Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 10:30
Behavioral task
behavioral1
Sample
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
General
-
Target
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe
-
Size
3.7MB
-
MD5
b2c4e5410373864a8694f5e3aaee1e21
-
SHA1
0bff784fd0b215a22414f6ab941a58f2ffbcd805
-
SHA256
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433
-
SHA512
6bc4bb815036cfa76b2cb531f99ecf5da4018ca831332203dca86ac461f7cd5c938cba73632d0f44bcdd0d792f947d051b2290bd5078000594372d580c714df2
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98Q:U6XLq/qPPslzKx/dJg1ErmNJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1728-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/892-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2652-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2204-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2812-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1400-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/408-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4216-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1552-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2196-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2812-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-596-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3712-609-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-613-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-745-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-863-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-1924-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1280 ppddv.exe 4684 rxfxfxl.exe 2364 rxrllxx.exe 648 nhtnbb.exe 1160 tbhbtn.exe 2652 hhhtnt.exe 892 hnhhbb.exe 3852 hbbbtt.exe 4216 pjddv.exe 984 ntbttt.exe 1780 fxfxrrl.exe 4000 vpvvp.exe 2992 hhbbtt.exe 2840 vpvpj.exe 60 bbbbnt.exe 4964 fxxrllf.exe 4200 pdpjj.exe 1868 xxrrrrl.exe 116 thnhhh.exe 3424 lxffxxr.exe 712 htbtbt.exe 4448 hnnhhh.exe 4020 pjpjd.exe 2820 ddjdj.exe 2204 jdpjj.exe 4320 lflfffx.exe 1228 djddd.exe 3124 xfrxxxx.exe 2812 xxflfll.exe 4596 tbbtbt.exe 5112 djppp.exe 3272 dvdvp.exe 1400 hhtnnt.exe 5016 hnbtnn.exe 1456 rrxrrrl.exe 1556 ntbtnt.exe 3760 hhhhhh.exe 5040 nttbht.exe 3224 nhtnnh.exe 408 ttbtnh.exe 4340 tnbtnn.exe 4956 bnbtnn.exe 4840 btbbbb.exe 5012 ntbttn.exe 1624 nnnhbb.exe 3608 nhnttt.exe 1164 nbhbbt.exe 1264 hbtnnn.exe 1104 rllfxlx.exe 648 fxxxxxx.exe 1160 frxxxff.exe 2540 rllrlff.exe 2148 frrlrrr.exe 3416 fllffff.exe 4152 xlrlfxr.exe 3128 ddpjj.exe 4216 ffxfxrf.exe 3528 jvdvv.exe 3260 vdpjd.exe 1652 ppvpd.exe 60 jdjjd.exe 3264 pvpjd.exe 348 ddddv.exe 2744 ddpjp.exe -
resource yara_rule behavioral2/memory/1728-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000228f4-3.dat upx behavioral2/memory/1728-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b37-8.dat upx behavioral2/memory/1280-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b38-13.dat upx behavioral2/memory/2364-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4684-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b2d-22.dat upx behavioral2/memory/2364-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/648-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b39-28.dat upx behavioral2/files/0x000a000000023b3b-34.dat upx behavioral2/files/0x000a000000023b3c-40.dat