Analysis
-
max time kernel
120s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
05-11-2024 07:36
Behavioral task
behavioral1
Sample
5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exe
Resource
win7-20241010-en
General
-
Target
5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exe
-
Size
1.8MB
-
MD5
ddb2703449e217facb200cfd32b304e0
-
SHA1
3c6c5072519570047e6533d2b8c658c4309f04a5
-
SHA256
5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fb
-
SHA512
33dbd5fe2f6f0ac515b81c6d65615b529968b4017c4b7014c28a19b23656a88aa4405dd613ae7c4b513c11d0566d9a00d373ad003b31645dae15f6b4afce161e
-
SSDEEP
24576:gC8d36kLBXlnB8j7v5Ta+hLLQ20JmXSeWwa1oWJQjk0svTS/PT:gCOfN6X5tLLQTg20ITS/PT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/3440-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2956-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/712-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/856-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2892-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/452-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1240-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1952-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/712-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/468-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2624-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2880-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3064-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-500-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-504-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3224-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3080-592-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-599-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2688-634-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-650-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-675-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-963-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-1070-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1472-1107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
tbhhhh.exe rrfxfxr.exe lrfrlll.exe pjpjj.exe djddp.exe bnhtbt.exe tbtttn.exe xxlfffl.exe jdjjj.exe 7jvvv.exe jjjdv.exe 3hhbtn.exe flxrxxr.exe lxlfllf.exe vpppp.exe nbbnht.exe 3flfxxr.exe 9nbtnt.exe lrfxrrl.exe 9nbtbb.exe frlfxxx.exe pppvd.exe nbtbbb.exe 7frfxfx.exe nbhhht.exe hhhhbt.exe ttbthb.exe pppjd.exe nhbtnh.exe xffxrlx.exe 3htbnh.exe 7ffxlfr.exe lfxllxx.exe flfrfrf.exe htnbtn.exe fxfxrfx.exe jjpjv.exe 9hbttn.exe xflxrlf.exe 7hbtnh.exe llxrfxf.exe btthtb.exe nthhhn.exe ppvjj.exe 3tnnbn.exe jvvjd.exe 1hhttn.exe xllfrrl.exe htbhhn.exe flrrffl.exe dvvpp.exe bhnhtn.exe ffllfxr.exe bbnhhh.exe lfrllfx.exe jdjdv.exe rffxllf.exe vdpjj.exe 3thbnt.exe 1xllllf.exe hbhbht.exe 9xxxlff.exe 9pvpd.exe 3nbthb.exe pid Process 4056 tbhhhh.exe 2008 rrfxfxr.exe 116 lrfrlll.exe 2676 pjpjj.exe 2956 djddp.exe 4124 bnhtbt.exe 1060 tbtttn.exe 4828 xxlfffl.exe 712 jdjjj.exe 2000 7jvvv.exe 948 jjjdv.exe 396 3hhbtn.exe 4644 flxrxxr.exe 3288 