Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
18-12-2024 22:48
Behavioral task
behavioral1
Sample
a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe
-
Size
3.7MB
-
MD5
4062f74bf62046004298ebcb3629f2d4
-
SHA1
9f7d9c6ee3f7881ba821fb7e2ab44004cc73afe8
-
SHA256
a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5
-
SHA512
a580ea4e5491135652c054ae252638b57636fea294bd2406d5a7920a5274caeb3c03cc38ab21f29b9fa33e6469e1ae70add16a1c3abf6d7079f7922e3a4f9058
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98+:U6XLq/qPPslzKx/dJg1ErmNd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1056-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/852-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1660-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2952-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/556-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2660-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1420-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2100-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/776-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2564-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3388-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2660-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-510-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-577-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-696-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-754-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1980-803-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4284-1978-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 852 2828288.exe 3140 24468.exe 4680 286888.exe 4268 80260.exe 1168 vvppv.exe 1660 20888.exe 4452 llrrrxx.exe 3280 044882.exe 2952 frxlxrl.exe 5044 402266.exe 3044 24860.exe 4768 pjpjd.exe 556 xrfflxf.exe 2660 nnbtnn.exe 2532 4664260.exe 4900 xrffxfl.exe 4168 rxfxllf.exe 2564 646486.exe 3132 664866.exe 2012 vvdpj.exe 4076 hbbtht.exe 4556 68820.exe 4464 4660484.exe 216 0682064.exe 1420 0666666.exe 812 rlxlfxr.exe 4724 vjjvv.exe 3060 g8882.exe 3388 bhbtbb.exe 2452 6026060.exe 4000 66446.exe 2100 bbbtnh.exe 1892 frrllll.exe 4908 bthtnh.exe 3812 lxlfxff.exe 1144 86440.exe 4300 008406.exe 1720 66626.exe 1496 06820.exe 3532 bntbtn.exe 3876 pjjdd.exe 4264 46826.exe 468 4028624.exe 4988 2046026.exe 3964 684044.exe 3480 0882604.exe 4320 0460606.exe 5112 pdpjv.exe 4444 862888.exe 4588 vvvvp.exe 4152 thnhbb.exe 776 888462.exe 2220 rrxxrrr.exe 4124 26000.exe 2140 640488.exe 3676 pddvp.exe 1168 828848.exe 4256 bttntn.exe 3120 84200.exe 3644 lfxlfxl.exe 4428 nnnnhn.exe 4980 8022000.exe 2496 484226.exe 5080 jpjvp.exe -
resource yara_rule behavioral2/memory/1056-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c60-3.dat upx behavioral2/memory/1056-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-9.dat upx behavioral2/memory/852-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023cb2-13.dat upx behavioral2/memory/4680-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3140-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-23.dat upx behavioral2/memory/4268-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4268-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1168-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-29.dat upx behavioral2/memory/1660-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-37.dat upx behavioral2/files/0x0007000000023cba-41.dat upx