Analysis
-
max time kernel
89s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
06-06-2024 04:53
Behavioral task
behavioral1
Sample
b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exe
Resource
win7-20231129-en
6 signatures
150 seconds
Note: this task entry names behavioral1 on the win7-20231129-en image, but every signature hit and the process tree below are tagged behavioral2, and the Analysis header above gives the win10v2004-20240426-en image. Read the detailed findings as coming from the Windows 10 run. Only five signature sections survived on this page (one of them without its heading), not the six the task summary counts.
General
-
Target
b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exe
-
Size
59KB
-
MD5
f41242eb9bb0c0bdc1436de10618329c
-
SHA1
c3d66223d5791fdceaa8ebbfb0a758b9226f4a7e
-
SHA256
b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b
-
SHA512
6682e46e0beb2b132727d976a3c273830d14ea58ef6f7eb316428b6cfd4f7b94a4835519415ebc3ff1bdcd1b6e074a89a52cd4a5c90847d10881592ccd86cc01
-
SSDEEP
1536:kvQBeOGtrYS3srx93UBWfwC6Ggnouy8p5yAXNG1mjtREVM7:khOmTsF93UYfwC6GIoutpY918c+
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs (the per-signature list is capped at 64 entries and is not exhaustive: the process tree below shows 122 dropped executables. Every hit is a YARA match on an in-memory dump of the 0x00400000-0x00427000 image region of a dropped process, i.e. on the code after the UPX layer has been removed, not on the file as it sits on disk.)
Processes:
resource yara_rule behavioral2/memory/996-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/864-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/828-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-618-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-626-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-644-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-709-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-883-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-852-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-824-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-791-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-613-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5044-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-559-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-519-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2412-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1276-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3756-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4704-0-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs (memory dumps taken when the UPX stub jumps to the original entry point; the same 0x00400000-0x00427000 regions that the Blackmoon rule matches. Several of the files dropped to the root of C:\, e.g. C:\rlllflf.exe and c:\thnhnh.exe, are also flagged UPX on disk.)
Processes:
resource yara_rule behavioral2/memory/996-19-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\thnhnh.exe UPX C:\rlllflf.exe UPX behavioral2/memory/5096-62-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2104-73-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\hbhbbt.exe UPX \??\c:\bthhbb.exe UPX C:\xxrrlll.exe UPX C:\nnbtbt.exe UPX \??\c:\flllfff.exe UPX behavioral2/memory/3260-182-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/5076-191-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2848-219-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3012-239-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4688-243-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2108-283-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/864-298-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1444-315-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/736-337-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4320-357-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/636-393-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/5112-448-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/828-476-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4032-618-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4804-626-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/208-644-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/944-709-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1900-945-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2720-938-0x0000000000400000-0x0000000000427000-memory.dmp UPX 
behavioral2/memory/3280-928-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3684-894-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1288-890-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1124-883-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1796-852-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3632-824-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/588-814-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3552-807-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3032-791-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1252-781-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4000-774-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3148-755-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/944-706-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4032-614-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4060-613-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2300-591-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/5044-579-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1392-559-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/640-552-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3720-527-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3780-520-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1644-519-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/5112-444-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3252-437-0x0000000000400000-0x0000000000427000-memory.dmp UPX 
behavioral2/memory/4372-413-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2492-390-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4140-388-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2772-378-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2292-374-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2176-373-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4320-353-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1268-352-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1268-348-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1944-341-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3308-311-0x0000000000400000-0x0000000000427000-memory.dmp UPX -
Executes dropped EXE 64 IoCs (PIDs are reused within this run: 4936 appears for ddddv.exe and later for lrxxlfx.exe, 2484 for pjvdd.exe and jdjpj.exe, 2328 for tnbbbh.exe and jvjjj.exe, among others. Correlate entries by image name and position in the process tree, not by PID alone.)
