Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
31-12-2024 06:28
Behavioral task
behavioral1 (note: this task header describes the Windows 7 run, but every signature IoC listed below is tagged behavioral2, i.e. the Windows 10 2004 x64 run named in the Analysis header)
Sample
92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe
-
Size
3.7MB
-
MD5
bcb7fbe544a5cb5cce83b81a3387fa51
-
SHA1
fdb957330a0ceece59d7b9d493a568eeed95a178
-
SHA256
92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b
-
SHA512
3c44b0ff6a207f9bb325d59b13e2e8891a34ef6619c647a49edf2bc673ca2d55ce0af87df615d429a83edd6543d249ecf3a8ff89ca6e5c81bc99cc7b10e156cc
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98P:U6XLq/qPPslzKx/dJg1ErmNY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (only the first 64 hits are shown; every hit is the same 0x400000–0x427000 image region in a different dropped process, and the same regions also match the UPX rule below)
resource yara_rule behavioral2/memory/3720-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1912-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/820-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3704-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1312-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1664-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2456-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/348-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4240-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4840-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2664-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-541-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-583-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-710-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-735-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-925-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-992-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4208-1122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family (no supporting IoC for this signature is listed in this report; treat the classification as unconfirmed until the triggering rule or artifact is reviewed)
-
Executes dropped EXE 64 IoCs (list capped at 64 entries; the process tree below continues well past this)
pid Process 4408 jvvpd.exe 2080 llllxrr.exe 1912 3dvpj.exe 2880 1xlfrrf.exe 3144 tnnhtn.exe 2564 nbbnbt.exe 3732 nbthtt.exe 2232 xxflxrl.exe 4980 3lrfxrf.exe 224 9bbnbn.exe 2844 pdjdd.exe 4296 rlfxllf.exe 2744 ppvpd.exe 2332 nbtnbb.exe 4976 btbtnh.exe 1648 vvpdv.exe 1348 jpvjv.exe 1212 thhbnh.exe 2736 nnnhtt.exe 4708 vddvv.exe 820 7ppjv.exe 408 llrlfrr.exe 4636 djjdp.exe 4840 vpjjd.exe 316 llrfxxr.exe 3704 5nhbbb.exe 1972 tbnnbn.exe 3444 rllfxxl.exe 1512 hnttnn.exe 2132 pjjdj.exe 2700 5xrffxf.exe 1312 rffrlfx.exe 4188 7lxllfr.exe 1664 rrfxlrl.exe 632 lrlrffx.exe 1832 5lrllfl.exe 3244 lllfxrl.exe 4428 jpvpj.exe 4440 pddvp.exe 4616 vppjd.exe 2588 pvddp.exe 3336 3ddvp.exe 3316 ddjvp.exe 3864 djdpd.exe 2080 ddddp.exe 2140 hhhbnh.exe 2456 htthtn.exe 2364 7tnhbt.exe 1480 tttttn.exe 1968 ttnbbt.exe 3740 nbhnhb.exe 348 9xllxrf.exe 1548 3ffxrrl.exe 2884 llxxrll.exe 1960 rrxrffx.exe 4128 flxlfxx.exe 684 rffrlxr.exe 4056 3jdvv.exe 3836 djjdp.exe 4248 9pvpj.exe 3340 vddjj.exe 3220 ppdpp.exe 5092 nntnnt.exe 5068 bnnbht.exe -
