Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 03:23

Behavioral task: behavioral1
Sample: ae2c769cd1db718e8d4cd488d517941b1a8e3a3926d504bcd1841cf946f94dc4.exe
Resource: win7-20241010-en
9 signatures
150 seconds
General
Target: ae2c769cd1db718e8d4cd488d517941b1a8e3a3926d504bcd1841cf946f94dc4.exe
Size: 3.7MB
MD5: ae0fc95b71170c92dc1df2f92664a50f
SHA1: 3cfe597bf7564404a7a67c987cd1d70416d6a4c4
SHA256: ae2c769cd1db718e8d4cd488d517941b1a8e3a3926d504bcd1841cf946f94dc4
SHA512: 02cad3cd87ce608c941149542bff752e99030c33f032278e91c43ee013d0fd1ea36f3a96e1a4d6860378d9cc6e2f7eadc41b1a09a5ad87751ec4d8b4d29ab40f
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF981:U6XLq/qPPslzKx/dJg1ErmNo
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload 51 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2372-9-0x0000000000400000-0x0000000000427000-memory.dmp     family_blackmoon
  behavioral1/memory/2184-17-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2356-27-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/1440-37-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2144-46-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2756-58-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2844-56-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2756-66-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2740-69-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2740-76-0x0000000000220000-0x0000000000247000-memory.dmp    family_blackmoon
  behavioral1/memory/2684-85-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2672-88-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/784-113-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2940-123-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1824-134-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1824-128-0x0000000000220000-0x0000000000247000-memory.dmp   family_blackmoon
  behavioral1/memory/1976-142-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/540-159-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2264-185-0x00000000001B0000-0x00000000001D7000-memory.dmp   family_blackmoon
  behavioral1/memory/1892-194-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1216-197-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1260-214-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1668-226-0x00000000001B0000-0x00000000001D7000-memory.dmp   family_blackmoon
  behavioral1/memory/352-235-0x0000000000220000-0x0000000000247000-memory.dmp    family_blackmoon
  behavioral1/memory/1548-249-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1792-258-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/988-278-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/496-287-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2920-290-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1576-307-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/2328-314-0x0000000000220000-0x0000000000247000-memory.dmp   family_blackmoon
  behavioral1/memory/2356-328-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1440-335-0x00000000001B0000-0x00000000001D7000-memory.dmp   family_blackmoon
  behavioral1/memory/1440-336-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/864-439-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2708-452-0x00000000001B0000-0x00000000001D7000-memory.dmp   family_blackmoon
  behavioral1/memory/2996-466-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/2044-479-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/2596-492-0x00000000003A0000-0x00000000003C7000-memory.dmp   family_blackmoon
  behavioral1/memory/1684-513-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1012-521-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/1012-520-0x00000000001B0000-0x00000000001D7000-memory.dmp   family_blackmoon
