Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 02:06
Behavioral task
behavioral1
Sample
95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
General
-
Target
95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe
-
Size
3.7MB
-
MD5
abe04a5143418c4bf41fba56344e507d
-
SHA1
3db0daea625c1dcdf860ce7ce079dac7014f954d
-
SHA256
95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a
-
SHA512
d1762e470038fd9b919ed0b817206a10215348f49767db40e5ffb9ba420ba0d7c58ca7ab495bc65ae0d6304362a2f1f05abd69ebfbc06325ab7b4d7f7adb174f
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98q:U6XLq/qPPslzKx/dJg1ErmN3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1236-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3568-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/904-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/652-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4672-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1956-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1060-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1652-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/908-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-487-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-519-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-636-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-664-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-671-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-693-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-821-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-867-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-1060-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3068 jjppj.exe 3468 6608226.exe 3604 86848.exe 3524 xxfxxfx.exe 4336 ntbttb.exe 1632 lrxxrxx.exe 2172 2628200.exe 2080 fxrlflx.exe 4552 bttnhh.exe 3668 httntt.exe 3012 7dddd.exe 3568 266666.exe 1064 pvvpv.exe 4232 20000.exe 4540 dvpjj.exe 4616 w28882.exe 4168 pppdp.exe 3092 6664260.exe 1244 o448604.exe 3120 m8082.exe 3520 nbhhnn.exe 2740 thbtnn.exe 1884 jvvvd.exe 3400 vjjvp.exe 904 460860.exe 2400 0808260.exe 3572 u248888.exe 868 jdvpj.exe 2752 6600860.exe 1556 g2482.exe 1708 864406.exe 2600 660024.exe 4300 8682260.exe 1080 jjpjd.exe 1520 jdppj.exe 3228 4240044.exe 652 7pvpd.exe 908 46886.exe 1448 868482.exe 716 4640264.exe 116 2688042.exe 4604 pddvp.exe 4144 26082.exe 348 46426.exe 4292 xlfrfxl.exe 4672 jvdvd.exe 1480 0828686.exe 1956 xlrlfxx.exe 4312 44820.exe 3936 bntnnn.exe 4476 c866660.exe 3436 bhnhbb.exe 3648 6282604.exe 4812 626628.exe 1632 pdvjd.exe 2172 7nhbnh.exe 4008 44086.exe 1928 46266.exe 2916 6248664.exe 5060 pdvjd.exe 4968 nhthbt.exe 2436 dddpj.exe 612 pjpjd.exe 3968 2082222.exe -
resource yara_rule behavioral2/memory/1236-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c97-3.dat upx behavioral2/memory/1236-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-9.dat upx behavioral2/memory/3068-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-13.dat upx behavioral2/memory/3604-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3468-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c98-22.dat upx behavioral2/files/0x0007000000023c9e-27.dat upx behavioral2/memory/3524-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4336-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1632-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4336-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9f-35.dat