resource yara_rule behavioral2/memory/3720-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8f-3.dat upx behavioral2/memory/3720-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4408-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-10.dat upx behavioral2/files/0x000a000000023b94-14.dat upx behavioral2/memory/2080-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1912-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-22.dat upx behavioral2/memory/2880-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-27.dat upx behavioral2/memory/3144-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-35.dat upx behavioral2/memory/2564-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-39.dat upx behavioral2/memory/3732-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-44.dat upx behavioral2/files/0x000a000000023b9a-50.dat upx behavioral2/files/0x000a000000023b9b-55.dat upx behavioral2/memory/4980-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-61.dat upx behavioral2/memory/224-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-67.dat upx behavioral2/memory/2844-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9e-73.dat upx behavioral2/files/0x000a000000023b9f-78.dat upx behavioral2/memory/2744-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba0-85.dat upx behavioral2/memory/4976-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2332-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba1-91.dat upx 
behavioral2/files/0x000a000000023ba2-96.dat upx behavioral2/memory/1348-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1648-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e72a-103.dat upx behavioral2/files/0x000b000000023ba4-108.dat upx behavioral2/memory/2736-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bad-116.dat upx behavioral2/files/0x000e000000023bb4-119.dat upx behavioral2/memory/4708-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/820-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbd-126.dat upx behavioral2/files/0x0009000000023bc2-132.dat upx behavioral2/files/0x0009000000023bc3-136.dat upx behavioral2/memory/4636-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4840-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc4-143.dat upx behavioral2/files/0x000e000000023bc8-148.dat upx behavioral2/memory/316-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bca-154.dat upx behavioral2/memory/3704-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bce-161.dat upx behavioral2/files/0x0008000000023bcf-165.dat upx behavioral2/memory/3444-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd0-170.dat upx behavioral2/files/0x0008000000023bff-176.dat upx behavioral2/memory/2132-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c00-182.dat upx behavioral2/memory/1312-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1664-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/632-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1832-203-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4428-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3336-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (observed here as reads of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxlflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhhh.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxlf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64 entries; each parent writes into the child it spawns, forming a strictly linear parent→child chain starting at PID 3720)
