Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 23:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe
-
Size
453KB
-
MD5
6029bb04d46dcdc5f0d27a361b031e57
-
SHA1
7000331caaebb3f8c5d2dbc7c1ce064a262ef422
-
SHA256
52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c
-
SHA512
1db65470ba6d9277ba10430b6989b6d40ba7502887143fedb52fb78e6b1e7452849f7701448cedee268869282d6544fe769d75f815712dd412c9adb3749cd624
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3092-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2444-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2444-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-952-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-1178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4028 lxfxrfx.exe 4340 7bhtht.exe 1196 1vvjv.exe 1188 flfxlfx.exe 3688 nbthbn.exe 2956 tntnnh.exe 1040 bnnhtn.exe 1412 tbbtnh.exe 3332 xlxrfxf.exe 3648 tbbntt.exe 4332 rfxlrlx.exe 4032 3pjjv.exe 3164 3fxlxrf.exe 2232 hhnbth.exe 3232 7frfrrf.exe 2128 hhnnhb.exe 4500 djpdp.exe 1396 1jdjd.exe 2256 bhnhht.exe 3252 djpdv.exe 4816 ttbtnn.exe 1916 rfffxxx.exe 1524 tbbbtn.exe 2972 pjppj.exe 1228 tbhhbt.exe 4476 pvppj.exe 1408 pvdvv.exe 1780 rlllllf.exe 2444 tnnhbt.exe 3612 3bbhbh.exe 2308 vpvvv.exe 4568 vpjvp.exe 4700 xxfxrrr.exe 2008 vdppv.exe 1464 fxfxrrf.exe 2420 5bnhhh.exe 3284 vjdvj.exe 3200 lxxrlll.exe 1112 nhhnhn.exe 2296 bttnhb.exe 208 jvjdd.exe 4404 fxlfllr.exe 348 rfrlfxr.exe 4036 7jpvp.exe 3324 xrxrrll.exe 4464 xxfxffl.exe 3564 thnhbb.exe 4860 jdpjv.exe 1380 lxfxrrl.exe 3988 nbbbnh.exe 3948 hbbttn.exe 2772 jvdvv.exe 4548 rrrrrll.exe 1412 nthhhb.exe 1036 ppjjd.exe 3332 lrfxrfr.exe 4788 7hhhht.exe 3648 dpjvp.exe 1928 jddvv.exe 1556 fxrlffx.exe 1656 9ntttt.exe 400 dpvpj.exe 632 9lfxrrl.exe 4420 hhhbbb.exe -
resource yara_rule behavioral2/memory/3092-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3612-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4588-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-952-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3092 wrote to memory of 4028 3092 52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe 82 PID 3092 wrote to memory of 4028 3092 52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe 82 PID 3092 wrote to memory of 4028 3092 52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe 82 PID 4028 wrote to memory of 4340 4028 lxfxrfx.exe 83 PID 4028 wrote to memory of 4340 4028 lxfxrfx.exe 83 PID 4028 wrote to memory of 4340 4028 lxfxrfx.exe 83 PID 4340 wrote to memory of 1196 4340 7bhtht.exe 84 PID 4340 wrote to memory of 1196 4340 7bhtht.exe 84 PID 4340 wrote to memory of 1196 4340 7bhtht.exe 84 PID 1196 wrote to memory of 1188 1196 1vvjv.exe 85 PID 1196 wrote to memory of 1188 1196 1vvjv.exe 85 PID 1196 wrote to memory of 1188 1196 1vvjv.exe 85 PID 1188 wrote to memory of 3688 1188 flfxlfx.exe 86 PID 1188 wrote to memory of 3688 1188 flfxlfx.exe 86 PID 1188 wrote to memory of 3688 1188 flfxlfx.exe 86 PID 3688 wrote to memory of 2956 3688 nbthbn.exe 87 PID 3688 wrote to memory of 2956 3688 nbthbn.exe 87 PID 3688 wrote to memory of 2956 3688 nbthbn.exe 87 PID 2956 wrote to memory of 1040 2956 tntnnh.exe 88 PID 2956 wrote to