upx behavioral2/files/0x0007000000023ca0-42.dat upx behavioral2/files/0x0007000000023ca2-49.dat upx behavioral2/memory/2172-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-54.dat upx behavioral2/memory/2080-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3668-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-59.dat upx behavioral2/files/0x0007000000023ca5-64.dat upx behavioral2/memory/3668-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3012-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-72.dat upx behavioral2/files/0x0007000000023ca7-77.dat upx behavioral2/memory/3568-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1064-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-83.dat upx 
behavioral2/files/0x0007000000023ca9-88.dat upx behavioral2/memory/4540-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4232-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-96.dat upx behavioral2/memory/4616-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-103.dat upx behavioral2/memory/4168-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-108.dat upx behavioral2/files/0x0007000000023cad-113.dat upx behavioral2/memory/1244-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3092-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-120.dat upx behavioral2/files/0x0007000000023caf-125.dat upx behavioral2/files/0x0007000000023cb0-131.dat upx behavioral2/files/0x0007000000023cb1-135.dat upx behavioral2/memory/1884-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-142.dat upx behavioral2/memory/3400-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/904-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-147.dat upx behavioral2/memory/2740-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-155.dat upx behavioral2/files/0x0007000000023cb5-160.dat upx behavioral2/memory/2400-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-165.dat upx behavioral2/files/0x0007000000023cb7-170.dat upx behavioral2/memory/868-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-176.dat upx behavioral2/memory/1708-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-180.dat upx behavioral2/files/0x0007000000023cba-185.dat upx 
behavioral2/memory/2600-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4300-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3228-205-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 224482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2220482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8442608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6204440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllfxx.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 028828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0202860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86826.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2082086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1236 wrote to memory of 3068 1236 95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe 83 PID 1236 wrote to memory of 3068 1236 95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe 83 PID 1236 wrote to memory of 3068 1236 95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe 83 PID 3068 wrote to memory of 3468 3068 jjppj.exe 84 PID 3068 wrote to memory of 3468 3068 jjppj.exe 84 PID 3068 wrote to memory of 3468 3068 