Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 07:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b.exe
-
Size
453KB
-
MD5
142798714da101a030f0e3d0d44bc62d
-
SHA1
3a84dd84be087ae132e3cad9fc337ae7f17db3e9
-
SHA256
feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b
-
SHA512
16fbfbfb73266e4c2b569c9190870405c2fde5ad41eeed68f11472f39755e6e54157e3d8bcd84c2bc8123fa4c6a71253f5d7a9927bd6a8aa14eb5e7404a988a8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1148-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1240-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/908-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-1044-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-1541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1960 nnhbnn.exe 2248 vpjdj.exe 3716 vdjpj.exe 3564 xflrxxr.exe 2520 hbtbtt.exe 4284 7jdvd.exe 60 rlrlfff.exe 4900 1xrllll.exe 1132 bnbtnn.exe 852 djvpp.exe 4544 xfrllll.exe 4628 lrfxxxx.exe 3204 nbnhbb.exe 3212 jjvvj.exe 3708 rlxrllf.exe 3936 tntbbb.exe 2448 hthhbh.exe 4300 5vdvp.exe 3220 rrxxrrr.exe 1304 tnbbtt.exe 3800 bhnhhb.exe 4908 jjpjj.exe 1644 lflffxl.exe 4228 nbnbnb.exe 3356 1jjjd.exe 3068 frlffff.exe 2124 htbbnn.exe 1240 nntnhh.exe 4036 pjjdv.exe 1092 fxlfxxx.exe 680 bhtnhb.exe 3464 vpdvv.exe 3572 1xxxrrr.exe 4112 rlxlfll.exe 1424 vpvpj.exe 3680 dvddv.exe 4588 ffrrflx.exe 3920 tnttnt.exe 1156 jjpjj.exe 1336 9lrrlrx.exe 4580 hbhnht.exe 2144 btbbtb.exe 2088 ddjjj.exe 1440 xrfxrrr.exe 1272 tnhnnn.exe 4612 bttttt.exe 1580 pjpdv.exe 5100 rrrxxff.exe 4904 tbnttb.exe 4364 ppjvj.exe 1452 fxxrrxr.exe 1148 hbbtth.exe 64 bntthh.exe 2288 vjdvp.exe 1164 fffxfxl.exe 2796 hbhhbb.exe 4868 5ppjd.exe 3016 rlrrlll.exe 2056 1lrrrxr.exe 4284 hhhhnn.exe 100 pdjjd.exe 2488 llrlllf.exe 1132 ntnhnn.exe 4060 jvpjj.exe -
resource yara_rule behavioral2/memory/1148-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2124-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-451-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1300-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbt.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1148 wrote to memory of 1960 1148 feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b.exe 83 PID 1148 wrote to memory of 1960 1148 feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b.exe 83 PID 1148 wrote to memory of 1960 1148 feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b.exe 83 PID 1960 wrote to memory of 2248 1960 nnhbnn.exe 84 PID 1960 wrote to memory of 2248 1960 nnhbnn.exe 84 PID 1960 wrote to memory of 2248 1960 nnhbnn.exe 84 PID 2248 wrote to memory of 3716 2248 vpjdj.exe 85 PID 2248 wrote to memory of 3716 2248 vpjdj.exe 85 PID 2248 wrote to memory of 3716 2248 vpjdj.exe 85 PID 3716 wrote to memory of 3564 3716 vdjpj.exe 86 PID 3716 wrote to memory of 3564 3716 vdjpj.exe 86 PID 3716 wrote to memory of 3564 3716 vdjpj.exe 86 PID 3564 wrote to memory of 2520 3564 xflrxxr.exe 87 PID 3564 wrote to memory of 2520 3564 xflrxxr.exe 87 PID 3564 wrote to memory of 2520 3564 xflrxxr.exe 87 PID 2520 wrote to memory of 4284 2520 hbtbtt.exe 88 PID 2520 wrote to memory of 4284 2520 hbtbtt.exe 88 PID 2520 wrote to memory of 4284 2520 hbtbtt.exe 88 PID 4284 wrote