Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27-11-2024 12:59
Behavioral task
behavioral1
Sample
b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe
-
Size
3.7MB
-
MD5
c722e843ae356cd0764da115f6f55430
-
SHA1
3bb76601ac55c18d393b3ff11b10de85e3c8ef58
-
SHA256
b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9
-
SHA512
92effee08d88dc4cf929c8e23380e6f1a9b6643794cf80bafd271af7eaad1a58a446ada6aa14a7fddb9444acaaaa2f0663231f3c01e47226345e4fe4b4ff5ebe
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98w:U6XLq/qPPslzKx/dJg1ErmNv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1516-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1344-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1260-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2952-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/856-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4784-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2760-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/672-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-596-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-630-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-658-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-662-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-675-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2792-761-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-852-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-965-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-1041-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-1738-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1516 lxlllll.exe 3628 vpdvd.exe 3544 rllllll.exe 5000 djjjd.exe 392 3djdv.exe 1712 lllxrrr.exe 2468 7nhtbt.exe 3348 rxrfrlf.exe 4532 xxfxfrl.exe 2372 vvjvv.exe 1700 9pjdv.exe 2408 7xxfxfr.exe 3564 ntbtnh.exe 3844 pvjjd.exe 3132 lxfxrrl.exe 1344 jdvpj.exe 3004 lxllfxx.exe 4420 nhbbbb.exe 3688 hhnnhn.exe 1928 7pppp.exe 4008 5lrrlll.exe 780 7bbnnn.exe 1260 9xfxxxr.exe 2952 hthhbh.exe 2300 1dvpp.exe 1840 3pvpj.exe 3664 bttbbt.exe 4716 bntnhh.exe 1340 7xxxxxf.exe 2768 vjppj.exe 4080 dvjvd.exe 2844 jdpjj.exe 2168 5lxxrrr.exe 3744 3jvjd.exe 1096 vvjdp.exe 456 3tbbtt.exe 3596 hbttnh.exe 3628 tnttnn.exe 2556 ntnhht.exe 1676 bhnnhn.exe 1504 btbbtt.exe 392 nhttnn.exe 1560 5rxxrrl.exe 536 rlllxxx.exe 4208 5frlfrl.exe 1036 rrrlfff.exe 5104 1lxlrxx.exe 548 flxrllr.exe 2816 9jdvv.exe 1476 jdddj.exe 3112 pjvpv.exe 2932 hbtttt.exe 2408 7htnhh.exe 856 btnnnh.exe 2008 5thbtt.exe 2736 9httnn.exe 2628 llrxrxr.exe 1348 lxrlffx.exe 4784 lrfxfxx.exe 5016 vpdvd.exe 3028 pdpdd.exe 3560 jddvd.exe 5080 vjpjd.exe 736 ppdjp.exe -
resource yara_rule behavioral2/memory/3744-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ba0-3.dat upx behavioral2/memory/1516-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3744-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba8-10.dat upx behavioral2/files/0x000a000000023ba9-13.dat upx behavioral2/memory/3628-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baa-21.dat upx behavioral2/memory/5000-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/392-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bab-29.dat upx behavioral2/files/0x000a000000023bac-34.dat upx