Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
30/11/2024, 02:58
Behavioral task
behavioral1
Sample
5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9N.exe
Resource
win7-20240903-en
9 signatures
120 seconds
General
-
Target
5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9N.exe
-
Size
3.7MB
-
MD5
d9bf54b14b9997759510353ced67c8f0
-
SHA1
3bc5d2dd168a1594b64127364738b3f73946853a
-
SHA256
5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9
-
SHA512
f9785f7f97d40b934343826e43ef7b7bff0f03f5ca41448734da033bba0233fd6f6a2a4a08760fa440d3fb97899a5e2efcf7bef7164d9ea8e230828a849973f5
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF988:U6XLq/qPPslzKx/dJg1ErmNP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/736-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3028-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1012-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3096-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1232-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4240-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1072-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3936-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3788-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2996-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1160-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/624-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-531-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-588-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2188-685-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-921-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-1100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3028 djjpv.exe 2944 bnnnhh.exe 1012 002208.exe 4084 lxlrrxf.exe 3996 864046.exe 3096 4004244.exe 1232 4004444.exe 3280 40240.exe 4240 tthhnt.exe 1860 664088.exe 2156 lllffrr.exe 2220 8482288.exe 5012 26642.exe 1384 42440.exe 3100 rlrfflf.exe 2480 02242.exe 1072 pvvvp.exe 1448 208040.exe 4112 btntbb.exe 3356 62024.exe 3288 0826280.exe 5080 6284820.exe 3936 8080026.exe 5088 hnnnht.exe 3244 nnnnnt.exe 4468 4640882.exe 4428 660846.exe 4876 rrfffll.exe 4316 rrxrffx.exe 3896 jjvdd.exe 1876 46006.exe 3768 242446.exe 4480 xllxfll.exe 3956 frxflrr.exe 4928 846868.exe 3420 0422288.exe 4208 4864022.exe 3788 28240.exe 2996 vdvpj.exe 4556 nttthh.exe 4444 22646.exe 4300 04448.exe 3264 bbhbhn.exe 2288 86462.exe 516 vpvdj.exe 1856 nttnth.exe 3544 a4020.exe 2356 628246.exe 2860 64284.exe 3304 thhhnb.exe 1656 lrxxrfl.exe 1644 ddvjd.exe 2220 804604.exe 3324 5vjjj.exe 1292 3lffrfx.exe 1676 02628.exe 5016 0606026.exe 1160 3bthnh.exe 1072 rffrllx.exe 1300 22002.exe 3964 4484286.exe 4884 46604.exe 1536 q60284.exe 548 642246.exe -
resource yara_rule behavioral2/memory/736-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/736-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b53-5.dat upx behavioral2/files/0x000a000000023b58-9.dat upx behavioral2/memory/3028-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b59-13.dat upx behavioral2/memory/2944-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1012-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b54-22.dat upx behavioral2/memory/4084-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5a-28.dat upx behavioral2/files/0x000a000000023b5b-34.dat upx behavioral2/files/0x000a000000023b5c-40.dat upx behavioral2/memory/3096-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1232-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5d-45.dat