behavioral2/memory/1660-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4452-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-48.dat upx behavioral2/files/0x000400000001e762-53.dat upx behavioral2/memory/3280-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-59.dat upx behavioral2/memory/2952-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-65.dat upx behavioral2/memory/3044-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-72.dat upx behavioral2/files/0x0007000000023cbf-76.dat upx behavioral2/memory/4768-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-82.dat upx behavioral2/memory/556-85-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cc1-88.dat upx behavioral2/memory/2660-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-96.dat upx behavioral2/files/0x0007000000023cc3-99.dat upx behavioral2/memory/4900-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4168-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-105.dat upx behavioral2/files/0x0007000000023cc5-111.dat upx behavioral2/memory/2564-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-117.dat upx behavioral2/memory/2012-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3132-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-126.dat upx behavioral2/files/0x0007000000023cc8-130.dat upx behavioral2/memory/4556-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-136.dat upx behavioral2/memory/4464-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-142.dat upx behavioral2/files/0x0007000000023ccb-148.dat upx behavioral2/files/0x0007000000023ccc-151.dat upx behavioral2/memory/1420-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/812-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-158.dat upx behavioral2/memory/3060-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4724-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-164.dat upx behavioral2/files/0x0007000000023ccf-170.dat upx behavioral2/files/0x0007000000023cd0-176.dat upx behavioral2/files/0x0007000000023cd1-182.dat upx behavioral2/files/0x0007000000023cd2-186.dat upx behavioral2/memory/2100-188-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3812-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4300-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4264-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4442042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2824826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhtn.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2820820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4246420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u088288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 022208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8260826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8288886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6626448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0620004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4404444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k88226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26806.