Analysis
-
max time kernel
120s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 19:47
Behavioral task
behavioral1
Sample
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
-
Size
343KB
-
MD5
5082415ef661e85e83e37fde8ac6e570
-
SHA1
028e1bae6569ad5c2f655ff5fc00153cc403e3cf
-
SHA256
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536
-
SHA512
0688b46fd9ef72ed0fb2f24bcb9dfa22b558bd6b846565e5e6ccc5fda4a4764c833133f1931655510b73a056e8c428c2961ba91560054bc31d9d95c4a9f6c487
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAc:R4wFHoS3WXZshJX2VGdc
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4268-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3320-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1004-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/940-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4220-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/436-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3712-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2392-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4920-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3780-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/848-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-505-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-636-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-1102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 736 dvjvj.exe 4056 xlxlfrl.exe 3936 ntthbt.exe 1876 pvpjp.exe 4728 xllxrrl.exe 2320 7tnhtn.exe 3108 xrfrxxx.exe 2356 hhbtbb.exe 1540 dvdvp.exe 3676 btbbtt.exe 3320 tbtnbt.exe 4740 xrxllfl.exe 4964 vpvpv.exe 2296 rxxlxlr.exe 3172 vjjdd.exe 1004 1rrflfx.exe 3540 hbnbnb.exe 2020 jvvjd.exe 4828 hhhbnh.exe 3100 vpvjp.exe 1604 jdjvp.exe 1192 xrxlxrf.exe 3416 jpppj.exe 1092 5rrffxf.exe 940 nnthnh.exe 4776 ppjdp.exe 3208 3ffxxxr.exe 4956 nbtnbb.exe 4220 nnntbh.exe 1632 lxlfllr.exe 1032 htbbhn.exe 4528 llfxxxx.exe 2984 hhhnbn.exe 2272 pvvpj.exe 1328 tnttnt.exe 528 nnbttn.exe 4080 dvppj.exe 3632 ffrlxfx.exe 436 htttnn.exe 1876 bbbbbb.exe 3424 jvvpv.exe 1712 rxxxrrr.exe 1780 fxflllr.exe 388 thtnnh.exe 3908 vpdvp.exe 544 xlxlllx.exe 5112 nnnnhh.exe 744 vvvvj.exe 4752 lfxxlrl.exe 3960 frlfxrf.exe 4464 1bbttt.exe 3672 pjjpj.exe 960 9xrlrrx.exe 4088 flrlfff.exe 3088 thnthb.exe 3612 dvdjj.exe 2484 fxxfxfx.exe 5036 lrfxfxx.exe 4884 3hnbnh.exe 3964 ppdvd.exe 4860 lxlllfx.exe 2164 rlrlrxx.exe 3172 bhhbnt.exe 5012 jjppv.exe -
resource yara_rule behavioral2/memory/4268-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b4d-3.dat upx behavioral2/memory/4268-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b58-8.dat upx behavioral2/memory/4056-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/736-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b5c-11.dat upx behavioral2/files/0x0031000000023b5d-18.dat upx behavioral2/memory/3936-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5e-23.dat upx behavioral2/memory/1876-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5f-28.dat upx behavioral2/files/0x000a000000023b60-32.dat upx behavioral2/memory/2320-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b61-37.dat upx