behavioral2/memory/1712-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/392-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bad-42.dat upx behavioral2/memory/2468-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bae-45.dat upx behavioral2/files/0x000b000000023baf-51.dat upx behavioral2/memory/3348-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4532-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bb0-58.dat upx behavioral2/memory/2372-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb8-64.dat upx behavioral2/files/0x000e000000023bbf-69.dat upx behavioral2/memory/1700-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bcd-76.dat upx behavioral2/memory/3564-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2408-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bce-82.dat upx behavioral2/memory/3564-85-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0009000000023bcf-88.dat upx behavioral2/memory/3844-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bd3-94.dat upx behavioral2/memory/3132-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd5-100.dat upx behavioral2/memory/1344-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd8-106.dat upx behavioral2/memory/4420-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3004-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd9-113.dat upx behavioral2/files/0x0008000000023bda-118.dat upx behavioral2/files/0x0008000000023bdb-123.dat upx behavioral2/memory/1928-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0b-128.dat upx behavioral2/memory/4008-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0c-134.dat upx behavioral2/files/0x0008000000023c0d-139.dat upx behavioral2/memory/1260-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0e-145.dat upx behavioral2/memory/2952-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0f-151.dat upx behavioral2/memory/2300-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1840-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c14-157.dat upx behavioral2/files/0x0008000000023c15-164.dat upx behavioral2/memory/3664-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c16-168.dat upx behavioral2/memory/4716-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c28-175.dat upx behavioral2/files/0x0008000000023c2e-181.dat upx behavioral2/memory/2768-182-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0008000000023c2f-186.dat upx behavioral2/memory/2844-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4080-188-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfxrr.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrrll.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3744 wrote to memory of 1516 3744 b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe 83 PID 3744 wrote to memory of 1516 3744 b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe 83 PID 3744 wrote to memory of 1516 3744 b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe 83 PID 1516 wrote to memory of 3628 1516 lxlllll.exe 84 PID 1516 wrote to memory of 3628 1516 lxlllll.exe 84 PID 1516 wrote to memory of 3628 1516 lxlllll.exe 84 PID 3628 wrote to memory of 3544 3628 vpdvd.exe 85 PID 3628 wrote to memory of 3544 3628 vpdvd.exe 85 PID 3628 wrote to memory of 3544 3628 vpdvd.exe 85 PID 3544 wrote to memory of 5000 3544 rllllll.exe 86 PID 3544 wrote to memory of 5000 3544 rllllll.exe 86 PID 3544 wrote