Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:37
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14.exe
-
Size
453KB
-
MD5
f7c7677aea13b955ac9b92850c70e7ea
-
SHA1
d93dc45442005380b4747915175509277dd4ce2a
-
SHA256
40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14
-
SHA512
135bc00ac2d6e20757cd8981d64877124c4ff798a96e60c025603af8b0f9c62eec5cd5a23e596aa1d8c4fffc91fa881919b48d9b6fe108a67d3cbd8527cebb96
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4864-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4012-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3452-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-990-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1624-1203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 636 vjjdd.exe 4828 3rxlxrl.exe 3084 1bbbnn.exe 4808 3bbthh.exe 2300 jvvpj.exe 2152 9fxfxrf.exe 3496 thnnhh.exe 2876 vpdpj.exe 3960 9rxlrlr.exe 624 djpjj.exe 4832 lrxrffx.exe 1352 vjdpd.exe 3028 tttbbb.exe 1336 lllflfx.exe 4176 xllfxxf.exe 2408 btbttb.exe 1456 pdvvp.exe 692 xllrfxr.exe 1012 dvddd.exe 3552 nbnbnn.exe 3636 lfrxrxr.exe 4168 dpvjd.exe 2208 hbbnhb.exe 4012 dpdpv.exe 4220 jvddd.exe 2544 pjjjd.exe 1620 flllfrl.exe 392 3bbtnn.exe 3676 jddvv.exe 3448 lrxxrrl.exe 4596 dvdvv.exe 3336 3nnnhb.exe 4356 5rrlflf.exe 4944 bnnhbt.exe 908 jjvpv.exe 3076 frrlfxr.exe 3312 ntnnnh.exe 3864 btbhbh.exe 2840 jvdpd.exe 1684 3llfxrl.exe 1616 3btttt.exe 4228 jdppp.exe 4600 rfxlfff.exe 768 1jvpd.exe 1636 rllxrff.exe 2360 5bhhbb.exe 1936 tnnhbt.exe 2476 1vvjd.exe 4808 lxfxxxr.exe 2300 btnhtt.exe 5016 vdvjd.exe 3872 pvdvv.exe 4248 9xrlffx.exe 4340 5jjvj.exe 2096 llxrxxx.exe 3724 rlrlfxr.exe 5068 nbbtnn.exe 512 jjjdv.exe 624 rlrlxxr.exe 2896 hbnbtn.exe 2424 jjppv.exe 4172 rlrlrrx.exe 3956 nbhbbt.exe 1336 jdjdv.exe -
resource yara_rule behavioral2/memory/4864-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4220-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4332-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-754-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here, by opening the NLS\Language registry key).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpp.exe -
Suspicious use of WriteProcessMemory 64 IoCs (note: PIDs are reused within this run — e.g. 2300, 4808 and 624 each appear twice in the process tree below — so PID-keyed IoCs must be read together with their position in the chain)
description pid Process procid_target PID 4864 wrote to memory of 636 4864 40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14.exe 82 PID 4864 wrote to memory of 636 4864 40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14.exe 82 PID 4864 wrote to memory of 636 4864 40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14.exe 82 PID 636 wrote to memory of 4828 636 vjjdd.exe 83 PID 636 wrote to memory of 4828 636 vjjdd.exe 83 PID 636 wrote to memory of 4828 636 vjjdd.exe 83 PID 4828 wrote to memory of 3084 4828 3rxlxrl.exe 84 PID 4828 wrote to memory of 3084 4828 3rxlxrl.exe 84 PID 4828 wrote to memory of 3084 4828 3rxlxrl.exe 84 PID 3084 wrote to memory of 4808 3084 1bbbnn.exe 85 PID 3084 wrote to memory of 4808 3084 1bbbnn.exe 85 PID 3084 wrote to memory of 4808 3084 1bbbnn.exe 85 PID 4808 wrote to memory of 2300 4808 3bbthh.exe 86 PID 4808 wrote to memory