Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 11:33
Behavioral task
behavioral1
Sample
4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d.exe
Resource
win7-20240903-en
9 signatures
150 seconds
General
-
Target
4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d.exe
-
Size
3.7MB
-
MD5
dd046b69e8d48ebf28c12b52eb1d4d0b
-
SHA1
234697c421a46f588c2674bad6a0ce2328c2751e
-
SHA256
4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d
-
SHA512
cc910d67380e2f62fb26d702f11c05ef2f73035f85ac8a166571335dfc089234a6127ee273e07622cadabfc783312329464ff313df6e0fafeb79ad927d1c98e2
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98O:U6XLq/qPPslzKx/dJg1ErmNx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1752-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3388-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/964-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3584-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/708-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2956-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1324-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1156-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2796-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/864-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/616-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2908-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-635-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-729-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3388-772-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-833-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-1014-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-1608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 4656 hnhhhn.exe 2464 3tthht.exe 4176 3lxrrrl.exe 4864 dvppv.exe 1972 1pddd.exe 2272 hhnttb.exe 2112 vjpjd.exe 60 dpjvp.exe 2780 vjppp.exe 3388 rrxflrx.exe 964 ppppp.exe 4960 ppjjv.exe 1504 jdpjj.exe 3048 7bhtnh.exe 4832 tntnnh.exe 2032 1ffxrfr.exe 2056 1nbnhn.exe 2804 9bhbtn.exe 2888 httnbt.exe 2456 jvvpj.exe 2504 tnnhnh.exe 4588 hbbbtt.exe 3584 nhbbbn.exe 2368 hnbttn.exe 2876 9tttht.exe 708 djvvj.exe 4428 dvddp.exe 1856 pjpjd.exe 1904 nbnntn.exe 4740 nnnnhb.exe 3432 djdpj.exe 2748 5vpjd.exe 4824 9tbtnt.exe 3744 xfrlxxl.exe 5108 nntnhb.exe 3324 vdjdj.exe 2184 vpjdp.exe 4660 btbtnh.exe 4404 htbnnh.exe 2868 xffxfrr.exe 2956 xxxrfxr.exe 1096 xfrlllr.exe 1324 1xffllr.exe 4968 xlxxfrx.exe 4984 1rrxflr.exe 852 frxlffr.exe 3392 xfrlrxf.exe 2256 vjjdj.exe 1156 dvjjd.exe 744 frfxrlf.exe 5088 dddvv.exe 3652 1jvpp.exe 1388 djpjj.exe 3376 nnnnnh.exe 3956 nbbttt.exe 2212 nbbtnh.exe 2532 dpppj.exe 4864 ppjjv.exe 1972 pjjjj.exe 3904 jjjpj.exe 4736 vjjpp.exe 2796 dpvjv.exe 1632 tthbbt.exe 4532 hhttnn.exe -
resource yara_rule behavioral2/memory/1752-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1752-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c8f-4.dat upx behavioral2/files/0x0007000000023c93-9.dat upx behavioral2/memory/4656-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2464-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-17.dat upx behavioral2/files/0x0007000000023c95-21.dat upx behavioral2/memory/4176-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-29.dat upx