Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0.exe
-
Size
453KB
-
MD5
c2ee58d53d342e7bd743c9dcabcd9468
-
SHA1
f3c06388d89b039b4a3443dc0b8874d6d57c8ec7
-
SHA256
b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0
-
SHA512
07eb2d68a61fcc519bf6fd4f0acf1ce24c8c8ae73d69e5cac9d201685a389131933501f489fff56699c3bb3724d069d7d81ce3f53fecdfd3815babbee202c7f7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5008-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4756-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3680-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-1156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-1401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-1405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 448 tntnbt.exe 456 vppjj.exe 412 llxrrxx.exe 628 fflffff.exe 2152 hhhhbb.exe 4576 bbbbtt.exe 980 fllflrx.exe 5012 7ntnhh.exe 1584 djvpj.exe 3700 jppjd.exe 2312 hbbttn.exe 2468 djjdd.exe 696 xlxlxfl.exe 1256 bbhbtn.exe 4416 dvddj.exe 2628 rlrlfff.exe 2024 nthnbh.exe 1512 xfrxffx.exe 3180 dvdvj.exe 4152 llrlrlr.exe 3616 jpppj.exe 4104 frxlfrl.exe 4756 dvpjv.exe 4264 5btnhb.exe 2188 7xrlxxr.exe 1924 pjvpj.exe 708 3nnhbt.exe 3316 5hhthh.exe 4844 hbhbbb.exe 3128 bntnhn.exe 2840 pvdpj.exe 1444 1bhbtt.exe 976 vjvjj.exe 848 xllxrlx.exe 2912 tnnhbb.exe 2056 pjjjd.exe 4444 xllffxr.exe 2516 xrrfxxr.exe 2120 9bthtb.exe 4848 vjddv.exe 1192 xlfrrrf.exe 2696 lrlrlll.exe 824 dvvpp.exe 3788 pvjdv.exe 1520 fxrlrlr.exe 2288 tttnhh.exe 4344 vpjjd.exe 4348 jvvpj.exe 4952 rxlfffx.exe 1956 nbnbtn.exe 5020 5vvpv.exe 3732 xxrllll.exe 4996 tttnbb.exe 4976 9ntnbh.exe 2624 jdvpj.exe 3716 9lffxfx.exe 3584 9hhbtb.exe 3188 vvpjd.exe 1368 9vvpj.exe 1636 frrfrrl.exe 2140 ntttnn.exe 640 jvvpj.exe 3612 9frlllf.exe 1044 dvppj.exe -
resource yara_rule behavioral2/memory/5008-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4264-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-429-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1840-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-1156-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5008 wrote to memory of 448 5008 b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0.exe 83 PID 5008 wrote to memory of 448 5008 b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0.exe 83 PID 5008 wrote to memory of 448 5008 b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0.exe 83 PID 448 wrote to memory of 456 448 tntnbt.exe 84 PID 448 wrote to memory of 456 448 tntnbt.exe 84 PID 448 wrote to memory of 456 448 tntnbt.exe 84 PID 456 wrote to memory of 412 456 vppjj.exe 85 PID 456 wrote to memory of 412 456 vppjj.exe 85 PID 456 wrote to memory of 412 456 vppjj.exe 85 PID 412 wrote to memory of 628 412 llxrrxx.exe 86 PID 412 wrote to memory of 628 412 llxrrxx.exe 86 PID 412 wrote to memory of 628 412 llxrrxx.exe 86 PID 628 wrote to memory of 2152 628 fflffff.exe 87 PID 628 wrote to memory of 2152 628 fflffff.exe 87 PID 628 wrote to memory of 2152 628 fflffff.exe 87 PID 2152 wrote to memory of 4576 2152 hhhhbb.exe 88 PID 2152 wrote to memory of 4576 2152 hhhhbb.exe 88 PID 2152 wrote to memory of 4576 2152 hhhhbb.exe 88 PID 4576 wrote to memory of 980 4576 bbbbtt.exe 89 PID 4576 wrote to memory of 