Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
01-12-2024 13:55
Behavioral task
behavioral1
Sample
d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724N.exe
Resource
win7-20240903-en
9 signatures
120 seconds
General
-
Target
d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724N.exe
-
Size
3.7MB
-
MD5
a09d5d2db3822337e31a97ef32c186a0
-
SHA1
3bfd11c5cccef27fcc52b2af93abecbba072cc4c
-
SHA256
d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724
-
SHA512
9822ba2ae3868e571ad242cd989a30bbdfee750b37440862b78fd5eb4821aff77b4da807ea2775add0d52bc1c9a7673380f9c2dd49f3b98b7c45dcc3e438b78d
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF983:U6XLq/qPPslzKx/dJg1ErmNy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2596-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1440-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3792-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3328-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2728-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2120-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4384-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/992-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/688-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2020-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2792-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3988-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-720-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-730-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-800-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-814-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-1280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-1372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-1490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-1512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-1597-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4668-1869-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 4188 lrffxff.exe 4928 ppjdv.exe 1440 3lxfrlx.exe 3792 rxffrrf.exe 3328 3pddv.exe 4528 vdpjv.exe 3056 hhbtnh.exe 2232 9fxrllf.exe 4000 3rxxxxr.exe 2728 fxrlxxr.exe 2120 fflxrlx.exe 3024 rfxlllf.exe 4664 lrrllll.exe 4016 xrrlfxr.exe 3852 frfxlfx.exe 4028 hhhbnn.exe 4808 5pdpj.exe 1896 lrxrlfx.exe 4384 lrrllfr.exe 5016 lrfxrrr.exe 992 dvjjd.exe 688 xxrrffx.exe 3972 rxfxlfx.exe 2020 5ntbtn.exe 4140 bbtnhb.exe 2772 3httnn.exe 4668 lfxrlfx.exe 4540 rrxrffr.exe 4828 ffxrlfx.exe 1680 9lxrfxf.exe 1192 rfrlrrl.exe 3696 5rxrrrr.exe 5036 3bnhbt.exe 2688 nhbtnh.exe 452 nbhtnh.exe 4648 bbbtnh.exe 2792 nbbtnb.exe 728 bntnhb.exe 632 bthbtn.exe 2604 nbhbtb.exe 1356 ttbnhh.exe 3144 nttnbt.exe 4944 5nnhtt.exe 1604 tnnhbt.exe 1872 btnhbt.exe 2944 7bhbnn.exe 1376 thnhtt.exe 1232 tnbnhh.exe 1600 jdjdv.exe 4480 nhbhbt.exe 4268 7hhtnn.exe 3472 hbtnhb.exe 1688 7bbttb.exe 2200 flfxrlf.exe 5052 7fxxrlx.exe 4008 lflfxrl.exe 3532 lrxrllf.exe 2108 rffxlfx.exe 4868 dppjd.exe 4436 1jppj.exe 4924 9dpjd.exe 3312 vjpjd.exe 396 pvjdp.exe 3576 thnbnb.exe -
