Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
31-12-2024 00:59
Behavioral task
behavioral1
Sample
867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5aN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5aN.exe
-
Size
3.7MB
-
MD5
eed70076e7aaaff681ce2a491d92fd80
-
SHA1
3bbaa24306ffa9b4ee874e6b3c2d51a631d465dc
-
SHA256
867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5a
-
SHA512
d19332bc028b73ff20779793df9645ac70d4efbc1c8278779ffe13db4be41b57b6811915554577084b9f3d02d692610a73c0d77781c4cdd0e2102746382fe98a
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98H:U6XLq/qPPslzKx/dJg1ErmNY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1056-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3824-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/416-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3856-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/528-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1032-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4504-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2152-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-556-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3940-606-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-622-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-684-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-721-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-827-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-987-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3824-1027-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-1536-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2664-1678-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-1742-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 5096 dvdpj.exe 1844 pjjjj.exe 4100 hnthbb.exe 5000 pvppj.exe 2300 tntbtb.exe 3400 9tnnbh.exe 2964 bthhhn.exe 2376 bhbbbh.exe 4024 hnbbtt.exe 3824 xxlxxff.exe 416 7tnthh.exe 3812 jjdjd.exe 1080 3nnhbb.exe 2920 7lrrflr.exe 2428 jpdvd.exe 3856 xxrrlrl.exe 4180 5pvpd.exe 3740 vjpjj.exe 3444 5pppp.exe 4832 jppjd.exe 3124 jjvdd.exe 3048 1pvpp.exe 528 dvddp.exe 5008 ddppp.exe 1780 jdppj.exe 4752 ttbtnt.exe 2148 1lfffff.exe 4996 nbhbbb.exe 2716 bbttbh.exe 2000 hhbtbb.exe 5004 thhhhh.exe 5092 vppjj.exe 3120 vppjd.exe 2824 htbnbb.exe 4208 hnhbtn.exe 3920 ppdvj.exe 1032 jdpjj.exe 1972 dvjjj.exe 4352 pdppp.exe 1056 pvvpp.exe 1636 vvpjv.exe 216 ddddd.exe 2708 dpdvp.exe 2192 vvddj.exe 464 jjdvv.exe 1936 btbhhh.exe 1436 3vddd.exe 4448 bbhbbb.exe 3888 5bhhtt.exe 4824 nnhhbb.exe 2296 bntnhb.exe 4512 thhhhn.exe 1660 lrfffff.exe 972 fxllfff.exe 1060 rxfxxrr.exe 2404 xxxxrxr.exe 868 xlfxxxx.exe 368 llxxxxx.exe 2828 pjdpj.exe 2920 jdvpj.exe 3848 vdjdp.exe 4384 9vdpd.exe 1940 vvddp.exe 4180 hhnnnn.exe -
resource yara_rule behavioral2/memory/1056-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c0f-3.dat upx behavioral2/memory/1056-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-9.dat upx behavioral2/memory/5096-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-13.dat upx behavioral2/memory/1844-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ca5-21.dat upx behavioral2/memory/5000-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-27.dat upx behavioral2/memory/2300-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-33.dat upx