Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16-01-2025 23:51
Behavioral task
behavioral1
Sample
fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe
Resource
win7-20240903-en
9 signatures
120 seconds
General
-
Target
fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe
-
Size
3.7MB
-
MD5
791dcaac2e4fdcdeebe66a3fb363173c
-
SHA1
7f56c44a71ede39cd132adb87864ec827f5b42b4
-
SHA256
fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130
-
SHA512
bfd4c89d9602562e5f393a1685c58ce52dafb8c3a0473cb47ce40dddd5be125045b2584d91db1fe4c0b95439d07de1ebb57a5f2c53ea261a95dbdbf5bdb13446
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98u:U6XLq/qPPslzKx/dJg1ErmNP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/448-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1692-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1420-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4140-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2452-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/508-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2292-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1692-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2268-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4108-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4388-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/960-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2268-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1460-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-569-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-674-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1764-684-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-854-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3204-960-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 4512 htntbh.exe 2692 flrrrrr.exe 1992 bnhttt.exe 224 xrllffl.exe 2112 rrrlllr.exe 4452 tbbbbh.exe 2608 3hhbtt.exe 4756 jjjpj.exe 3892 vpjdv.exe 1692 lfflxrx.exe 1500 ttbbtt.exe 5036 dvjpd.exe 2748 1lrlllx.exe 5008 9lllfxx.exe 4656 tnnhhn.exe 4972 bbhhhh.exe 836 pvddj.exe 220 xxrrrll.exe 2184 7bttnh.exe 1420 tttntt.exe 4776 tnnhbn.exe 3188 fllfxfl.exe 3688 1flxrxx.exe 4924 rfxrlrl.exe 4140 xffxfrf.exe 2452 ddvpj.exe 2708 dvvjd.exe 2012 1xlxrrr.exe 4488 ffllfff.exe 3628 3vjdd.exe 1612 djjdj.exe 2132 pjvvv.exe 2412 jpvpj.exe 4768 dpddj.exe 4332 frrrrlr.exe 3712 lfrrlff.exe 432 fxrrllf.exe 3480 5flrrrf.exe 4076 rlfffxf.exe 4780 5lfxllx.exe 2260 1fxlfll.exe 508 1rlfxlf.exe 2208 ffrrffx.exe 4540 vjdjp.exe 1432 jjvdv.exe 3580 pjpjd.exe 3124 llfxxrr.exe 4820 3rxrllf.exe 2292 rrxrrll.exe 1616 ppvpj.exe 636 pdvpp.exe 4668 dvddd.exe 1692 1pvvv.exe 4316 bhtttt.exe 3208 hbhtnn.exe 3852 hthbbb.exe 2268 3htttt.exe 2252 7hhhbn.exe 1768 thtttt.exe 3484 nhnhbb.exe 3708 bbnnhh.exe 532 7ntnbb.exe 708 hhhtnh.exe 4932 nbnbtt.exe -
resource yara_rule behavioral2/memory/448-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b4f-3.dat upx behavioral2/memory/448-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baf-9.dat upx behavioral2/memory/4512-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bac-13.dat upx behavioral2/memory/1992-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2692-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb1-22.dat upx behavioral2/memory/224-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb2-28.dat upx