to memory of 5000 3544 rllllll.exe 86 PID 5000 wrote to memory of 392 5000 djjjd.exe 87 PID 5000 wrote to memory of 392 5000 djjjd.exe 87 PID 5000 wrote to memory of 392 5000 djjjd.exe 87 PID 392 wrote to memory of 1712 392 3djdv.exe 88 PID 392 wrote to memory of 1712 392 3djdv.exe 88 PID 392 wrote to memory of 1712 392 3djdv.exe 88 PID 1712 wrote to memory of 2468 1712 lllxrrr.exe 89 PID 1712 wrote to memory of 2468 1712 lllxrrr.exe 89 PID 1712 wrote to memory of 2468 1712 lllxrrr.exe 89 PID 2468 wrote to memory of 3348 2468 7nhtbt.exe 90 PID 2468 wrote to memory of 3348 2468 7nhtbt.exe 90 PID 2468 wrote to memory of 3348 2468 7nhtbt.exe 90 PID 3348 wrote to memory of 4532 3348 rxrfrlf.exe 91 PID 3348 wrote to memory of 4532 3348 rxrfrlf.exe 91 PID 3348 wrote to memory of 4532 3348 rxrfrlf.exe 91 PID 4532 wrote to memory of 2372 4532 xxfxfrl.exe 92 PID 4532 wrote to memory of 2372 4532 xxfxfrl.exe 92 PID 4532 wrote to memory of 2372 4532 xxfxfrl.exe 92 PID 2372 wrote to memory of 1700 2372 vvjvv.exe 95 PID 2372 wrote to memory of 1700 2372 vvjvv.exe 95 PID 2372 wrote to memory of 1700 2372 vvjvv.exe 95 PID 1700 wrote to memory of 2408 1700 9pjdv.exe 96 PID 1700 wrote to 
memory of 2408 1700 9pjdv.exe 96 PID 1700 wrote to memory of 2408 1700 9pjdv.exe 96 PID 2408 wrote to memory of 3564 2408 7xxfxfr.exe 98 PID 2408 wrote to memory of 3564 2408 7xxfxfr.exe 98 PID 2408 wrote to memory of 3564 2408 7xxfxfr.exe 98 PID 3564 wrote to memory of 3844 3564 ntbtnh.exe 100 PID 3564 wrote to memory of 3844 3564 ntbtnh.exe 100 PID 3564 wrote to memory of 3844 3564 ntbtnh.exe 100 PID 3844 wrote to memory of 3132 3844 pvjjd.exe 101 PID 3844 wrote to memory of 3132 3844 pvjjd.exe 101 PID 3844 wrote to memory of 3132 3844 pvjjd.exe 101 PID 3132 wrote to memory of 1344 3132 lxfxrrl.exe 102 PID 3132 wrote to memory of 1344 3132 lxfxrrl.exe 102 PID 3132 wrote to memory of 1344 3132 lxfxrrl.exe 102 PID 1344 wrote to memory of 3004 1344 jdvpj.exe 103 PID 1344 wrote to memory of 3004 1344 jdvpj.exe 103 PID 1344 wrote to memory of 3004 1344 jdvpj.exe 103 PID 3004 wrote to memory of 4420 3004 lxllfxx.exe 104 PID 3004 wrote to memory of 4420 3004 lxllfxx.exe 104 PID 3004 wrote to memory of 4420 3004 lxllfxx.exe 104 PID 4420 wrote to memory of 3688 4420 nhbbbb.exe 105 PID 4420 wrote to memory of 3688 4420 nhbbbb.exe 105 PID 4420 wrote to memory of 3688 4420 nhbbbb.exe 105 PID 3688 wrote to memory of 1928 3688 hhnnhn.exe 106 PID 3688 wrote to memory of 1928 3688 hhnnhn.exe 106 PID 3688 wrote to memory of 1928 3688 hhnnhn.exe 106 PID 1928 wrote to memory of 4008 1928 7pppp.exe 107 PID 1928 wrote to memory of 4008 1928 7pppp.exe 107 PID 1928 wrote to memory of 4008 1928 7pppp.exe 107 PID 4008 wrote to memory of 780 4008 5lrrlll.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe"C:\Users\Admin\AppData\Local\Temp\b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\lxlllll.exec:\lxlllll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\vpdvd.exec:\vpdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\rllllll.exec:\rllllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\djjjd.exec:\djjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\3djdv.exec:\3djdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\lllxrrr.exec:\lllxrrr.