Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-01-2025 23:56
Behavioral task
behavioral1
Sample
fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe
Resource
win7-20240903-en
9 signatures
150 seconds
General
-
Target
fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe
-
Size
3.7MB
-
MD5
791dcaac2e4fdcdeebe66a3fb363173c
-
SHA1
7f56c44a71ede39cd132adb87864ec827f5b42b4
-
SHA256
fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130
-
SHA512
bfd4c89d9602562e5f393a1685c58ce52dafb8c3a0473cb47ce40dddd5be125045b2584d91db1fe4c0b95439d07de1ebb57a5f2c53ea261a95dbdbf5bdb13446
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98u:U6XLq/qPPslzKx/dJg1ErmNP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1080-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/528-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1312-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1252-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2568-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2896-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1020-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/708-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3184-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4064-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1696-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-525-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-593-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-690-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-700-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/556-740-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-780-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-1160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-1738-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2444 686228.exe 1360 0484822.exe 2236 thnhtt.exe 2804 006082.exe 1588 64600.exe 3132 0460088.exe 4280 46604.exe 3844 2002820.exe 5080 42262.exe 528 246660.exe 1852 ffxxrxx.exe 3356 dvpjj.exe 1312 lffxrrl.exe 2948 jdpdv.exe 2568 60260.exe 1252 1rllfff.exe 4440 862622.exe 4448 fflfxrl.exe 4204 002822.exe 2732 2864488.exe 4660 62482.exe 396 402604.exe 2896 pvjjd.exe 4884 ffffxlf.exe 3560 8644000.exe 2748 q04444.exe 2956 2868282.exe 2012 04624.exe 4980 lrxfrrl.exe 212 066008.exe 3764 202660.exe 3768 0026482.exe 4856 282082.exe 1020 nbtbnb.exe 2932 680842.exe 4936 vjjdp.exe 1956 006426.exe 3628 djpjp.exe 224 86486.exe 708 k06642.exe 2248 86262.exe 400 ntbnbn.exe 1432 86622.exe 4800 jdvvp.exe 2596 268826.exe 3888 thbtbh.exe 1232 666420.exe 4832 408282.exe 4376 hbthnb.exe 4040 lllxfxl.exe 1792 m8220.exe 1808 0828646.exe 4572 62208.exe 4668 q60864.exe 2684 frlxxrl.exe 4736 822486.exe 4196 6408426.exe 2940 xxfxxxl.exe 2028 vvpjv.exe 1856 hnhthb.exe 668 nbhthb.exe 4716 8622262.exe 1352 hhnhhb.exe 4796 004440.exe -
resource yara_rule behavioral2/memory/1080-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023af7-3.dat upx behavioral2/memory/1080-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b56-9.dat upx behavioral2/memory/2444-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b5b-13.dat upx behavioral2/memory/1360-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b5c-22.dat upx behavioral2/memory/2236-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2804-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b5d-29.dat upx behavioral2/memory/1588-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2804-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5e-35.dat