behavioral2/memory/3108-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2356-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b63-43.dat upx behavioral2/memory/1540-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b64-48.dat upx behavioral2/memory/3676-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3676-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b65-53.dat upx behavioral2/files/0x000a000000023b66-58.dat upx behavioral2/memory/4740-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3320-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b67-63.dat upx behavioral2/memory/4740-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b68-69.dat upx behavioral2/memory/4964-70-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2296-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b69-75.dat upx behavioral2/files/0x000a000000023b6a-79.dat upx behavioral2/memory/3172-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6b-84.dat upx behavioral2/memory/1004-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b59-89.dat upx behavioral2/memory/3540-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6c-95.dat upx behavioral2/files/0x000a000000023b6d-98.dat upx behavioral2/memory/3100-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6e-104.dat upx behavioral2/files/0x000a000000023b6f-107.dat upx behavioral2/files/0x000a000000023b70-112.dat upx behavioral2/memory/1192-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b71-116.dat upx behavioral2/memory/3416-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-121.dat upx behavioral2/memory/1092-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-127.dat upx behavioral2/memory/940-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b75-131.dat upx behavioral2/memory/3208-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4776-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-137.dat upx behavioral2/memory/4956-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-143.dat upx behavioral2/files/0x000a000000023b78-147.dat upx behavioral2/files/0x000a000000023b79-153.dat upx behavioral2/memory/1632-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4220-149-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b7a-157.dat upx behavioral2/memory/2984-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4080-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhtt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxfrxf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4268 wrote to memory of 736 4268 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 84 PID 4268 wrote to memory of 736 4268 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 84 PID 4268 wrote to memory of 736 4268 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 84 PID 736 wrote to memory of 4056 736 dvjvj.exe 85 PID 736 wrote to memory of 4056 736 dvjvj.exe 85 PID 736 wrote to memory of 4056 736 dvjvj.exe 85 PID 4056 wrote to memory of 3936 4056 xlxlfrl.exe 86 PID 4056 wrote to memory of 3936 4056 xlxlfrl.exe 86 PID 4056 wrote to memory of 3936 4056 xlxlfrl.exe 86 PID 3936 wrote to memory of 1876 3936 ntthbt.exe 87 PID 3936 wrote to memory of 1876 3936 ntthbt.exe 87 PID 3936 wrote to memory of 1876 3936 ntthbt.exe 87 PID 1876 wrote to memory of 4728 1876 pvpjp.exe 88 PID 1876 wrote