jjppj.exe 84 PID 3468 wrote to memory of 3604 3468 6608226.exe 85 PID 3468 wrote to memory of 3604 3468 6608226.exe 85 PID 3468 wrote to memory of 3604 3468 6608226.exe 85 PID 3604 wrote to memory of 3524 3604 86848.exe 86 PID 3604 wrote to memory of 3524 3604 86848.exe 86 PID 3604 wrote to memory of 3524 3604 86848.exe 86 PID 3524 wrote to memory of 4336 3524 xxfxxfx.exe 87 PID 3524 wrote to memory of 4336 3524 xxfxxfx.exe 87 PID 3524 wrote to memory of 4336 3524 xxfxxfx.exe 87 PID 4336 wrote to memory of 1632 4336 ntbttb.exe 138 PID 4336 wrote to memory of 1632 4336 ntbttb.exe 138 PID 4336 wrote to memory of 1632 4336 ntbttb.exe 138 PID 1632 wrote to memory of 2172 1632 lrxxrxx.exe 139 PID 1632 wrote to memory of 2172 1632 lrxxrxx.exe 139 PID 1632 wrote to memory of 2172 1632 lrxxrxx.exe 139 PID 2172 wrote to memory of 2080 2172 2628200.exe 90 PID 2172 wrote to memory of 2080 2172 2628200.exe 90 PID 2172 wrote to memory of 2080 2172 2628200.exe 90 PID 2080 wrote to memory of 4552 2080 fxrlflx.exe 91 PID 2080 wrote to memory of 4552 2080 fxrlflx.exe 91 PID 2080 wrote to memory of 4552 2080 fxrlflx.exe 91 PID 4552 wrote to memory of 3668 4552 bttnhh.exe 92 PID 4552 wrote to memory of 3668 4552 bttnhh.exe 92 PID 4552 wrote to memory of 3668 4552 bttnhh.exe 92 PID 3668 wrote to memory of 3012 3668 httntt.exe 93 PID 3668 wrote to memory of 3012 3668 httntt.exe 93 PID 3668 wrote to memory of 3012 3668 httntt.exe 93 PID 3012 wrote to memory of 3568 3012 7dddd.exe 94 PID 
3012 wrote to memory of 3568 3012 7dddd.exe 94 PID 3012 wrote to memory of 3568 3012 7dddd.exe 94 PID 3568 wrote to memory of 1064 3568 266666.exe 95 PID 3568 wrote to memory of 1064 3568 266666.exe 95 PID 3568 wrote to memory of 1064 3568 266666.exe 95 PID 1064 wrote to memory of 4232 1064 pvvpv.exe 96 PID 1064 wrote to memory of 4232 1064 pvvpv.exe 96 PID 1064 wrote to memory of 4232 1064 pvvpv.exe 96 PID 4232 wrote to memory of 4540 4232 20000.exe 97 PID 4232 wrote to memory of 4540 4232 20000.exe 97 PID 4232 wrote to memory of 4540 4232 20000.exe 97 PID 4540 wrote to memory of 4616 4540 dvpjj.exe 98 PID 4540 wrote to memory of 4616 4540 dvpjj.exe 98 PID 4540 wrote to memory of 4616 4540 dvpjj.exe 98 PID 4616 wrote to memory of 4168 4616 w28882.exe 100 PID 4616 wrote to memory of 4168 4616 w28882.exe 100 PID 4616 wrote to memory of 4168 4616 w28882.exe 100 PID 4168 wrote to memory of 3092 4168 pppdp.exe 101 PID 4168 wrote to memory of 3092 4168 pppdp.exe 101 PID 4168 wrote to memory of 3092 4168 pppdp.exe 101 PID 3092 wrote to memory of 1244 3092 6664260.exe 102 PID 3092 wrote to memory of 1244 3092 6664260.exe 102 PID 3092 wrote to memory of 1244 3092 6664260.exe 102 PID 1244 wrote to memory of 3120 1244 o448604.exe 158 PID 1244 wrote to memory of 3120 1244 o448604.exe 158 PID 1244 wrote to memory of 3120 1244 o448604.exe 158 PID 3120 wrote to memory of 3520 3120 m8082.exe 104 PID 3120 wrote to memory of 3520 3120 m8082.exe 104 PID 3120 wrote to memory of 3520 3120 m8082.exe 104 PID 3520 wrote to memory of 2740 3520 nbhhnn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe"C:\Users\Admin\AppData\Local\Temp\95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\jjppj.exec:\jjppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\6608226.exec:\6608226.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\86848.exec:\86848.