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1056 wrote to memory of 852 1056 a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe 83 PID 1056 wrote to memory of 852 1056 a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe 83 PID 1056 wrote to memory of 852 1056 a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe 83 PID 852 wrote to memory of 3140 852 2828288.exe 84 PID 852 wrote to memory of 3140 852 2828288.exe 84 PID 852 wrote to memory of 3140 852 2828288.exe 84 PID 3140 wrote to memory of 4680 3140 24468.exe 85 PID 3140 wrote to memory of 4680 3140 24468.exe 85 PID 3140 wrote to memory of 4680 3140 24468.exe 85 PID 4680 wrote to memory of 4268 4680 286888.exe 86 PID 4680 wrote to memory of 4268 4680 286888.exe 86 PID 4680 wrote to memory of 4268 4680 286888.exe 86 PID 4268 wrote to memory of 1168 4268 80260.exe 87 PID 4268 wrote to memory of 1168 4268 80260.exe 87 PID 4268 wrote to memory of 1168 4268 80260.exe 87 PID 1168 wrote to memory of 1660 1168 vvppv.exe 88 PID 1168 wrote to memory of 1660 1168 vvppv.exe 88 PID 1168 wrote to memory of 1660 1168 vvppv.exe 88 PID 1660 wrote to memory of 4452 1660 20888.exe 89 PID 1660 wrote to memory of 4452 1660 20888.exe 89 PID 1660 wrote to memory of 4452 1660 20888.exe 89 PID 4452 wrote to memory of 3280 4452 llrrrxx.exe 90 PID 4452 wrote to memory of 3280 4452 llrrrxx.exe 90 PID 4452 wrote to memory of 3280 4452 llrrrxx.exe 90 PID 3280 wrote to memory of 2952 3280 044882.exe 91 PID 3280 wrote to memory of 2952 3280 044882.exe 91 PID 3280 wrote to memory of 2952 3280 044882.exe 91 PID 2952 wrote to memory of 5044 2952 frxlxrl.exe 92 PID 2952 wrote to memory of 5044 2952 frxlxrl.exe 92 PID 2952 wrote to memory of 5044 2952 frxlxrl.exe 92 PID 5044 wrote to memory of 3044 5044 402266.exe 93 PID 5044 wrote to memory of 3044 5044 402266.exe 93 PID 5044 wrote to memory of 3044 5044 402266.exe 93 PID 3044 wrote to memory of 4768 3044 24860.exe 94 PID 3044 wrote to memory of 4768 
3044 24860.exe 94 PID 3044 wrote to memory of 4768 3044 24860.exe 94 PID 4768 wrote to memory of 556 4768 pjpjd.exe 95 PID 4768 wrote to memory of 556 4768 pjpjd.exe 95 PID 4768 wrote to memory of 556 4768 pjpjd.exe 95 PID 556 wrote to memory of 2660 556 xrfflxf.exe 96 PID 556 wrote to memory of 2660 556 xrfflxf.exe 96 PID 556 wrote to memory of 2660 556 xrfflxf.exe 96 PID 2660 wrote to memory of 2532 2660 nnbtnn.exe 97 PID 2660 wrote to memory of 2532 2660 nnbtnn.exe 97 PID 2660 wrote to memory of 2532 2660 nnbtnn.exe 97 PID 2532 wrote to memory of 4900 2532 4664260.exe 98 PID 2532 wrote to memory of 4900 2532 4664260.exe 98 PID 2532 wrote to memory of 4900 2532 4664260.exe 98 PID 4900 wrote to memory of 4168 4900 xrffxfl.exe 99 PID 4900 wrote to memory of 4168 4900 xrffxfl.exe 99 PID 4900 wrote to memory of 4168 4900 xrffxfl.exe 99 PID 4168 wrote to memory of 2564 4168 rxfxllf.exe 100 PID 4168 wrote to memory of 2564 4168 rxfxllf.exe 100 PID 4168 wrote to memory of 2564 4168 rxfxllf.exe 100 PID 2564 wrote to memory of 3132 2564 646486.exe 101 PID 2564 wrote to memory of 3132 2564 646486.exe 101 PID 2564 wrote to memory of 3132 2564 646486.exe 101 PID 3132 wrote to memory of 2012 3132 664866.exe 102 PID 3132 wrote to memory of 2012 3132 664866.exe 102 PID 3132 wrote to memory of 2012 3132 664866.exe 102 PID 2012 wrote to memory of 4076 2012 vvdpj.exe 103 PID 2012 wrote to memory of 4076 2012 vvdpj.exe 103 PID 2012 wrote to memory of 4076 2012 vvdpj.exe 103 PID 4076 wrote to memory of 4556 4076 hbbtht.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe"C:\Users\Admin\AppData\Local\Temp\a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\2828288.exec:\2828288.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\24468.exec:\24468.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\286888.exec:\286888.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\80260.exec:\80260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\vvppv.exec:\vvppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\20888.exec:\20888.