Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 22:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe
-
Size
455KB
-
MD5
05769cbd90436f8dcda4bf4da1d26de2
-
SHA1
a23a5d5353fc4eb3c069f29f4c48c6c57696370e
-
SHA256
4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5
-
SHA512
4526942b1dbec11ce75478047596c2caffff29349b782d20ed683cb21ac9f337514d7936469d7c53fefd376357130447aa8e49ecc078fbe16b8edd133ed63f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4344-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/916-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1344-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-1237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2040 djdpj.exe 1036 nttnbh.exe 4648 jjpjp.exe 1528 vjjvj.exe 2388 lfrfffl.exe 1860 thnhhb.exe 3544 5ppjd.exe 4460 jjvjp.exe 332 lllfxrr.exe 3792 jdddv.exe 2464 jjddp.exe 2768 thnnbt.exe 4340 lxrlffx.exe 1760 btbtnn.exe 5064 jvpdv.exe 1784 ffrlrrf.exe 1912 xflfxfx.exe 3640 xffxlfx.exe 2332 lxxllfx.exe 1740 thtnhb.exe 4576 rrfrlxr.exe 2224 hhbnhb.exe 4948 1jjdv.exe 916 nhbtnh.exe 4616 jdvdd.exe 4728 xrlxlrx.exe 460 vjdpv.exe 1916 1rlxrrl.exe 2084 bnthbt.exe 4500 1tnnhh.exe 3612 djvjv.exe 3204 frfflxl.exe 1980 tbbnhb.exe 2696 pdjdp.exe 3292 7lrrllx.exe 3084 httbtn.exe 4204 pdjdp.exe 5048 xxlflrl.exe 3668 ntthth.exe 4520 hbbbbn.exe 4664 5jjdj.exe 3724 xlflllf.exe 1668 9hhtnh.exe 4704 ddjpp.exe 3972 7bhbtn.exe 4832 hnhbtt.exe 1356 pvpjd.exe 3372 lllfxfx.exe 2688 xxrxfrx.exe 4856 nntnbh.exe 3012 jjdvv.exe 1932 xffxrrl.exe 4528 bhhbtn.exe 4696 bbhntn.exe 1836 1dvpd.exe 1496 xxrfffl.exe 2660 thbtnb.exe 748 hhnnbt.exe 5100 9vdvv.exe 3836 5xrlffx.exe 2948 bhnbtt.exe 620 vjjdv.exe 4640 1jpdd.exe 2944 fxfxrrl.exe -
resource yara_rule behavioral2/memory/4344-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4728-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4924-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-643-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
hbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4344 wrote to memory of 2040 4344 4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe 82 PID 4344 wrote to memory of 2040 4344 4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe 82 PID 4344 wrote to memory of 2040 4344 4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe 82 PID 2040 wrote to memory of 1036 2040 djdpj.exe 83 PID 2040 wrote to memory of 1036 2040 djdpj.exe 83 PID 2040 wrote to memory of 1036 2040 djdpj.exe 83 PID 1036 wrote to memory of 4648 1036 nttnbh.exe 84 PID 1036 wrote to memory of 4648 1036 nttnbh.exe 84 PID 1036 wrote to memory of 4648 1036 nttnbh.exe 84 PID 4648 wrote to memory of 1528 4648 jjpjp.exe 85 PID 4648 wrote to memory of 1528 4648 jjpjp.exe 85 PID 4648 wrote to memory of 1528 4648 jjpjp.exe 85 PID 1528 wrote to memory of 2388 1528 vjjvj.exe 86 PID 1528 wrote to memory of 2388 1528 vjjvj.exe 86 PID 1528 wrote to memory of 2388 1528 vjjvj.exe 86 PID 2388 wrote to memory of 1860 2388 lfrfffl.exe 87 PID 2388 wrote to memory of 1860 2388 lfrfffl.exe 87 PID 2388 wrote to memory of 1860 2388 lfrfffl.exe 87 PID 1860 wrote to memory of 3544 1860 thnhhb.exe 88 PID 1860 wrote to memory of 3544 1860 