  behavioral1/memory/1000-567-0x0000000000400000-0x0000000000427000-memory.dmp   family_blackmoon
  behavioral1/memory/584-601-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/536-608-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2636-679-0x0000000000220000-0x0000000000247000-memory.dmp   family_blackmoon
  behavioral1/memory/1132-715-0x0000000000220000-0x0000000000247000-memory.dmp   family_blackmoon
  behavioral1/memory/1628-833-0x0000000000220000-0x0000000000247000-memory.dmp   family_blackmoon
  behavioral1/memory/2776-940-0x0000000000220000-0x0000000000247000-memory.dmp   family_blackmoon
  behavioral1/memory/264-984-0x0000000000400000-0x0000000000427000-memory.dmp    family_blackmoon
  behavioral1/memory/2000-1040-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
- Njrat family
- Executes dropped EXE 64 IoCs
  pid   Process
  2184  82026.exe
  2356  2808804.exe
  1440  4262860.exe
  2144  5xxxlxr.exe
  2844  frxrlfr.exe
  2756  464008.exe
  2740  s6448.exe
  2684  82048.exe
  2672  tntnnt.exe
  2688  268280.exe
  784   3bbbhh.exe
  2940  04828.exe
  1824  660604.exe
  1976  6080802.exe
  2936  thbthh.exe
  540   lllrlxr.exe
  1988  822846.exe
  2996  hhhtnb.exe
  2264  bhtbbt.exe
  1892  666460.exe
  1216  02604.exe
  680   68646.exe
  1260  20068.exe
  1668  6226682.exe
  352   tttbtb.exe
  1548  vvddp.exe
  1792  jjvvv.exe
  1956  80206.exe
  988   bhnbhh.exe
  496   062462.exe
  2920  jdjpd.exe
  1576  dvpvj.exe
  2328  flflrxl.exe
  348   jdjpv.exe
  2356  xflllxf.exe
  1440  jdpvd.exe
  2852  6462666.exe
  2772  600624.exe
  2912  lrlflrr.exe
  2236  5nhnbh.exe
  1752  o202068.exe
  2804  26462.exe
  2660  dpdvv.exe
  1368  htbbhh.exe
  628   2642602.exe
  1044  tnnbnt.exe
  1356  rxrxfll.exe
  2116  lxlxxrr.exe
  2952  60400.exe
  1984  0840482.exe
  2876  s8828.exe
  864   2064646.exe
  2016  7htnbb.exe
  2708  jjpvj.exe
  2988  hhnbnn.exe
  2996  4228468.exe
  2596  tbtbtt.exe
  2044  vppdp.exe
  380   ttthbh.exe
  832   dppdj.exe
  1592  62288.exe
  760   nbnbnb.exe
  1684  jjpdv.exe
  1012  20028.exe
-
  resource                                                                      yara_rule
  behavioral1/memory/2372-0-0x0000000000400000-0x0000000000427000-memory.dmp     upx
  behavioral1/files/0x000b000000012268-5.dat                                    upx
  behavioral1/memory/2372-9-0x0000000000400000-0x0000000000427000-memory.dmp     upx
  behavioral1/files/0x0006000000019490-18.dat                                   upx
  behavioral1/memory/2184-17-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x000700000001949d-28.dat                                   upx
  behavioral1/memory/2356-27-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/memory/1440-37-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x0008000000019429-36.dat                                   upx
  behavioral1/files/0x00060000000194d0-47.dat                                   upx
  behavioral1/memory/2144-46-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/memory/2756-58-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x00060000000194da-57.dat                                   upx
  behavioral1/memory/2844-56-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/memory/2844-51-0x0000000000220000-0x0000000000247000-memory.dmp    upx
  behavioral1/files/0x00060000000194e4-67.dat                                   upx
  behavioral1/memory/2756-66-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/memory/2740-69-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x00070000000194e6-77.dat                                   upx
  behavioral1/memory/2684-85-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x0007000000019551-87.dat                                   upx