resource yara_rule behavioral2/memory/2596-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c07-3.dat upx behavioral2/memory/2596-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-9.dat upx behavioral2/memory/4188-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-13.dat upx behavioral2/memory/1440-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4928-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cab-23.dat upx behavioral2/memory/3792-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-28.dat upx behavioral2/files/0x0007000000023cb2-33.dat upx behavioral2/memory/3328-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-38.dat upx behavioral2/memory/4528-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-45.dat upx behavioral2/files/0x0007000000023cb5-50.dat upx behavioral2/memory/2232-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-56.dat upx behavioral2/memory/4000-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-62.dat upx behavioral2/memory/2728-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-68.dat upx behavioral2/memory/2120-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-75.dat upx behavioral2/memory/4664-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3024-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-80.dat upx behavioral2/memory/4664-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-87.dat upx behavioral2/files/0x0007000000023cbc-92.dat upx 
behavioral2/memory/3852-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-98.dat upx behavioral2/memory/4028-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-103.dat upx behavioral2/memory/4808-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-110.dat upx behavioral2/memory/1896-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-116.dat upx behavioral2/memory/4384-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-122.dat upx behavioral2/files/0x0007000000023cc2-127.dat upx behavioral2/memory/992-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/688-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-134.dat upx behavioral2/memory/3972-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-139.dat upx behavioral2/files/0x000500000001e747-145.dat upx behavioral2/memory/2020-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-151.dat upx behavioral2/memory/4140-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-157.dat upx behavioral2/files/0x0007000000023cc9-162.dat upx behavioral2/memory/4540-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4668-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-170.dat upx behavioral2/files/0x0007000000023ccb-176.dat upx behavioral2/memory/4828-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-179.dat upx behavioral2/memory/1680-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-186.dat upx behavioral2/memory/3696-192-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5036-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/452-203-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffrrf.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlllxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2596 wrote to memory of 4188 2596 d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724N.exe 83 PID 2596 wrote to memory of 4188 2596 d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724N.exe 83 PID 2596 wrote to memory of 4188 2596 d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724N.exe 83 PID 4188 wrote to memory of 4928 4188 lrffxff.exe 84 PID 4188 wrote to memory of 4928 4188 lrffxff.exe 84 PID 4188 wrote to memory of 4928 4188 lrffxff.exe 84 PID 4928 wrote to memory of 1440 4928 ppjdv.exe 85 PID 4928 wrote to memory of 1440 4928 ppjdv.exe 85 PID 4928 wrote to memory of 1440 4928 ppjdv.exe 85 PID 1440 