upx behavioral2/files/0x000a000000023b5e-50.dat upx behavioral2/memory/3280-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4240-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5f-58.dat upx behavioral2/memory/1860-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b60-63.dat upx behavioral2/files/0x000a000000023b61-68.dat upx behavioral2/memory/2156-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b62-74.dat upx behavioral2/memory/5012-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2220-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b63-81.dat upx behavioral2/memory/1384-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b64-88.dat upx 
behavioral2/memory/3100-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e72a-93.dat upx behavioral2/memory/2480-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b67-99.dat upx behavioral2/files/0x000a000000023b68-104.dat upx behavioral2/memory/1072-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b69-112.dat upx behavioral2/memory/1448-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4112-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6a-119.dat upx behavioral2/files/0x000a000000023b6b-122.dat upx behavioral2/memory/3288-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6c-129.dat upx behavioral2/memory/5080-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6d-134.dat upx behavioral2/memory/3936-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-141.dat upx behavioral2/memory/5088-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b70-147.dat upx behavioral2/files/0x000a000000023b71-153.dat upx behavioral2/memory/3244-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-157.dat upx behavioral2/memory/4468-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4428-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-163.dat upx behavioral2/files/0x000a000000023b75-168.dat upx behavioral2/memory/4876-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-174.dat upx behavioral2/memory/4316-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-181.dat upx behavioral2/files/0x000a000000023b78-185.dat upx 
behavioral2/memory/1876-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4480-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4928-201-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lffrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q60284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8462628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e00268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268040.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6628066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlrxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q24840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6828864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6240448.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8800284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllfrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 736 wrote to memory of 3028 736 5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9N.exe 82 PID 736 wrote to memory of 3028 736 5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9N.exe 82 PID 736 wrote to memory of 3028 736 5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9N.exe 82 PID 3028 wrote to memory of 2944 3028 djjpv.exe 83 PID 3028 wrote to memory of 2944 3028 djjpv.exe 83 PID 3028 wrote to memory of 2944 3028 djjpv.exe 83 PID 2944 wrote to memory of 