Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
05-11-2024 01:11
Behavioral task
behavioral1
Sample
92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe
Resource
win7-20241010-en
9 signatures
150 seconds
General
-
Target
92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe
-
Size
3.7MB
-
MD5
e0eff6d0a82d2c91cf69f8a93ea44fc7
-
SHA1
3d11aaae04000028fca1c554871e92013fc28049
-
SHA256
92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb
-
SHA512
d7505b7cd77fd559965cf78fc313e1433698087dc7231a3c983508efbdd028871b5df7bef22b3efe4d204a40b586f9f639d0cbcaee38997e332bb37bbf13ff00
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98l:U6XLq/qPPslzKx/dJg1ErmNc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5040-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1652-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4500-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4388-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1136-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3396-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5060-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3572-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/828-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-539-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-558-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2900-587-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-714-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-812-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-828-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-1000-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-1152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-1183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-1556-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-1605-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3644 3nnhbb.exe 3048 vpppj.exe 4928 bnhbtt.exe 2936 jddvv.exe 2544 ppvpp.exe 3468 lxffxrl.exe 1316 vpjjd.exe 2272 vpddv.exe 680 ddppp.exe 5072 3lxxxff.exe 1132 llfxxfx.exe 3300 9tbnhh.exe 2788 hbbbtt.exe 1448 fxfxxlf.exe 1608 hbtnhn.exe 1672 thhbhn.exe 4968 jvpjp.exe 552 frrrrrr.exe 2040 fxffffx.exe 968 nnttbh.exe 3252 flrrxxf.exe 3540 lrlflrl.exe 1652 lrllflf.exe 4404 lxfxrxr.exe 4500 tthhhn.exe 4892 9ttnnt.exe 1848 vdpjd.exe 2556 jddvv.exe 3332 5lrrrxx.exe 2960 nhbbbh.exe 544 hbbtbb.exe 4024 djddd.exe 3400 rxllrxx.exe 2656 dpvvv.exe 3408 pdpjj.exe 3164 ddjjv.exe 1788 jvjjv.exe 3228 pdvdj.exe 4912 jdvdv.exe 3300 ppvvp.exe 1880 jjpdd.exe 4400 nhbttt.exe 2824 nbhbbb.exe 2348 bbtttt.exe 4596 btnthn.exe 4584 tthhhn.exe 228 xflrrxx.exe 2692 fffrlll.exe 4388 nbttht.exe 5064 llflflr.exe 648 nntttb.exe 5068 ntnhhn.exe 4524 llllfll.exe 3664 rlllxrx.exe 1792 1bbttt.exe 2180 ttbbbh.exe 1436 nbhhtt.exe 1136 hhhbbh.exe 4072 bhtttt.exe 3668 btnhtt.exe 2016 hnthbb.exe 4016 nhbbtn.exe 4960 xlxrllf.exe 2648 hhhbbh.exe -