  behavioral1/memory/2672-88-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/memory/2688-96-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x000500000001a495-95.dat                                   upx
  behavioral1/files/0x000500000001a4a5-105.dat                                  upx
  behavioral1/files/0x000500000001a4ab-114.dat                                  upx
  behavioral1/memory/784-113-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/memory/2940-123-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/files/0x000500000001a4ad-124.dat                                  upx
  behavioral1/memory/1824-134-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/files/0x000500000001a4af-133.dat                                  upx
  behavioral1/memory/1824-128-0x0000000000220000-0x0000000000247000-memory.dmp   upx
  behavioral1/memory/1976-142-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/files/0x000500000001a4b1-143.dat                                  upx
  behavioral1/files/0x000500000001a4b3-150.dat                                  upx
  behavioral1/files/0x000500000001a4b5-160.dat                                  upx
  behavioral1/memory/540-159-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x000500000001a4b7-168.dat                                  upx
  behavioral1/memory/2996-172-0x0000000000220000-0x0000000000247000-memory.dmp   upx
  behavioral1/files/0x000500000001a4b9-177.dat                                  upx
  behavioral1/files/0x000500000001a4bb-186.dat                                  upx
  behavioral1/memory/2264-185-0x00000000001B0000-0x00000000001D7000-memory.dmp   upx
  behavioral1/files/0x000500000001a4bd-195.dat                                  upx
  behavioral1/memory/1892-194-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/memory/1216-197-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/files/0x000500000001a4bf-204.dat                                  upx
  behavioral1/files/0x000500000001a4c1-212.dat                                  upx
  behavioral1/memory/1260-214-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/memory/1260-217-0x0000000000220000-0x0000000000247000-memory.dmp   upx
  behavioral1/files/0x000500000001a4c3-222.dat                                  upx
  behavioral1/files/0x000500000001a4c5-231.dat                                  upx
  behavioral1/files/0x000500000001a4c7-240.dat                                  upx
  behavioral1/memory/352-235-0x0000000000220000-0x0000000000247000-memory.dmp    upx
  behavioral1/memory/1548-244-0x0000000000220000-0x0000000000247000-memory.dmp   upx
  behavioral1/files/0x000500000001a4c9-250.dat                                  upx
  behavioral1/memory/1548-249-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/files/0x000500000001a4cb-261.dat                                  upx
  behavioral1/memory/1792-258-0x0000000000400000-0x0000000000427000-memory.dmp   upx
  behavioral1/files/0x000500000001a4cd-270.dat                                  upx
  behavioral1/memory/988-269-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x000500000001a4cf-279.dat                                  upx
  behavioral1/memory/988-278-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/memory/496-287-0x0000000000400000-0x0000000000427000-memory.dmp    upx
  behavioral1/files/0x000500000001a4d1-288.dat                                  upx
- System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  All 64 entries share the same description and ioc: "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The Process column, in report order, is:
  08202.exe, 0826226.exe, jdppj.exe, 6084866.exe, 5ddjd.exe, bntbhh.exe, bbnntn.exe, 9jjvp.exe, 646484.exe, 2244244.exe, ntthht.exe, 3thnnb.exe, bbnttt.exe, pvjdj.exe, 846642.exe, lfrlrfl.exe, nhbbth.exe, 648400.exe, frlffff.exe, 4804020.exe, 660828.exe, 8860422.exe, btnntb.exe, nbbhnh.exe, tnhtht.exe, 8060648.exe, dppdj.exe, nbnbnb.exe, 620202.exe, g6642.exe, tbtnth.exe, 04228.exe, 0840482.exe, vvjvj.exe, 2084884.exe, Process not Found, rrlxlfr.exe, 2824640.exe, djjpd.exe, 624608.exe, Process not Found, 4228468.exe, 200206.exe, 8202028.exe, 42880.exe, nhtthb.exe, 3pdpv.exe, 624442.exe, 2422864.exe, 80206.exe, 62288.exe, 06800.exe, tbhhbh.exe, m2202.exe, 8460088.exe, c866642.exe, vjdpd.exe, xxfxfrx.exe, nttnhb.exe, bbnnnh.exe, 9bbbhh.exe, rflrlfr.exe, btbbtb.exe, xxflrxl.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Each row below appears four times in the report (4 × 16 = 64 IoCs).
  description                         pid   Process                                                                   procid_target
  PID 2372 wrote to memory of 2184    2372  ae2c769cd1db718e8d4cd488d517941b1a8e3a3926d504bcd1841cf946f94dc4.exe     31
  PID 2184 wrote to memory of 2356    2184  82026.exe                                                                 32
  PID 2356 wrote to memory of 1440    2356  2808804.exe                                                               33
  PID 1440 wrote to memory of 2144    1440  4262860.exe                                                               34
  PID 2144 wrote to memory of 2844    2144  5xxxlxr.exe                                                               35
  PID 2844 wrote to memory of 2756    2844  frxrlfr.exe                                                               36
  PID 2756 wrote to memory of 2740    2756  464008.exe                                                                37
  PID 2740 wrote to memory of 2684    2740  s6448.exe                                                                 38
  PID 2684 wrote to memory of 2672    2684  82048.exe                                                                 39
  PID 2672 wrote to memory of 2688    2672  tntnnt.exe                                                                40
  PID 2688 wrote to memory of 784     2688  268280.exe                                                                41
  PID 784 wrote to memory of 2940     784   3bbbhh.exe                                                                42
  PID 2940 wrote to memory of 1824    2940  04828.exe                                                                 43
  PID 1824 wrote to memory of 1976    1824  660604.exe                                                                44
  PID 1976 wrote to memory of 2936    1976  6080802.exe                                                               45
  PID 2936 wrote to memory of 540     2936  thbthh.exe                                                                46
Processes
depth  path  (cmd: command line)  PID  [signatures]
  1    C:\Users\Admin\AppData\Local\Temp\ae2c769cd1db718e8d4cd488d517941b1a8e3a3926d504bcd1841cf946f94dc4.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\ae2c769cd1db718e8d4cd488d517941b1a8e3a3926d504bcd1841cf946f94dc4.exe")  PID 2372  [Suspicious use of WriteProcessMemory]
  2    \??\c:\82026.exe  (cmd: c:\82026.exe)  PID 2184  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  3    \??\c:\2808804.exe  (cmd: c:\2808804.exe)  PID 2356  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  4    \??\c:\4262860.exe  (cmd: c:\4262860.exe)  PID 1440  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  5    \??\c:\5xxxlxr.exe  (cmd: c:\5xxxlxr.exe)  PID 2144  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  6    \??\c:\frxrlfr.exe  (cmd: c:\frxrlfr.exe)  PID 2844  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  7    \??