description pid Process procid_target PID 3720 wrote to memory of 4408 3720 92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe 82 PID 3720 wrote to memory of 4408 3720 92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe 82 PID 3720 wrote to memory of 4408 3720 92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe 82 PID 4408 wrote to memory of 2080 4408 jvvpd.exe 83 PID 4408 wrote to memory of 2080 4408 jvvpd.exe 83 PID 4408 wrote to memory of 2080 4408 jvvpd.exe 83 PID 2080 wrote to memory of 1912 2080 llllxrr.exe 84 PID 2080 wrote to memory of 1912 2080 llllxrr.exe 84 PID 2080 wrote to memory of 1912 2080 llllxrr.exe 84 PID 1912 wrote to memory of 2880 1912 3dvpj.exe 85 PID 1912 wrote to memory of 2880 1912 3dvpj.exe 85 PID 1912 wrote to memory of 2880 1912 3dvpj.exe 85 PID 2880 wrote to memory of 3144 2880 1xlfrrf.exe 86 PID 2880 wrote to memory of 3144 2880 1xlfrrf.exe 86 PID 2880 wrote to memory of 3144 2880 1xlfrrf.exe 86 PID 3144 wrote to memory of 2564 3144 tnnhtn.exe 87 PID 3144 wrote to memory of 2564 3144 tnnhtn.exe 87 PID 3144 wrote to memory of 2564 3144 tnnhtn.exe 87 PID 2564 wrote to memory of 3732 2564 nbbnbt.exe 88 PID 2564 wrote to memory of 3732 2564 nbbnbt.exe 88 PID 2564 wrote to memory of 3732 2564 nbbnbt.exe 88 PID 3732 wrote to memory of 2232 3732 nbthtt.exe 89 PID 3732 wrote to memory of 2232 3732 nbthtt.exe 89 PID 3732 wrote to memory of 2232 3732 nbthtt.exe 89 PID 2232 wrote to memory of 4980 2232 xxflxrl.exe 90 PID 2232 wrote to memory of 4980 2232 xxflxrl.exe 90 PID 2232 wrote to memory of 4980 2232 xxflxrl.exe 90 PID 4980 wrote to memory of 224 4980 3lrfxrf.exe 91 PID 4980 wrote to memory of 224 4980 3lrfxrf.exe 91 PID 4980 wrote to memory of 224 4980 3lrfxrf.exe 91 PID 224 wrote to memory of 2844 224 9bbnbn.exe 92 PID 224 wrote to memory of 2844 224 9bbnbn.exe 92 PID 224 wrote to memory of 2844 224 9bbnbn.exe 92 PID 2844 wrote to memory of 4296 2844 pdjdd.exe 93 PID 2844 wrote to 
memory of 4296 2844 pdjdd.exe 93 PID 2844 wrote to memory of 4296 2844 pdjdd.exe 93 PID 4296 wrote to memory of 2744 4296 rlfxllf.exe 94 PID 4296 wrote to memory of 2744 4296 rlfxllf.exe 94 PID 4296 wrote to memory of 2744 4296 rlfxllf.exe 94 PID 2744 wrote to memory of 2332 2744 ppvpd.exe 95 PID 2744 wrote to memory of 2332 2744 ppvpd.exe 95 PID 2744 wrote to memory of 2332 2744 ppvpd.exe 95 PID 2332 wrote to memory of 4976 2332 nbtnbb.exe 96 PID 2332 wrote to memory of 4976 2332 nbtnbb.exe 96 PID 2332 wrote to memory of 4976 2332 nbtnbb.exe 96 PID 4976 wrote to memory of 1648 4976 btbtnh.exe 97 PID 4976 wrote to memory of 1648 4976 btbtnh.exe 97 PID 4976 wrote to memory of 1648 4976 btbtnh.exe 97 PID 1648 wrote to memory of 1348 1648 vvpdv.exe 98 PID 1648 wrote to memory of 1348 1648 vvpdv.exe 98 PID 1648 wrote to memory of 1348 1648 vvpdv.exe 98 PID 1348 wrote to memory of 1212 1348 jpvjv.exe 99 PID 1348 wrote to memory of 1212 1348 jpvjv.exe 99 PID 1348 wrote to memory of 1212 1348 jpvjv.exe 99 PID 1212 wrote to memory of 2736 1212 thhbnh.exe 100 PID 1212 wrote to memory of 2736 1212 thhbnh.exe 100 PID 1212 wrote to memory of 2736 1212 thhbnh.exe 100 PID 2736 wrote to memory of 4708 2736 nnnhtt.exe 101 PID 2736 wrote to memory of 4708 2736 nnnhtt.exe 101 PID 2736 wrote to memory of 4708 2736 nnnhtt.exe 101 PID 4708 wrote to memory of 820 4708 vddvv.exe 102 PID 4708 wrote to memory of 820 4708 vddvv.exe 102 PID 4708 wrote to memory of 820 4708 vddvv.exe 102 PID 820 wrote to memory of 408 820 7ppjv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe — command line: "C:\Users\Admin\AppData\Local\Temp\92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe" — tree depth 1
