Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
04/10/2024, 16:47
Behavioral task
behavioral1
Sample
362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91N.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91N.exe
-
Size
91KB
-
MD5
969999502fbf8f8cac0c66568203cfb0
-
SHA1
8f3b34c17fc7e9dbc86a3f21c2c68d1a268a9b23
-
SHA256
362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91
-
SHA512
930ddeaa4ddb32c74c0c4fc63774f6fc530c77a7387f3a160940bbbdda82f0a1a2eac7a53f25b56ecea55a3bc9b9b39e8775215a2e2f8b0459b40e23c95b599d
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8vzVQQ/fF2V8rY9gcxePABa1J+qM/6:chOmTsF93UYfwC6GIout5pi8rY9AABad
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs (every hit below is the same 0x00400000-0x00427000 image region, one per spawned child process, which is consistent with the same unpacked image being re-executed in each child rather than a distinct payload; the list is capped at 64 entries)
resource yara_rule behavioral2/memory/4840-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1472-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2388-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2572-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/768-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2084-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3488-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/876-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-530-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-556-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-570-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-580-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-596-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-624-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1544-685-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2452-761-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-774-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-799-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-903-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-1091-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-1110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/928-1408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64 entries; the process tree below shows many more dropped executables, so treat this list as a sample rather than the full set)
pid Process 4840 bbttbt.exe 736 bthtnh.exe 2932 jdjjp.exe 1700 frrfxrl.exe 2328 xrrfxrl.exe 2320 vpjdp.exe 1472 vdjdp.exe 2696 xlxrfxx.exe 2388 nhhtth.exe 1940 vppjd.exe 2604 dpjjd.exe 3324 xrlllrf.exe 1796 7fffrrf.exe 2776 hhbbhn.exe 4048 jvvvd.exe 2572 lrrlxxr.exe 4616 nbnthh.exe 1292 jdvvv.exe 1936 fxxlxlf.exe 316 tbnhnt.exe 3740 jvddv.exe 4704 5pdpj.exe 1608 rfrfllr.exe 768 bttnhh.exe 3488 pjjdp.exe 1276 jpppd.exe 536 3fxrlfx.exe 4824 nbbtbb.exe 2916 ntntbn.exe 1724 jpvvp.exe 1068 lfrffxx.exe 4112 fxlflfr.exe 3988 nhnhtn.exe 5048 jvvpj.exe 540 ppdvj.exe 1820 rffxlfx.exe 3244 lffffxf.exe 232 tbbbbt.exe 552 btthhh.exe 3340 vpdvp.exe 2084 3xxxrrl.exe 4656 5ffrfxr.exe 4340 nnbbbb.exe 3032 tntnbn.exe 4092 djdpd.exe 2740 dvdvp.exe 1044 lrfxrlf.exe 1116 tbbthh.exe 3564 bnhtnb.exe 3948 pjvvj.exe 532 1pddv.exe 2320 rrxfxxf.exe 4528 hnnhtt.exe 4532 pddvp.exe 4152 3pvjv.exe 4296 xxxrlfx.exe 1940 lxrxrxr.exe 3636 bbtbht.exe 4544 ppdvd.exe 3044 5xxlxfx.exe 2428 rxrrllf.exe 5116 hnhbtb.exe 2924 ntnhtb.exe 1792 pddvp.exe -