1012 2944 bnnnhh.exe 84 PID 2944 wrote to memory of 1012 2944 bnnnhh.exe 84 PID 2944 wrote to memory of 1012 2944 bnnnhh.exe 84 PID 1012 wrote to memory of 4084 1012 002208.exe 85 PID 1012 wrote to memory of 4084 1012 002208.exe 85 PID 1012 wrote to memory of 4084 1012 002208.exe 85 PID 4084 wrote to memory of 3996 4084 lxlrrxf.exe 86 PID 4084 wrote to memory of 3996 4084 lxlrrxf.exe 86 PID 4084 wrote to memory of 3996 4084 lxlrrxf.exe 86 PID 3996 wrote to memory of 3096 3996 864046.exe 87 PID 3996 wrote to memory of 3096 3996 864046.exe 87 PID 3996 wrote to memory of 3096 3996 864046.exe 87 PID 3096 wrote to memory of 1232 3096 4004244.exe 88 PID 3096 wrote to memory of 1232 3096 4004244.exe 88 PID 3096 wrote to memory of 1232 3096 4004244.exe 88 PID 1232 wrote to memory of 3280 1232 4004444.exe 89 PID 1232 wrote to memory of 3280 1232 4004444.exe 89 PID 1232 wrote to memory of 3280 1232 4004444.exe 89 PID 3280 wrote to memory of 4240 3280 40240.exe 90 PID 3280 wrote to memory of 4240 3280 40240.exe 90 PID 3280 wrote to memory of 4240 3280 40240.exe 90 PID 4240 wrote to memory of 1860 4240 tthhnt.exe 91 PID 4240 wrote to memory of 1860 4240 tthhnt.exe 91 PID 4240 wrote to memory of 1860 4240 tthhnt.exe 91 PID 1860 wrote to memory of 2156 1860 664088.exe 92 PID 1860 wrote to memory of 2156 1860 664088.exe 92 PID 1860 wrote to memory of 2156 1860 664088.exe 92 PID 2156 wrote to memory of 2220 2156 lllffrr.exe 93 PID 2156 wrote to 
memory of 2220 2156 lllffrr.exe 93 PID 2156 wrote to memory of 2220 2156 lllffrr.exe 93 PID 2220 wrote to memory of 5012 2220 8482288.exe 94 PID 2220 wrote to memory of 5012 2220 8482288.exe 94 PID 2220 wrote to memory of 5012 2220 8482288.exe 94 PID 5012 wrote to memory of 1384 5012 26642.exe 95 PID 5012 wrote to memory of 1384 5012 26642.exe 95 PID 5012 wrote to memory of 1384 5012 26642.exe 95 PID 1384 wrote to memory of 3100 1384 42440.exe 96 PID 1384 wrote to memory of 3100 1384 42440.exe 96 PID 1384 wrote to memory of 3100 1384 42440.exe 96 PID 3100 wrote to memory of 2480 3100 rlrfflf.exe 97 PID 3100 wrote to memory of 2480 3100 rlrfflf.exe 97 PID 3100 wrote to memory of 2480 3100 rlrfflf.exe 97 PID 2480 wrote to memory of 1072 2480 02242.exe 98 PID 2480 wrote to memory of 1072 2480 02242.exe 98 PID 2480 wrote to memory of 1072 2480 02242.exe 98 PID 1072 wrote to memory of 1448 1072 pvvvp.exe 99 PID 1072 wrote to memory of 1448 1072 pvvvp.exe 99 PID 1072 wrote to memory of 1448 1072 pvvvp.exe 99 PID 1448 wrote to memory of 4112 1448 208040.exe 100 PID 1448 wrote to memory of 4112 1448 208040.exe 100 PID 1448 wrote to memory of 4112 1448 208040.exe 100 PID 4112 wrote to memory of 3356 4112 btntbb.exe 101 PID 4112 wrote to memory of 3356 4112 btntbb.exe 101 PID 4112 wrote to memory of 3356 4112 btntbb.exe 101 PID 3356 wrote to memory of 3288 3356 62024.exe 102 PID 3356 wrote to memory of 3288 3356 62024.exe 102 PID 3356 wrote to memory of 3288 3356 62024.exe 102 PID 3288 wrote to memory of 5080 3288 0826280.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9N.exe"C:\Users\Admin\AppData\Local\Temp\5d312b073e628a940f300343bfdd7ee1c5a2dda766f9314b049f857a8d90cbf9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\djjpv.exec:\djjpv.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\bnnnhh.exec:\bnnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\002208.exec:\002208.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\lxlrrxf.exec:\lxlrrxf.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\864046.exec:\864046.