980 4576 bbbbtt.exe 89 PID 4576 wrote to memory of 980 4576 bbbbtt.exe 89 PID 980 wrote to memory of 5012 980 fllflrx.exe 90 PID 980 wrote to memory of 5012 980 fllflrx.exe 90 PID 980 wrote to memory of 5012 980 fllflrx.exe 90 PID 5012 wrote to memory of 1584 5012 7ntnhh.exe 91 PID 5012 wrote to memory of 1584 5012 7ntnhh.exe 91 PID 5012 wrote to memory of 1584 5012 7ntnhh.exe 91 PID 1584 wrote to memory of 3700 1584 djvpj.exe 92 PID 1584 wrote to memory of 3700 1584 djvpj.exe 92 PID 1584 wrote to memory of 3700 1584 djvpj.exe 92 PID 3700 wrote to memory of 2312 3700 jppjd.exe 93 PID 3700 wrote to memory of 2312 3700 jppjd.exe 93 PID 3700 wrote to memory of 2312 3700 jppjd.exe 93 PID 2312 wrote to memory of 2468 2312 hbbttn.exe 94 PID 2312 wrote to memory of 2468 2312 hbbttn.exe 94 PID 2312 
wrote to memory of 2468 2312 hbbttn.exe 94 PID 2468 wrote to memory of 696 2468 djjdd.exe 95 PID 2468 wrote to memory of 696 2468 djjdd.exe 95 PID 2468 wrote to memory of 696 2468 djjdd.exe 95 PID 696 wrote to memory of 1256 696 xlxlxfl.exe 96 PID 696 wrote to memory of 1256 696 xlxlxfl.exe 96 PID 696 wrote to memory of 1256 696 xlxlxfl.exe 96 PID 1256 wrote to memory of 4416 1256 bbhbtn.exe 97 PID 1256 wrote to memory of 4416 1256 bbhbtn.exe 97 PID 1256 wrote to memory of 4416 1256 bbhbtn.exe 97 PID 4416 wrote to memory of 2628 4416 dvddj.exe 98 PID 4416 wrote to memory of 2628 4416 dvddj.exe 98 PID 4416 wrote to memory of 2628 4416 dvddj.exe 98 PID 2628 wrote to memory of 2024 2628 rlrlfff.exe 99 PID 2628 wrote to memory of 2024 2628 rlrlfff.exe 99 PID 2628 wrote to memory of 2024 2628 rlrlfff.exe 99 PID 2024 wrote to memory of 1512 2024 nthnbh.exe 100 PID 2024 wrote to memory of 1512 2024 nthnbh.exe 100 PID 2024 wrote to memory of 1512 2024 nthnbh.exe 100 PID 1512 wrote to memory of 3180 1512 xfrxffx.exe 101 PID 1512 wrote to memory of 3180 1512 xfrxffx.exe 101 PID 1512 wrote to memory of 3180 1512 xfrxffx.exe 101 PID 3180 wrote to memory of 4152 3180 dvdvj.exe 102 PID 3180 wrote to memory of 4152 3180 dvdvj.exe 102 PID 3180 wrote to memory of 4152 3180 dvdvj.exe 102 PID 4152 wrote to memory of 3616 4152 llrlrlr.exe 103 PID 4152 wrote to memory of 3616 4152 llrlrlr.exe 103 PID 4152 wrote to memory of 3616 4152 llrlrlr.exe 103 PID 3616 wrote to memory of 4104 3616 jpppj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0.exe"C:\Users\Admin\AppData\Local\Temp\b4ecd8c4a3e1957f154ac9a61b245f351fdd26a1a02698e5be8edd9caff098d0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\tntnbt.exec:\tntnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\vppjj.exec:\vppjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\llxrrxx.exec:\llxrrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\fflffff.exec:\fflffff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\hhhhbb.exec:\hhhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\bbbbtt.exec:\bbbbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\fllflrx.exec:\fllflrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\7ntnhh.exec:\7ntnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\djvpj.exec:\djvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\jppjd.exec:\jppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\hbbttn.exec:\hbbttn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\djjdd.exec:\djjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\xlxlxfl.exec:\xlxlxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\bbhbtn.exec:\bbhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\dvddj.exec:\dvddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\rlrlfff.exec:\rlrlfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\nthnbh.exec:\nthnbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xfrxffx.exec:\xfrxffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\dvdvj.exec:\dvdvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\llrlrlr.exec:\llrlrlr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\jpppj.exec:\jpppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\frxlfrl.exec:\frxlfrl.exe23⤵
- Executes dropped EXE
PID:4104 -
\??\c:\dvpjv.exec:\dvpjv.exe24⤵
- Executes dropped EXE
PID:4756 -
\??\c:\5btnhb.exec:\5btnhb.exe25⤵
- Executes dropped EXE
PID:4264 -
\??\c:\7xrlxxr.exec:\7xrlxxr.exe26⤵
- Executes dropped EXE
PID:2188 -
\??\c:\pjvpj.exec:\pjvpj.exe27⤵
- Executes dropped EXE
PID:1924 -
\??\c:\3nnhbt.exec:\3nnhbt.exe28⤵
- Executes dropped EXE
PID:708 -
\??\c:\5hhthh.exec:\5hhthh.exe29⤵
- Executes dropped EXE
PID:3316 -
\??\c:\hbhbbb.exec:\hbhbbb.exe30⤵
- Executes dropped EXE
PID:4844 -
\??\c:\bntnhn.exec:\bntnhn.exe31⤵
- Executes dropped EXE
PID:3128 -
\??\c:\pvdpj.exec:\pvdpj.exe32⤵
- Executes dropped EXE
PID:2840 -
\??\c:\1bhbtt.exec:\1bhbtt.exe33⤵
- Executes dropped EXE
PID:1444 -
\??\c:\vjvjj.exec:\vjvjj.exe34⤵
- Executes dropped EXE
PID:976 -
\??\c:\xllxrlx.exec:\xllxrlx.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:848 -
\??\c:\tnnhbb.exec:\tnnhbb.exe36⤵
- Executes dropped EXE
PID:2912 -
\??\c:\pjjjd.exec:\pjjjd.exe37⤵
- Executes dropped EXE
PID:2056 -
\??\c:\xllffxr.exec:\xllffxr.exe38⤵
- Executes dropped EXE
PID:4444 -
\??\c:\xrrfxxr.exec:\xrrfxxr.exe39⤵
- Executes dropped EXE
PID:2516 -
\??\c:\9bthtb.exec:\9bthtb.exe40⤵
- Executes dropped EXE
PID:2120 -
\??\c:\vjddv.exec:\vjddv.exe41⤵
- Executes dropped EXE
PID:4848 -
\??\c:\xlfrrrf.exec:\xlfrrrf.exe42⤵
- Executes dropped EXE
PID:1192 -
\??\c:\lrlrlll.exec:\lrlrlll.exe43⤵
- Executes dropped EXE
PID:2696 -
\??\c:\dvvpp.exec:\dvvpp.exe44⤵
- Executes dropped EXE
PID:824 -
\??\c:\pvjdv.exec:\pvjdv.exe45⤵
- Executes dropped EXE
PID:3788 -
\??\c:\fxrlrlr.exec:\fxrlrlr.exe46⤵
- Executes dropped EXE
PID:1520 -
\??\c:\tttnhh.exec:\tttnhh.exe47⤵
- Executes dropped EXE
PID:2288 -
\??\c:\vpjjd.exec:\vpjjd.exe48⤵
- Executes dropped EXE
PID:4344 -
\??\c:\jvvpj.exec:\jvvpj.exe49⤵
- Executes dropped EXE
PID:4348 -
\??\c:\rxlfffx.exec:\rxlfffx.exe50⤵
- Executes dropped EXE
PID:4952 -
\??\c:\nbnbtn.exec:\nbnbtn.exe51⤵
- Executes dropped EXE
PID:1956 -
\??\c:\5vvpv.exec:\5vvpv.exe52⤵
- Executes dropped EXE
PID:5020 -
\??\c:\xxrllll.exec:\xxrllll.exe53⤵
- Executes dropped EXE
PID:3732 -
\??\c:\tttnbb.exec:\tttnbb.exe54⤵
- Executes dropped EXE
PID:4996 -
\??\c:\9ntnbh.exec:\9ntnbh.exe55⤵
- Executes dropped EXE
PID:4976 -
\??\c:\jdvpj.exec:\jdvpj.exe56⤵
- Executes dropped EXE
PID:2624 -
\??\c:\9lffxfx.exec:\9lffxfx.exe57⤵
- Executes dropped EXE
PID:3716 -
\??\c:\9hhbtb.exec:\9hhbtb.exe58⤵
- Executes dropped EXE
PID:3584 -
