Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 06:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe
-
Size
453KB
-
MD5
77de7dca40d32bdf68aa05e5896c0927
-
SHA1
1c4de4d3137661ba3be3e862afe5cb5ee0ff16a6
-
SHA256
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816
-
SHA512
c40def558feafd4f4ca74b4f3263da803daf3c49aa76486389c44ac8ec3d3dd230af08f40a48f77cb735bd8a0825b6684c0056bf9d37ae86bdc0a03bbb79f59f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4740-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1832-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2256-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-1197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-1653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4120 3hnnhb.exe 1060 jvppd.exe 1976 bhntbb.exe 3840 rrlllxf.exe 1856 tbhhhh.exe 2076 pvddd.exe 2208 xlxffrr.exe 2872 vjppj.exe 1196 bbtnbt.exe 3940 xrrxffr.exe 1988 hthnhb.exe 4236 xxffffx.exe 4892 xrfrfll.exe 3512 nbhnnb.exe 1136 xfxrfxr.exe 3548 jpdvp.exe 3392 jvdpd.exe 3456 jpjdj.exe 4344 rrrxfxl.exe 412 pjdjv.exe 1664 bbhhtb.exe 872 vvvvv.exe 2256 rrxxrxr.exe 4752 nnnhnb.exe 1676 pjpjd.exe 1832 ddpvv.exe 3540 hnnhbb.exe 1672 tbbnhh.exe 4196 vdvpd.exe 3352 vpdpv.exe 2244 xllxlrf.exe 3528 9hbhhh.exe 948 fffffll.exe 2152 vddvj.exe 3588 3rfllff.exe 1132 tbhbbh.exe 4432 vddpd.exe 952 bbhnnn.exe 5084 bhtnhh.exe 2624 jpppp.exe 3100 rllllrx.exe 1860 hthhnh.exe 4508 vpddj.exe 2612 1flllll.exe 4496 ppjvv.exe 1260 ppvdd.exe 3736 rrlffff.exe 3716 hhtthn.exe 3544 ddjdj.exe 4740 5nbbtb.exe 2108 bntnbb.exe 4088 xrrlffx.exe 1060 nbhhhh.exe 856 xrlfllx.exe 5000 fxffllf.exe 748 5tbbtb.exe 4896 dddvd.exe 2680 lrffflr.exe 4524 nntbbt.exe 2076 5tttht.exe 2924 3jppj.exe 3192 tttttb.exe 3476 bnnnht.exe 1196 ddvpd.exe -
resource yara_rule behavioral2/memory/4740-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4196-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2600-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-1175-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxxlxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhttt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4740 wrote to memory of 4120 4740 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 84 PID 4740 wrote to memory of 4120 4740 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 84 PID 4740 wrote to memory of 4120 4740 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 84 PID 4120 wrote to memory of 1060 4120 3hnnhb.exe 85 PID 4120 wrote to memory of 1060 4120 3hnnhb.exe 85 PID 4120 wrote to memory of 1060 4120 3hnnhb.exe 85 PID 1060 wrote to memory of 1976 1060 jvppd.exe 86 PID 1060 wrote to memory of 1976 1060 jvppd.exe 86 PID 1060 wrote to memory of 1976 1060 jvppd.exe 86 PID 1976 wrote to memory of 3840 1976 bhntbb.exe 87 PID 1976 wrote to memory of 3840 1976 bhntbb.exe 87 PID 1976 wrote to memory of 3840 1976 bhntbb.exe 87 PID 3840 wrote to memory of 1856 3840 rrlllxf.exe 88 PID 3840 wrote to memory of 1856 3840 rrlllxf.exe 88 PID 3840 wrote to memory of 1856 3840 rrlllxf.exe 88 PID 1856 wrote to memory of 2076 1856 tbhhhh.exe 89 PID 1856 wrote to memory of 2076 1856 tbhhhh.exe 89 PID 1856 wrote to memory of 2076 