Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10-11-2024 12:48
Behavioral task
behavioral1
Sample
9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe
-
Size
3.7MB
-
MD5
9967b66c5da03db3c33b432aea338980
-
SHA1
3d61254a00f9599b772151636b0c2ae5735ad95c
-
SHA256
9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8
-
SHA512
41c355d7bbeec44e09014b2f940b3b816d1a7912a9eab89707cde6618c20d6e876ac12646373f51984bb90761903857599d38bcf15cafd4f5a115cec3d9735c7
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98a:U6XLq/qPPslzKx/dJg1ErmNJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3356-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4164-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4696-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2256-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/656-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1692-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3536-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/652-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-529-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-686-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-833-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-1288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3056-1343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family (family tag only; no Njrat-specific IoCs or config are shown in this report, so treat this attribution as unconfirmed)
-
Executes dropped EXE 64 IoCs (listing truncated at 64 entries; the process tree below shows well over 64 dropped executables, each written to and run from the drive root, e.g. \??\c:\64486.exe)
pid Process 2564 64486.exe 2200 xxrffll.exe 4968 frrrxxr.exe 3344 00842.exe 3376 42680.exe 4800 8602404.exe 3480 226600.exe 1576 800666.exe 2040 6606446.exe 4376 rlllfff.exe 1340 24820.exe 3492 bbnnnh.exe 1836 2066082.exe 2208 40860.exe 100 xlrrrxx.exe 1540 k66622.exe 4080 06000.exe 3860 084662.exe 4024 nntnhh.exe 752 6444224.exe 4568 bnbbtb.exe 5008 dvppj.exe 552 820060.exe 4164 4008282.exe 4760 5bhntt.exe 4628 086226.exe 3056 686222.exe 4696 448002.exe 4340 26620.exe 2256 pdvvd.exe 2804 tnntnt.exe 2084 jdjdd.exe 3104 nnbbtb.exe 656 ppjvj.exe 4480 862468.exe 544 llxxffx.exe 1980 400424.exe 4116 httnnb.exe 3616 204864.exe 2496 vddvd.exe 3908 bhhhhh.exe 3492 68266.exe 4748 68046.exe 220 660444.exe 2208 68828.exe 2332 428868.exe 2624 0462266.exe 4080 0824444.exe 3136 dddpj.exe 4528 pjjdv.exe 3264 866600.exe 4472 6028448.exe 4000 flxxrfl.exe 4564 606062.exe 1704 bbhnnh.exe 3904 24424.exe 4768 hbhbtt.exe 5004 hbnnth.exe 1692 vdppj.exe 1588 jjppj.exe 2560 tttnhb.exe 4476 88462.exe 532 fxfxxfx.exe 4572 02046.exe -
resource yara_rule behavioral2/memory/3356-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca4-3.dat upx behavioral2/memory/3356-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-8.dat upx behavioral2/memory/2564-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-12.dat upx behavioral2/memory/2200-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4968-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca5-22.dat upx behavioral2/files/0x0007000000023cab-25.dat upx behavioral2/memory/3376-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3344-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-33.dat upx behavioral2/memory/4800-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3376-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0002000000022a9f-41.dat upx behavioral2/files/0x000e000000023b5c-45.dat upx