lxlfllf.exe 2824 vpppp.exe 5048 nbbnht.exe 856 3flfxxr.exe 1468 9nbtnt.exe 2892 lrfxrrl.exe 3164 9nbtbb.exe 2120 frlfxxx.exe 2312 pppvd.exe 1068 nbtbbb.exe 3400 7frfxfx.exe 1636 nbhhht.exe 1448 hhhhbt.exe 2464 ttbthb.exe 2620 pppjd.exe 452 nhbtnh.exe 4948 xffxrlx.exe 1240 3htbnh.exe 640 7ffxlfr.exe 4956 lfxllxx.exe 2328 flfrfrf.exe 5068 htnbtn.exe 2692 fxfxrfx.exe 3964 jjpjv.exe 2904 9hbttn.exe 2380 xflxrlf.exe 3896 7hbtnh.exe 1952 llxrfxf.exe 1380 btthtb.exe 4556 nthhhn.exe 3144 ppvjj.exe 712 3tnnbn.exe 468 jvvjd.exe 3240 1hhttn.exe 2788 xllfrrl.exe 4364 htbhhn.exe 3664 flrrffl.exe 1504 dvvpp.exe 1628 bhnhtn.exe 5048 ffllfxr.exe 536 bbnhhh.exe 1132 lfrllfx.exe 4440 jdjdv.exe 4244 rffxllf.exe 2844 vdpjj.exe 2624 3thbnt.exe 744 1xllllf.exe 1128 hbhbht.exe 3344 9xxxlff.exe 3776 9pvpd.exe 1284 3nbthb.exe -
Processes:
resource yara_rule behavioral2/memory/3440-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca5-3.dat upx behavioral2/memory/3440-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-11.dat upx behavioral2/memory/4056-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-13.dat upx behavioral2/memory/116-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2008-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-22.dat upx behavioral2/memory/2676-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/116-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-29.dat upx behavioral2/files/0x0007000000023cad-37.dat upx behavioral2/memory/2956-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4124-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca6-42.dat upx behavioral2/files/0x0007000000023caf-46.dat upx behavioral2/memory/1060-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-52.dat upx behavioral2/memory/712-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4828-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-59.dat upx behavioral2/files/0x0007000000023cb2-65.dat upx behavioral2/files/0x0007000000023cb3-69.dat upx behavioral2/memory/396-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-75.dat upx behavioral2/files/0x0007000000023cb5-80.dat upx behavioral2/memory/4644-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-86.dat upx behavioral2/memory/2824-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-92.dat upx 
behavioral2/files/0x0007000000023cb8-98.dat upx behavioral2/files/0x0007000000023cb9-103.dat upx behavioral2/memory/1468-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-109.dat upx behavioral2/memory/856-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2892-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-120.dat upx behavioral2/files/0x0007000000023cbd-126.dat upx behavioral2/files/0x0007000000023cbe-131.dat upx behavioral2/files/0x0007000000023cbb-116.dat upx behavioral2/files/0x000d000000023b65-134.dat upx behavioral2/memory/1068-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3400-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b67-142.dat upx behavioral2/files/0x000d000000023b64-148.dat upx behavioral2/files/0x0003000000022a8a-155.dat upx