of 2300 4808 3bbthh.exe 86 PID 4808 wrote to memory of 2300 4808 3bbthh.exe 86 PID 2300 wrote to memory of 2152 2300 jvvpj.exe 87 PID 2300 wrote to memory of 2152 2300 jvvpj.exe 87 PID 2300 wrote to memory of 2152 2300 jvvpj.exe 87 PID 2152 wrote to memory of 3496 2152 9fxfxrf.exe 88 PID 2152 wrote to memory of 3496 2152 9fxfxrf.exe 88 PID 2152 wrote to memory of 3496 2152 9fxfxrf.exe 88 PID 3496 wrote to memory of 2876 3496 thnnhh.exe 89 PID 3496 wrote to memory of 2876 3496 thnnhh.exe 89 PID 3496 wrote to memory of 2876 3496 thnnhh.exe 89 PID 2876 wrote to memory of 3960 2876 vpdpj.exe 90 PID 2876 wrote to memory of 3960 2876 vpdpj.exe 90 PID 2876 wrote to memory of 3960 2876 vpdpj.exe 90 PID 3960 wrote to memory of 624 3960 9rxlrlr.exe 91 PID 3960 wrote to memory of 624 3960 9rxlrlr.exe 91 PID 3960 wrote to memory of 624 3960 9rxlrlr.exe 91 PID 624 wrote to memory of 4832 624 djpjj.exe 92 PID 624 wrote to memory of 4832 624 djpjj.exe 92 PID 624 wrote to memory of 4832 624 djpjj.exe 92 PID 4832 wrote to memory of 1352 4832 lrxrffx.exe 93 PID 4832 wrote to memory of 1352 4832 
lrxrffx.exe 93 PID 4832 wrote to memory of 1352 4832 lrxrffx.exe 93 PID 1352 wrote to memory of 3028 1352 vjdpd.exe 94 PID 1352 wrote to memory of 3028 1352 vjdpd.exe 94 PID 1352 wrote to memory of 3028 1352 vjdpd.exe 94 PID 3028 wrote to memory of 1336 3028 tttbbb.exe 95 PID 3028 wrote to memory of 1336 3028 tttbbb.exe 95 PID 3028 wrote to memory of 1336 3028 tttbbb.exe 95 PID 1336 wrote to memory of 4176 1336 lllflfx.exe 96 PID 1336 wrote to memory of 4176 1336 lllflfx.exe 96 PID 1336 wrote to memory of 4176 1336 lllflfx.exe 96 PID 4176 wrote to memory of 2408 4176 xllfxxf.exe 97 PID 4176 wrote to memory of 2408 4176 xllfxxf.exe 97 PID 4176 wrote to memory of 2408 4176 xllfxxf.exe 97 PID 2408 wrote to memory of 1456 2408 btbttb.exe 98 PID 2408 wrote to memory of 1456 2408 btbttb.exe 98 PID 2408 wrote to memory of 1456 2408 btbttb.exe 98 PID 1456 wrote to memory of 692 1456 pdvvp.exe 99 PID 1456 wrote to memory of 692 1456 pdvvp.exe 99 PID 1456 wrote to memory of 692 1456 pdvvp.exe 99 PID 692 wrote to memory of 1012 692 xllrfxr.exe 100 PID 692 wrote to memory of 1012 692 xllrfxr.exe 100 PID 692 wrote to memory of 1012 692 xllrfxr.exe 100 PID 1012 wrote to memory of 3552 1012 dvddd.exe 101 PID 1012 wrote to memory of 3552 1012 dvddd.exe 101 PID 1012 wrote to memory of 3552 1012 dvddd.exe 101 PID 3552 wrote to memory of 3636 3552 nbnbnn.exe 102 PID 3552 wrote to memory of 3636 3552 nbnbnn.exe 102 PID 3552 wrote to memory of 3636 3552 nbnbnn.exe 102 PID 3636 wrote to memory of 4168 3636 lfrxrxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14.exe"C:\Users\Admin\AppData\Local\Temp\40b1539773c07e50d55df097e1c2aa555aad8501d1252ec88ecc55fef2afcb14.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\vjjdd.exec:\vjjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\3rxlxrl.exec:\3rxlxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\1bbbnn.exec:\1bbbnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\3bbthh.exec:\3bbthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\jvvpj.exec:\jvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\9fxfxrf.exec:\9fxfxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\thnnhh.exec:\thnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\vpdpj.exec:\vpdpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\9rxlrlr.exec:\9rxlrlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\djpjj.exec:\djpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\lrxrffx.exec:\lrxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\vjdpd.exec:\vjdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\tttbbb.exec:\tttbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\lllflfx.exec:\lllflfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\xllfxxf.exec:\xllfxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\btbttb.exec:\btbttb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\pdvvp.exec:\pdvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\xllrfxr.exec:\xllrfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\dvddd.exec:\dvddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\nbnbnn.exec:\nbnbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\lfrxrxr.exec:\lfrxrxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\dpvjd.exec:\dpvjd.exe23⤵
- Executes dropped EXE
PID:4168 -
\??\c:\hbbnhb.exec:\hbbnhb.exe24⤵
- Executes dropped EXE
PID:2208 -
\??\c:\dpdpv.exec:\dpdpv.exe25⤵
- Executes dropped EXE
PID:4012 -
\??\c:\jvddd.exec:\jvddd.exe26⤵
- Executes dropped EXE
PID:4220 -
\??\c:\pjjjd.exec:\pjjjd.exe27⤵
- Executes dropped EXE
PID:2544 -
\??\c:\flllfrl.exec:\flllfrl.exe28⤵
- Executes dropped EXE
PID:1620 -
\??\c:\3bbtnn.exec:\3bbtnn.exe29⤵
- Executes dropped EXE
PID:392 -
\??\c:\jddvv.exec:\jddvv.exe30⤵
- Executes dropped EXE
PID:3676 -
\??\c:\lrxxrrl.exec:\lrxxrrl.exe31⤵
- Executes dropped EXE
PID:3448 -
\??\c:\dvdvv.exec:\dvdvv.exe32⤵
- Executes dropped EXE
PID:4596 -
\??\c:\3nnnhb.exec:\3nnnhb.exe33⤵
- Executes dropped EXE
PID:3336 -
\??\c:\5rrlflf.exec:\5rrlflf.exe34⤵
- Executes dropped EXE
PID:4356 -
\??\c:\bnnhbt.exec:\bnnhbt.exe35⤵
- Executes dropped EXE
PID:4944 -
\??\c:\jjvpv.exec:\jjvpv.exe36⤵
- Executes dropped EXE
PID:908 -
\??\c:\frrlfxr.exec:\frrlfxr.exe37⤵
- Executes dropped EXE
PID:3076 -
\??\c:\ntnnnh.exec:\ntnnnh.exe38⤵
- Executes dropped EXE
PID:3312 -
\??\c:\btbhbh.exec:\btbhbh.exe39⤵
- Executes dropped EXE
PID:3864 -
\??\c:\jvdpd.exec:\jvdpd.exe40⤵
- Executes dropped EXE
PID:2840 -
\??\c:\3llfxrl.exec:\3llfxrl.exe41⤵
- Executes dropped EXE
PID:1684 -
\??\c:\3btttt.exec:\3btttt.exe42⤵
- Executes dropped EXE
PID:1616 -
\??\c:\jdppp.exec:\jdppp.exe43⤵
- Executes dropped EXE
PID:4228 -
\??\c:\rfxlfff.exec:\rfxlfff.exe44⤵
- Executes dropped EXE
PID:4600 -
\??\c:\1bnttb.exec:\1bnttb.exe45⤵PID:956
-
\??\c:\1jvpd.exec:\1jvpd.exe46⤵
- Executes dropped EXE
PID:768 -
\??\c:\rllxrff.exec:\rllxrff.exe47⤵
- Executes dropped EXE
PID:1636 -
\??\c:\5bhhbb.exec:\5bhhbb.exe48⤵
- Executes dropped EXE
PID:2360 -
\??\c:\tnnhbt.exec:\tnnhbt.exe49⤵
- Executes dropped EXE
PID:1936 -
\??\c:\1vvjd.exec:\1vvjd.exe50⤵
- Executes dropped EXE
PID:2476 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe51⤵
- Executes dropped EXE
PID:4808 -
\??\c:\btnhtt.exec:\btnhtt.exe52⤵
- Executes dropped EXE
PID:2300 -
\??\c:\vdvjd.exec:\vdvjd.exe53⤵
- Executes dropped EXE
PID:5016 -
\??\c:\pvdvv.exec:\pvdvv.exe54⤵
- Executes dropped EXE
PID:3872 -
\??\c:\9xrlffx.exec:\9xrlffx.exe55⤵
- Executes dropped EXE
PID:4248 -