to memory of 4728 1876 pvpjp.exe 88 PID 1876 wrote to memory of 4728 1876 pvpjp.exe 88 PID 4728 wrote to memory of 2320 4728 xllxrrl.exe 89 PID 4728 wrote to memory of 2320 4728 xllxrrl.exe 89 PID 4728 wrote to memory of 2320 4728 xllxrrl.exe 89 PID 2320 wrote to memory of 3108 2320 7tnhtn.exe 90 PID 2320 wrote to memory of 3108 2320 7tnhtn.exe 90 PID 2320 wrote to memory of 3108 2320 7tnhtn.exe 90 PID 3108 wrote to memory of 2356 3108 xrfrxxx.exe 91 PID 3108 wrote to memory of 2356 3108 xrfrxxx.exe 91 PID 3108 wrote to memory of 2356 3108 xrfrxxx.exe 91 PID 2356 wrote to memory of 1540 2356 hhbtbb.exe 92 PID 2356 wrote to memory of 1540 2356 hhbtbb.exe 92 PID 2356 wrote to memory of 1540 2356 hhbtbb.exe 92 PID 1540 wrote to memory of 3676 1540 dvdvp.exe 93 PID 1540 wrote to memory of 3676 1540 dvdvp.exe 93 PID 1540 wrote to memory of 3676 1540 dvdvp.exe 93 PID 3676 wrote to memory of 3320 3676 btbbtt.exe 94 PID 3676 wrote to memory of 3320 3676 btbbtt.exe 94 PID 3676 wrote to memory of 3320 3676 btbbtt.exe 94 PID 3320 wrote to memory of 4740 3320 tbtnbt.exe 95 PID 3320 wrote to memory 
of 4740 3320 tbtnbt.exe 95 PID 3320 wrote to memory of 4740 3320 tbtnbt.exe 95 PID 4740 wrote to memory of 4964 4740 xrxllfl.exe 97 PID 4740 wrote to memory of 4964 4740 xrxllfl.exe 97 PID 4740 wrote to memory of 4964 4740 xrxllfl.exe 97 PID 4964 wrote to memory of 2296 4964 vpvpv.exe 98 PID 4964 wrote to memory of 2296 4964 vpvpv.exe 98 PID 4964 wrote to memory of 2296 4964 vpvpv.exe 98 PID 2296 wrote to memory of 3172 2296 rxxlxlr.exe 100 PID 2296 wrote to memory of 3172 2296 rxxlxlr.exe 100 PID 2296 wrote to memory of 3172 2296 rxxlxlr.exe 100 PID 3172 wrote to memory of 1004 3172 vjjdd.exe 101 PID 3172 wrote to memory of 1004 3172 vjjdd.exe 101 PID 3172 wrote to memory of 1004 3172 vjjdd.exe 101 PID 1004 wrote to memory of 3540 1004 1rrflfx.exe 102 PID 1004 wrote to memory of 3540 1004 1rrflfx.exe 102 PID 1004 wrote to memory of 3540 1004 1rrflfx.exe 102 PID 3540 wrote to memory of 2020 3540 hbnbnb.exe 104 PID 3540 wrote to memory of 2020 3540 hbnbnb.exe 104 PID 3540 wrote to memory of 2020 3540 hbnbnb.exe 104 PID 2020 wrote to memory of 4828 2020 jvvjd.exe 105 PID 2020 wrote to memory of 4828 2020 jvvjd.exe 105 PID 2020 wrote to memory of 4828 2020 jvvjd.exe 105 PID 4828 wrote to memory of 3100 4828 hhhbnh.exe 106 PID 4828 wrote to memory of 3100 4828 hhhbnh.exe 106 PID 4828 wrote to memory of 3100 4828 hhhbnh.exe 106 PID 3100 wrote to memory of 1604 3100 vpvjp.exe 107 PID 3100 wrote to memory of 1604 3100 vpvjp.exe 107 PID 3100 wrote to memory of 1604 3100 vpvjp.exe 107 PID 1604 wrote to memory of 1192 1604 jdjvp.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\dvjvj.exec:\dvjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\xlxlfrl.exec:\xlxlfrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\ntthbt.exec:\ntthbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\pvpjp.exec:\pvpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\xllxrrl.exec:\xllxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\7tnhtn.exec:\7tnhtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\xrfrxxx.exec:\xrfrxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\hhbtbb.exec:\hhbtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\dvdvp.exec:\dvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\btbbtt.exec:\btbbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\tbtnbt.exec:\tbtnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\xrxllfl.exec:\xrxllfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\vpvpv.exec:\vpvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\rxxlxlr.exec:\rxxlxlr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\vjjdd.exec:\vjjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\1rrflfx.exec:\1rrflfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\hbnbnb.exec:\hbnbnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\jvvjd.exec:\jvvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\hhhbnh.exec:\hhhbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\vpvjp.exec:\vpvjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\jdjvp.exec:\jdjvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\xrxlxrf.exec:\xrxlxrf.exe23⤵
- Executes dropped EXE
PID:1192 -
\??\c:\jpppj.exec:\jpppj.exe24⤵
- Executes dropped EXE
PID:3416 -
\??\c:\5rrffxf.exec:\5rrffxf.exe25⤵
- Executes dropped EXE
PID:1092 -
\??\c:\nnthnh.exec:\nnthnh.exe26⤵
- Executes dropped EXE
PID:940 -
\??\c:\ppjdp.exec:\ppjdp.exe27⤵
- Executes dropped EXE
PID:4776 -
\??\c:\3ffxxxr.exec:\3ffxxxr.exe28⤵
- Executes dropped EXE
PID:3208 -
\??\c:\nbtnbb.exec:\nbtnbb.exe29⤵
- Executes dropped EXE
PID:4956 -
\??\c:\nnntbh.exec:\nnntbh.exe30⤵
- Executes dropped EXE
PID:4220 -
\??\c:\lxlfllr.exec:\lxlfllr.exe31⤵
- Executes dropped EXE
PID:1632 -
\??\c:\htbbhn.exec:\htbbhn.exe32⤵
- Executes dropped EXE
PID:1032 -
\??\c:\llfxxxx.exec:\llfxxxx.exe33⤵
- Executes dropped EXE
PID:4528 -
\??\c:\hhhnbn.exec:\hhhnbn.exe34⤵
- Executes dropped EXE
PID:2984 -
\??\c:\pvvpj.exec:\pvvpj.exe35⤵
- Executes dropped EXE
PID:2272 -
\??\c:\tnttnt.exec:\tnttnt.exe36⤵
- Executes dropped EXE
PID:1328 -
\??\c:\nnbttn.exec:\nnbttn.exe37⤵
- Executes dropped EXE
PID:528 -
\??\c:\dvppj.exec:\dvppj.exe38⤵
- Executes dropped EXE
PID:4080 -
\??\c:\ffrlxfx.exec:\ffrlxfx.exe39⤵
- Executes dropped EXE
PID:3632 -
\??\c:\htttnn.exec:\htttnn.exe40⤵
- Executes dropped EXE
PID:436 -
\??\c:\bbbbbb.exec:\bbbbbb.exe41⤵
- Executes dropped EXE
PID:1876 -
\??\c:\jvvpv.exec:\jvvpv.exe42⤵
- Executes dropped EXE
PID:3424 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe43⤵
- Executes dropped EXE
PID:1712 -
\??\c:\fxflllr.exec:\fxflllr.exe44⤵
- Executes dropped EXE
PID:1780 -
\??\c:\thtnnh.exec:\thtnnh.exe45⤵
- Executes dropped EXE
PID:388 -
\??\c:\vpdvp.exec:\vpdvp.exe46⤵
- Executes dropped EXE
PID:3908 -
\??\c:\xlxlllx.exec:\xlxlllx.exe47⤵
- Executes dropped EXE
PID:544 -
\??\c:\nnnnhh.exec:\nnnnhh.exe48⤵
- Executes dropped EXE
PID:5112 -
\??\c:\vvvvj.exec:\vvvvj.exe49⤵
- Executes dropped EXE
PID:744 -
\??\c:\lfxxlrl.exec:\lfxxlrl.exe50⤵
- Executes dropped EXE
PID:4752 -
\??\c:\frlfxrf.exec:\frlfxrf.exe51⤵
- Executes dropped EXE
PID:3960 -
\??\c:\1bbttt.exec:\1bbttt.exe52⤵
- Executes dropped EXE
PID:4464 -
\??\c:\pjjpj.exec:\pjjpj.exe53⤵
- Executes dropped EXE
PID:3672 -
\??\c:\9xrlrrx.exec:\9xrlrrx.exe54⤵
- Executes dropped EXE
PID:960 -
\??\c:\flrlfff.exec:\flrlfff.exe55⤵
- Executes dropped EXE
PID:4088 -
\??\c:\thnthb.exec:\thnthb.exe56⤵
- Executes dropped EXE
PID:3088 -
\??\c:\dvdjj.exec:\dvdjj.exe57⤵
- Executes dropped EXE
PID:3612 -
\??\c:\fxxfxfx.exec:\fxxfxfx.exe58⤵
- Executes dropped EXE
PID:2484 -
\??\c:\lrfxfxx.exec:\lrfxfxx.exe59⤵
- Executes dropped EXE
PID:5036 -
\??\c:\3hnbnh.exec:\3hnbnh.exe60⤵
- Executes dropped EXE
PID:4884 -
\??\c:\ppdvd.exec:\ppdvd.exe61⤵
- Executes dropped EXE
PID:3964 -
\??\c:\lxlllfx.exec:\lxlllfx.exe62⤵
- Executes dropped EXE
PID:4860 -
\??\c:\rlrlrxx.exec:\rlrlrxx.exe63⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bhhbnt.exec:\bhhbnt.exe64⤵
- Executes dropped EXE
PID:3172 -
\??\c:\jjppv.exec:\jjppv.exe65⤵
- Executes dropped EXE
PID:5012 -
\??\c:\5vdvv.exec:\5vdvv.exe66⤵PID:4576
-
\??\c:\fxxfxrr.exec:\fxxfxrr.exe67⤵PID:4188
-
\??\c:\hhtnbt.exec:\hhtnbt.exe68⤵PID:4920
-
\??\c:\bbtnbb.exec:\bbtnbb.exe69⤵PID:1356
-
\??\c:\jvvpp.exec:\jvvpp.exe70⤵PID:3712
-
\??\c:\ntttnt.exec:\ntttnt.exe71⤵PID:228
-
\??\c:\ddpdd.exec:\ddpdd.exe72⤵PID:1944
-
\??\c:\dvjdv.exec:\dvjdv.exe73⤵PID:3448
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe74⤵PID:2968
-
\??\c:\btntnh.exec:\btntnh.exe75⤵PID:1216
-
\??\c:\hnnnhh.exec:\hnnnhh.exe76⤵PID:2392
-
\??\c:\vpvpj.exec:\vpvpj.exe77⤵PID:1092
-
\??\c:\5rxrrxx.exec:\5rxrrxx.exe78⤵PID:1720
-
\??\c:\hhhhbt.exec:\hhhhbt.exe79⤵PID:5008
-
\??\c:\hthnnt.exec:\hthnnt.exe80⤵PID:1420
-
\??\c:\pjdpj.exec:\pjdpj.exe81⤵PID:2836
-
\??\c:\pdvjj.exec:\pdvjj.exe82⤵PID:1520
-
\??\c:\fflfffx.exec:\fflfffx.exe83⤵PID:3436
-
\??\c:\tbtnnb.exec:\tbtnnb.exe84⤵PID:1220
-
\??\c:\thnhbb.exec:\thnhbb.exe85⤵PID:4480
-
\??\c:\dpppj.exec:\dpppj.exe86⤵PID:1632
-
\??\c:\jpvvv.exec:\jpvvv.exe87⤵PID:4624
-
\??\c:\5rlfxxx.exec:\5rlfxxx.exe88⤵PID:4556
-
\??\c:\xfffflf.exec:\xfffflf.exe89⤵PID:3940
-
\??\c:\7bhbhb.exec:\7bhbhb.exe90⤵PID:2036
-
\??\c:\jjdvp.exec:\jjdvp.exe91⤵PID:3556
-
\??\c:\1ddvv.exec:\1ddvv.exe92⤵PID:3484
-
\??\c:\lrflxlf.exec:\lrflxlf.exe93⤵PID:4040
-
\??\c:\1lxlflf.exec:\1lxlflf.exe94⤵PID:4056
-
\??\c:\7nttnt.exec:\7nttnt.exe95⤵PID:3936
-
\??\c:\dpppj.exec:\dpppj.exe96⤵PID:2372
-
\??\c:\vpvjd.exec:\vpvjd.exe97⤵PID:4536
-
\??\c:\xrlfffx.exec:\xrlfffx.exe98⤵PID:1428
-
\??\c:\rlffllr.exec:\rlffllr.exe99⤵PID:4560
-
\??\c:\tttnhb.exec:\tttnhb.exe100⤵PID:1780
-
\??\c:\3jdvv.exec:\3jdvv.exe101⤵PID:4564
-
\??\c:\ppvvd.exec:\ppvvd.exe102⤵PID:1028
-
\??\c:\xflffff.exec:\xflffff.exe103⤵PID:3132
-
\??\c:\nnbbth.exec:\nnbbth.exe104⤵PID:1900
-
\??\c:\hnntnn.exec:\hnntnn.exe105⤵PID:1172
-
\??\c:\jppjv.exec:\jppjv.exe106⤵PID:4848
-
\??\c:\xrlllff.exec:\xrlllff.exe107⤵PID:2420
-
\??\c:\xflfxxr.exec:\xflfxxr.exe108⤵PID:4740
-
\??\c:\hbbtnh.exec:\hbbtnh.exe109⤵PID:440
-
\??\c:\pjjpj.exec:\pjjpj.exe110⤵PID:3612
-
\??\c:\dvvjv.exec:\dvvjv.exe111⤵PID:2204
-
\??\c:\3lfxrxr.exec:\3lfxrxr.exe112⤵PID:2028
-
\??\c:\pjdvp.exec:\pjdvp.exe113⤵PID:4568
-
\??\c:\rrxxrrl.exec:\rrxxrrl.exe114⤵PID:2920
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe115⤵PID:1608
-
\??\c:\btnnhh.exec:\btnnhh.exe116⤵PID:2648
-
\??\c:\vppjd.exec:\vppjd.exe117⤵PID:3736
-
\??\c:\dvdvd.exec:\dvdvd.exe118⤵PID:3152
-
\??\c:\lrrllrr.exec:\lrrllrr.exe119⤵PID:4920
-
\??\c:\rfxrrxx.exec:\rfxrrxx.exe120⤵PID:3100
-
\??\c:\tthtbt.exec:\tthtbt.exe121⤵PID:2368
-
\??\c:\jpvvp.exec:\jpvvp.exe122⤵PID:3680
-