behavioral2/memory/3400-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-39.dat upx behavioral2/memory/2964-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-45.dat upx behavioral2/files/0x0007000000023cb4-50.dat upx behavioral2/memory/2376-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-56.dat upx behavioral2/memory/4024-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-62.dat upx behavioral2/memory/3824-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-67.dat upx behavioral2/memory/416-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-73.dat upx behavioral2/memory/3812-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-79.dat upx behavioral2/memory/1080-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-84.dat upx behavioral2/memory/2920-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-91.dat upx 
behavioral2/memory/3856-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2428-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-97.dat upx behavioral2/memory/3856-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-103.dat upx behavioral2/memory/3740-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-109.dat upx behavioral2/files/0x0007000000023cbf-115.dat upx behavioral2/memory/3444-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-120.dat upx behavioral2/memory/4832-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-126.dat upx behavioral2/memory/3048-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3124-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-134.dat upx behavioral2/memory/528-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-139.dat upx behavioral2/files/0x000300000001e754-144.dat upx behavioral2/memory/5008-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-150.dat upx behavioral2/files/0x0007000000023cc7-156.dat upx behavioral2/files/0x0007000000023cc8-160.dat upx behavioral2/memory/2148-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-166.dat upx behavioral2/memory/2716-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-172.dat upx behavioral2/files/0x0007000000023ccb-177.dat upx behavioral2/memory/2000-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-183.dat upx behavioral2/memory/5004-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3120-192-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2824-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4208-200-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1056 wrote to memory of 5096 1056 867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5aN.exe 82 PID 1056 wrote to memory of 5096 1056 867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5aN.exe 82 PID 1056 wrote to memory of 5096 1056 867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5aN.exe 82 PID 5096 wrote to memory of 1844 5096 dvdpj.exe 83 PID 5096 wrote to memory of 1844 5096 dvdpj.exe 83 PID 5096 wrote to memory of 1844 5096 dvdpj.exe 83 PID 1844 wrote to memory of 4100 1844 pjjjj.exe 84 PID 1844 wrote to memory of 4100 1844 pjjjj.exe 84 PID 1844 wrote to memory of 4100 1844 pjjjj.exe 84 PID 4100 wrote to memory of 5000 4100 hnthbb.exe 85 PID 4100 wrote to memory of 5000 4100 hnthbb.exe 85 PID 4100 wrote to memory of 5000 4100 hnthbb.exe 85 PID 5000 wrote to memory of 2300 5000 pvppj.exe 86 PID 5000 wrote to memory of 2300 5000 pvppj.exe 86 PID 5000 wrote to memory of 2300 5000 pvppj.exe 86 