upx behavioral2/memory/892-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2652-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3d-46.dat upx behavioral2/files/0x000a000000023b3e-51.dat upx behavioral2/memory/3852-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3f-57.dat upx behavioral2/memory/4216-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b40-63.dat upx behavioral2/memory/984-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e764-69.dat upx behavioral2/memory/1780-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b41-75.dat upx behavioral2/memory/4000-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b42-81.dat upx behavioral2/memory/2992-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b43-87.dat upx 
behavioral2/memory/2840-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/60-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b44-96.dat upx behavioral2/files/0x000a000000023b45-99.dat upx behavioral2/memory/4964-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b46-104.dat upx behavioral2/memory/4200-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b47-110.dat upx behavioral2/memory/1868-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b48-116.dat upx behavioral2/memory/116-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b49-122.dat upx behavioral2/memory/3424-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4a-129.dat upx behavioral2/memory/4448-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4b-134.dat upx behavioral2/files/0x000a000000023b4c-139.dat upx behavioral2/files/0x000a000000023b4d-144.dat upx behavioral2/files/0x000a000000023b4f-149.dat upx behavioral2/memory/2204-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b50-155.dat upx behavioral2/memory/4320-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b51-160.dat upx behavioral2/files/0x000a000000023b52-166.dat upx behavioral2/memory/3124-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b53-172.dat upx behavioral2/memory/2812-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b54-178.dat upx behavioral2/files/0x000a000000023b55-183.dat upx behavioral2/memory/1400-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5016-196-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1556-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3760-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5040-211-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
tbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 1280 1728 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 81 PID 1728 wrote to memory of 1280 1728 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 81 PID 1728 wrote to memory of 1280 1728 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 81 PID 1280 wrote to memory of 4684 1280 ppddv.exe 82 PID 1280 wrote to memory of 4684 1280 ppddv.exe 82 PID 1280 wrote to memory of 4684 1280 ppddv.exe 82 PID 4684 wrote to memory of 2364 4684 rxfxfxl.exe 83 PID 4684 wrote to memory of 2364 4684 rxfxfxl.exe 83 PID 4684 wrote to memory of 2364 4684 rxfxfxl.exe 83 PID 2364 wrote to memory of 648 2364 rxrllxx.exe 84 PID 2364 wrote to memory of 648 2364 rxrllxx.exe 84 PID 2364 wrote to memory of 648 2364 rxrllxx.exe 84 PID 648 wrote to memory of 1160 648 nhtnbb.exe 85 PID 648 wrote to memory of 1160 648 nhtnbb.exe 85 PID 648 wrote