Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27-11-2024 10:27
Behavioral task
behavioral1
Sample
7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe
Resource
win7-20240903-en
9 signatures
150 seconds
General
-
Target
7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe
-
Size
3.7MB
-
MD5
6b042ecf7c29ad15534621096520cab6
-
SHA1
a0e7ae80322f62f7fb7c13daf17fa7f4bf2fa401
-
SHA256
7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799
-
SHA512
b63817abac66a103cdc10149b2ff62a63a8ec86325e8d2b19936fa375292156a5899298e857cbd4dd4b811ee81ce70383087c26a31b222b51d6cb230fe25cc02
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98o:U6XLq/qPPslzKx/dJg1ErmNl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2200-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4720-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/584-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1344-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2752-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4164-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/312-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4868-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1300-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2520-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-482-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1464-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/312-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3768-585-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-655-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-683-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-1552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4632-1824-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2200 btttth.exe 4300 frrrxff.exe 5036 bnhhnt.exe 4304 nbttnt.exe 2000 lrxrfrf.exe 4400 vvpjd.exe 220 hbnhhh.exe 1064 lfrlfxr.exe 4720 nhhhbn.exe 5012 9rxlfxr.exe 3344 flfrlll.exe 1828 fxxxfll.exe 3256 nnnhhh.exe 4780 ffrrrxf.exe 584 nbhttb.exe 4004 jppdd.exe 1344 xxrlfff.exe 812 lrxrxff.exe 3280 jpvdp.exe 2704 vvjvd.exe 4616 rffllxf.exe 5008 dvddd.exe 4468 lfxrfxl.exe 1508 hhhbtb.exe 3904 ppppd.exe 1000 vjvvv.exe 2328 tthbbb.exe 3320 1bhhhn.exe 2764 tthhtt.exe 5016 xlrxxxr.exe 2752 tttttb.exe 2360 hbbthb.exe 4380 fxxflll.exe 1680 bhbnnt.exe 3332 9hhnnt.exe 3948 vvpjp.exe 4164 jvvdd.exe 1268 ddppv.exe 4040 xrllrxf.exe 4592 btnttb.exe 2000 nhbbtt.exe 4432 ppddp.exe 5052 ttbttn.exe 2732 jvddd.exe 2248 jvpvj.exe 4116 vpjjv.exe 4256 3ddvp.exe 3912 flrrxxf.exe 2724 xrrxxxr.exe 312 rrrrflf.exe 232 thhbtb.exe 1060 hhbbhh.exe 4780 jjddd.exe 4004 vvvvd.exe 4636 vpdvv.exe 4856 ddjjj.exe 3628 3vddd.exe 1392 jdddj.exe 1956 xxllxxr.exe 4852 ppvjj.exe 3620 1fllflf.exe 2780 rlxxxll.exe 1044 xrrfxfl.exe 3380 xxffxxf.exe -
resource yara_rule behavioral2/memory/3112-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bc8-3.dat upx behavioral2/memory/2200-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3112-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-11.dat upx behavioral2/files/0x0009000000023cb9-13.dat upx behavioral2/memory/4300-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-21.dat upx behavioral2/memory/5036-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-27.dat upx behavioral2/memory/4304-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2000-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-33.dat