behavioral2/memory/4864-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1972-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c90-34.dat upx behavioral2/memory/2112-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2272-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-39.dat upx behavioral2/files/0x0007000000023c98-45.dat upx behavioral2/files/0x0007000000023c99-50.dat upx behavioral2/memory/2780-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/60-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-59.dat upx behavioral2/memory/964-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3388-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-63.dat upx behavioral2/files/0x0007000000023c9c-72.dat upx behavioral2/memory/964-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-78.dat upx behavioral2/memory/4960-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-84.dat upx behavioral2/memory/1504-83-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c9f-87.dat upx behavioral2/memory/3048-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4832-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-94.dat upx behavioral2/memory/2032-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-101.dat upx behavioral2/files/0x0007000000023ca2-108.dat upx behavioral2/memory/2056-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2804-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-112.dat upx behavioral2/files/0x0007000000023ca4-117.dat upx behavioral2/files/0x0007000000023ca5-124.dat upx behavioral2/files/0x0007000000023ca6-128.dat upx behavioral2/memory/4588-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-133.dat upx behavioral2/files/0x0007000000023ca8-139.dat upx behavioral2/memory/2368-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3584-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-147.dat upx behavioral2/files/0x0007000000023caa-151.dat upx behavioral2/memory/708-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-157.dat upx behavioral2/memory/4428-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-164.dat upx behavioral2/files/0x0007000000023cad-169.dat upx behavioral2/files/0x0007000000023cae-173.dat upx behavioral2/memory/4740-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-180.dat upx behavioral2/memory/2748-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-186.dat upx behavioral2/memory/3432-185-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2748-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4824-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3744-198-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xlfllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9flffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1752 wrote to memory of 4656 1752 4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d.exe 82 PID 1752 wrote to memory of 4656 1752 4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d.exe 82 PID 1752 wrote to memory of 4656 1752 4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d.exe 82 PID 4656 wrote to memory of 2464 4656 hnhhhn.exe 83 PID 4656 wrote to memory of 2464 4656 hnhhhn.exe 83 PID 4656 wrote to memory of 2464 4656 hnhhhn.exe 83 PID 2464 wrote to memory of 4176 2464 3tthht.exe 84 PID 2464 wrote to memory of 4176 2464 3tthht.exe 84 PID 2464 wrote to memory of 4176 2464 3tthht.exe 84 PID 4176 wrote to memory of 4864 4176 3lxrrrl.exe 