resource yara_rule behavioral2/memory/5040-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bdf-3.dat upx behavioral2/memory/5040-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3644-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-9.dat upx behavioral2/files/0x0007000000023cac-13.dat upx behavioral2/memory/4928-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3048-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-22.dat upx behavioral2/memory/4928-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-31.dat upx behavioral2/memory/2936-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-35.dat upx behavioral2/memory/3468-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0002000000022ae8-40.dat upx behavioral2/files/0x0002000000022af2-45.dat upx behavioral2/memory/2272-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b70-51.dat upx behavioral2/memory/680-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b73-57.dat upx behavioral2/memory/5072-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0010000000023b7b-63.dat upx behavioral2/files/0x000f000000023b7c-68.dat upx behavioral2/memory/1132-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cb2-77.dat upx behavioral2/memory/3300-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-80.dat upx behavioral2/memory/2788-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-86.dat upx behavioral2/memory/1448-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-92.dat upx 
behavioral2/memory/1608-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-98.dat upx behavioral2/memory/1672-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-103.dat upx behavioral2/memory/4968-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-110.dat upx behavioral2/files/0x0007000000023cba-115.dat upx behavioral2/memory/2040-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-121.dat upx behavioral2/memory/3252-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-128.dat upx behavioral2/files/0x0007000000023cbe-131.dat upx behavioral2/memory/3540-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-138.dat upx behavioral2/memory/1652-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-144.dat upx behavioral2/memory/4404-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-150.dat upx behavioral2/memory/4500-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-156.dat upx behavioral2/memory/4892-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-162.dat upx behavioral2/files/0x0007000000023cc3-167.dat upx behavioral2/memory/2556-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-173.dat upx behavioral2/memory/3332-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2960-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-181.dat upx behavioral2/memory/4024-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-186.dat upx behavioral2/memory/3164-204-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1788-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4400-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7httbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5040 wrote to memory of 3644 5040 92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe 86 PID 5040 wrote to memory of 3644 5040 92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe 86 PID 5040 wrote to memory of 3644 5040 92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe 86 PID 3644 wrote to memory of 3048 3644 3nnhbb.exe 87 PID 3644 wrote to memory of 3048 3644 3nnhbb.exe 87 PID 3644 wrote to memory of 3048 3644 3nnhbb.exe 87 PID 3048 wrote to memory of 4928 3048 vpppj.exe 90 PID 3048 wrote to memory of 4928 3048 vpppj.exe 90 PID 3048 wrote to memory of 4928 3048 vpppj.exe 90 PID 4928 wrote to memory of 2936 4928 bnhbtt.exe 91 PID 4928 wrote to memory of 2936 