Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02-12-2024 08:29
Behavioral task
behavioral1
Sample
2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe
-
Size
3.7MB
-
MD5
e03763091b6d1399381027a081994736
-
SHA1
04b4cdf7141cdd3c287fa601d58eeabf81cf4582
-
SHA256
2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400
-
SHA512
bbd7207889c3a0c4fb4f0143dc51101e3a92d1fe26ed858f6b763d3ec6902ff709ef01ba805114fd9ed55c13984c12bab38e04b8c41dc1fdb26ba2403bec08ca
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98H:U6XLq/qPPslzKx/dJg1ErmNi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/548-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2408-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4504-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4684-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3364-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-462-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1968-574-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-584-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3640-807-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4352-1873-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2904 ttbtnt.exe 2028 lxfrfxl.exe 3172 rxrrxxx.exe 812 1xfxrrl.exe 3232 fxfrxrr.exe 1368 httnbt.exe 1468 bthbtn.exe 4368 bntnhb.exe 2804 djvpp.exe 3668 pddvp.exe 5068 xlfxrlr.exe 4844 rfxrllf.exe 3120 ppvjd.exe 2260 7xxlfxr.exe 2252 5ffxrll.exe 2056 tnhnhb.exe 1556 llxrlrl.exe 2628 xlfflll.exe 1972 nhntnn.exe 3992 xrrlfff.exe 3148 jjdvv.exe 4860 frllrlr.exe 3236 ffffxfx.exe 4956 pppjd.exe 3228 xrxlfxx.exe 1404 nthtnn.exe 4192 rxxxrrr.exe 2216 pjpjj.exe 2408 xxxrrrl.exe 2976 llrlrlx.exe 4732 rfxrfff.exe 680 xxfffff.exe 5016 lxfxrrl.exe 1500 tbtnhh.exe 1044 ppppp.exe 3712 pjppj.exe 1220 ddjdd.exe 208 lfllfff.exe 4660 xrfrfrf.exe 1060 lfffxfx.exe 4092 xflfxxx.exe 4876 rfrllfx.exe 2476 lfllffx.exe 2552 rllflfx.exe 3256 7lxrxff.exe 1752 xrfxxrx.exe 4744 rllfxrl.exe 3644 frxxffx.exe 3232 frrxrrl.exe 4616 rxxfxxr.exe 4584 7hnthh.exe 1848 xrrlllf.exe 808 xxxfxrx.exe 5000 frrrxrl.exe 228 3ffxrlf.exe 4676 lrfxxfx.exe 1912 rllfxxr.exe 4928 ddjdd.exe 1708 jjjjd.exe 4404 5hbbbn.exe 1948 3nhnhh.exe 4504 frxfxxl.exe 2628 1xrlllf.exe 4376 1lxrllx.exe -
resource yara_rule behavioral2/memory/548-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba8-3.dat upx behavioral2/memory/548-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb3-9.dat upx behavioral2/memory/2904-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bba-12.dat upx behavioral2/memory/2028-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc3-22.dat upx behavioral2/memory/3172-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3232-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/812-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc8-26.dat upx behavioral2/files/0x0009000000023bc9-32.dat upx behavioral2/memory/1368-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ba9-39.dat upx behavioral2/files/0x000e000000023bce-43.dat upx behavioral2/memory/1468-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd0-49.dat upx behavioral2/memory/2804-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4368-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd3-57.dat upx behavioral2/memory/3668-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd4-63.dat upx behavioral2/memory/5068-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd5-68.dat upx behavioral2/memory/4844-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd6-76.dat upx behavioral2/files/0x0008000000023c05-81.dat upx behavioral2/memory/3120-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c06-87.dat upx 