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\4004244.exec:\4004244.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\4004444.exec:\4004444.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\40240.exec:\40240.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\tthhnt.exec:\tthhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\664088.exec:\664088.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\lllffrr.exec:\lllffrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\8482288.exec:\8482288.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\26642.exec:\26642.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\42440.exec:\42440.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\rlrfflf.exec:\rlrfflf.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\02242.exec:\02242.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\pvvvp.exec:\pvvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\208040.exec:\208040.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\btntbb.exec:\btntbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\62024.exec:\62024.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\0826280.exec:\0826280.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\6284820.exec:\6284820.exe23⤵
- Executes dropped EXE
PID:5080 -
\??\c:\8080026.exec:\8080026.exe24⤵
- Executes dropped EXE
PID:3936 -
\??\c:\hnnnht.exec:\hnnnht.exe25⤵
- Executes dropped EXE
PID:5088 -
\??\c:\nnnnnt.exec:\nnnnnt.exe26⤵
- Executes dropped EXE
PID:3244 -
\??\c:\4640882.exec:\4640882.exe27⤵
- Executes dropped EXE
PID:4468 -
\??\c:\660846.exec:\660846.exe28⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rrfffll.exec:\rrfffll.exe29⤵
- Executes dropped EXE
PID:4876 -
\??\c:\rrxrffx.exec:\rrxrffx.exe30⤵
- Executes dropped EXE
PID:4316 -
\??\c:\jjvdd.exec:\jjvdd.exe31⤵
- Executes dropped EXE
PID:3896 -
\??\c:\46006.exec:\46006.exe32⤵
- Executes dropped EXE
PID:1876 -
\??\c:\242446.exec:\242446.exe33⤵
- Executes dropped EXE
PID:3768 -
\??\c:\xllxfll.exec:\xllxfll.exe34⤵
- Executes dropped EXE
PID:4480 -
\??\c:\frxflrr.exec:\frxflrr.exe35⤵
- Executes dropped EXE
PID:3956 -
\??\c:\846868.exec:\846868.exe36⤵
- Executes dropped EXE
PID:4928 -
\??\c:\0422288.exec:\0422288.exe37⤵
- Executes dropped EXE
PID:3420 -
\??\c:\4864022.exec:\4864022.exe38⤵
- Executes dropped EXE
PID:4208 -
\??\c:\28240.exec:\28240.exe39⤵
- Executes dropped EXE
PID:3788 -
\??\c:\vdvpj.exec:\vdvpj.exe40⤵
- Executes dropped EXE
PID:2996 -
\??\c:\nttthh.exec:\nttthh.exe41⤵
- Executes dropped EXE
PID:4556 -
\??\c:\22646.exec:\22646.exe42⤵
- Executes dropped EXE
PID:4444 -
\??\c:\04448.exec:\04448.exe43⤵
- Executes dropped EXE
PID:4300 -
\??\c:\bbhbhn.exec:\bbhbhn.exe44⤵
- Executes dropped EXE
PID:3264 -
\??\c:\86462.exec:\86462.exe45⤵
- Executes dropped EXE
PID:2288 -
\??\c:\vpvdj.exec:\vpvdj.exe46⤵
- Executes dropped EXE
PID:516 -
\??\c:\nttnth.exec:\nttnth.exe47⤵
- Executes dropped EXE
PID:1856 -
\??\c:\a4020.exec:\a4020.exe48⤵
- Executes dropped EXE
PID:3544 -
\??\c:\628246.exec:\628246.exe49⤵
- Executes dropped EXE
PID:2356 -
\??\c:\64284.exec:\64284.exe50⤵
- Executes dropped EXE
PID:2860 -
\??\c:\thhhnb.exec:\thhhnb.exe51⤵
- Executes dropped EXE
PID:3304 -
\??\c:\lrxxrfl.exec:\lrxxrfl.exe52⤵
- Executes dropped EXE
PID:1656 -
\??\c:\ddvjd.exec:\ddvjd.exe53⤵
- Executes dropped EXE
PID:1644 -
\??\c:\804604.exec:\804604.exe54⤵
- Executes dropped EXE
PID:2220 -
\??\c:\5vjjj.exec:\5vjjj.exe55⤵
- Executes dropped EXE
PID:3324 -
\??\c:\3lffrfx.exec:\3lffrfx.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1292 -
