Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe
-
Size
454KB
-
MD5
69646fb445a679869d2742383a19a98f
-
SHA1
ad82a79a01e7895d856b29a1cd52360e81b37d53
-
SHA256
e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b
-
SHA512
dd965dc1d901c3889dc3db17e6037a327218b032c0fc2cf7c1b09fbb3e1f6c9e4048a3f87e40790960ad8344656bd51fac7bdf7baaf7ab1b598751c08126dee5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2592-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1976-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2024-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/520-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-1055-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-1275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-1399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-1451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-1899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4924 hnhnbt.exe 3880 vddpj.exe 3656 pdddv.exe 3460 jdvjv.exe 4728 hhhbbh.exe 3640 ddppp.exe 3540 ppvvp.exe 4452 lrffffr.exe 3472 fxfxxrf.exe 1740 3nhhhh.exe 1016 1bhbhh.exe 2860 tnhhnn.exe 1856 dvdvp.exe 1888 5fffxlr.exe 2348 ppjjd.exe 640 tnnhbb.exe 4664 dvvpp.exe 2352 frfflrr.exe 1508 llrlrfx.exe 2464 vpppj.exe 4544 thtttt.exe 400 5jpjj.exe 800 hbhhhh.exe 2188 llxxrrf.exe 4396 vjddd.exe 1976 lrllrxl.exe 4244 rrxrlll.exe 900 jpdvv.exe 2300 dddvp.exe 1672 xxllrlf.exe 1376 vvppv.exe 2808 fxrfrlx.exe 2024 bbbtnn.exe 2556 3vvpp.exe 2972 1xxrlrl.exe 4340 hbhtnt.exe 2408 nthbbb.exe 2432 rrxxrrr.exe 1940 lfxrllf.exe 2932 hbbnhb.exe 3884 jddvp.exe 532 jdjdv.exe 5076 xllxrlx.exe 908 hbtntt.exe 4604 vppjd.exe 1528 djpvv.exe 2304 xflfrlf.exe 2680 bnthtn.exe 4700 9jppp.exe 4328 rfllrxr.exe 376 5htnhb.exe 1804 vpdvd.exe 4120 fxlrrrr.exe 4768 rlxxxxx.exe 3616 hbhbtt.exe 1192 ddvjd.exe 1808 7ffxllf.exe 3812 tbtnhh.exe 2960 jdjdd.exe 3220 lllxlfr.exe 2116 tnnbbb.exe 1716 tnbthb.exe 2884 7pvjj.exe 3976 xrrlffx.exe -
resource yara_rule behavioral2/memory/2592-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4396-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-422-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1752-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/520-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-1055-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-1275-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (observed here as the sample and its dropped executables opening the NLS\Language registry key listed below).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bthbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2592 wrote to memory of 4924 2592 e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe 83 PID 2592 wrote to memory of 4924 2592 e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe 83 PID 2592 wrote to memory of 4924 2592 e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe 83 PID 4924 wrote to memory of 3880 4924 hnhnbt.exe 84 PID 4924 wrote to memory of 3880 4924 hnhnbt.exe 84 PID 4924 wrote to memory of 3880 4924 hnhnbt.exe 84 PID 3880 wrote to memory of 3656 3880 vddpj.exe 85 PID 3880 wrote to memory of 3656 3880 vddpj.exe 85 PID 3880 wrote to memory of 3656 3880 vddpj.exe 85 PID 3656 wrote to memory of 3460 3656 pdddv.exe 86 PID 3656 wrote to memory of 3460 3656 pdddv.exe 86 PID 3656 wrote to memory of 3460 