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\xxfxxfx.exec:\xxfxxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\ntbttb.exec:\ntbttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\lrxxrxx.exec:\lrxxrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\2628200.exec:\2628200.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\fxrlflx.exec:\fxrlflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\bttnhh.exec:\bttnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\httntt.exec:\httntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\7dddd.exec:\7dddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\266666.exec:\266666.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\pvvpv.exec:\pvvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\20000.exec:\20000.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\dvpjj.exec:\dvpjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\w28882.exec:\w28882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\pppdp.exec:\pppdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\6664260.exec:\6664260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\o448604.exec:\o448604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\m8082.exec:\m8082.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\nbhhnn.exec:\nbhhnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\thbtnn.exec:\thbtnn.exe23⤵
- Executes dropped EXE
PID:2740 -
\??\c:\jvvvd.exec:\jvvvd.exe24⤵
- Executes dropped EXE
PID:1884 -
\??\c:\vjjvp.exec:\vjjvp.exe25⤵
- Executes dropped EXE
PID:3400 -
\??\c:\460860.exec:\460860.exe26⤵
- Executes dropped EXE
PID:904 -
\??\c:\0808260.exec:\0808260.exe27⤵
- Executes dropped EXE
PID:2400 -
\??\c:\u248888.exec:\u248888.exe28⤵
- Executes dropped EXE
PID:3572 -
\??\c:\jdvpj.exec:\jdvpj.exe29⤵
- Executes dropped EXE
PID:868 -
\??\c:\6600860.exec:\6600860.exe30⤵
- Executes dropped EXE
PID:2752 -
\??\c:\g2482.exec:\g2482.exe31⤵
- Executes dropped EXE
PID:1556 -
\??\c:\864406.exec:\864406.exe32⤵
- Executes dropped EXE
PID:1708 -
\??\c:\660024.exec:\660024.exe33⤵
- Executes dropped EXE
PID:2600 -
\??\c:\8682260.exec:\8682260.exe34⤵
- Executes dropped EXE
PID:4300 -
\??\c:\jjpjd.exec:\jjpjd.exe35⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jdppj.exec:\jdppj.exe36⤵
- Executes dropped EXE
PID:1520 -
\??\c:\4240044.exec:\4240044.exe37⤵
- Executes dropped EXE
PID:3228 -
\??\c:\7pvpd.exec:\7pvpd.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:652 -
\??\c:\46886.exec:\46886.exe39⤵
- Executes dropped EXE
PID:908 -
\??\c:\868482.exec:\868482.exe40⤵
- Executes dropped EXE
PID:1448 -
\??\c:\4640264.exec:\4640264.exe41⤵
- Executes dropped EXE
PID:716 -
\??\c:\2688042.exec:\2688042.exe42⤵
- Executes dropped EXE
PID:116 -
\??\c:\pddvp.exec:\pddvp.exe43⤵
- Executes dropped EXE
PID:4604 -
\??\c:\26082.exec:\26082.exe44⤵
- Executes dropped EXE
PID:4144 -
\??\c:\46426.exec:\46426.exe45⤵
- Executes dropped EXE
PID:348 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe46⤵
- Executes dropped EXE
PID:4292 -
\??\c:\jvdvd.exec:\jvdvd.exe47⤵
- Executes dropped EXE
PID:4672 -
\??\c:\0828686.exec:\0828686.exe48⤵
- Executes dropped EXE
PID:1480 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe49⤵
- Executes dropped EXE
PID:1956 -
\??\c:\44820.exec:\44820.exe50⤵
- Executes dropped EXE
PID:4312 -
\??\c:\bntnnn.exec:\bntnnn.exe51⤵
- Executes dropped EXE
PID:3936 -
\??\c:\c866660.exec:\c866660.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\bhnhbb.exec:\bhnhbb.exe53⤵