memory of 1040 2956 tntnnh.exe 88 PID 2956 wrote to memory of 1040 2956 tntnnh.exe 88 PID 1040 wrote to memory of 1412 1040 bnnhtn.exe 89 PID 1040 wrote to memory of 1412 1040 bnnhtn.exe 89 PID 1040 wrote to memory of 1412 1040 bnnhtn.exe 89 PID 1412 wrote to memory of 3332 1412 tbbtnh.exe 90 PID 1412 wrote to memory of 3332 1412 tbbtnh.exe 90 PID 1412 wrote to memory of 3332 1412 tbbtnh.exe 90 PID 3332 wrote to memory of 3648 3332 xlxrfxf.exe 91 PID 3332 wrote to memory of 3648 3332 xlxrfxf.exe 91 PID 3332 wrote to memory of 3648 3332 xlxrfxf.exe 91 PID 3648 wrote to memory of 4332 3648 tbbntt.exe 92 PID 3648 wrote to memory of 4332 3648 tbbntt.exe 92 PID 3648 wrote to memory of 4332 3648 tbbntt.exe 92 PID 4332 wrote to memory of 4032 4332 rfxlrlx.exe 93 PID 4332 
wrote to memory of 4032 4332 rfxlrlx.exe 93 PID 4332 wrote to memory of 4032 4332 rfxlrlx.exe 93 PID 4032 wrote to memory of 3164 4032 3pjjv.exe 94 PID 4032 wrote to memory of 3164 4032 3pjjv.exe 94 PID 4032 wrote to memory of 3164 4032 3pjjv.exe 94 PID 3164 wrote to memory of 2232 3164 3fxlxrf.exe 95 PID 3164 wrote to memory of 2232 3164 3fxlxrf.exe 95 PID 3164 wrote to memory of 2232 3164 3fxlxrf.exe 95 PID 2232 wrote to memory of 3232 2232 hhnbth.exe 96 PID 2232 wrote to memory of 3232 2232 hhnbth.exe 96 PID 2232 wrote to memory of 3232 2232 hhnbth.exe 96 PID 3232 wrote to memory of 2128 3232 7frfrrf.exe 97 PID 3232 wrote to memory of 2128 3232 7frfrrf.exe 97 PID 3232 wrote to memory of 2128 3232 7frfrrf.exe 97 PID 2128 wrote to memory of 4500 2128 hhnnhb.exe 98 PID 2128 wrote to memory of 4500 2128 hhnnhb.exe 98 PID 2128 wrote to memory of 4500 2128 hhnnhb.exe 98 PID 4500 wrote to memory of 1396 4500 djpdp.exe 99 PID 4500 wrote to memory of 1396 4500 djpdp.exe 99 PID 4500 wrote to memory of 1396 4500 djpdp.exe 99 PID 1396 wrote to memory of 2256 1396 1jdjd.exe 100 PID 1396 wrote to memory of 2256 1396 1jdjd.exe 100 PID 1396 wrote to memory of 2256 1396 1jdjd.exe 100 PID 2256 wrote to memory of 3252 2256 bhnhht.exe 101 PID 2256 wrote to memory of 3252 2256 bhnhht.exe 101 PID 2256 wrote to memory of 3252 2256 bhnhht.exe 101 PID 3252 wrote to memory of 4816 3252 djpdv.exe 102 PID 3252 wrote to memory of 4816 3252 djpdv.exe 102 PID 3252 wrote to memory of 4816 3252 djpdv.exe 102 PID 4816 wrote to memory of 1916 4816 ttbtnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe"C:\Users\Admin\AppData\Local\Temp\52dd66f4a3d733dda728be1fc9f4f6829a66c6f9be78f206dc0c34e6149dbf5c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\lxfxrfx.exec:\lxfxrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\7bhtht.exec:\7bhtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\1vvjv.exec:\1vvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\flfxlfx.exec:\flfxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\nbthbn.exec:\nbthbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\tntnnh.exec:\tntnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\bnnhtn.exec:\bnnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\tbbtnh.exec:\tbbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\xlxrfxf.exec:\xlxrfxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\tbbntt.exec:\tbbntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\rfxlrlx.exec:\rfxlrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\3pjjv.exec:\3pjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\3fxlxrf.exec:\3fxlxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\hhnbth.exec:\hhnbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\7frfrrf.exec:\7frfrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\hhnnhb.exec:\hhnnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\djpdp.exec:\djpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\1jdjd.exec:\1jdjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\bhnhht.exec:\bhnhht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\djpdv.exec:\djpdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\ttbtnn.exec:\ttbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\rfffxxx.exec:\rfffxxx.exe23⤵
- Executes dropped EXE
PID:1916 -
\??\c:\tbbbtn.exec:\tbbbtn.exe24⤵
- Executes dropped EXE
PID:1524 -
\??\c:\pjppj.exec:\pjppj.exe25⤵
- Executes dropped EXE
PID:2972 -
\??\c:\tbhhbt.exec:\tbhhbt.exe26⤵
- Executes dropped EXE
PID:1228 -
\??\c:\pvppj.exec:\pvppj.exe27⤵
- Executes dropped EXE
PID:4476 -
\??\c:\pvdvv.exec:\pvdvv.exe28⤵
- Executes dropped EXE
PID:1408 -
\??\c:\rlllllf.exec:\rlllllf.exe29⤵
- Executes dropped EXE
PID:1780 -
\??\c:\tnnhbt.exec:\tnnhbt.exe30⤵
- Executes dropped EXE
PID:2444 -
\??\c:\3bbhbh.exec:\3bbhbh.exe31⤵
- Executes dropped EXE
PID:3612 -
\??\c:\vpvvv.exec:\vpvvv.exe32⤵
- Executes dropped EXE
PID:2308 -
\??\c:\vpjvp.exec:\vpjvp.exe33⤵
- Executes dropped EXE
PID:4568 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe34⤵
- Executes dropped EXE
PID:4700 -
\??\c:\vdppv.exec:\vdppv.exe35⤵
- Executes dropped EXE
PID:2008 -
\??\c:\fxfxrrf.exec:\fxfxrrf.exe36⤵
- Executes dropped EXE
PID:1464 -
\??\c:\5bnhhh.exec:\5bnhhh.exe37⤵
- Executes dropped EXE
PID:2420 -
\??\c:\vjdvj.exec:\vjdvj.exe38⤵
- Executes dropped EXE
PID:3284 -
\??\c:\lxxrlll.exec:\lxxrlll.exe39⤵
- Executes dropped EXE
PID:3200 -
\??\c:\nhhnhn.exec:\nhhnhn.exe40⤵
- Executes dropped EXE
PID:1112 -
\??\c:\bttnhb.exec:\bttnhb.exe41⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jvjdd.exec:\jvjdd.exe42⤵
- Executes dropped EXE
PID:208 -
\??\c:\fxlfllr.exec:\fxlfllr.exe43⤵
- Executes dropped EXE
PID:4404 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe44⤵
- Executes dropped EXE
PID:348 -
\??\c:\ntbbtt.exec:\ntbbtt.exe45⤵PID:3092
-
\??\c:\7jpvp.exec:\7jpvp.exe46⤵
- Executes dropped EXE
PID:4036 -
\??\c:\xrxrrll.exec:\xrxrrll.exe47⤵
- Executes dropped EXE
PID:3324 -
\??\c:\xxfxffl.exec:\xxfxffl.exe48⤵
- Executes dropped EXE
PID:4464 -
\??\c:\thnhbb.exec:\thnhbb.exe49⤵
- Executes dropped EXE
PID:3564 -
\??\c:\jdpjv.exec:\jdpjv.exe50⤵
- Executes dropped EXE
PID:4860 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe51⤵
- Executes dropped EXE
PID:1380 -
\??\c:\nbbbnh.exec:\nbbbnh.exe52⤵
- Executes dropped EXE
PID:3988 -
\??\c:\hbbttn.exec:\hbbttn.exe53⤵
- Executes dropped EXE
PID:3948 -
\??\c:\jvdvv.exec:\jvdvv.exe54⤵
- Executes dropped EXE
PID:2772 -
\??\c:\rrrrrll.exec:\rrrrrll.exe55⤵
- Executes dropped EXE
PID:4548 -
\??\c:\nthhhb.exec:\nthhhb.exe56⤵
- Executes dropped EXE
PID:1412 -