behavioral2/memory/2112-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb3-34.dat upx behavioral2/memory/4452-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2608-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb4-40.dat upx behavioral2/files/0x000a000000023bb5-46.dat upx behavioral2/files/0x000a000000023bb6-51.dat upx behavioral2/memory/4756-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb8-57.dat upx behavioral2/memory/3892-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb9-63.dat upx behavioral2/memory/1692-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bba-68.dat upx behavioral2/memory/1500-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bbb-76.dat upx behavioral2/memory/2748-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bbc-82.dat upx behavioral2/files/0x000a000000023bbd-85.dat upx behavioral2/memory/5008-88-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4656-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bbe-92.dat upx behavioral2/files/0x000a000000023bbf-97.dat upx behavioral2/files/0x000a000000023bc0-102.dat upx behavioral2/memory/220-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/836-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bc1-109.dat upx behavioral2/files/0x000a000000023bc2-114.dat upx behavioral2/memory/2184-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bc3-120.dat upx behavioral2/memory/1420-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e75d-125.dat upx behavioral2/memory/3188-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bc5-131.dat upx behavioral2/memory/3688-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bc6-137.dat upx behavioral2/files/0x000a000000023bc8-143.dat upx behavioral2/files/0x000a000000023bc9-147.dat upx behavioral2/memory/4140-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bca-152.dat upx behavioral2/memory/2452-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bcb-159.dat upx behavioral2/memory/2012-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2708-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bcc-165.dat upx behavioral2/files/0x000a000000023bcd-170.dat upx behavioral2/memory/3628-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bce-176.dat upx behavioral2/files/0x000a000000023bcf-182.dat upx behavioral2/memory/2132-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4768-194-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4332-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4076-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4780-214-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxxlx.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllfxl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 448 wrote to memory of 4512 448 fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe 83 PID 448 wrote to memory of 4512 448 fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe 83 PID 448 wrote to memory of 4512 448 fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe 83 PID 4512 wrote to memory of 2692 4512 htntbh.exe 84 PID 4512 wrote to memory of 2692 4512 htntbh.exe 84 PID 4512 wrote to memory of 2692 4512 htntbh.exe 84 PID 2692 wrote to memory of 1992 2692 flrrrrr.exe 85 PID 2692 wrote to memory of 1992 2692 flrrrrr.exe 85 PID 2692 wrote to memory of 1992 2692 flrrrrr.exe 85 PID 1992 wrote to memory of 224 1992 bnhttt.exe 86 PID 1992 wrote to memory of 224 1992 bnhttt.exe 86 PID 1992 wrote to memory