Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 10:25
Behavioral task
behavioral1
Sample
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe
Resource
win7-20241023-en
windows7-x64
9 signatures
120 seconds
General
-
Target
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe
-
Size
3.7MB
-
MD5
b2c4e5410373864a8694f5e3aaee1e21
-
SHA1
0bff784fd0b215a22414f6ab941a58f2ffbcd805
-
SHA256
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433
-
SHA512
6bc4bb815036cfa76b2cb531f99ecf5da4018ca831332203dca86ac461f7cd5c938cba73632d0f44bcdd0d792f947d051b2290bd5078000594372d580c714df2
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98Q:U6XLq/qPPslzKx/dJg1ErmNJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/384-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/684-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/980-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3008-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1212-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2196-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4780-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1396-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/980-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3808-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/668-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/928-503-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-522-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-529-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-603-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-1028-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-1128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-1138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-1142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2616-1239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 684 thtbbn.exe 1512 bthnhh.exe 4996 jjvvv.exe 980 hnntbh.exe 4956 frlrxfl.exe 2192 ffxxxxx.exe 4152 bhhnhn.exe 2648 nbnnnn.exe 1936 bhnnnt.exe 3008 5nhhnb.exe 2044 ddjjj.exe 216 vdvdj.exe 1576 vvjvv.exe 1996 3lxfllr.exe 1212 pjdvv.exe 3596 5ddvv.exe 5064 xrxxxxr.exe 1300 pjpvv.exe 2596 llllrxf.exe 2196 jpvvd.exe 440 tnbnnb.exe 3240 hthnth.exe 2388 jdvpv.exe 3892 hnbhnn.exe 2024 dddvv.exe 4780 dvvpj.exe 640 lrlfxrf.exe 4864 rrlffrl.exe 4168 djvvv.exe 4580 flrrrxf.exe 4656 flffrrx.exe 2736 rrlrxxx.exe 2972 1ttnhn.exe 3948 xffflrx.exe 1396 fxlfrlx.exe 512 5ttttb.exe 3424 5ppvj.exe 4808 ddjjj.exe 1776 jjpvd.exe 2280 llrxxff.exe 4820 xfxxxfr.exe 1536 bhhntb.exe 4608 vvdjj.exe 3472 vjvdd.exe 3904 djjvv.exe 408 rxxfrlx.exe 1812 fflflrr.exe 980 fxrrlll.exe 1364 frlrfxf.exe 4212 lrfrxrr.exe 3992 tttttb.exe 3616 bhbbhn.exe 4860 dpjjj.exe 4440 ffrxxff.exe 3444 rxllrfl.exe 2284 xfrrxxx.exe 4624 lllffll.exe 2424 htnhnb.exe 2940 bbtbbh.exe 3808 nhnnbh.exe 2980 vvvdp.exe 220 vvvvv.exe 1244 frfxfxx.exe 668 lxrfffx.exe -
