Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 19:49
Behavioral task
behavioral1
Sample
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
Resource
win7-20240729-en
6 signatures
150 seconds
General
-
Target
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
-
Size
343KB
-
MD5
5082415ef661e85e83e37fde8ac6e570
-
SHA1
028e1bae6569ad5c2f655ff5fc00153cc403e3cf
-
SHA256
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536
-
SHA512
0688b46fd9ef72ed0fb2f24bcb9dfa22b558bd6b846565e5e6ccc5fda4a4764c833133f1931655510b73a056e8c428c2961ba91560054bc31d9d95c4a9f6c487
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAc:R4wFHoS3WXZshJX2VGdc
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4164-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2728-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2072-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1412-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1696-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3320-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4632-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2100-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2256-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2728-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-510-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3156-519-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-666-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-929-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3336-948-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4860 xflxrlf.exe 760 5xfxxrr.exe 2728 vjvjd.exe 3580 jdvjv.exe 2072 5xllrfr.exe 3576 nhbthb.exe 2376 nhnhhb.exe 4444 xffrlfr.exe 2676 3hnhbt.exe 1764 nbbtnn.exe 2832 flxlxlx.exe 952 thbtbt.exe 1432 rxlrflf.exe 5068 ffxrfxl.exe 2920 xrfxlxr.exe 4840 xxllxxl.exe 3184 jdvjv.exe 2596 5tbtnn.exe 368 jdjvp.exe 1916 djjdj.exe 2836 lxlrlxx.exe 3652 tnhthb.exe 792 vddpd.exe 836 ppvjv.exe 5116 1lxrfrf.exe 4880 tttnbt.exe 4140 pvdvj.exe 3200 jdpdj.exe 1412 lxxlxrf.exe 1272 hnhthb.exe 516 htbtnh.exe 1372 ppdvd.exe 1696 jppjv.exe 1492 lxlfxrl.exe 916 htthbh.exe 3784 pvvjd.exe 1720 lxfxllf.exe 1508 vvdvj.exe 5092 jppdp.exe 4548 fxxlxrl.exe 5004 3nbnnb.exe 1368 7tthbt.exe 4656 jvpdj.exe 3320 5xfxllx.exe 4728 xfxrfxl.exe 3836 nbbnbh.exe 3240 hthhht.exe 4476 jppdp.exe 4940 fxfrfrr.exe 4900 ththth.exe 2512 tntnbt.exe 1396 vjjvp.exe 2100 xllxrlx.exe 2804 thhtbt.exe 4664 vpjdp.exe 3600 jvvjp.exe 1340 rffxlfr.exe 2828 hbthtn.exe 1988 vpjvd.exe 1936 pjdpv.exe 4572 5llflxr.exe 3420 xxfxlfl.exe 3152 9bbnhb.exe 3084 pdjdj.exe -
resource yara_rule behavioral2/memory/4164-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bac-3.dat upx behavioral2/memory/4164-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c84-8.dat upx behavioral2/memory/760-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4860-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-14.dat upx behavioral2/memory/2728-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-19.dat upx behavioral2/files/0x0007000000023c8c-24.dat upx behavioral2/memory/2072-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-28.dat upx behavioral2/memory/3576-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2072-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-35.dat