of 224 1992 bnhttt.exe 86 PID 224 wrote to memory of 2112 224 xrllffl.exe 87 PID 224 wrote to memory of 2112 224 xrllffl.exe 87 PID 224 wrote to memory of 2112 224 xrllffl.exe 87 PID 2112 wrote to memory of 4452 2112 rrrlllr.exe 88 PID 2112 wrote to memory of 4452 2112 rrrlllr.exe 88 PID 2112 wrote to memory of 4452 2112 rrrlllr.exe 88 PID 4452 wrote to memory of 2608 4452 tbbbbh.exe 89 PID 4452 wrote to memory of 2608 4452 tbbbbh.exe 89 PID 4452 wrote to memory of 2608 4452 tbbbbh.exe 89 PID 2608 wrote to memory of 4756 2608 3hhbtt.exe 90 PID 2608 wrote to memory of 4756 2608 3hhbtt.exe 90 PID 2608 wrote to memory of 4756 2608 3hhbtt.exe 90 PID 4756 wrote to memory of 3892 4756 jjjpj.exe 91 PID 4756 wrote to memory of 3892 4756 jjjpj.exe 91 PID 4756 wrote to memory of 3892 4756 jjjpj.exe 91 PID 3892 wrote to memory of 1692 3892 vpjdv.exe 92 PID 3892 wrote to memory of 1692 3892 vpjdv.exe 92 PID 3892 wrote to memory of 1692 3892 vpjdv.exe 92 PID 1692 wrote to memory of 1500 1692 lfflxrx.exe 93 PID 1692 wrote to memory of 1500 1692 lfflxrx.exe 93 PID 1692 wrote to memory of 1500 1692 lfflxrx.exe 93 PID 1500 wrote to memory of 5036 1500 ttbbtt.exe 94 PID 1500 wrote to memory of 
5036 1500 ttbbtt.exe 94 PID 1500 wrote to memory of 5036 1500 ttbbtt.exe 94 PID 5036 wrote to memory of 2748 5036 dvjpd.exe 95 PID 5036 wrote to memory of 2748 5036 dvjpd.exe 95 PID 5036 wrote to memory of 2748 5036 dvjpd.exe 95 PID 2748 wrote to memory of 5008 2748 1lrlllx.exe 96 PID 2748 wrote to memory of 5008 2748 1lrlllx.exe 96 PID 2748 wrote to memory of 5008 2748 1lrlllx.exe 96 PID 5008 wrote to memory of 4656 5008 9lllfxx.exe 97 PID 5008 wrote to memory of 4656 5008 9lllfxx.exe 97 PID 5008 wrote to memory of 4656 5008 9lllfxx.exe 97 PID 4656 wrote to memory of 4972 4656 tnnhhn.exe 98 PID 4656 wrote to memory of 4972 4656 tnnhhn.exe 98 PID 4656 wrote to memory of 4972 4656 tnnhhn.exe 98 PID 4972 wrote to memory of 836 4972 bbhhhh.exe 99 PID 4972 wrote to memory of 836 4972 bbhhhh.exe 99 PID 4972 wrote to memory of 836 4972 bbhhhh.exe 99 PID 836 wrote to memory of 220 836 pvddj.exe 100 PID 836 wrote to memory of 220 836 pvddj.exe 100 PID 836 wrote to memory of 220 836 pvddj.exe 100 PID 220 wrote to memory of 2184 220 xxrrrll.exe 102 PID 220 wrote to memory of 2184 220 xxrrrll.exe 102 PID 220 wrote to memory of 2184 220 xxrrrll.exe 102 PID 2184 wrote to memory of 1420 2184 7bttnh.exe 103 PID 2184 wrote to memory of 1420 2184 7bttnh.exe 103 PID 2184 wrote to memory of 1420 2184 7bttnh.exe 103 PID 1420 wrote to memory of 4776 1420 tttntt.exe 104 PID 1420 wrote to memory of 4776 1420 tttntt.exe 104 PID 1420 wrote to memory of 4776 1420 tttntt.exe 104 PID 4776 wrote to memory of 3188 4776 tnnhbn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe"C:\Users\Admin\AppData\Local\Temp\fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\htntbh.exec:\htntbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\flrrrrr.exec:\flrrrrr.