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\llrrrxx.exec:\llrrrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\044882.exec:\044882.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\frxlxrl.exec:\frxlxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\402266.exec:\402266.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\24860.exec:\24860.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\pjpjd.exec:\pjpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\xrfflxf.exec:\xrfflxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\nnbtnn.exec:\nnbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\4664260.exec:\4664260.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\xrffxfl.exec:\xrffxfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\rxfxllf.exec:\rxfxllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\646486.exec:\646486.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\664866.exec:\664866.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\vvdpj.exec:\vvdpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\hbbtht.exec:\hbbtht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\68820.exec:\68820.exe23⤵
- Executes dropped EXE
PID:4556 -
\??\c:\4660484.exec:\4660484.exe24⤵
- Executes dropped EXE
PID:4464 -
\??\c:\0682064.exec:\0682064.exe25⤵
- Executes dropped EXE
PID:216 -
\??\c:\0666666.exec:\0666666.exe26⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rlxlfxr.exec:\rlxlfxr.exe27⤵
- Executes dropped EXE
PID:812 -
\??\c:\vjjvv.exec:\vjjvv.exe28⤵
- Executes dropped EXE
PID:4724 -
\??\c:\g8882.exec:\g8882.exe29⤵
- Executes dropped EXE
PID:3060 -
\??\c:\bhbtbb.exec:\bhbtbb.exe30⤵
- Executes dropped EXE
PID:3388 -
\??\c:\6026060.exec:\6026060.exe31⤵
- Executes dropped EXE
PID:2452 -
\??\c:\66446.exec:\66446.exe32⤵
- Executes dropped EXE
PID:4000 -
\??\c:\bbbtnh.exec:\bbbtnh.exe33⤵
- Executes dropped EXE
PID:2100 -
\??\c:\frrllll.exec:\frrllll.exe34⤵
- Executes dropped EXE
PID:1892 -
\??\c:\bthtnh.exec:\bthtnh.exe35⤵
- Executes dropped EXE
PID:4908 -
\??\c:\lxlfxff.exec:\lxlfxff.exe36⤵
- Executes dropped EXE
PID:3812 -
\??\c:\86440.exec:\86440.exe37⤵
- Executes dropped EXE
PID:1144 -
\??\c:\008406.exec:\008406.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4300 -
\??\c:\66626.exec:\66626.exe39⤵
- Executes dropped EXE
PID:1720 -
\??\c:\06820.exec:\06820.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
\??\c:\bntbtn.exec:\bntbtn.exe41⤵
- Executes dropped EXE
PID:3532 -
\??\c:\pjjdd.exec:\pjjdd.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3876 -
\??\c:\46826.exec:\46826.exe43⤵
- Executes dropped EXE
PID:4264 -
\??\c:\4028624.exec:\4028624.exe44⤵
- Executes dropped EXE
PID:468 -
\??\c:\2046026.exec:\2046026.exe45⤵
- Executes dropped EXE
PID:4988 -
\??\c:\684044.exec:\684044.exe46⤵
- Executes dropped EXE
PID:3964 -
\??\c:\0882604.exec:\0882604.exe47⤵
- Executes dropped EXE
PID:3480 -
\??\c:\0460606.exec:\0460606.exe48⤵
- Executes dropped EXE
PID:4320 -
\??\c:\pdpjv.exec:\pdpjv.exe49⤵
- Executes dropped EXE
PID:5112 -
\??\c:\862888.exec:\862888.exe50⤵
- Executes dropped EXE
PID:4444 -
\??\c:\vvvvp.exec:\vvvvp.exe51⤵
- Executes dropped EXE
PID:4588 -
\??\c:\thnhbb.exec:\thnhbb.exe52⤵
- Executes dropped EXE
PID:4152 -
\??\c:\888462.exec:\888462.exe53⤵
- Executes dropped EXE
PID:776 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe54⤵
- Executes dropped EXE
PID:2220 -
\??\c:\26000.exec:\26000.exe55⤵
- Executes dropped EXE
PID:4124 -
\??\c:\640488.exec:\640488.exe56⤵
