Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 21:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
-
Size
453KB
-
MD5
69d35afa0f8e66aef8d7de5d121e1f01
-
SHA1
95e2f0d62cf580a004e4458935e3469c434804ca
-
SHA256
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f
-
SHA512
bd7861a3164dd892c9fd23457e68ef7418582f6965587998e32019b3f315cc070b2a82def4d75fa2d69cdce119263089e368198de920f08e957d6d2894eeca2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetn:q7Tc2NYHUrAwfMp3CDtn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1760-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/68-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4532-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4392-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1104-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4940 9dddv.exe 3248 thnbbn.exe 4068 frlffrr.exe 4136 tbhbtt.exe 1092 xrlxlxf.exe 3904 9lffxxx.exe 68 bbtnhn.exe 4472 hhnbbh.exe 1180 djvpj.exe 1292 xlxrxxx.exe 1820 pjdvp.exe 1344 bttnhh.exe 3124 vjpjd.exe 4020 vjpvv.exe 3732 vddvj.exe 4380 xxrlfll.exe 1972 nhbbnn.exe 3624 rflxrlf.exe 3832 nbhnbh.exe 1244 jvdvj.exe 1464 thhbtn.exe 4824 7jpdj.exe 4088 9lxlfrl.exe 4660 hntnhh.exe 4116 dppjj.exe 4532 bbtnhb.exe 2176 1pjvv.exe 3224 bttnhb.exe 5068 vdvjd.exe 3540 rllffxx.exe 1996 jpjdv.exe 3756 xrxrxrl.exe 1764 5tttnb.exe 3024 1lllxxl.exe 412 frrrlll.exe 4428 jdjdv.exe 2728 lfrllrl.exe 264 xlfffxf.exe 2168 ntttnh.exe 2428 dppdv.exe 3436 xllfxxr.exe 1824 rlxlxfl.exe 2440 9tnnhn.exe 4984 pddvp.exe 2388 xlxrlll.exe 3500 bhnhht.exe 2544 jdjjd.exe 4044 xlllffx.exe 3152 nhttbb.exe 4760 5jpjd.exe 4816 frfrxrf.exe 4084 5hhbtt.exe 4888 5ppjd.exe 2932 pppdv.exe 3616 fxllfxx.exe 2504 3nnnhh.exe 3104 djvpp.exe 1636 rffxlfx.exe 3480 ffrxrrl.exe 1292 tbtnhh.exe 1820 hbbbnh.exe 2512 1jjdv.exe 4392 rrrfxrl.exe 5040 bbbtnh.exe -
resource yara_rule behavioral2/memory/1760-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/68-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2176-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4348-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-597-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a low-confidence indicator, since many benign programs read the same NLS registry key.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 4940 1760 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 82 PID 1760 wrote to memory of 4940 1760 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 82 PID 1760 wrote to memory of 4940 1760 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 82 PID 4940 wrote to memory of 3248 4940 9dddv.exe 83 PID 4940 wrote to memory of 3248 4940 9dddv.exe 83 PID 4940 wrote to memory of 3248 4940 9dddv.exe 83 PID 3248 wrote to memory of 4068 3248 thnbbn.exe 84 PID 3248 wrote to memory of 4068 3248 thnbbn.exe 84 PID 3248 wrote to memory of 4068 3248 thnbbn.exe 84 PID 4068 wrote to memory of 4136 4068 frlffrr.exe 85 PID 4068 wrote to memory of 4136 4068 frlffrr.exe 85 PID 4068 wrote to memory of 4136 4068 frlffrr.exe 85 PID 4136 wrote to memory of 1092 4136 tbhbtt.exe 86 PID 4136 wrote to memory of 1092 4136 tbhbtt.exe 86 PID 4136 wrote to memory of 1092 4136 tbhbtt.exe 86 PID 1092 