Processes:
rrlrrxf.exeffxrrrx.exebtbtnb.exebtbbtt.exethnhnh.exepjvdd.exevdppp.exerlllflf.exe9lxxxff.exexrrrxfl.exetnbbbh.exehbhbbt.exeddddv.exeppjjv.exeffrrrrr.exerrrrllr.exebthhbb.exenthhbh.exevdddd.exevjpjv.exevdvdj.exexxrrlll.exelrxrrxx.exennbtbt.exehhnnhn.exepdjdd.exevvjjj.exerrxrxxl.exeflllfff.exebhhnnn.exebbtthh.exebtbhnh.exevvvvj.exejvdjp.exelxlrlxr.exe3xrlffx.exetttttb.exehthbtt.exehhhbbn.exedvjdp.exeppdvv.exefxlffll.exelxxrrrl.exexrffxxx.exe5ntnhh.exebttnhh.exe7djpj.exevvppd.exejdjpj.exexlrrfrr.exe3lffllr.exetnhttb.exebnhbth.exedjvvp.exejvjjj.exexxxxrrl.exelrxxlfx.exebbttnb.exebttttb.exenthnnt.exevdvpd.exejjjdv.exellfxrlf.exe5lllflx.exepid process 4532 rrlrrxf.exe 996 ffxrrrx.exe 4028 btbtnb.exe 4208 btbbtt.exe 1288 thnhnh.exe 2484 pjvdd.exe 1360 vdppp.exe 2616 rlllflf.exe 4072 9lxxxff.exe 5096 xrrrxfl.exe 2328 tnbbbh.exe 2104 hbhbbt.exe 4936 ddddv.exe 3128 ppjjv.exe 3756 ffrrrrr.exe 4032 rrrrllr.exe 3548 bthhbb.exe 4352 nthhbh.exe 4728 vdddd.exe 4316 vjpjv.exe 4456 vdvdj.exe 2396 xxrrlll.exe 3952 lrxrrxx.exe 736 nnbtbt.exe 2764 hhnnhn.exe 1436 pdjdd.exe 3740 vvjjj.exe 5040 rrxrxxl.exe 4204 flllfff.exe 4608 bhhnnn.exe 3260 bbtthh.exe 5076 btbhnh.exe 2176 vvvvj.exe 3596 jvdjp.exe 912 lxlrlxr.exe 2608 3xrlffx.exe 1276 tttttb.exe 1300 hthbtt.exe 3124 hhhbbn.exe 1984 dvjdp.exe 2848 ppdvv.exe 1392 fxlffll.exe 4508 lxxrrrl.exe 3244 xrffxxx.exe 1144 5ntnhh.exe 3012 bttnhh.exe 4688 7djpj.exe 3716 vvppd.exe 2484 jdjpj.exe 2412 xlrrfrr.exe 2864 3lffllr.exe 872 tnhttb.exe 4588 bnhbth.exe 880 djvvp.exe 2328 jvjjj.exe 3532 xxxxrrl.exe 4936 lrxxlfx.exe 2108 bbttnb.exe 2760 bttttb.exe 3304 nthnnt.exe 4248 vdvpd.exe 864 jjjdv.exe 4236 llfxrlf.exe 2140 5lllflx.exe -
Processes (signature heading missing from this capture; the lowercase `upx` rule tag on the entries below marks UPX-packed dropped files and memory regions, duplicating the list in the section above):
resource yara_rule behavioral2/memory/996-19-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\thnhnh.exe upx C:\rlllflf.exe upx behavioral2/memory/5096-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2104-73-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hbhbbt.exe upx \??\c:\bthhbb.exe upx C:\xxrrlll.exe upx C:\nnbtbt.exe upx \??\c:\flllfff.exe upx behavioral2/memory/3260-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5076-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2848-219-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3012-239-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4688-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2108-283-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/864-298-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1444-315-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/736-337-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4320-357-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/636-393-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5112-448-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/828-476-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4032-618-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4804-626-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/208-644-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/944-709-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1900-945-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2720-938-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3280-928-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3684-894-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1288-890-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1124-883-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1796-852-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3632-824-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/588-814-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3552-807-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3032-791-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1252-781-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4000-774-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3148-755-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/944-706-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4032-614-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4060-613-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2300-591-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5044-579-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1392-559-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/640-552-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3720-527-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3780-520-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1644-519-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5112-444-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3252-437-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4372-413-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2492-390-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4140-388-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2772-378-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2292-374-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2176-373-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4320-353-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1268-352-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1268-348-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1944-341-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3308-311-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs (each parent-to-child pair is recorded three times; the entries follow the spawn chain exactly, so they most likely reflect the writes a parent makes into a child it has just created rather than injection into an unrelated process - confirm against the API log if that distinction matters. The entry "PID 2104 wrote to memory of 4936 ... hbhbbt.exe lrxxlfx.exe" names the later occupant of PID 4936; at that point in the tree PID 4936 is ddddv.exe, a PID-reuse attribution artifact.)