upx behavioral2/memory/4400-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-40.dat upx behavioral2/files/0x0007000000023cc2-46.dat upx behavioral2/files/0x0007000000023cc3-50.dat upx behavioral2/memory/1064-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-56.dat upx behavioral2/memory/4720-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-62.dat upx behavioral2/memory/5012-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-68.dat upx behavioral2/files/0x0007000000023cc7-74.dat upx behavioral2/files/0x0007000000023cc8-78.dat upx behavioral2/files/0x0007000000023cc9-83.dat upx behavioral2/files/0x0007000000023cca-88.dat upx behavioral2/memory/584-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-94.dat upx behavioral2/memory/1344-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4004-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-101.dat upx 
behavioral2/files/0x0007000000023cce-106.dat upx behavioral2/memory/812-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-112.dat upx behavioral2/memory/3280-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd0-118.dat upx behavioral2/files/0x0007000000023cd1-123.dat upx behavioral2/memory/4616-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-129.dat upx behavioral2/memory/5008-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd4-136.dat upx behavioral2/memory/1508-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4468-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd5-142.dat upx behavioral2/memory/3904-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd6-148.dat upx behavioral2/files/0x0007000000023cd7-153.dat upx behavioral2/files/0x0007000000023cd8-158.dat upx behavioral2/files/0x0007000000023cd9-163.dat upx behavioral2/files/0x0007000000023cda-169.dat upx behavioral2/files/0x0007000000023cdb-173.dat upx behavioral2/memory/5016-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdc-180.dat upx behavioral2/memory/2360-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2752-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1680-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4164-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1268-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1268-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4040-212-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2000-219-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2732-228-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4256-238-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3112 wrote to memory of 2200 3112 7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe 83 PID 3112 wrote to memory of 2200 3112 7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe 83 PID 3112 wrote to memory of 2200 3112 7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe 83 PID 2200 wrote to memory of 4300 2200 btttth.exe 84 PID 2200 wrote to memory of 4300 2200 btttth.exe 84 PID 2200 wrote to memory of 4300 2200 btttth.exe 84 PID 4300 wrote to memory of 5036 4300 frrrxff.exe 85 PID 4300 wrote to memory of 5036 4300 frrrxff.exe 85 PID 4300 wrote to memory of 5036 4300 frrrxff.exe 85 PID 5036 wrote to memory of 4304 5036 bnhhnt.exe 86 PID 5036 wrote to memory of 4304 5036 bnhhnt.exe 86 PID 5036 wrote to memory of 4304 5036 bnhhnt.exe 86 PID 4304 wrote to memory of 2000 4304 