thnhhb.exe 88 PID 1860 wrote to memory of 3544 1860 thnhhb.exe 88 PID 3544 wrote to memory of 4460 3544 5ppjd.exe 89 PID 3544 wrote to memory of 4460 3544 5ppjd.exe 89 PID 3544 wrote to memory of 4460 3544 5ppjd.exe 89 PID 4460 wrote to memory of 332 4460 jjvjp.exe 90 PID 4460 wrote to memory of 332 4460 jjvjp.exe 90 PID 4460 wrote to memory of 332 4460 jjvjp.exe 90 PID 332 wrote to memory of 3792 332 lllfxrr.exe 91 PID 332 wrote to memory of 3792 332 lllfxrr.exe 91 PID 332 wrote to memory of 3792 332 lllfxrr.exe 91 PID 3792 wrote to memory of 2464 3792 jdddv.exe 92 PID 3792 wrote to memory of 2464 3792 jdddv.exe 92 PID 3792 wrote to memory of 2464 3792 jdddv.exe 92 PID 2464 wrote to memory of 2768 2464 jjddp.exe 93 PID 2464 wrote to memory of 2768 2464 
jjddp.exe 93 PID 2464 wrote to memory of 2768 2464 jjddp.exe 93 PID 2768 wrote to memory of 4340 2768 thnnbt.exe 94 PID 2768 wrote to memory of 4340 2768 thnnbt.exe 94 PID 2768 wrote to memory of 4340 2768 thnnbt.exe 94 PID 4340 wrote to memory of 1760 4340 lxrlffx.exe 95 PID 4340 wrote to memory of 1760 4340 lxrlffx.exe 95 PID 4340 wrote to memory of 1760 4340 lxrlffx.exe 95 PID 1760 wrote to memory of 5064 1760 btbtnn.exe 96 PID 1760 wrote to memory of 5064 1760 btbtnn.exe 96 PID 1760 wrote to memory of 5064 1760 btbtnn.exe 96 PID 5064 wrote to memory of 1784 5064 jvpdv.exe 97 PID 5064 wrote to memory of 1784 5064 jvpdv.exe 97 PID 5064 wrote to memory of 1784 5064 jvpdv.exe 97 PID 1784 wrote to memory of 1912 1784 ffrlrrf.exe 98 PID 1784 wrote to memory of 1912 1784 ffrlrrf.exe 98 PID 1784 wrote to memory of 1912 1784 ffrlrrf.exe 98 PID 1912 wrote to memory of 3640 1912 xflfxfx.exe 99 PID 1912 wrote to memory of 3640 1912 xflfxfx.exe 99 PID 1912 wrote to memory of 3640 1912 xflfxfx.exe 99 PID 3640 wrote to memory of 2332 3640 xffxlfx.exe 100 PID 3640 wrote to memory of 2332 3640 xffxlfx.exe 100 PID 3640 wrote to memory of 2332 3640 xffxlfx.exe 100 PID 2332 wrote to memory of 1740 2332 lxxllfx.exe 101 PID 2332 wrote to memory of 1740 2332 lxxllfx.exe 101 PID 2332 wrote to memory of 1740 2332 lxxllfx.exe 101 PID 1740 wrote to memory of 4576 1740 thtnhb.exe 102 PID 1740 wrote to memory of 4576 1740 thtnhb.exe 102 PID 1740 wrote to memory of 4576 1740 thtnhb.exe 102 PID 4576 wrote to memory of 2224 4576 rrfrlxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe"C:\Users\Admin\AppData\Local\Temp\4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\djdpj.exec:\djdpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\nttnbh.exec:\nttnbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\jjpjp.exec:\jjpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\vjjvj.exec:\vjjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\lfrfffl.exec:\lfrfffl.