Processes:
b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exerrlrrxf.exeffxrrrx.exebtbtnb.exebtbbtt.exethnhnh.exepjvdd.exevdppp.exerlllflf.exe9lxxxff.exexrrrxfl.exetnbbbh.exehbhbbt.exeddddv.exeppjjv.exeffrrrrr.exerrrrllr.exebthhbb.exenthhbh.exevdddd.exevjpjv.exevdvdj.exedescription pid process target process PID 4704 wrote to memory of 4532 4704 b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exe rrlrrxf.exe PID 4704 wrote to memory of 4532 4704 b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exe rrlrrxf.exe PID 4704 wrote to memory of 4532 4704 b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exe rrlrrxf.exe PID 4532 wrote to memory of 996 4532 rrlrrxf.exe ffxrrrx.exe PID 4532 wrote to memory of 996 4532 rrlrrxf.exe ffxrrrx.exe PID 4532 wrote to memory of 996 4532 rrlrrxf.exe ffxrrrx.exe PID 996 wrote to memory of 4028 996 ffxrrrx.exe btbtnb.exe PID 996 wrote to memory of 4028 996 ffxrrrx.exe btbtnb.exe PID 996 wrote to memory of 4028 996 ffxrrrx.exe btbtnb.exe PID 4028 wrote to memory of 4208 4028 btbtnb.exe btbbtt.exe PID 4028 wrote to memory of 4208 4028 btbtnb.exe btbbtt.exe PID 4028 wrote to memory of 4208 4028 btbtnb.exe btbbtt.exe PID 4208 wrote to memory of 1288 4208 btbbtt.exe thnhnh.exe PID 4208 wrote to memory of 1288 4208 btbbtt.exe thnhnh.exe PID 4208 wrote to memory of 1288 4208 btbbtt.exe thnhnh.exe PID 1288 wrote to memory of 2484 1288 thnhnh.exe pjvdd.exe PID 1288 wrote to memory of 2484 1288 thnhnh.exe pjvdd.exe PID 1288 wrote to memory of 2484 1288 thnhnh.exe pjvdd.exe PID 2484 wrote to memory of 1360 2484 pjvdd.exe vdppp.exe PID 2484 wrote to memory of 1360 2484 pjvdd.exe vdppp.exe PID 2484 wrote to memory of 1360 2484 pjvdd.exe vdppp.exe PID 1360 wrote to memory of 2616 1360 vdppp.exe rlllflf.exe PID 1360 wrote to memory of 2616 1360 vdppp.exe rlllflf.exe PID 1360 wrote to memory of 2616 1360 vdppp.exe rlllflf.exe PID 2616 wrote to memory of 4072 2616 rlllflf.exe 9lxxxff.exe PID 2616 
wrote to memory of 4072 2616 rlllflf.exe 9lxxxff.exe PID 2616 wrote to memory of 4072 2616 rlllflf.exe 9lxxxff.exe PID 4072 wrote to memory of 5096 4072 9lxxxff.exe xrrrxfl.exe PID 4072 wrote to memory of 5096 4072 9lxxxff.exe xrrrxfl.exe PID 4072 wrote to memory of 5096 4072 9lxxxff.exe xrrrxfl.exe PID 5096 wrote to memory of 2328 5096 xrrrxfl.exe tnbbbh.exe PID 5096 wrote to memory of 2328 5096 xrrrxfl.exe tnbbbh.exe PID 5096 wrote to memory of 2328 5096 xrrrxfl.exe tnbbbh.exe PID 2328 wrote to memory of 2104 2328 tnbbbh.exe hbhbbt.exe PID 2328 wrote to memory of 2104 2328 tnbbbh.exe hbhbbt.exe PID 2328 wrote to memory of 2104 2328 tnbbbh.exe hbhbbt.exe PID 2104 wrote to memory of 4936 2104 hbhbbt.exe lrxxlfx.exe PID 2104 wrote to memory of 4936 2104 hbhbbt.exe lrxxlfx.exe PID 2104 wrote to memory of 4936 2104 hbhbbt.exe lrxxlfx.exe PID 4936 wrote to memory of 3128 4936 ddddv.exe ppjjv.exe PID 4936 wrote to memory of 3128 4936 ddddv.exe ppjjv.exe PID 4936 wrote to memory of 3128 4936 ddddv.exe ppjjv.exe PID 3128 wrote to memory of 3756 3128 ppjjv.exe ffrrrrr.exe PID 3128 wrote to memory