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\7nhtbt.exec:\7nhtbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\rxrfrlf.exec:\rxrfrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\xxfxfrl.exec:\xxfxfrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\vvjvv.exec:\vvjvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\9pjdv.exec:\9pjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\7xxfxfr.exec:\7xxfxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\ntbtnh.exec:\ntbtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\pvjjd.exec:\pvjjd.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\jdvpj.exec:\jdvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\lxllfxx.exec:\lxllfxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\nhbbbb.exec:\nhbbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\hhnnhn.exec:\hhnnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\7pppp.exec:\7pppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\5lrrlll.exec:\5lrrlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\7bbnnn.exec:\7bbnnn.exe23⤵
- Executes dropped EXE
PID:780 -
\??\c:\9xfxxxr.exec:\9xfxxxr.exe24⤵
- Executes dropped EXE
PID:1260 -
\??\c:\hthhbh.exec:\hthhbh.exe25⤵
- Executes dropped EXE
PID:2952 -
\??\c:\1dvpp.exec:\1dvpp.exe26⤵
- Executes dropped EXE
PID:2300 -
\??\c:\3pvpj.exec:\3pvpj.exe27⤵
- Executes dropped EXE
PID:1840 -
\??\c:\bttbbt.exec:\bttbbt.exe28⤵
- Executes dropped EXE
PID:3664 -
\??\c:\bntnhh.exec:\bntnhh.exe29⤵
- Executes dropped EXE
PID:4716 -
\??\c:\7xxxxxf.exec:\7xxxxxf.exe30⤵
- Executes dropped EXE
PID:1340 -
\??\c:\vjppj.exec:\vjppj.exe31⤵
- Executes dropped EXE
PID:2768 -
\??\c:\dvjvd.exec:\dvjvd.exe32⤵
- Executes dropped EXE
PID:4080 -
\??\c:\jdpjj.exec:\jdpjj.exe33⤵
- Executes dropped EXE
PID:2844 -
\??\c:\5lxxrrr.exec:\5lxxrrr.exe34⤵
- Executes dropped EXE
PID:2168 -
\??\c:\3jvjd.exec:\3jvjd.exe35⤵
- Executes dropped EXE
PID:3744 -
\??\c:\vvjdp.exec:\vvjdp.exe36⤵
- Executes dropped EXE
PID:1096 -
\??\c:\3tbbtt.exec:\3tbbtt.exe37⤵
- Executes dropped EXE
PID:456 -
\??\c:\hbttnh.exec:\hbttnh.exe38⤵
- Executes dropped EXE
PID:3596 -
\??\c:\tnttnn.exec:\tnttnn.exe39⤵
- Executes dropped EXE
PID:3628 -
\??\c:\ntnhht.exec:\ntnhht.exe40⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bhnnhn.exec:\bhnnhn.exe41⤵
- Executes dropped EXE
PID:1676 -
\??\c:\btbbtt.exec:\btbbtt.exe42⤵
- Executes dropped EXE
PID:1504 -
\??\c:\nhttnn.exec:\nhttnn.exe43⤵
- Executes dropped EXE
PID:392 -
\??\c:\5rxxrrl.exec:\5rxxrrl.exe44⤵
- Executes dropped EXE
PID:1560 -
\??\c:\rlllxxx.exec:\rlllxxx.exe45⤵
- Executes dropped EXE
PID:536 -
\??\c:\5frlfrl.exec:\5frlfrl.exe46⤵
- Executes dropped EXE
PID:4208 -
\??\c:\rrrlfff.exec:\rrrlfff.exe47⤵
- Executes dropped EXE
PID:1036 -
\??\c:\1lxlrxx.exec:\1lxlrxx.exe48⤵
- Executes dropped EXE
PID:5104 -
\??\c:\flxrllr.exec:\flxrllr.exe49⤵
- Executes dropped EXE
PID:548 -
\??\c:\9jdvv.exec:\9jdvv.exe50⤵
- Executes dropped EXE
PID:2816 -
\??\c:\jdddj.exec:\jdddj.exe51⤵
- Executes dropped EXE
PID:1476 -
\??\c:\pjvpv.exec:\pjvpv.exe52⤵
- Executes dropped EXE
PID:3112 -
\??\c:\hbtttt.exec:\hbtttt.exe53⤵
- Executes dropped EXE
PID:2932 -
\??\c:\7htnhh.exec:\7htnhh.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2408 -
\??\c:\btnnnh.exec:\btnnnh.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856 -
\??\c:\5thbtt.exec:\5thbtt.exe56⤵
- Executes dropped EXE