upx behavioral2/files/0x0007000000023c90-38.dat upx behavioral2/memory/2376-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-44.dat upx behavioral2/memory/4444-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-48.dat upx behavioral2/memory/2676-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-53.dat upx behavioral2/files/0x0007000000023c94-57.dat upx behavioral2/files/0x0007000000023c95-61.dat upx behavioral2/memory/1432-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/952-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-67.dat upx behavioral2/files/0x0007000000023c97-71.dat upx behavioral2/files/0x0007000000023c98-76.dat upx behavioral2/memory/4840-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2920-77-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c8b-81.dat upx behavioral2/memory/4840-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c87-87.dat upx behavioral2/files/0x0007000000023c9a-91.dat upx behavioral2/memory/2596-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-96.dat upx behavioral2/memory/368-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-101.dat upx behavioral2/files/0x0007000000023c9d-106.dat upx behavioral2/memory/2836-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3652-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-110.dat upx behavioral2/files/0x0007000000023c9f-116.dat upx behavioral2/files/0x0007000000023ca0-119.dat upx behavioral2/files/0x0007000000023ca1-124.dat upx behavioral2/files/0x0007000000023ca2-129.dat upx behavioral2/memory/4140-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3200-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1412-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1696-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1372-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-153.dat upx behavioral2/files/0x0007000000023ca6-149.dat upx behavioral2/memory/1272-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-144.dat upx behavioral2/files/0x0007000000023ca4-139.dat upx behavioral2/files/0x0007000000023ca3-134.dat upx behavioral2/memory/5116-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5092-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5004-177-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1368-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3320-185-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlfxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xllrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4164 wrote to memory of 4860 4164 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 84 PID 4164 wrote to memory of 4860 4164 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 84 PID 4164 wrote to memory of 4860 4164 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 84 PID 4860 wrote to memory of 760 4860 xflxrlf.exe 85 PID 4860 wrote to memory of 760 4860 xflxrlf.exe 85 PID 4860 wrote to memory of 760 4860 xflxrlf.exe 85 PID 760 wrote to memory of 2728 760 5xfxxrr.exe 86 PID 760 wrote to memory of 2728 760 5xfxxrr.exe 86 PID 760 wrote to memory of 2728 760 5xfxxrr.exe 86 PID 2728 wrote to memory of 3580 2728 vjvjd.exe 87 PID 2728 wrote to memory of 3580 2728 vjvjd.exe 87 PID 2728 wrote to memory of 3580 2728 vjvjd.exe 87 