Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe
-
Size
454KB
-
MD5
c08cae73261da112c1fa0bfd4111bd7d
-
SHA1
83f5e53605b13ad93454984445ebc1ed2dfed100
-
SHA256
3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574
-
SHA512
19aea5ec0c69166999297c4a30d62a30cd755d1ba40898c47c59206bb400e569d2cd51509bcb72516bfd455d043f8409403c5f5cab2480b0a9abac101ab6be32
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/880-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/916-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5052-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-1141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-1458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-1595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1848-1821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4860 vpjpd.exe 3944 bnbnbt.exe 1924 ffffxrl.exe 2804 jvdpv.exe 1700 lfrlxxl.exe 2680 1tthnn.exe 3056 1jdjv.exe 3396 pjdpj.exe 2924 1rrfxrl.exe 400 1tnntt.exe 4052 ppppd.exe 4460 htnbnn.exe 980 vppvd.exe 4440 lrrxllf.exe 3668 ppdvj.exe 1548 lrrfrlx.exe 1200 btbntn.exe 4204 pdvjp.exe 1680 hnhbtn.exe 4944 3jdvp.exe 4592 lxrfxrl.exe 4780 thnhhb.exe 3908 pjjdj.exe 916 3pdjv.exe 1516 lfxlfxr.exe 4360 7vdvd.exe 3628 dpjdp.exe 864 pdddp.exe 2348 rllxlfr.exe 2000 xlfrlxr.exe 1408 5hthht.exe 2780 7ffrxlx.exe 3204 pjjvp.exe 3980 xlfrlff.exe 2152 9hhtnh.exe 3588 7nnbbt.exe 1132 5vpjv.exe 1384 rffrxrl.exe 952 frxrfxx.exe 5084 3bbthb.exe 2600 jdpvj.exe 3100 7llxflx.exe 1860 xlfrlxl.exe 1124 hhhbnb.exe 184 nbtnhb.exe 4936 7pdpp.exe 5012 rffrfxr.exe 1964 9tbnnh.exe 5016 5jddv.exe 5044 vjpvd.exe 440 7xlxffr.exe 3716 hnbnbt.exe 1180 vddvj.exe 4860 1rxlfxx.exe 2620 9ththb.exe 1628 7bnbnh.exe 452 1ppdp.exe 2648 fxllxll.exe 4712 rlxrrll.exe 3016 nhhttn.exe 2532 pvvjv.exe 908 rfrllfr.exe 3192 fxfxfrr.exe 2424 ntnhth.exe -
resource yara_rule behavioral2/memory/880-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4360-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1132-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-1141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-1232-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 880 wrote to memory of 4860 880 3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe 84 PID 880 wrote to memory of 4860 880 3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe 84 PID 880 wrote to memory of 4860 880 3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe 84 PID 4860 wrote to memory of 3944 4860 vpjpd.exe 85 PID 4860 wrote to memory of 3944 4860 vpjpd.exe 85 PID 4860 wrote to memory of 3944 4860 vpjpd.exe 85 PID 3944 wrote to memory of 1924 3944 bnbnbt.exe 86 PID 3944 wrote to memory of 1924 3944 bnbnbt.exe 86 PID 3944 wrote to memory of 1924 3944 bnbnbt.exe 86 PID 1924 wrote to memory of 2804 1924 ffffxrl.exe 87 PID 1924 wrote to memory of 2804 1924 ffffxrl.exe 87 PID 1924 wrote to memory of 2804 1924 ffffxrl.exe 87 PID 2804 wrote to memory of 1700 2804 jvdpv.exe 88 PID 2804 wrote to memory of 1700 2804 jvdpv.exe 88 PID 2804 wrote to memory of 1700 2804 jvdpv.exe 88 PID 1700 wrote to memory of 2680 1700 lfrlxxl.exe 89 PID 1700 wrote to memory of 2680 1700 lfrlxxl.exe 