upx behavioral2/memory/3132-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5f-41.dat upx behavioral2/memory/4280-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b60-48.dat upx behavioral2/memory/3844-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b62-52.dat upx behavioral2/files/0x000a000000023b63-58.dat upx behavioral2/memory/5080-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b64-67.dat upx behavioral2/memory/528-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1852-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b65-71.dat upx behavioral2/memory/3356-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b66-78.dat upx behavioral2/memory/1312-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b67-84.dat upx 
behavioral2/files/0x000a000000023b68-90.dat upx behavioral2/memory/2948-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b69-93.dat upx behavioral2/memory/1252-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2568-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6a-101.dat upx behavioral2/files/0x000700000001e104-106.dat upx behavioral2/memory/4448-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6d-113.dat upx behavioral2/files/0x000a000000023b6e-116.dat upx behavioral2/memory/4204-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-124.dat upx behavioral2/memory/4660-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2732-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b70-129.dat upx behavioral2/memory/4660-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-135.dat upx behavioral2/files/0x000a000000023b73-140.dat upx behavioral2/memory/2896-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b74-146.dat upx behavioral2/files/0x000a000000023b75-151.dat upx behavioral2/memory/3560-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-157.dat upx behavioral2/files/0x000a000000023b77-163.dat upx behavioral2/memory/2012-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-169.dat upx behavioral2/files/0x000a000000023b7a-173.dat upx behavioral2/memory/4980-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-179.dat upx behavioral2/memory/212-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-186.dat upx 
behavioral2/memory/1020-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2932-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4936-205-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2806668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 686228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w80448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q44860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
tnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6004226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0624622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 686486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u226002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 460820.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4442042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q46088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxrf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1080 wrote to memory of 2444 1080 fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe 83 PID 1080 wrote to memory of 2444 1080 fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe 83 PID 1080 wrote to memory of 2444 1080 fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe 83 PID 2444 wrote to memory