behavioral2/memory/1448-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2464-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-159.dat upx behavioral2/files/0x0007000000023cc0-166.dat upx behavioral2/memory/2620-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-170.dat upx behavioral2/memory/452-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4948-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-179.dat upx behavioral2/files/0x0007000000023cc5-182.dat upx behavioral2/memory/1240-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/640-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3964-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2904-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2380-213-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1952-219-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4556-226-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
5frfrlf.exevdjjd.exehthbbt.exe3fxlxfx.exelrrllff.exejdddv.exe5bbnhn.exe9nbtnt.exebtbhbt.exejvdpd.exenbhhnn.exexrrffxl.exe5nbtnn.exepdpjd.exeddvpd.exe7jjjj.exefrrrfrl.exenthhhb.exejdvvp.exebtbttt.exe5ffxlxl.exelfrllfx.exevjppp.exefrxllfr.exe3ppjd.exerlrlfxr.exelfxxxxf.exefflffff.exe1pvpv.exexrrfrlx.exexrfxrrr.exeflfxlfx.exelflfffx.exennhhbb.exehnnbnb.exe1dvjp.exebbtnhh.exelllfrrl.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exetbhhhh.exerrfxfxr.exelrfrlll.exepjpjj.exedjddp.exebnhtbt.exetbtttn.exexxlfffl.exejdjjj.exe7jvvv.exejjjdv.exe3hhbtn.exeflxrxxr.exelxlfllf.exevpppp.exenbbnht.exe3flfxxr.exe9nbtnt.exelrfxrrl.exe9nbtbb.exefrlfxxx.exedescription pid Process procid_target PID 3440 wrote to memory of 4056 3440 5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exe 84 PID 3440 wrote to memory of 4056 3440 5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exe 84 PID 3440 wrote to memory of 4056 3440 5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exe 84 PID 4056 wrote to memory of 2008 4056 tbhhhh.exe 85 PID 4056 wrote to memory of 2008 4056 tbhhhh.exe 85 PID 4056 wrote to memory of 2008 4056 tbhhhh.exe 85 PID 2008 wrote to memory of 116 2008 rrfxfxr.exe 87 PID 2008 wrote to memory of 116 2008 rrfxfxr.exe 87 PID 2008 wrote to memory of 116 2008 rrfxfxr.exe 87 PID 116 wrote to memory of 2676 116 lrfrlll.exe 90 PID 116 wrote to memory of 2676 116 lrfrlll.exe 90 PID 116 wrote to memory of 2676 116 lrfrlll.exe 90 PID 2676 wrote to memory of 2956 2676 pjpjj.exe 91 PID 2676 wrote to memory of 2956 2676 pjpjj.exe 91 PID 2676 wrote to memory of 2956 2676 pjpjj.exe 91 PID 2956 wrote to memory of 4124 2956 djddp.exe 92 PID 2956 wrote to memory of 4124 2956 djddp.exe 92 PID 2956 wrote to memory of 4124 2956 djddp.exe 92 PID 4124 wrote to memory of 1060 4124 bnhtbt.exe 93 PID 4124 wrote to memory of 1060 4124 bnhtbt.exe 93 PID 4124 wrote to memory of 1060 4124 bnhtbt.exe 93 PID 1060 wrote to memory of 4828 1060 tbtttn.exe 94 PID 1060 wrote to memory of 4828 1060 tbtttn.exe 94 PID 1060 wrote to memory of 4828 1060 tbtttn.exe 94 PID 4828 wrote to memory of 712 4828 xxlfffl.exe 95 PID 4828 wrote to memory of 712 4828 xxlfffl.exe 95 PID 4828 wrote to memory of 712 4828 xxlfffl.exe 95 PID 712 wrote to memory of 2000 712 jdjjj.exe 96 PID 712 wrote to memory of 2000 712 jdjjj.exe 96 PID 712 