resource yara_rule behavioral2/memory/2736-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023473-3.dat upx behavioral2/memory/4840-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000234cf-9.dat upx behavioral2/files/0x00070000000234d3-12.dat upx behavioral2/memory/736-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2932-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d4-20.dat upx behavioral2/files/0x00070000000234d5-25.dat upx behavioral2/memory/1700-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d6-31.dat upx behavioral2/memory/2328-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2320-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d7-38.dat upx behavioral2/files/0x00070000000234d8-42.dat upx behavioral2/memory/1472-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234d9-48.dat upx behavioral2/memory/2696-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234db-54.dat upx behavioral2/memory/2388-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234dc-60.dat upx behavioral2/files/0x00070000000234dd-65.dat upx behavioral2/memory/2604-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234de-71.dat upx behavioral2/memory/3324-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234df-77.dat upx behavioral2/memory/1796-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e0-85.dat upx behavioral2/memory/2776-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4048-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e1-89.dat upx 
behavioral2/memory/2572-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e2-97.dat upx behavioral2/files/0x00070000000234e3-103.dat upx behavioral2/memory/4616-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e4-107.dat upx behavioral2/memory/1292-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e5-113.dat upx behavioral2/memory/1936-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/316-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e6-121.dat upx behavioral2/memory/3740-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e7-127.dat upx behavioral2/files/0x00070000000234e8-132.dat upx behavioral2/files/0x00070000000234e9-136.dat upx behavioral2/memory/1608-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ea-142.dat upx behavioral2/memory/768-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234eb-149.dat upx behavioral2/files/0x00070000000234ec-153.dat upx behavioral2/memory/536-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ed-161.dat upx behavioral2/files/0x00080000000234d0-164.dat upx behavioral2/memory/4824-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ee-170.dat upx behavioral2/memory/2916-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ef-177.dat upx behavioral2/files/0x00070000000234f0-181.dat upx behavioral2/memory/540-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1820-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3244-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/232-208-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/552-212-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2084-216-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (note: each parent writes only to the child it has just spawned, three times per pair, which looks like ordinary process-creation activity rather than injection into an unrelated process; confirm before treating this as injection)