PID 3580 wrote to memory of 2072 3580 jdvjv.exe 88 PID 3580 wrote to memory of 2072 3580 jdvjv.exe 88 PID 3580 wrote to memory of 2072 3580 jdvjv.exe 88 PID 2072 wrote to memory of 3576 2072 5xllrfr.exe 89 PID 2072 wrote to memory of 3576 2072 5xllrfr.exe 89 PID 2072 wrote to memory of 3576 2072 5xllrfr.exe 89 PID 3576 wrote to memory of 2376 3576 nhbthb.exe 90 PID 3576 wrote to memory of 2376 3576 nhbthb.exe 90 PID 3576 wrote to memory of 2376 3576 nhbthb.exe 90 PID 2376 wrote to memory of 4444 2376 nhnhhb.exe 91 PID 2376 wrote to memory of 4444 2376 nhnhhb.exe 91 PID 2376 wrote to memory of 4444 2376 nhnhhb.exe 91 PID 4444 wrote to memory of 2676 4444 xffrlfr.exe 92 PID 4444 wrote to memory of 2676 4444 xffrlfr.exe 92 PID 4444 wrote to memory of 2676 4444 xffrlfr.exe 92 PID 2676 wrote to memory of 1764 2676 3hnhbt.exe 93 PID 2676 wrote to memory of 1764 2676 3hnhbt.exe 93 PID 2676 wrote to memory of 1764 2676 3hnhbt.exe 93 PID 1764 wrote to memory of 2832 1764 nbbtnn.exe 94 PID 1764 wrote to memory of 2832 1764 nbbtnn.exe 94 PID 1764 wrote to memory of 2832 1764 nbbtnn.exe 94 PID 2832 wrote to memory of 952 2832 flxlxlx.exe 95 PID 2832 wrote to 
memory of 952 2832 flxlxlx.exe 95 PID 2832 wrote to memory of 952 2832 flxlxlx.exe 95 PID 952 wrote to memory of 1432 952 thbtbt.exe 96 PID 952 wrote to memory of 1432 952 thbtbt.exe 96 PID 952 wrote to memory of 1432 952 thbtbt.exe 96 PID 1432 wrote to memory of 5068 1432 rxlrflf.exe 97 PID 1432 wrote to memory of 5068 1432 rxlrflf.exe 97 PID 1432 wrote to memory of 5068 1432 rxlrflf.exe 97 PID 5068 wrote to memory of 2920 5068 ffxrfxl.exe 98 PID 5068 wrote to memory of 2920 5068 ffxrfxl.exe 98 PID 5068 wrote to memory of 2920 5068 ffxrfxl.exe 98 PID 2920 wrote to memory of 4840 2920 xrfxlxr.exe 99 PID 2920 wrote to memory of 4840 2920 xrfxlxr.exe 99 PID 2920 wrote to memory of 4840 2920 xrfxlxr.exe 99 PID 4840 wrote to memory of 3184 4840 xxllxxl.exe 101 PID 4840 wrote to memory of 3184 4840 xxllxxl.exe 101 PID 4840 wrote to memory of 3184 4840 xxllxxl.exe 101 PID 3184 wrote to memory of 2596 3184 jdvjv.exe 103 PID 3184 wrote to memory of 2596 3184 jdvjv.exe 103 PID 3184 wrote to memory of 2596 3184 jdvjv.exe 103 PID 2596 wrote to memory of 368 2596 5tbtnn.exe 104 PID 2596 wrote to memory of 368 2596 5tbtnn.exe 104 PID 2596 wrote to memory of 368 2596 5tbtnn.exe 104 PID 368 wrote to memory of 1916 368 jdjvp.exe 105 PID 368 wrote to memory of 1916 368 jdjvp.exe 105 PID 368 wrote to memory of 1916 368 jdjvp.exe 105 PID 1916 wrote to memory of 2836 1916 djjdj.exe 106 PID 1916 wrote to memory of 2836 1916 djjdj.exe 106 PID 1916 wrote to memory of 2836 1916 djjdj.exe 106 PID 2836 wrote to memory of 3652 2836 lxlrlxx.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\xflxrlf.exec:\xflxrlf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\5xfxxrr.exec:\5xfxxrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\vjvjd.exec:\vjvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\jdvjv.exec:\jdvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\5xllrfr.exec:\5xllrfr.