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\bnhttt.exec:\bnhttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\xrllffl.exec:\xrllffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\rrrlllr.exec:\rrrlllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\tbbbbh.exec:\tbbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\3hhbtt.exec:\3hhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\jjjpj.exec:\jjjpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\vpjdv.exec:\vpjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\lfflxrx.exec:\lfflxrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\ttbbtt.exec:\ttbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\dvjpd.exec:\dvjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\1lrlllx.exec:\1lrlllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\9lllfxx.exec:\9lllfxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\tnnhhn.exec:\tnnhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\bbhhhh.exec:\bbhhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\pvddj.exec:\pvddj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\xxrrrll.exec:\xxrrrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\7bttnh.exec:\7bttnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\tttntt.exec:\tttntt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\tnnhbn.exec:\tnnhbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\fllfxfl.exec:\fllfxfl.exe23⤵
- Executes dropped EXE
PID:3188 -
\??\c:\1flxrxx.exec:\1flxrxx.exe24⤵
- Executes dropped EXE
PID:3688 -
\??\c:\rfxrlrl.exec:\rfxrlrl.exe25⤵
- Executes dropped EXE
PID:4924 -
\??\c:\xffxfrf.exec:\xffxfrf.exe26⤵
- Executes dropped EXE
PID:4140 -
\??\c:\ddvpj.exec:\ddvpj.exe27⤵
- Executes dropped EXE
PID:2452 -
\??\c:\dvvjd.exec:\dvvjd.exe28⤵
- Executes dropped EXE
PID:2708 -
\??\c:\1xlxrrr.exec:\1xlxrrr.exe29⤵
- Executes dropped EXE
PID:2012 -
\??\c:\ffllfff.exec:\ffllfff.exe30⤵
- Executes dropped EXE
PID:4488 -
\??\c:\3vjdd.exec:\3vjdd.exe31⤵
- Executes dropped EXE
PID:3628 -
\??\c:\djjdj.exec:\djjdj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\pjvvv.exec:\pjvvv.exe33⤵
- Executes dropped EXE
PID:2132 -
\??\c:\jpvpj.exec:\jpvpj.exe34⤵
- Executes dropped EXE
PID:2412 -
\??\c:\dpddj.exec:\dpddj.exe35⤵
- Executes dropped EXE
PID:4768 -
\??\c:\frrrrlr.exec:\frrrrlr.exe36⤵
- Executes dropped EXE
PID:4332 -
\??\c:\lfrrlff.exec:\lfrrlff.exe37⤵
- Executes dropped EXE
PID:3712 -
\??\c:\fxrrllf.exec:\fxrrllf.exe38⤵
- Executes dropped EXE
PID:432 -
\??\c:\5flrrrf.exec:\5flrrrf.exe39⤵
- Executes dropped EXE
PID:3480 -
\??\c:\rlfffxf.exec:\rlfffxf.exe40⤵
- Executes dropped EXE
PID:4076 -
\??\c:\5lfxllx.exec:\5lfxllx.exe41⤵
- Executes dropped EXE
PID:4780 -
\??\c:\1fxlfll.exec:\1fxlfll.exe42⤵
- Executes dropped EXE
PID:2260 -
\??\c:\1rlfxlf.exec:\1rlfxlf.exe43⤵
- Executes dropped EXE
PID:508 -
\??\c:\ffrrffx.exec:\ffrrffx.exe44⤵
- Executes dropped EXE
PID:2208 -
\??\c:\vjdjp.exec:\vjdjp.exe45⤵
- Executes dropped EXE
PID:4540 -
\??\c:\jjvdv.exec:\jjvdv.exe46⤵
- Executes dropped EXE
PID:1432 -
\??\c:\pjpjd.exec:\pjpjd.exe47⤵
- Executes dropped EXE
PID:3580 -
\??\c:\llfxxrr.exec:\llfxxrr.exe48⤵
- Executes dropped EXE
PID:3124 -
\??\c:\3rxrllf.exec:\3rxrllf.exe49⤵
- Executes dropped EXE
PID:4820 -
\??\c:\rrxrrll.exec:\rrxrrll.exe50⤵
- Executes dropped EXE
PID:2292 -
\??\c:\ppvpj.exec:\ppvpj.exe51⤵
- Executes dropped EXE
PID:1616 -
\??\c:\pdvpp.exec:\pdvpp.exe52⤵
- Executes dropped EXE
PID:636 -
\??\c:\dvddd.exec:\dvddd.exe53⤵
- Executes dropped EXE
PID:4668 -
\??\c:\1pvvv.exec:\1pvvv.exe54⤵
- Executes dropped EXE
PID:1692 -
\??\c:\bhtttt.exec:\bhtttt.exe55⤵
- Executes dropped EXE
PID:4316 -
\??\c:\hbhtnn.exec:\hbhtnn.exe56⤵
- Executes dropped EXE
PID:3208 -
\??\c:\hthbbb.exec:\hthbbb.exe57⤵
- Executes dropped EXE
PID:3852 -
\??\c:\3htttt.exec:\3htttt.exe58⤵
- Executes dropped EXE
PID:2268 -