PID 2300 wrote to memory of 3400 2300 tntbtb.exe 87 PID 2300 wrote to memory of 3400 2300 tntbtb.exe 87 PID 2300 wrote to memory of 3400 2300 tntbtb.exe 87 PID 3400 wrote to memory of 2964 3400 9tnnbh.exe 88 PID 3400 wrote to memory of 2964 3400 9tnnbh.exe 88 PID 3400 wrote to memory of 2964 3400 9tnnbh.exe 88 PID 2964 wrote to memory of 2376 2964 bthhhn.exe 89 PID 2964 wrote to memory of 2376 2964 bthhhn.exe 89 PID 2964 wrote to memory of 2376 2964 bthhhn.exe 89 PID 2376 wrote to memory of 4024 2376 bhbbbh.exe 90 PID 2376 wrote to memory of 4024 2376 bhbbbh.exe 90 PID 2376 wrote to memory of 4024 2376 bhbbbh.exe 90 PID 4024 wrote to memory of 3824 4024 hnbbtt.exe 91 PID 4024 wrote to memory of 3824 4024 hnbbtt.exe 91 PID 4024 wrote to memory of 3824 4024 hnbbtt.exe 91 PID 3824 wrote to memory of 416 3824 xxlxxff.exe 92 PID 3824 wrote to memory of 416 3824 xxlxxff.exe 92 PID 3824 wrote to memory of 416 3824 xxlxxff.exe 92 PID 416 wrote to memory of 3812 416 7tnthh.exe 93 PID 416 wrote to memory of 
3812 416 7tnthh.exe 93 PID 416 wrote to memory of 3812 416 7tnthh.exe 93 PID 3812 wrote to memory of 1080 3812 jjdjd.exe 94 PID 3812 wrote to memory of 1080 3812 jjdjd.exe 94 PID 3812 wrote to memory of 1080 3812 jjdjd.exe 94 PID 1080 wrote to memory of 2920 1080 3nnhbb.exe 95 PID 1080 wrote to memory of 2920 1080 3nnhbb.exe 95 PID 1080 wrote to memory of 2920 1080 3nnhbb.exe 95 PID 2920 wrote to memory of 2428 2920 7lrrflr.exe 96 PID 2920 wrote to memory of 2428 2920 7lrrflr.exe 96 PID 2920 wrote to memory of 2428 2920 7lrrflr.exe 96 PID 2428 wrote to memory of 3856 2428 jpdvd.exe 97 PID 2428 wrote to memory of 3856 2428 jpdvd.exe 97 PID 2428 wrote to memory of 3856 2428 jpdvd.exe 97 PID 3856 wrote to memory of 4180 3856 xxrrlrl.exe 98 PID 3856 wrote to memory of 4180 3856 xxrrlrl.exe 98 PID 3856 wrote to memory of 4180 3856 xxrrlrl.exe 98 PID 4180 wrote to memory of 3740 4180 5pvpd.exe 99 PID 4180 wrote to memory of 3740 4180 5pvpd.exe 99 PID 4180 wrote to memory of 3740 4180 5pvpd.exe 99 PID 3740 wrote to memory of 3444 3740 vjpjj.exe 100 PID 3740 wrote to memory of 3444 3740 vjpjj.exe 100 PID 3740 wrote to memory of 3444 3740 vjpjj.exe 100 PID 3444 wrote to memory of 4832 3444 5pppp.exe 101 PID 3444 wrote to memory of 4832 3444 5pppp.exe 101 PID 3444 wrote to memory of 4832 3444 5pppp.exe 101 PID 4832 wrote to memory of 3124 4832 jppjd.exe 102 PID 4832 wrote to memory of 3124 4832 jppjd.exe 102 PID 4832 wrote to memory of 3124 4832 jppjd.exe 102 PID 3124 wrote to memory of 3048 3124 jjvdd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5aN.exe"C:\Users\Admin\AppData\Local\Temp\867edef80a9c2eb2f86a5ad9afde87a5d1a923959a131fb3a1452d58a7963b5aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\dvdpj.exec:\dvdpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\pjjjj.exec:\pjjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\hnthbb.exec:\hnthbb.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\pvppj.exec:\pvppj.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\tntbtb.exec:\tntbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\9tnnbh.exec:\9tnnbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\bthhhn.exec:\bthhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\bhbbbh.exec:\bhbbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\hnbbtt.exec:\hnbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\xxlxxff.exec:\xxlxxff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\7tnthh.exec:\7tnthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