behavioral2/memory/2260-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c07-92.dat upx behavioral2/memory/2252-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2056-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c08-98.dat upx behavioral2/files/0x0008000000023c09-103.dat upx behavioral2/memory/1556-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0a-107.dat upx behavioral2/memory/1972-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2628-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0f-115.dat upx behavioral2/memory/3148-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c10-119.dat upx behavioral2/files/0x0008000000023c11-125.dat upx behavioral2/files/0x0008000000023c23-130.dat upx behavioral2/files/0x0008000000023c29-136.dat upx behavioral2/files/0x0008000000023c2a-141.dat upx behavioral2/files/0x0008000000023c2b-145.dat upx behavioral2/memory/1404-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1404-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2c-151.dat upx behavioral2/files/0x0008000000023c2d-158.dat upx behavioral2/memory/2216-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2e-162.dat upx behavioral2/memory/2408-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c43-169.dat upx behavioral2/files/0x0016000000023c44-175.dat upx behavioral2/memory/4732-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e746-179.dat upx behavioral2/memory/680-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1500-192-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1220-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4660-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1060-213-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbntn.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 548 wrote to memory of 2904 548 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe 82 PID 548 wrote to memory of 2904 548 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe 82 PID 548 wrote to memory of 2904 548 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe 82 PID 2904 wrote to memory of 2028 2904 ttbtnt.exe 83 PID 2904 wrote to memory of 2028 2904 ttbtnt.exe 83 PID 2904 wrote to memory of 2028 2904 ttbtnt.exe 83 PID 2028 wrote to memory of 3172 2028 lxfrfxl.exe 84 PID 2028 wrote to memory of 3172 2028 lxfrfxl.exe 84 PID 2028 wrote to memory of 3172 2028 lxfrfxl.exe 84 PID 3172 wrote to memory of 812 3172 rxrrxxx.exe 85 PID 3172 wrote to memory of 812 3172 rxrrxxx.exe 85 PID 3172 wrote to memory of 812 3172 rxrrxxx.exe 85 PID 812 wrote to memory of 3232 812 1xfxrrl.exe 132 PID 812 wrote to memory of 3232 812 1xfxrrl.exe 132 PID 812 wrote to memory of 3232 812 1xfxrrl.exe 132 PID 3232 wrote to memory of 1368 3232 fxfrxrr.exe 87 PID 3232 wrote to memory of 1368 3232 fxfrxrr.exe 87 PID 3232 wrote to memory of 1368 3232 fxfrxrr.exe 87 PID 1368 wrote