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\thnhhb.exec:\thnhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\5ppjd.exec:\5ppjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\jjvjp.exec:\jjvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\lllfxrr.exec:\lllfxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\jdddv.exec:\jdddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\jjddp.exec:\jjddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\thnnbt.exec:\thnnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\lxrlffx.exec:\lxrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\btbtnn.exec:\btbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\jvpdv.exec:\jvpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\ffrlrrf.exec:\ffrlrrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\xflfxfx.exec:\xflfxfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\xffxlfx.exec:\xffxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\lxxllfx.exec:\lxxllfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\thtnhb.exec:\thtnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\rrfrlxr.exec:\rrfrlxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\hhbnhb.exec:\hhbnhb.exe23⤵
- Executes dropped EXE
PID:2224 -
\??\c:\1jjdv.exec:\1jjdv.exe24⤵
- Executes dropped EXE
PID:4948 -
\??\c:\nhbtnh.exec:\nhbtnh.exe25⤵
- Executes dropped EXE
PID:916 -
\??\c:\jdvdd.exec:\jdvdd.exe26⤵
- Executes dropped EXE
PID:4616 -
\??\c:\xrlxlrx.exec:\xrlxlrx.exe27⤵
- Executes dropped EXE
PID:4728 -
\??\c:\vjdpv.exec:\vjdpv.exe28⤵
- Executes dropped EXE
PID:460 -
\??\c:\1rlxrrl.exec:\1rlxrrl.exe29⤵
- Executes dropped EXE
PID:1916 -
\??\c:\bnthbt.exec:\bnthbt.exe30⤵
- Executes dropped EXE
PID:2084 -
\??\c:\1tnnhh.exec:\1tnnhh.exe31⤵
- Executes dropped EXE
PID:4500 -
\??\c:\djvjv.exec:\djvjv.exe32⤵
- Executes dropped EXE
PID:3612 -
\??\c:\frfflxl.exec:\frfflxl.exe33⤵
- Executes dropped EXE
PID:3204 -
\??\c:\tbbnhb.exec:\tbbnhb.exe34⤵
- Executes dropped EXE
PID:1980 -
\??\c:\pdjdp.exec:\pdjdp.exe35⤵
- Executes dropped EXE
PID:2696 -
\??\c:\7lrrllx.exec:\7lrrllx.exe36⤵
- Executes dropped EXE
PID:3292 -
\??\c:\httbtn.exec:\httbtn.exe37⤵
- Executes dropped EXE
PID:3084 -
\??\c:\pdjdp.exec:\pdjdp.exe38⤵
- Executes dropped EXE
PID:4204 -
\??\c:\xxlflrl.exec:\xxlflrl.exe39⤵
- Executes dropped EXE
PID:5048 -
\??\c:\ntthth.exec:\ntthth.exe40⤵
- Executes dropped EXE
PID:3668 -
\??\c:\hbbbbn.exec:\hbbbbn.exe41⤵
- Executes dropped EXE
PID:4520 -
\??\c:\5jjdj.exec:\5jjdj.exe42⤵
- Executes dropped EXE
PID:4664 -
\??\c:\xlflllf.exec:\xlflllf.exe43⤵
- Executes dropped EXE
PID:3724 -
\??\c:\9hhtnh.exec:\9hhtnh.exe44⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ddjpp.exec:\ddjpp.exe45⤵
- Executes dropped EXE
PID:4704 -
\??\c:\7bhbtn.exec:\7bhbtn.exe46⤵
- Executes dropped EXE
PID:3972 -
\??\c:\hnhbtt.exec:\hnhbtt.exe47⤵
- Executes dropped EXE
PID:4832 -
\??\c:\pvpjd.exec:\pvpjd.exe48⤵
- Executes dropped EXE
PID:1356 -
\??\c:\lllfxfx.exec:\lllfxfx.exe49⤵
- Executes dropped EXE
PID:3372 -
\??\c:\xxrxfrx.exec:\xxrxfrx.exe50⤵
- Executes dropped EXE
PID:2688 -
\??\c:\nntnbh.exec:\nntnbh.exe51⤵
- Executes dropped EXE
PID:4856 -
\??\c:\jjdvv.exec:\jjdvv.exe52⤵
- Executes dropped EXE
PID:3012 -
\??\c:\xffxrrl.exec:\xffxrrl.exe53⤵
- Executes dropped EXE
PID:1932 -
\??\c:\bhhbtn.exec:\bhhbtn.exe54⤵
- Executes dropped EXE
PID:4528 -
\??\c:\bbhntn.exec:\bbhntn.exe55⤵
- Executes dropped EXE
PID:4696 -
\??\c:\1dvpd.exec:\1dvpd.exe56⤵
- Executes dropped EXE
PID:1836 -
\??\c:\xxrfffl.exec:\xxrfffl.exe57⤵
- Executes dropped EXE
PID:1496 -
\??\c:\thbtnb.exec:\thbtnb.exe58⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hhnnbt.exec:\hhnnbt.exe59⤵
