Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 02:52
Behavioral task
behavioral1
Sample
c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448N.exe
-
Size
3.7MB
-
MD5
c7953e04fb00f0f42568fb2a203e7d60
-
SHA1
3da5a5395db02005d26ae80aa3daa920930c78b8
-
SHA256
c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448
-
SHA512
7ae19e93f97ffb9587fb8a54c99dc6f4081d7f3b4f5dd3895e937dca2fa9cf884a6d6dc029ee9949ac6af6f077e16d94097d857aec3280365dde05b2a70a4cc4
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98d:U6XLq/qPPslzKx/dJg1ErmNQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1940-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/372-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1276-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4304-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1552-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2808-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3816-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1996-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-523-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-692-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-777-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2728-796-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-803-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-813-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 920 djpjj.exe 5108 1thhhh.exe 3688 9dpdv.exe 2440 tnhntb.exe 4828 3jddv.exe 2712 pvjpp.exe 372 dppdp.exe 864 lxxlxrl.exe 3796 flrrlrf.exe 3956 9xrfrrf.exe 2524 7bhhbt.exe 3644 thttnn.exe 4796 vpdvv.exe 1276 bbhhbb.exe 3740 vjddj.exe 400 9frfxrf.exe 3432 lffxrlf.exe 5064 lrlrlfr.exe 1736 llfllrr.exe 1844 rrlfrlf.exe 3864 hhhtnh.exe 1152 5vdvj.exe 3004 9vvpd.exe 4068 nhnbbt.exe 4304 9bnbnh.exe 1552 5vvjp.exe 5096 djvdv.exe 4592 ddppv.exe 4812 flrrllx.exe 3968 vjdvv.exe 3304 jdpdp.exe 1936 vdjdv.exe 2096 pjvpp.exe 3152 vdpjp.exe 2860 ffffxrl.exe 2504 7flfflf.exe 3700 fxlxlfx.exe 4648 nnbtnt.exe 4264 pjdvp.exe 1616 nhtntn.exe 1296 7hnttt.exe 920 hhntnt.exe 5052 thhtnn.exe 2576 nnnbhb.exe 4660 dpdpj.exe 2908 tbhbbt.exe 3116 9jpjj.exe 4384 5vvdp.exe 3016 1frffxl.exe 4904 xxfxrrf.exe 1156 llrllrr.exe 4712 jvvjd.exe 4168 dpvjd.exe 2524 3jddv.exe 5068 nbbbnn.exe 3440 7tnhbb.exe 4792 bhhthb.exe 540 tnnttt.exe 2808 7lrfrlx.exe 3816 xrflfrl.exe 5056 9djvp.exe 1188 jddvp.exe 4824 ttbbbb.exe 1996 httnbb.exe -
resource yara_rule behavioral2/memory/1940-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b25-3.dat upx behavioral2/memory/1940-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-9.dat upx behavioral2/memory/920-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-13.dat upx behavioral2/memory/5108-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-21.dat upx behavioral2/memory/3688-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-30.dat upx behavioral2/memory/2440-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4828-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b85-34.dat upx behavioral2/memory/372-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2712-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-41.dat upx behavioral2/memory/372-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-47.dat upx