to memory of 1468 1368 httnbt.exe 88 PID 1368 wrote to memory of 1468 1368 httnbt.exe 88 PID 1368 wrote to memory of 1468 1368 httnbt.exe 88 PID 1468 wrote to memory of 4368 1468 bthbtn.exe 89 PID 1468 wrote to memory of 4368 1468 bthbtn.exe 89 PID 1468 wrote to memory of 4368 1468 bthbtn.exe 89 PID 4368 wrote to memory of 2804 4368 bntnhb.exe 90 PID 4368 wrote to memory of 2804 4368 bntnhb.exe 90 PID 4368 wrote to memory of 2804 4368 bntnhb.exe 90 PID 2804 wrote to memory of 3668 2804 djvpp.exe 91 PID 2804 wrote to memory of 3668 2804 djvpp.exe 91 PID 2804 wrote to memory of 3668 2804 djvpp.exe 91 PID 3668 wrote to memory of 5068 3668 pddvp.exe 92 PID 3668 wrote to memory of 5068 3668 pddvp.exe 92 PID 3668 wrote to memory of 5068 3668 pddvp.exe 92 PID 5068 wrote to memory of 4844 5068 xlfxrlr.exe 93 PID 5068 wrote to memory 
of 4844 5068 xlfxrlr.exe 93 PID 5068 wrote to memory of 4844 5068 xlfxrlr.exe 93 PID 4844 wrote to memory of 3120 4844 rfxrllf.exe 94 PID 4844 wrote to memory of 3120 4844 rfxrllf.exe 94 PID 4844 wrote to memory of 3120 4844 rfxrllf.exe 94 PID 3120 wrote to memory of 2260 3120 ppvjd.exe 95 PID 3120 wrote to memory of 2260 3120 ppvjd.exe 95 PID 3120 wrote to memory of 2260 3120 ppvjd.exe 95 PID 2260 wrote to memory of 2252 2260 7xxlfxr.exe 96 PID 2260 wrote to memory of 2252 2260 7xxlfxr.exe 96 PID 2260 wrote to memory of 2252 2260 7xxlfxr.exe 96 PID 2252 wrote to memory of 2056 2252 5ffxrll.exe 97 PID 2252 wrote to memory of 2056 2252 5ffxrll.exe 97 PID 2252 wrote to memory of 2056 2252 5ffxrll.exe 97 PID 2056 wrote to memory of 1556 2056 tnhnhb.exe 98 PID 2056 wrote to memory of 1556 2056 tnhnhb.exe 98 PID 2056 wrote to memory of 1556 2056 tnhnhb.exe 98 PID 1556 wrote to memory of 2628 1556 llxrlrl.exe 148 PID 1556 wrote to memory of 2628 1556 llxrlrl.exe 148 PID 1556 wrote to memory of 2628 1556 llxrlrl.exe 148 PID 2628 wrote to memory of 1972 2628 xlfflll.exe 150 PID 2628 wrote to memory of 1972 2628 xlfflll.exe 150 PID 2628 wrote to memory of 1972 2628 xlfflll.exe 150 PID 1972 wrote to memory of 3992 1972 nhntnn.exe 101 PID 1972 wrote to memory of 3992 1972 nhntnn.exe 101 PID 1972 wrote to memory of 3992 1972 nhntnn.exe 101 PID 3992 wrote to memory of 3148 3992 xrrlfff.exe 102 PID 3992 wrote to memory of 3148 3992 xrrlfff.exe 102 PID 3992 wrote to memory of 3148 3992 xrrlfff.exe 102 PID 3148 wrote to memory of 4860 3148 jjdvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe"C:\Users\Admin\AppData\Local\Temp\2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\ttbtnt.exec:\ttbtnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\lxfrfxl.exec:\lxfrfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\rxrrxxx.exec:\rxrrxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\1xfxrrl.exec:\1xfxrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\fxfrxrr.exec:\fxfrxrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\httnbt.exec:\httnbt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\bthbtn.exec:\bthbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\bntnhb.exec:\bntnhb.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\djvpp.exec:\djvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pddvp.exec:\pddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\xlfxrlr.exec:\xlfxrlr.