\c:\464008.exe  (cmd: c:\464008.exe)  PID 2756  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  8    \??\c:\s6448.exe  (cmd: c:\s6448.exe)  PID 2740  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  9    \??\c:\82048.exe  (cmd: c:\82048.exe)  PID 2684  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  10   \??\c:\tntnnt.exe  (cmd: c:\tntnnt.exe)  PID 2672  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  11   \??\c:\268280.exe  (cmd: c:\268280.exe)  PID 2688  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  12   \??\c:\3bbbhh.exe  (cmd: c:\3bbbhh.exe)  PID 784  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  13   \??\c:\04828.exe  (cmd: c:\04828.exe)  PID 2940  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  14   \??\c:\660604.exe  (cmd: c:\660604.exe)  PID 1824  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  15   \??\c:\6080802.exe  (cmd: c:\6080802.exe)  PID 1976  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  16   \??\c:\thbthh.exe  (cmd: c:\thbthh.exe)  PID 2936  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  17   \??\c:\lllrlxr.exe  (cmd: c:\lllrlxr.exe)  PID 540  [Executes dropped EXE]
  18   \??\c:\822846.exe  (cmd: c:\822846.exe)  PID 1988  [Executes dropped EXE]
  19   \??\c:\hhhtnb.exe  (cmd: c:\hhhtnb.exe)  PID 2996  [Executes dropped EXE]
  20   \??\c:\bhtbbt.exe  (cmd: c:\bhtbbt.exe)  PID 2264  [Executes dropped EXE]
  21   \??\c:\666460.exe  (cmd: c:\666460.exe)  PID 1892  [Executes dropped EXE]
  22   \??\c:\02604.exe  (cmd: c:\02604.exe)  PID 1216  [Executes dropped EXE]
  23   \??\c:\68646.exe  (cmd: c:\68646.exe)  PID 680  [Executes dropped EXE]
  24   \??\c:\20068.exe  (cmd: c:\20068.exe)  PID 1260  [Executes dropped EXE]
  25   \??\c:\6226682.exe  (cmd: c:\6226682.exe)  PID 1668  [Executes dropped EXE]
  26   \??\c:\tttbtb.exe  (cmd: c:\tttbtb.exe)  PID 352  [Executes dropped EXE]
  27   \??\c:\vvddp.exe  (cmd: c:\vvddp.exe)  PID 1548  [Executes dropped EXE]
  28   \??\c:\jjvvv.exe  (cmd: c:\jjvvv.exe)  PID 1792  [Executes dropped EXE]
  29   \??\c:\80206.exe  (cmd: c:\80206.exe)  PID 1956  [Executes dropped EXE; System Location Discovery: System Language Discovery]
  30   \??\c:\bhnbhh.exe  (cmd: c:\bhnbhh.exe)  PID 988  [Executes dropped EXE]
  31   \??\c:\062462.exe  (cmd: c:\062462.exe)  PID 496  [Executes dropped EXE]
  32   \??\c:\jdjpd.exe  (cmd: c:\jdjpd.exe)  PID 2920  [Executes dropped EXE]
  33   \??\c:\dvpvj.exe  (cmd: c:\dvpvj.exe)  PID 1576  [Executes dropped EXE]
  34   \??\c:\flflrxl.exe  (cmd: c:\flflrxl.exe)  PID 2328  [Executes dropped EXE]
  35   \??\c:\jdjpv.exe  (cmd: c:\jdjpv.exe)  PID 348  [Executes dropped EXE]
  36   \??\c:\xflllxf.exe  (cmd: c:\xflllxf.exe)  PID 2356  [Executes dropped EXE]
  37   \??\c:\jdpvd.exe  (cmd: c:\jdpvd.exe)  PID 1440  [Executes dropped EXE]
  38   \??\c:\6462666.exe  (cmd: c:\6462666.exe)  PID 2852  [Executes dropped EXE]
  39   \??\c:\600624.exe  (cmd: c:\600624.exe)  PID 2772  [Executes dropped EXE]
  40   \??\c:\lrlflrr.exe  (cmd: c:\lrlflrr.exe)  PID 2912  [Executes dropped EXE]
  41   \??\c:\5nhnbh.exe  (cmd: c:\5nhnbh.exe)  PID 2236  [Executes dropped EXE]
  42   \??\c:\o202068.exe  (cmd: c:\o202068.exe)  PID 1752  [Executes dropped EXE]
  43   \??\c:\26462.exe  (cmd: c:\26462.exe)  PID 2804  [Executes dropped EXE]
  44   \??\c:\dpdvv.exe  (cmd: c:\dpdvv.exe)  PID 2660  [Executes dropped EXE]
  45   \??\c:\htbbhh.exe  (cmd: c:\htbbhh.exe)  PID 1368  [Executes dropped EXE]
  46   \??\c:\2642602.exe  (cmd: c:\2642602.exe)  PID 628  [Executes dropped EXE]
  47   \??\c:\tnnbnt.exe  (cmd: c:\tnnbnt.exe)  PID 1044  [Executes dropped EXE]
  48   \??\c:\rxrxfll.exe  (cmd: c:\rxrxfll.exe)  PID 1356  [Executes dropped EXE]
  49   \??\c:\lxlxxrr.exe  (cmd: c:\lxlxxrr.exe)  PID 2116  [Executes dropped EXE]