to memory of 1160 648 nhtnbb.exe 85 PID 1160 wrote to memory of 2652 1160 tbhbtn.exe 86 PID 1160 wrote to memory of 2652 1160 tbhbtn.exe 86 PID 1160 wrote to memory of 2652 1160 tbhbtn.exe 86 PID 2652 wrote to memory of 892 2652 hhhtnt.exe 87 PID 2652 wrote to memory of 892 2652 hhhtnt.exe 87 PID 2652 wrote to memory of 892 2652 hhhtnt.exe 87 PID 892 wrote to memory of 3852 892 hnhhbb.exe 88 PID 892 wrote to memory of 3852 892 hnhhbb.exe 88 PID 892 wrote to memory of 3852 892 hnhhbb.exe 88 PID 3852 wrote to memory of 4216 3852 hbbbtt.exe 89 PID 3852 wrote to memory of 4216 3852 hbbbtt.exe 89 PID 3852 wrote to memory of 4216 3852 hbbbtt.exe 89 PID 4216 wrote to memory of 984 4216 pjddv.exe 90 PID 4216 wrote to memory of 984 4216 pjddv.exe 90 PID 4216 wrote to memory of 984 4216 pjddv.exe 90 PID 984 wrote to memory of 1780 984 ntbttt.exe 91 PID 984 wrote to memory of 1780 984 ntbttt.exe 91 PID 984 wrote to memory of 1780 984 ntbttt.exe 91 PID 1780 wrote to memory of 4000 1780 fxfxrrl.exe 92 PID 1780 wrote to memory of 4000 1780 
fxfxrrl.exe 92 PID 1780 wrote to memory of 4000 1780 fxfxrrl.exe 92 PID 4000 wrote to memory of 2992 4000 vpvvp.exe 93 PID 4000 wrote to memory of 2992 4000 vpvvp.exe 93 PID 4000 wrote to memory of 2992 4000 vpvvp.exe 93 PID 2992 wrote to memory of 2840 2992 hhbbtt.exe 94 PID 2992 wrote to memory of 2840 2992 hhbbtt.exe 94 PID 2992 wrote to memory of 2840 2992 hhbbtt.exe 94 PID 2840 wrote to memory of 60 2840 vpvpj.exe 95 PID 2840 wrote to memory of 60 2840 vpvpj.exe 95 PID 2840 wrote to memory of 60 2840 vpvpj.exe 95 PID 60 wrote to memory of 4964 60 bbbbnt.exe 96 PID 60 wrote to memory of 4964 60 bbbbnt.exe 96 PID 60 wrote to memory of 4964 60 bbbbnt.exe 96 PID 4964 wrote to memory of 4200 4964 fxxrllf.exe 97 PID 4964 wrote to memory of 4200 4964 fxxrllf.exe 97 PID 4964 wrote to memory of 4200 4964 fxxrllf.exe 97 PID 4200 wrote to memory of 1868 4200 pdpjj.exe 98 PID 4200 wrote to memory of 1868 4200 pdpjj.exe 98 PID 4200 wrote to memory of 1868 4200 pdpjj.exe 98 PID 1868 wrote to memory of 116 1868 xxrrrrl.exe 99 PID 1868 wrote to memory of 116 1868 xxrrrrl.exe 99 PID 1868 wrote to memory of 116 1868 xxrrrrl.exe 99 PID 116 wrote to memory of 3424 116 thnhhh.exe 100 PID 116 wrote to memory of 3424 116 thnhhh.exe 100 PID 116 wrote to memory of 3424 116 thnhhh.exe 100 PID 3424 wrote to memory of 712 3424 lxffxxr.exe 101 PID 3424 wrote to memory of 712 3424 lxffxxr.exe 101 PID 3424 wrote to memory of 712 3424 lxffxxr.exe 101 PID 712 wrote to memory of 4448 712 htbtbt.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe"C:\Users\Admin\AppData\Local\Temp\5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\ppddv.exec:\ppddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\rxfxfxl.exec:\rxfxfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\rxrllxx.exec:\rxrllxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\nhtnbb.exec:\nhtnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\tbhbtn.exec:\tbhbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\hhhtnt.exec:\hhhtnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\hnhhbb.exec:\hnhhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\hbbbtt.exec:\hbbbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\pjddv.exec:\pjddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\ntbttt.exec:\ntbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\vpvvp.exec:\vpvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\hhbbtt.exec:\hhbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\vpvpj.exec:\vpvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\bbbbnt.exec:\bbbbnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\fxxrllf.exec:\fxxrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\pdpjj.exec:\pdpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\xxrrrrl.exec:\xxrrrrl.