\thnbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\ddpdj.exec:\ddpdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\9ttnnh.exec:\9ttnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\xlrffrr.exec:\xlrffrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\3llxxlx.exec:\3llxxlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\nbnhtn.exec:\nbnhtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\jvpdp.exec:\jvpdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\lrxrxlr.exec:\lrxrxlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\bthntb.exec:\bthntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\7nhthh.exec:\7nhthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\bbhthb.exec:\bbhthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\rllxlfr.exec:\rllxlfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\jvpdp.exec:\jvpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\1bhthn.exec:\1bhthn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\9vvjp.exec:\9vvjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\nnthnh.exec:\nnthnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\frlxxxx.exec:\frlxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\5hhbnh.exec:\5hhbnh.exe23⤵
- Executes dropped EXE
PID:316 -
\??\c:\1hthnh.exec:\1hthnh.exe24⤵
- Executes dropped EXE
PID:1164 -
\??\c:\ppdjv.exec:\ppdjv.exe25⤵
- Executes dropped EXE
PID:3108 -
\??\c:\lrlxrlx.exec:\lrlxrlx.exe26⤵
- Executes dropped EXE
PID:3272 -
\??\c:\nnthth.exec:\nnthth.exe27⤵
- Executes dropped EXE
PID:3128 -
\??\c:\pjpdj.exec:\pjpdj.exe28⤵
- Executes dropped EXE
PID:3764 -
\??\c:\rrlrfxr.exec:\rrlrfxr.exe29⤵
- Executes dropped EXE
PID:3520 -
\??\c:\thnbhb.exec:\thnbhb.exe30⤵
- Executes dropped EXE
PID:2732 -
\??\c:\pjjdv.exec:\pjjdv.exe31⤵
- Executes dropped EXE
PID:980 -
\??\c:\xflxlxl.exec:\xflxlxl.exe32⤵
- Executes dropped EXE
PID:1420 -
\??\c:\thhtht.exec:\thhtht.exe33⤵
- Executes dropped EXE
PID:2004 -
\??\c:\pjdpd.exec:\pjdpd.exe34⤵
- Executes dropped EXE
PID:828 -
\??\c:\5llxfxr.exec:\5llxfxr.exe35⤵
- Executes dropped EXE
PID:3196 -
\??\c:\hnhbbn.exec:\hnhbbn.exe36⤵
- Executes dropped EXE
PID:2440 -
\??\c:\bhhbth.exec:\bhhbth.exe37⤵
- Executes dropped EXE
PID:2768 -
\??\c:\pppdp.exec:\pppdp.exe38⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xxfxfxl.exec:\xxfxfxl.exe39⤵
- Executes dropped EXE
PID:4592 -
\??\c:\lfffxlx.exec:\lfffxlx.exe40⤵
- Executes dropped EXE
PID:3980 -
\??\c:\thnbtn.exec:\thnbtn.exe41⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jpjvj.exec:\jpjvj.exe42⤵
- Executes dropped EXE
PID:4152 -
\??\c:\xrlrfxl.exec:\xrlrfxl.exe43⤵
- Executes dropped EXE
PID:1648 -
\??\c:\lflxxrr.exec:\lflxxrr.exe44⤵
- Executes dropped EXE
PID:1204 -
\??\c:\5hnhbt.exec:\5hnhbt.exe45⤵
- Executes dropped EXE
PID:4464 -
\??\c:\7jdjj.exec:\7jdjj.exe46⤵
- Executes dropped EXE
PID:400 -
\??\c:\llxrfxr.exec:\llxrfxr.exe47⤵
- Executes dropped EXE
PID:5116 -
\??\c:\hhbhnn.exec:\hhbhnn.exe48⤵
- Executes dropped EXE
PID:4332 -
\??\c:\7ddpp.exec:\7ddpp.exe49⤵
- Executes dropped EXE
PID:396 -
\??\c:\jdjvj.exec:\jdjvj.exe50⤵
- Executes dropped EXE
PID:1056 -
\??\c:\rllxlrf.exec:\rllxlrf.exe51⤵
- Executes dropped EXE
PID:1540 -
\??\c:\bnhbtn.exec:\bnhbtn.exe52⤵
- Executes dropped EXE
PID:1476 -
\??\c:\htbtbt.exec:\htbtbt.exe53⤵
- Executes dropped EXE
PID:3964 -
\??\c:\vjdjv.exec:\vjdjv.exe54⤵