to memory of 60 4284 7jdvd.exe 89 PID 4284 wrote to memory of 60 4284 7jdvd.exe 89 PID 4284 wrote to memory of 60 4284 7jdvd.exe 89 PID 60 wrote to memory of 4900 60 rlrlfff.exe 90 PID 60 wrote to memory of 4900 60 rlrlfff.exe 90 PID 60 wrote to memory of 4900 60 rlrlfff.exe 90 PID 4900 wrote to memory of 1132 4900 1xrllll.exe 91 PID 4900 wrote to memory of 1132 4900 1xrllll.exe 91 PID 4900 wrote to memory of 1132 4900 1xrllll.exe 91 PID 1132 wrote to memory of 852 1132 bnbtnn.exe 92 PID 1132 wrote to memory of 852 1132 bnbtnn.exe 92 PID 1132 wrote to memory of 852 1132 bnbtnn.exe 92 PID 852 wrote to memory of 4544 852 djvpp.exe 93 PID 852 wrote to memory of 4544 852 djvpp.exe 93 PID 852 wrote to memory of 4544 852 djvpp.exe 93 PID 4544 wrote to memory of 4628 4544 xfrllll.exe 94 PID 4544 wrote to memory of 4628 4544 
xfrllll.exe 94 PID 4544 wrote to memory of 4628 4544 xfrllll.exe 94 PID 4628 wrote to memory of 3204 4628 lrfxxxx.exe 95 PID 4628 wrote to memory of 3204 4628 lrfxxxx.exe 95 PID 4628 wrote to memory of 3204 4628 lrfxxxx.exe 95 PID 3204 wrote to memory of 3212 3204 nbnhbb.exe 96 PID 3204 wrote to memory of 3212 3204 nbnhbb.exe 96 PID 3204 wrote to memory of 3212 3204 nbnhbb.exe 96 PID 3212 wrote to memory of 3708 3212 jjvvj.exe 97 PID 3212 wrote to memory of 3708 3212 jjvvj.exe 97 PID 3212 wrote to memory of 3708 3212 jjvvj.exe 97 PID 3708 wrote to memory of 3936 3708 rlxrllf.exe 98 PID 3708 wrote to memory of 3936 3708 rlxrllf.exe 98 PID 3708 wrote to memory of 3936 3708 rlxrllf.exe 98 PID 3936 wrote to memory of 2448 3936 tntbbb.exe 99 PID 3936 wrote to memory of 2448 3936 tntbbb.exe 99 PID 3936 wrote to memory of 2448 3936 tntbbb.exe 99 PID 2448 wrote to memory of 4300 2448 hthhbh.exe 100 PID 2448 wrote to memory of 4300 2448 hthhbh.exe 100 PID 2448 wrote to memory of 4300 2448 hthhbh.exe 100 PID 4300 wrote to memory of 3220 4300 5vdvp.exe 101 PID 4300 wrote to memory of 3220 4300 5vdvp.exe 101 PID 4300 wrote to memory of 3220 4300 5vdvp.exe 101 PID 3220 wrote to memory of 1304 3220 rrxxrrr.exe 102 PID 3220 wrote to memory of 1304 3220 rrxxrrr.exe 102 PID 3220 wrote to memory of 1304 3220 rrxxrrr.exe 102 PID 1304 wrote to memory of 3800 1304 tnbbtt.exe 103 PID 1304 wrote to memory of 3800 1304 tnbbtt.exe 103 PID 1304 wrote to memory of 3800 1304 tnbbtt.exe 103 PID 3800 wrote to memory of 4908 3800 bhnhhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b.exe"C:\Users\Admin\AppData\Local\Temp\feb510fdcd70fca7f5ff632514d108a252fad0c392281e46d6580a9665094e4b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\nnhbnn.exec:\nnhbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\vpjdj.exec:\vpjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\vdjpj.exec:\vdjpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\xflrxxr.exec:\xflrxxr.