wrote to memory of 2000 712 jdjjj.exe 96 PID 2000 wrote to memory of 948 2000 7jvvv.exe 97 PID 2000 wrote to memory of 948 2000 7jvvv.exe 97 PID 2000 wrote to memory of 948 2000 7jvvv.exe 97 PID 948 wrote to memory of 396 948 jjjdv.exe 98 PID 948 wrote to memory of 396 948 jjjdv.exe 98 PID 948 wrote to memory of 396 948 jjjdv.exe 98 PID 396 wrote to memory of 4644 396 3hhbtn.exe 99 PID 396 wrote to memory of 4644 396 3hhbtn.exe 99 PID 396 wrote to memory of 4644 396 3hhbtn.exe 99 PID 4644 wrote to memory of 3288 4644 flxrxxr.exe 100 PID 4644 wrote to memory of 3288 4644 flxrxxr.exe 100 PID 4644 wrote to memory of 3288 4644 flxrxxr.exe 100 PID 3288 wrote to memory of 2824 3288 lxlfllf.exe 101 PID 3288 wrote to memory of 2824 3288 lxlfllf.exe 101 PID 3288 wrote to memory of 2824 3288 lxlfllf.exe 101 PID 2824 wrote to memory of 5048 2824 vpppp.exe 102 PID 2824 wrote to memory of 5048 2824 vpppp.exe 102 PID 2824 wrote to memory of 5048 2824 vpppp.exe 102 PID 5048 wrote to memory of 856 5048 nbbnht.exe 103 PID 5048 wrote to memory of 856 5048 nbbnht.exe 103 PID 5048 wrote to memory of 856 5048 nbbnht.exe 103 PID 856 wrote to memory of 1468 856 3flfxxr.exe 104 PID 856 wrote to memory of 1468 856 3flfxxr.exe 104 PID 856 wrote to memory of 1468 856 3flfxxr.exe 104 PID 1468 wrote to memory of 2892 1468 9nbtnt.exe 105 PID 1468 wrote to memory of 2892 1468 9nbtnt.exe 105 PID 1468 wrote to memory of 2892 1468 9nbtnt.exe 105 PID 2892 wrote to memory of 3164 2892 lrfxrrl.exe 106 PID 2892 wrote to memory of 3164 2892 lrfxrrl.exe 106 PID 2892 wrote to memory of 3164 2892 lrfxrrl.exe 106 PID 3164 wrote to memory of 2120 3164 9nbtbb.exe 107 PID 3164 wrote to memory of 2120 3164 9nbtbb.exe 107 PID 3164 wrote to memory of 2120 3164 9nbtbb.exe 107 PID 2120 wrote to memory of 2312 2120 frlfxxx.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exe"C:\Users\Admin\AppData\Local\Temp\5b36db45baf14439ebe5d527edbb572c69297af6659c3d230780e242e45ab8fbN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\tbhhhh.exec:\tbhhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\rrfxfxr.exec:\rrfxfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\lrfrlll.exec:\lrfrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\pjpjj.exec:\pjpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\djddp.exec:\djddp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\bnhtbt.exec:\bnhtbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\tbtttn.exec:\tbtttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\xxlfffl.exec:\xxlfffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\jdjjj.exec:\jdjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\7jvvv.exec:\7jvvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\jjjdv.exec:\jjjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\3hhbtn.exec:\3hhbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\flxrxxr.exec:\flxrxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\lxlfllf.exec:\lxlfllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\vpppp.exec:\vpppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\nbbnht.exec:\nbbnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\3flfxxr.exec:\3flfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\9nbtnt.exec:\9nbtnt.