\??\c:\jjdjd.exec:\jjdjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\3nnhbb.exec:\3nnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\7lrrflr.exec:\7lrrflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\jpdvd.exec:\jpdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\xxrrlrl.exec:\xxrrlrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\5pvpd.exec:\5pvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\vjpjj.exec:\vjpjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\5pppp.exec:\5pppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\jppjd.exec:\jppjd.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\jjvdd.exec:\jjvdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\1pvpp.exec:\1pvpp.exe23⤵
- Executes dropped EXE
PID:3048 -
\??\c:\dvddp.exec:\dvddp.exe24⤵
- Executes dropped EXE
PID:528 -
\??\c:\ddppp.exec:\ddppp.exe25⤵
- Executes dropped EXE
PID:5008 -
\??\c:\jdppj.exec:\jdppj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780 -
\??\c:\ttbtnt.exec:\ttbtnt.exe27⤵
- Executes dropped EXE
PID:4752 -
\??\c:\1lfffff.exec:\1lfffff.exe28⤵
- Executes dropped EXE
PID:2148 -
\??\c:\nbhbbb.exec:\nbhbbb.exe29⤵
- Executes dropped EXE
PID:4996 -
\??\c:\bbttbh.exec:\bbttbh.exe30⤵
- Executes dropped EXE
PID:2716 -
\??\c:\hhbtbb.exec:\hhbtbb.exe31⤵
- Executes dropped EXE
PID:2000 -
\??\c:\thhhhh.exec:\thhhhh.exe32⤵
- Executes dropped EXE
PID:5004 -
\??\c:\vppjj.exec:\vppjj.exe33⤵
- Executes dropped EXE
PID:5092 -
\??\c:\vppjd.exec:\vppjd.exe34⤵
- Executes dropped EXE
PID:3120 -
\??\c:\htbnbb.exec:\htbnbb.exe35⤵
- Executes dropped EXE
PID:2824 -
\??\c:\hnhbtn.exec:\hnhbtn.exe36⤵
- Executes dropped EXE
PID:4208 -
\??\c:\ppdvj.exec:\ppdvj.exe37⤵
- Executes dropped EXE
PID:3920 -
\??\c:\jdpjj.exec:\jdpjj.exe38⤵
- Executes dropped EXE
PID:1032 -
\??\c:\dvjjj.exec:\dvjjj.exe39⤵
- Executes dropped EXE
PID:1972 -
\??\c:\pdppp.exec:\pdppp.exe40⤵
- Executes dropped EXE
PID:4352 -
\??\c:\vppvp.exec:\vppvp.exe41⤵PID:4368
-
\??\c:\pvvpp.exec:\pvvpp.exe42⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vvpjv.exec:\vvpjv.exe43⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ddddd.exec:\ddddd.exe44⤵
- Executes dropped EXE
PID:216 -
\??\c:\dpdvp.exec:\dpdvp.exe45⤵
- Executes dropped EXE
PID:2708 -
\??\c:\vvddj.exec:\vvddj.exe46⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jjdvv.exec:\jjdvv.exe47⤵
- Executes dropped EXE
PID:464 -
\??\c:\btbhhh.exec:\btbhhh.exe48⤵
- Executes dropped EXE
PID:1936 -
\??\c:\3vddd.exec:\3vddd.exe49⤵
- Executes dropped EXE
PID:1436 -
\??\c:\bbhbbb.exec:\bbhbbb.exe50⤵
- Executes dropped EXE
PID:4448 -
\??\c:\5bhhtt.exec:\5bhhtt.exe51⤵
- Executes dropped EXE
PID:3888 -
\??\c:\nnhhbb.exec:\nnhhbb.exe52⤵
- Executes dropped EXE
PID:4824 -
\??\c:\bntnhb.exec:\bntnhb.exe53⤵
- Executes dropped EXE
PID:2296 -
\??\c:\thhhhn.exec:\thhhhn.exe54⤵
- Executes dropped EXE
PID:4512 -
\??\c:\lrfffff.exec:\lrfffff.exe55⤵
- Executes dropped EXE
PID:1660 -
\??\c:\fxllfff.exec:\fxllfff.exe56⤵
- Executes dropped EXE
PID:972 -
\??\c:\rxfxxrr.exec:\rxfxxrr.exe57⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xxxxrxr.exec:\xxxxrxr.exe58⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xlfxxxx.exec:\xlfxxxx.exe59⤵