of 1360 2444 686228.exe 84 PID 2444 wrote to memory of 1360 2444 686228.exe 84 PID 2444 wrote to memory of 1360 2444 686228.exe 84 PID 1360 wrote to memory of 2236 1360 0484822.exe 85 PID 1360 wrote to memory of 2236 1360 0484822.exe 85 PID 1360 wrote to memory of 2236 1360 0484822.exe 85 PID 2236 wrote to memory of 2804 2236 thnhtt.exe 86 PID 2236 wrote to memory of 2804 2236 thnhtt.exe 86 PID 2236 wrote to memory of 2804 2236 thnhtt.exe 86 PID 2804 wrote to memory of 1588 2804 006082.exe 87 PID 2804 wrote to memory of 1588 2804 006082.exe 87 PID 2804 wrote to memory of 1588 2804 006082.exe 87 PID 1588 wrote to memory of 3132 1588 64600.exe 88 PID 1588 wrote to memory of 3132 1588 64600.exe 88 PID 1588 wrote to memory of 3132 1588 64600.exe 88 PID 3132 wrote to memory of 4280 3132 0460088.exe 89 PID 3132 wrote to memory of 4280 3132 0460088.exe 89 PID 3132 wrote to memory of 4280 3132 0460088.exe 89 PID 4280 wrote to memory of 3844 4280 46604.exe 90 PID 4280 wrote to memory of 3844 4280 46604.exe 90 PID 4280 wrote to memory of 3844 4280 46604.exe 90 PID 3844 wrote to memory of 5080 3844 2002820.exe 91 PID 3844 wrote to memory of 5080 3844 2002820.exe 91 PID 3844 wrote to memory of 5080 3844 2002820.exe 91 PID 5080 wrote to memory of 528 5080 42262.exe 92 PID 5080 wrote to memory of 528 5080 42262.exe 92 PID 5080 wrote to memory of 528 5080 42262.exe 92 PID 528 wrote to memory of 1852 528 246660.exe 93 PID 528 wrote to memory of 1852 528 246660.exe 93 PID 528 wrote to memory of 1852 528 246660.exe 93 PID 1852 wrote to memory of 3356 1852 ffxxrxx.exe 94 PID 1852 wrote to memory of 
3356 1852 ffxxrxx.exe 94 PID 1852 wrote to memory of 3356 1852 ffxxrxx.exe 94 PID 3356 wrote to memory of 1312 3356 dvpjj.exe 95 PID 3356 wrote to memory of 1312 3356 dvpjj.exe 95 PID 3356 wrote to memory of 1312 3356 dvpjj.exe 95 PID 1312 wrote to memory of 2948 1312 lffxrrl.exe 96 PID 1312 wrote to memory of 2948 1312 lffxrrl.exe 96 PID 1312 wrote to memory of 2948 1312 lffxrrl.exe 96 PID 2948 wrote to memory of 2568 2948 jdpdv.exe 97 PID 2948 wrote to memory of 2568 2948 jdpdv.exe 97 PID 2948 wrote to memory of 2568 2948 jdpdv.exe 97 PID 2568 wrote to memory of 1252 2568 60260.exe 98 PID 2568 wrote to memory of 1252 2568 60260.exe 98 PID 2568 wrote to memory of 1252 2568 60260.exe 98 PID 1252 wrote to memory of 4440 1252 1rllfff.exe 99 PID 1252 wrote to memory of 4440 1252 1rllfff.exe 99 PID 1252 wrote to memory of 4440 1252 1rllfff.exe 99 PID 4440 wrote to memory of 4448 4440 862622.exe 100 PID 4440 wrote to memory of 4448 4440 862622.exe 100 PID 4440 wrote to memory of 4448 4440 862622.exe 100 PID 4448 wrote to memory of 4204 4448 fflfxrl.exe 101 PID 4448 wrote to memory of 4204 4448 fflfxrl.exe 101 PID 4448 wrote to memory of 4204 4448 fflfxrl.exe 101 PID 4204 wrote to memory of 2732 4204 002822.exe 104 PID 4204 wrote to memory of 2732 4204 002822.exe 104 PID 4204 wrote to memory of 2732 4204 002822.exe 104 PID 2732 wrote to memory of 4660 2732 2864488.exe 105 PID 2732 wrote to memory of 4660 2732 2864488.exe 105 PID 2732 wrote to memory of 4660 2732 2864488.exe 105 PID 4660 wrote to memory of 396 4660 62482.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe"C:\Users\Admin\AppData\Local\Temp\fd9300813703fe36bfee43d2eeb6b0a955964ab367c18bef326759fa7bd23130.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\686228.exec:\686228.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\0484822.exec:\0484822.