behavioral2/files/0x000a000000023b8f-52.dat upx behavioral2/files/0x000a000000023b90-59.dat upx behavioral2/files/0x000a000000023b91-64.dat upx behavioral2/files/0x000b000000023b92-67.dat upx behavioral2/memory/2524-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3644-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4796-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b93-74.dat upx behavioral2/files/0x000b000000023b94-81.dat upx behavioral2/memory/1276-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-86.dat upx behavioral2/files/0x000e000000023ba3-91.dat upx behavioral2/memory/3740-94-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/400-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bac-98.dat upx behavioral2/memory/3432-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb1-106.dat upx behavioral2/memory/5064-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb2-111.dat upx behavioral2/memory/1736-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb3-117.dat upx behavioral2/memory/1844-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bb7-123.dat upx behavioral2/memory/3864-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb9-129.dat upx behavioral2/memory/1152-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbc-135.dat upx behavioral2/files/0x0008000000023bbd-142.dat upx behavioral2/memory/3004-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbe-145.dat upx behavioral2/memory/4304-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbf-152.dat upx behavioral2/files/0x0008000000023bee-159.dat upx behavioral2/memory/1552-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5096-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bef-164.dat upx behavioral2/files/0x0008000000023bf0-169.dat upx behavioral2/memory/4592-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf1-176.dat upx behavioral2/files/0x0008000000023bf2-182.dat upx behavioral2/memory/3968-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf3-187.dat upx behavioral2/memory/1936-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2096-195-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2860-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3700-209-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbthb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrfrlx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbnbn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1940 wrote to memory of 920 1940 c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448N.exe 83 PID 1940 wrote to memory of 920 1940 c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448N.exe 83 PID 1940 wrote to memory of 920 1940 c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448N.exe 83 PID 920 wrote to memory of 5108 920 djpjj.exe 84 PID 920 wrote to memory of 5108 920 djpjj.exe 84 PID 920 wrote to memory of 5108 920 djpjj.exe 84 PID 5108 wrote to memory of 3688 5108 1thhhh.exe 85 PID 5108 wrote to memory of 3688 5108 1thhhh.exe 85 PID 5108 wrote to memory of 3688 5108 1thhhh.exe 85 PID 3688 wrote to memory of 2440 3688 9dpdv.exe 86 PID 3688 wrote to memory of 2440 3688 9dpdv.exe 86 PID 3688 wrote to memory of 2440 3688 9dpdv.exe 86 PID 2440 wrote to memory of 4828 2440 tnhntb.exe 87 PID 2440 wrote to memory of 4828 2440 tnhntb.exe 87 PID 2440 wrote