nbttnt.exe 87 PID 4304 wrote to memory of 2000 4304 nbttnt.exe 87 PID 4304 wrote to memory of 2000 4304 nbttnt.exe 87 PID 2000 wrote to memory of 4400 2000 lrxrfrf.exe 88 PID 2000 wrote to memory of 4400 2000 lrxrfrf.exe 88 PID 2000 wrote to memory of 4400 2000 lrxrfrf.exe 88 PID 4400 wrote to memory of 220 4400 vvpjd.exe 89 PID 4400 wrote to memory of 220 4400 vvpjd.exe 89 PID 4400 wrote to memory of 220 4400 vvpjd.exe 89 PID 220 wrote to memory of 1064 220 hbnhhh.exe 90 PID 220 wrote to memory of 1064 220 hbnhhh.exe 90 PID 220 wrote to memory of 1064 220 hbnhhh.exe 90 PID 1064 wrote to memory of 4720 1064 lfrlfxr.exe 91 PID 1064 wrote to memory of 4720 1064 lfrlfxr.exe 91 PID 1064 wrote to memory of 4720 1064 lfrlfxr.exe 91 PID 4720 wrote to memory of 5012 4720 nhhhbn.exe 92 PID 4720 wrote to memory of 5012 4720 nhhhbn.exe 92 PID 4720 wrote to memory of 5012 4720 nhhhbn.exe 92 PID 5012 wrote to memory of 3344 5012 9rxlfxr.exe 93 PID 5012 wrote to memory of 3344 5012 9rxlfxr.exe 93 PID 5012 wrote to memory of 3344 5012 9rxlfxr.exe 93 PID 3344 wrote to memory of 1828 3344 flfrlll.exe 94 PID 3344 wrote to 
memory of 1828 3344 flfrlll.exe 94 PID 3344 wrote to memory of 1828 3344 flfrlll.exe 94 PID 1828 wrote to memory of 3256 1828 fxxxfll.exe 95 PID 1828 wrote to memory of 3256 1828 fxxxfll.exe 95 PID 1828 wrote to memory of 3256 1828 fxxxfll.exe 95 PID 3256 wrote to memory of 4780 3256 nnnhhh.exe 98 PID 3256 wrote to memory of 4780 3256 nnnhhh.exe 98 PID 3256 wrote to memory of 4780 3256 nnnhhh.exe 98 PID 4780 wrote to memory of 584 4780 ffrrrxf.exe 99 PID 4780 wrote to memory of 584 4780 ffrrrxf.exe 99 PID 4780 wrote to memory of 584 4780 ffrrrxf.exe 99 PID 584 wrote to memory of 4004 584 nbhttb.exe 101 PID 584 wrote to memory of 4004 584 nbhttb.exe 101 PID 584 wrote to memory of 4004 584 nbhttb.exe 101 PID 4004 wrote to memory of 1344 4004 jppdd.exe 103 PID 4004 wrote to memory of 1344 4004 jppdd.exe 103 PID 4004 wrote to memory of 1344 4004 jppdd.exe 103 PID 1344 wrote to memory of 812 1344 xxrlfff.exe 104 PID 1344 wrote to memory of 812 1344 xxrlfff.exe 104 PID 1344 wrote to memory of 812 1344 xxrlfff.exe 104 PID 812 wrote to memory of 3280 812 lrxrxff.exe 105 PID 812 wrote to memory of 3280 812 lrxrxff.exe 105 PID 812 wrote to memory of 3280 812 lrxrxff.exe 105 PID 3280 wrote to memory of 2704 3280 jpvdp.exe 106 PID 3280 wrote to memory of 2704 3280 jpvdp.exe 106 PID 3280 wrote to memory of 2704 3280 jpvdp.exe 106 PID 2704 wrote to memory of 4616 2704 vvjvd.exe 108 PID 2704 wrote to memory of 4616 2704 vvjvd.exe 108 PID 2704 wrote to memory of 4616 2704 vvjvd.exe 108 PID 4616 wrote to memory of 5008 4616 rffllxf.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe"C:\Users\Admin\AppData\Local\Temp\7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\btttth.exec:\btttth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\frrrxff.exec:\frrrxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\bnhhnt.exec:\bnhhnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\nbttnt.exec:\nbttnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\lrxrfrf.exec:\lrxrfrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\vvpjd.exec:\vvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\hbnhhh.exec:\hbnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\nhhhbn.exec:\nhhhbn.