behavioral2/memory/3480-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1576-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0002000000022a9d-51.dat upx behavioral2/memory/2040-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0013000000011959-57.dat upx behavioral2/files/0x000400000001e56e-64.dat upx behavioral2/memory/4376-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a00000001e5c5-70.dat upx behavioral2/memory/1340-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-75.dat upx behavioral2/memory/3492-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1836-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-80.dat upx 
behavioral2/files/0x0007000000023caf-87.dat upx behavioral2/files/0x0007000000023cb0-90.dat upx behavioral2/memory/1540-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-98.dat upx behavioral2/files/0x0007000000023cb3-103.dat upx behavioral2/files/0x0007000000023cb4-109.dat upx behavioral2/memory/3860-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-112.dat upx behavioral2/memory/4024-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4568-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-119.dat upx behavioral2/files/0x0007000000023cb7-124.dat upx behavioral2/memory/5008-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-130.dat upx behavioral2/files/0x0007000000023cb9-135.dat upx behavioral2/memory/4164-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/552-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-142.dat upx behavioral2/files/0x0007000000023cbc-147.dat upx behavioral2/files/0x0007000000023cbd-154.dat upx behavioral2/memory/4696-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3056-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-158.dat upx behavioral2/files/0x0007000000023cbf-166.dat upx behavioral2/files/0x0007000000023cc0-169.dat upx behavioral2/files/0x0007000000023cc1-177.dat upx behavioral2/memory/2256-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-182.dat upx behavioral2/memory/656-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/656-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/544-198-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4480-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3908-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4748-224-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6620804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2662266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lflrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k40084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6066622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8042682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 224866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8nhbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2420000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6224444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8828884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxflr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i666040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6882624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4008282.exe -
Suspicious use of WriteProcessMemory 64 IoCs (listing truncated at 64 entries; each dropped executable spawns the next, so the chain continues beyond PID 5008 as shown in the process tree. Note that several PIDs are reused later in the run, e.g. 3492, 2208 and 4080, so match entries by parent/child order rather than by PID alone)