\??\c:\02628.exec:\02628.exe57⤵
- Executes dropped EXE
PID:1676 -
\??\c:\0606026.exec:\0606026.exe58⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3bthnh.exec:\3bthnh.exe59⤵
- Executes dropped EXE
PID:1160 -
\??\c:\rffrllx.exec:\rffrllx.exe60⤵
- Executes dropped EXE
PID:1072 -
\??\c:\22002.exec:\22002.exe61⤵
- Executes dropped EXE
PID:1300 -
\??\c:\4484286.exec:\4484286.exe62⤵
- Executes dropped EXE
PID:3964 -
\??\c:\46604.exec:\46604.exe63⤵
- Executes dropped EXE
PID:4884 -
\??\c:\q60284.exec:\q60284.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
\??\c:\642246.exec:\642246.exe65⤵
- Executes dropped EXE
PID:548 -
\??\c:\02026.exec:\02026.exe66⤵PID:5080
-
\??\c:\22264.exec:\22264.exe67⤵PID:4864
-
\??\c:\fllrlxl.exec:\fllrlxl.exe68⤵PID:624
-
\??\c:\xlrrlrl.exec:\xlrrlrl.exe69⤵PID:4600
-
\??\c:\ttbhnn.exec:\ttbhnn.exe70⤵PID:4820
-
\??\c:\846222.exec:\846222.exe71⤵PID:2168
-
\??\c:\66444.exec:\66444.exe72⤵PID:4076
-
\??\c:\08084.exec:\08084.exe73⤵
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\5nnnnt.exec:\5nnnnt.exe74⤵PID:4808
-
\??\c:\24628.exec:\24628.exe75⤵PID:668
-
\??\c:\djvdd.exec:\djvdd.exe76⤵PID:4876
-
\??\c:\xfllfff.exec:\xfllfff.exe77⤵PID:1832
-
\??\c:\66668.exec:\66668.exe78⤵PID:3248
-
\??\c:\jpppv.exec:\jpppv.exe79⤵PID:2700
-
\??\c:\bbbhnt.exec:\bbbhnt.exe80⤵PID:4972
-
\??\c:\224668.exec:\224668.exe81⤵PID:3284
-
\??\c:\00808.exec:\00808.exe82⤵PID:4568
-
\??\c:\6828864.exec:\6828864.exe83⤵
- System Location Discovery: System Language Discovery
PID:2308 -
\??\c:\lxllfff.exec:\lxllfff.exe84⤵PID:4732
-
\??\c:\60600.exec:\60600.exe85⤵PID:2704
-
\??\c:\hnhnhn.exec:\hnhnhn.exe86⤵PID:2944
-
\??\c:\28606.exec:\28606.exe87⤵PID:3780
-
\??\c:\bbtbth.exec:\bbtbth.exe88⤵PID:1972
-
\??\c:\fxrrrfx.exec:\fxrrrfx.exe89⤵PID:4352
-
\??\c:\442208.exec:\442208.exe90⤵PID:2816
-
\??\c:\nnntbn.exec:\nnntbn.exe91⤵
- System Location Discovery: System Language Discovery
PID:4292 -
\??\c:\6422800.exec:\6422800.exe92⤵PID:1812
-
\??\c:\80244.exec:\80244.exe93⤵PID:220
-
\??\c:\xrffrrr.exec:\xrffrrr.exe94⤵PID:2080
-
\??\c:\62084.exec:\62084.exe95⤵PID:2288
-
\??\c:\844646.exec:\844646.exe96⤵PID:516
-
\??\c:\bbbttn.exec:\bbbttn.exe97⤵PID:1780
-
\??\c:\lrlxlrr.exec:\lrlxlrr.exe98⤵PID:3796
-
\??\c:\46248.exec:\46248.exe99⤵PID:4080
-
\??\c:\hthhnn.exec:\hthhnn.exe100⤵PID:3736
-
\??\c:\vjvpv.exec:\vjvpv.exe101⤵PID:2772
-
\??\c:\846048.exec:\846048.exe102⤵
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\flrrffr.exec:\flrrffr.exe103⤵PID:3324
-
\??\c:\ffxxlxf.exec:\ffxxlxf.exe104⤵PID:4572
-
\??\c:\8066626.exec:\8066626.exe105⤵PID:4500
-
\??\c:\808680.exec:\808680.exe106⤵PID:1164
-
\??\c:\nbnhbt.exec:\nbnhbt.exe107⤵
- System Location Discovery: System Language Discovery
PID:644 -
\??\c:\llfrxfx.exec:\llfrxfx.exe108⤵PID:2920
-
\??\c:\rxflfrx.exec:\rxflfrx.exe109⤵
- System Location Discovery: System Language Discovery
PID:4228 -
\??\c:\0228864.exec:\0228864.exe110⤵PID:2912
-
\??\c:\nbnnhh.exec:\nbnnhh.exe111⤵PID:1516
-
\??\c:\bthntn.exec:\bthntn.exe112⤵
- System Location Discovery: System Language Discovery
PID:2540 -
\??\c:\djjpv.exec:\djjpv.exe113⤵PID:4288
-
\??\c:\844484.exec:\844484.exe114⤵PID:4624
-
\??\c:\vvpvv.exec:\vvpvv.exe115⤵PID:3024
-
\??\c:\04480.exec:\04480.exe116⤵PID:4452
-
\??\c:\bbntbn.exec:\bbntbn.exe117⤵PID:1036
-
\??\c:\8044622.exec:\8044622.exe118⤵PID:3976
-
\??\c:\fffflxf.exec:\fffflxf.exe119⤵PID:388
-
\??\c:\1lrrfrr.exec:\1lrrfrr.exe120⤵PID:3228
-
\??\c:\40622.exec:\40622.exe121⤵PID:956
-
\??\c:\lrffffx.exec:\lrffffx.exe122⤵PID:4092