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\9rxlfxr.exec:\9rxlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\flfrlll.exec:\flfrlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\fxxxfll.exec:\fxxxfll.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\nnnhhh.exec:\nnnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\ffrrrxf.exec:\ffrrrxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\nbhttb.exec:\nbhttb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\jppdd.exec:\jppdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\xxrlfff.exec:\xxrlfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\lrxrxff.exec:\lrxrxff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\jpvdp.exec:\jpvdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\vvjvd.exec:\vvjvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\rffllxf.exec:\rffllxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\dvddd.exec:\dvddd.exe23⤵
- Executes dropped EXE
PID:5008 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe24⤵
- Executes dropped EXE
PID:4468 -
\??\c:\hhhbtb.exec:\hhhbtb.exe25⤵
- Executes dropped EXE
PID:1508 -
\??\c:\ppppd.exec:\ppppd.exe26⤵
- Executes dropped EXE
PID:3904 -
\??\c:\vjvvv.exec:\vjvvv.exe27⤵
- Executes dropped EXE
PID:1000 -
\??\c:\tthbbb.exec:\tthbbb.exe28⤵
- Executes dropped EXE
PID:2328 -
\??\c:\1bhhhn.exec:\1bhhhn.exe29⤵
- Executes dropped EXE
PID:3320 -
\??\c:\tthhtt.exec:\tthhtt.exe30⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xlrxxxr.exec:\xlrxxxr.exe31⤵
- Executes dropped EXE
PID:5016 -
\??\c:\tttttb.exec:\tttttb.exe32⤵
- Executes dropped EXE
PID:2752 -
\??\c:\hbbthb.exec:\hbbthb.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360 -
\??\c:\fxxflll.exec:\fxxflll.exe34⤵
- Executes dropped EXE
PID:4380 -
\??\c:\bhbnnt.exec:\bhbnnt.exe35⤵
- Executes dropped EXE
PID:1680 -
\??\c:\9hhnnt.exec:\9hhnnt.exe36⤵
- Executes dropped EXE
PID:3332 -
\??\c:\vvpjp.exec:\vvpjp.exe37⤵
- Executes dropped EXE
PID:3948 -
\??\c:\jvvdd.exec:\jvvdd.exe38⤵
- Executes dropped EXE
PID:4164 -
\??\c:\ddppv.exec:\ddppv.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268 -
\??\c:\xrllrxf.exec:\xrllrxf.exe40⤵
- Executes dropped EXE
PID:4040 -
\??\c:\btnttb.exec:\btnttb.exe41⤵
- Executes dropped EXE
PID:4592 -
\??\c:\nhbbtt.exec:\nhbbtt.exe42⤵
- Executes dropped EXE
PID:2000 -
\??\c:\ppddp.exec:\ppddp.exe43⤵
- Executes dropped EXE
PID:4432 -
\??\c:\ttbttn.exec:\ttbttn.exe44⤵
- Executes dropped EXE
PID:5052 -
\??\c:\jvddd.exec:\jvddd.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jvpvj.exec:\jvpvj.exe46⤵
- Executes dropped EXE
PID:2248 -
\??\c:\vpjjv.exec:\vpjjv.exe47⤵
- Executes dropped EXE
PID:4116 -
\??\c:\3ddvp.exec:\3ddvp.exe48⤵
- Executes dropped EXE
PID:4256 -
\??\c:\flrrxxf.exec:\flrrxxf.exe49⤵
- Executes dropped EXE
PID:3912 -
\??\c:\xrrxxxr.exec:\xrrxxxr.exe50⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rrrrflf.exec:\rrrrflf.exe51⤵
- Executes dropped EXE
PID:312 -
\??\c:\thhbtb.exec:\thhbtb.exe52⤵
- Executes dropped EXE
PID:232 -
\??\c:\hhbbhh.exec:\hhbbhh.exe53⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jjddd.exec:\jjddd.exe54⤵
- Executes dropped EXE
PID:4780 -
\??\c:\vvvvd.exec:\vvvvd.exe55⤵
- Executes dropped EXE
PID:4004 -
\??\c:\vpdvv.exec:\vpdvv.exe56⤵
- Executes dropped EXE
PID:4636 -
\??\c:\ddjjj.exec:\ddjjj.exe57⤵
- Executes dropped EXE
PID:4856 -
\??\c:\3vddd.exec:\3vddd.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628 -