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\thnhtt.exec:\thnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\006082.exec:\006082.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\64600.exec:\64600.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\0460088.exec:\0460088.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\46604.exec:\46604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\2002820.exec:\2002820.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\42262.exec:\42262.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\246660.exec:\246660.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\ffxxrxx.exec:\ffxxrxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\dvpjj.exec:\dvpjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\lffxrrl.exec:\lffxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\jdpdv.exec:\jdpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\60260.exec:\60260.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\1rllfff.exec:\1rllfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\862622.exec:\862622.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\fflfxrl.exec:\fflfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\002822.exec:\002822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\2864488.exec:\2864488.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\62482.exec:\62482.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\402604.exec:\402604.exe23⤵
- Executes dropped EXE
PID:396 -
\??\c:\pvjjd.exec:\pvjjd.exe24⤵
- Executes dropped EXE
PID:2896 -
\??\c:\ffffxlf.exec:\ffffxlf.exe25⤵
- Executes dropped EXE
PID:4884 -
\??\c:\8644000.exec:\8644000.exe26⤵
- Executes dropped EXE
PID:3560 -
\??\c:\q04444.exec:\q04444.exe27⤵
- Executes dropped EXE
PID:2748 -
\??\c:\2868282.exec:\2868282.exe28⤵
- Executes dropped EXE
PID:2956 -
\??\c:\04624.exec:\04624.exe29⤵
- Executes dropped EXE
PID:2012 -
\??\c:\lrxfrrl.exec:\lrxfrrl.exe30⤵
- Executes dropped EXE
PID:4980 -
\??\c:\066008.exec:\066008.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:212 -
\??\c:\202660.exec:\202660.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3764 -
\??\c:\0026482.exec:\0026482.exe33⤵
- Executes dropped EXE
PID:3768 -
\??\c:\282082.exec:\282082.exe34⤵
- Executes dropped EXE
PID:4856 -
\??\c:\nbtbnb.exec:\nbtbnb.exe35⤵
- Executes dropped EXE
PID:1020 -
\??\c:\680842.exec:\680842.exe36⤵
- Executes dropped EXE
PID:2932 -
\??\c:\vjjdp.exec:\vjjdp.exe37⤵
- Executes dropped EXE
PID:4936 -
\??\c:\006426.exec:\006426.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
\??\c:\djpjp.exec:\djpjp.exe39⤵
- Executes dropped EXE
PID:3628 -
\??\c:\86486.exec:\86486.exe40⤵
- Executes dropped EXE
PID:224 -
\??\c:\k06642.exec:\k06642.exe41⤵
- Executes dropped EXE
PID:708 -
\??\c:\86262.exec:\86262.exe42⤵
- Executes dropped EXE
PID:2248 -
\??\c:\ntbnbn.exec:\ntbnbn.exe43⤵
- Executes dropped EXE
PID:400 -
\??\c:\86622.exec:\86622.exe44⤵
- Executes dropped EXE
PID:1432 -
\??\c:\jdvvp.exec:\jdvvp.exe45⤵
- Executes dropped EXE
PID:4800 -
\??\c:\268826.exec:\268826.exe46⤵
- Executes dropped EXE
PID:2596 -
\??\c:\thbtbh.exec:\thbtbh.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3888 -
\??\c:\666420.exec:\666420.exe48⤵
- Executes dropped EXE
PID:1232 -
\??\c:\408282.exec:\408282.exe49⤵
- Executes dropped EXE
PID:4832 -
\??\c:\hbthnb.exec:\hbthnb.exe50⤵
- Executes dropped EXE
PID:4376 -
\??\c:\lllxfxl.exec:\lllxfxl.exe51⤵
- Executes dropped EXE
PID:4040 -
\??\c:\m8220.exec:\m8220.exe52⤵
- Executes dropped EXE
PID:1792 -
\??\c:\0828646.exec:\0828646.exe53⤵