resource yara_rule behavioral2/memory/384-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b1b-3.dat upx behavioral2/memory/384-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-8.dat upx behavioral2/memory/684-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-12.dat upx behavioral2/memory/4996-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1512-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b6c-21.dat upx behavioral2/memory/980-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-27.dat upx behavioral2/files/0x000a000000023b7c-32.dat upx behavioral2/memory/4956-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2192-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-39.dat upx behavioral2/memory/4152-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-45.dat upx behavioral2/memory/2648-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-52.dat upx behavioral2/files/0x000a000000023b80-56.dat upx behavioral2/memory/1936-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3008-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-64.dat upx behavioral2/files/0x000a000000023b82-68.dat upx behavioral2/memory/216-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2044-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-75.dat upx behavioral2/memory/1576-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-83.dat upx behavioral2/files/0x000a000000023b85-86.dat upx 
behavioral2/memory/1996-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-92.dat upx behavioral2/memory/1212-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-101.dat upx behavioral2/memory/3596-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b88-104.dat upx behavioral2/memory/5064-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b89-111.dat upx behavioral2/files/0x0031000000023b8a-115.dat upx behavioral2/memory/2196-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-121.dat upx behavioral2/files/0x000a000000023b8c-129.dat upx behavioral2/memory/440-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3240-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2388-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-133.dat upx behavioral2/files/0x000a000000023b8f-140.dat upx behavioral2/files/0x000300000001e754-144.dat upx behavioral2/files/0x000a000000023b91-150.dat upx behavioral2/memory/4780-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2024-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-157.dat upx behavioral2/files/0x000a000000023b93-163.dat upx behavioral2/files/0x000a000000023b94-166.dat upx behavioral2/memory/4864-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-175.dat upx behavioral2/memory/4168-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-178.dat upx behavioral2/files/0x000a000000023b97-183.dat upx behavioral2/memory/2972-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1396-199-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3424-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4808-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1776-214-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 384 wrote to memory of 684 384 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 82 PID 384 wrote to memory of 684 384 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 82 PID 384 wrote to memory of 684 384 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 82 PID 684 wrote to memory of 1512 684 thtbbn.exe 83 PID 684 wrote to memory of 1512 684 thtbbn.exe 83 PID 684 wrote to memory of 1512 684 thtbbn.exe 83 PID 1512 wrote to memory of 4996 1512 bthnhh.exe 84 PID 1512 wrote to memory of 4996 1512 bthnhh.exe 84 PID 1512 wrote to memory of 4996 1512 bthnhh.exe 84 PID 4996 wrote to memory of 980 4996 jjvvv.exe 85 PID 4996 