to memory of 4828 2440 tnhntb.exe 87 PID 4828 wrote to memory of 2712 4828 3jddv.exe 88 PID 4828 wrote to memory of 2712 4828 3jddv.exe 88 PID 4828 wrote to memory of 2712 4828 3jddv.exe 88 PID 2712 wrote to memory of 372 2712 pvjpp.exe 188 PID 2712 wrote to memory of 372 2712 pvjpp.exe 188 PID 2712 wrote to memory of 372 2712 pvjpp.exe 188 PID 372 wrote to memory of 864 372 dppdp.exe 189 PID 372 wrote to memory of 864 372 dppdp.exe 189 PID 372 wrote to memory of 864 372 dppdp.exe 189 PID 864 wrote to memory of 3796 864 lxxlxrl.exe 91 PID 864 wrote to memory of 3796 864 lxxlxrl.exe 91 PID 864 wrote to memory of 3796 864 lxxlxrl.exe 91 PID 3796 wrote to memory of 3956 3796 flrrlrf.exe 92 PID 3796 wrote to memory of 3956 3796 flrrlrf.exe 92 PID 3796 wrote to memory of 3956 3796 flrrlrf.exe 92 PID 3956 wrote to memory of 2524 3956 9xrfrrf.exe 193 PID 3956 wrote to memory of 2524 3956 9xrfrrf.exe 193 PID 3956 wrote to memory of 2524 3956 9xrfrrf.exe 193 PID 2524 wrote to memory of 3644 2524 7bhhbt.exe 138 PID 2524 wrote to memory of 3644 2524 
7bhhbt.exe 138 PID 2524 wrote to memory of 3644 2524 7bhhbt.exe 138 PID 3644 wrote to memory of 4796 3644 thttnn.exe 95 PID 3644 wrote to memory of 4796 3644 thttnn.exe 95 PID 3644 wrote to memory of 4796 3644 thttnn.exe 95 PID 4796 wrote to memory of 1276 4796 vpdvv.exe 96 PID 4796 wrote to memory of 1276 4796 vpdvv.exe 96 PID 4796 wrote to memory of 1276 4796 vpdvv.exe 96 PID 1276 wrote to memory of 3740 1276 bbhhbb.exe 97 PID 1276 wrote to memory of 3740 1276 bbhhbb.exe 97 PID 1276 wrote to memory of 3740 1276 bbhhbb.exe 97 PID 3740 wrote to memory of 400 3740 vjddj.exe 98 PID 3740 wrote to memory of 400 3740 vjddj.exe 98 PID 3740 wrote to memory of 400 3740 vjddj.exe 98 PID 400 wrote to memory of 3432 400 9frfxrf.exe 209 PID 400 wrote to memory of 3432 400 9frfxrf.exe 209 PID 400 wrote to memory of 3432 400 9frfxrf.exe 209 PID 3432 wrote to memory of 5064 3432 lffxrlf.exe 100 PID 3432 wrote to memory of 5064 3432 lffxrlf.exe 100 PID 3432 wrote to memory of 5064 3432 lffxrlf.exe 100 PID 5064 wrote to memory of 1736 5064 lrlrlfr.exe 101 PID 5064 wrote to memory of 1736 5064 lrlrlfr.exe 101 PID 5064 wrote to memory of 1736 5064 lrlrlfr.exe 101 PID 1736 wrote to memory of 1844 1736 llfllrr.exe 102 PID 1736 wrote to memory of 1844 1736 llfllrr.exe 102 PID 1736 wrote to memory of 1844 1736 llfllrr.exe 102 PID 1844 wrote to memory of 3864 1844 rrlfrlf.exe 103 PID 1844 wrote to memory of 3864 1844 rrlfrlf.exe 103 PID 1844 wrote to memory of 3864 1844 rrlfrlf.exe 103 PID 3864 wrote to memory of 1152 3864 hhhtnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448N.exe"C:\Users\Admin\AppData\Local\Temp\c310f2a65fa807c9ce8f8f265f5c714daa951d149db9b3de3fbab124e51b2448N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\djpjj.exec:\djpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\1thhhh.exec:\1thhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\9dpdv.exec:\9dpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\tnhntb.exec:\tnhntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\3jddv.exec:\3jddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\pvjpp.exec:\pvjpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\dppdp.exec:\dppdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\flrrlrf.exec:\flrrlrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\9xrfrrf.exec:\9xrfrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\7bhhbt.exec:\7bhhbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\thttnn.exec:\thttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\vpdvv.exec:\vpdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\bbhhbb.exec:\bbhhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\vjddj.exec:\vjddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\9frfxrf.exec:\9frfxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\lffxrlf.exec:\lffxrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\lrlrlfr.exec:\lrlrlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\llfllrr.exec:\llfllrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\rrlfrlf.exec:\rrlfrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\hhhtnh.exec:\hhhtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\5vdvj.exec:\5vdvj.exe23⤵
- Executes dropped EXE
PID:1152 -
\??\c:\9vvpd.exec:\9vvpd.exe24⤵
- Executes dropped EXE
PID:3004 -
\??\c:\nhnbbt.exec:\nhnbbt.exe25⤵
- Executes dropped EXE
PID:4068 -
\??\c:\9bnbnh.exec:\9bnbnh.exe26⤵
- Executes dropped EXE
PID:4304 -
\??\c:\5vvjp.exec:\5vvjp.exe27⤵
- Executes dropped EXE
PID:1552 -
\??\c:\djvdv.exec:\djvdv.exe28⤵
- Executes dropped EXE
PID:5096 -
\??\c:\ddppv.exec:\ddppv.exe29⤵
- Executes dropped EXE
PID:4592 -
\??\c:\flrrllx.exec:\flrrllx.exe30⤵
- Executes dropped EXE
PID:4812 -
\??\c:\vjdvv.exec:\vjdvv.exe31⤵
- Executes dropped EXE
PID:3968 -
\??\c:\jdpdp.exec:\jdpdp.exe32⤵
- Executes dropped EXE
PID:3304 -
\??\c:\vdjdv.exec:\vdjdv.exe33⤵
- Executes dropped EXE
PID:1936 -
\??\c:\pjvpp.exec:\pjvpp.exe34⤵
- Executes dropped EXE
PID:2096 -
\??\c:\vdpjp.exec:\vdpjp.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3152 -
\??\c:\ffffxrl.exec:\ffffxrl.exe36⤵
- Executes dropped EXE
PID:2860 -
\??\c:\7flfflf.exec:\7flfflf.exe37⤵
- Executes dropped EXE
PID:2504 -
\??\c:\fxlxlfx.exec:\fxlxlfx.exe38⤵
- Executes dropped EXE
PID:3700 -
\??\c:\nnbtnt.exec:\nnbtnt.exe39⤵
- Executes dropped EXE
PID:4648 -
\??\c:\pjdvp.exec:\pjdvp.exe40⤵
- Executes dropped EXE
PID:4264 -
\??\c:\nhtntn.exec:\nhtntn.exe41⤵
- Executes dropped EXE
PID:1616 -
\??\c:\7hnttt.exec:\7hnttt.exe42⤵
- Executes dropped EXE
PID:1296 -
\??\c:\hhntnt.exec:\hhntnt.exe43⤵
- Executes dropped EXE
PID:920 -
\??\c:\thhtnn.exec:\thhtnn.exe44⤵
- Executes dropped EXE
PID:5052 -
\??\c:\nnnbhb.exec:\nnnbhb.exe45⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dpdpj.exec:\dpdpj.exe46⤵
- Executes dropped EXE
PID:4660 -
\??\c:\tbhbbt.exec:\tbhbbt.exe47⤵
- Executes dropped EXE
PID:2908 -
\??\c:\9jpjj.exec:\9jpjj.exe48⤵
- Executes dropped EXE
PID:3116 -
\??\c:\5vvdp.exec:\5vvdp.exe49⤵
- Executes dropped EXE
PID:4384 -
\??\c:\1frffxl.exec:\1frffxl.exe50⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xxfxrrf.exec:\xxfxrrf.exe51⤵
- Executes dropped EXE
PID:4904 -
\??\c:\llrllrr.exec:\llrllrr.exe52⤵
- Executes dropped EXE
PID:1156 -
\??\c:\jvvjd.exec:\jvvjd.exe53⤵
- Executes dropped EXE
PID:4712 -
\??\c:\dpvjd.exec:\dpvjd.exe54⤵
- Executes dropped EXE
PID:4168 -
\??\c:\3jddv.exec:\3jddv.exe55⤵
- Executes dropped EXE
PID:2524 -
\??\c:\nbbbnn.exec:\nbbbnn.exe56⤵
- Executes dropped EXE
PID:5068 -
\??\c:\7tnhbb.exec:\7tnhbb.exe57⤵