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\jvvpd.exe — command line: c:\jvvpd.exe — tree depth 2 (dropped directly into the root of the system drive, as are all subsequent stages)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\llllxrr.exec:\llllxrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\3dvpj.exec:\3dvpj.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\1xlfrrf.exec:\1xlfrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\tnnhtn.exec:\tnnhtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\nbbnbt.exec:\nbbnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\nbthtt.exec:\nbthtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\xxflxrl.exec:\xxflxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\3lrfxrf.exec:\3lrfxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\9bbnbn.exec:\9bbnbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\pdjdd.exec:\pdjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\rlfxllf.exec:\rlfxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\ppvpd.exec:\ppvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\nbtnbb.exec:\nbtnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\btbtnh.exec:\btbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\vvpdv.exec:\vvpdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\jpvjv.exec:\jpvjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\thhbnh.exec:\thhbnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\nnnhtt.exec:\nnnhtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\vddvv.exec:\vddvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\7ppjv.exec:\7ppjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\llrlfrr.exec:\llrlfrr.exe23⤵
- Executes dropped EXE
PID:408 -
\??\c:\djjdp.exec:\djjdp.exe24⤵
- Executes dropped EXE
PID:4636 -
\??\c:\vpjjd.exec:\vpjjd.exe25⤵
- Executes dropped EXE
PID:4840 -
\??\c:\llrfxxr.exec:\llrfxxr.exe26⤵
- Executes dropped EXE
PID:316 -
\??\c:\5nhbbb.exec:\5nhbbb.exe27⤵
- Executes dropped EXE
PID:3704 -
\??\c:\tbnnbn.exec:\tbnnbn.exe28⤵
- Executes dropped EXE
PID:1972 -
\??\c:\rllfxxl.exec:\rllfxxl.exe29⤵
- Executes dropped EXE
PID:3444 -
\??\c:\hnttnn.exec:\hnttnn.exe30⤵
- Executes dropped EXE
PID:1512 -
\??\c:\pjjdj.exec:\pjjdj.exe31⤵
- Executes dropped EXE
PID:2132 -
\??\c:\5xrffxf.exec:\5xrffxf.exe32⤵
- Executes dropped EXE
PID:2700 -
\??\c:\rffrlfx.exec:\rffrlfx.exe33⤵
- Executes dropped EXE
PID:1312 -
\??\c:\7lxllfr.exec:\7lxllfr.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4188 -
\??\c:\rrfxlrl.exec:\rrfxlrl.exe35⤵
- Executes dropped EXE
PID:1664 -
\??\c:\lrlrffx.exec:\lrlrffx.exe36⤵
- Executes dropped EXE
PID:632 -
\??\c:\5lrllfl.exec:\5lrllfl.exe37⤵
- Executes dropped EXE
PID:1832 -
\??\c:\lllfxrl.exec:\lllfxrl.exe38⤵
- Executes dropped EXE
PID:3244 -
\??\c:\jpvpj.exec:\jpvpj.exe39⤵
- Executes dropped EXE
PID:4428 -
\??\c:\pddvp.exec:\pddvp.exe40⤵
- Executes dropped EXE
PID:4440 -
\??\c:\vppjd.exec:\vppjd.exe41⤵
- Executes dropped EXE
PID:4616 -
\??\c:\pvddp.exec:\pvddp.exe42⤵
- Executes dropped EXE
PID:2588 -
\??\c:\3ddvp.exec:\3ddvp.exe43⤵
- Executes dropped EXE
PID:3336 -
\??\c:\ddjvp.exec:\ddjvp.exe44⤵
- Executes dropped EXE
PID:3316 -
\??\c:\djdpd.exec:\djdpd.exe45⤵
- Executes dropped EXE
PID:3864 -
\??\c:\ddddp.exec:\ddddp.exe46⤵
- Executes dropped EXE
PID:2080 -
\??\c:\hhhbnh.exec:\hhhbnh.exe47⤵
- Executes dropped EXE
PID:2140 -
\??\c:\htthtn.exec:\htthtn.exe48⤵
- Executes dropped EXE
PID:2456 -
\??\c:\7tnhbt.exec:\7tnhbt.exe49⤵
- Executes dropped EXE
PID:2364 -
\??\c:\tttttn.exec:\tttttn.exe50⤵
- Executes dropped EXE
PID:1480 -
\??\c:\ttnbbt.exec:\ttnbbt.exe51⤵
- Executes dropped EXE
PID:1968 -
\??\c:\nbhnhb.exec:\nbhnhb.exe52⤵
- Executes dropped EXE
PID:3740 -
\??\c:\9xllxrf.exec:\9xllxrf.exe53⤵