wrote to memory of 3792 1440 3lxfrlx.exe 86 PID 1440 wrote to memory of 3792 1440 3lxfrlx.exe 86 PID 1440 wrote to memory of 3792 1440 3lxfrlx.exe 86 PID 3792 wrote to memory of 3328 3792 rxffrrf.exe 87 PID 3792 wrote to memory of 3328 3792 rxffrrf.exe 87 PID 3792 wrote to memory of 3328 3792 rxffrrf.exe 87 PID 3328 wrote to memory of 4528 3328 3pddv.exe 88 PID 3328 wrote to memory of 4528 3328 3pddv.exe 88 PID 3328 wrote to memory of 4528 3328 3pddv.exe 88 PID 4528 wrote to memory of 3056 4528 vdpjv.exe 89 PID 4528 wrote to memory of 3056 4528 vdpjv.exe 89 PID 4528 wrote to memory of 3056 4528 vdpjv.exe 89 PID 3056 wrote to memory of 2232 3056 hhbtnh.exe 90 PID 3056 wrote to memory of 2232 3056 hhbtnh.exe 90 PID 3056 wrote to memory of 2232 3056 hhbtnh.exe 90 PID 2232 wrote to memory of 4000 2232 9fxrllf.exe 91 PID 2232 wrote to memory of 4000 2232 9fxrllf.exe 91 PID 2232 wrote to memory of 4000 2232 9fxrllf.exe 91 PID 4000 wrote to memory of 2728 4000 3rxxxxr.exe 92 PID 4000 wrote to memory of 2728 4000 3rxxxxr.exe 92 PID 4000 wrote to memory of 2728 4000 3rxxxxr.exe 92 PID 2728 wrote to memory of 2120 2728 fxrlxxr.exe 93 PID 2728 wrote to memory of 2120 2728 fxrlxxr.exe 93 PID 2728 wrote to memory of 2120 2728 fxrlxxr.exe 93 PID 2120 wrote to memory of 3024 2120 fflxrlx.exe 94 PID 
2120 wrote to memory of 3024 2120 fflxrlx.exe 94 PID 2120 wrote to memory of 3024 2120 fflxrlx.exe 94 PID 3024 wrote to memory of 4664 3024 rfxlllf.exe 95 PID 3024 wrote to memory of 4664 3024 rfxlllf.exe 95 PID 3024 wrote to memory of 4664 3024 rfxlllf.exe 95 PID 4664 wrote to memory of 4016 4664 lrrllll.exe 96 PID 4664 wrote to memory of 4016 4664 lrrllll.exe 96 PID 4664 wrote to memory of 4016 4664 lrrllll.exe 96 PID 4016 wrote to memory of 3852 4016 xrrlfxr.exe 97 PID 4016 wrote to memory of 3852 4016 xrrlfxr.exe 97 PID 4016 wrote to memory of 3852 4016 xrrlfxr.exe 97 PID 3852 wrote to memory of 4028 3852 frfxlfx.exe 98 PID 3852 wrote to memory of 4028 3852 frfxlfx.exe 98 PID 3852 wrote to memory of 4028 3852 frfxlfx.exe 98 PID 4028 wrote to memory of 4808 4028 hhhbnn.exe 99 PID 4028 wrote to memory of 4808 4028 hhhbnn.exe 99 PID 4028 wrote to memory of 4808 4028 hhhbnn.exe 99 PID 4808 wrote to memory of 1896 4808 5pdpj.exe 101 PID 4808 wrote to memory of 1896 4808 5pdpj.exe 101 PID 4808 wrote to memory of 1896 4808 5pdpj.exe 101 PID 1896 wrote to memory of 4384 1896 lrxrlfx.exe 102 PID 1896 wrote to memory of 4384 1896 lrxrlfx.exe 102 PID 1896 wrote to memory of 4384 1896 lrxrlfx.exe 102 PID 4384 wrote to memory of 5016 4384 lrrllfr.exe 103 PID 4384 wrote to memory of 5016 4384 lrrllfr.exe 103 PID 4384 wrote to memory of 5016 4384 lrrllfr.exe 103 PID 5016 wrote to memory of 992 5016 lrfxrrr.exe 104 PID 5016 wrote to memory of 992 5016 lrfxrrr.exe 104 PID 5016 wrote to memory of 992 5016 lrfxrrr.exe 104 PID 992 wrote to memory of 688 992 dvjjd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724N.exe"C:\Users\Admin\AppData\Local\Temp\d8e7c62b5843d356f3af0d9ea0fbaa9da1d9af80dcc8448d4720b523b5201724N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\lrffxff.exec:\lrffxff.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\ppjdv.exec:\ppjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\3lxfrlx.exec:\3lxfrlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\rxffrrf.exec:\rxffrrf.