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\hbtbtt.exec:\hbtbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\7jdvd.exec:\7jdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\rlrlfff.exec:\rlrlfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\1xrllll.exec:\1xrllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\bnbtnn.exec:\bnbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\djvpp.exec:\djvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\xfrllll.exec:\xfrllll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\nbnhbb.exec:\nbnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\jjvvj.exec:\jjvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\rlxrllf.exec:\rlxrllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\tntbbb.exec:\tntbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\hthhbh.exec:\hthhbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\5vdvp.exec:\5vdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\tnbbtt.exec:\tnbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\bhnhhb.exec:\bhnhhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\jjpjj.exec:\jjpjj.exe23⤵
- Executes dropped EXE
PID:4908 -
\??\c:\lflffxl.exec:\lflffxl.exe24⤵
- Executes dropped EXE
PID:1644 -
\??\c:\nbnbnb.exec:\nbnbnb.exe25⤵
- Executes dropped EXE
PID:4228 -
\??\c:\1jjjd.exec:\1jjjd.exe26⤵
- Executes dropped EXE
PID:3356 -
\??\c:\frlffff.exec:\frlffff.exe27⤵
- Executes dropped EXE
PID:3068 -
\??\c:\htbbnn.exec:\htbbnn.exe28⤵
- Executes dropped EXE
PID:2124 -
\??\c:\nntnhh.exec:\nntnhh.exe29⤵
- Executes dropped EXE
PID:1240 -
\??\c:\pjjdv.exec:\pjjdv.exe30⤵
- Executes dropped EXE
PID:4036 -
\??\c:\fxlfxxx.exec:\fxlfxxx.exe31⤵
- Executes dropped EXE
PID:1092 -
\??\c:\bhtnhb.exec:\bhtnhb.exe32⤵
- Executes dropped EXE
PID:680 -
\??\c:\vpdvv.exec:\vpdvv.exe33⤵
- Executes dropped EXE
PID:3464 -
\??\c:\1xxxrrr.exec:\1xxxrrr.exe34⤵
- Executes dropped EXE
PID:3572 -
\??\c:\rlxlfll.exec:\rlxlfll.exe35⤵
- Executes dropped EXE
PID:4112 -
\??\c:\vpvpj.exec:\vpvpj.exe36⤵
- Executes dropped EXE
PID:1424 -
\??\c:\dvddv.exec:\dvddv.exe37⤵
- Executes dropped EXE
PID:3680 -
\??\c:\ffrrflx.exec:\ffrrflx.exe38⤵
- Executes dropped EXE
PID:4588 -
\??\c:\tnttnt.exec:\tnttnt.exe39⤵
- Executes dropped EXE
PID:3920 -
\??\c:\jjpjj.exec:\jjpjj.exe40⤵
- Executes dropped EXE
PID:1156 -
\??\c:\9lrrlrx.exec:\9lrrlrx.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336 -
\??\c:\hbhnht.exec:\hbhnht.exe42⤵
- Executes dropped EXE
PID:4580 -
\??\c:\btbbtb.exec:\btbbtb.exe43⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ddjjj.exec:\ddjjj.exe44⤵
- Executes dropped EXE
PID:2088 -
\??\c:\xrfxrrr.exec:\xrfxrrr.exe45⤵
- Executes dropped EXE
PID:1440 -
\??\c:\tnhnnn.exec:\tnhnnn.exe46⤵
- Executes dropped EXE
PID:1272 -
\??\c:\bttttt.exec:\bttttt.exe47⤵
- Executes dropped EXE
PID:4612 -
\??\c:\pjpdv.exec:\pjpdv.exe48⤵
- Executes dropped EXE
PID:1580 -
\??\c:\rrrxxff.exec:\rrrxxff.exe49⤵
- Executes dropped EXE
PID:5100 -
\??\c:\tbnttb.exec:\tbnttb.exe50⤵
- Executes dropped EXE
PID:4904 -
\??\c:\ppjvj.exec:\ppjvj.exe51⤵
- Executes dropped EXE
PID:4364 -
\??\c:\fxxrrxr.exec:\fxxrrxr.exe52⤵
- Executes dropped EXE
PID:1452 -
\??\c:\hbbtth.exec:\hbbtth.exe53⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bntthh.exec:\bntthh.exe54⤵
- Executes dropped EXE
PID:64 -
\??\c:\vjdvp.exec:\vjdvp.exe55⤵
- Executes dropped EXE
PID:2288 -
\??\c:\fffxfxl.exec:\fffxfxl.exe56⤵
- Executes dropped EXE
PID:1164 -
\??\c:\hbhhbb.exec:\hbhhbb.exe57⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5ppjd.exec:\5ppjd.exe58⤵
- Executes dropped EXE