- Executes dropped EXE
PID:748 -
\??\c:\9vdvv.exec:\9vdvv.exe60⤵
- Executes dropped EXE
PID:5100 -
\??\c:\5xrlffx.exec:\5xrlffx.exe61⤵
- Executes dropped EXE
PID:3836 -
\??\c:\bhnbtt.exec:\bhnbtt.exe62⤵
- Executes dropped EXE
PID:2948 -
\??\c:\vjjdv.exec:\vjjdv.exe63⤵
- Executes dropped EXE
PID:620 -
\??\c:\1jpdd.exec:\1jpdd.exe64⤵
- Executes dropped EXE
PID:4640 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe65⤵
- Executes dropped EXE
PID:2944 -
\??\c:\3tbbbb.exec:\3tbbbb.exe66⤵PID:4776
-
\??\c:\nbhbhh.exec:\nbhbhh.exe67⤵PID:4140
-
\??\c:\3jdpd.exec:\3jdpd.exe68⤵PID:2080
-
\??\c:\fxffxrr.exec:\fxffxrr.exe69⤵PID:5000
-
\??\c:\bntnhh.exec:\bntnhh.exe70⤵PID:4352
-
\??\c:\vjpjd.exec:\vjpjd.exe71⤵PID:2052
-
\??\c:\fxxxrxr.exec:\fxxxrxr.exe72⤵PID:1344
-
\??\c:\htnbhn.exec:\htnbhn.exe73⤵PID:3200
-
\??\c:\hbnnhb.exec:\hbnnhb.exe74⤵PID:2768
-
\??\c:\dvvvp.exec:\dvvvp.exe75⤵PID:5116
-
\??\c:\rrxxrrl.exec:\rrxxrrl.exe76⤵PID:3504
-
\??\c:\nntnhb.exec:\nntnhb.exe77⤵PID:2912
-
\??\c:\hbtnbb.exec:\hbtnbb.exe78⤵PID:5064
-
\??\c:\jvjdv.exec:\jvjdv.exe79⤵
- System Location Discovery: System Language Discovery
PID:2284 -
\??\c:\frxrrll.exec:\frxrrll.exe80⤵PID:216
-
\??\c:\1hbttt.exec:\1hbttt.exe81⤵PID:1912
-
\??\c:\9pvvd.exec:\9pvvd.exe82⤵PID:3640
-
\??\c:\pjvpp.exec:\pjvpp.exe83⤵
- System Location Discovery: System Language Discovery
PID:212 -
\??\c:\rxffxrl.exec:\rxffxrl.exe84⤵PID:4924
-
\??\c:\nbbbth.exec:\nbbbth.exe85⤵PID:3244
-
\??\c:\rrrlffx.exec:\rrrlffx.exe86⤵PID:4576
-
\??\c:\3nhthb.exec:\3nhthb.exe87⤵PID:2320
-
\??\c:\jddvv.exec:\jddvv.exe88⤵PID:3028
-
\??\c:\1fxlxrl.exec:\1fxlxrl.exe89⤵PID:3672
-
\??\c:\5nbnhb.exec:\5nbnhb.exe90⤵PID:916
-
\??\c:\htbttn.exec:\htbttn.exe91⤵PID:1336
-
\??\c:\jvdpp.exec:\jvdpp.exe92⤵PID:2644
-
\??\c:\xfxrfrf.exec:\xfxrfrf.exe93⤵PID:3044
-
\??\c:\ttnbnh.exec:\ttnbnh.exe94⤵PID:884
-
\??\c:\ddvjd.exec:\ddvjd.exe95⤵PID:1916
-
\??\c:\vvdpp.exec:\vvdpp.exe96⤵PID:4800
-
\??\c:\lxffllf.exec:\lxffllf.exe97⤵PID:1840
-
\??\c:\3nthtn.exec:\3nthtn.exe98⤵PID:4568
-
\??\c:\5ddvp.exec:\5ddvp.exe99⤵PID:4824
-
\??\c:\jvdpd.exec:\jvdpd.exe100⤵PID:2632
-
\??\c:\fffxrlf.exec:\fffxrlf.exe101⤵PID:2436
-
\??\c:\9htbhn.exec:\9htbhn.exe102⤵PID:3032
-
\??\c:\pvvjv.exec:\pvvjv.exe103⤵PID:4508
-
\??\c:\rflxxlr.exec:\rflxxlr.exe104⤵PID:3092
-
\??\c:\7hbtbb.exec:\7hbtbb.exe105⤵PID:3648
-
\??\c:\5djvj.exec:\5djvj.exe106⤵PID:2544
-
\??\c:\7pdvd.exec:\7pdvd.exe107⤵PID:3464
-
\??\c:\xllfrlx.exec:\xllfrlx.exe108⤵PID:1688
-
\??\c:\3tthtt.exec:\3tthtt.exe109⤵PID:1016
-
\??\c:\vdpdp.exec:\vdpdp.exe110⤵PID:2136
-
\??\c:\jdvjv.exec:\jdvjv.exe111⤵PID:3484
-
\??\c:\rrlrflx.exec:\rrlrflx.exe112⤵PID:2076
-
\??\c:\thhtbn.exec:\thhtbn.exe113⤵PID:4404
-
\??\c:\dvdpp.exec:\dvdpp.exe114⤵PID:3328
-
\??\c:\5frfrlx.exec:\5frfrlx.exe115⤵PID:2508
-
\??\c:\3ntbht.exec:\3ntbht.exe116⤵PID:4116
-
\??\c:\7jjvp.exec:\7jjvp.exe117⤵PID:3984
-
\??\c:\rrrlxrl.exec:\rrrlxrl.exe118⤵PID:536
-
\??\c:\nhbhtb.exec:\nhbhtb.exe119⤵
- System Location Discovery: System Language Discovery
PID:812 -
\??\c:\pjjvp.exec:\pjjvp.exe120⤵PID:2228
-
\??\c:\jvjpv.exec:\jvjpv.exe121⤵PID:1232
-
\??\c:\9xxrfff.exec:\9xxrfff.exe122⤵PID:5024