\??\c:\ppjjd.exec:\ppjjd.exe57⤵
- Executes dropped EXE
PID:1036 -
\??\c:\lrfxrfr.exec:\lrfxrfr.exe58⤵
- Executes dropped EXE
PID:3332 -
\??\c:\7hhhht.exec:\7hhhht.exe59⤵
- Executes dropped EXE
PID:4788 -
\??\c:\dpjvp.exec:\dpjvp.exe60⤵
- Executes dropped EXE
PID:3648 -
\??\c:\jddvv.exec:\jddvv.exe61⤵
- Executes dropped EXE
PID:1928 -
\??\c:\fxrlffx.exec:\fxrlffx.exe62⤵
- Executes dropped EXE
PID:1556 -
\??\c:\9ntttt.exec:\9ntttt.exe63⤵
- Executes dropped EXE
PID:1656 -
\??\c:\dpvpj.exec:\dpvpj.exe64⤵
- Executes dropped EXE
PID:400 -
\??\c:\9lfxrrl.exec:\9lfxrrl.exe65⤵
- Executes dropped EXE
PID:632 -
\??\c:\hhhbbb.exec:\hhhbbb.exe66⤵
- Executes dropped EXE
PID:4420 -
\??\c:\tbhbhh.exec:\tbhbhh.exe67⤵PID:316
-
\??\c:\pjvpv.exec:\pjvpv.exe68⤵PID:2968
-
\??\c:\3rllffx.exec:\3rllffx.exe69⤵PID:4500
-
\??\c:\tbbbtt.exec:\tbbbtt.exe70⤵PID:5080
-
\??\c:\nnbtbb.exec:\nnbtbb.exe71⤵PID:780
-
\??\c:\3pjdv.exec:\3pjdv.exe72⤵PID:2256
-
\??\c:\xflrffx.exec:\xflrffx.exe73⤵PID:1368
-
\??\c:\btttnn.exec:\btttnn.exe74⤵PID:552
-
\??\c:\bbnnnn.exec:\bbnnnn.exe75⤵PID:3132
-
\??\c:\dpvpd.exec:\dpvpd.exe76⤵PID:2876
-
\??\c:\xxlxlll.exec:\xxlxlll.exe77⤵PID:4644
-
\??\c:\bntnhb.exec:\bntnhb.exe78⤵PID:4988
-
\??\c:\vpjjj.exec:\vpjjj.exe79⤵PID:4936
-
\??\c:\rfrlllf.exec:\rfrlllf.exe80⤵PID:4132
-
\??\c:\fflfxxr.exec:\fflfxxr.exe81⤵PID:1688
-
\??\c:\tnbtnh.exec:\tnbtnh.exe82⤵PID:3596
-
\??\c:\jvvpj.exec:\jvvpj.exe83⤵PID:1408
-
\??\c:\7vdvp.exec:\7vdvp.exe84⤵PID:3616
-
\??\c:\7xfxffl.exec:\7xfxffl.exe85⤵PID:2444
-
\??\c:\thbnhb.exec:\thbnhb.exe86⤵PID:3144
-
\??\c:\bntnhh.exec:\bntnhh.exe87⤵PID:3700
-
\??\c:\dvvpj.exec:\dvvpj.exe88⤵PID:4276
-
\??\c:\frrrlll.exec:\frrrlll.exe89⤵PID:4888
-
\??\c:\bhhbnh.exec:\bhhbnh.exe90⤵PID:3148
-
\??\c:\3nhbtb.exec:\3nhbtb.exe91⤵PID:2644
-
\??\c:\jvjdj.exec:\jvjdj.exe92⤵PID:2540
-
\??\c:\lffffff.exec:\lffffff.exe93⤵PID:2836
-
\??\c:\fxxrffx.exec:\fxxrffx.exe94⤵PID:2340
-
\??\c:\5hhbbb.exec:\5hhbbb.exe95⤵PID:1772
-
\??\c:\1pjdd.exec:\1pjdd.exe96⤵PID:1464
-
\??\c:\rrfxrrx.exec:\rrfxrrx.exe97⤵PID:3496
-
\??\c:\1nbbtb.exec:\1nbbtb.exe98⤵PID:3708
-
\??\c:\3bhbnn.exec:\3bhbnn.exe99⤵PID:4556
-
\??\c:\pdpdj.exec:\pdpdj.exe100⤵PID:4588
-
\??\c:\xrxrrrf.exec:\xrxrrrf.exe101⤵PID:3336
-
\??\c:\flrlffx.exec:\flrlffx.exe102⤵PID:4400
-
\??\c:\hbhhhn.exec:\hbhhhn.exe103⤵PID:4528
-
\??\c:\vppvj.exec:\vppvj.exe104⤵PID:5012
-
\??\c:\fxrrllf.exec:\fxrrllf.exe105⤵PID:348
-
\??\c:\xxrlfrr.exec:\xxrlfrr.exe106⤵PID:4028
-
\??\c:\btbtbb.exec:\btbtbb.exe107⤵PID:3516
-
\??\c:\pdpjd.exec:\pdpjd.exe108⤵PID:4580
-
\??\c:\9vpjd.exec:\9vpjd.exe109⤵PID:2616
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe110⤵PID:5108
-
\??\c:\9hnhhb.exec:\9hnhhb.exe111⤵PID:4560
-
\??\c:\jdvvp.exec:\jdvvp.exe112⤵PID:3748
-
\??\c:\7flffxx.exec:\7flffxx.exe113⤵PID:3688
-
\??\c:\fxffrrl.exec:\fxffrrl.exe114⤵PID:3988
-
\??\c:\hbhbbh.exec:\hbhbbh.exe115⤵PID:1040
-
\??\c:\pdjjv.exec:\pdjjv.exe116⤵PID:4084
-
\??\c:\lxfxxrl.exec:\lxfxxrl.exe117⤵PID:4548
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe118⤵PID:3504
-
\??\c:\nhhbnn.exec:\nhhbnn.exe119⤵PID:2944
-
\??\c:\dvpjp.exec:\dvpjp.exe120⤵PID:3112
-
\??\c:\dpvpd.exec:\dpvpd.exe121⤵PID:376
-
\??\c:\rlrrxxx.exec:\rlrrxxx.exe122⤵PID:4064