wrote to memory of 3904 1092 xrlxlxf.exe 87 PID 1092 wrote to memory of 3904 1092 xrlxlxf.exe 87 PID 1092 wrote to memory of 3904 1092 xrlxlxf.exe 87 PID 3904 wrote to memory of 68 3904 9lffxxx.exe 88 PID 3904 wrote to memory of 68 3904 9lffxxx.exe 88 PID 3904 wrote to memory of 68 3904 9lffxxx.exe 88 PID 68 wrote to memory of 4472 68 bbtnhn.exe 89 PID 68 wrote to memory of 4472 68 bbtnhn.exe 89 PID 68 wrote to memory of 4472 68 bbtnhn.exe 89 PID 4472 wrote to memory of 1180 4472 hhnbbh.exe 90 PID 4472 wrote to memory of 1180 4472 hhnbbh.exe 90 PID 4472 wrote to memory of 1180 4472 hhnbbh.exe 90 PID 1180 wrote to memory of 1292 1180 djvpj.exe 91 PID 1180 wrote to memory of 1292 1180 djvpj.exe 91 PID 1180 wrote to memory of 1292 1180 djvpj.exe 91 PID 1292 wrote to memory of 1820 1292 xlxrxxx.exe 92 PID 1292 wrote to memory of 1820 1292 xlxrxxx.exe 92 PID 1292 wrote to memory of 1820 1292 xlxrxxx.exe 92 PID 1820 wrote to memory of 1344 1820 pjdvp.exe 93 PID 1820 wrote to memory of 1344 
1820 pjdvp.exe 93 PID 1820 wrote to memory of 1344 1820 pjdvp.exe 93 PID 1344 wrote to memory of 3124 1344 bttnhh.exe 94 PID 1344 wrote to memory of 3124 1344 bttnhh.exe 94 PID 1344 wrote to memory of 3124 1344 bttnhh.exe 94 PID 3124 wrote to memory of 4020 3124 vjpjd.exe 95 PID 3124 wrote to memory of 4020 3124 vjpjd.exe 95 PID 3124 wrote to memory of 4020 3124 vjpjd.exe 95 PID 4020 wrote to memory of 3732 4020 vjpvv.exe 96 PID 4020 wrote to memory of 3732 4020 vjpvv.exe 96 PID 4020 wrote to memory of 3732 4020 vjpvv.exe 96 PID 3732 wrote to memory of 4380 3732 vddvj.exe 97 PID 3732 wrote to memory of 4380 3732 vddvj.exe 97 PID 3732 wrote to memory of 4380 3732 vddvj.exe 97 PID 4380 wrote to memory of 1972 4380 xxrlfll.exe 98 PID 4380 wrote to memory of 1972 4380 xxrlfll.exe 98 PID 4380 wrote to memory of 1972 4380 xxrlfll.exe 98 PID 1972 wrote to memory of 3624 1972 nhbbnn.exe 99 PID 1972 wrote to memory of 3624 1972 nhbbnn.exe 99 PID 1972 wrote to memory of 3624 1972 nhbbnn.exe 99 PID 3624 wrote to memory of 3832 3624 rflxrlf.exe 100 PID 3624 wrote to memory of 3832 3624 rflxrlf.exe 100 PID 3624 wrote to memory of 3832 3624 rflxrlf.exe 100 PID 3832 wrote to memory of 1244 3832 nbhnbh.exe 101 PID 3832 wrote to memory of 1244 3832 nbhnbh.exe 101 PID 3832 wrote to memory of 1244 3832 nbhnbh.exe 101 PID 1244 wrote to memory of 1464 1244 jvdvj.exe 102 PID 1244 wrote to memory of 1464 1244 jvdvj.exe 102 PID 1244 wrote to memory of 1464 1244 jvdvj.exe 102 PID 1464 wrote to memory of 4824 1464 thhbtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\9dddv.exec:\9dddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\thnbbn.exec:\thnbbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\frlffrr.exec:\frlffrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\tbhbtt.exec:\tbhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\xrlxlxf.exec:\xrlxlxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\9lffxxx.exec:\9lffxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\bbtnhn.exec:\bbtnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:68 -