4928 bnhbtt.exe 91 PID 4928 wrote to memory of 2936 4928 bnhbtt.exe 91 PID 2936 wrote to memory of 2544 2936 jddvv.exe 92 PID 2936 wrote to memory of 2544 2936 jddvv.exe 92 PID 2936 wrote to memory of 2544 2936 jddvv.exe 92 PID 2544 wrote to memory of 3468 2544 ppvpp.exe 93 PID 2544 wrote to memory of 3468 2544 ppvpp.exe 93 PID 2544 wrote to memory of 3468 2544 ppvpp.exe 93 PID 3468 wrote to memory of 1316 3468 lxffxrl.exe 95 PID 3468 wrote to memory of 1316 3468 lxffxrl.exe 95 PID 3468 wrote to memory of 1316 3468 lxffxrl.exe 95 PID 1316 wrote to memory of 2272 1316 vpjjd.exe 96 PID 1316 wrote to memory of 2272 1316 vpjjd.exe 96 PID 1316 wrote to memory of 2272 1316 vpjjd.exe 96 PID 2272 wrote to memory of 680 2272 vpddv.exe 97 PID 2272 wrote to memory of 680 2272 vpddv.exe 97 PID 2272 wrote to memory of 680 2272 vpddv.exe 97 PID 680 wrote to memory of 5072 680 ddppp.exe 98 PID 680 wrote to memory of 5072 680 ddppp.exe 98 PID 680 wrote to memory of 5072 680 ddppp.exe 98 PID 5072 wrote to memory of 1132 5072 3lxxxff.exe 101 PID 5072 wrote to memory of 1132 5072 3lxxxff.exe 101 PID 5072 wrote to memory of 1132 5072 3lxxxff.exe 101 PID 1132 wrote to memory of 3300 1132 llfxxfx.exe 102 PID 1132 wrote to memory of 3300 
1132 llfxxfx.exe 102 PID 1132 wrote to memory of 3300 1132 llfxxfx.exe 102 PID 3300 wrote to memory of 2788 3300 9tbnhh.exe 103 PID 3300 wrote to memory of 2788 3300 9tbnhh.exe 103 PID 3300 wrote to memory of 2788 3300 9tbnhh.exe 103 PID 2788 wrote to memory of 1448 2788 hbbbtt.exe 106 PID 2788 wrote to memory of 1448 2788 hbbbtt.exe 106 PID 2788 wrote to memory of 1448 2788 hbbbtt.exe 106 PID 1448 wrote to memory of 1608 1448 fxfxxlf.exe 107 PID 1448 wrote to memory of 1608 1448 fxfxxlf.exe 107 PID 1448 wrote to memory of 1608 1448 fxfxxlf.exe 107 PID 1608 wrote to memory of 1672 1608 hbtnhn.exe 108 PID 1608 wrote to memory of 1672 1608 hbtnhn.exe 108 PID 1608 wrote to memory of 1672 1608 hbtnhn.exe 108 PID 1672 wrote to memory of 4968 1672 thhbhn.exe 109 PID 1672 wrote to memory of 4968 1672 thhbhn.exe 109 PID 1672 wrote to memory of 4968 1672 thhbhn.exe 109 PID 4968 wrote to memory of 552 4968 jvpjp.exe 110 PID 4968 wrote to memory of 552 4968 jvpjp.exe 110 PID 4968 wrote to memory of 552 4968 jvpjp.exe 110 PID 552 wrote to memory of 2040 552 frrrrrr.exe 111 PID 552 wrote to memory of 2040 552 frrrrrr.exe 111 PID 552 wrote to memory of 2040 552 frrrrrr.exe 111 PID 2040 wrote to memory of 968 2040 fxffffx.exe 112 PID 2040 wrote to memory of 968 2040 fxffffx.exe 112 PID 2040 wrote to memory of 968 2040 fxffffx.exe 112 PID 968 wrote to memory of 3252 968 nnttbh.exe 114 PID 968 wrote to memory of 3252 968 nnttbh.exe 114 PID 968 wrote to memory of 3252 968 nnttbh.exe 114 PID 3252 wrote to memory of 3540 3252 flrrxxf.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe"C:\Users\Admin\AppData\Local\Temp\92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\3nnhbb.exec:\3nnhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\vpppj.exec:\vpppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\bnhbtt.exec:\bnhbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\jddvv.exec:\jddvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\ppvpp.exec:\ppvpp.