description pid Process procid_target PID 2736 wrote to memory of 4840 2736 362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91N.exe 83 PID 2736 wrote to memory of 4840 2736 362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91N.exe 83 PID 2736 wrote to memory of 4840 2736 362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91N.exe 83 PID 4840 wrote to memory of 736 4840 bbttbt.exe 84 PID 4840 wrote to memory of 736 4840 bbttbt.exe 84 PID 4840 wrote to memory of 736 4840 bbttbt.exe 84 PID 736 wrote to memory of 2932 736 bthtnh.exe 85 PID 736 wrote to memory of 2932 736 bthtnh.exe 85 PID 736 wrote to memory of 2932 736 bthtnh.exe 85 PID 2932 wrote to memory of 1700 2932 jdjjp.exe 86 PID 2932 wrote to memory of 1700 2932 jdjjp.exe 86 PID 2932 wrote to memory of 1700 2932 jdjjp.exe 86 PID 1700 wrote to memory of 2328 1700 frrfxrl.exe 87 PID 1700 wrote to memory of 2328 1700 frrfxrl.exe 87 PID 1700 wrote to memory of 2328 1700 frrfxrl.exe 87 PID 2328 wrote to memory of 2320 2328 xrrfxrl.exe 88 PID 2328 wrote to memory of 2320 2328 xrrfxrl.exe 88 PID 2328 wrote to memory of 2320 2328 xrrfxrl.exe 88 PID 2320 wrote to memory of 1472 2320 vpjdp.exe 89 PID 2320 wrote to memory of 1472 2320 vpjdp.exe 89 PID 2320 wrote to memory of 1472 2320 vpjdp.exe 89 PID 1472 wrote to memory of 2696 1472 vdjdp.exe 90 PID 1472 wrote to memory of 2696 1472 vdjdp.exe 90 PID 1472 wrote to memory of 2696 1472 vdjdp.exe 90 PID 2696 wrote to memory of 2388 2696 xlxrfxx.exe 91 PID 2696 wrote to memory of 2388 2696 xlxrfxx.exe 91 PID 2696 wrote to memory of 2388 2696 xlxrfxx.exe 91 PID 2388 wrote to memory of 1940 2388 nhhtth.exe 92 PID 2388 wrote to memory of 1940 2388 nhhtth.exe 92 PID 2388 wrote to memory of 1940 2388 nhhtth.exe 92 PID 1940 wrote to memory of 2604 1940 vppjd.exe 93 PID 1940 wrote to memory of 2604 1940 vppjd.exe 93 PID 1940 wrote to memory of 2604 1940 vppjd.exe 93 PID 2604 wrote to memory of 3324 2604 dpjjd.exe 94 PID 2604 wrote to memory of 
3324 2604 dpjjd.exe 94 PID 2604 wrote to memory of 3324 2604 dpjjd.exe 94 PID 3324 wrote to memory of 1796 3324 xrlllrf.exe 95 PID 3324 wrote to memory of 1796 3324 xrlllrf.exe 95 PID 3324 wrote to memory of 1796 3324 xrlllrf.exe 95 PID 1796 wrote to memory of 2776 1796 7fffrrf.exe 96 PID 1796 wrote to memory of 2776 1796 7fffrrf.exe 96 PID 1796 wrote to memory of 2776 1796 7fffrrf.exe 96 PID 2776 wrote to memory of 4048 2776 hhbbhn.exe 97 PID 2776 wrote to memory of 4048 2776 hhbbhn.exe 97 PID 2776 wrote to memory of 4048 2776 hhbbhn.exe 97 PID 4048 wrote to memory of 2572 4048 jvvvd.exe 98 PID 4048 wrote to memory of 2572 4048 jvvvd.exe 98 PID 4048 wrote to memory of 2572 4048 jvvvd.exe 98 PID 2572 wrote to memory of 4616 2572 lrrlxxr.exe 99 PID 2572 wrote to memory of 4616 2572 lrrlxxr.exe 99 PID 2572 wrote to memory of 4616 2572 lrrlxxr.exe 99 PID 4616 wrote to memory of 1292 4616 nbnthh.exe 100 PID 4616 wrote to memory of 1292 4616 nbnthh.exe 100 PID 4616 wrote to memory of 1292 4616 nbnthh.exe 100 PID 1292 wrote to memory of 1936 1292 jdvvv.exe 101 PID 1292 wrote to memory of 1936 1292 jdvvv.exe 101 PID 1292 wrote to memory of 1936 1292 jdvvv.exe 101 PID 1936 wrote to memory of 316 1936 fxxlxlf.exe 102 PID 1936 wrote to memory of 316 1936 fxxlxlf.exe 102 PID 1936 wrote to memory of 316 1936 fxxlxlf.exe 102 PID 316 wrote to memory of 3740 316 tbnhnt.exe 103 PID 316 wrote to memory of 3740 316 tbnhnt.exe 103 PID 316 wrote to memory of 3740 316 tbnhnt.exe 103 PID 3740 wrote to memory of 4704 3740 