- Executes dropped EXE
PID:3440 -
\??\c:\bhhthb.exec:\bhhthb.exe58⤵
- Executes dropped EXE
PID:4792 -
\??\c:\tnnttt.exec:\tnnttt.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
\??\c:\7lrfrlx.exec:\7lrfrlx.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
\??\c:\xrflfrl.exec:\xrflfrl.exe61⤵
- Executes dropped EXE
PID:3816 -
\??\c:\9djvp.exec:\9djvp.exe62⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jddvp.exec:\jddvp.exe63⤵
- Executes dropped EXE
PID:1188 -
\??\c:\ttbbbb.exec:\ttbbbb.exe64⤵
- Executes dropped EXE
PID:4824 -
\??\c:\httnbb.exec:\httnbb.exe65⤵
- Executes dropped EXE
PID:1996 -
\??\c:\hhtnhh.exec:\hhtnhh.exe66⤵PID:5000
-
\??\c:\hnbnbn.exec:\hnbnbn.exe67⤵PID:968
-
\??\c:\hhntnh.exec:\hhntnh.exe68⤵PID:2956
-
\??\c:\lxlllff.exec:\lxlllff.exe69⤵PID:1552
-
\??\c:\rxxlxrf.exec:\rxxlxrf.exe70⤵PID:3172
-
\??\c:\xxrfrrl.exec:\xxrfrrl.exe71⤵PID:388
-
\??\c:\pvdjv.exec:\pvdjv.exe72⤵PID:1352
-
\??\c:\3ppjv.exec:\3ppjv.exe73⤵PID:4896
-
\??\c:\tntnnn.exec:\tntnnn.exe74⤵PID:1064
-
\??\c:\ntbthb.exec:\ntbthb.exe75⤵PID:3232
-
\??\c:\bbthnb.exec:\bbthnb.exe76⤵PID:4432
-
\??\c:\rxlfrlf.exec:\rxlfrlf.exe77⤵PID:4992
-
\??\c:\lrxrfxr.exec:\lrxrfxr.exe78⤵PID:4032
-
\??\c:\1vvpd.exec:\1vvpd.exe79⤵PID:4316
-
\??\c:\dvvjv.exec:\dvvjv.exe80⤵PID:1884
-
\??\c:\nnhnbn.exec:\nnhnbn.exe81⤵PID:5004
-
\??\c:\7bhthb.exec:\7bhthb.exe82⤵PID:1700
-
\??\c:\1nnhnb.exec:\1nnhnb.exe83⤵PID:1124
-
\??\c:\rflxlxl.exec:\rflxlxl.exe84⤵PID:2800
-
\??\c:\frxlxlx.exec:\frxlxlx.exe85⤵PID:2700
-
\??\c:\vddpd.exec:\vddpd.exe86⤵
- System Location Discovery: System Language Discovery
PID:4344 -
\??\c:\vjvpd.exec:\vjvpd.exe87⤵PID:4648
-
\??\c:\nhnhhh.exec:\nhnhhh.exe88⤵PID:2320
-
\??\c:\5tbntn.exec:\5tbntn.exe89⤵PID:116
-
\??\c:\ffrfxll.exec:\ffrfxll.exe90⤵PID:3916
-
\??\c:\lfxfrll.exec:\lfxfrll.exe91⤵PID:3080
-
\??\c:\vdpvj.exec:\vdpvj.exe92⤵PID:2032
-
\??\c:\7dpdd.exec:\7dpdd.exe93⤵PID:4808
-
\??\c:\5bhbhb.exec:\5bhbhb.exe94⤵PID:4936
-
\??\c:\btnnhh.exec:\btnnhh.exe95⤵PID:4660
-
\??\c:\7bhnbn.exec:\7bhnbn.exe96⤵PID:1612
-
\??\c:\5ffxfxl.exec:\5ffxfxl.exe97⤵PID:1600
-
\??\c:\9lrxlxl.exec:\9lrxlxl.exe98⤵PID:3560
-
\??\c:\pdpjp.exec:\pdpjp.exe99⤵PID:2148
-
\??\c:\pjppj.exec:\pjppj.exe100⤵PID:372
-
\??\c:\hbhtnb.exec:\hbhtnb.exe101⤵PID:864
-
\??\c:\htnbnb.exec:\htnbnb.exe102⤵PID:4272
-
\??\c:\tbbnhb.exec:\tbbnhb.exe103⤵PID:1284
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe104⤵PID:4040
-
\??\c:\5rrffxr.exec:\5rrffxr.exe105⤵PID:2524
-
\??\c:\vpdjv.exec:\vpdjv.exe106⤵PID:3164
-
\??\c:\dppjj.exec:\dppjj.exe107⤵PID:3076
-
\??\c:\jjpjv.exec:\jjpjv.exe108⤵PID:3364
-
\??\c:\hnntbh.exec:\hnntbh.exe109⤵PID:4376
-
\??\c:\nhnnhb.exec:\nhnnhb.exe110⤵PID:4208
-
\??\c:\lxxrffr.exec:\lxxrffr.exe111⤵PID:2260
-
\??\c:\llfxfxf.exec:\llfxfxf.exe112⤵PID:4140
-
\??\c:\vddpd.exec:\vddpd.exe113⤵
- System Location Discovery: System Language Discovery
PID:2044 -
\??\c:\jjvpj.exec:\jjvpj.exe114⤵PID:3228
-
\??\c:\vvpjv.exec:\vvpjv.exe115⤵PID:3476
-
\??\c:\9tthtn.exec:\9tthtn.exe116⤵PID:1504
-
\??\c:\bnthth.exec:\bnthth.exe117⤵PID:60
-
\??\c:\5lrfrfr.exec:\5lrfrfr.exe118⤵PID:3432
-
\??\c:\rxfxrlx.exec:\rxfxrlx.exe119⤵PID:3668
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe120⤵PID:4488
-
\??\c:\lrlrxlr.exec:\lrlrxlr.exe121⤵PID:3044
-
\??\c:\xrrlxlx.exec:\xrrlxlx.exe122⤵PID:4484