\??\c:\5jjvj.exec:\5jjvj.exe56⤵
- Executes dropped EXE
PID:4340 -
\??\c:\llxrxxx.exec:\llxrxxx.exe57⤵
- Executes dropped EXE
PID:2096 -
\??\c:\rlrlfxr.exec:\rlrlfxr.exe58⤵
- Executes dropped EXE
PID:3724 -
\??\c:\nbbtnn.exec:\nbbtnn.exe59⤵
- Executes dropped EXE
PID:5068 -
\??\c:\jjjdv.exec:\jjjdv.exe60⤵
- Executes dropped EXE
PID:512 -
\??\c:\rlrlxxr.exec:\rlrlxxr.exe61⤵
- Executes dropped EXE
PID:624 -
\??\c:\hbnbtn.exec:\hbnbtn.exe62⤵
- Executes dropped EXE
PID:2896 -
\??\c:\jjppv.exec:\jjppv.exe63⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe64⤵
- Executes dropped EXE
PID:4172 -
\??\c:\nbhbbt.exec:\nbhbbt.exe65⤵
- Executes dropped EXE
PID:3956 -
\??\c:\jdjdv.exec:\jdjdv.exe66⤵
- Executes dropped EXE
PID:1336 -
\??\c:\pdpjp.exec:\pdpjp.exe67⤵PID:2172
-
\??\c:\fxlrxrx.exec:\fxlrxrx.exe68⤵PID:3120
-
\??\c:\1nnnbb.exec:\1nnnbb.exe69⤵PID:2408
-
\??\c:\9vdjv.exec:\9vdjv.exe70⤵PID:3180
-
\??\c:\vjdvv.exec:\vjdvv.exe71⤵PID:3476
-
\??\c:\7rxlllr.exec:\7rxlllr.exe72⤵PID:4224
-
\??\c:\nbhbtn.exec:\nbhbtn.exe73⤵PID:2984
-
\??\c:\3jddv.exec:\3jddv.exe74⤵PID:3452
-
\??\c:\3xxxrrr.exec:\3xxxrrr.exe75⤵PID:3456
-
\??\c:\tbhnnh.exec:\tbhnnh.exe76⤵PID:876
-
\??\c:\bhthhh.exec:\bhthhh.exe77⤵PID:1240
-
\??\c:\pjdvp.exec:\pjdvp.exe78⤵PID:4168
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe79⤵PID:2228
-
\??\c:\9bbttt.exec:\9bbttt.exe80⤵PID:2664
-
\??\c:\9vjjd.exec:\9vjjd.exe81⤵PID:4012
-
\??\c:\lxxrlrx.exec:\lxxrlrx.exe82⤵PID:3628
-
\??\c:\hnnhhh.exec:\hnnhhh.exe83⤵PID:3344
-
\??\c:\tbhnhb.exec:\tbhnhb.exe84⤵PID:4844
-
\??\c:\pvdvp.exec:\pvdvp.exe85⤵PID:4960
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe86⤵PID:4924
-
\??\c:\llxxffl.exec:\llxxffl.exe87⤵PID:4504
-
\??\c:\hbnhhb.exec:\hbnhhb.exe88⤵PID:3676
-
\??\c:\pjdvv.exec:\pjdvv.exe89⤵PID:3348
-
\??\c:\lxllffx.exec:\lxllffx.exe90⤵PID:4332
-
\??\c:\rfrxrlf.exec:\rfrxrlf.exe91⤵PID:1232
-
\??\c:\nnnnhh.exec:\nnnnhh.exe92⤵PID:1124
-
\??\c:\pdjjd.exec:\pdjjd.exe93⤵PID:4356
-
\??\c:\rlxrxxx.exec:\rlxrxxx.exe94⤵PID:3972
-
\??\c:\rlxfxll.exec:\rlxfxll.exe95⤵PID:2932
-
\??\c:\9nhbtt.exec:\9nhbtt.exe96⤵PID:3076
-
\??\c:\7jjpj.exec:\7jjpj.exe97⤵PID:2828
-
\??\c:\flxxflf.exec:\flxxflf.exe98⤵PID:3744
-
\??\c:\bnttbt.exec:\bnttbt.exe99⤵PID:5100
-
\??\c:\pdvjd.exec:\pdvjd.exe100⤵PID:1684
-
\??\c:\rffxffx.exec:\rffxffx.exe101⤵PID:4484
-
\??\c:\1tnbtt.exec:\1tnbtt.exe102⤵PID:4228
-
\??\c:\7tthbt.exec:\7tthbt.exe103⤵PID:3388
-
\??\c:\pjjdv.exec:\pjjdv.exe104⤵PID:4864
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe105⤵PID:4008
-
\??\c:\btbtnn.exec:\btbtnn.exe106⤵PID:3940
-
\??\c:\hbhbbt.exec:\hbhbbt.exe107⤵PID:2360
-
\??\c:\djvpj.exec:\djvpj.exe108⤵PID:2260
-
\??\c:\fffxrrl.exec:\fffxrrl.exe109⤵PID:4056
-
\??\c:\1ntnhh.exec:\1ntnhh.exe110⤵PID:2820
-
\??\c:\tbnhtn.exec:\tbnhtn.exe111⤵PID:3444
-
\??\c:\vjjjd.exec:\vjjjd.exe112⤵PID:3716
-
\??\c:\5flfxxx.exec:\5flfxxx.exe113⤵PID:4968
-
\??\c:\hhnntt.exec:\hhnntt.exe114⤵PID:1316
-
\??\c:\vppjd.exec:\vppjd.exe115⤵PID:2560
-
\??\c:\frxrrlf.exec:\frxrrlf.exe116⤵PID:2096
-
\??\c:\lllflxf.exec:\lllflxf.exe117⤵PID:3724
-
\??\c:\3hbtnn.exec:\3hbtnn.exe118⤵PID:5068
-
\??\c:\9dvjd.exec:\9dvjd.exe119⤵PID:512
-
\??\c:\pddpd.exec:\pddpd.exe120⤵PID:624
-
\??\c:\xflfxrl.exec:\xflfxrl.exe121⤵PID:2896
-
\??\c:\bntnhh.exec:\bntnhh.exe122⤵PID:4700