3656 pdddv.exe 86 PID 3460 wrote to memory of 4728 3460 jdvjv.exe 87 PID 3460 wrote to memory of 4728 3460 jdvjv.exe 87 PID 3460 wrote to memory of 4728 3460 jdvjv.exe 87 PID 4728 wrote to memory of 3640 4728 hhhbbh.exe 88 PID 4728 wrote to memory of 3640 4728 hhhbbh.exe 88 PID 4728 wrote to memory of 3640 4728 hhhbbh.exe 88 PID 3640 wrote to memory of 3540 3640 ddppp.exe 89 PID 3640 wrote to memory of 3540 3640 ddppp.exe 89 PID 3640 wrote to memory of 3540 3640 ddppp.exe 89 PID 3540 wrote to memory of 4452 3540 ppvvp.exe 90 PID 3540 wrote to memory of 4452 3540 ppvvp.exe 90 PID 3540 wrote to memory of 4452 3540 ppvvp.exe 90 PID 4452 wrote to memory of 3472 4452 lrffffr.exe 91 PID 4452 wrote to memory of 3472 4452 lrffffr.exe 91 PID 4452 wrote to memory of 3472 4452 lrffffr.exe 91 PID 3472 wrote to memory of 1740 3472 fxfxxrf.exe 92 PID 3472 wrote to memory of 1740 3472 fxfxxrf.exe 92 PID 3472 wrote to memory of 1740 3472 fxfxxrf.exe 92 PID 1740 wrote to memory of 1016 1740 3nhhhh.exe 93 PID 1740 wrote to memory of 1016 1740 3nhhhh.exe 93 PID 1740 wrote to memory of 1016 1740 3nhhhh.exe 93 PID 1016 wrote to memory of 2860 1016 1bhbhh.exe 94 PID 1016 wrote to memory of 
2860 1016 1bhbhh.exe 94 PID 1016 wrote to memory of 2860 1016 1bhbhh.exe 94 PID 2860 wrote to memory of 1856 2860 tnhhnn.exe 95 PID 2860 wrote to memory of 1856 2860 tnhhnn.exe 95 PID 2860 wrote to memory of 1856 2860 tnhhnn.exe 95 PID 1856 wrote to memory of 1888 1856 dvdvp.exe 96 PID 1856 wrote to memory of 1888 1856 dvdvp.exe 96 PID 1856 wrote to memory of 1888 1856 dvdvp.exe 96 PID 1888 wrote to memory of 2348 1888 5fffxlr.exe 97 PID 1888 wrote to memory of 2348 1888 5fffxlr.exe 97 PID 1888 wrote to memory of 2348 1888 5fffxlr.exe 97 PID 2348 wrote to memory of 640 2348 ppjjd.exe 98 PID 2348 wrote to memory of 640 2348 ppjjd.exe 98 PID 2348 wrote to memory of 640 2348 ppjjd.exe 98 PID 640 wrote to memory of 4664 640 tnnhbb.exe 99 PID 640 wrote to memory of 4664 640 tnnhbb.exe 99 PID 640 wrote to memory of 4664 640 tnnhbb.exe 99 PID 4664 wrote to memory of 2352 4664 dvvpp.exe 100 PID 4664 wrote to memory of 2352 4664 dvvpp.exe 100 PID 4664 wrote to memory of 2352 4664 dvvpp.exe 100 PID 2352 wrote to memory of 1508 2352 frfflrr.exe 101 PID 2352 wrote to memory of 1508 2352 frfflrr.exe 101 PID 2352 wrote to memory of 1508 2352 frfflrr.exe 101 PID 1508 wrote to memory of 2464 1508 llrlrfx.exe 102 PID 1508 wrote to memory of 2464 1508 llrlrfx.exe 102 PID 1508 wrote to memory of 2464 1508 llrlrfx.exe 102 PID 2464 wrote to memory of 4544 2464 vpppj.exe 103 PID 2464 wrote to memory of 4544 2464 vpppj.exe 103 PID 2464 wrote to memory of 4544 2464 vpppj.exe 103 PID 4544 wrote to memory of 400 4544 thtttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe"C:\Users\Admin\AppData\Local\Temp\e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\hnhnbt.exec:\hnhnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\vddpj.exec:\vddpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\pdddv.exec:\pdddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\jdvjv.exec:\jdvjv.