jvddv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91N.exe"C:\Users\Admin\AppData\Local\Temp\362737eecd2b9b93555b7b521ef77b49400b7f0804dd1666be1ff49991b2cf91N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\bbttbt.exec:\bbttbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\bthtnh.exec:\bthtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\jdjjp.exec:\jdjjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\frrfxrl.exec:\frrfxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\vpjdp.exec:\vpjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\vdjdp.exec:\vdjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\xlxrfxx.exec:\xlxrfxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\nhhtth.exec:\nhhtth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\vppjd.exec:\vppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\dpjjd.exec:\dpjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\xrlllrf.exec:\xrlllrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\7fffrrf.exec:\7fffrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\hhbbhn.exec:\hhbbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\jvvvd.exec:\jvvvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\nbnthh.exec:\nbnthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\jdvvv.exec:\jdvvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\fxxlxlf.exec:\fxxlxlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\tbnhnt.exec:\tbnhnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\jvddv.exec:\jvddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\5pdpj.exec:\5pdpj.exe23⤵
- Executes dropped EXE
PID:4704 -
\??\c:\rfrfllr.exec:\rfrfllr.exe24⤵
- Executes dropped EXE
PID:1608 -
\??\c:\bttnhh.exec:\bttnhh.exe25⤵
- Executes dropped EXE
PID:768 -
\??\c:\pjjdp.exec:\pjjdp.exe26⤵
- Executes dropped EXE
PID:3488 -
\??\c:\jpppd.exec:\jpppd.exe27⤵
- Executes dropped EXE
PID:1276 -
\??\c:\3fxrlfx.exec:\3fxrlfx.exe28⤵
- Executes dropped EXE
PID:536 -
\??\c:\nbbtbb.exec:\nbbtbb.exe29⤵
- Executes dropped EXE
PID:4824 -
\??\c:\ntntbn.exec:\ntntbn.exe30⤵
- Executes dropped EXE
PID:2916 -
\??\c:\jpvvp.exec:\jpvvp.exe31⤵
- Executes dropped EXE
PID:1724 -
\??\c:\lfrffxx.exec:\lfrffxx.exe32⤵
- Executes dropped EXE
PID:1068 -
\??\c:\fxlflfr.exec:\fxlflfr.exe33⤵
- Executes dropped EXE
PID:4112 -
\??\c:\nhnhtn.exec:\nhnhtn.exe34⤵
- Executes dropped EXE
PID:3988 -
\??\c:\jvvpj.exec:\jvvpj.exe35⤵
- Executes dropped EXE
PID:5048 -
\??\c:\ppdvj.exec:\ppdvj.exe36⤵
- Executes dropped EXE
PID:540 -
\??\c:\rffxlfx.exec:\rffxlfx.exe37⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lffffxf.exec:\lffffxf.exe38⤵
- Executes dropped EXE
PID:3244 -
\??\c:\tbbbbt.exec:\tbbbbt.exe39⤵
- Executes dropped EXE
PID:232 -
\??\c:\btthhh.exec:\btthhh.exe40⤵
- Executes dropped EXE
PID:552 -
\??\c:\vpdvp.exec:\vpdvp.exe41⤵
- Executes dropped EXE
PID:3340 -
\??\c:\3xxxrrl.exec:\3xxxrrl.exe42⤵
- Executes dropped EXE
PID:2084 -
\??\c:\5ffrfxr.exec:\5ffrfxr.exe43⤵
- Executes dropped EXE
PID:4656 -
\??\c:\nnbbbb.exec:\nnbbbb.exe44⤵
- Executes dropped EXE
PID:4340 -
\??\c:\tntnbn.exec:\tntnbn.exe45⤵
- Executes dropped EXE
PID:3032 -
\??\c:\djdpd.exec:\djdpd.exe46⤵
- Executes dropped EXE
PID:4092 -
\??\c:\dvdvp.exec:\dvdvp.exe47⤵
- Executes dropped EXE
PID:2740 -
\??\c:\lrfxrlf.exec:\lrfxrlf.exe48⤵
- Executes dropped EXE
PID:1044 -
\??\c:\tbbthh.exec:\tbbthh.exe49⤵
- Executes dropped EXE
PID:1116 -
\??\c:\bnhtnb.exec:\bnhtnb.exe50⤵
- Executes dropped EXE
PID:3564 -
\??\c:\pjvvj.exec:\pjvvj.exe51⤵
- Executes dropped EXE
PID:3948 -
\??\c:\1pddv.exec:\1pddv.exe52⤵
- Executes dropped EXE
PID:532 -