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\rfxrllf.exec:\rfxrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\ppvjd.exec:\ppvjd.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\7xxlfxr.exec:\7xxlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\5ffxrll.exec:\5ffxrll.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\tnhnhb.exec:\tnhnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\llxrlrl.exec:\llxrlrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\xlfflll.exec:\xlfflll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\nhntnn.exec:\nhntnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\xrrlfff.exec:\xrrlfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\jjdvv.exec:\jjdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\frllrlr.exec:\frllrlr.exe23⤵
- Executes dropped EXE
PID:4860 -
\??\c:\ffffxfx.exec:\ffffxfx.exe24⤵
- Executes dropped EXE
PID:3236 -
\??\c:\pppjd.exec:\pppjd.exe25⤵
- Executes dropped EXE
PID:4956 -
\??\c:\xrxlfxx.exec:\xrxlfxx.exe26⤵
- Executes dropped EXE
PID:3228 -
\??\c:\nthtnn.exec:\nthtnn.exe27⤵
- Executes dropped EXE
PID:1404 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe28⤵
- Executes dropped EXE
PID:4192 -
\??\c:\pjpjj.exec:\pjpjj.exe29⤵
- Executes dropped EXE
PID:2216 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe30⤵
- Executes dropped EXE
PID:2408 -
\??\c:\llrlrlx.exec:\llrlrlx.exe31⤵
- Executes dropped EXE
PID:2976 -
\??\c:\rfxrfff.exec:\rfxrfff.exe32⤵
- Executes dropped EXE
PID:4732 -
\??\c:\xxfffff.exec:\xxfffff.exe33⤵
- Executes dropped EXE
PID:680 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe34⤵
- Executes dropped EXE
PID:5016 -
\??\c:\tbtnhh.exec:\tbtnhh.exe35⤵
- Executes dropped EXE
PID:1500 -
\??\c:\ppppp.exec:\ppppp.exe36⤵
- Executes dropped EXE
PID:1044 -
\??\c:\pjppj.exec:\pjppj.exe37⤵
- Executes dropped EXE
PID:3712 -
\??\c:\ddjdd.exec:\ddjdd.exe38⤵
- Executes dropped EXE
PID:1220 -
\??\c:\lfllfff.exec:\lfllfff.exe39⤵
- Executes dropped EXE
PID:208 -
\??\c:\xrfrfrf.exec:\xrfrfrf.exe40⤵
- Executes dropped EXE
PID:4660 -
\??\c:\lfffxfx.exec:\lfffxfx.exe41⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xflfxxx.exec:\xflfxxx.exe42⤵
- Executes dropped EXE
PID:4092 -
\??\c:\rfrllfx.exec:\rfrllfx.exe43⤵
- Executes dropped EXE
PID:4876 -
\??\c:\lfllffx.exec:\lfllffx.exe44⤵
- Executes dropped EXE
PID:2476 -
\??\c:\rllflfx.exec:\rllflfx.exe45⤵
- Executes dropped EXE
PID:2552 -
\??\c:\7lxrxff.exec:\7lxrxff.exe46⤵
- Executes dropped EXE
PID:3256 -
\??\c:\xrfxxrx.exec:\xrfxxrx.exe47⤵
- Executes dropped EXE
PID:1752 -
\??\c:\rllfxrl.exec:\rllfxrl.exe48⤵
- Executes dropped EXE
PID:4744 -
\??\c:\frxxffx.exec:\frxxffx.exe49⤵
- Executes dropped EXE
PID:3644 -
\??\c:\frrxrrl.exec:\frrxrrl.exe50⤵
- Executes dropped EXE
PID:3232 -
\??\c:\rxxfxxr.exec:\rxxfxxr.exe51⤵
- Executes dropped EXE
PID:4616 -
\??\c:\7hnthh.exec:\7hnthh.exe52⤵
- Executes dropped EXE
PID:4584 -
\??\c:\xrrlllf.exec:\xrrlllf.exe53⤵
- Executes dropped EXE
PID:1848 -
\??\c:\xxxfxrx.exec:\xxxfxrx.exe54⤵
- Executes dropped EXE
PID:808 -
\??\c:\frrrxrl.exec:\frrrxrl.exe55⤵
- Executes dropped EXE
PID:5000 -
\??\c:\3ffxrlf.exec:\3ffxrlf.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:228 -
\??\c:\lrfxxfx.exec:\lrfxxfx.exe57⤵
