Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
03-11-2024 16:35
Behavioral task
behavioral1
Sample
c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
General
-
Target
c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe
-
Size
3.8MB
-
MD5
d0501ac2c9d1e495e9c67666f8aaee40
-
SHA1
3cd59eb00c8473018bd68be0d685c7e6a5639a06
-
SHA256
c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712
-
SHA512
8e23012928fb3d4e959a3d5e73fa17e20a37d3c56bc2c3dbe90ce1ff51a9070de1aa32812303d9752b4bc665f451e962f94299498bcddf3566aad11259c2f114
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98g:U6XLq/qPPslzKx/dJg1ErmNn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2044-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1616-137-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2464-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1304-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2980-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2112-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/528-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/740-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/948-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/296-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/372-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2040-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2040-99-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/3068-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2340-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-79-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2684-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3032-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2192-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2164-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2224-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2696-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2716-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1764-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1636-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1612-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2632-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2068-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1920-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3028-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2480-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1952-493-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1636-567-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1660-641-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2416-727-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1664-740-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2180-747-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1564-766-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2932-793-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-792-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2932-790-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2272-809-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2692-858-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2300-891-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2300-890-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2176-910-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1128-981-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1896-1022-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2620-1026-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1648-1052-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2976-1228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/540-1260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family (both the Blackmoon and Njrat family rules fired on this sample; only the Blackmoon match is corroborated here by a payload-detection rule with listed memory-region IoCs, so weigh the Njrat attribution accordingly)