PID:4868 -
\??\c:\rlrrlll.exec:\rlrrlll.exe59⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1lrrrxr.exec:\1lrrrxr.exe60⤵
- Executes dropped EXE
PID:2056 -
\??\c:\hhhhnn.exec:\hhhhnn.exe61⤵
- Executes dropped EXE
PID:4284 -
\??\c:\pdjjd.exec:\pdjjd.exe62⤵
- Executes dropped EXE
PID:100 -
\??\c:\llrlllf.exec:\llrlllf.exe63⤵
- Executes dropped EXE
PID:2488 -
\??\c:\ntnhnn.exec:\ntnhnn.exe64⤵
- Executes dropped EXE
PID:1132 -
\??\c:\jvpjj.exec:\jvpjj.exe65⤵
- Executes dropped EXE
PID:4060 -
\??\c:\llxxrlr.exec:\llxxrlr.exe66⤵PID:3276
-
\??\c:\htbbtn.exec:\htbbtn.exe67⤵PID:5048
-
\??\c:\lxffflf.exec:\lxffflf.exe68⤵PID:3896
-
\??\c:\9jppp.exec:\9jppp.exe69⤵PID:5096
-
\??\c:\rllllrr.exec:\rllllrr.exe70⤵PID:468
-
\??\c:\lrlfxff.exec:\lrlfxff.exe71⤵PID:2260
-
\??\c:\ttnttt.exec:\ttnttt.exe72⤵PID:1004
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe73⤵PID:2608
-
\??\c:\3hhhhh.exec:\3hhhhh.exe74⤵PID:2788
-
\??\c:\nbbtnn.exec:\nbbtnn.exe75⤵PID:2064
-
\??\c:\pvppp.exec:\pvppp.exe76⤵PID:1744
-
\??\c:\flfflrf.exec:\flfflrf.exe77⤵PID:5064
-
\??\c:\nnnntt.exec:\nnnntt.exe78⤵PID:3048
-
\??\c:\vdppp.exec:\vdppp.exe79⤵PID:2480
-
\??\c:\pvpjj.exec:\pvpjj.exe80⤵PID:2560
-
\??\c:\rfrlfff.exec:\rfrlfff.exe81⤵PID:1240
-
\??\c:\7tbbnt.exec:\7tbbnt.exe82⤵PID:2764
-
\??\c:\pvdvj.exec:\pvdvj.exe83⤵PID:2256
-
\??\c:\rlrllff.exec:\rlrllff.exe84⤵
- System Location Discovery: System Language Discovery
PID:2880 -
\??\c:\nthhhh.exec:\nthhhh.exe85⤵PID:3972
-
\??\c:\nbnhbb.exec:\nbnhbb.exe86⤵PID:908
-
\??\c:\pjjjv.exec:\pjjjv.exe87⤵PID:3292
-
\??\c:\bbttnn.exec:\bbttnn.exe88⤵PID:4948
-
\??\c:\ppvvd.exec:\ppvvd.exe89⤵PID:3836
-
\??\c:\7flllll.exec:\7flllll.exe90⤵PID:840
-
\??\c:\nntttt.exec:\nntttt.exe91⤵PID:2452
-
\??\c:\pdppp.exec:\pdppp.exe92⤵PID:2684
-
\??\c:\xfxrrrl.exec:\xfxrrrl.exe93⤵PID:4580
-
\??\c:\tbtnhb.exec:\tbtnhb.exe94⤵PID:2144
-
\??\c:\httttt.exec:\httttt.exe95⤵PID:4324
-
\??\c:\nbhbbt.exec:\nbhbbt.exe96⤵
- System Location Discovery: System Language Discovery
PID:2384 -
\??\c:\pvvjp.exec:\pvvjp.exe97⤵PID:3476
-
\??\c:\nttttb.exec:\nttttb.exe98⤵PID:2012
-
\??\c:\ddvdv.exec:\ddvdv.exe99⤵PID:5100
-
\??\c:\llfllfx.exec:\llfllfx.exe100⤵PID:2856
-
\??\c:\btntnt.exec:\btntnt.exe101⤵PID:2120
-
\??\c:\vjjdv.exec:\vjjdv.exe102⤵PID:1236
-
\??\c:\bhtbbh.exec:\bhtbbh.exe103⤵PID:1736
-
\??\c:\jvddv.exec:\jvddv.exe104⤵PID:3544
-
\??\c:\lrxxxxx.exec:\lrxxxxx.exe105⤵PID:4880
-
\??\c:\hntttt.exec:\hntttt.exe106⤵PID:4480
-
\??\c:\vpppp.exec:\vpppp.exe107⤵PID:3716
-
\??\c:\ffffffr.exec:\ffffffr.exe108⤵PID:2796
-
\??\c:\bhnhhh.exec:\bhnhhh.exe109⤵PID:3664
-
\??\c:\vvvdv.exec:\vvvdv.exe110⤵PID:1968
-
\??\c:\rflllxx.exec:\rflllxx.exe111⤵PID:548
-
\??\c:\hhbbbh.exec:\hhbbbh.exe112⤵PID:3732
-
\??\c:\djppp.exec:\djppp.exe113⤵PID:2532
-
\??\c:\7hhbnn.exec:\7hhbnn.exe114⤵PID:1300
-
\??\c:\dvjpp.exec:\dvjpp.exe115⤵PID:1740
-
\??\c:\nntbbb.exec:\nntbbb.exe116⤵PID:800
-
\??\c:\ddjvv.exec:\ddjvv.exe117⤵
- System Location Discovery: System Language Discovery
PID:1680 -
\??\c:\dpddj.exec:\dpddj.exe118⤵PID:2564
-
\??\c:\hhtttt.exec:\hhtttt.exe119⤵PID:2000
-
\??\c:\ddddp.exec:\ddddp.exe120⤵PID:1320
-
\??\c:\hhnhnn.exec:\hhnhnn.exe121⤵PID:5024
-
\??\c:\bnttnh.exec:\bnttnh.exe122⤵PID:2544