description pid Process procid_target PID 3356 wrote to memory of 2564 3356 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe 83 PID 3356 wrote to memory of 2564 3356 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe 83 PID 3356 wrote to memory of 2564 3356 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe 83 PID 2564 wrote to memory of 2200 2564 64486.exe 86 PID 2564 wrote to memory of 2200 2564 64486.exe 86 PID 2564 wrote to memory of 2200 2564 64486.exe 86 PID 2200 wrote to memory of 4968 2200 xxrffll.exe 88 PID 2200 wrote to memory of 4968 2200 xxrffll.exe 88 PID 2200 wrote to memory of 4968 2200 xxrffll.exe 88 PID 4968 wrote to memory of 3344 4968 frrrxxr.exe 89 PID 4968 wrote to memory of 3344 4968 frrrxxr.exe 89 PID 4968 wrote to memory of 3344 4968 frrrxxr.exe 89 PID 3344 wrote to memory of 3376 3344 00842.exe 129 PID 3344 wrote to memory of 3376 3344 00842.exe 129 PID 3344 wrote to memory of 3376 3344 00842.exe 129 PID 3376 wrote to memory of 4800 3376 42680.exe 91 PID 3376 wrote to memory of 4800 3376 42680.exe 91 PID 3376 wrote to memory of 4800 3376 42680.exe 91 PID 4800 wrote to memory of 3480 4800 8602404.exe 92 PID 4800 wrote to memory of 3480 4800 8602404.exe 92 PID 4800 wrote to memory of 3480 4800 8602404.exe 92 PID 3480 wrote to memory of 1576 3480 226600.exe 93 PID 3480 wrote to memory of 1576 3480 226600.exe 93 PID 3480 wrote to memory of 1576 3480 226600.exe 93 PID 1576 wrote to memory of 2040 1576 800666.exe 94 PID 1576 wrote to memory of 2040 1576 800666.exe 94 PID 1576 wrote to memory of 2040 1576 800666.exe 94 PID 2040 wrote to memory of 4376 2040 6606446.exe 95 PID 2040 wrote to memory of 4376 2040 6606446.exe 95 PID 2040 wrote to memory of 4376 2040 6606446.exe 95 PID 4376 wrote to memory of 1340 4376 rlllfff.exe 96 PID 4376 wrote to memory of 1340 4376 rlllfff.exe 96 PID 4376 wrote to memory of 1340 4376 rlllfff.exe 96 PID 1340 wrote to memory of 3492 1340 24820.exe 136 PID 
1340 wrote to memory of 3492 1340 24820.exe 136 PID 1340 wrote to memory of 3492 1340 24820.exe 136 PID 3492 wrote to memory of 1836 3492 bbnnnh.exe 98 PID 3492 wrote to memory of 1836 3492 bbnnnh.exe 98 PID 3492 wrote to memory of 1836 3492 bbnnnh.exe 98 PID 1836 wrote to memory of 2208 1836 2066082.exe 139 PID 1836 wrote to memory of 2208 1836 2066082.exe 139 PID 1836 wrote to memory of 2208 1836 2066082.exe 139 PID 2208 wrote to memory of 100 2208 40860.exe 102 PID 2208 wrote to memory of 100 2208 40860.exe 102 PID 2208 wrote to memory of 100 2208 40860.exe 102 PID 100 wrote to memory of 1540 100 xlrrrxx.exe 103 PID 100 wrote to memory of 1540 100 xlrrrxx.exe 103 PID 100 wrote to memory of 1540 100 xlrrrxx.exe 103 PID 1540 wrote to memory of 4080 1540 k66622.exe 142 PID 1540 wrote to memory of 4080 1540 k66622.exe 142 PID 1540 wrote to memory of 4080 1540 k66622.exe 142 PID 4080 wrote to memory of 3860 4080 06000.exe 107 PID 4080 wrote to memory of 3860 4080 06000.exe 107 PID 4080 wrote to memory of 3860 4080 06000.exe 107 PID 3860 wrote to memory of 4024 3860 084662.exe 108 PID 3860 wrote to memory of 4024 3860 084662.exe 108 PID 3860 wrote to memory of 4024 3860 084662.exe 108 PID 4024 wrote to memory of 752 4024 nntnhh.exe 109 PID 4024 wrote to memory of 752 4024 nntnhh.exe 109 PID 4024 wrote to memory of 752 4024 nntnhh.exe 109 PID 752 wrote to memory of 4568 752 6444224.exe 110 PID 752 wrote to memory of 4568 752 6444224.exe 110 PID 752 wrote to memory of 4568 752 6444224.exe 110 PID 4568 wrote to memory of 5008 4568 bnbbtb.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe"C:\Users\Admin\AppData\Local\Temp\9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\64486.exec:\64486.