-
Executes dropped EXE 64 IoCs (the listing appears capped at 64 entries: the process tree below shows the chain of dropped executables continuing to depth 122, and several PIDs — e.g. 2464 and 2980 — are reused by later processes in the chain, so correlate by image path and parent/child order rather than by PID alone)
pid Process 2252 vjdjj.exe 1636 djpjv.exe 1764 btnttn.exe 2224 nbtnth.exe 2780 flrrfxr.exe 3032 bhttbn.exe 2684 tnntbt.exe 2912 thhnth.exe 2804 jjpjp.exe 2040 9rxfrxl.exe 1660 xrlfrlr.exe 2744 thntnn.exe 2464 1pjvj.exe 1616 7pvdp.exe 2044 rfxxlfr.exe 2980 lflffff.exe 1304 llxxfll.exe 528 hhhntb.exe 2112 jvvjd.exe 740 pvjvj.exe 272 ffrrllf.exe 948 rlxrrlf.exe 1984 lxllrxx.exe 296 xlrlxxx.exe 2444 nbttbb.exe 1772 vpjvd.exe 372 vdjdd.exe 3068 hhtthh.exe 2340 bnbbnt.exe 1008 hbtttn.exe 1652 htnnnh.exe 1588 pdddv.exe 2204 lxrfrff.exe 2192 5pjdd.exe 2164 rxxlfrl.exe 2384 1tnbnb.exe 2696 tthhhh.exe 2716 rxflfll.exe 2788 lllxrfl.exe 2172 frlflff.exe 2944 rfrfffx.exe 2568 dvddj.exe 2572 7pjjv.exe 2632 tbbnhh.exe 1612 bhnbbt.exe 2908 flxffxx.exe 2900 xfxlrlf.exe 2464 xxfrlrl.exe 1920 xrxxlrx.exe 1428 3vvdp.exe 2968 ddvvp.exe 2980 jppdv.exe 480 vdjdd.exe 264 bnnbth.exe 1964 tbhtnt.exe 3028 fxfxfll.exe 2104 xflflrf.exe 2480 ppjdp.exe 3056 pppvj.exe 1668 7pjvp.exe 2640 hntbbt.exe 1952 9nbnnh.exe 1720 bttbbt.exe 2500 hbntht.exe -
resource yara_rule behavioral1/files/0x000500000001a067-151.dat upx behavioral1/memory/2044-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019fb9-142.dat upx behavioral1/files/0x0005000000019f9f-133.dat upx behavioral1/memory/2464-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a07b-160.dat upx behavioral1/memory/1304-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/528-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a0a1-168.dat upx behavioral1/memory/2980-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a301-179.dat upx behavioral1/memory/2112-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/528-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a345-188.dat upx behavioral1/files/0x000500000001a42b-197.dat upx behavioral1/memory/740-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a42d-205.dat upx behavioral1/files/0x0005000000019db8-124.dat upx behavioral1/memory/2744-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a42f-214.dat upx behavioral1/memory/948-212-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a431-222.dat upx behavioral1/files/0x000500000001a434-231.dat upx behavioral1/memory/296-229-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46a-239.dat upx behavioral1/files/0x0005000000019da4-114.dat upx behavioral1/memory/372-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a48c-247.dat upx behavioral1/files/0x0005000000019d44-106.dat upx behavioral1/files/0x000500000001a48c-249.dat upx behavioral1/files/0x000500000001a48e-258.dat upx behavioral1/memory/372-257-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2040-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2040-99-0x0000000000430000-0x0000000000457000-memory.dmp upx behavioral1/files/0x0005000000019d20-96.dat upx behavioral1/memory/2040-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a49a-267.dat upx behavioral1/memory/3068-265-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a49c-276.dat upx behavioral1/memory/2340-274-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4aa-285.dat upx behavioral1/memory/1652-284-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b5-293.dat upx behavioral1/files/0x00070000000190c9-87.dat upx behavioral1/memory/2804-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2912-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000190c6-76.dat upx behavioral1/memory/2684-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001878d-67.dat upx behavioral1/memory/2684-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3032-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000017474-57.dat