139 PID 4176 wrote to memory of 4864 4176 3lxrrrl.exe 139 PID 4176 wrote to memory of 4864 4176 3lxrrrl.exe 139 PID 4864 wrote to memory of 1972 4864 dvppv.exe 140 PID 4864 wrote to memory of 1972 4864 dvppv.exe 140 PID 4864 wrote to memory of 1972 4864 dvppv.exe 140 PID 1972 wrote to memory of 2272 1972 1pddd.exe 87 PID 1972 wrote to memory of 2272 1972 1pddd.exe 87 PID 1972 wrote to memory of 2272 1972 1pddd.exe 87 PID 2272 wrote to memory of 2112 2272 hhnttb.exe 88 PID 2272 wrote to memory of 2112 2272 hhnttb.exe 88 PID 2272 wrote to memory of 2112 2272 hhnttb.exe 88 PID 2112 wrote to memory of 60 2112 vjpjd.exe 89 PID 2112 wrote to memory of 60 2112 vjpjd.exe 89 PID 2112 wrote to memory of 60 2112 vjpjd.exe 89 PID 60 wrote to memory of 2780 60 dpjvp.exe 90 PID 60 wrote to memory of 2780 60 dpjvp.exe 90 PID 60 wrote to memory of 2780 60 dpjvp.exe 90 PID 2780 wrote to memory of 3388 2780 vjppp.exe 91 PID 2780 wrote to memory of 3388 2780 vjppp.exe 91 PID 2780 wrote to memory of 3388 2780 vjppp.exe 91 PID 3388 wrote to memory of 964 3388 rrxflrx.exe 92 PID 3388 wrote to memory of 964 3388 rrxflrx.exe 92 PID 3388 wrote to memory of 964 3388 rrxflrx.exe 92 PID 964 wrote to memory of 4960 964 ppppp.exe 93 PID 964 wrote to memory of 4960 964 ppppp.exe 
93 PID 964 wrote to memory of 4960 964 ppppp.exe 93 PID 4960 wrote to memory of 1504 4960 ppjjv.exe 94 PID 4960 wrote to memory of 1504 4960 ppjjv.exe 94 PID 4960 wrote to memory of 1504 4960 ppjjv.exe 94 PID 1504 wrote to memory of 3048 1504 jdpjj.exe 95 PID 1504 wrote to memory of 3048 1504 jdpjj.exe 95 PID 1504 wrote to memory of 3048 1504 jdpjj.exe 95 PID 3048 wrote to memory of 4832 3048 7bhtnh.exe 96 PID 3048 wrote to memory of 4832 3048 7bhtnh.exe 96 PID 3048 wrote to memory of 4832 3048 7bhtnh.exe 96 PID 4832 wrote to memory of 2032 4832 tntnnh.exe 97 PID 4832 wrote to memory of 2032 4832 tntnnh.exe 97 PID 4832 wrote to memory of 2032 4832 tntnnh.exe 97 PID 2032 wrote to memory of 2056 2032 1ffxrfr.exe 98 PID 2032 wrote to memory of 2056 2032 1ffxrfr.exe 98 PID 2032 wrote to memory of 2056 2032 1ffxrfr.exe 98 PID 2056 wrote to memory of 2804 2056 1nbnhn.exe 99 PID 2056 wrote to memory of 2804 2056 1nbnhn.exe 99 PID 2056 wrote to memory of 2804 2056 1nbnhn.exe 99 PID 2804 wrote to memory of 2888 2804 9bhbtn.exe 100 PID 2804 wrote to memory of 2888 2804 9bhbtn.exe 100 PID 2804 wrote to memory of 2888 2804 9bhbtn.exe 100 PID 2888 wrote to memory of 2456 2888 httnbt.exe 157 PID 2888 wrote to memory of 2456 2888 httnbt.exe 157 PID 2888 wrote to memory of 2456 2888 httnbt.exe 157 PID 2456 wrote to memory of 2504 2456 jvvpj.exe 158 PID 2456 wrote to memory of 2504 2456 jvvpj.exe 158 PID 2456 wrote to memory of 2504 2456 jvvpj.exe 158 PID 2504 wrote to memory of 4588 2504 tnnhnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d.exe"C:\Users\Admin\AppData\Local\Temp\4ec200b1e8fcdbd55e44610c1d73482d8b3b96f5c24be9c9fd31133a7b7e6a5d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\hnhhhn.exec:\hnhhhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\3tthht.exec:\3tthht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\3lxrrrl.exec:\3lxrrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\dvppv.exec:\dvppv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\1pddd.exec:\1pddd.