- Executes dropped EXE
PID:4304 -
\??\c:\rllxfxr.exec:\rllxfxr.exe55⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xfxxlfx.exec:\xfxxlfx.exe56⤵
- Executes dropped EXE
PID:2344 -
\??\c:\thbthb.exec:\thbthb.exe57⤵
- Executes dropped EXE
PID:3512 -
\??\c:\tnbnhb.exec:\tnbnhb.exe58⤵
- Executes dropped EXE
PID:1368 -
\??\c:\dddvd.exec:\dddvd.exe59⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xxflfxl.exec:\xxflfxl.exe60⤵
- Executes dropped EXE
PID:3936 -
\??\c:\bhhbnh.exec:\bhhbnh.exe61⤵
- Executes dropped EXE
PID:4272 -
\??\c:\7nbntn.exec:\7nbntn.exe62⤵
- Executes dropped EXE
PID:3452 -
\??\c:\7pjvp.exec:\7pjvp.exe63⤵
- Executes dropped EXE
PID:3680 -
\??\c:\3ppjp.exec:\3ppjp.exe64⤵
- Executes dropped EXE
PID:2544 -
\??\c:\xfflllr.exec:\xfflllr.exe65⤵
- Executes dropped EXE
PID:648 -
\??\c:\nbnbbt.exec:\nbnbbt.exe66⤵PID:1068
-
\??\c:\dvdvd.exec:\dvdvd.exe67⤵PID:1752
-
\??\c:\3jjvj.exec:\3jjvj.exe68⤵PID:1776
-
\??\c:\xflxfxx.exec:\xflxfxx.exe69⤵PID:3140
-
\??\c:\ntnhtn.exec:\ntnhtn.exe70⤵PID:720
-
\??\c:\vjdpd.exec:\vjdpd.exe71⤵PID:2928
-
\??\c:\dppjv.exec:\dppjv.exe72⤵PID:5020
-
\??\c:\1llxrll.exec:\1llxrll.exe73⤵PID:1016
-
\??\c:\bbbnhb.exec:\bbbnhb.exe74⤵PID:4044
-
\??\c:\bhnbnb.exec:\bhnbnb.exe75⤵PID:4340
-
\??\c:\vjvpv.exec:\vjvpv.exe76⤵PID:636
-
\??\c:\3xxfxlx.exec:\3xxfxlx.exe77⤵PID:1944
-
\??\c:\5xlfxrf.exec:\5xlfxrf.exe78⤵PID:2792
-
\??\c:\bbhbnh.exec:\bbhbnh.exe79⤵PID:4364
-
\??\c:\djjpj.exec:\djjpj.exe80⤵PID:4404
-
\??\c:\lxxxrlx.exec:\lxxxrlx.exe81⤵PID:4316
-
\??\c:\xflxlff.exec:\xflxlff.exe82⤵PID:3880
-
\??\c:\httthb.exec:\httthb.exe83⤵PID:764
-
\??\c:\vpjvj.exec:\vpjvj.exe84⤵PID:4508
-
\??\c:\xfrxxxx.exec:\xfrxxxx.exe85⤵PID:3088
-
\??\c:\9hbhbb.exec:\9hbhbb.exe86⤵PID:628
-
\??\c:\ppdjj.exec:\ppdjj.exe87⤵PID:1696
-
\??\c:\jvvjd.exec:\jvvjd.exe88⤵PID:724
-
\??\c:\xlxfrlr.exec:\xlxfrlr.exe89⤵PID:4560
-
\??\c:\ttbbnh.exec:\ttbbnh.exe90⤵PID:3108
-
\??\c:\1pdpj.exec:\1pdpj.exe91⤵PID:3136
-
\??\c:\vjjdv.exec:\vjjdv.exe92⤵PID:2652
-
\??\c:\ffrflfx.exec:\ffrflfx.exe93⤵PID:3612
-
\??\c:\hbbnbh.exec:\hbbnbh.exe94⤵PID:2036
-
\??\c:\dpjvj.exec:\dpjvj.exe95⤵PID:4836
-
\??\c:\vvvdp.exec:\vvvdp.exe96⤵PID:3392
-
\??\c:\xxxrffr.exec:\xxxrffr.exe97⤵PID:2368
-
\??\c:\htnhtn.exec:\htnhtn.exe98⤵PID:368
-
\??\c:\vpppp.exec:\vpppp.exe99⤵PID:4924
-
\??\c:\vvjvj.exec:\vvjvj.exe100⤵PID:4948
-
\??\c:\1xfrxrf.exec:\1xfrxrf.exe101⤵PID:4308
-
\??\c:\lfrrflx.exec:\lfrrflx.exe102⤵PID:2992
-
\??\c:\5bbnbb.exec:\5bbnbb.exe103⤵PID:1328
-
\??\c:\3pjdp.exec:\3pjdp.exe104⤵PID:2780
-
\??\c:\lrrfxlr.exec:\lrrfxlr.exe105⤵PID:2804
-
\??\c:\hhhthb.exec:\hhhthb.exe106⤵PID:4660
-
\??\c:\nbthtn.exec:\nbthtn.exe107⤵PID:2124
-
\??\c:\jjvjd.exec:\jjvjd.exe108⤵PID:2276
-
\??\c:\pjvjd.exec:\pjvjd.exe109⤵PID:4004
-
\??\c:\7rfxlfr.exec:\7rfxlfr.exe110⤵PID:2212
-
\??\c:\hthtth.exec:\hthtth.exe111⤵PID:2100
-
\??\c:\nhhbtn.exec:\nhhbtn.exe112⤵PID:2904
-
\??\c:\jdvpd.exec:\jdvpd.exe113⤵PID:3120
-
\??\c:\xlfxlrl.exec:\xlfxlrl.exe114⤵PID:4204
-
\??\c:\tnhbhb.exec:\tnhbhb.exe115⤵PID:4644
-
\??\c:\vvvpd.exec:\vvvpd.exe116⤵PID:4292
-
\??\c:\jjddp.exec:\jjddp.exe117⤵PID:2360
-
\??\c:\xlflrff.exec:\xlflrff.exe118⤵PID:3696
-
\??\c:\5nnbnn.exec:\5nnbnn.exe119⤵PID:3224
-
\??\c:\pdjvj.exec:\pdjvj.exe120⤵PID:3596
-
\??\c:\djdpp.exec:\djdpp.exe121⤵PID:3844
-
\??\c:\fllxlxr.exec:\fllxlxr.exe122⤵
- System Location Discovery: System Language Discovery
PID:788