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\3pddv.exec:\3pddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\vdpjv.exec:\vdpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\hhbtnh.exec:\hhbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\9fxrllf.exec:\9fxrllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\3rxxxxr.exec:\3rxxxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\fflxrlx.exec:\fflxrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\rfxlllf.exec:\rfxlllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\lrrllll.exec:\lrrllll.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\frfxlfx.exec:\frfxlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\hhhbnn.exec:\hhhbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\5pdpj.exec:\5pdpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\lrrllfr.exec:\lrrllfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\lrfxrrr.exec:\lrfxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\dvjjd.exec:\dvjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\xxrrffx.exec:\xxrrffx.exe23⤵
- Executes dropped EXE
PID:688 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe24⤵
- Executes dropped EXE
PID:3972 -
\??\c:\5ntbtn.exec:\5ntbtn.exe25⤵
- Executes dropped EXE
PID:2020 -
\??\c:\bbtnhb.exec:\bbtnhb.exe26⤵
- Executes dropped EXE
PID:4140 -
\??\c:\3httnn.exec:\3httnn.exe27⤵
- Executes dropped EXE
PID:2772 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe28⤵
- Executes dropped EXE
PID:4668 -
\??\c:\rrxrffr.exec:\rrxrffr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4540 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe30⤵
- Executes dropped EXE
PID:4828 -
\??\c:\9lxrfxf.exec:\9lxrfxf.exe31⤵
- Executes dropped EXE
PID:1680 -
\??\c:\rfrlrrl.exec:\rfrlrrl.exe32⤵
- Executes dropped EXE
PID:1192 -
\??\c:\5rxrrrr.exec:\5rxrrrr.exe33⤵
- Executes dropped EXE
PID:3696 -
\??\c:\3bnhbt.exec:\3bnhbt.exe34⤵
- Executes dropped EXE
PID:5036 -
\??\c:\nhbtnh.exec:\nhbtnh.exe35⤵
- Executes dropped EXE
PID:2688 -
\??\c:\nbhtnh.exec:\nbhtnh.exe36⤵
- Executes dropped EXE
PID:452 -
\??\c:\bbbtnh.exec:\bbbtnh.exe37⤵
- Executes dropped EXE
PID:4648 -
\??\c:\nbbtnb.exec:\nbbtnb.exe38⤵
- Executes dropped EXE
PID:2792 -
\??\c:\bntnhb.exec:\bntnhb.exe39⤵
- Executes dropped EXE
PID:728 -
\??\c:\bthbtn.exec:\bthbtn.exe40⤵
- Executes dropped EXE
PID:632 -
\??\c:\nbhbtb.exec:\nbhbtb.exe41⤵
- Executes dropped EXE
PID:2604 -
\??\c:\ttbnhh.exec:\ttbnhh.exe42⤵
- Executes dropped EXE
PID:1356 -
\??\c:\nttnbt.exec:\nttnbt.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3144 -
\??\c:\5nnhtt.exec:\5nnhtt.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\tnnhbt.exec:\tnnhbt.exe45⤵
- Executes dropped EXE
PID:1604 -
\??\c:\btnhbt.exec:\btnhbt.exe46⤵
- Executes dropped EXE
PID:1872 -
\??\c:\7bhbnn.exec:\7bhbnn.exe47⤵
- Executes dropped EXE
PID:2944 -
\??\c:\thnhtt.exec:\thnhtt.exe48⤵
- Executes dropped EXE
PID:1376 -
\??\c:\tnbnhh.exec:\tnbnhh.exe49⤵
- Executes dropped EXE
PID:1232 -
\??\c:\jdjdv.exec:\jdjdv.exe50⤵
- Executes dropped EXE
PID:1600 -
\??\c:\nhbhbt.exec:\nhbhbt.exe51⤵
- Executes dropped EXE
PID:4480 -
\??\c:\7hhtnn.exec:\7hhtnn.exe52⤵
- Executes dropped EXE
PID:4268 -
\??\c:\hbtnhb.exec:\hbtnhb.exe53⤵
- Executes dropped EXE
PID:3472 -
\??\c:\7bbttb.exec:\7bbttb.exe54⤵
- Executes dropped EXE
PID:1688 -
\??\c:\flfxrlf.exec:\flfxrlf.exe55⤵
- Executes dropped EXE
PID:2200 -
\??\c:\7fxxrlx.exec:\7fxxrlx.exe56⤵
- Executes dropped EXE
PID:5052 -