89 PID 1700 wrote to memory of 2680 1700 lfrlxxl.exe 89 PID 2680 wrote to memory of 3056 2680 1tthnn.exe 90 PID 2680 wrote to memory of 3056 2680 1tthnn.exe 90 PID 2680 wrote to memory of 3056 2680 1tthnn.exe 90 PID 3056 wrote to memory of 3396 3056 1jdjv.exe 91 PID 3056 wrote to memory of 3396 3056 1jdjv.exe 91 PID 3056 wrote to memory of 3396 3056 1jdjv.exe 91 PID 3396 wrote to memory of 2924 3396 pjdpj.exe 92 PID 3396 wrote to memory of 2924 3396 pjdpj.exe 92 PID 3396 wrote to memory of 2924 3396 pjdpj.exe 92 PID 2924 wrote to memory of 400 2924 1rrfxrl.exe 93 PID 2924 wrote to memory of 400 2924 1rrfxrl.exe 93 PID 2924 wrote to memory of 400 2924 1rrfxrl.exe 93 PID 400 wrote to memory of 4052 400 1tnntt.exe 94 PID 400 wrote to memory of 4052 400 1tnntt.exe 94 PID 400 wrote to memory of 4052 400 1tnntt.exe 94 PID 4052 wrote to memory of 4460 4052 ppppd.exe 95 PID 4052 wrote to memory of 4460 4052 
ppppd.exe 95 PID 4052 wrote to memory of 4460 4052 ppppd.exe 95 PID 4460 wrote to memory of 980 4460 htnbnn.exe 96 PID 4460 wrote to memory of 980 4460 htnbnn.exe 96 PID 4460 wrote to memory of 980 4460 htnbnn.exe 96 PID 980 wrote to memory of 4440 980 vppvd.exe 97 PID 980 wrote to memory of 4440 980 vppvd.exe 97 PID 980 wrote to memory of 4440 980 vppvd.exe 97 PID 4440 wrote to memory of 3668 4440 lrrxllf.exe 98 PID 4440 wrote to memory of 3668 4440 lrrxllf.exe 98 PID 4440 wrote to memory of 3668 4440 lrrxllf.exe 98 PID 3668 wrote to memory of 1548 3668 ppdvj.exe 99 PID 3668 wrote to memory of 1548 3668 ppdvj.exe 99 PID 3668 wrote to memory of 1548 3668 ppdvj.exe 99 PID 1548 wrote to memory of 1200 1548 lrrfrlx.exe 100 PID 1548 wrote to memory of 1200 1548 lrrfrlx.exe 100 PID 1548 wrote to memory of 1200 1548 lrrfrlx.exe 100 PID 1200 wrote to memory of 4204 1200 btbntn.exe 101 PID 1200 wrote to memory of 4204 1200 btbntn.exe 101 PID 1200 wrote to memory of 4204 1200 btbntn.exe 101 PID 4204 wrote to memory of 1680 4204 pdvjp.exe 102 PID 4204 wrote to memory of 1680 4204 pdvjp.exe 102 PID 4204 wrote to memory of 1680 4204 pdvjp.exe 102 PID 1680 wrote to memory of 4944 1680 hnhbtn.exe 103 PID 1680 wrote to memory of 4944 1680 hnhbtn.exe 103 PID 1680 wrote to memory of 4944 1680 hnhbtn.exe 103 PID 4944 wrote to memory of 4592 4944 3jdvp.exe 104 PID 4944 wrote to memory of 4592 4944 3jdvp.exe 104 PID 4944 wrote to memory of 4592 4944 3jdvp.exe 104 PID 4592 wrote to memory of 4780 4592 lxrfxrl.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe"C:\Users\Admin\AppData\Local\Temp\3cc3a7def4554796bd9efce69a0cbecf8be5c0308d3f26099331b9cd6b1e4574.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\vpjpd.exec:\vpjpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\bnbnbt.exec:\bnbnbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\ffffxrl.exec:\ffffxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\jvdpv.exec:\jvdpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\lfrlxxl.exec:\lfrlxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\1tthnn.exec:\1tthnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\1jdjv.exec:\1jdjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\pjdpj.exec:\pjdpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\1rrfxrl.exec:\1rrfxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\1tnntt.exec:\1tnntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\ppppd.exec:\ppppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\htnbnn.exec:\htnbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\vppvd.exec:\vppvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\lrrxllf.exec:\lrrxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\ppdvj.exec:\ppdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\btbntn.exec:\btbntn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\pdvjp.exec:\pdvjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\hnhbtn.exec:\hnhbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\3jdvp.exec:\3jdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\thnhhb.exec:\thnhhb.exe23⤵
- Executes dropped EXE
PID:4780 -
\??\c:\pjjdj.exec:\pjjdj.exe24⤵
- Executes dropped EXE
PID:3908 -
\??\c:\3pdjv.exec:\3pdjv.exe25⤵
- Executes dropped EXE
PID:916 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe26⤵
- Executes dropped EXE
PID:1516 -
\??\c:\7vdvd.exec:\7vdvd.exe27⤵
- Executes dropped EXE
PID:4360 -
\??\c:\dpjdp.exec:\dpjdp.exe28⤵
- Executes dropped EXE
PID:3628 -
\??\c:\pdddp.exec:\pdddp.exe29⤵
- Executes dropped EXE
PID:864 -
\??\c:\rllxlfr.exec:\rllxlfr.exe30⤵
- Executes dropped EXE
PID:2348 -
\??\c:\xlfrlxr.exec:\xlfrlxr.exe31⤵
- Executes dropped EXE
PID:2000 -
\??\c:\5hthht.exec:\5hthht.exe32⤵
- Executes dropped EXE
PID:1408 -
\??\c:\7ffrxlx.exec:\7ffrxlx.exe33⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pjjvp.exec:\pjjvp.exe34⤵
- Executes dropped EXE
PID:3204 -
\??\c:\xlfrlff.exec:\xlfrlff.exe35⤵
- Executes dropped EXE
PID:3980 -
\??\c:\9hhtnh.exec:\9hhtnh.exe36⤵
- Executes dropped EXE
PID:2152 -
\??\c:\7nnbbt.exec:\7nnbbt.exe37⤵
- Executes dropped EXE
PID:3588 -
\??\c:\5vpjv.exec:\5vpjv.exe38⤵
- Executes dropped EXE
PID:1132 -
\??\c:\rffrxrl.exec:\rffrxrl.exe39⤵
- Executes dropped EXE
PID:1384 -
\??\c:\frxrfxx.exec:\frxrfxx.exe40⤵
- Executes dropped EXE
PID:952 -
\??\c:\3bbthb.exec:\3bbthb.exe41⤵
- Executes dropped EXE
PID:5084 -
\??\c:\jdpvj.exec:\jdpvj.exe42⤵
- Executes dropped EXE
PID:2600 -
\??\c:\7llxflx.exec:\7llxflx.exe43⤵
- Executes dropped EXE
PID:3100 -
\??\c:\xlfrlxl.exec:\xlfrlxl.exe44⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hhhbnb.exec:\hhhbnb.exe45⤵
- Executes dropped EXE
PID:1124 -
\??\c:\nbtnhb.exec:\nbtnhb.exe46⤵
- Executes dropped EXE
PID:184 -
\??\c:\7pdpp.exec:\7pdpp.exe47⤵
- Executes dropped EXE
PID:4936 -
\??\c:\rffrfxr.exec:\rffrfxr.exe48⤵
- Executes dropped EXE
PID:5012 -
\??\c:\9tbnnh.exec:\9tbnnh.exe49⤵
- Executes dropped EXE
PID:1964 -
\??\c:\5jddv.exec:\5jddv.exe50⤵
- Executes dropped EXE
PID:5016 -
\??\c:\vjpvd.exec:\vjpvd.exe51⤵
- Executes dropped EXE
PID:5044 -
\??\c:\7xlxffr.exec:\7xlxffr.exe52⤵
- Executes dropped EXE
PID:440 -
\??\c:\hnbnbt.exec:\hnbnbt.exe53⤵
- Executes dropped EXE
PID:3716 -
\??\c:\vddvj.exec:\vddvj.exe54⤵
- Executes dropped EXE
PID:1180 -
\??\c:\1rxlfxx.exec:\1rxlfxx.exe55⤵
- Executes dropped EXE
PID:4860 -
\??\c:\9ththb.exec:\9ththb.exe56⤵
- Executes dropped EXE
PID:2620 -