upx behavioral1/memory/2780-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2192-312-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001867d-48.dat upx behavioral1/memory/2164-319-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2224-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2696-326-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2716-333-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000f000000018662-39.dat upx behavioral1/memory/1764-38-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x0016000000018657-29.dat upx behavioral1/memory/1764-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1636-27-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading this registry key is also common in benign software, so treat this hit as corroborating evidence rather than a standalone indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fflrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrlrf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2252 2068 c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe 31 PID 2068 wrote to memory of 2252 2068 c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe 31 PID 2068 wrote to memory of 2252 2068 c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe 31 PID 2068 wrote to memory of 2252 2068 c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe 31 PID 2252 wrote to memory of 1636 2252 vjdjj.exe 105 PID 2252 wrote to memory of 1636 2252 vjdjj.exe 105 PID 2252 wrote to memory of 1636 2252 vjdjj.exe 105 PID 2252 wrote to memory of 1636 2252 vjdjj.exe 105 PID 1636 wrote to memory of 1764 1636 djpjv.exe 33 PID 1636 wrote to memory of 1764 1636 djpjv.exe 33 PID 1636 wrote to memory of 1764 1636 djpjv.exe 33 PID 1636 wrote to memory of 1764 1636 djpjv.exe 33 PID 1764 wrote to memory of 2224 1764 btnttn.exe 34 PID 1764 wrote to memory of 2224 1764 btnttn.exe 34 PID 1764 wrote to memory of 2224 1764 btnttn.exe 34 PID 1764 wrote to memory of 2224 1764 btnttn.exe 34 PID 2224 wrote to memory of 2780 2224 nbtnth.exe 35 PID 2224 wrote to memory of 2780 2224 nbtnth.exe 35 PID 2224 wrote to memory of 2780 2224 nbtnth.exe 35 PID 2224 wrote to memory of 2780 2224 nbtnth.exe 35 PID 2780 wrote to memory of 3032 2780 flrrfxr.exe 110 PID 2780 wrote to memory of 3032 2780 flrrfxr.exe 110 PID 2780 wrote to memory of 3032 2780 flrrfxr.exe 110 PID 2780 wrote to memory of 3032 2780 flrrfxr.exe 110 PID 3032 wrote to memory of 2684 3032 bhttbn.exe 37 PID 3032 wrote to memory of 2684 3032 bhttbn.exe 37 PID 3032 wrote to memory of 2684 3032 bhttbn.exe 37 PID 3032 wrote to memory of 2684 3032 bhttbn.exe 37 PID 2684 wrote to memory of 2912 2684 tnntbt.exe 38 PID 2684 wrote to memory of 2912 2684 tnntbt.exe 38 PID 2684 wrote to memory of 2912 2684 tnntbt.exe 38 PID 2684 wrote to memory of 2912 2684 tnntbt.exe 38 PID 2912 wrote to memory of 2804 2912 thhnth.exe 39 PID 
2912 wrote to memory of 2804 2912 thhnth.exe 39 PID 2912 wrote to memory of 2804 2912 thhnth.exe 39 PID 2912 wrote to memory of 2804 2912 thhnth.exe 39 PID 2804 wrote to memory of 2040 2804 jjpjp.exe 40 PID 2804 wrote to memory of 2040 2804 jjpjp.exe 40 PID 2804 wrote to memory of 2040 2804 jjpjp.exe 40 PID 2804 wrote to memory of 2040 2804 jjpjp.exe 40 PID 2040 wrote to memory of 1660 2040 9rxfrxl.exe 117 PID 2040 wrote to memory of 1660 2040 9rxfrxl.exe 117 PID 2040 wrote to memory of 1660 2040 9rxfrxl.exe 117 PID 2040 wrote to memory of 1660 2040 9rxfrxl.exe 117 PID 1660 wrote to memory of 2744 1660 xrlfrlr.exe 42 PID 1660 wrote to memory of 2744 1660 xrlfrlr.exe 42 PID 1660 wrote to memory of 2744 1660 xrlfrlr.exe 42 PID 1660 wrote to memory of 2744 1660 xrlfrlr.exe 42 PID 2744 wrote to memory of 2464 2744 thntnn.exe 78 PID 2744 wrote to memory of 2464 2744 thntnn.exe 78 PID 2744 wrote to memory of 2464 2744 thntnn.exe 78 PID 2744 wrote to memory of 2464 2744 thntnn.exe 78 PID 2464 wrote to memory of 1616 2464 1pjvj.exe 44 PID 2464 wrote to memory of 1616 2464 1pjvj.exe 44 PID 2464 wrote to memory of 1616 2464 1pjvj.exe 44 PID 2464 wrote to memory of 1616 2464 1pjvj.exe 44 PID 1616 wrote to memory of 2044 1616 7pvdp.exe 122 PID 1616 wrote to memory of 2044 1616 7pvdp.exe 122 PID 1616 wrote to memory of 2044 1616 7pvdp.exe 122 PID 1616 wrote to memory of 2044 1616 7pvdp.exe 122 PID 2044 wrote to memory of 2980 2044 rfxxlfr.exe 82 PID 2044 wrote to memory of 2980 2044 rfxxlfr.exe 82 PID 2044 wrote to memory of 2980 2044 rfxxlfr.exe 82 PID 2044 wrote to memory of 2980 2044 rfxxlfr.