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\lxffxrl.exec:\lxffxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\vpjjd.exec:\vpjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\vpddv.exec:\vpddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\ddppp.exec:\ddppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\3lxxxff.exec:\3lxxxff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\llfxxfx.exec:\llfxxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\9tbnhh.exec:\9tbnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\hbbbtt.exec:\hbbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\fxfxxlf.exec:\fxfxxlf.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\hbtnhn.exec:\hbtnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\thhbhn.exec:\thhbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\jvpjp.exec:\jvpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\frrrrrr.exec:\frrrrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\fxffffx.exec:\fxffffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\nnttbh.exec:\nnttbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\flrrxxf.exec:\flrrxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\lrlflrl.exec:\lrlflrl.exe23⤵
- Executes dropped EXE
PID:3540 -
\??\c:\lrllflf.exec:\lrllflf.exe24⤵
- Executes dropped EXE
PID:1652 -
\??\c:\lxfxrxr.exec:\lxfxrxr.exe25⤵
- Executes dropped EXE
PID:4404 -
\??\c:\tthhhn.exec:\tthhhn.exe26⤵
- Executes dropped EXE
PID:4500 -
\??\c:\9ttnnt.exec:\9ttnnt.exe27⤵
- Executes dropped EXE
PID:4892 -
\??\c:\vdpjd.exec:\vdpjd.exe28⤵
- Executes dropped EXE
PID:1848 -
\??\c:\jddvv.exec:\jddvv.exe29⤵
- Executes dropped EXE
PID:2556 -
\??\c:\5lrrrxx.exec:\5lrrrxx.exe30⤵
- Executes dropped EXE
PID:3332 -
\??\c:\nhbbbh.exec:\nhbbbh.exe31⤵
- Executes dropped EXE
PID:2960 -
\??\c:\hbbtbb.exec:\hbbtbb.exe32⤵
- Executes dropped EXE
PID:544 -
\??\c:\djddd.exec:\djddd.exe33⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rxllrxx.exec:\rxllrxx.exe34⤵
- Executes dropped EXE
PID:3400 -
\??\c:\dpvvv.exec:\dpvvv.exe35⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pdpjj.exec:\pdpjj.exe36⤵
- Executes dropped EXE
PID:3408 -
\??\c:\ddjjv.exec:\ddjjv.exe37⤵
- Executes dropped EXE
PID:3164 -
\??\c:\jvjjv.exec:\jvjjv.exe38⤵
- Executes dropped EXE
PID:1788 -
\??\c:\pdvdj.exec:\pdvdj.exe39⤵
- Executes dropped EXE
PID:3228 -
\??\c:\jdvdv.exec:\jdvdv.exe40⤵
- Executes dropped EXE
PID:4912 -
\??\c:\ppvvp.exec:\ppvvp.exe41⤵
- Executes dropped EXE
PID:3300 -
\??\c:\jjpdd.exec:\jjpdd.exe42⤵
- Executes dropped EXE
PID:1880 -
\??\c:\nhbttt.exec:\nhbttt.exe43⤵
- Executes dropped EXE
PID:4400 -
\??\c:\nbhbbb.exec:\nbhbbb.exe44⤵
- Executes dropped EXE
PID:2824 -
\??\c:\bbtttt.exec:\bbtttt.exe45⤵
- Executes dropped EXE
PID:2348 -
\??\c:\btnthn.exec:\btnthn.exe46⤵
- Executes dropped EXE
PID:4596 -
\??\c:\tthhhn.exec:\tthhhn.exe47⤵
- Executes dropped EXE
PID:4584 -
\??\c:\xflrrxx.exec:\xflrrxx.exe48⤵
- Executes dropped EXE
PID:228 -
\??\c:\fffrlll.exec:\fffrlll.exe49⤵
- Executes dropped EXE
PID:2692 -
\??\c:\nbttht.exec:\nbttht.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4388 -
\??\c:\llflflr.exec:\llflflr.exe51⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nntttb.exec:\nntttb.exe52⤵
- Executes dropped EXE
PID:648 -
\??\c:\ntnhhn.exec:\ntnhhn.exe53⤵
- Executes dropped EXE
PID:5068 -
\??\c:\llllfll.exec:\llllfll.exe54⤵
- Executes dropped EXE
PID:4524 -
\??\c:\rlllxrx.exec:\rlllxrx.exe55⤵
- Executes dropped EXE