\??\c:\hhnbbh.exec:\hhnbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\djvpj.exec:\djvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\xlxrxxx.exec:\xlxrxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\pjdvp.exec:\pjdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\bttnhh.exec:\bttnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\vjpjd.exec:\vjpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\vjpvv.exec:\vjpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\vddvj.exec:\vddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\xxrlfll.exec:\xxrlfll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\nhbbnn.exec:\nhbbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\rflxrlf.exec:\rflxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\nbhnbh.exec:\nbhnbh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\jvdvj.exec:\jvdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\thhbtn.exec:\thhbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\7jpdj.exec:\7jpdj.exe23⤵
- Executes dropped EXE
PID:4824 -
\??\c:\9lxlfrl.exec:\9lxlfrl.exe24⤵
- Executes dropped EXE
PID:4088 -
\??\c:\hntnhh.exec:\hntnhh.exe25⤵
- Executes dropped EXE
PID:4660 -
\??\c:\dppjj.exec:\dppjj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4116 -
\??\c:\bbtnhb.exec:\bbtnhb.exe27⤵
- Executes dropped EXE
PID:4532 -
\??\c:\1pjvv.exec:\1pjvv.exe28⤵
- Executes dropped EXE
PID:2176 -
\??\c:\bttnhb.exec:\bttnhb.exe29⤵
- Executes dropped EXE
PID:3224 -
\??\c:\vdvjd.exec:\vdvjd.exe30⤵
- Executes dropped EXE
PID:5068 -
\??\c:\rllffxx.exec:\rllffxx.exe31⤵
- Executes dropped EXE
PID:3540 -
\??\c:\jpjdv.exec:\jpjdv.exe32⤵
- Executes dropped EXE
PID:1996 -
\??\c:\xrxrxrl.exec:\xrxrxrl.exe33⤵
- Executes dropped EXE
PID:3756 -
\??\c:\5tttnb.exec:\5tttnb.exe34⤵
- Executes dropped EXE
PID:1764 -
\??\c:\1lllxxl.exec:\1lllxxl.exe35⤵
- Executes dropped EXE
PID:3024 -
\??\c:\frrrlll.exec:\frrrlll.exe36⤵
- Executes dropped EXE
PID:412 -
\??\c:\jdjdv.exec:\jdjdv.exe37⤵
- Executes dropped EXE
PID:4428 -
\??\c:\lfrllrl.exec:\lfrllrl.exe38⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xlfffxf.exec:\xlfffxf.exe39⤵
- Executes dropped EXE
PID:264 -
\??\c:\ntttnh.exec:\ntttnh.exe40⤵
- Executes dropped EXE
PID:2168 -
\??\c:\dppdv.exec:\dppdv.exe41⤵
- Executes dropped EXE
PID:2428 -
\??\c:\xllfxxr.exec:\xllfxxr.exe42⤵
- Executes dropped EXE
PID:3436 -
\??\c:\rlxlxfl.exec:\rlxlxfl.exe43⤵
- Executes dropped EXE
PID:1824 -
\??\c:\9tnnhn.exec:\9tnnhn.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\pddvp.exec:\pddvp.exe45⤵
- Executes dropped EXE
PID:4984 -
\??\c:\xlxrlll.exec:\xlxrlll.exe46⤵
- Executes dropped EXE
PID:2388 -
\??\c:\bhnhht.exec:\bhnhht.exe47⤵
- Executes dropped EXE
PID:3500 -
\??\c:\jdjjd.exec:\jdjjd.exe48⤵
- Executes dropped EXE
PID:2544 -
\??\c:\xlllffx.exec:\xlllffx.exe49⤵
- Executes dropped EXE
PID:4044 -
\??\c:\nhttbb.exec:\nhttbb.exe50⤵
- Executes dropped EXE
PID:3152 -
\??\c:\5jpjd.exec:\5jpjd.exe51⤵
- Executes dropped EXE
PID:4760 -
\??\c:\frfrxrf.exec:\frfrxrf.exe52⤵
- Executes dropped EXE
PID:4816 -
\??\c:\5hhbtt.exec:\5hhbtt.exe53⤵
- Executes dropped EXE
PID:4084 -
\??\c:\5ppjd.exec:\5ppjd.exe54⤵
- Executes dropped EXE
PID:4888 -
\??\c:\pppdv.exec:\pppdv.exe55⤵
- Executes dropped EXE
PID:2932 -
\??\c:\fxllfxx.exec:\fxllfxx.exe56⤵
- Executes dropped EXE
PID:3616 -