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\hhnttb.exec:\hhnttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\vjpjd.exec:\vjpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\dpjvp.exec:\dpjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\vjppp.exec:\vjppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\rrxflrx.exec:\rrxflrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\ppppp.exec:\ppppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\ppjjv.exec:\ppjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\jdpjj.exec:\jdpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\7bhtnh.exec:\7bhtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\tntnnh.exec:\tntnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\1ffxrfr.exec:\1ffxrfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\1nbnhn.exec:\1nbnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\9bhbtn.exec:\9bhbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\httnbt.exec:\httnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\jvvpj.exec:\jvvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\tnnhnh.exec:\tnnhnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\hbbbtt.exec:\hbbbtt.exe23⤵
- Executes dropped EXE
PID:4588 -
\??\c:\nhbbbn.exec:\nhbbbn.exe24⤵
- Executes dropped EXE
PID:3584 -
\??\c:\hnbttn.exec:\hnbttn.exe25⤵
- Executes dropped EXE
PID:2368 -
\??\c:\9tttht.exec:\9tttht.exe26⤵
- Executes dropped EXE
PID:2876 -
\??\c:\djvvj.exec:\djvvj.exe27⤵
- Executes dropped EXE
PID:708 -
\??\c:\dvddp.exec:\dvddp.exe28⤵
- Executes dropped EXE
PID:4428 -
\??\c:\pjpjd.exec:\pjpjd.exe29⤵
- Executes dropped EXE
PID:1856 -
\??\c:\nbnntn.exec:\nbnntn.exe30⤵
- Executes dropped EXE
PID:1904 -
\??\c:\nnnnhb.exec:\nnnnhb.exe31⤵
- Executes dropped EXE
PID:4740 -
\??\c:\djdpj.exec:\djdpj.exe32⤵
- Executes dropped EXE
PID:3432 -
\??\c:\5vpjd.exec:\5vpjd.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
\??\c:\9tbtnt.exec:\9tbtnt.exe34⤵
- Executes dropped EXE
PID:4824 -
\??\c:\xfrlxxl.exec:\xfrlxxl.exe35⤵
- Executes dropped EXE
PID:3744 -
\??\c:\nntnhb.exec:\nntnhb.exe36⤵
- Executes dropped EXE
PID:5108 -
\??\c:\vdjdj.exec:\vdjdj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3324 -
\??\c:\vpjdp.exec:\vpjdp.exe38⤵
- Executes dropped EXE
PID:2184 -
\??\c:\btbtnh.exec:\btbtnh.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4660 -
\??\c:\htbnnh.exec:\htbnnh.exe40⤵
- Executes dropped EXE
PID:4404 -
\??\c:\xffxfrr.exec:\xffxfrr.exe41⤵
- Executes dropped EXE
PID:2868 -
\??\c:\xxxrfxr.exec:\xxxrfxr.exe42⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xfrlllr.exec:\xfrlllr.exe43⤵
- Executes dropped EXE
PID:1096 -
\??\c:\1xffllr.exec:\1xffllr.exe44⤵
- Executes dropped EXE
PID:1324 -
\??\c:\xlxxfrx.exec:\xlxxfrx.exe45⤵
- Executes dropped EXE
PID:4968 -
\??\c:\1rrxflr.exec:\1rrxflr.exe46⤵
- Executes dropped EXE
PID:4984 -
\??\c:\frxlffr.exec:\frxlffr.exe47⤵
- Executes dropped EXE
PID:852 -
\??\c:\xfrlrxf.exec:\xfrlrxf.exe48⤵
- Executes dropped EXE
PID:3392 -
\??\c:\vjjdj.exec:\vjjdj.exe49⤵
- Executes dropped EXE
PID:2256 -
\??\c:\dvjjd.exec:\dvjjd.exe50⤵
- Executes dropped EXE
PID:1156 -
\??\c:\frfxrlf.exec:\frfxrlf.exe51⤵
- Executes dropped EXE
PID:744 -
\??\c:\dddvv.exec:\dddvv.exe52⤵
- Executes dropped EXE
PID:5088 -
\??\c:\1jvpp.exec:\1jvpp.exe53⤵
- Executes dropped EXE
PID:3652 -
\??\c:\djpjj.exec:\djpjj.exe54⤵
- Executes dropped EXE
PID:1388 -