\??\c:\vvpjd.exec:\vvpjd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3188 -
\??\c:\9vvpj.exec:\9vvpj.exe60⤵
- Executes dropped EXE
PID:1368 -
\??\c:\frrfrrl.exec:\frrfrrl.exe61⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ntttnn.exec:\ntttnn.exe62⤵
- Executes dropped EXE
PID:2140 -
\??\c:\jvvpj.exec:\jvvpj.exe63⤵
- Executes dropped EXE
PID:640 -
\??\c:\9frlllf.exec:\9frlllf.exe64⤵
- Executes dropped EXE
PID:3612 -
\??\c:\dvppj.exec:\dvppj.exe65⤵
- Executes dropped EXE
PID:1044 -
\??\c:\rlrxxxr.exec:\rlrxxxr.exe66⤵PID:2020
-
\??\c:\xllfxxr.exec:\xllfxxr.exe67⤵PID:2736
-
\??\c:\hhnhhh.exec:\hhnhhh.exe68⤵PID:5100
-
\??\c:\vpvpj.exec:\vpvpj.exe69⤵PID:1256
-
\??\c:\xrxrllf.exec:\xrxrllf.exe70⤵PID:4132
-
\??\c:\tnnhhb.exec:\tnnhhb.exe71⤵PID:2460
-
\??\c:\7dddj.exec:\7dddj.exe72⤵PID:672
-
\??\c:\vdjdp.exec:\vdjdp.exe73⤵PID:2692
-
\??\c:\lflfrlx.exec:\lflfrlx.exe74⤵
- System Location Discovery: System Language Discovery
PID:4816 -
\??\c:\bhnbnn.exec:\bhnbnn.exe75⤵PID:4556
-
\??\c:\btnnhb.exec:\btnnhb.exe76⤵PID:3052
-
\??\c:\dpdvp.exec:\dpdvp.exe77⤵
- System Location Discovery: System Language Discovery
PID:3888 -
\??\c:\rlxxffl.exec:\rlxxffl.exe78⤵PID:704
-
\??\c:\hbtttt.exec:\hbtttt.exe79⤵PID:3896
-
\??\c:\pjjvp.exec:\pjjvp.exe80⤵PID:4564
-
\??\c:\xxfrlll.exec:\xxfrlll.exe81⤵PID:2440
-
\??\c:\hhhttt.exec:\hhhttt.exe82⤵PID:4104
-
\??\c:\jpvpd.exec:\jpvpd.exe83⤵PID:4224
-
\??\c:\xlfrflr.exec:\xlfrflr.exe84⤵PID:2532
-
\??\c:\btbtnn.exec:\btbtnn.exe85⤵PID:2968
-
\??\c:\ttttbt.exec:\ttttbt.exe86⤵PID:736
-
\??\c:\ppdvd.exec:\ppdvd.exe87⤵PID:3020
-
\??\c:\9lfxrrl.exec:\9lfxrrl.exe88⤵PID:3248
-
\??\c:\nnnhbb.exec:\nnnhbb.exe89⤵PID:3144
-
\??\c:\hbbthh.exec:\hbbthh.exe90⤵PID:4372
-
\??\c:\jjpjd.exec:\jjpjd.exe91⤵PID:984
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe92⤵PID:4964
-
\??\c:\thnhbh.exec:\thnhbh.exe93⤵PID:1752
-
\??\c:\3hhbtt.exec:\3hhbtt.exe94⤵PID:4020
-
\??\c:\1pjdp.exec:\1pjdp.exe95⤵
- System Location Discovery: System Language Discovery
PID:208 -
\??\c:\rrfxrrx.exec:\rrfxrrx.exe96⤵PID:1844
-
\??\c:\thbbtt.exec:\thbbtt.exe97⤵PID:756
-
\??\c:\7djdd.exec:\7djdd.exe98⤵PID:2060
-
\??\c:\dvpjd.exec:\dvpjd.exe99⤵PID:3680
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe100⤵PID:4676
-
\??\c:\1tbtnn.exec:\1tbtnn.exe101⤵PID:3624
-
\??\c:\bntnnh.exec:\bntnnh.exe102⤵PID:2200
-
\??\c:\vpvvv.exec:\vpvvv.exe103⤵PID:4696
-
\??\c:\lffrlxl.exec:\lffrlxl.exe104⤵PID:1488
-
\??\c:\5thbtt.exec:\5thbtt.exe105⤵PID:5112
-
\??\c:\djvpd.exec:\djvpd.exe106⤵PID:3272
-
\??\c:\fflllrx.exec:\fflllrx.exe107⤵PID:1840
-
\??\c:\btbtnt.exec:\btbtnt.exe108⤵PID:2308
-
\??\c:\ntbbnn.exec:\ntbbnn.exe109⤵PID:5096
-
\??\c:\jddpd.exec:\jddpd.exe110⤵PID:4396
-
\??\c:\rxrrlrx.exec:\rxrrlrx.exe111⤵PID:1784
-
\??\c:\btttnb.exec:\btttnb.exe112⤵PID:3312
-
\??\c:\jdpdp.exec:\jdpdp.exe113⤵PID:3848
-
\??\c:\xrlrlrl.exec:\xrlrlrl.exe114⤵PID:4796
-
\??\c:\7llffxx.exec:\7llffxx.exe115⤵PID:2204
-
\??\c:\5bbbnn.exec:\5bbbnn.exe116⤵PID:3900
-
\??\c:\dddvp.exec:\dddvp.exe117⤵PID:1504
-
\??\c:\fxxrffx.exec:\fxxrffx.exe118⤵PID:2536
-
\??\c:\nhbtbb.exec:\nhbtbb.exe119⤵PID:3548
-
\??\c:\tbhbnt.exec:\tbhbnt.exe120⤵PID:3164
-
\??\c:\djddv.exec:\djddv.exe121⤵PID:980
-
\??\c:\5pvpv.exec:\5pvpv.exe122⤵PID:4024