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\nhbthb.exec:\nhbthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\nhnhhb.exec:\nhnhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\xffrlfr.exec:\xffrlfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\3hnhbt.exec:\3hnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\nbbtnn.exec:\nbbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\flxlxlx.exec:\flxlxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\thbtbt.exec:\thbtbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\rxlrflf.exec:\rxlrflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\ffxrfxl.exec:\ffxrfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\xrfxlxr.exec:\xrfxlxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\xxllxxl.exec:\xxllxxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\jdvjv.exec:\jdvjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\5tbtnn.exec:\5tbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\jdjvp.exec:\jdjvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\djjdj.exec:\djjdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\lxlrlxx.exec:\lxlrlxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\tnhthb.exec:\tnhthb.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3652 -
\??\c:\vddpd.exec:\vddpd.exe24⤵
- Executes dropped EXE
PID:792 -
\??\c:\ppvjv.exec:\ppvjv.exe25⤵
- Executes dropped EXE
PID:836 -
\??\c:\1lxrfrf.exec:\1lxrfrf.exe26⤵
- Executes dropped EXE
PID:5116 -
\??\c:\tttnbt.exec:\tttnbt.exe27⤵
- Executes dropped EXE
PID:4880 -
\??\c:\pvdvj.exec:\pvdvj.exe28⤵
- Executes dropped EXE
PID:4140 -
\??\c:\jdpdj.exec:\jdpdj.exe29⤵
- Executes dropped EXE
PID:3200 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe30⤵
- Executes dropped EXE
PID:1412 -
\??\c:\hnhthb.exec:\hnhthb.exe31⤵
- Executes dropped EXE
PID:1272 -
\??\c:\htbtnh.exec:\htbtnh.exe32⤵
- Executes dropped EXE
PID:516 -
\??\c:\ppdvd.exec:\ppdvd.exe33⤵
- Executes dropped EXE
PID:1372 -
\??\c:\jppjv.exec:\jppjv.exe34⤵
- Executes dropped EXE
PID:1696 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe35⤵
- Executes dropped EXE
PID:1492 -
\??\c:\htthbh.exec:\htthbh.exe36⤵
- Executes dropped EXE
PID:916 -
\??\c:\pvvjd.exec:\pvvjd.exe37⤵
- Executes dropped EXE
PID:3784 -
\??\c:\lxfxllf.exec:\lxfxllf.exe38⤵
- Executes dropped EXE
PID:1720 -
\??\c:\vvdvj.exec:\vvdvj.exe39⤵
- Executes dropped EXE
PID:1508 -
\??\c:\jppdp.exec:\jppdp.exe40⤵
- Executes dropped EXE
PID:5092 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe41⤵
- Executes dropped EXE
PID:4548 -
\??\c:\3nbnnb.exec:\3nbnnb.exe42⤵
- Executes dropped EXE
PID:5004 -
\??\c:\7tthbt.exec:\7tthbt.exe43⤵
- Executes dropped EXE
PID:1368 -
\??\c:\jvpdj.exec:\jvpdj.exe44⤵
- Executes dropped EXE
PID:4656 -
\??\c:\5xfxllx.exec:\5xfxllx.exe45⤵
- Executes dropped EXE
PID:3320 -
\??\c:\xfxrfxl.exec:\xfxrfxl.exe46⤵
- Executes dropped EXE
PID:4728 -
\??\c:\nbbnbh.exec:\nbbnbh.exe47⤵
- Executes dropped EXE
PID:3836 -
\??\c:\hthhht.exec:\hthhht.exe48⤵
- Executes dropped EXE
PID:3240 -
\??\c:\jppdp.exec:\jppdp.exe49⤵
- Executes dropped EXE
PID:4476 -
\??\c:\fxfrfrr.exec:\fxfrfrr.exe50⤵
- Executes dropped EXE
PID:4940 -
\??\c:\ththth.exec:\ththth.exe51⤵
- Executes dropped EXE
PID:4900 -
\??\c:\tntnbt.exec:\tntnbt.exe52⤵
- Executes dropped EXE
PID:2512 -
\??\c:\vjjvp.exec:\vjjvp.exe53⤵
- Executes dropped EXE
PID:1396 -
\??\c:\xllxrlx.exec:\xllxrlx.exe54⤵
- Executes dropped EXE
PID:2100 -
\??\c:\thhtbt.exec:\thhtbt.exe55⤵
- Executes dropped EXE