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\hhhbbh.exec:\hhhbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\ddppp.exec:\ddppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\ppvvp.exec:\ppvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\lrffffr.exec:\lrffffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\fxfxxrf.exec:\fxfxxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\3nhhhh.exec:\3nhhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\1bhbhh.exec:\1bhbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\tnhhnn.exec:\tnhhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\dvdvp.exec:\dvdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\5fffxlr.exec:\5fffxlr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\ppjjd.exec:\ppjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\tnnhbb.exec:\tnnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\dvvpp.exec:\dvvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\frfflrr.exec:\frfflrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\llrlrfx.exec:\llrlrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\vpppj.exec:\vpppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\thtttt.exec:\thtttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\5jpjj.exec:\5jpjj.exe23⤵
- Executes dropped EXE
PID:400 -
\??\c:\hbhhhh.exec:\hbhhhh.exe24⤵
- Executes dropped EXE
PID:800 -
\??\c:\llxxrrf.exec:\llxxrrf.exe25⤵
- Executes dropped EXE
PID:2188 -
\??\c:\vjddd.exec:\vjddd.exe26⤵
- Executes dropped EXE
PID:4396 -
\??\c:\lrllrxl.exec:\lrllrxl.exe27⤵
- Executes dropped EXE
PID:1976 -
\??\c:\rrxrlll.exec:\rrxrlll.exe28⤵
- Executes dropped EXE
PID:4244 -
\??\c:\jpdvv.exec:\jpdvv.exe29⤵
- Executes dropped EXE
PID:900 -
\??\c:\dddvp.exec:\dddvp.exe30⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xxllrlf.exec:\xxllrlf.exe31⤵
- Executes dropped EXE
PID:1672 -
\??\c:\vvppv.exec:\vvppv.exe32⤵
- Executes dropped EXE
PID:1376 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe33⤵
- Executes dropped EXE
PID:2808 -
\??\c:\bbbtnn.exec:\bbbtnn.exe34⤵
- Executes dropped EXE
PID:2024 -
\??\c:\3vvpp.exec:\3vvpp.exe35⤵
- Executes dropped EXE
PID:2556 -
\??\c:\1xxrlrl.exec:\1xxrlrl.exe36⤵
- Executes dropped EXE
PID:2972 -
\??\c:\hbhtnt.exec:\hbhtnt.exe37⤵
- Executes dropped EXE
PID:4340 -
\??\c:\nthbbb.exec:\nthbbb.exe38⤵
- Executes dropped EXE
PID:2408 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe39⤵
- Executes dropped EXE
PID:2432 -
\??\c:\lfxrllf.exec:\lfxrllf.exe40⤵
- Executes dropped EXE
PID:1940 -
\??\c:\hbbnhb.exec:\hbbnhb.exe41⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jddvp.exec:\jddvp.exe42⤵
- Executes dropped EXE
PID:3884 -
\??\c:\jdjdv.exec:\jdjdv.exe43⤵
- Executes dropped EXE
PID:532 -
\??\c:\xllxrlx.exec:\xllxrlx.exe44⤵
- Executes dropped EXE
PID:5076 -
\??\c:\hbtntt.exec:\hbtntt.exe45⤵
- Executes dropped EXE
PID:908 -
\??\c:\vppjd.exec:\vppjd.exe46⤵
- Executes dropped EXE
PID:4604 -
\??\c:\djpvv.exec:\djpvv.exe47⤵
- Executes dropped EXE
PID:1528 -
\??\c:\xflfrlf.exec:\xflfrlf.exe48⤵
- Executes dropped EXE
PID:2304 -
\??\c:\bnthtn.exec:\bnthtn.exe49⤵
- Executes dropped EXE
PID:2680 -
\??\c:\9jppp.exec:\9jppp.exe50⤵
- Executes dropped EXE
PID:4700 -
\??\c:\rfllrxr.exec:\rfllrxr.exe51⤵
- Executes dropped EXE
PID:4328 -
\??\c:\5htnhb.exec:\5htnhb.exe52⤵
- Executes dropped EXE
PID:376 -
\??\c:\vpdvd.exec:\vpdvd.exe53⤵
- Executes dropped EXE
PID:1804 -
\??\c:\fxlrrrr.exec:\fxlrrrr.exe54⤵
- Executes dropped EXE
PID:4120 -
\??\c:\rlxxxxx.exec:\rlxxxxx.exe55⤵
- Executes dropped EXE
PID:4768 -
\??\c:\hbhbtt.exec:\hbhbtt.exe56⤵