- Executes dropped EXE
PID:348 -
\??\c:\3ffxrrl.exec:\3ffxrrl.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
\??\c:\llxxrll.exec:\llxxrll.exe55⤵
- Executes dropped EXE
PID:2884 -
\??\c:\rrxrffx.exec:\rrxrffx.exe56⤵
- Executes dropped EXE
PID:1960 -
\??\c:\flxlfxx.exec:\flxlfxx.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4128 -
\??\c:\rffrlxr.exec:\rffrlxr.exe58⤵
- Executes dropped EXE
PID:684 -
\??\c:\3jdvv.exec:\3jdvv.exe59⤵
- Executes dropped EXE
PID:4056 -
\??\c:\djjdp.exec:\djjdp.exe60⤵
- Executes dropped EXE
PID:3836 -
\??\c:\9pvpj.exec:\9pvpj.exe61⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vddjj.exec:\vddjj.exe62⤵
- Executes dropped EXE
PID:3340 -
\??\c:\ppdpp.exec:\ppdpp.exe63⤵
- Executes dropped EXE
PID:3220 -
\??\c:\nntnnt.exec:\nntnnt.exe64⤵
- Executes dropped EXE
PID:5092 -
\??\c:\bnnbht.exec:\bnnbht.exe65⤵
- Executes dropped EXE
PID:5068 -
\??\c:\bbbtnh.exec:\bbbtnh.exe66⤵PID:3536
-
\??\c:\3lrfrlx.exec:\3lrfrlx.exe67⤵PID:2320
-
\??\c:\frrllfx.exec:\frrllfx.exe68⤵PID:3284
-
\??\c:\lrxrrrf.exec:\lrxrrrf.exe69⤵PID:2408
-
\??\c:\5rlffff.exec:\5rlffff.exe70⤵PID:2944
-
\??\c:\xfrlfrl.exec:\xfrlfrl.exe71⤵PID:4240
-
\??\c:\rffxlfx.exec:\rffxlfx.exe72⤵PID:4636
-
\??\c:\dpvvp.exec:\dpvvp.exe73⤵PID:3200
-
\??\c:\jdpdd.exec:\jdpdd.exe74⤵PID:4840
-
\??\c:\5jdvp.exec:\5jdvp.exe75⤵PID:2416
-
\??\c:\vjdpp.exec:\vjdpp.exe76⤵PID:4244
-
\??\c:\hbhhbh.exec:\hbhhbh.exe77⤵PID:2304
-
\??\c:\bbhhtn.exec:\bbhhtn.exe78⤵PID:4728
-
\??\c:\3bbtnh.exec:\3bbtnh.exe79⤵
- System Location Discovery: System Language Discovery
PID:3444 -
\??\c:\9nnhbt.exec:\9nnhbt.exe80⤵PID:4520
-
\??\c:\9thhbb.exec:\9thhbb.exe81⤵PID:692
-
\??\c:\xrllrlr.exec:\xrllrlr.exe82⤵PID:2112
-
\??\c:\rflxlfx.exec:\rflxlfx.exe83⤵PID:4696
-
\??\c:\lllfrlf.exec:\lllfrlf.exe84⤵
- System Location Discovery: System Language Discovery
PID:4964 -
\??\c:\dvjdd.exec:\dvjdd.exe85⤵PID:4028
-
\??\c:\vppjv.exec:\vppjv.exe86⤵PID:1664
-
\??\c:\pdjdv.exec:\pdjdv.exe87⤵PID:2620
-
\??\c:\vjvpd.exec:\vjvpd.exe88⤵PID:1556
-
\??\c:\jdjdj.exec:\jdjdj.exe89⤵PID:4596
-
\??\c:\7htnhh.exec:\7htnhh.exe90⤵PID:3088
-
\??\c:\bnnhbt.exec:\bnnhbt.exe91⤵PID:4404
-
\??\c:\tthhhb.exec:\tthhhb.exe92⤵PID:1296
-
\??\c:\hbbbtn.exec:\hbbbtn.exe93⤵PID:2168
-
\??\c:\bhtnhb.exec:\bhtnhb.exe94⤵PID:4408
-
\??\c:\lrrlffx.exec:\lrrlffx.exe95⤵PID:1356
-
\??\c:\flflfxf.exec:\flflfxf.exe96⤵PID:2080
-
\??\c:\frxxllf.exec:\frxxllf.exe97⤵PID:2508
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe98⤵PID:2456
-
\??\c:\pdjdd.exec:\pdjdd.exe99⤵PID:1040
-
\??\c:\5vvpj.exec:\5vvpj.exe100⤵PID:5108
-
\??\c:\ppppj.exec:\ppppj.exe101⤵PID:5004
-
\??\c:\bthhnh.exec:\bthhnh.exe102⤵PID:544
-
\??\c:\bhbtnh.exec:\bhbtnh.exe103⤵PID:3000
-
\??\c:\bbnbtt.exec:\bbnbtt.exe104⤵PID:2960
-
\??\c:\ntttnh.exec:\ntttnh.exe105⤵PID:2760
-
\??\c:\7xlfxrl.exec:\7xlfxrl.exe106⤵PID:4500
-
\??\c:\xlffxlx.exec:\xlffxlx.exe107⤵PID:1720
-
\??\c:\rflfxxr.exec:\rflfxxr.exe108⤵PID:224
-
\??\c:\pjddp.exec:\pjddp.exe109⤵PID:4056
-
\??\c:\3dvvp.exec:\3dvvp.exe110⤵PID:3304
-
\??\c:\vvjvd.exec:\vvjvd.exe111⤵PID:4248
-
\??\c:\jvvdv.exec:\jvvdv.exe112⤵PID:3340
-
\??\c:\9pvpp.exec:\9pvpp.exe113⤵PID:3220
-
\??\c:\vpjjp.exec:\vpjjp.exe114⤵PID:2664
-
\??\c:\7ththh.exec:\7ththh.exe115⤵PID:1116
-
\??\c:\nttnnn.exec:\nttnnn.exe116⤵PID:4916
-
\??\c:\nhnhbn.exec:\nhnhbn.exe117⤵PID:4908
-
\??\c:\3tthhh.exec:\3tthhh.exe118⤵PID:4556
-
\??\c:\frrlffx.exec:\frrlffx.exe119⤵PID:1384
-
\??\c:\xrlxfxx.exec:\xrlxfxx.exe120⤵PID:1900
-
\??\c:\rxffxrr.exec:\rxffxrr.exe121⤵PID:1252
-
\??\c:\vpvpv.exec:\vpvpv.exe122⤵PID:1760