PID:3664 -
\??\c:\1bbttt.exec:\1bbttt.exe56⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ttbbbh.exec:\ttbbbh.exe57⤵
- Executes dropped EXE
PID:2180 -
\??\c:\nbhhtt.exec:\nbhhtt.exe58⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hhhbbh.exec:\hhhbbh.exe59⤵
- Executes dropped EXE
PID:1136 -
\??\c:\bhtttt.exec:\bhtttt.exe60⤵
- Executes dropped EXE
PID:4072 -
\??\c:\btnhtt.exec:\btnhtt.exe61⤵
- Executes dropped EXE
PID:3668 -
\??\c:\hnthbb.exec:\hnthbb.exe62⤵
- Executes dropped EXE
PID:2016 -
\??\c:\nhbbtn.exec:\nhbbtn.exe63⤵
- Executes dropped EXE
PID:4016 -
\??\c:\xlxrllf.exec:\xlxrllf.exe64⤵
- Executes dropped EXE
PID:4960 -
\??\c:\hhhbbh.exec:\hhhbbh.exe65⤵
- Executes dropped EXE
PID:2648 -
\??\c:\3fffxlf.exec:\3fffxlf.exe66⤵PID:4708
-
\??\c:\5xxxxxx.exec:\5xxxxxx.exe67⤵PID:4948
-
\??\c:\rfllxfx.exec:\rfllxfx.exe68⤵PID:2308
-
\??\c:\ffxlfxr.exec:\ffxlfxr.exe69⤵PID:3208
-
\??\c:\btbbhn.exec:\btbbhn.exe70⤵PID:3872
-
\??\c:\bbtttt.exec:\bbtttt.exe71⤵PID:2036
-
\??\c:\rffllrr.exec:\rffllrr.exe72⤵PID:1668
-
\??\c:\bnhhbb.exec:\bnhhbb.exe73⤵PID:3548
-
\??\c:\fllxflr.exec:\fllxflr.exe74⤵PID:1476
-
\??\c:\llrrrrx.exec:\llrrrrx.exe75⤵PID:220
-
\??\c:\frllrrx.exec:\frllrrx.exe76⤵PID:2672
-
\??\c:\xfxxxrf.exec:\xfxxxrf.exe77⤵PID:3396
-
\??\c:\7dpjj.exec:\7dpjj.exe78⤵PID:5060
-
\??\c:\xlrrxfl.exec:\xlrrxfl.exe79⤵PID:4716
-
\??\c:\7xffflr.exec:\7xffflr.exe80⤵PID:4884
-
\??\c:\9fflrxx.exec:\9fflrxx.exe81⤵PID:260
-
\??\c:\ppvvv.exec:\ppvvv.exe82⤵PID:2668
-
\??\c:\jdjjd.exec:\jdjjd.exe83⤵PID:1456
-
\??\c:\ddjjj.exec:\ddjjj.exe84⤵PID:440
-
\??\c:\jjjdd.exec:\jjjdd.exe85⤵PID:4128
-
\??\c:\jdppp.exec:\jdppp.exe86⤵PID:708
-
\??\c:\nnhntn.exec:\nnhntn.exe87⤵PID:2412
-
\??\c:\ttnnnb.exec:\ttnnnb.exe88⤵PID:4576
-
\??\c:\9nbttt.exec:\9nbttt.exe89⤵
- System Location Discovery: System Language Discovery
PID:2572 -
\??\c:\7ttnhh.exec:\7ttnhh.exe90⤵PID:3948
-
\??\c:\tnbbnn.exec:\tnbbnn.exe91⤵PID:3792
-
\??\c:\thtttt.exec:\thtttt.exe92⤵PID:376
-
\??\c:\bhttnt.exec:\bhttnt.exe93⤵PID:968
-
\??\c:\fllfrlx.exec:\fllfrlx.exe94⤵PID:3572
-
\??\c:\fxlrfrx.exec:\fxlrfrx.exe95⤵PID:4364
-
\??\c:\lflrrrr.exec:\lflrrrr.exe96⤵PID:1652
-
\??\c:\xxxxffl.exec:\xxxxffl.exe97⤵PID:4484
-
\??\c:\fflllrr.exec:\fflllrr.exe98⤵PID:3304
-
\??\c:\1frrrlf.exec:\1frrrlf.exe99⤵PID:828
-
\??\c:\lffxxrr.exec:\lffxxrr.exe100⤵PID:1436
-
\??\c:\rxllrff.exec:\rxllrff.exe101⤵PID:1136
-
\??\c:\xllffll.exec:\xllffll.exe102⤵PID:1012
-
\??\c:\dddjd.exec:\dddjd.exe103⤵PID:2676
-
\??\c:\7dvdp.exec:\7dvdp.exe104⤵PID:1408
-
\??\c:\ddvjd.exec:\ddvjd.exe105⤵PID:4016
-
\??\c:\pvppp.exec:\pvppp.exe106⤵PID:4960
-
\??\c:\pdpdp.exec:\pdpdp.exe107⤵PID:2664
-
\??\c:\nhhhhh.exec:\nhhhhh.exe108⤵PID:4708
-
\??\c:\1bbbtt.exec:\1bbbtt.exe109⤵PID:4948
-
\??\c:\5bnhbb.exec:\5bnhbb.exe110⤵PID:2960
-
\??\c:\tntbbh.exec:\tntbbh.exe111⤵PID:4040
-
\??\c:\ttbbbb.exec:\ttbbbb.exe112⤵PID:2000
-
\??\c:\ttthbb.exec:\ttthbb.exe113⤵PID:908
-
\??\c:\hhtnnn.exec:\hhtnnn.exe114⤵PID:3400
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe115⤵PID:4496
-
\??\c:\fflrrff.exec:\fflrrff.exe116⤵PID:3408
-
\??\c:\rlfllff.exec:\rlfllff.exe117⤵PID:5072
-
\??\c:\xrrrlrr.exec:\xrrrlrr.exe118⤵PID:3164
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe119⤵PID:1788
-
\??\c:\djpjd.exec:\djpjd.exe120⤵PID:1324
-
\??\c:\vpvvp.exec:\vpvvp.exe121⤵PID:3656
-
\??\c:\pdvpj.exec:\pdvpj.exe122⤵PID:960