1856 tbhhhh.exe 89 PID 2076 wrote to memory of 2208 2076 pvddd.exe 90 PID 2076 wrote to memory of 2208 2076 pvddd.exe 90 PID 2076 wrote to memory of 2208 2076 pvddd.exe 90 PID 2208 wrote to memory of 2872 2208 xlxffrr.exe 91 PID 2208 wrote to memory of 2872 2208 xlxffrr.exe 91 PID 2208 wrote to memory of 2872 2208 xlxffrr.exe 91 PID 2872 wrote to memory of 1196 2872 vjppj.exe 92 PID 2872 wrote to memory of 1196 2872 vjppj.exe 92 PID 2872 wrote to memory of 1196 2872 vjppj.exe 92 PID 1196 wrote to memory of 3940 1196 bbtnbt.exe 93 PID 1196 wrote to memory of 3940 1196 bbtnbt.exe 93 PID 1196 wrote to memory of 3940 1196 bbtnbt.exe 93 PID 3940 wrote to memory of 1988 3940 xrrxffr.exe 94 PID 3940 wrote to memory of 1988 3940 xrrxffr.exe 94 PID 3940 wrote to memory of 1988 3940 xrrxffr.exe 94 PID 1988 wrote to memory of 4236 1988 hthnhb.exe 95 PID 1988 wrote to 
memory of 4236 1988 hthnhb.exe 95 PID 1988 wrote to memory of 4236 1988 hthnhb.exe 95 PID 4236 wrote to memory of 4892 4236 xxffffx.exe 96 PID 4236 wrote to memory of 4892 4236 xxffffx.exe 96 PID 4236 wrote to memory of 4892 4236 xxffffx.exe 96 PID 4892 wrote to memory of 3512 4892 xrfrfll.exe 97 PID 4892 wrote to memory of 3512 4892 xrfrfll.exe 97 PID 4892 wrote to memory of 3512 4892 xrfrfll.exe 97 PID 3512 wrote to memory of 1136 3512 nbhnnb.exe 98 PID 3512 wrote to memory of 1136 3512 nbhnnb.exe 98 PID 3512 wrote to memory of 1136 3512 nbhnnb.exe 98 PID 1136 wrote to memory of 3548 1136 xfxrfxr.exe 99 PID 1136 wrote to memory of 3548 1136 xfxrfxr.exe 99 PID 1136 wrote to memory of 3548 1136 xfxrfxr.exe 99 PID 3548 wrote to memory of 3392 3548 jpdvp.exe 100 PID 3548 wrote to memory of 3392 3548 jpdvp.exe 100 PID 3548 wrote to memory of 3392 3548 jpdvp.exe 100 PID 3392 wrote to memory of 3456 3392 jvdpd.exe 101 PID 3392 wrote to memory of 3456 3392 jvdpd.exe 101 PID 3392 wrote to memory of 3456 3392 jvdpd.exe 101 PID 3456 wrote to memory of 4344 3456 jpjdj.exe 102 PID 3456 wrote to memory of 4344 3456 jpjdj.exe 102 PID 3456 wrote to memory of 4344 3456 jpjdj.exe 102 PID 4344 wrote to memory of 412 4344 rrrxfxl.exe 103 PID 4344 wrote to memory of 412 4344 rrrxfxl.exe 103 PID 4344 wrote to memory of 412 4344 rrrxfxl.exe 103 PID 412 wrote to memory of 1664 412 pjdjv.exe 104 PID 412 wrote to memory of 1664 412 pjdjv.exe 104 PID 412 wrote to memory of 1664 412 pjdjv.exe 104 PID 1664 wrote to memory of 872 1664 bbhhtb.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe"C:\Users\Admin\AppData\Local\Temp\b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\3hnnhb.exec:\3hnnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\jvppd.exec:\jvppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\bhntbb.exec:\bhntbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\rrlllxf.exec:\rrlllxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\tbhhhh.exec:\tbhhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\pvddd.exec:\pvddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\xlxffrr.exec:\xlxffrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\vjppj.exec:\vjppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\bbtnbt.exec:\bbtnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\xrrxffr.exec:\xrrxffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\hthnhb.exec:\hthnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\xxffffx.exec:\xxffffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\xrfrfll.exec:\xrfrfll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\nbhnnb.exec:\nbhnnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\xfxrfxr.exec:\xfxrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\jpdvp.exec:\jpdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\jvdpd.exec:\jvdpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\jpjdj.exec:\jpjdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\rrrxfxl.exec:\rrrxfxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\pjdjv.exec:\pjdjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\bbhhtb.exec:\bbhhtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\vvvvv.exec:\vvvvv.exe23⤵
- Executes dropped EXE
PID:872 -
\??\c:\rrxxrxr.exec:\rrxxrxr.exe24⤵
- Executes dropped EXE
PID:2256 -
\??\c:\nnnhnb.exec:\nnnhnb.exe25⤵
- Executes dropped EXE
PID:4752 -
\??\c:\pjpjd.exec:\pjpjd.exe26⤵
- Executes dropped EXE
PID:1676 -
\??\c:\ddpvv.exec:\ddpvv.exe27⤵
- Executes dropped EXE
PID:1832 -
\??\c:\hnnhbb.exec:\hnnhbb.exe28⤵
- Executes dropped EXE
PID:3540 -
\??\c:\tbbnhh.exec:\tbbnhh.exe29⤵
- Executes dropped EXE
PID:1672 -
\??\c:\vdvpd.exec:\vdvpd.exe30⤵
- Executes dropped EXE
PID:4196 -
\??\c:\vpdpv.exec:\vpdpv.exe31⤵
- Executes dropped EXE
PID:3352 -
\??\c:\xllxlrf.exec:\xllxlrf.exe32⤵
- Executes dropped EXE
PID:2244 -
\??\c:\9hbhhh.exec:\9hbhhh.exe33⤵
- Executes dropped EXE
PID:3528 -
\??\c:\fffffll.exec:\fffffll.exe34⤵
- Executes dropped EXE
PID:948 -
\??\c:\vddvj.exec:\vddvj.exe35⤵
- Executes dropped EXE
PID:2152 -
\??\c:\3rfllff.exec:\3rfllff.exe36⤵
- Executes dropped EXE
PID:3588 -
\??\c:\tbhbbh.exec:\tbhbbh.exe37⤵
- Executes dropped EXE
PID:1132 -
\??\c:\vddpd.exec:\vddpd.exe38⤵
- Executes dropped EXE
PID:4432 -
\??\c:\bbhnnn.exec:\bbhnnn.exe39⤵
- Executes dropped EXE
PID:952 -
\??\c:\bhtnhh.exec:\bhtnhh.exe40⤵
- Executes dropped EXE
PID:5084 -
\??\c:\jpppp.exec:\jpppp.exe41⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rllllrx.exec:\rllllrx.exe42⤵
- Executes dropped EXE
PID:3100 -
\??\c:\hthhnh.exec:\hthhnh.exe43⤵
- Executes dropped EXE
PID:1860 -
\??\c:\vpddj.exec:\vpddj.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\1flllll.exec:\1flllll.exe45⤵
- Executes dropped EXE
PID:2612 -
\??\c:\ppjvv.exec:\ppjvv.exe46⤵
- Executes dropped EXE
PID:4496 -
\??\c:\ppvdd.exec:\ppvdd.exe47⤵
- Executes dropped EXE
PID:1260 -
\??\c:\rrlffff.exec:\rrlffff.exe48⤵
- Executes dropped EXE
PID:3736 -
\??\c:\hhtthn.exec:\hhtthn.exe49⤵
- Executes dropped EXE
PID:3716 -
\??\c:\ddjdj.exec:\ddjdj.exe50⤵
- Executes dropped EXE
PID:3544 -
\??\c:\frllfxf.exec:\frllfxf.exe51⤵PID:2704
-
\??\c:\5nbbtb.exec:\5nbbtb.exe52⤵
- Executes dropped EXE
PID:4740 -
\??\c:\bntnbb.exec:\bntnbb.exe53⤵
- Executes dropped EXE
PID:2108 -
\??\c:\xrrlffx.exec:\xrrlffx.exe54⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nbhhhh.exec:\nbhhhh.exe55⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xrlfllx.exec:\xrlfllx.exe56⤵
- Executes dropped EXE
PID:856 -
\??\c:\fxffllf.exec:\fxffllf.exe57⤵