- Executes dropped EXE
PID:868 -
\??\c:\llxxxxx.exec:\llxxxxx.exe60⤵
- Executes dropped EXE
PID:368 -
\??\c:\pjdpj.exec:\pjdpj.exe61⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jdvpj.exec:\jdvpj.exe62⤵
- Executes dropped EXE
PID:2920 -
\??\c:\vdjdp.exec:\vdjdp.exe63⤵
- Executes dropped EXE
PID:3848 -
\??\c:\9vdpd.exec:\9vdpd.exe64⤵
- Executes dropped EXE
PID:4384 -
\??\c:\vvddp.exec:\vvddp.exe65⤵
- Executes dropped EXE
PID:1940 -
\??\c:\hhnnnn.exec:\hhnnnn.exe66⤵
- Executes dropped EXE
PID:4180 -
\??\c:\nbbtnt.exec:\nbbtnt.exe67⤵PID:3476
-
\??\c:\hnthtn.exec:\hnthtn.exe68⤵PID:4040
-
\??\c:\nnbthb.exec:\nnbthb.exe69⤵PID:4724
-
\??\c:\5xfflrl.exec:\5xfflrl.exe70⤵PID:4924
-
\??\c:\1fxrlfx.exec:\1fxrlfx.exe71⤵
- System Location Discovery: System Language Discovery
PID:2940 -
\??\c:\rffrlfx.exec:\rffrlfx.exe72⤵PID:1656
-
\??\c:\xxffxxx.exec:\xxffxxx.exe73⤵PID:3304
-
\??\c:\9rlxrrx.exec:\9rlxrrx.exe74⤵
- System Location Discovery: System Language Discovery
PID:5044 -
\??\c:\dpdpj.exec:\dpdpj.exe75⤵PID:1592
-
\??\c:\pvjdp.exec:\pvjdp.exe76⤵PID:4504
-
\??\c:\vjjpj.exec:\vjjpj.exe77⤵PID:1976
-
\??\c:\pjpjd.exec:\pjpjd.exe78⤵PID:3656
-
\??\c:\3pdvv.exec:\3pdvv.exe79⤵PID:2128
-
\??\c:\1thbtn.exec:\1thbtn.exe80⤵PID:4464
-
\??\c:\tnnhbb.exec:\tnnhbb.exe81⤵
- System Location Discovery: System Language Discovery
PID:4920 -
\??\c:\thtnnn.exec:\thtnnn.exe82⤵PID:2712
-
\??\c:\btnnhh.exec:\btnnhh.exe83⤵PID:2716
-
\??\c:\nhbnbt.exec:\nhbnbt.exe84⤵PID:3384
-
\??\c:\nthbtb.exec:\nthbtb.exe85⤵PID:3120
-
\??\c:\nbhbtt.exec:\nbhbtt.exe86⤵PID:1700
-
\??\c:\nnnnhn.exec:\nnnnhn.exe87⤵PID:4864
-
\??\c:\ffxffrr.exec:\ffxffrr.exe88⤵PID:2588
-
\??\c:\ffrlfll.exec:\ffrlfll.exe89⤵PID:2176
-
\??\c:\7xffxxr.exec:\7xffxxr.exe90⤵PID:4396
-
\??\c:\9djjj.exec:\9djjj.exe91⤵PID:4416
-
\??\c:\1vdvp.exec:\1vdvp.exe92⤵
- System Location Discovery: System Language Discovery
PID:2664 -
\??\c:\dvjdd.exec:\dvjdd.exe93⤵PID:624
-
\??\c:\djdpj.exec:\djdpj.exe94⤵PID:508
-
\??\c:\pppjj.exec:\pppjj.exe95⤵PID:1572
-
\??\c:\pddpj.exec:\pddpj.exe96⤵PID:1844
-
\??\c:\ppddv.exec:\ppddv.exe97⤵PID:4556
-
\??\c:\7bhnnh.exec:\7bhnnh.exe98⤵PID:4100
-
\??\c:\3hhtnn.exec:\3hhtnn.exe99⤵PID:824
-
\??\c:\9bbnbt.exec:\9bbnbt.exe100⤵PID:2300
-
\??\c:\3fllflr.exec:\3fllflr.exe101⤵PID:4080
-
\??\c:\rlrllll.exec:\rlrllll.exe102⤵PID:4036
-
\??\c:\9lrrrrx.exec:\9lrrrrx.exe103⤵PID:1476
-
\??\c:\1fxlffx.exec:\1fxlffx.exe104⤵PID:4300
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe105⤵PID:2248
-
\??\c:\jddvd.exec:\jddvd.exe106⤵
- System Location Discovery: System Language Discovery
PID:412 -
\??\c:\vvvpj.exec:\vvvpj.exe107⤵PID:4820
-
\??\c:\jpvpj.exec:\jpvpj.exe108⤵PID:4928
-
\??\c:\vjddv.exec:\vjddv.exe109⤵PID:4988
-
\??\c:\pjdvd.exec:\pjdvd.exe110⤵PID:3788
-
\??\c:\nbbthb.exec:\nbbthb.exe111⤵
- System Location Discovery: System Language Discovery
PID:2996 -
\??\c:\nbnttn.exec:\nbnttn.exe112⤵PID:404
-
\??\c:\nnnnhh.exec:\nnnnhh.exe113⤵PID:2144
-
\??\c:\nbtntb.exec:\nbtntb.exe114⤵PID:3220
-
\??\c:\bbhbhh.exec:\bbhbhh.exe115⤵PID:3276
-
\??\c:\hhbtnn.exec:\hhbtnn.exe116⤵PID:4832
-
\??\c:\lxfrllf.exec:\lxfrllf.exe117⤵PID:3124
-
\??\c:\xrlfxll.exec:\xrlfxll.exe118⤵PID:4852
-
\??\c:\9xxxxxx.exec:\9xxxxxx.exe119⤵PID:4052
-
\??\c:\ffxxllf.exec:\ffxxllf.exe120⤵PID:3304
-
\??\c:\pjpdj.exec:\pjpdj.exe121⤵PID:1392
-
\??\c:\vjpvv.exec:\vjpvv.exe122⤵PID:316