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe"C:\Users\Admin\AppData\Local\Temp\c614fbe1ca114ba28a5c6c7f5e55dfb01ee8795998f7844a104783df8b9cb712N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\vjdjj.exec:\vjdjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\djpjv.exec:\djpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\btnttn.exec:\btnttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\nbtnth.exec:\nbtnth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\flrrfxr.exec:\flrrfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\bhttbn.exec:\bhttbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\tnntbt.exec:\tnntbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\thhnth.exec:\thhnth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\jjpjp.exec:\jjpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\9rxfrxl.exec:\9rxfrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\xrlfrlr.exec:\xrlfrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\thntnn.exec:\thntnn.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\1pjvj.exec:\1pjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\7pvdp.exec:\7pvdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\rfxxlfr.exec:\rfxxlfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\lflffff.exec:\lflffff.exe17⤵
- Executes dropped EXE
PID:2980 -
\??\c:\llxxfll.exec:\llxxfll.exe18⤵
- Executes dropped EXE
PID:1304 -
\??\c:\hhhntb.exec:\hhhntb.exe19⤵
- Executes dropped EXE
PID:528 -
\??\c:\jvvjd.exec:\jvvjd.exe20⤵
- Executes dropped EXE
PID:2112 -
\??\c:\pvjvj.exec:\pvjvj.exe21⤵
- Executes dropped EXE
PID:740 -
\??\c:\ffrrllf.exec:\ffrrllf.exe22⤵
- Executes dropped EXE
PID:272 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe23⤵
- Executes dropped EXE
PID:948 -
\??\c:\lxllrxx.exec:\lxllrxx.exe24⤵
- Executes dropped EXE
PID:1984 -
\??\c:\xlrlxxx.exec:\xlrlxxx.exe25⤵
- Executes dropped EXE
PID:296 -
\??\c:\nbttbb.exec:\nbttbb.exe26⤵
- Executes dropped EXE
PID:2444 -
\??\c:\vpjvd.exec:\vpjvd.exe27⤵
- Executes dropped EXE
PID:1772 -
\??\c:\vdjdd.exec:\vdjdd.exe28⤵
- Executes dropped EXE
PID:372 -
\??\c:\hhtthh.exec:\hhtthh.exe29⤵
- Executes dropped EXE
PID:3068 -
\??\c:\bnbbnt.exec:\bnbbnt.exe30⤵
- Executes dropped EXE
PID:2340 -
\??\c:\hbtttn.exec:\hbtttn.exe31⤵
- Executes dropped EXE
PID:1008 -
\??\c:\htnnnh.exec:\htnnnh.exe32⤵
- Executes dropped EXE
PID:1652 -
\??\c:\pdddv.exec:\pdddv.exe33⤵
- Executes dropped EXE
PID:1588 -
\??\c:\lxrfrff.exec:\lxrfrff.exe34⤵
- Executes dropped EXE
PID:2204 -
\??\c:\5pjdd.exec:\5pjdd.exe35⤵
- Executes dropped EXE
PID:2192 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe36⤵
- Executes dropped EXE
PID:2164 -
\??\c:\1tnbnb.exec:\1tnbnb.exe37⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tthhhh.exec:\tthhhh.exe38⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rxflfll.exec:\rxflfll.exe39⤵
- Executes dropped EXE
PID:2716 -
\??\c:\lllxrfl.exec:\lllxrfl.exe40⤵
- Executes dropped EXE
PID:2788 -
\??\c:\frlflff.exec:\frlflff.exe41⤵
- Executes dropped EXE
PID:2172 -
\??\c:\rfrfffx.exec:\rfrfffx.exe42⤵
- Executes dropped EXE
PID:2944 -
\??\c:\dvddj.exec:\dvddj.exe43⤵
- Executes dropped EXE
PID:2568 -
\??\c:\7pjjv.exec:\7pjjv.exe44⤵
- Executes dropped EXE
PID:2572 -
\??\c:\tbbnhh.exec:\tbbnhh.exe45⤵
- Executes dropped EXE
PID:2632 -
\??\c:\bhnbbt.exec:\bhnbbt.exe46⤵
- Executes dropped EXE
PID:1612 -
\??\c:\flxffxx.exec:\flxffxx.exe47⤵