- Executes dropped EXE
PID:1808 -
\??\c:\62208.exec:\62208.exe54⤵
- Executes dropped EXE
PID:4572 -
\??\c:\q60864.exec:\q60864.exe55⤵
- Executes dropped EXE
PID:4668 -
\??\c:\frlxxrl.exec:\frlxxrl.exe56⤵
- Executes dropped EXE
PID:2684 -
\??\c:\822486.exec:\822486.exe57⤵
- Executes dropped EXE
PID:4736 -
\??\c:\6408426.exec:\6408426.exe58⤵
- Executes dropped EXE
PID:4196 -
\??\c:\xxfxxxl.exec:\xxfxxxl.exe59⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vvpjv.exec:\vvpjv.exe60⤵
- Executes dropped EXE
PID:2028 -
\??\c:\hnhthb.exec:\hnhthb.exe61⤵
- Executes dropped EXE
PID:1856 -
\??\c:\nbhthb.exec:\nbhthb.exe62⤵
- Executes dropped EXE
PID:668 -
\??\c:\8622262.exec:\8622262.exe63⤵
- Executes dropped EXE
PID:4716 -
\??\c:\hhnhhb.exec:\hhnhhb.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352 -
\??\c:\004440.exec:\004440.exe65⤵
- Executes dropped EXE
PID:4796 -
\??\c:\xfxrrrr.exec:\xfxrrrr.exe66⤵PID:3488
-
\??\c:\hhhbtt.exec:\hhhbtt.exe67⤵PID:2780
-
\??\c:\022604.exec:\022604.exe68⤵PID:3184
-
\??\c:\xrrlxrr.exec:\xrrlxrr.exe69⤵PID:2552
-
\??\c:\llfrrfr.exec:\llfrrfr.exe70⤵PID:1748
-
\??\c:\600208.exec:\600208.exe71⤵PID:3008
-
\??\c:\e02264.exec:\e02264.exe72⤵PID:1348
-
\??\c:\08260.exec:\08260.exe73⤵PID:5040
-
\??\c:\pppdd.exec:\pppdd.exe74⤵PID:1776
-
\??\c:\xrxrfxx.exec:\xrxrfxx.exe75⤵PID:3624
-
\??\c:\llfrfxf.exec:\llfrfxf.exe76⤵PID:1652
-
\??\c:\rflxxll.exec:\rflxxll.exe77⤵PID:5076
-
\??\c:\222420.exec:\222420.exe78⤵PID:4008
-
\??\c:\vddpv.exec:\vddpv.exe79⤵PID:3096
-
\??\c:\s8660.exec:\s8660.exe80⤵PID:3024
-
\??\c:\hnnbnt.exec:\hnnbnt.exe81⤵PID:4064
-
\??\c:\c802086.exec:\c802086.exe82⤵PID:1552
-
\??\c:\686486.exec:\686486.exe83⤵
- System Location Discovery: System Language Discovery
PID:1396 -
\??\c:\rfrlxxx.exec:\rfrlxxx.exe84⤵PID:1604
-
\??\c:\228822.exec:\228822.exe85⤵PID:2072
-
\??\c:\24486.exec:\24486.exe86⤵PID:1956
-
\??\c:\666420.exec:\666420.exe87⤵PID:4020
-
\??\c:\c600662.exec:\c600662.exe88⤵PID:1696
-
\??\c:\lfrlxrf.exec:\lfrlxrf.exe89⤵PID:3132
-
\??\c:\7tbnbt.exec:\7tbnbt.exe90⤵PID:4280
-
\??\c:\lfflxlf.exec:\lfflxlf.exe91⤵PID:1928
-
\??\c:\684648.exec:\684648.exe92⤵PID:1096
-
\??\c:\48864.exec:\48864.exe93⤵PID:1548
-
\??\c:\jppjd.exec:\jppjd.exe94⤵PID:2608
-
\??\c:\4264264.exec:\4264264.exe95⤵PID:4772
-
\??\c:\6642664.exec:\6642664.exe96⤵PID:2400
-
\??\c:\vjvdp.exec:\vjvdp.exe97⤵PID:1228
-
\??\c:\m0600.exec:\m0600.exe98⤵PID:404
-
\??\c:\ntnhhh.exec:\ntnhhh.exe99⤵PID:3148
-
\??\c:\288648.exec:\288648.exe100⤵PID:4328
-
\??\c:\fxlxfxl.exec:\fxlxfxl.exe101⤵PID:4868
-
\??\c:\dpvjv.exec:\dpvjv.exe102⤵PID:1984
-
\??\c:\46220.exec:\46220.exe103⤵
- System Location Discovery: System Language Discovery
PID:2968 -
\??\c:\408846.exec:\408846.exe104⤵PID:868
-
\??\c:\tnbthh.exec:\tnbthh.exe105⤵PID:3996
-
\??\c:\06044.exec:\06044.exe106⤵PID:1740
-
\??\c:\5ddpd.exec:\5ddpd.exe107⤵PID:2648
-
\??\c:\tthbbn.exec:\tthbbn.exe108⤵PID:4928
-
\??\c:\nnhtnh.exec:\nnhtnh.exe109⤵PID:5116
-
\??\c:\vjvvv.exec:\vjvvv.exe110⤵PID:1600
-
\??\c:\djpjd.exec:\djpjd.exe111⤵PID:4732
-
\??\c:\llrlflf.exec:\llrlflf.exe112⤵PID:800
-
\??\c:\u008640.exec:\u008640.exe113⤵PID:3620
-
\??\c:\xxrfrfr.exec:\xxrfrfr.exe114⤵PID:3720
-
\??\c:\020628.exec:\020628.exe115⤵PID:1352
-
\??\c:\5thbhh.exec:\5thbhh.exe116⤵PID:5008
-
\??\c:\86020.exec:\86020.exe117⤵PID:3208
-
\??\c:\3tbhtn.exec:\3tbhtn.exe118⤵PID:2780
-
\??\c:\q80486.exec:\q80486.exe119⤵PID:2384
-
\??\c:\28488.exec:\28488.exe120⤵PID:4568
-
\??\c:\hbtbbn.exec:\hbtbbn.exe121⤵PID:2504
-
\??\c:\hththt.exec:\hththt.exe122⤵PID:3548