wrote to memory of 980 4996 jjvvv.exe 85 PID 4996 wrote to memory of 980 4996 jjvvv.exe 85 PID 980 wrote to memory of 4956 980 hnntbh.exe 86 PID 980 wrote to memory of 4956 980 hnntbh.exe 86 PID 980 wrote to memory of 4956 980 hnntbh.exe 86 PID 4956 wrote to memory of 2192 4956 frlrxfl.exe 87 PID 4956 wrote to memory of 2192 4956 frlrxfl.exe 87 PID 4956 wrote to memory of 2192 4956 frlrxfl.exe 87 PID 2192 wrote to memory of 4152 2192 ffxxxxx.exe 88 PID 2192 wrote to memory of 4152 2192 ffxxxxx.exe 88 PID 2192 wrote to memory of 4152 2192 ffxxxxx.exe 88 PID 4152 wrote to memory of 2648 4152 bhhnhn.exe 89 PID 4152 wrote to memory of 2648 4152 bhhnhn.exe 89 PID 4152 wrote to memory of 2648 4152 bhhnhn.exe 89 PID 2648 wrote to memory of 1936 2648 nbnnnn.exe 90 PID 2648 wrote to memory of 1936 2648 nbnnnn.exe 90 PID 2648 wrote to memory of 1936 2648 nbnnnn.exe 90 PID 1936 wrote to memory of 3008 1936 bhnnnt.exe 91 PID 1936 wrote to memory of 3008 1936 bhnnnt.exe 91 PID 1936 wrote to memory of 3008 1936 bhnnnt.exe 91 PID 3008 wrote to memory of 2044 3008 5nhhnb.exe 92 PID 3008 wrote to memory of 2044 3008 5nhhnb.exe 92 PID 3008 wrote to memory of 2044 3008 5nhhnb.exe 92 PID 2044 wrote to memory of 216 2044 ddjjj.exe 93 PID 2044 wrote to memory of 216 2044 
ddjjj.exe 93 PID 2044 wrote to memory of 216 2044 ddjjj.exe 93 PID 216 wrote to memory of 1576 216 vdvdj.exe 94 PID 216 wrote to memory of 1576 216 vdvdj.exe 94 PID 216 wrote to memory of 1576 216 vdvdj.exe 94 PID 1576 wrote to memory of 1996 1576 vvjvv.exe 95 PID 1576 wrote to memory of 1996 1576 vvjvv.exe 95 PID 1576 wrote to memory of 1996 1576 vvjvv.exe 95 PID 1996 wrote to memory of 1212 1996 3lxfllr.exe 96 PID 1996 wrote to memory of 1212 1996 3lxfllr.exe 96 PID 1996 wrote to memory of 1212 1996 3lxfllr.exe 96 PID 1212 wrote to memory of 3596 1212 pjdvv.exe 97 PID 1212 wrote to memory of 3596 1212 pjdvv.exe 97 PID 1212 wrote to memory of 3596 1212 pjdvv.exe 97 PID 3596 wrote to memory of 5064 3596 5ddvv.exe 98 PID 3596 wrote to memory of 5064 3596 5ddvv.exe 98 PID 3596 wrote to memory of 5064 3596 5ddvv.exe 98 PID 5064 wrote to memory of 1300 5064 xrxxxxr.exe 99 PID 5064 wrote to memory of 1300 5064 xrxxxxr.exe 99 PID 5064 wrote to memory of 1300 5064 xrxxxxr.exe 99 PID 1300 wrote to memory of 2596 1300 pjpvv.exe 100 PID 1300 wrote to memory of 2596 1300 pjpvv.exe 100 PID 1300 wrote to memory of 2596 1300 pjpvv.exe 100 PID 2596 wrote to memory of 2196 2596 llllrxf.exe 101 PID 2596 wrote to memory of 2196 2596 llllrxf.exe 101 PID 2596 wrote to memory of 2196 2596 llllrxf.exe 101 PID 2196 wrote to memory of 440 2196 jpvvd.exe 102 PID 2196 wrote to memory of 440 2196 jpvvd.exe 102 PID 2196 wrote to memory of 440 2196 jpvvd.exe 102 PID 440 wrote to memory of 3240 440 tnbnnb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe"C:\Users\Admin\AppData\Local\Temp\5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\thtbbn.exec:\thtbbn.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\bthnhh.exec:\bthnhh.