of 3756 3128 ppjjv.exe ffrrrrr.exe PID 3128 wrote to memory of 3756 3128 ppjjv.exe ffrrrrr.exe PID 3756 wrote to memory of 4032 3756 ffrrrrr.exe rrrrllr.exe PID 3756 wrote to memory of 4032 3756 ffrrrrr.exe rrrrllr.exe PID 3756 wrote to memory of 4032 3756 ffrrrrr.exe rrrrllr.exe PID 4032 wrote to memory of 3548 4032 rrrrllr.exe bthhbb.exe PID 4032 wrote to memory of 3548 4032 rrrrllr.exe bthhbb.exe PID 4032 wrote to memory of 3548 4032 rrrrllr.exe bthhbb.exe PID 3548 wrote to memory of 4352 3548 bthhbb.exe nthhbh.exe PID 3548 wrote to memory of 4352 3548 bthhbb.exe nthhbh.exe PID 3548 wrote to memory of 4352 3548 bthhbb.exe nthhbh.exe PID 4352 wrote to memory of 4728 4352 nthhbh.exe vdddd.exe PID 4352 wrote to memory of 4728 4352 nthhbh.exe vdddd.exe PID 4352 wrote to memory of 4728 4352 nthhbh.exe vdddd.exe PID 4728 wrote to memory of 4316 4728 vdddd.exe vjpjv.exe PID 4728 wrote 
to memory of 4316 4728 vdddd.exe vjpjv.exe PID 4728 wrote to memory of 4316 4728 vdddd.exe vjpjv.exe PID 4316 wrote to memory of 4456 4316 vjpjv.exe vdvdj.exe PID 4316 wrote to memory of 4456 4316 vjpjv.exe vdvdj.exe PID 4316 wrote to memory of 4456 4316 vjpjv.exe vdvdj.exe PID 4456 wrote to memory of 2396 4456 vdvdj.exe xxrrlll.exe
Processes (each dropped executable is written directly to the root of C:\ with a name built from the letters b, d, f, h, j, l, n, p, r, t, v and x, occasionally prefixed with a digit, and then launches the next one; the chain reaches a depth of 122 in this run. Short executables appearing in the root of C:\ with names of this shape are a practical hunting pivot for this sample's behaviour.)
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵PID:4020 (top-level process with no parent in the sample's spawn chain and no signature hits; presumably sandbox background activity rather than something the sample started - verify before treating it as an IoC)
-
C:\Users\Admin\AppData\Local\Temp\b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exe"C:\Users\Admin\AppData\Local\Temp\b139754a7adc499d719d282740902102dcdb5fba099e0c0851dda453d114bb5b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\rrlrrxf.exec:\rrlrrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\ffxrrrx.exec:\ffxrrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\btbtnb.exec:\btbtnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\btbbtt.exec:\btbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\thnhnh.exec:\thnhnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\pjvdd.exec:\pjvdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\vdppp.exec:\vdppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\rlllflf.exec:\rlllflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\9lxxxff.exec:\9lxxxff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\xrrrxfl.exec:\xrrrxfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\tnbbbh.exec:\tnbbbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\hbhbbt.exec:\hbhbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\ddddv.exec:\ddddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