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\9nbtbb.exec:\9nbtbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\frlfxxx.exec:\frlfxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\pppvd.exec:\pppvd.exe23⤵
- Executes dropped EXE
PID:2312 -
\??\c:\nbtbbb.exec:\nbtbbb.exe24⤵
- Executes dropped EXE
PID:1068 -
\??\c:\7frfxfx.exec:\7frfxfx.exe25⤵
- Executes dropped EXE
PID:3400 -
\??\c:\nbhhht.exec:\nbhhht.exe26⤵
- Executes dropped EXE
PID:1636 -
\??\c:\hhhhbt.exec:\hhhhbt.exe27⤵
- Executes dropped EXE
PID:1448 -
\??\c:\ttbthb.exec:\ttbthb.exe28⤵
- Executes dropped EXE
PID:2464 -
\??\c:\pppjd.exec:\pppjd.exe29⤵
- Executes dropped EXE
PID:2620 -
\??\c:\nhbtnh.exec:\nhbtnh.exe30⤵
- Executes dropped EXE
PID:452 -
\??\c:\xffxrlx.exec:\xffxrlx.exe31⤵
- Executes dropped EXE
PID:4948 -
\??\c:\3htbnh.exec:\3htbnh.exe32⤵
- Executes dropped EXE
PID:1240 -
\??\c:\7ffxlfr.exec:\7ffxlfr.exe33⤵
- Executes dropped EXE
PID:640 -
\??\c:\lfxllxx.exec:\lfxllxx.exe34⤵
- Executes dropped EXE
PID:4956 -
\??\c:\flfrfrf.exec:\flfrfrf.exe35⤵
- Executes dropped EXE
PID:2328 -
\??\c:\htnbtn.exec:\htnbtn.exe36⤵
- Executes dropped EXE
PID:5068 -
\??\c:\fxfxrfx.exec:\fxfxrfx.exe37⤵
- Executes dropped EXE
PID:2692 -
\??\c:\jjpjv.exec:\jjpjv.exe38⤵
- Executes dropped EXE
PID:3964 -
\??\c:\9hbttn.exec:\9hbttn.exe39⤵
- Executes dropped EXE
PID:2904 -
\??\c:\xflxrlf.exec:\xflxrlf.exe40⤵
- Executes dropped EXE
PID:2380 -
\??\c:\7hbtnh.exec:\7hbtnh.exe41⤵
- Executes dropped EXE
PID:3896 -
\??\c:\llxrfxf.exec:\llxrfxf.exe42⤵
- Executes dropped EXE
PID:1952 -
\??\c:\btthtb.exec:\btthtb.exe43⤵
- Executes dropped EXE
PID:1380 -
\??\c:\nthhhn.exec:\nthhhn.exe44⤵
- Executes dropped EXE
PID:4556 -
\??\c:\ppvjj.exec:\ppvjj.exe45⤵
- Executes dropped EXE
PID:3144 -
\??\c:\3tnnbn.exec:\3tnnbn.exe46⤵
- Executes dropped EXE
PID:712 -
\??\c:\jvvjd.exec:\jvvjd.exe47⤵
- Executes dropped EXE
PID:468 -
\??\c:\1hhttn.exec:\1hhttn.exe48⤵
- Executes dropped EXE
PID:3240 -
\??\c:\xllfrrl.exec:\xllfrrl.exe49⤵
- Executes dropped EXE
PID:2788 -
\??\c:\htbhhn.exec:\htbhhn.exe50⤵
- Executes dropped EXE
PID:4364 -
\??\c:\flrrffl.exec:\flrrffl.exe51⤵
- Executes dropped EXE
PID:3664 -
\??\c:\dvvpp.exec:\dvvpp.exe52⤵
- Executes dropped EXE
PID:1504 -
\??\c:\bhnhtn.exec:\bhnhtn.exe53⤵
- Executes dropped EXE
PID:1628 -
\??\c:\ffllfxr.exec:\ffllfxr.exe54⤵
- Executes dropped EXE
PID:5048 -
\??\c:\bbnhhh.exec:\bbnhhh.exe55⤵
- Executes dropped EXE
PID:536 -
\??\c:\lfrllfx.exec:\lfrllfx.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132 -
\??\c:\jdjdv.exec:\jdjdv.exe57⤵
- Executes dropped EXE
PID:4440 -
\??\c:\rffxllf.exec:\rffxllf.exe58⤵
- Executes dropped EXE
PID:4244 -
\??\c:\vdpjj.exec:\vdpjj.exe59⤵
- Executes dropped EXE
PID:2844 -
\??\c:\3thbnt.exec:\3thbnt.exe60⤵