\??\c:\jdddj.exec:\jdddj.exe59⤵
- Executes dropped EXE
PID:1392 -
\??\c:\xxllxxr.exec:\xxllxxr.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
\??\c:\ppvjj.exec:\ppvjj.exe61⤵
- Executes dropped EXE
PID:4852 -
\??\c:\1fllflf.exec:\1fllflf.exe62⤵
- Executes dropped EXE
PID:3620 -
\??\c:\rlxxxll.exec:\rlxxxll.exe63⤵
- Executes dropped EXE
PID:2780 -
\??\c:\xrrfxfl.exec:\xrrfxfl.exe64⤵
- Executes dropped EXE
PID:1044 -
\??\c:\xxffxxf.exec:\xxffxxf.exe65⤵
- Executes dropped EXE
PID:3380 -
\??\c:\fxlfxlf.exec:\fxlfxlf.exe66⤵PID:404
-
\??\c:\5xxrlrr.exec:\5xxrlrr.exe67⤵PID:4564
-
\??\c:\fflfxrl.exec:\fflfxrl.exe68⤵PID:64
-
\??\c:\5rxxrrr.exec:\5rxxrrr.exe69⤵PID:1688
-
\??\c:\lxrxfll.exec:\lxrxfll.exe70⤵
- System Location Discovery: System Language Discovery
PID:3548 -
\??\c:\bthbtt.exec:\bthbtt.exe71⤵PID:3636
-
\??\c:\rrrllrl.exec:\rrrllrl.exe72⤵PID:4472
-
\??\c:\rrrrrrr.exec:\rrrrrrr.exe73⤵PID:2436
-
\??\c:\frllfff.exec:\frllfff.exe74⤵PID:516
-
\??\c:\xrrlffx.exec:\xrrlffx.exe75⤵PID:2516
-
\??\c:\xlllflf.exec:\xlllflf.exe76⤵PID:2316
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe77⤵PID:4632
-
\??\c:\llrllrr.exec:\llrllrr.exe78⤵PID:2636
-
\??\c:\xffrxfl.exec:\xffrxfl.exe79⤵PID:3348
-
\??\c:\rllfllf.exec:\rllfllf.exe80⤵PID:4868
-
\??\c:\ffrrrfl.exec:\ffrrrfl.exe81⤵PID:4520
-
\??\c:\5rffffl.exec:\5rffffl.exe82⤵PID:1300
-
\??\c:\1xlfxrx.exec:\1xlfxrx.exe83⤵
- System Location Discovery: System Language Discovery
PID:1680 -
\??\c:\lxxfxfl.exec:\lxxfxfl.exe84⤵PID:1924
-
\??\c:\lffxllf.exec:\lffxllf.exe85⤵PID:1960
-
\??\c:\vpjdv.exec:\vpjdv.exe86⤵PID:4600
-
\??\c:\9pppv.exec:\9pppv.exe87⤵PID:4384
-
\??\c:\dvpjp.exec:\dvpjp.exe88⤵PID:2380
-
\??\c:\xlrlllf.exec:\xlrlllf.exe89⤵PID:836
-
\??\c:\rxflxfl.exec:\rxflxfl.exe90⤵PID:4400
-
\??\c:\lfrrlrl.exec:\lfrrlrl.exe91⤵PID:3836
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe92⤵PID:1124
-
\??\c:\xffxrxr.exec:\xffxrxr.exe93⤵
- System Location Discovery: System Language Discovery
PID:2008 -
\??\c:\xlrllll.exec:\xlrllll.exe94⤵PID:3036
-
\??\c:\vdppj.exec:\vdppj.exe95⤵PID:4568
-
\??\c:\vvppj.exec:\vvppj.exe96⤵PID:5012
-
\??\c:\fllllrr.exec:\fllllrr.exe97⤵PID:556
-
\??\c:\djpdp.exec:\djpdp.exe98⤵PID:1828
-
\??\c:\3dppp.exec:\3dppp.exe99⤵PID:3360
-
\??\c:\1jjdv.exec:\1jjdv.exe100⤵PID:3256
-
\??\c:\vpvvj.exec:\vpvvj.exe101⤵PID:2964
-
\??\c:\btttnn.exec:\btttnn.exe102⤵PID:4084
-
\??\c:\jjjdv.exec:\jjjdv.exe103⤵PID:3172
-
\??\c:\bthhbn.exec:\bthhbn.exe104⤵PID:2388
-
\??\c:\hhbbth.exec:\hhbbth.exe105⤵PID:2520
-
\??\c:\pdjpp.exec:\pdjpp.exe106⤵
- System Location Discovery: System Language Discovery
PID:1344 -
\??\c:\nnhttn.exec:\nnhttn.exe107⤵PID:4060
-
\??\c:\bhhbbb.exec:\bhhbbb.exe108⤵PID:812
-
\??\c:\hntbbn.exec:\hntbbn.exe109⤵PID:3140
-
\??\c:\bbhhhh.exec:\bbhhhh.exe110⤵PID:3040
-
\??\c:\tnnnhb.exec:\tnnnhb.exe111⤵PID:4548
-
\??\c:\nbhhnn.exec:\nbhhnn.exe112⤵PID:4772
-
\??\c:\hhbhth.exec:\hhbhth.exe113⤵PID:2452
-
\??\c:\hthtnh.exec:\hthtnh.exe114⤵PID:228
-
\??\c:\btbbbb.exec:\btbbbb.exe115⤵PID:1236
-
\??\c:\bhtttb.exec:\bhtttb.exe116⤵PID:4468
-
\??\c:\tttnhh.exec:\tttnhh.exe117⤵
- System Location Discovery: System Language Discovery
PID:3232 -
\??\c:\nhtttt.exec:\nhtttt.exe118⤵PID:744
-
\??\c:\hhtntt.exec:\hhtntt.exe119⤵PID:1592
-
\??\c:\1tbttt.exec:\1tbttt.exe120⤵PID:1508
-
\??\c:\3tbtnn.exec:\3tbtnn.exe121⤵PID:4904
-
\??\c:\5fxflll.exec:\5fxflll.exe122⤵PID:3548