\ppjjv.exec:\ppjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\ffrrrrr.exec:\ffrrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\rrrrllr.exec:\rrrrllr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\bthhbb.exec:\bthhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\nthhbh.exec:\nthhbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\vdddd.exec:\vdddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\vjpjv.exec:\vjpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\vdvdj.exec:\vdvdj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\xxrrlll.exec:\xxrrlll.exe23⤵
- Executes dropped EXE
PID:2396 -
\??\c:\lrxrrxx.exec:\lrxrrxx.exe24⤵
- Executes dropped EXE
PID:3952 -
\??\c:\nnbtbt.exec:\nnbtbt.exe25⤵
- Executes dropped EXE
PID:736 -
\??\c:\hhnnhn.exec:\hhnnhn.exe26⤵
- Executes dropped EXE
PID:2764 -
\??\c:\pdjdd.exec:\pdjdd.exe27⤵
- Executes dropped EXE
PID:1436 -
\??\c:\vvjjj.exec:\vvjjj.exe28⤵
- Executes dropped EXE
PID:3740 -
\??\c:\rrxrxxl.exec:\rrxrxxl.exe29⤵
- Executes dropped EXE
PID:5040 -
\??\c:\flllfff.exec:\flllfff.exe30⤵
- Executes dropped EXE
PID:4204 -
\??\c:\bhhnnn.exec:\bhhnnn.exe31⤵
- Executes dropped EXE
PID:4608 -
\??\c:\bbtthh.exec:\bbtthh.exe32⤵
- Executes dropped EXE
PID:3260 -
\??\c:\btbhnh.exec:\btbhnh.exe33⤵
- Executes dropped EXE
PID:5076 -
\??\c:\vvvvj.exec:\vvvvj.exe34⤵
- Executes dropped EXE
PID:2176 -
\??\c:\jvdjp.exec:\jvdjp.exe35⤵
- Executes dropped EXE
PID:3596 -
\??\c:\lxlrlxr.exec:\lxlrlxr.exe36⤵
- Executes dropped EXE
PID:912 -
\??\c:\3xrlffx.exec:\3xrlffx.exe37⤵
- Executes dropped EXE
PID:2608 -
\??\c:\tttttb.exec:\tttttb.exe38⤵
- Executes dropped EXE
PID:1276 -
\??\c:\hthbtt.exec:\hthbtt.exe39⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hhhbbn.exec:\hhhbbn.exe40⤵
- Executes dropped EXE
PID:3124 -
\??\c:\dvjdp.exec:\dvjdp.exe41⤵
- Executes dropped EXE
PID:1984 -
\??\c:\ppdvv.exec:\ppdvv.exe42⤵
- Executes dropped EXE
PID:2848 -
\??\c:\fxlffll.exec:\fxlffll.exe43⤵
- Executes dropped EXE
PID:1392 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\xrffxxx.exec:\xrffxxx.exe45⤵
- Executes dropped EXE
PID:3244 -
\??\c:\5ntnhh.exec:\5ntnhh.exe46⤵
- Executes dropped EXE
PID:1144 -
\??\c:\bttnhh.exec:\bttnhh.exe47⤵
- Executes dropped EXE
PID:3012 -
\??\c:\7djpj.exec:\7djpj.exe48⤵
- Executes dropped EXE
PID:4688 -
\??\c:\vvppd.exec:\vvppd.exe49⤵
- Executes dropped EXE
PID:3716 -
\??\c:\jdjpj.exec:\jdjpj.exe50⤵
- Executes dropped EXE
PID:2484 -
\??\c:\xlrrfrr.exec:\xlrrfrr.exe51⤵
- Executes dropped EXE
PID:2412 -
\??\c:\3lffllr.exec:\3lffllr.exe52⤵
- Executes dropped EXE
PID:2864 -
\??\c:\tnhttb.exec:\tnhttb.exe53⤵
- Executes dropped EXE
PID:872 -
\??\c:\bnhbth.exec:\bnhbth.exe54⤵
- Executes dropped EXE
PID:4588 -
\??\c:\djvvp.exec:\djvvp.exe55⤵
- Executes dropped EXE
PID:880 -
\??\c:\jvjjj.exec:\jvjjj.exe56⤵
- Executes dropped EXE
PID:2328 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe57⤵
- Executes dropped EXE
PID:3532 -
\??\c:\lrxxlfx.exec:\lrxxlfx.exe58⤵
- Executes dropped EXE
PID:4936 -
\??\c:\bbttnb.exec:\bbttnb.exe59⤵