\??\c:\nnnnnh.exec:\nnnnnh.exe55⤵
- Executes dropped EXE
PID:3376 -
\??\c:\nbbttt.exec:\nbbttt.exe56⤵
- Executes dropped EXE
PID:3956 -
\??\c:\nbbtnh.exec:\nbbtnh.exe57⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dpppj.exec:\dpppj.exe58⤵
- Executes dropped EXE
PID:2532 -
\??\c:\ppjjv.exec:\ppjjv.exe59⤵
- Executes dropped EXE
PID:4864 -
\??\c:\pjjjj.exec:\pjjjj.exe60⤵
- Executes dropped EXE
PID:1972 -
\??\c:\jjjpj.exec:\jjjpj.exe61⤵
- Executes dropped EXE
PID:3904 -
\??\c:\vjjpp.exec:\vjjpp.exe62⤵
- Executes dropped EXE
PID:4736 -
\??\c:\dpvjv.exec:\dpvjv.exe63⤵
- Executes dropped EXE
PID:2796 -
\??\c:\tthbbt.exec:\tthbbt.exe64⤵
- Executes dropped EXE
PID:1632 -
\??\c:\hhttnn.exec:\hhttnn.exe65⤵
- Executes dropped EXE
PID:4532 -
\??\c:\nhnnnh.exec:\nhnnnh.exe66⤵PID:864
-
\??\c:\3nbnbb.exec:\3nbnbb.exe67⤵PID:4996
-
\??\c:\tbtntb.exec:\tbtntb.exe68⤵PID:3284
-
\??\c:\3rxrllf.exec:\3rxrllf.exe69⤵PID:616
-
\??\c:\rllfrlf.exec:\rllfrlf.exe70⤵PID:540
-
\??\c:\frfxrll.exec:\frfxrll.exe71⤵PID:3492
-
\??\c:\jpjjv.exec:\jpjjv.exe72⤵PID:3488
-
\??\c:\vjddd.exec:\vjddd.exe73⤵PID:908
-
\??\c:\ppjjv.exec:\ppjjv.exe74⤵PID:1812
-
\??\c:\ddddv.exec:\ddddv.exe75⤵PID:2288
-
\??\c:\nbhbht.exec:\nbhbht.exe76⤵PID:740
-
\??\c:\nnnbhn.exec:\nnnbhn.exe77⤵PID:2456
-
\??\c:\hhttnn.exec:\hhttnn.exe78⤵PID:2504
-
\??\c:\3nbtnh.exec:\3nbtnh.exe79⤵
- System Location Discovery: System Language Discovery
PID:1732 -
\??\c:\5xlfffl.exec:\5xlfffl.exe80⤵PID:3944
-
\??\c:\fffrlxr.exec:\fffrlxr.exe81⤵PID:304
-
\??\c:\rfllflf.exec:\rfllflf.exe82⤵PID:1192
-
\??\c:\jdddd.exec:\jdddd.exe83⤵PID:4944
-
\??\c:\1vddd.exec:\1vddd.exe84⤵PID:4436
-
\??\c:\vpvpv.exec:\vpvpv.exe85⤵PID:2440
-
\??\c:\jvjjp.exec:\jvjjp.exe86⤵PID:2080
-
\??\c:\pddjj.exec:\pddjj.exe87⤵PID:3636
-
\??\c:\9thnbn.exec:\9thnbn.exe88⤵PID:4148
-
\??\c:\bnhnnt.exec:\bnhnnt.exe89⤵PID:3648
-
\??\c:\7hhbbb.exec:\7hhbbb.exe90⤵
- System Location Discovery: System Language Discovery
PID:2724 -
\??\c:\btbbbb.exec:\btbbbb.exe91⤵PID:3280
-
\??\c:\llrxxxr.exec:\llrxxxr.exe92⤵PID:2480
-
\??\c:\1lxfxxr.exec:\1lxfxxr.exe93⤵PID:3580
-
\??\c:\7xxlxlr.exec:\7xxlxlr.exe94⤵PID:4812
-
\??\c:\xfrlrlf.exec:\xfrlrlf.exe95⤵PID:4452
-
\??\c:\fllrxxx.exec:\fllrxxx.exe96⤵PID:2296
-
\??\c:\1pddj.exec:\1pddj.exe97⤵PID:4208
-
\??\c:\djjvp.exec:\djjvp.exe98⤵PID:1988
-
\??\c:\jvdvp.exec:\jvdvp.exe99⤵PID:4700
-
\??\c:\djddd.exec:\djddd.exe100⤵PID:2164
-
\??\c:\pdppj.exec:\pdppj.exe101⤵PID:4584
-
\??\c:\vvddd.exec:\vvddd.exe102⤵PID:4792
-
\??\c:\ppppp.exec:\ppppp.exe103⤵PID:4512
-
\??\c:\hntttt.exec:\hntttt.exe104⤵PID:504
-
\??\c:\ttnnhn.exec:\ttnnhn.exe105⤵PID:5068
-
\??\c:\nnbbbb.exec:\nnbbbb.exe106⤵PID:2100
-
\??\c:\tttttt.exec:\tttttt.exe107⤵PID:3564
-
\??\c:\jpjdv.exec:\jpjdv.exe108⤵PID:704
-
\??\c:\9pvpp.exec:\9pvpp.exe109⤵PID:3260
-
\??\c:\ppjdd.exec:\ppjdd.exe110⤵PID:5084
-
\??\c:\rrxxrrl.exec:\rrxxrrl.exe111⤵PID:3376
-
\??\c:\jjvpp.exec:\jjvpp.exe112⤵PID:2464
-
\??\c:\vdddj.exec:\vdddj.exe113⤵PID:356
-
\??\c:\9jjdv.exec:\9jjdv.exe114⤵PID:2692
-
\??\c:\vpvvv.exec:\vpvvv.exe115⤵PID:1972
-
\??\c:\ddjjj.exec:\ddjjj.exe116⤵PID:3844
-
\??\c:\vjjjj.exec:\vjjjj.exe117⤵PID:2928
-
\??\c:\pdvjv.exec:\pdvjv.exe118⤵PID:424
-
\??\c:\5pdvp.exec:\5pdvp.exe119⤵PID:4888
-
\??\c:\9vdvp.exec:\9vdvp.exe120⤵PID:1396
-
\??\c:\vpvdp.exec:\vpvdp.exe121⤵PID:2304
-
\??\c:\3jvpj.exec:\3jvpj.exe122⤵PID:4960