\??\c:\7bnbnh.exec:\7bnbnh.exe57⤵
- Executes dropped EXE
PID:1628 -
\??\c:\1ppdp.exec:\1ppdp.exe58⤵
- Executes dropped EXE
PID:452 -
\??\c:\fxllxll.exec:\fxllxll.exe59⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rlxrrll.exec:\rlxrrll.exe60⤵
- Executes dropped EXE
PID:4712 -
\??\c:\nhhttn.exec:\nhhttn.exe61⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pvvjv.exec:\pvvjv.exe62⤵
- Executes dropped EXE
PID:2532 -
\??\c:\rfrllfr.exec:\rfrllfr.exe63⤵
- Executes dropped EXE
PID:908 -
\??\c:\fxfxfrr.exec:\fxfxfrr.exe64⤵
- Executes dropped EXE
PID:3192 -
\??\c:\ntnhth.exec:\ntnhth.exe65⤵
- Executes dropped EXE
PID:2424 -
\??\c:\dpjvd.exec:\dpjvd.exe66⤵PID:5116
-
\??\c:\9llxllx.exec:\9llxllx.exe67⤵PID:4848
-
\??\c:\lllffll.exec:\lllffll.exe68⤵PID:4420
-
\??\c:\bnhtht.exec:\bnhtht.exe69⤵PID:4060
-
\??\c:\1dvjd.exec:\1dvjd.exe70⤵PID:1028
-
\??\c:\fllxlfx.exec:\fllxlfx.exe71⤵PID:676
-
\??\c:\5xrfrlx.exec:\5xrfrlx.exe72⤵PID:5004
-
\??\c:\nhbntn.exec:\nhbntn.exe73⤵PID:4696
-
\??\c:\djjjj.exec:\djjjj.exe74⤵PID:1616
-
\??\c:\pjdpd.exec:\pjdpd.exe75⤵PID:2448
-
\??\c:\flrrxxl.exec:\flrrxxl.exe76⤵PID:1548
-
\??\c:\bnhbnh.exec:\bnhbnh.exe77⤵PID:3784
-
\??\c:\1pvpj.exec:\1pvpj.exe78⤵PID:4668
-
\??\c:\1lxrxrf.exec:\1lxrxrf.exe79⤵PID:4204
-
\??\c:\bbhbtn.exec:\bbhbtn.exe80⤵PID:3656
-
\??\c:\tnhbbn.exec:\tnhbbn.exe81⤵PID:4640
-
\??\c:\7ppdp.exec:\7ppdp.exe82⤵PID:5052
-
\??\c:\frfrfrl.exec:\frfrfrl.exe83⤵PID:2516
-
\??\c:\bnnhtn.exec:\bnnhtn.exe84⤵PID:1312
-
\??\c:\bbbthb.exec:\bbbthb.exe85⤵PID:60
-
\??\c:\vpjvj.exec:\vpjvj.exe86⤵PID:1708
-
\??\c:\xllfxrf.exec:\xllfxrf.exe87⤵PID:2800
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe88⤵PID:2552
-
\??\c:\htnbnb.exec:\htnbnb.exe89⤵PID:2012
-
\??\c:\vdpdp.exec:\vdpdp.exe90⤵PID:1944
-
\??\c:\5lxlxlf.exec:\5lxlxlf.exe91⤵PID:3208
-
\??\c:\xxrfrrr.exec:\xxrfrrr.exe92⤵PID:4760
-
\??\c:\1nbthb.exec:\1nbthb.exe93⤵PID:3316
-
\??\c:\3ppdv.exec:\3ppdv.exe94⤵PID:3824
-
\??\c:\1dddv.exec:\1dddv.exe95⤵PID:2812
-
\??\c:\lxxrflf.exec:\lxxrflf.exe96⤵PID:2176
-
\??\c:\htnbnh.exec:\htnbnh.exe97⤵PID:2876
-
\??\c:\htnbhb.exec:\htnbhb.exe98⤵PID:224
-
\??\c:\7jpdj.exec:\7jpdj.exe99⤵PID:948
-
\??\c:\pdvvd.exec:\pdvvd.exe100⤵PID:3216
-
\??\c:\lrxlrlf.exec:\lrxlrlf.exe101⤵PID:2152
-
\??\c:\hnhbnb.exec:\hnhbnb.exe102⤵PID:3588
-
\??\c:\9ddpd.exec:\9ddpd.exe103⤵PID:1132
-
\??\c:\ppdvp.exec:\ppdvp.exe104⤵PID:3052
-
\??\c:\3xxlxrl.exec:\3xxlxrl.exe105⤵PID:952
-
\??\c:\5hhttn.exec:\5hhttn.exe106⤵PID:5084
-
\??\c:\nbbtnh.exec:\nbbtnh.exe107⤵PID:2600
-
\??\c:\dvvjv.exec:\dvvjv.exe108⤵PID:3100
-
\??\c:\rxfflfr.exec:\rxfflfr.exe109⤵PID:4656
-
\??\c:\7fxlxrf.exec:\7fxlxrf.exe110⤵PID:3224
-
\??\c:\tnbttn.exec:\tnbttn.exe111⤵PID:3736
-
\??\c:\vdjdv.exec:\vdjdv.exe112⤵PID:3504
-
\??\c:\3frflfx.exec:\3frflfx.exe113⤵PID:3120
-
\??\c:\lfrlxrf.exec:\lfrlxrf.exe114⤵PID:1572
-
\??\c:\1tbttt.exec:\1tbttt.exe115⤵PID:4480
-
\??\c:\jvpdv.exec:\jvpdv.exe116⤵PID:2704
-
\??\c:\jjdvp.exec:\jjdvp.exe117⤵PID:1484
-
\??\c:\1llfrrl.exec:\1llfrrl.exe118⤵PID:4076
-
\??\c:\nbtnbt.exec:\nbtnbt.exe119⤵PID:4544
-
\??\c:\pvppj.exec:\pvppj.exe120⤵PID:936
-
\??\c:\5rxlfxx.exec:\5rxlfxx.exe121⤵PID:2620
-
\??\c:\9flfrlf.exec:\9flfrlf.exe122⤵PID:1308