- Executes dropped EXE
PID:5000 -
\??\c:\5tbbtb.exec:\5tbbtb.exe58⤵
- Executes dropped EXE
PID:748 -
\??\c:\dddvd.exec:\dddvd.exe59⤵
- Executes dropped EXE
PID:4896 -
\??\c:\lrffflr.exec:\lrffflr.exe60⤵
- Executes dropped EXE
PID:2680 -
\??\c:\nntbbt.exec:\nntbbt.exe61⤵
- Executes dropped EXE
PID:4524 -
\??\c:\5tttht.exec:\5tttht.exe62⤵
- Executes dropped EXE
PID:2076 -
\??\c:\3jppj.exec:\3jppj.exe63⤵
- Executes dropped EXE
PID:2924 -
\??\c:\tttttb.exec:\tttttb.exe64⤵
- Executes dropped EXE
PID:3192 -
\??\c:\bnnnht.exec:\bnnnht.exe65⤵
- Executes dropped EXE
PID:3476 -
\??\c:\ddvpd.exec:\ddvpd.exe66⤵
- Executes dropped EXE
PID:1196 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe67⤵PID:4768
-
\??\c:\tnbhhh.exec:\tnbhhh.exe68⤵PID:1780
-
\??\c:\ppvjd.exec:\ppvjd.exe69⤵PID:4832
-
\??\c:\rrfflrx.exec:\rrfflrx.exe70⤵PID:4032
-
\??\c:\hbhbbb.exec:\hbhbbb.exe71⤵PID:3652
-
\??\c:\vvvvv.exec:\vvvvv.exe72⤵PID:3668
-
\??\c:\ppjdp.exec:\ppjdp.exe73⤵PID:1268
-
\??\c:\xrrxxff.exec:\xrrxxff.exe74⤵PID:5096
-
\??\c:\hnhbbn.exec:\hnhbbn.exe75⤵PID:2936
-
\??\c:\5ddjj.exec:\5ddjj.exe76⤵PID:3660
-
\??\c:\llxfflr.exec:\llxfflr.exe77⤵PID:2708
-
\??\c:\nbnnnn.exec:\nbnnnn.exe78⤵PID:2120
-
\??\c:\pdjdv.exec:\pdjdv.exe79⤵PID:3488
-
\??\c:\ffrrfff.exec:\ffrrfff.exe80⤵PID:4172
-
\??\c:\tbnbtt.exec:\tbnbtt.exe81⤵PID:412
-
\??\c:\1vdjv.exec:\1vdjv.exe82⤵PID:3688
-
\??\c:\lrfxrll.exec:\lrfxrll.exe83⤵PID:2572
-
\??\c:\5nttnt.exec:\5nttnt.exe84⤵PID:3372
-
\??\c:\pdddv.exec:\pdddv.exe85⤵PID:2256
-
\??\c:\vdvdj.exec:\vdvdj.exe86⤵
- System Location Discovery: System Language Discovery
PID:4752 -
\??\c:\xxfffff.exec:\xxfffff.exe87⤵PID:3816
-
\??\c:\1tthth.exec:\1tthth.exe88⤵PID:2728
-
\??\c:\djpjj.exec:\djpjj.exe89⤵PID:4776
-
\??\c:\fflfxxr.exec:\fflfxxr.exe90⤵PID:4760
-
\??\c:\hhnttt.exec:\hhnttt.exe91⤵PID:2856
-
\??\c:\vdppp.exec:\vdppp.exe92⤵PID:1936
-
\??\c:\xxfxxrr.exec:\xxfxxrr.exe93⤵PID:4176
-
\??\c:\nthhhh.exec:\nthhhh.exe94⤵PID:3336
-
\??\c:\vvvjv.exec:\vvvjv.exe95⤵PID:3116
-
\??\c:\xrxrrll.exec:\xrxrrll.exe96⤵PID:4472
-
\??\c:\bthbnn.exec:\bthbnn.exe97⤵PID:3828
-
\??\c:\jjvdj.exec:\jjvdj.exe98⤵PID:948
-
\??\c:\xfrrlxl.exec:\xfrrlxl.exe99⤵PID:1636
-
\??\c:\1thbnn.exec:\1thbnn.exe100⤵PID:1304
-
\??\c:\dvjdv.exec:\dvjdv.exe101⤵PID:2740
-
\??\c:\dpvvp.exec:\dpvvp.exe102⤵PID:4824
-
\??\c:\xxflxlr.exec:\xxflxlr.exe103⤵PID:2112
-
\??\c:\nnthht.exec:\nnthht.exe104⤵PID:2452
-
\??\c:\jpdpp.exec:\jpdpp.exe105⤵PID:2600
-
\??\c:\xlxrllf.exec:\xlxrllf.exe106⤵PID:3220
-
\??\c:\nbbbhn.exec:\nbbbhn.exe107⤵PID:4900
-
\??\c:\vpjpv.exec:\vpjpv.exe108⤵PID:1124
-
\??\c:\rfllfrr.exec:\rfllfrr.exe109⤵PID:5080
-
\??\c:\bbhnhb.exec:\bbhnhb.exe110⤵PID:1840
-
\??\c:\pdvpj.exec:\pdvpj.exe111⤵PID:3672
-
\??\c:\rlfflrr.exec:\rlfflrr.exe112⤵PID:5016
-
\??\c:\hbnhbt.exec:\hbnhbt.exe113⤵PID:3736
-
\??\c:\vpvpp.exec:\vpvpp.exe114⤵PID:4564
-
\??\c:\pvvvv.exec:\pvvvv.exe115⤵PID:2148
-
\??\c:\5frlxfx.exec:\5frlxfx.exe116⤵PID:4280
-
\??\c:\tbnntb.exec:\tbnntb.exe117⤵PID:524
-
\??\c:\pjjjd.exec:\pjjjd.exe118⤵PID:1628
-
\??\c:\rrxxlll.exec:\rrxxlll.exe119⤵PID:1976
-
\??\c:\nttthb.exec:\nttthb.exe120⤵PID:1880
-
\??\c:\ddvdj.exec:\ddvdj.exe121⤵PID:4400
-
\??\c:\9xlrrlr.exec:\9xlrrlr.exe122⤵PID:2648