- Executes dropped EXE
PID:4676 -
\??\c:\rllfxxr.exec:\rllfxxr.exe58⤵
- Executes dropped EXE
PID:1912 -
\??\c:\ddjdd.exec:\ddjdd.exe59⤵
- Executes dropped EXE
PID:4928 -
\??\c:\jjjjd.exec:\jjjjd.exe60⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5hbbbn.exec:\5hbbbn.exe61⤵
- Executes dropped EXE
PID:4404 -
\??\c:\3nhnhh.exec:\3nhnhh.exe62⤵
- Executes dropped EXE
PID:1948 -
\??\c:\frxfxxl.exec:\frxfxxl.exe63⤵
- Executes dropped EXE
PID:4504 -
\??\c:\1xrlllf.exec:\1xrlllf.exe64⤵
- Executes dropped EXE
PID:2628 -
\??\c:\1lxrllx.exec:\1lxrllx.exe65⤵
- Executes dropped EXE
PID:4376 -
\??\c:\ppjjv.exec:\ppjjv.exe66⤵PID:1972
-
\??\c:\9vjpj.exec:\9vjpj.exe67⤵PID:2008
-
\??\c:\jdjdp.exec:\jdjdp.exe68⤵PID:4044
-
\??\c:\7nnbbb.exec:\7nnbbb.exe69⤵PID:1496
-
\??\c:\btnbtn.exec:\btnbtn.exe70⤵PID:4888
-
\??\c:\bbbbtb.exec:\bbbbtb.exe71⤵
- System Location Discovery: System Language Discovery
PID:4684 -
\??\c:\xrlfxxf.exec:\xrlfxxf.exe72⤵PID:4500
-
\??\c:\lxrlxxl.exec:\lxrlxxl.exe73⤵PID:4992
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe74⤵PID:4956
-
\??\c:\3vpvd.exec:\3vpvd.exe75⤵PID:4328
-
\??\c:\vpddd.exec:\vpddd.exe76⤵PID:4580
-
\??\c:\tnnhhb.exec:\tnnhhb.exe77⤵PID:2228
-
\??\c:\hnthbt.exec:\hnthbt.exe78⤵PID:3344
-
\??\c:\9thbtt.exec:\9thbtt.exe79⤵PID:2216
-
\??\c:\nnttbb.exec:\nnttbb.exe80⤵PID:464
-
\??\c:\1llfrrl.exec:\1llfrrl.exe81⤵PID:4284
-
\??\c:\rffxfxx.exec:\rffxfxx.exe82⤵
- System Location Discovery: System Language Discovery
PID:4004 -
\??\c:\xlxlxrx.exec:\xlxlxrx.exe83⤵PID:668
-
\??\c:\jddvp.exec:\jddvp.exe84⤵PID:1540
-
\??\c:\7djjp.exec:\7djjp.exe85⤵PID:4600
-
\??\c:\pvdvv.exec:\pvdvv.exe86⤵PID:4996
-
\??\c:\pvdvv.exec:\pvdvv.exe87⤵PID:4840
-
\??\c:\nhbnbh.exec:\nhbnbh.exe88⤵PID:3716
-
\??\c:\3lfxrlx.exec:\3lfxrlx.exe89⤵PID:2944
-
\??\c:\lxfrlfr.exec:\lxfrlfr.exe90⤵PID:3364
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe91⤵PID:4620
-
\??\c:\vddvp.exec:\vddvp.exe92⤵PID:4724
-
\??\c:\5vvjv.exec:\5vvjv.exe93⤵PID:1664
-
\??\c:\djpdp.exec:\djpdp.exe94⤵PID:4644
-
\??\c:\7hbthb.exec:\7hbthb.exe95⤵PID:1528
-
\??\c:\9bnhbt.exec:\9bnhbt.exe96⤵PID:3416
-
\??\c:\rrfxxxr.exec:\rrfxxxr.exe97⤵PID:4448
-
\??\c:\rfrllfx.exec:\rfrllfx.exe98⤵PID:2308
-
\??\c:\5vdpd.exec:\5vdpd.exe99⤵PID:4400
-
\??\c:\vdpjv.exec:\vdpjv.exe100⤵PID:3464
-
\??\c:\1pvpd.exec:\1pvpd.exe101⤵PID:3312
-
\??\c:\tbhbtn.exec:\tbhbtn.exe102⤵PID:1604
-
\??\c:\tnhbtt.exec:\tnhbtt.exe103⤵PID:2312
-
\??\c:\fflfrlx.exec:\fflfrlx.exe104⤵PID:4568
-
\??\c:\xllfxrl.exec:\xllfxrl.exe105⤵PID:4936
-
\??\c:\rxrfxrf.exec:\rxrfxrf.exe106⤵PID:1332
-
\??\c:\pdvjd.exec:\pdvjd.exe107⤵PID:1904
-
\??\c:\pppdp.exec:\pppdp.exe108⤵PID:2820
-
\??\c:\pjpdj.exec:\pjpdj.exe109⤵PID:5052
-
\??\c:\htbthb.exec:\htbthb.exe110⤵PID:4728
-
\??\c:\5tthhb.exec:\5tthhb.exe111⤵PID:2852
-
\??\c:\tnbnht.exec:\tnbnht.exe112⤵PID:4928
-
\??\c:\1lrlffx.exec:\1lrlffx.exe113⤵PID:4360
-
\??\c:\7lfxlff.exec:\7lfxlff.exe114⤵PID:3776
-
\??\c:\lfxrlxr.exec:\lfxrlxr.exe115⤵PID:4036
-
\??\c:\xlrrllr.exec:\xlrrllr.exe116⤵PID:1776
-
\??\c:\jvvvv.exec:\jvvvv.exe117⤵PID:3708
-
\??\c:\jjjjp.exec:\jjjjp.exe118⤵PID:4128
-
\??\c:\jvpjv.exec:\jvpjv.exe119⤵PID:512
-
\??\c:\bhtnbh.exec:\bhtnbh.exe120⤵PID:1640
-
\??\c:\hthbnh.exec:\hthbnh.exe121⤵PID:1996
-
\??\c:\rffrlfl.exec:\rffrlfl.exe122⤵PID:4984