- Executes dropped EXE
PID:2908 -
\??\c:\xfxlrlf.exec:\xfxlrlf.exe48⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xxfrlrl.exec:\xxfrlrl.exe49⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xrxxlrx.exec:\xrxxlrx.exe50⤵
- Executes dropped EXE
PID:1920 -
\??\c:\3vvdp.exec:\3vvdp.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1428 -
\??\c:\ddvvp.exec:\ddvvp.exe52⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jppdv.exec:\jppdv.exe53⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vdjdd.exec:\vdjdd.exe54⤵
- Executes dropped EXE
PID:480 -
\??\c:\bnnbth.exec:\bnnbth.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:264 -
\??\c:\tbhtnt.exec:\tbhtnt.exe56⤵
- Executes dropped EXE
PID:1964 -
\??\c:\fxfxfll.exec:\fxfxfll.exe57⤵
- Executes dropped EXE
PID:3028 -
\??\c:\xflflrf.exec:\xflflrf.exe58⤵
- Executes dropped EXE
PID:2104 -
\??\c:\ppjdp.exec:\ppjdp.exe59⤵
- Executes dropped EXE
PID:2480 -
\??\c:\pppvj.exec:\pppvj.exe60⤵
- Executes dropped EXE
PID:3056 -
\??\c:\7pjvp.exec:\7pjvp.exe61⤵
- Executes dropped EXE
PID:1668 -
\??\c:\hntbbt.exec:\hntbbt.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
\??\c:\9nbnnh.exec:\9nbnnh.exe63⤵
- Executes dropped EXE
PID:1952 -
\??\c:\bttbbt.exec:\bttbbt.exe64⤵
- Executes dropped EXE
PID:1720 -
\??\c:\hbntht.exec:\hbntht.exe65⤵
- Executes dropped EXE
PID:2500 -
\??\c:\7vdjp.exec:\7vdjp.exe66⤵
- System Location Discovery: System Language Discovery
PID:2136 -
\??\c:\dvpjj.exec:\dvpjj.exe67⤵PID:2868
-
\??\c:\vdjdd.exec:\vdjdd.exe68⤵PID:564
-
\??\c:\pjddv.exec:\pjddv.exe69⤵PID:2364
-
\??\c:\dpppj.exec:\dpppj.exe70⤵
- System Location Discovery: System Language Discovery
PID:1976 -
\??\c:\dpdvd.exec:\dpdvd.exe71⤵PID:2956
-
\??\c:\nbbhnt.exec:\nbbhnt.exe72⤵PID:1580
-
\??\c:\hbbbhb.exec:\hbbbhb.exe73⤵PID:2256
-
\??\c:\tnbbtn.exec:\tnbbtn.exe74⤵PID:2332
-
\??\c:\tbbhht.exec:\tbbhht.exe75⤵PID:2648
-
\??\c:\hbthtn.exec:\hbthtn.exe76⤵PID:1636
-
\??\c:\lxfxlff.exec:\lxfxlff.exe77⤵PID:1288
-
\??\c:\rlxrrfl.exec:\rlxrrfl.exe78⤵PID:784
-
\??\c:\ntbttb.exec:\ntbttb.exe79⤵PID:2784
-
\??\c:\frfrxxx.exec:\frfrxxx.exe80⤵PID:2720
-
\??\c:\1xfxxxx.exec:\1xfxxxx.exe81⤵PID:3032
-
\??\c:\fflrxll.exec:\fflrxll.exe82⤵PID:2300
-
\??\c:\fxrflff.exec:\fxrflff.exe83⤵PID:1980
-
\??\c:\xxxxrxl.exec:\xxxxrxl.exe84⤵PID:2588
-
\??\c:\3jpdp.exec:\3jpdp.exe85⤵PID:1900
-
\??\c:\ppvvp.exec:\ppvvp.exe86⤵PID:2572
-
\??\c:\ddjjj.exec:\ddjjj.exe87⤵PID:2600
-
\??\c:\vjvpp.exec:\vjvpp.exe88⤵PID:1660
-
\??\c:\jddpv.exec:\jddpv.exe89⤵PID:1716
-
\??\c:\jvjjv.exec:\jvjjv.exe90⤵PID:1308
-
\??\c:\vvpvj.exec:\vvpvj.exe91⤵PID:2940
-
\??\c:\hnntnt.exec:\hnntnt.exe92⤵PID:1376
-
\??\c:\tbbbnt.exec:\tbbbnt.exe93⤵PID:2044
-
\??\c:\nhttbb.exec:\nhttbb.exe94⤵PID:1428
-
\??\c:\hhhnht.exec:\hhhnht.exe95⤵PID:2380
-
\??\c:\bhbbhh.exec:\bhbbhh.exe96⤵PID:1776
-
\??\c:\xxxxlxr.exec:\xxxxlxr.exe97⤵PID:1556
-
\??\c:\rrxlfrx.exec:\rrxlfrx.exe98⤵PID:1460
-
\??\c:\5xxxfxl.exec:\5xxxfxl.exe99⤵PID:540
-
\??\c:\xffflxr.exec:\xffflxr.exe100⤵PID:872
-
\??\c:\jjjdv.exec:\jjjdv.exe101⤵PID:2416
-
\??\c:\ntntht.exec:\ntntht.exe102⤵PID:2104
-
\??\c:\btbbbb.exec:\btbbbb.exe103⤵PID:272
-
\??\c:\jvjdv.exec:\jvjdv.exe104⤵PID:1664
-
\??\c:\jjdjp.exec:\jjdjp.exe105⤵PID:2180
-
\??\c:\jvjvd.exec:\jvjvd.exe106⤵PID:1680
-
\??\c:\rxxxffr.exec:\rxxxffr.exe107⤵PID:1564
-
\??\c:\lrxffxr.exec:\lrxffxr.exe108⤵PID:2896
-
\??\c:\ntthtb.exec:\ntthtb.exe109⤵PID:2076
-
\??\c:\bhttbb.exec:\bhttbb.exe110⤵PID:372
-
\??\c:\hnbhhh.exec:\hnbhhh.exe111⤵PID:2932
-
\??\c:\3tthnn.exec:\3tthnn.exe112⤵PID:292
-
\??\c:\hhnhhh.exec:\hhnhhh.exe113⤵PID:1008
-
\??\c:\dvdvv.exec:\dvdvv.exe114⤵PID:2272
-
\??\c:\dvddd.exec:\dvddd.exe115⤵PID:1120
-
\??\c:\pvjvv.exec:\pvjvv.exe116⤵PID:2236
-
\??\c:\jvjpd.exec:\jvjpd.exe117⤵PID:2184
-
\??\c:\dpjpd.exec:\dpjpd.exe118⤵PID:2332
-
\??\c:\pjjdj.exec:\pjjdj.exe119⤵PID:2432
-
\??\c:\dpppv.exec:\dpppv.exe120⤵PID:2424
-
\??\c:\ppvjp.exec:\ppvjp.exe121⤵PID:2224
-
\??\c:\jjvjd.exec:\jjvjd.exe122⤵PID:2692