PID:2804 -
\??\c:\vpjdp.exec:\vpjdp.exe56⤵
- Executes dropped EXE
PID:4664 -
\??\c:\jvvjp.exec:\jvvjp.exe57⤵
- Executes dropped EXE
PID:3600 -
\??\c:\rffxlfr.exec:\rffxlfr.exe58⤵
- Executes dropped EXE
PID:1340 -
\??\c:\hbthtn.exec:\hbthtn.exe59⤵
- Executes dropped EXE
PID:2828 -
\??\c:\vpjvd.exec:\vpjvd.exe60⤵
- Executes dropped EXE
PID:1988 -
\??\c:\pjdpv.exec:\pjdpv.exe61⤵
- Executes dropped EXE
PID:1936 -
\??\c:\5llflxr.exec:\5llflxr.exe62⤵
- Executes dropped EXE
PID:4572 -
\??\c:\xxfxlfl.exec:\xxfxlfl.exe63⤵
- Executes dropped EXE
PID:3420 -
\??\c:\9bbnhb.exec:\9bbnhb.exe64⤵
- Executes dropped EXE
PID:3152 -
\??\c:\pdjdj.exec:\pdjdj.exe65⤵
- Executes dropped EXE
PID:3084 -
\??\c:\vdjvp.exec:\vdjvp.exe66⤵PID:952
-
\??\c:\7xrfrlx.exec:\7xrfrlx.exe67⤵PID:2256
-
\??\c:\nhnhhb.exec:\nhnhhb.exe68⤵PID:5044
-
\??\c:\jdvjd.exec:\jdvjd.exe69⤵PID:968
-
\??\c:\vjdpv.exec:\vjdpv.exe70⤵PID:4932
-
\??\c:\rfrfxrr.exec:\rfrfxrr.exe71⤵PID:1528
-
\??\c:\hbhthh.exec:\hbhthh.exe72⤵PID:1460
-
\??\c:\5hhnbb.exec:\5hhnbb.exe73⤵PID:4688
-
\??\c:\pvvjv.exec:\pvvjv.exe74⤵PID:640
-
\??\c:\pjpvj.exec:\pjpvj.exe75⤵PID:808
-
\??\c:\xxxrxfr.exec:\xxxrxfr.exe76⤵PID:3428
-
\??\c:\htnthn.exec:\htnthn.exe77⤵PID:3628
-
\??\c:\dpdpj.exec:\dpdpj.exe78⤵PID:1744
-
\??\c:\vjjvd.exec:\vjjvd.exe79⤵PID:4124
-
\??\c:\rxxlffx.exec:\rxxlffx.exe80⤵PID:2696
-
\??\c:\fxrrlfx.exec:\fxrrlfx.exe81⤵PID:4832
-
\??\c:\htthth.exec:\htthth.exe82⤵PID:4428
-
\??\c:\jjpvp.exec:\jjpvp.exe83⤵PID:532
-
\??\c:\pvppd.exec:\pvppd.exe84⤵PID:212
-
\??\c:\3fxlxrf.exec:\3fxlxrf.exe85⤵PID:2148
-
\??\c:\nntnbt.exec:\nntnbt.exe86⤵PID:4944
-
\??\c:\nhhhbh.exec:\nhhhbh.exe87⤵PID:2372
-
\??\c:\jjjdv.exec:\jjjdv.exe88⤵PID:440
-
\??\c:\xlxrfxr.exec:\xlxrfxr.exe89⤵PID:4632
-
\??\c:\btnbnh.exec:\btnbnh.exe90⤵PID:516
-
\??\c:\bnhbnh.exec:\bnhbnh.exe91⤵PID:3668
-
\??\c:\vpppd.exec:\vpppd.exe92⤵PID:4892
-
\??\c:\1pjjv.exec:\1pjjv.exe93⤵PID:4808
-
\??\c:\xxxrlfr.exec:\xxxrlfr.exe94⤵PID:2964
-
\??\c:\nnnnhh.exec:\nnnnhh.exe95⤵PID:4712
-
\??\c:\3bnhnh.exec:\3bnhnh.exe96⤵PID:2808
-
\??\c:\1dvpj.exec:\1dvpj.exe97⤵PID:4300
-
\??\c:\jpjdp.exec:\jpjdp.exe98⤵PID:4320
-
\??\c:\flxflxf.exec:\flxflxf.exe99⤵PID:1236
-
\??\c:\tbhthb.exec:\tbhthb.exe100⤵PID:5096
-
\??\c:\pdjvp.exec:\pdjvp.exe101⤵PID:2164
-
\??\c:\pjdpd.exec:\pjdpd.exe102⤵PID:3052
-
\??\c:\fxlxrrl.exec:\fxlxrrl.exe103⤵PID:3412
-
\??\c:\xrllflf.exec:\xrllflf.exe104⤵PID:2092
-
\??\c:\hbhbtt.exec:\hbhbtt.exe105⤵PID:456
-
\??\c:\ffffxrf.exec:\ffffxrf.exe106⤵PID:3096
-
\??\c:\thnnhh.exec:\thnnhh.exe107⤵PID:3900
-
\??\c:\vppjd.exec:\vppjd.exe108⤵PID:4896
-
\??\c:\ddjdp.exec:\ddjdp.exe109⤵PID:3620
-
\??\c:\fxlfffx.exec:\fxlfffx.exe110⤵PID:2656
-
\??\c:\nbhbtn.exec:\nbhbtn.exe111⤵PID:4900
-
\??\c:\nnnhbn.exec:\nnnhbn.exe112⤵PID:2912
-
\??\c:\pvpjp.exec:\pvpjp.exe113⤵PID:2360
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe114⤵PID:2100
-
\??\c:\lxlfrlf.exec:\lxlfrlf.exe115⤵PID:384
-
\??\c:\jvvjv.exec:\jvvjv.exe116⤵PID:2252
-
\??\c:\pjjvj.exec:\pjjvj.exe117⤵PID:3600
-
\??\c:\frxrlll.exec:\frxrlll.exe118⤵PID:1340
-
\??\c:\nnbnhb.exec:\nnbnhb.exe119⤵PID:1052
-
\??\c:\7nbtbb.exec:\7nbtbb.exe120⤵PID:3804
-
\??\c:\pvvjd.exec:\pvvjd.exe121⤵
- System Location Discovery: System Language Discovery
PID:2332 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe122⤵PID:4572