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\thnhhh.exec:\thnhhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\lxffxxr.exec:\lxffxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\htbtbt.exec:\htbtbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\hnnhhh.exec:\hnnhhh.exe23⤵
- Executes dropped EXE
PID:4448 -
\??\c:\pjpjd.exec:\pjpjd.exe24⤵
- Executes dropped EXE
PID:4020 -
\??\c:\ddjdj.exec:\ddjdj.exe25⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jdpjj.exec:\jdpjj.exe26⤵
- Executes dropped EXE
PID:2204 -
\??\c:\lflfffx.exec:\lflfffx.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4320 -
\??\c:\djddd.exec:\djddd.exe28⤵
- Executes dropped EXE
PID:1228 -
\??\c:\xfrxxxx.exec:\xfrxxxx.exe29⤵
- Executes dropped EXE
PID:3124 -
\??\c:\xxflfll.exec:\xxflfll.exe30⤵
- Executes dropped EXE
PID:2812 -
\??\c:\tbbtbt.exec:\tbbtbt.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4596 -
\??\c:\djppp.exec:\djppp.exe32⤵
- Executes dropped EXE
PID:5112 -
\??\c:\dvdvp.exec:\dvdvp.exe33⤵
- Executes dropped EXE
PID:3272 -
\??\c:\hhtnnt.exec:\hhtnnt.exe34⤵
- Executes dropped EXE
PID:1400 -
\??\c:\hnbtnn.exec:\hnbtnn.exe35⤵
- Executes dropped EXE
PID:5016 -
\??\c:\rrxrrrl.exec:\rrxrrrl.exe36⤵
- Executes dropped EXE
PID:1456 -
\??\c:\ntbtnt.exec:\ntbtnt.exe37⤵
- Executes dropped EXE
PID:1556 -
\??\c:\hhhhhh.exec:\hhhhhh.exe38⤵
- Executes dropped EXE
PID:3760 -
\??\c:\nttbht.exec:\nttbht.exe39⤵
- Executes dropped EXE
PID:5040 -
\??\c:\nhtnnh.exec:\nhtnnh.exe40⤵
- Executes dropped EXE
PID:3224 -
\??\c:\ttbtnh.exec:\ttbtnh.exe41⤵
- Executes dropped EXE
PID:408 -
\??\c:\tnbtnn.exec:\tnbtnn.exe42⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bnbtnn.exec:\bnbtnn.exe43⤵
- Executes dropped EXE
PID:4956 -
\??\c:\btbbbb.exec:\btbbbb.exe44⤵
- Executes dropped EXE
PID:4840 -
\??\c:\ntbttn.exec:\ntbttn.exe45⤵
- Executes dropped EXE
PID:5012 -
\??\c:\nnnhbb.exec:\nnnhbb.exe46⤵
- Executes dropped EXE
PID:1624 -
\??\c:\nhnttt.exec:\nhnttt.exe47⤵
- Executes dropped EXE
PID:3608 -
\??\c:\nbhbbt.exec:\nbhbbt.exe48⤵
- Executes dropped EXE
PID:1164 -
\??\c:\hbtnnn.exec:\hbtnnn.exe49⤵
- Executes dropped EXE
PID:1264 -
\??\c:\rllfxlx.exec:\rllfxlx.exe50⤵
- Executes dropped EXE
PID:1104 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe51⤵
- Executes dropped EXE
PID:648 -
\??\c:\frxxxff.exec:\frxxxff.exe52⤵
- Executes dropped EXE
PID:1160 -
\??\c:\rllrlff.exec:\rllrlff.exe53⤵
- Executes dropped EXE
PID:2540 -
\??\c:\frrlrrr.exec:\frrlrrr.exe54⤵
- Executes dropped EXE
PID:2148 -
\??\c:\fllffff.exec:\fllffff.exe55⤵
- Executes dropped EXE
PID:3416 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe56⤵
- Executes dropped EXE
PID:4152 -
\??\c:\ddpjj.exec:\ddpjj.exe57⤵
- Executes dropped EXE
PID:3128 -
\??\c:\ffxfxrf.exec:\ffxfxrf.exe58⤵
- Executes dropped EXE
PID:4216 -
\??\c:\jvdvv.exec:\jvdvv.exe59⤵