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\xxrffll.exec:\xxrffll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\frrrxxr.exec:\frrrxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\00842.exec:\00842.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\42680.exec:\42680.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\8602404.exec:\8602404.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\226600.exec:\226600.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\800666.exec:\800666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\6606446.exec:\6606446.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\rlllfff.exec:\rlllfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\24820.exec:\24820.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\bbnnnh.exec:\bbnnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\2066082.exec:\2066082.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\40860.exec:\40860.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\xlrrrxx.exec:\xlrrrxx.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\k66622.exec:\k66622.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\06000.exec:\06000.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\084662.exec:\084662.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\nntnhh.exec:\nntnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\6444224.exec:\6444224.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\bnbbtb.exec:\bnbbtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\dvppj.exec:\dvppj.exe23⤵
- Executes dropped EXE
PID:5008 -
\??\c:\820060.exec:\820060.exe24⤵
- Executes dropped EXE
PID:552 -
\??\c:\4008282.exec:\4008282.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4164 -
\??\c:\5bhntt.exec:\5bhntt.exe26⤵
- Executes dropped EXE
PID:4760 -
\??\c:\086226.exec:\086226.exe27⤵
- Executes dropped EXE
PID:4628 -
\??\c:\686222.exec:\686222.exe28⤵
- Executes dropped EXE
PID:3056 -
\??\c:\448002.exec:\448002.exe29⤵
- Executes dropped EXE
PID:4696 -
\??\c:\26620.exec:\26620.exe30⤵
- Executes dropped EXE
PID:4340 -
\??\c:\pdvvd.exec:\pdvvd.exe31⤵
- Executes dropped EXE
PID:2256 -
\??\c:\tnntnt.exec:\tnntnt.exe32⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jdjdd.exec:\jdjdd.exe33⤵
- Executes dropped EXE
PID:2084 -
\??\c:\nnbbtb.exec:\nnbbtb.exe34⤵
- Executes dropped EXE
PID:3104 -
\??\c:\ppjvj.exec:\ppjvj.exe35⤵
- Executes dropped EXE
PID:656 -
\??\c:\862468.exec:\862468.exe36⤵
- Executes dropped EXE
PID:4480 -
\??\c:\llxxffx.exec:\llxxffx.exe37⤵
- Executes dropped EXE
PID:544 -
\??\c:\400424.exec:\400424.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
\??\c:\httnnb.exec:\httnnb.exe39⤵
- Executes dropped EXE
PID:4116 -
\??\c:\204864.exec:\204864.exe40⤵
- Executes dropped EXE
PID:3616 -
\??\c:\vddvd.exec:\vddvd.exe41⤵
- Executes dropped EXE
PID:2496 -
\??\c:\bhhhhh.exec:\bhhhhh.exe42⤵
- Executes dropped EXE
PID:3908 -
\??\c:\68266.exec:\68266.exe43⤵
- Executes dropped EXE
PID:3492 -
\??\c:\68046.exec:\68046.exe44⤵
- Executes dropped EXE
PID:4748 -
\??\c:\660444.exec:\660444.exe45⤵
- Executes dropped EXE
PID:220 -
\??\c:\68828.exec:\68828.exe46⤵
- Executes dropped EXE
PID:2208 -
\??\c:\428868.exec:\428868.exe47⤵
- Executes dropped EXE
PID:2332 -
\??\c:\0462266.exec:\0462266.exe48⤵
- Executes dropped EXE
PID:2624 -
\??\c:\0824444.exec:\0824444.exe49⤵
- Executes dropped EXE
PID:4080 -
\??\c:\dddpj.exec:\dddpj.exe50⤵
- Executes dropped EXE
PID:3136 -
\??\c:\pjjdv.exec:\pjjdv.exe51⤵
- Executes dropped EXE
PID:4528 -
\??\c:\866600.exec:\866600.exe52⤵
- Executes dropped EXE
PID:3264 -
\??\c:\6028448.exec:\6028448.exe53⤵
- Executes dropped EXE
PID:4472 -
\??\c:\flxxrfl.exec:\flxxrfl.exe54⤵