- Executes dropped EXE
PID:2108 -
\??\c:\bttttb.exec:\bttttb.exe60⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nthnnt.exec:\nthnnt.exe61⤵
- Executes dropped EXE
PID:3304 -
\??\c:\vdvpd.exec:\vdvpd.exe62⤵
- Executes dropped EXE
PID:4248 -
\??\c:\jjjdv.exec:\jjjdv.exe63⤵
- Executes dropped EXE
PID:864 -
\??\c:\llfxrlf.exec:\llfxrlf.exe64⤵
- Executes dropped EXE
PID:4236 -
\??\c:\5lllflx.exec:\5lllflx.exe65⤵
- Executes dropped EXE
PID:2140 -
\??\c:\thhnhn.exec:\thhnhn.exe66⤵PID:3308
-
\??\c:\bbnhnt.exec:\bbnhnt.exe67⤵PID:2428
-
\??\c:\dddvp.exec:\dddvp.exe68⤵PID:1444
-
\??\c:\7jddv.exec:\7jddv.exe69⤵PID:3372
-
\??\c:\rllfrlr.exec:\rllfrlr.exe70⤵PID:1056
-
\??\c:\xxllxxx.exec:\xxllxxx.exe71⤵PID:3048
-
\??\c:\nhnnhn.exec:\nhnnhn.exe72⤵PID:2964
-
\??\c:\nttnbt.exec:\nttnbt.exe73⤵PID:4996
-
\??\c:\ppvvd.exec:\ppvvd.exe74⤵PID:736
-
\??\c:\frxxxxf.exec:\frxxxxf.exe75⤵PID:1432
-
\??\c:\7xxxxxx.exec:\7xxxxxx.exe76⤵PID:1944
-
\??\c:\nntnhh.exec:\nntnhh.exe77⤵PID:1512
-
\??\c:\nbtthh.exec:\nbtthh.exe78⤵PID:1268
-
\??\c:\pjdvj.exec:\pjdvj.exe79⤵PID:4320
-
\??\c:\dpdvd.exec:\dpdvd.exe80⤵PID:4344
-
\??\c:\llflxrr.exec:\llflxrr.exe81⤵PID:1948
-
\??\c:\xxrrfff.exec:\xxrrfff.exe82⤵PID:3228
-
\??\c:\5nttnt.exec:\5nttnt.exe83⤵PID:5076
-
\??\c:\tnbhth.exec:\tnbhth.exe84⤵PID:2176
-
\??\c:\jppjj.exec:\jppjj.exe85⤵PID:2292
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe86⤵PID:2772
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe87⤵PID:452
-
\??\c:\rxlffff.exec:\rxlffff.exe88⤵PID:4140
-
\??\c:\1nnbtb.exec:\1nnbtb.exe89⤵PID:2492
-
\??\c:\nbbtnh.exec:\nbbtnh.exe90⤵PID:636
-
\??\c:\vpppd.exec:\vpppd.exe91⤵PID:264
-
\??\c:\vdvvj.exec:\vdvvj.exe92⤵PID:1984
-
\??\c:\rrflxfl.exec:\rrflxfl.exe93⤵PID:4464
-
\??\c:\hbnthb.exec:\hbnthb.exe94⤵PID:4872
-
\??\c:\ttthnn.exec:\ttthnn.exe95⤵PID:3136
-
\??\c:\jpvpj.exec:\jpvpj.exe96⤵PID:4372
-
\??\c:\ddddp.exec:\ddddp.exe97⤵PID:2160
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe98⤵PID:1288
-
\??\c:\rlxrrll.exec:\rlxrrll.exe99⤵PID:2956
-
\??\c:\htbtnh.exec:\htbtnh.exe100⤵PID:1360
-
\??\c:\9bhtbn.exec:\9bhtbn.exe101⤵PID:2544
-
\??\c:\vdvjv.exec:\vdvjv.exe102⤵PID:2616
-
\??\c:\pdddv.exec:\pdddv.exe103⤵PID:2640
-
\??\c:\xrxlrfr.exec:\xrxlrfr.exe104⤵PID:3252
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe105⤵PID:3148
-
\??\c:\3nttnn.exec:\3nttnn.exe106⤵PID:5112
-
\??\c:\nhbthh.exec:\nhbthh.exe107⤵PID:4200
-
\??\c:\jdvjp.exec:\jdvjp.exe108⤵PID:400
-
\??\c:\jdjjj.exec:\jdjjj.exe109⤵PID:4068
-
\??\c:\frrlxxl.exec:\frrlxxl.exe110⤵PID:3860
-
\??\c:\ttnbnt.exec:\ttnbnt.exe111⤵PID:4572
-
\??\c:\bbbthn.exec:\bbbthn.exe112⤵PID:3440
-
\??\c:\pdvpj.exec:\pdvpj.exe113⤵PID:2012
-
\??\c:\ppjdp.exec:\ppjdp.exe114⤵PID:460
-
\??\c:\3rfxllf.exec:\3rfxllf.exe115⤵PID:828
-
\??\c:\lrrrllf.exec:\lrrrllf.exe116⤵PID:376
-
\??\c:\nbhhbn.exec:\nbhhbn.exe117⤵PID:2096
-
\??\c:\rxrllll.exec:\rxrllll.exe118⤵PID:4456
-
\??\c:\5ttnhh.exec:\5ttnhh.exe119⤵PID:3972
-
\??\c:\1nbbhh.exec:\1nbbhh.exe120⤵PID:1056
-
\??\c:\jjvvv.exec:\jjvvv.exe121⤵PID:4908
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe122⤵PID:1932