\??\c:\7hhhbn.exec:\7hhhbn.exe59⤵
- Executes dropped EXE
PID:2252 -
\??\c:\thtttt.exec:\thtttt.exe60⤵
- Executes dropped EXE
PID:1768 -
\??\c:\nhnhbb.exec:\nhnhbb.exe61⤵
- Executes dropped EXE
PID:3484 -
\??\c:\bbnnhh.exec:\bbnnhh.exe62⤵
- Executes dropped EXE
PID:3708 -
\??\c:\7ntnbb.exec:\7ntnbb.exe63⤵
- Executes dropped EXE
PID:532 -
\??\c:\hhhtnh.exec:\hhhtnh.exe64⤵
- Executes dropped EXE
PID:708 -
\??\c:\nbnbtt.exec:\nbnbtt.exe65⤵
- Executes dropped EXE
PID:4932 -
\??\c:\3tnbtn.exec:\3tnbtn.exe66⤵
- System Location Discovery: System Language Discovery
PID:4652 -
\??\c:\ntbtnn.exec:\ntbtnn.exe67⤵PID:2212
-
\??\c:\5hhbnt.exec:\5hhbnt.exe68⤵PID:4108
-
\??\c:\ttbtbb.exec:\ttbtbb.exe69⤵PID:2920
-
\??\c:\5bhnbb.exec:\5bhnbb.exe70⤵PID:2956
-
\??\c:\bbnnht.exec:\bbnnht.exe71⤵PID:4396
-
\??\c:\hbtbnb.exec:\hbtbnb.exe72⤵PID:1712
-
\??\c:\rrllffx.exec:\rrllffx.exe73⤵PID:3964
-
\??\c:\rlxflll.exec:\rlxflll.exe74⤵PID:4060
-
\??\c:\5lxxxxx.exec:\5lxxxxx.exe75⤵
- System Location Discovery: System Language Discovery
PID:4612 -
\??\c:\3lxfflf.exec:\3lxfflf.exe76⤵PID:4976
-
\??\c:\xffffrr.exec:\xffffrr.exe77⤵PID:4816
-
\??\c:\frrxlrf.exec:\frrxlrf.exe78⤵
- System Location Discovery: System Language Discovery
PID:5112 -
\??\c:\lxrrrxr.exec:\lxrrrxr.exe79⤵PID:4356
-
\??\c:\rfffrxl.exec:\rfffrxl.exe80⤵
- System Location Discovery: System Language Discovery
PID:2628 -
\??\c:\7llffff.exec:\7llffff.exe81⤵PID:4492
-
\??\c:\xrrrlrl.exec:\xrrrlrl.exe82⤵PID:664
-
\??\c:\1fxlllf.exec:\1fxlllf.exe83⤵PID:3444
-
\??\c:\lxfffff.exec:\lxfffff.exe84⤵PID:3816
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe85⤵PID:1488
-
\??\c:\3llfxrl.exec:\3llfxrl.exe86⤵PID:3160
-
\??\c:\llxrrrx.exec:\llxrrrx.exe87⤵PID:3988
-
\??\c:\fffxffl.exec:\fffxffl.exe88⤵PID:4736
-
\??\c:\fxfffff.exec:\fxfffff.exe89⤵PID:1772
-
\??\c:\pjdpp.exec:\pjdpp.exe90⤵PID:4200
-
\??\c:\dvjdv.exec:\dvjdv.exe91⤵PID:1892
-
\??\c:\7jjjj.exec:\7jjjj.exe92⤵PID:3956
-
\??\c:\pjvvp.exec:\pjvvp.exe93⤵PID:2112
-
\??\c:\pdvvp.exec:\pdvvp.exe94⤵PID:4388
-
\??\c:\3tthtb.exec:\3tthtb.exe95⤵PID:3580
-
\??\c:\nnhbnn.exec:\nnhbnn.exe96⤵PID:1568
-
\??\c:\pjjpj.exec:\pjjpj.exe97⤵PID:4756
-
\??\c:\dpvpv.exec:\dpvpv.exe98⤵PID:1180
-
\??\c:\jpjjv.exec:\jpjjv.exe99⤵
- System Location Discovery: System Language Discovery
PID:444 -
\??\c:\jjvvv.exec:\jjvvv.exe100⤵PID:1704
-
\??\c:\jjppj.exec:\jjppj.exe101⤵PID:4472
-
\??\c:\djpjj.exec:\djpjj.exe102⤵
- System Location Discovery: System Language Discovery
PID:5036 -
\??\c:\5dpvp.exec:\5dpvp.exe103⤵PID:960
-
\??\c:\dpvvv.exec:\dpvvv.exe104⤵PID:2348
-
\??\c:\djjdp.exec:\djjdp.exe105⤵PID:2268
-
\??\c:\nnhhbb.exec:\nnhhbb.exe106⤵PID:2252
-
\??\c:\hhnnnb.exec:\hhnnnb.exe107⤵PID:1768
-
\??\c:\1bbttb.exec:\1bbttb.exe108⤵PID:3484
-
\??\c:\bbhbbt.exec:\bbhbbt.exe109⤵PID:4944
-
\??\c:\htbbht.exec:\htbbht.exe110⤵PID:532
-
\??\c:\rlfffll.exec:\rlfffll.exe111⤵PID:708
-
\??\c:\xflrllf.exec:\xflrllf.exe112⤵PID:1092
-
\??\c:\xxllrlx.exec:\xxllrlx.exe113⤵PID:1420
-
\??\c:\fxlxlxr.exec:\fxlxlxr.exe114⤵PID:1984
-
\??\c:\fxrrlrx.exec:\fxrrlrx.exe115⤵PID:3896
-
\??\c:\fxlfflf.exec:\fxlfflf.exe116⤵PID:540
-
\??\c:\5fffffr.exec:\5fffffr.exe117⤵PID:1460
-
\??\c:\ffrxrxx.exec:\ffrxrxx.exe118⤵PID:904
-
\??\c:\dpjjv.exec:\dpjjv.exe119⤵
- System Location Discovery: System Language Discovery
PID:3240 -
\??\c:\djjpp.exec:\djjpp.exe120⤵PID:4148
-
\??\c:\1nhbhh.exec:\1nhbhh.exe121⤵PID:4052
-
\??\c:\thnntt.exec:\thnntt.exe122⤵PID:1640
-