\??\c:\rrxfxxf.exec:\rrxfxxf.exe53⤵
- Executes dropped EXE
PID:2320 -
\??\c:\hnnhtt.exec:\hnnhtt.exe54⤵
- Executes dropped EXE
PID:4528 -
\??\c:\pddvp.exec:\pddvp.exe55⤵
- Executes dropped EXE
PID:4532 -
\??\c:\3pvjv.exec:\3pvjv.exe56⤵
- Executes dropped EXE
PID:4152 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe57⤵
- Executes dropped EXE
PID:4296 -
\??\c:\lxrxrxr.exec:\lxrxrxr.exe58⤵
- Executes dropped EXE
PID:1940 -
\??\c:\bbtbht.exec:\bbtbht.exe59⤵
- Executes dropped EXE
PID:3636 -
\??\c:\ppdvd.exec:\ppdvd.exe60⤵
- Executes dropped EXE
PID:4544 -
\??\c:\5xxlxfx.exec:\5xxlxfx.exe61⤵
- Executes dropped EXE
PID:3044 -
\??\c:\rxrrllf.exec:\rxrrllf.exe62⤵
- Executes dropped EXE
PID:2428 -
\??\c:\hnhbtb.exec:\hnhbtb.exe63⤵
- Executes dropped EXE
PID:5116 -
\??\c:\ntnhtb.exec:\ntnhtb.exe64⤵
- Executes dropped EXE
PID:2924 -
\??\c:\pddvp.exec:\pddvp.exe65⤵
- Executes dropped EXE
PID:1792 -
\??\c:\9pvjv.exec:\9pvjv.exe66⤵PID:1760
-
\??\c:\xffxxrl.exec:\xffxxrl.exe67⤵PID:3956
-
\??\c:\fxfxxlr.exec:\fxfxxlr.exe68⤵PID:4684
-
\??\c:\xrrlrlx.exec:\xrrlrlx.exe69⤵PID:1980
-
\??\c:\bhhbhb.exec:\bhhbhb.exe70⤵PID:2492
-
\??\c:\5vdvj.exec:\5vdvj.exe71⤵PID:4688
-
\??\c:\llrlrrx.exec:\llrlrrx.exe72⤵PID:3976
-
\??\c:\lffxrxr.exec:\lffxrxr.exe73⤵PID:864
-
\??\c:\hhnbtt.exec:\hhnbtt.exe74⤵PID:116
-
\??\c:\nbbbbn.exec:\nbbbbn.exe75⤵PID:4064
-
\??\c:\vpjjv.exec:\vpjjv.exe76⤵PID:3036
-
\??\c:\fxlfrrl.exec:\fxlfrrl.exe77⤵PID:888
-
\??\c:\llrxxrx.exec:\llrxxrx.exe78⤵PID:768
-
\??\c:\bnnhth.exec:\bnnhth.exe79⤵PID:4820
-
\??\c:\bbbhnn.exec:\bbbhnn.exe80⤵PID:3488
-
\??\c:\3tthnh.exec:\3tthnh.exe81⤵PID:1276
-
\??\c:\1djjd.exec:\1djjd.exe82⤵PID:3184
-
\??\c:\ppdpj.exec:\ppdpj.exe83⤵PID:2992
-
\??\c:\flrxxfl.exec:\flrxxfl.exe84⤵PID:1704
-
\??\c:\7ttnnh.exec:\7ttnnh.exe85⤵PID:3828
-
\??\c:\frxrxxx.exec:\frxrxxx.exe86⤵PID:348
-
\??\c:\tbhhbh.exec:\tbhhbh.exe87⤵PID:2044
-
\??\c:\dpppj.exec:\dpppj.exe88⤵PID:928
-
\??\c:\vdpdp.exec:\vdpdp.exe89⤵PID:4116
-
\??\c:\llxlflf.exec:\llxlflf.exe90⤵PID:5036
-
\??\c:\xxllfxl.exec:\xxllfxl.exe91⤵PID:3532
-
\??\c:\hhhbtn.exec:\hhhbtn.exe92⤵PID:4476
-
\??\c:\hbnbnh.exec:\hbnbnh.exe93⤵PID:3276
-
\??\c:\jdvpd.exec:\jdvpd.exe94⤵PID:3244
-
\??\c:\7dvpj.exec:\7dvpj.exe95⤵PID:232
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe96⤵PID:876
-
\??\c:\5tbbtt.exec:\5tbbtt.exe97⤵PID:1972
-
\??\c:\hbbbnn.exec:\hbbbnn.exe98⤵PID:2608
-
\??\c:\ddvdd.exec:\ddvdd.exe99⤵
- System Location Discovery: System Language Discovery
PID:2560 -
\??\c:\jdjdd.exec:\jdjdd.exe100⤵PID:4328
-
\??\c:\xrllrrf.exec:\xrllrrf.exe101⤵PID:3996
-
\??\c:\xfflrfr.exec:\xfflrfr.exe102⤵PID:4840
-
\??\c:\nnhbtn.exec:\nnhbtn.exe103⤵PID:2988
-
\??\c:\btbtnn.exec:\btbtnn.exe104⤵PID:1372
-
\??\c:\pdjjd.exec:\pdjjd.exe105⤵PID:5096
-
\??\c:\djvvv.exec:\djvvv.exe106⤵PID:5032
-
\??\c:\5frlffx.exec:\5frlffx.exe107⤵PID:2356
-
\??\c:\rfllfxr.exec:\rfllfxr.exe108⤵PID:3364
-
\??\c:\hnbbbn.exec:\hnbbbn.exe109⤵PID:756
-
\??\c:\bnbbnn.exec:\bnbbnn.exe110⤵PID:1908
-
\??\c:\pvjdv.exec:\pvjdv.exe111⤵PID:1452
-
\??\c:\1vvjd.exec:\1vvjd.exe112⤵PID:3256
-
\??\c:\flrlfff.exec:\flrlfff.exe113⤵PID:5088
-
\??\c:\ffflxlf.exec:\ffflxlf.exe114⤵PID:2320
-
\??\c:\httntt.exec:\httntt.exe115⤵PID:3004
-
\??\c:\9djdv.exec:\9djdv.exe116⤵PID:4532
-
\??\c:\ddvpd.exec:\ddvpd.exe117⤵PID:3732
-
\??\c:\llxrllf.exec:\llxrllf.exe118⤵PID:3528
-
\??\c:\rflrxlx.exec:\rflrxlx.exe119⤵PID:1240
-
\??\c:\nttntb.exec:\nttntb.exe120⤵PID:368
-
\??\c:\htthbt.exec:\htthbt.exe121⤵PID:4180
-
\??\c:\vpdvj.exec:\vpdvj.exe122⤵PID:2632