\??\c:\lflfxrl.exec:\lflfxrl.exe57⤵
- Executes dropped EXE
PID:4008 -
\??\c:\lrxrllf.exec:\lrxrllf.exe58⤵
- Executes dropped EXE
PID:3532 -
\??\c:\rffxlfx.exec:\rffxlfx.exe59⤵
- Executes dropped EXE
PID:2108 -
\??\c:\dppjd.exec:\dppjd.exe60⤵
- Executes dropped EXE
PID:4868 -
\??\c:\1jppj.exec:\1jppj.exe61⤵
- Executes dropped EXE
PID:4436 -
\??\c:\9dpjd.exec:\9dpjd.exe62⤵
- Executes dropped EXE
PID:4924 -
\??\c:\vjpjd.exec:\vjpjd.exe63⤵
- Executes dropped EXE
PID:3312 -
\??\c:\pvjdp.exec:\pvjdp.exe64⤵
- Executes dropped EXE
PID:396 -
\??\c:\thnbnb.exec:\thnbnb.exe65⤵
- Executes dropped EXE
PID:3576 -
\??\c:\tntnht.exec:\tntnht.exe66⤵PID:3612
-
\??\c:\1bhtnh.exec:\1bhtnh.exe67⤵PID:4904
-
\??\c:\tttnhh.exec:\tttnhh.exe68⤵PID:3988
-
\??\c:\tnnbnh.exec:\tnnbnh.exe69⤵PID:3136
-
\??\c:\xfrlfll.exec:\xfrlfll.exe70⤵
- System Location Discovery: System Language Discovery
PID:2020 -
\??\c:\rfrllrl.exec:\rfrllrl.exe71⤵PID:64
-
\??\c:\xxllxrx.exec:\xxllxrx.exe72⤵PID:2772
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe73⤵PID:2780
-
\??\c:\9rfxlfx.exec:\9rfxlfx.exe74⤵PID:4900
-
\??\c:\xxlfxrl.exec:\xxlfxrl.exe75⤵PID:2084
-
\??\c:\pjjvj.exec:\pjjvj.exe76⤵PID:2876
-
\??\c:\djjdv.exec:\djjdv.exe77⤵PID:3440
-
\??\c:\7vvvp.exec:\7vvvp.exe78⤵PID:1640
-
\??\c:\vjpvp.exec:\vjpvp.exe79⤵PID:2740
-
\??\c:\btnnnt.exec:\btnnnt.exe80⤵PID:1704
-
\??\c:\tnnbtn.exec:\tnnbtn.exe81⤵PID:2100
-
\??\c:\ntbttt.exec:\ntbttt.exe82⤵PID:3540
-
\??\c:\7tbbtt.exec:\7tbbtt.exe83⤵PID:560
-
\??\c:\3tbbtt.exec:\3tbbtt.exe84⤵PID:4488
-
\??\c:\9hbtnb.exec:\9hbtnb.exe85⤵PID:632
-
\??\c:\hntttt.exec:\hntttt.exe86⤵
- System Location Discovery: System Language Discovery
PID:2604 -
\??\c:\xlfxfll.exec:\xlfxfll.exe87⤵PID:1356
-
\??\c:\rlrrffx.exec:\rlrrffx.exe88⤵PID:1580
-
\??\c:\frxxrlf.exec:\frxxrlf.exe89⤵PID:4656
-
\??\c:\djpjv.exec:\djpjv.exe90⤵PID:2920
-
\??\c:\ppdvv.exec:\ppdvv.exe91⤵PID:3488
-
\??\c:\ddvvj.exec:\ddvvj.exe92⤵PID:1120
-
\??\c:\7pddv.exec:\7pddv.exe93⤵PID:3116
-
\??\c:\dppdj.exec:\dppdj.exe94⤵PID:2724
-
\??\c:\hhhtnh.exec:\hhhtnh.exe95⤵PID:1976
-
\??\c:\3btnht.exec:\3btnht.exe96⤵PID:4200
-
\??\c:\tttnnn.exec:\tttnnn.exe97⤵PID:4408
-
\??\c:\7tnhhb.exec:\7tnhhb.exe98⤵PID:3024
-
\??\c:\nthbbn.exec:\nthbbn.exe99⤵PID:4420
-
\??\c:\tbtnhb.exec:\tbtnhb.exe100⤵PID:3824
-
\??\c:\bnnnnt.exec:\bnnnnt.exe101⤵
- System Location Discovery: System Language Discovery
PID:4600 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe102⤵PID:4832
-
\??\c:\5rrxlxl.exec:\5rrxlxl.exe103⤵PID:824
-
\??\c:\rlfrllx.exec:\rlfrllx.exe104⤵
- System Location Discovery: System Language Discovery
PID:3840 -
\??\c:\7vpvv.exec:\7vpvv.exe105⤵PID:3460
-
\??\c:\jdpjv.exec:\jdpjv.exe106⤵PID:3584
-
\??\c:\jpppj.exec:\jpppj.exe107⤵PID:2040
-
\??\c:\dvddj.exec:\dvddj.exe108⤵PID:3688
-
\??\c:\vdvvj.exec:\vdvvj.exe109⤵PID:3044
-
\??\c:\5djdp.exec:\5djdp.exe110⤵PID:1924
-
\??\c:\pddvd.exec:\pddvd.exe111⤵PID:3952
-
\??\c:\bbtttn.exec:\bbtttn.exe112⤵
- System Location Discovery: System Language Discovery
PID:1436 -
\??\c:\nnnhbt.exec:\nnnhbt.exe113⤵PID:2436
-
\??\c:\3bbthb.exec:\3bbthb.exe114⤵PID:3756
-
\??\c:\bbhbbt.exec:\bbhbbt.exe115⤵PID:3304
-
\??\c:\fxrlrlx.exec:\fxrlrlx.exe116⤵PID:4716
-
\??\c:\rlxxfxr.exec:\rlxxfxr.exe117⤵PID:2824
-
\??\c:\ddjdv.exec:\ddjdv.exe118⤵PID:444
-
\??\c:\pddpp.exec:\pddpp.exe119⤵PID:2780
-
\??\c:\1vpvp.exec:\1vpvp.exe120⤵PID:4900
-
\??\c:\jdpjd.exec:\jdpjd.exe121⤵PID:2084
-
\??\c:\ppppj.exec:\ppppj.exe122⤵PID:4812