- Executes dropped EXE
PID:3436 -
\??\c:\6282604.exec:\6282604.exe54⤵
- Executes dropped EXE
PID:3648 -
\??\c:\626628.exec:\626628.exe55⤵
- Executes dropped EXE
PID:4812 -
\??\c:\pdvjd.exec:\pdvjd.exe56⤵
- Executes dropped EXE
PID:1632 -
\??\c:\7nhbnh.exec:\7nhbnh.exe57⤵
- Executes dropped EXE
PID:2172 -
\??\c:\44086.exec:\44086.exe58⤵
- Executes dropped EXE
PID:4008 -
\??\c:\46266.exec:\46266.exe59⤵
- Executes dropped EXE
PID:1928 -
\??\c:\6248664.exec:\6248664.exe60⤵
- Executes dropped EXE
PID:2916 -
\??\c:\pdvjd.exec:\pdvjd.exe61⤵
- Executes dropped EXE
PID:5060 -
\??\c:\nhthbt.exec:\nhthbt.exe62⤵
- Executes dropped EXE
PID:4968 -
\??\c:\dddpj.exec:\dddpj.exe63⤵
- Executes dropped EXE
PID:2436 -
\??\c:\pjpjd.exec:\pjpjd.exe64⤵
- Executes dropped EXE
PID:612 -
\??\c:\2082222.exec:\2082222.exe65⤵
- Executes dropped EXE
PID:3968 -
\??\c:\bthhbt.exec:\bthhbt.exe66⤵PID:1060
-
\??\c:\lffxxxl.exec:\lffxxxl.exe67⤵PID:556
-
\??\c:\vjppp.exec:\vjppp.exe68⤵PID:628
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe69⤵PID:3920
-
\??\c:\frrflfr.exec:\frrflfr.exe70⤵PID:864
-
\??\c:\ffxrrll.exec:\ffxrrll.exe71⤵PID:1312
-
\??\c:\2688042.exec:\2688042.exe72⤵PID:2060
-
\??\c:\vjjvj.exec:\vjjvj.exe73⤵PID:3080
-
\??\c:\vpjpj.exec:\vpjpj.exe74⤵PID:3460
-
\??\c:\8264484.exec:\8264484.exe75⤵PID:3340
-
\??\c:\g4244.exec:\g4244.exe76⤵PID:3120
-
\??\c:\jppjv.exec:\jppjv.exe77⤵PID:3360
-
\??\c:\vjpdv.exec:\vjpdv.exe78⤵PID:3600
-
\??\c:\868204.exec:\868204.exe79⤵PID:1652
-
\??\c:\vjpjj.exec:\vjpjj.exe80⤵PID:944
-
\??\c:\3rrfrxl.exec:\3rrfrxl.exe81⤵PID:4148
-
\??\c:\248642.exec:\248642.exe82⤵PID:1076
-
\??\c:\3rrfrlx.exec:\3rrfrlx.exe83⤵PID:2312
-
\??\c:\044860.exec:\044860.exe84⤵PID:2400
-
\??\c:\bnnbht.exec:\bnnbht.exe85⤵PID:2092
-
\??\c:\2460640.exec:\2460640.exe86⤵PID:1356
-
\??\c:\8846002.exec:\8846002.exe87⤵PID:1984
-
\??\c:\3dpdp.exec:\3dpdp.exe88⤵PID:4360
-
\??\c:\4808226.exec:\4808226.exe89⤵PID:1068
-
\??\c:\s6882.exec:\s6882.exe90⤵PID:3528
-
\??\c:\g0842.exec:\g0842.exe91⤵PID:1168
-
\??\c:\w80206.exec:\w80206.exe92⤵PID:4300
-
\??\c:\hnthbt.exec:\hnthbt.exe93⤵PID:1080
-
\??\c:\806082.exec:\806082.exe94⤵PID:2668
-
\??\c:\6288282.exec:\6288282.exe95⤵PID:908
-
\??\c:\042860.exec:\042860.exe96⤵PID:4400
-
\??\c:\u242648.exec:\u242648.exe97⤵PID:1388
-
\??\c:\6626420.exec:\6626420.exe98⤵PID:1924
-
\??\c:\hnthbt.exec:\hnthbt.exe99⤵PID:4332
-
\??\c:\4286266.exec:\4286266.exe100⤵PID:4324
-
\??\c:\hhhbtn.exec:\hhhbtn.exe101⤵PID:4312
-
\??\c:\1vppj.exec:\1vppj.exe102⤵PID:3624
-
\??\c:\dvvpj.exec:\dvvpj.exe103⤵PID:452
-
\??\c:\lxflfff.exec:\lxflfff.exe104⤵PID:4092
-
\??\c:\624820.exec:\624820.exe105⤵PID:1456
-
\??\c:\rrfxrlx.exec:\rrfxrlx.exe106⤵PID:1736
-
\??\c:\4488822.exec:\4488822.exe107⤵PID:1200
-
\??\c:\64686.exec:\64686.exe108⤵PID:2880
-
\??\c:\5pdpd.exec:\5pdpd.exe109⤵PID:2172
-
\??\c:\2086660.exec:\2086660.exe110⤵PID:1756
-
\??\c:\08480.exec:\08480.exe111⤵PID:1928
-
\??\c:\4844608.exec:\4844608.exe112⤵PID:4140
-
\??\c:\5nthbb.exec:\5nthbb.exe113⤵PID:1372
-
\??\c:\5tbnhb.exec:\5tbnhb.exe114⤵PID:3612
-
\??\c:\frlrfxr.exec:\frlrfxr.exe115⤵PID:3968
-
\??\c:\lflfrlf.exec:\lflfrlf.exe116⤵PID:3908
-
\??\c:\44042.exec:\44042.exe117⤵PID:2616
-
\??\c:\bnthbt.exec:\bnthbt.exe118⤵PID:2516
-
\??\c:\bnhtnh.exec:\bnhtnh.exe119⤵PID:4436
-
\??\c:\2682666.exec:\2682666.exe120⤵PID:4600
-
\??\c:\80288.exec:\80288.exe121⤵PID:4484
-
\??\c:\666488.exec:\666488.exe122⤵PID:1864
-