- Executes dropped EXE
PID:2624 -
\??\c:\1xllllf.exec:\1xllllf.exe61⤵
- Executes dropped EXE
PID:744 -
\??\c:\hbhbht.exec:\hbhbht.exe62⤵
- Executes dropped EXE
PID:1128 -
\??\c:\9xxxlff.exec:\9xxxlff.exe63⤵
- Executes dropped EXE
PID:3344 -
\??\c:\9pvpd.exec:\9pvpd.exe64⤵
- Executes dropped EXE
PID:3776 -
\??\c:\3nbthb.exec:\3nbthb.exe65⤵
- Executes dropped EXE
PID:1284 -
\??\c:\lfrffrx.exec:\lfrffrx.exe66⤵PID:1512
-
\??\c:\pdppp.exec:\pdppp.exe67⤵PID:4180
-
\??\c:\rrrlfxx.exec:\rrrlfxx.exe68⤵PID:2852
-
\??\c:\9vvdd.exec:\9vvdd.exe69⤵PID:2356
-
\??\c:\rlrfrll.exec:\rlrfrll.exe70⤵PID:2880
-
\??\c:\vvpjd.exec:\vvpjd.exe71⤵PID:3064
-
\??\c:\thhhhh.exec:\thhhhh.exe72⤵PID:920
-
\??\c:\3llfxxf.exec:\3llfxxf.exe73⤵PID:2556
-
\??\c:\btthbt.exec:\btthbt.exe74⤵PID:2304
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe75⤵PID:2340
-
\??\c:\dddjj.exec:\dddjj.exe76⤵PID:4552
-
\??\c:\bbtnhh.exec:\bbtnhh.exe77⤵
- System Location Discovery: System Language Discovery
PID:628 -
\??\c:\vpvpp.exec:\vpvpp.exe78⤵PID:4188
-
\??\c:\bbbttt.exec:\bbbttt.exe79⤵PID:5068
-
\??\c:\rfxlfxr.exec:\rfxlfxr.exe80⤵PID:2972
-
\??\c:\jpvdj.exec:\jpvdj.exe81⤵PID:4076
-
\??\c:\9fffffx.exec:\9fffffx.exe82⤵PID:3520
-
\??\c:\ddpdv.exec:\ddpdv.exe83⤵PID:4968
-
\??\c:\1thbnt.exec:\1thbnt.exe84⤵PID:4736
-
\??\c:\fxxlfxf.exec:\fxxlfxf.exe85⤵PID:3840
-
\??\c:\3ttnnn.exec:\3ttnnn.exe86⤵PID:3420
-
\??\c:\5xffxfx.exec:\5xffxfx.exe87⤵PID:2224
-
\??\c:\pddpj.exec:\pddpj.exe88⤵PID:3052
-
\??\c:\hnnbtb.exec:\hnnbtb.exe89⤵PID:2000
-
\??\c:\9jppj.exec:\9jppj.exe90⤵PID:4980
-
\??\c:\tthhht.exec:\tthhht.exe91⤵PID:860
-
\??\c:\ffrfxxr.exec:\ffrfxxr.exe92⤵PID:3268
-
\??\c:\9jjdd.exec:\9jjdd.exe93⤵PID:2392
-
\??\c:\lllfrrl.exec:\lllfrrl.exe94⤵
- System Location Discovery: System Language Discovery
PID:4708 -
\??\c:\5jddv.exec:\5jddv.exe95⤵PID:1916
-
\??\c:\7ffxxxr.exec:\7ffxxxr.exe96⤵PID:3788
-
\??\c:\7pvvp.exec:\7pvvp.exe97⤵PID:4232
-
\??\c:\frlxrrr.exec:\frlxrrr.exe98⤵PID:4116
-
\??\c:\7vjdp.exec:\7vjdp.exe99⤵PID:1692
-
\??\c:\bbnhhh.exec:\bbnhhh.exe100⤵PID:1688
-
\??\c:\9jpdv.exec:\9jpdv.exe101⤵PID:4924
-
\??\c:\nbnhth.exec:\nbnhth.exe102⤵PID:3740
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe103⤵PID:2876
-
\??\c:\9nhbtt.exec:\9nhbtt.exe104⤵PID:2892
-
\??\c:\xrrlllf.exec:\xrrlllf.exe105⤵PID:1740
-
\??\c:\thnhhh.exec:\thnhhh.exe106⤵PID:3556
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe107⤵PID:2844
-
\??\c:\hthbtt.exec:\hthbtt.exe108⤵PID:3380
-
\??\c:\1lrrllf.exec:\1lrrllf.exe109⤵PID:744
-
\??\c:\jvppp.exec:\jvppp.exe110⤵PID:1676
-
\??\c:\ffxllxf.exec:\ffxllxf.exe111⤵PID:1336
-
\??\c:\jjddv.exec:\jjddv.exe112⤵PID:3776
-
\??\c:\lrxxlfr.exec:\lrxxlfr.exe113⤵PID:1636
-
\??\c:\9vpdp.exec:\9vpdp.exe114⤵PID:4208
-
\??\c:\nbtnbt.exec:\nbtnbt.exe115⤵PID:3060
-
\??\c:\pdvvp.exec:\pdvvp.exe116⤵PID:4428
-
\??\c:\thhthb.exec:\thhthb.exe117⤵PID:4656
-
\??\c:\pvdvj.exec:\pvdvj.exe118⤵PID:2880
-
\??\c:\7tbttt.exec:\7tbttt.exe119⤵PID:3320
-
\??\c:\flxxffl.exec:\flxxffl.exe120⤵PID:2884
-
\??\c:\hbnbtb.exec:\hbnbtb.exe121⤵PID:2244
-
\??\c:\frxxrxr.exec:\frxxrxr.exe122⤵PID:2692