- Executes dropped EXE
PID:3528 -
\??\c:\vdpjd.exec:\vdpjd.exe60⤵
- Executes dropped EXE
PID:3260 -
\??\c:\ppvpd.exec:\ppvpd.exe61⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jdjjd.exec:\jdjjd.exe62⤵
- Executes dropped EXE
PID:60 -
\??\c:\pvpjd.exec:\pvpjd.exe63⤵
- Executes dropped EXE
PID:3264 -
\??\c:\ddddv.exec:\ddddv.exe64⤵
- Executes dropped EXE
PID:348 -
\??\c:\ddpjp.exec:\ddpjp.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744 -
\??\c:\jdddv.exec:\jdddv.exe66⤵PID:1764
-
\??\c:\tnnhbb.exec:\tnnhbb.exe67⤵
- System Location Discovery: System Language Discovery
PID:1552 -
\??\c:\btnbtt.exec:\btnbtt.exe68⤵PID:5104
-
\??\c:\hnnnnt.exec:\hnnnnt.exe69⤵PID:840
-
\??\c:\bhbbht.exec:\bhbbht.exe70⤵
- System Location Discovery: System Language Discovery
PID:1792 -
\??\c:\ttbttt.exec:\ttbttt.exe71⤵PID:2612
-
\??\c:\rlrrllf.exec:\rlrrllf.exe72⤵PID:1532
-
\??\c:\frlrxrr.exec:\frlrxrr.exe73⤵PID:2680
-
\??\c:\xlrrlff.exec:\xlrrlff.exe74⤵PID:2184
-
\??\c:\rllffff.exec:\rllffff.exe75⤵
- System Location Discovery: System Language Discovery
PID:3548 -
\??\c:\rllffxr.exec:\rllffxr.exe76⤵PID:2308
-
\??\c:\ppvpv.exec:\ppvpv.exe77⤵PID:3476
-
\??\c:\pjjjd.exec:\pjjjd.exe78⤵
- System Location Discovery: System Language Discovery
PID:2196 -
\??\c:\vjjjd.exec:\vjjjd.exe79⤵PID:1120
-
\??\c:\vddvv.exec:\vddvv.exe80⤵PID:2812
-
\??\c:\vddvv.exec:\vddvv.exe81⤵PID:2740
-
\??\c:\nnbttt.exec:\nnbttt.exe82⤵PID:2240
-
\??\c:\hhhbtn.exec:\hhhbtn.exe83⤵
- System Location Discovery: System Language Discovery
PID:1832 -
\??\c:\nbhbtb.exec:\nbhbtb.exe84⤵PID:4816
-
\??\c:\nhhhbb.exec:\nhhhbb.exe85⤵PID:4080
-
\??\c:\tnnhbb.exec:\tnnhbb.exe86⤵PID:2276
-
\??\c:\frrrrxx.exec:\frrrrxx.exe87⤵
- System Location Discovery: System Language Discovery
PID:336 -
\??\c:\fxxxxff.exec:\fxxxxff.exe88⤵PID:688
-
\??\c:\rrrrxfx.exec:\rrrrxfx.exe89⤵PID:4880
-
\??\c:\9llfxxr.exec:\9llfxxr.exe90⤵PID:2600
-
\??\c:\xllfxxr.exec:\xllfxxr.exe91⤵PID:2252
-
\??\c:\dppjv.exec:\dppjv.exe92⤵PID:1656
-
\??\c:\dppdj.exec:\dppdj.exe93⤵PID:3044
-
\??\c:\ddppd.exec:\ddppd.exe94⤵PID:4212
-
\??\c:\vdddp.exec:\vdddp.exe95⤵PID:1268
-
\??\c:\jpvvp.exec:\jpvvp.exe96⤵PID:1624
-
\??\c:\vpvpj.exec:\vpvpj.exe97⤵PID:1148
-
\??\c:\vpjvv.exec:\vpjvv.exe98⤵PID:2364
-
\??\c:\jddvv.exec:\jddvv.exe99⤵PID:476
-
\??\c:\pdvpd.exec:\pdvpd.exe100⤵PID:844
-
\??\c:\jpppp.exec:\jpppp.exe101⤵PID:648
-
\??\c:\jvvpj.exec:\jvvpj.exe102⤵PID:924
-
\??\c:\vpppj.exec:\vpppj.exe103⤵PID:636
-
\??\c:\hbtbth.exec:\hbtbth.exe104⤵PID:4760
-
\??\c:\nhnbtn.exec:\nhnbtn.exe105⤵PID:3080
-
\??\c:\nntnnn.exec:\nntnnn.exe106⤵PID:3020
-
\??\c:\hbtnhb.exec:\hbtnhb.exe107⤵PID:3052
-
\??\c:\nhhbtt.exec:\nhhbtt.exe108⤵PID:4280
-
\??\c:\tnbbtt.exec:\tnbbtt.exe109⤵PID:4216
-
\??\c:\lrlfxxx.exec:\lrlfxxx.exe110⤵PID:1440
-
\??\c:\ffxrllf.exec:\ffxrllf.exe111⤵PID:3260
-
\??\c:\fffxxxr.exec:\fffxxxr.exe112⤵
- System Location Discovery: System Language Discovery
PID:1652 -
\??\c:\vpvvd.exec:\vpvvd.exe113⤵PID:2988
-
\??\c:\pddvv.exec:\pddvv.exe114⤵PID:4500
-
\??\c:\pvdvv.exec:\pvdvv.exe115⤵PID:180
-
\??\c:\vpdvp.exec:\vpdvp.exe116⤵PID:3316
-
\??\c:\jvdvp.exec:\jvdvp.exe117⤵PID:3036
-
\??\c:\fllxlfl.exec:\fllxlfl.exe118⤵PID:3404
-
\??\c:\vpjdv.exec:\vpjdv.exe119⤵PID:2420
-
\??\c:\pjdvp.exec:\pjdvp.exe120⤵PID:1552
-
\??\c:\jdvvj.exec:\jdvvj.exe121⤵PID:712
-
\??\c:\tnbthh.exec:\tnbthh.exe122⤵PID:3624
-