- Executes dropped EXE
PID:2140 -
\??\c:\pddvp.exec:\pddvp.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3676 -
\??\c:\828848.exec:\828848.exe58⤵
- Executes dropped EXE
PID:1168 -
\??\c:\bttntn.exec:\bttntn.exe59⤵
- Executes dropped EXE
PID:4256 -
\??\c:\84200.exec:\84200.exe60⤵
- Executes dropped EXE
PID:3120 -
\??\c:\lfxlfxl.exec:\lfxlfxl.exe61⤵
- Executes dropped EXE
PID:3644 -
\??\c:\nnnnhn.exec:\nnnnhn.exe62⤵
- Executes dropped EXE
PID:4428 -
\??\c:\8022000.exec:\8022000.exe63⤵
- Executes dropped EXE
PID:4980 -
\??\c:\484226.exec:\484226.exe64⤵
- Executes dropped EXE
PID:2496 -
\??\c:\jpjvp.exec:\jpjvp.exe65⤵
- Executes dropped EXE
PID:5080 -
\??\c:\w06862.exec:\w06862.exe66⤵PID:4616
-
\??\c:\hhbtnh.exec:\hhbtnh.exe67⤵PID:4440
-
\??\c:\ppppj.exec:\ppppj.exe68⤵
- System Location Discovery: System Language Discovery
PID:4768 -
\??\c:\rffrlfx.exec:\rffrlfx.exe69⤵PID:2248
-
\??\c:\480006.exec:\480006.exe70⤵PID:4260
-
\??\c:\s2040.exec:\s2040.exe71⤵
- System Location Discovery: System Language Discovery
PID:4484 -
\??\c:\fflllll.exec:\fflllll.exe72⤵
- System Location Discovery: System Language Discovery
PID:2860 -
\??\c:\ppvvd.exec:\ppvvd.exe73⤵
- System Location Discovery: System Language Discovery
PID:4316 -
\??\c:\ddvdv.exec:\ddvdv.exe74⤵PID:2604
-
\??\c:\66066.exec:\66066.exe75⤵PID:1164
-
\??\c:\ddjdj.exec:\ddjdj.exe76⤵PID:2564
-
\??\c:\rrxfrrr.exec:\rrxfrrr.exe77⤵PID:1500
-
\??\c:\4244828.exec:\4244828.exe78⤵PID:3880
-
\??\c:\60064.exec:\60064.exe79⤵PID:224
-
\??\c:\5bthbt.exec:\5bthbt.exe80⤵PID:4464
-
\??\c:\dvddj.exec:\dvddj.exe81⤵PID:3492
-
\??\c:\jjvvd.exec:\jjvvd.exe82⤵PID:3908
-
\??\c:\nhnhnh.exec:\nhnhnh.exe83⤵PID:1832
-
\??\c:\88008.exec:\88008.exe84⤵PID:812
-
\??\c:\ttnbtt.exec:\ttnbtt.exe85⤵PID:3388
-
\??\c:\06004.exec:\06004.exe86⤵PID:3496
-
\??\c:\rxxlxlx.exec:\rxxlxlx.exe87⤵PID:516
-
\??\c:\rlffffl.exec:\rlffffl.exe88⤵PID:1144
-
\??\c:\26260.exec:\26260.exe89⤵PID:1784
-
\??\c:\8666482.exec:\8666482.exe90⤵PID:1588
-
\??\c:\hhthth.exec:\hhthth.exe91⤵PID:2420
-
\??\c:\bnbtnn.exec:\bnbtnn.exe92⤵PID:3532
-
\??\c:\62404.exec:\62404.exe93⤵PID:4372
-
\??\c:\424088.exec:\424088.exe94⤵PID:4196
-
\??\c:\nhnnhh.exec:\nhnnhh.exe95⤵PID:372
-
\??\c:\hhnhtt.exec:\hhnhtt.exe96⤵PID:2744
-
\??\c:\pvjpj.exec:\pvjpj.exe97⤵PID:4284
-
\??\c:\4440062.exec:\4440062.exe98⤵PID:3480
-
\??\c:\xlfrlfr.exec:\xlfrlfr.exe99⤵
- System Location Discovery: System Language Discovery
PID:5024 -
\??\c:\668448.exec:\668448.exe100⤵PID:2216
-
\??\c:\020626.exec:\020626.exe101⤵PID:4444
-
\??\c:\02044.exec:\02044.exe102⤵PID:4588
-
\??\c:\hntnhn.exec:\hntnhn.exe103⤵PID:4152
-
\??\c:\2684400.exec:\2684400.exe104⤵PID:4844
-
\??\c:\hnhtnn.exec:\hnhtnn.exe105⤵PID:4352
-
\??\c:\400420.exec:\400420.exe106⤵PID:3104
-
\??\c:\vjjdp.exec:\vjjdp.exe107⤵PID:4996
-
\??\c:\thhhbb.exec:\thhhbb.exe108⤵PID:2280
-
\??\c:\ntbttt.exec:\ntbttt.exe109⤵PID:3280
-
\??\c:\802602.exec:\802602.exe110⤵PID:4428
-
\??\c:\btbbtt.exec:\btbbtt.exe111⤵PID:3504
-
\??\c:\htnhhh.exec:\htnhhh.exe112⤵PID:2496
-
\??\c:\42822.exec:\42822.exe113⤵PID:5080
-
\??\c:\tbhbbh.exec:\tbhbbh.exe114⤵PID:2660
-
\??\c:\400648.exec:\400648.exe115⤵PID:2172
-
\??\c:\vpdjp.exec:\vpdjp.exe116⤵PID:4028
-
\??\c:\flfxrrr.exec:\flfxrrr.exe117⤵
- System Location Discovery: System Language Discovery
PID:3928 -
\??\c:\hhhhbb.exec:\hhhhbb.exe118⤵PID:4848
-
\??\c:\jjjjd.exec:\jjjjd.exe119⤵PID:628
-
\??\c:\jvjjp.exec:\jvjjp.exe120⤵PID:4704
-
\??\c:\g0482.exec:\g0482.exe121⤵PID:1704
-
\??\c:\2244888.exec:\2244888.exe122⤵PID:4380