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\jjvvv.exec:\jjvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\hnntbh.exec:\hnntbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\frlrxfl.exec:\frlrxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\bhhnhn.exec:\bhhnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\nbnnnn.exec:\nbnnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\bhnnnt.exec:\bhnnnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\5nhhnb.exec:\5nhhnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\ddjjj.exec:\ddjjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\vdvdj.exec:\vdvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\vvjvv.exec:\vvjvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\3lxfllr.exec:\3lxfllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\pjdvv.exec:\pjdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\5ddvv.exec:\5ddvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\xrxxxxr.exec:\xrxxxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\pjpvv.exec:\pjpvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\llllrxf.exec:\llllrxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\jpvvd.exec:\jpvvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\tnbnnb.exec:\tnbnnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\hthnth.exec:\hthnth.exe23⤵
- Executes dropped EXE
PID:3240 -
\??\c:\jdvpv.exec:\jdvpv.exe24⤵
- Executes dropped EXE
PID:2388 -
\??\c:\hnbhnn.exec:\hnbhnn.exe25⤵
- Executes dropped EXE
PID:3892 -
\??\c:\dddvv.exec:\dddvv.exe26⤵
- Executes dropped EXE
PID:2024 -
\??\c:\dvvpj.exec:\dvvpj.exe27⤵
- Executes dropped EXE
PID:4780 -
\??\c:\lrlfxrf.exec:\lrlfxrf.exe28⤵
- Executes dropped EXE
PID:640 -
\??\c:\rrlffrl.exec:\rrlffrl.exe29⤵
- Executes dropped EXE
PID:4864 -
\??\c:\djvvv.exec:\djvvv.exe30⤵
- Executes dropped EXE
PID:4168 -
\??\c:\flrrrxf.exec:\flrrrxf.exe31⤵
- Executes dropped EXE
PID:4580 -
\??\c:\flffrrx.exec:\flffrrx.exe32⤵
- Executes dropped EXE
PID:4656 -
\??\c:\rrlrxxx.exec:\rrlrxxx.exe33⤵
- Executes dropped EXE
PID:2736 -
\??\c:\1ttnhn.exec:\1ttnhn.exe34⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xffflrx.exec:\xffflrx.exe35⤵
- Executes dropped EXE
PID:3948 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe36⤵
- Executes dropped EXE
PID:1396 -
\??\c:\5ttttb.exec:\5ttttb.exe37⤵
- Executes dropped EXE
PID:512 -
\??\c:\5ppvj.exec:\5ppvj.exe38⤵
- Executes dropped EXE
PID:3424 -
\??\c:\ddjjj.exec:\ddjjj.exe39⤵
- Executes dropped EXE
PID:4808 -
\??\c:\jjpvd.exec:\jjpvd.exe40⤵
- Executes dropped EXE
PID:1776 -
\??\c:\llrxxff.exec:\llrxxff.exe41⤵
- Executes dropped EXE
PID:2280 -
\??\c:\xfxxxfr.exec:\xfxxxfr.exe42⤵
- Executes dropped EXE
PID:4820 -
\??\c:\bhhntb.exec:\bhhntb.exe43⤵
- Executes dropped EXE
PID:1536 -
\??\c:\vvdjj.exec:\vvdjj.exe44⤵
- Executes dropped EXE
PID:4608 -
\??\c:\vjvdd.exec:\vjvdd.exe45⤵
- Executes dropped EXE
PID:3472 -
\??\c:\djjvv.exec:\djjvv.exe46⤵
- Executes dropped EXE
PID:3904 -
\??\c:\rxxfrlx.exec:\rxxfrlx.exe47⤵
- Executes dropped EXE
PID:408 -
\??\c:\fflflrr.exec:\fflflrr.exe48⤵
- Executes dropped EXE
PID:1812 -
\??\c:\fxrrlll.exec:\fxrrlll.exe49⤵
- Executes dropped EXE
PID:980 -
\??\c:\frlrfxf.exec:\frlrfxf.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1364 -
\??\c:\lrfrxrr.exec:\lrfrxrr.exe51⤵
- Executes dropped EXE
PID:4212 -
\??\c:\tttttb.exec:\tttttb.exe52⤵
- Executes dropped EXE
PID:3992 -
\??\c:\bhbbhn.exec:\bhbbhn.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616 -
\??\c:\dpjjj.exec:\dpjjj.exe54⤵
- Executes dropped EXE
PID:4860 -
\??\c:\ffrxxff.exec:\ffrxxff.exe55⤵
- Executes dropped EXE
PID:4440 -