PID:2008 -
\??\c:\9httnn.exec:\9httnn.exe57⤵
- Executes dropped EXE
PID:2736 -
\??\c:\llrxrxr.exec:\llrxrxr.exe58⤵
- Executes dropped EXE
PID:2628 -
\??\c:\lxrlffx.exec:\lxrlffx.exe59⤵
- Executes dropped EXE
PID:1348 -
\??\c:\lrfxfxx.exec:\lrfxfxx.exe60⤵
- Executes dropped EXE
PID:4784 -
\??\c:\vpdvd.exec:\vpdvd.exe61⤵
- Executes dropped EXE
PID:5016 -
\??\c:\pdpdd.exec:\pdpdd.exe62⤵
- Executes dropped EXE
PID:3028 -
\??\c:\jddvd.exec:\jddvd.exe63⤵
- Executes dropped EXE
PID:3560 -
\??\c:\vjpjd.exec:\vjpjd.exe64⤵
- Executes dropped EXE
PID:5080 -
\??\c:\ppdjp.exec:\ppdjp.exe65⤵
- Executes dropped EXE
PID:736 -
\??\c:\hhhhnn.exec:\hhhhnn.exe66⤵PID:3168
-
\??\c:\bbhhhh.exec:\bbhhhh.exe67⤵PID:368
-
\??\c:\bnbttn.exec:\bnbttn.exe68⤵PID:1212
-
\??\c:\bhnhtt.exec:\bhnhtt.exe69⤵PID:3332
-
\??\c:\7ttnbb.exec:\7ttnbb.exe70⤵PID:4828
-
\??\c:\frllffl.exec:\frllffl.exe71⤵PID:3308
-
\??\c:\rrxxffr.exec:\rrxxffr.exe72⤵PID:4100
-
\??\c:\frllffl.exec:\frllffl.exe73⤵PID:3140
-
\??\c:\vvvpj.exec:\vvvpj.exe74⤵PID:1412
-
\??\c:\jdppv.exec:\jdppv.exe75⤵PID:4388
-
\??\c:\dvjdp.exec:\dvjdp.exe76⤵PID:2568
-
\??\c:\bhhbnh.exec:\bhhbnh.exe77⤵PID:2572
-
\??\c:\tnhhbn.exec:\tnhhbn.exe78⤵PID:1244
-
\??\c:\1hbthb.exec:\1hbthb.exe79⤵PID:4904
-
\??\c:\lxlflfl.exec:\lxlflfl.exe80⤵PID:2760
-
\??\c:\hhnhbh.exec:\hhnhbh.exe81⤵PID:1164
-
\??\c:\hbbhtn.exec:\hbbhtn.exe82⤵PID:724
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe83⤵PID:3840
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe84⤵PID:2168
-
\??\c:\lxxrlff.exec:\lxxrlff.exe85⤵PID:3648
-
\??\c:\1ffxlff.exec:\1ffxlff.exe86⤵PID:3472
-
\??\c:\dvvpd.exec:\dvvpd.exe87⤵PID:1516
-
\??\c:\pvpjj.exec:\pvpjj.exe88⤵PID:3420
-
\??\c:\ppvpp.exec:\ppvpp.exe89⤵PID:4536
-
\??\c:\ttnbtt.exec:\ttnbtt.exe90⤵PID:3628
-
\??\c:\7nttnn.exec:\7nttnn.exe91⤵PID:2556
-
\??\c:\xrrxrrf.exec:\xrrxrrf.exe92⤵
- System Location Discovery: System Language Discovery
PID:4804 -
\??\c:\xllfrll.exec:\xllfrll.exe93⤵PID:3356
-
\??\c:\ffrlxxl.exec:\ffrlxxl.exe94⤵PID:392
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe95⤵PID:1560
-
\??\c:\ddjvp.exec:\ddjvp.exe96⤵PID:536
-
\??\c:\vppjd.exec:\vppjd.exe97⤵PID:1776
-
\??\c:\5jddv.exec:\5jddv.exe98⤵PID:812
-
\??\c:\3pdpj.exec:\3pdpj.exe99⤵PID:232
-
\??\c:\jvpjp.exec:\jvpjp.exe100⤵PID:2156
-
\??\c:\bbhbbt.exec:\bbhbbt.exe101⤵PID:4076
-
\??\c:\9ththh.exec:\9ththh.exe102⤵PID:2296
-
\??\c:\hthtnh.exec:\hthtnh.exe103⤵PID:452
-
\??\c:\ttnntb.exec:\ttnntb.exe104⤵PID:3864
-
\??\c:\hnbbtt.exec:\hnbbtt.exe105⤵PID:672
-
\??\c:\htbttn.exec:\htbttn.exe106⤵PID:1312
-
\??\c:\nnhhtt.exec:\nnhhtt.exe107⤵PID:2648
-
\??\c:\hhhhhh.exec:\hhhhhh.exe108⤵PID:2736
-
\??\c:\hbtnhb.exec:\hbtnhb.exe109⤵PID:212
-
\??\c:\rlrrfxl.exec:\rlrrfxl.exe110⤵PID:4788
-
\??\c:\9xrfxlx.exec:\9xrfxlx.exe111⤵PID:3116
-
\??\c:\xfrrxrf.exec:\xfrrxrf.exe112⤵PID:4120
-
\??\c:\rxlfxlf.exec:\rxlfxlf.exe113⤵PID:2116
-
\??\c:\rflrrll.exec:\rflrrll.exe114⤵
- System Location Discovery: System Language Discovery
PID:5044 -
\??\c:\3xxrrrr.exec:\3xxrrrr.exe115⤵PID:3076
-
\??\c:\jpvjd.exec:\jpvjd.exe116⤵PID:752
-
\??\c:\dvjdv.exec:\dvjdv.exe117⤵PID:4156
-
\??\c:\vvjdd.exec:\vvjdd.exe118⤵PID:3532
-
\??\c:\nbnbbt.exec:\nbnbbt.exe119⤵PID:3048
-
\??\c:\hnthbb.exec:\hnthbb.exe120⤵PID:944
-
\??\c:\tnnhhh.exec:\tnnhhh.exe121⤵PID:368
-
\??\c:\tntnhb.exec:\tntnhb.exe122⤵PID:1212