- Executes dropped EXE
PID:3616 -
\??\c:\ddvjd.exec:\ddvjd.exe57⤵
- Executes dropped EXE
PID:1192 -
\??\c:\7ffxllf.exec:\7ffxllf.exe58⤵
- Executes dropped EXE
PID:1808 -
\??\c:\tbtnhh.exec:\tbtnhh.exe59⤵
- Executes dropped EXE
PID:3812 -
\??\c:\jdjdd.exec:\jdjdd.exe60⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lllxlfr.exec:\lllxlfr.exe61⤵
- Executes dropped EXE
PID:3220 -
\??\c:\tnnbbb.exec:\tnnbbb.exe62⤵
- Executes dropped EXE
PID:2116 -
\??\c:\tnbthb.exec:\tnbthb.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716 -
\??\c:\7pvjj.exec:\7pvjj.exe64⤵
- Executes dropped EXE
PID:2884 -
\??\c:\xrrlffx.exec:\xrrlffx.exe65⤵
- Executes dropped EXE
PID:3976 -
\??\c:\lflflfl.exec:\lflflfl.exe66⤵PID:1336
-
\??\c:\bbhthb.exec:\bbhthb.exe67⤵PID:3004
-
\??\c:\djjjd.exec:\djjjd.exe68⤵PID:1732
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe69⤵PID:4092
-
\??\c:\9fxlxrl.exec:\9fxlxrl.exe70⤵PID:3188
-
\??\c:\bntnhh.exec:\bntnhh.exe71⤵PID:1888
-
\??\c:\1jjjv.exec:\1jjjv.exe72⤵PID:2744
-
\??\c:\5llflfl.exec:\5llflfl.exe73⤵PID:4696
-
\??\c:\3xlfxlx.exec:\3xlfxlx.exe74⤵PID:1720
-
\??\c:\tnnhbt.exec:\tnnhbt.exe75⤵PID:640
-
\??\c:\vpjdv.exec:\vpjdv.exe76⤵PID:4664
-
\??\c:\9jjvj.exec:\9jjvj.exe77⤵PID:1620
-
\??\c:\7frfxrf.exec:\7frfxrf.exe78⤵PID:2644
-
\??\c:\hnhthn.exec:\hnhthn.exe79⤵PID:4988
-
\??\c:\jjdvp.exec:\jjdvp.exe80⤵PID:1472
-
\??\c:\xrrfrlx.exec:\xrrfrlx.exe81⤵PID:4040
-
\??\c:\3hbtnb.exec:\3hbtnb.exe82⤵PID:4544
-
\??\c:\nhnnnh.exec:\nhnnnh.exe83⤵
- System Location Discovery: System Language Discovery
PID:1196 -
\??\c:\9dpjv.exec:\9dpjv.exe84⤵PID:1928
-
\??\c:\frflfxr.exec:\frflfxr.exe85⤵PID:2512
-
\??\c:\nbhtnh.exec:\nbhtnh.exe86⤵PID:4296
-
\??\c:\nhbbbh.exec:\nhbbbh.exe87⤵PID:2908
-
\??\c:\dppdv.exec:\dppdv.exe88⤵PID:3228
-
\??\c:\frxrrlr.exec:\frxrrlr.exe89⤵PID:4580
-
\??\c:\7lflxrl.exec:\7lflxrl.exe90⤵PID:4244
-
\??\c:\tnnbtn.exec:\tnnbtn.exe91⤵PID:832
-
\??\c:\vddpd.exec:\vddpd.exe92⤵PID:4868
-
\??\c:\lrxlfrl.exec:\lrxlfrl.exe93⤵PID:872
-
\??\c:\5rxlfxl.exec:\5rxlfxl.exe94⤵PID:3808
-
\??\c:\bbbthb.exec:\bbbthb.exe95⤵PID:4380
-
\??\c:\tthtnn.exec:\tthtnn.exe96⤵PID:1748
-
\??\c:\dpvpj.exec:\dpvpj.exe97⤵PID:4232
-
\??\c:\lfrfrlf.exec:\lfrfrlf.exe98⤵PID:2024
-
\??\c:\lflxxrr.exec:\lflxxrr.exe99⤵PID:2556
-
\??\c:\hhhtnh.exec:\hhhtnh.exe100⤵PID:2972
-
\??\c:\vjdpj.exec:\vjdpj.exe101⤵PID:2196
-
\??\c:\fflrlxl.exec:\fflrlxl.exe102⤵PID:2408
-
\??\c:\thtbtt.exec:\thtbtt.exe103⤵PID:4444
-
\??\c:\vpjdv.exec:\vpjdv.exe104⤵
- System Location Discovery: System Language Discovery
PID:1940 -
\??\c:\3pjvp.exec:\3pjvp.exe105⤵PID:2932
-
\??\c:\xfxffll.exec:\xfxffll.exe106⤵PID:3884
-
\??\c:\5nnnhb.exec:\5nnnhb.exe107⤵PID:532
-
\??\c:\pvvpd.exec:\pvvpd.exe108⤵PID:5076
-
\??\c:\rfllllx.exec:\rfllllx.exe109⤵PID:1772
-
\??\c:\5llxfrf.exec:\5llxfrf.exe110⤵PID:1752
-
\??\c:\ttbtnh.exec:\ttbtnh.exe111⤵PID:316
-
\??\c:\jvvpj.exec:\jvvpj.exe112⤵PID:624
-
\??\c:\xffxxrr.exec:\xffxxrr.exe113⤵PID:4320
-
\??\c:\3xrlxxl.exec:\3xrlxxl.exe114⤵PID:4948
-
\??\c:\nbhthb.exec:\nbhthb.exe115⤵PID:3340
-
\??\c:\pdjjd.exec:\pdjjd.exe116⤵PID:376
-
\??\c:\dpvpp.exec:\dpvpp.exe117⤵PID:1804
-
\??\c:\lfxrxrl.exec:\lfxrxrl.exe118⤵PID:5080
-
\??\c:\tttnhb.exec:\tttnhb.exe119⤵PID:4768
-
\??\c:\7djvp.exec:\7djvp.exe120⤵PID:3616
-
\??\c:\pddvp.exec:\pddvp.exe121⤵PID:1192
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe122⤵PID:1808