\??\c:\rxllrfl.exec:\rxllrfl.exe56⤵
- Executes dropped EXE
PID:3444 -
\??\c:\xfrrxxx.exec:\xfrrxxx.exe57⤵
- Executes dropped EXE
PID:2284 -
\??\c:\lllffll.exec:\lllffll.exe58⤵
- Executes dropped EXE
PID:4624 -
\??\c:\htnhnb.exec:\htnhnb.exe59⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bbtbbh.exec:\bbtbbh.exe60⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nhnnbh.exec:\nhnnbh.exe61⤵
- Executes dropped EXE
PID:3808 -
\??\c:\vvvdp.exec:\vvvdp.exe62⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vvvvv.exec:\vvvvv.exe63⤵
- Executes dropped EXE
PID:220 -
\??\c:\frfxfxx.exec:\frfxfxx.exe64⤵
- Executes dropped EXE
PID:1244 -
\??\c:\lxrfffx.exec:\lxrfffx.exe65⤵
- Executes dropped EXE
PID:668 -
\??\c:\lxxffll.exec:\lxxffll.exe66⤵PID:3360
-
\??\c:\5xrrfrf.exec:\5xrrfrf.exe67⤵PID:3680
-
\??\c:\hnnhbt.exec:\hnnhbt.exe68⤵PID:4556
-
\??\c:\tnbhbb.exec:\tnbhbb.exe69⤵PID:232
-
\??\c:\bnbbbn.exec:\bnbbbn.exe70⤵PID:2476
-
\??\c:\ppjpp.exec:\ppjpp.exe71⤵PID:4180
-
\??\c:\ppppp.exec:\ppppp.exe72⤵PID:800
-
\??\c:\pvjpp.exec:\pvjpp.exe73⤵PID:4540
-
\??\c:\frflrxf.exec:\frflrxf.exe74⤵PID:2264
-
\??\c:\xxlllll.exec:\xxlllll.exe75⤵PID:1012
-
\??\c:\nnhttt.exec:\nnhttt.exe76⤵PID:2124
-
\??\c:\dpjpv.exec:\dpjpv.exe77⤵PID:1516
-
\??\c:\jvvvd.exec:\jvvvd.exe78⤵PID:3744
-
\??\c:\xxrrrff.exec:\xxrrrff.exe79⤵PID:2184
-
\??\c:\xxfrxlr.exec:\xxfrxlr.exe80⤵PID:4864
-
\??\c:\bhtnnh.exec:\bhtnnh.exe81⤵
- System Location Discovery: System Language Discovery
PID:2064 -
\??\c:\bbhhhn.exec:\bbhhhn.exe82⤵PID:3848
-
\??\c:\vvvvv.exec:\vvvvv.exe83⤵PID:2312
-
\??\c:\ppdvv.exec:\ppdvv.exe84⤵PID:1160
-
\??\c:\xrfffll.exec:\xrfffll.exe85⤵PID:3260
-
\??\c:\frlrxff.exec:\frlrxff.exe86⤵PID:4424
-
\??\c:\hnhhnb.exec:\hnhhnb.exe87⤵PID:2584
-
\??\c:\nhnntb.exec:\nhnntb.exe88⤵PID:3960
-
\??\c:\nnbhnt.exec:\nnbhnt.exe89⤵PID:4060
-
\??\c:\pvjjj.exec:\pvjjj.exe90⤵PID:512
-
\??\c:\frffflr.exec:\frffflr.exe91⤵PID:3820
-
\??\c:\xrrrxff.exec:\xrrrxff.exe92⤵PID:5088
-
\??\c:\bhnhnn.exec:\bhnhnn.exe93⤵PID:4208
-
\??\c:\htthbn.exec:\htthbn.exe94⤵PID:2256
-
\??\c:\9ddjj.exec:\9ddjj.exe95⤵PID:4784
-
\??\c:\pjvpp.exec:\pjvpp.exe96⤵PID:3936
-
\??\c:\rxrxxfl.exec:\rxrxxfl.exe97⤵PID:3904
-
\??\c:\flrxxff.exec:\flrxxff.exe98⤵PID:3308
-
\??\c:\fxlrrfx.exec:\fxlrrfx.exe99⤵PID:908
-
\??\c:\rrllxlx.exec:\rrllxlx.exe100⤵PID:3088
-
\??\c:\lxrxxff.exec:\lxrxxff.exe101⤵PID:872
-
\??\c:\bbnnbn.exec:\bbnnbn.exe102⤵PID:3216
-
\??\c:\htntbh.exec:\htntbh.exe103⤵
- System Location Discovery: System Language Discovery
PID:4152 -
\??\c:\btbbbh.exec:\btbbbh.exe104⤵PID:1660
-
\??\c:\nnbbhn.exec:\nnbbhn.exe105⤵PID:4184
-
\??\c:\pddjd.exec:\pddjd.exe106⤵PID:3508
-
\??\c:\djddd.exec:\djddd.exe107⤵PID:5036
-
\??\c:\dvddd.exec:\dvddd.exe108⤵PID:3856
-
\??\c:\thttnn.exec:\thttnn.exe109⤵PID:2284
-
\??\c:\ddpjp.exec:\ddpjp.exe110⤵PID:3964
-
\??\c:\dvpjj.exec:\dvpjj.exe111⤵PID:4176
-
\??\c:\pjpdj.exec:\pjpdj.exe112⤵PID:2480
-
\??\c:\xxllrxf.exec:\xxllrxf.exe113⤵PID:3808
-
\??\c:\hnhbht.exec:\hnhbht.exe114⤵PID:3396
-
\??\c:\nnnnnt.exec:\nnnnnt.exe115⤵PID:1600
-
\??\c:\bnhhbh.exec:\bnhhbh.exe116⤵PID:1148
-
\??\c:\nbbbbb.exec:\nbbbbb.exe117⤵PID:3332
-
\??\c:\bhnhnt.exec:\bhnhnt.exe118⤵PID:756
-
\??\c:\djjpv.exec:\djjpv.exe119⤵PID:4544
-
\??\c:\7dpvd.exec:\7dpvd.exe120⤵PID:2500
-
\??\c:\ffrxlll.exec:\ffrxlll.exe121⤵PID:3696
-
\??\c:\lxrrxlr.exec:\lxrrxlr.exe122⤵PID:4468