\??\c:\3nnnhh.exec:\3nnnhh.exe57⤵
- Executes dropped EXE
PID:2504 -
\??\c:\djvpp.exec:\djvpp.exe58⤵
- Executes dropped EXE
PID:3104 -
\??\c:\rffxlfx.exec:\rffxlfx.exe59⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ffrxrrl.exec:\ffrxrrl.exe60⤵
- Executes dropped EXE
PID:3480 -
\??\c:\tbtnhh.exec:\tbtnhh.exe61⤵
- Executes dropped EXE
PID:1292 -
\??\c:\hbbbnh.exec:\hbbbnh.exe62⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1jjdv.exec:\1jjdv.exe63⤵
- Executes dropped EXE
PID:2512 -
\??\c:\rrrfxrl.exec:\rrrfxrl.exe64⤵
- Executes dropped EXE
PID:4392 -
\??\c:\bbbtnh.exec:\bbbtnh.exe65⤵
- Executes dropped EXE
PID:5040 -
\??\c:\3jdvp.exec:\3jdvp.exe66⤵PID:3124
-
\??\c:\lrxrlll.exec:\lrxrlll.exe67⤵PID:4580
-
\??\c:\nbnhbh.exec:\nbnhbh.exe68⤵PID:2372
-
\??\c:\djpjj.exec:\djpjj.exe69⤵PID:4348
-
\??\c:\jvdvp.exec:\jvdvp.exe70⤵PID:4684
-
\??\c:\3xrfxrl.exec:\3xrfxrl.exe71⤵PID:456
-
\??\c:\1hhhbh.exec:\1hhhbh.exe72⤵PID:516
-
\??\c:\pddpp.exec:\pddpp.exe73⤵PID:208
-
\??\c:\vdvjp.exec:\vdvjp.exe74⤵PID:4956
-
\??\c:\hhthht.exec:\hhthht.exe75⤵PID:1148
-
\??\c:\thbthh.exec:\thbthh.exe76⤵PID:1540
-
\??\c:\vjpdv.exec:\vjpdv.exe77⤵PID:1632
-
\??\c:\xflrrfl.exec:\xflrrfl.exe78⤵PID:1448
-
\??\c:\1ttnhh.exec:\1ttnhh.exe79⤵PID:4572
-
\??\c:\dvpjj.exec:\dvpjj.exe80⤵PID:3672
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe81⤵PID:636
-
\??\c:\bhnhbt.exec:\bhnhbt.exe82⤵PID:2620
-
\??\c:\jdvpj.exec:\jdvpj.exe83⤵PID:2764
-
\??\c:\pdjdv.exec:\pdjdv.exe84⤵PID:4372
-
\??\c:\xrfrlfr.exec:\xrfrlfr.exe85⤵PID:2868
-
\??\c:\nbhbtt.exec:\nbhbtt.exe86⤵PID:4532
-
\??\c:\pvvpj.exec:\pvvpj.exe87⤵PID:2812
-
\??\c:\flfrlfx.exec:\flfrlfx.exe88⤵PID:2824
-
\??\c:\7xlfxfl.exec:\7xlfxfl.exe89⤵PID:2176
-
\??\c:\5thttt.exec:\5thttt.exe90⤵PID:4708
-
\??\c:\ppvpp.exec:\ppvpp.exe91⤵PID:696
-
\??\c:\lffrflf.exec:\lffrflf.exe92⤵PID:4484
-
\??\c:\hhhnnh.exec:\hhhnnh.exe93⤵PID:3060
-
\??\c:\dddvp.exec:\dddvp.exe94⤵PID:1332
-
\??\c:\lffllfx.exec:\lffllfx.exe95⤵PID:3232
-
\??\c:\rxlfffx.exec:\rxlfffx.exe96⤵PID:376
-
\??\c:\hhthbt.exec:\hhthbt.exe97⤵PID:1976
-
\??\c:\dvjjj.exec:\dvjjj.exe98⤵PID:2180
-
\??\c:\lllllfx.exec:\lllllfx.exe99⤵PID:5056
-
\??\c:\xrflxrf.exec:\xrflxrf.exe100⤵PID:2896
-
\??\c:\thhbbt.exec:\thhbbt.exe101⤵PID:2836
-
\??\c:\vppjd.exec:\vppjd.exe102⤵PID:3392
-
\??\c:\jpdvp.exec:\jpdvp.exe103⤵PID:1492
-
\??\c:\3xfrffx.exec:\3xfrffx.exe104⤵PID:4340
-
\??\c:\nhhbbb.exec:\nhhbbb.exe105⤵PID:2492
-
\??\c:\pvjpv.exec:\pvjpv.exe106⤵PID:4336
-
\??\c:\7xrlrrl.exec:\7xrlrrl.exe107⤵PID:2668
-
\??\c:\xllfrrl.exec:\xllfrrl.exe108⤵PID:1824
-
\??\c:\ntthbb.exec:\ntthbb.exe109⤵PID:2340
-
\??\c:\vddpd.exec:\vddpd.exe110⤵PID:1868
-
\??\c:\ffflflf.exec:\ffflflf.exe111⤵PID:1436
-
\??\c:\bnhbnh.exec:\bnhbnh.exe112⤵PID:3508
-
\??\c:\7dpjd.exec:\7dpjd.exe113⤵PID:5072
-
\??\c:\7rxxffl.exec:\7rxxffl.exe114⤵PID:4712
-
\??\c:\tththb.exec:\tththb.exe115⤵PID:2840
-
\??\c:\dpvpj.exec:\dpvpj.exe116⤵PID:4044
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe117⤵PID:3640
-
\??\c:\5lfxrlr.exec:\5lfxrlr.exe118⤵PID:3596
-
\??\c:\9bttnt.exec:\9bttnt.exe119⤵PID:3904
-
\??\c:\pvdpv.exec:\pvdpv.exe120⤵PID:4084
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe121⤵PID:3972
-
\??\c:\bnnhnh.exec:\bnnhnh.exe122⤵PID:2196