- Executes dropped EXE
PID:4000 -
\??\c:\606062.exec:\606062.exe55⤵
- Executes dropped EXE
PID:4564 -
\??\c:\bbhnnh.exec:\bbhnnh.exe56⤵
- Executes dropped EXE
PID:1704 -
\??\c:\24424.exec:\24424.exe57⤵
- Executes dropped EXE
PID:3904 -
\??\c:\hbhbtt.exec:\hbhbtt.exe58⤵
- Executes dropped EXE
PID:4768 -
\??\c:\hbnnth.exec:\hbnnth.exe59⤵
- Executes dropped EXE
PID:5004 -
\??\c:\vdppj.exec:\vdppj.exe60⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jjppj.exec:\jjppj.exe61⤵
- Executes dropped EXE
PID:1588 -
\??\c:\tttnhb.exec:\tttnhb.exe62⤵
- Executes dropped EXE
PID:2560 -
\??\c:\88462.exec:\88462.exe63⤵
- Executes dropped EXE
PID:4476 -
\??\c:\fxfxxfx.exec:\fxfxxfx.exe64⤵
- Executes dropped EXE
PID:532 -
\??\c:\02046.exec:\02046.exe65⤵
- Executes dropped EXE
PID:4572 -
\??\c:\ttthhb.exec:\ttthhb.exe66⤵PID:4696
-
\??\c:\ntnbth.exec:\ntnbth.exe67⤵PID:3520
-
\??\c:\dpppj.exec:\dpppj.exe68⤵PID:3536
-
\??\c:\ppddd.exec:\ppddd.exe69⤵PID:2288
-
\??\c:\84424.exec:\84424.exe70⤵PID:2660
-
\??\c:\068024.exec:\068024.exe71⤵PID:4728
-
\??\c:\tnbnbt.exec:\tnbnbt.exe72⤵PID:3416
-
\??\c:\4082262.exec:\4082262.exe73⤵PID:2284
-
\??\c:\nbttnb.exec:\nbttnb.exe74⤵PID:2736
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe75⤵PID:2936
-
\??\c:\8004266.exec:\8004266.exe76⤵PID:3680
-
\??\c:\68000.exec:\68000.exe77⤵PID:3956
-
\??\c:\7vpjd.exec:\7vpjd.exe78⤵PID:4428
-
\??\c:\80464.exec:\80464.exe79⤵PID:652
-
\??\c:\a4666.exec:\a4666.exe80⤵PID:1404
-
\??\c:\lflxfrf.exec:\lflxfrf.exe81⤵PID:3616
-
\??\c:\284244.exec:\284244.exe82⤵PID:1652
-
\??\c:\880288.exec:\880288.exe83⤵PID:2868
-
\??\c:\tthnnn.exec:\tthnnn.exe84⤵PID:3844
-
\??\c:\a0822.exec:\a0822.exe85⤵PID:5056
-
\??\c:\0408086.exec:\0408086.exe86⤵PID:4908
-
\??\c:\888668.exec:\888668.exe87⤵PID:528
-
\??\c:\rrlxrlx.exec:\rrlxrlx.exe88⤵PID:2332
-
\??\c:\a2484.exec:\a2484.exe89⤵
- System Location Discovery: System Language Discovery
PID:1196 -
\??\c:\vvddd.exec:\vvddd.exe90⤵PID:3860
-
\??\c:\llrrxff.exec:\llrrxff.exe91⤵PID:3888
-
\??\c:\9vpdp.exec:\9vpdp.exe92⤵PID:224
-
\??\c:\22200.exec:\22200.exe93⤵PID:448
-
\??\c:\0008682.exec:\0008682.exe94⤵PID:1080
-
\??\c:\xflffxr.exec:\xflffxr.exe95⤵PID:4568
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe96⤵PID:3560
-
\??\c:\jddvv.exec:\jddvv.exe97⤵PID:2352
-
\??\c:\vvvdj.exec:\vvvdj.exe98⤵
- System Location Discovery: System Language Discovery
PID:1704 -
\??\c:\s6880.exec:\s6880.exe99⤵PID:1240
-
\??\c:\6848420.exec:\6848420.exe100⤵PID:4492
-
\??\c:\flxxfxr.exec:\flxxfxr.exe101⤵PID:4532
-
\??\c:\26886.exec:\26886.exe102⤵PID:3636
-
\??\c:\flflxff.exec:\flflxff.exe103⤵PID:392
-
\??\c:\422200.exec:\422200.exe104⤵PID:3768
-
\??\c:\28444.exec:\28444.exe105⤵PID:2396
-
\??\c:\0400022.exec:\0400022.exe106⤵PID:3148
-
\??\c:\9pvvd.exec:\9pvvd.exe107⤵PID:1556
-
\??\c:\064646.exec:\064646.exe108⤵PID:1904
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe109⤵PID:4332
-
\??\c:\xxflllf.exec:\xxflllf.exe110⤵PID:4460
-
\??\c:\g6262.exec:\g6262.exe111⤵PID:4572
-
\??\c:\0428844.exec:\0428844.exe112⤵PID:2256
-
\??\c:\fxfrrxr.exec:\fxfrrxr.exe113⤵PID:3520
-
\??\c:\xlfffll.exec:\xlfffll.exe114⤵PID:2448
-
\??\c:\4644404.exec:\4644404.exe115⤵PID:2288
-
\??\c:\7tnhbb.exec:\7tnhbb.exe116⤵PID:4016
-
\??\c:\jpjvj.exec:\jpjvj.exe117⤵
- System Location Discovery: System Language Discovery
PID:1420 -
\??\c:\c268684.exec:\c268684.exe118⤵PID:408
-
\??\c:\0402028.exec:\0402028.exe119⤵PID:4320
-
\??\c:\7lflrfl.exec:\7lflrfl.exe120⤵
- System Location Discovery: System Language Discovery
PID:3480 -
\??\c:\26288.exec:\26288.exe121⤵PID:3932
-
\??\c:\rlrllll.exec:\rlrllll.exe122⤵PID:316