  50   \??\c:\60400.exe  (cmd: c:\60400.exe)  PID 2952  [Executes dropped EXE]
  51   \??\c:\0840482.exe  (cmd: c:\0840482.exe)  PID 1984  [Executes dropped EXE; System Location Discovery: System Language Discovery]
  52   \??\c:\s8828.exe  (cmd: c:\s8828.exe)  PID 2876  [Executes dropped EXE]
  53   \??\c:\2064646.exe  (cmd: c:\2064646.exe)  PID 864  [Executes dropped EXE]
  54   \??\c:\7htnbb.exe  (cmd: c:\7htnbb.exe)  PID 2016  [Executes dropped EXE]
  55   \??\c:\jjpvj.exe  (cmd: c:\jjpvj.exe)  PID 2708  [Executes dropped EXE]
  56   \??\c:\hhnbnn.exe  (cmd: c:\hhnbnn.exe)  PID 2988  [Executes dropped EXE]
  57   \??\c:\4228468.exe  (cmd: c:\4228468.exe)  PID 2996  [Executes dropped EXE; System Location Discovery: System Language Discovery]
  58   \??\c:\tbtbtt.exe  (cmd: c:\tbtbtt.exe)  PID 2596  [Executes dropped EXE]
  59   \??\c:\vppdp.exe  (cmd: c:\vppdp.exe)  PID 2044  [Executes dropped EXE]
  60   \??\c:\ttthbh.exe  (cmd: c:\ttthbh.exe)  PID 380  [Executes dropped EXE]
  61   \??\c:\dppdj.exe  (cmd: c:\dppdj.exe)  PID 832  [Executes dropped EXE; System Location Discovery: System Language Discovery]
  62   \??\c:\62288.exe  (cmd: c:\62288.exe)  PID 1592  [Executes dropped EXE; System Location Discovery: System Language Discovery]
  63   \??\c:\nbnbnb.exe  (cmd: c:\nbnbnb.exe)  PID 760  [Executes dropped EXE; System Location Discovery: System Language Discovery]
  64   \??\c:\jjpdv.exe  (cmd: c:\jjpdv.exe)  PID 1684  [Executes dropped EXE]
  65   \??\c:\20028.exe  (cmd: c:\20028.exe)  PID 1012  [Executes dropped EXE]
  66   \??\c:\g0240.exe  (cmd: c:\g0240.exe)  PID 2152
  67   \??\c:\0240004.exe  (cmd: c:\0240004.exe)  PID 1788
  68   \??\c:\42484.exe  (cmd: c:\42484.exe)  PID 2620
  69   \??\c:\pddjv.exe  (cmd: c:\pddjv.exe)  PID 1628
  70   \??\c:\hhbthb.exe  (cmd: c:\hhbthb.exe)  PID 688
  71   \??\c:\426886.exe  (cmd: c:\426886.exe)  PID 2056
  72   \??\c:\4842028.exe  (cmd: c:\4842028.exe)  PID 1000
  73   \??\c:\hnhtht.exe  (cmd: c:\hnhtht.exe)  PID 2332
  74   \??\c:\fxflxlf.exe  (cmd: c:\fxflxlf.exe)  PID 1604
  75   \??\c:\pjpdp.exe  (cmd: c:\pjpdp.exe)  PID 756
  76   \??\c:\60068.exe  (cmd: c:\60068.exe)  PID 2184
  77   \??\c:\220448.exe  (cmd: c:\220448.exe)  PID 2080
  78   \??\c:\824606.exe  (cmd: c:\824606.exe)  PID 584
  79   \??\c:\pjddj.exe  (cmd: c:\pjddj.exe)  PID 536
  80   \??\c:\1ddjj.exe  (cmd: c:\1ddjj.exe)  PID 2516
  81   \??\c:\804424.exe  (cmd: c:\804424.exe)  PID 2764
  82   \??\c:\s2004.exe  (cmd: c:\s2004.exe)  PID 3024
  83   \??\c:\nhbhnt.exe  (cmd: c:\nhbhnt.exe)  PID 2676
  84   \??\c:\vvdpp.exe  (cmd: c:\vvdpp.exe)  PID 2664
  85   \??\c:\0862888.exe  (cmd: c:\0862888.exe)  PID 2860
  86   \??\c:\664868.exe  (cmd: c:\664868.exe)  PID 2636
  87   \??\c:\tbthhb.exe  (cmd: c:\tbthhb.exe)  PID 2656
  88   \??\c:\pdvpp.exe  (cmd: c:\pdvpp.exe)  PID 2172
  89   \??\c:\xxfxfrx.exe  (cmd: c:\xxfxfrx.exe)  PID 1476  [System Location Discovery: System Language Discovery]
  90   \??\c:\rxfrffl.exe  (cmd: c:\rxfrffl.exe)  PID 628
  91   \??\c:\088824.exe  (cmd: c:\088824.exe)  PID 2728
  92   \??\c:\44428.exe  (cmd: c:\44428.exe)  PID 2088
  93   \??\c:\llxflxf.exe  (cmd: c:\llxflxf.exe)  PID 1960
  94   \??\c:\0084224.exe  (cmd: c:\0084224.exe)  PID 1908
  95   \??\c:\402208.exe  (cmd: c:\402208.exe)  PID 1132
  96   \??\c:\a4084.exe  (cmd: c:\a4084.exe)  PID 2972
  97   \??\c:\6084866.exe  (cmd: c:\6084866.exe)  PID 3000  [System Location Discovery: System Language Discovery]
  98   \??\c:\xxrxllx.exe  (cmd: c:\xxrxllx.exe)  PID 1952
  99   \??\c:\m4428.exe  (cmd: c:\m4428.exe)  PID 2300
  100  \??\c:\0480624.exe  (cmd: c:\0480624.exe)  PID 1904
  101  \??\c:\2268680.exe  (cmd: c:\2268680.exe)  PID 2996
  102  \??\c:\40622.exe  (cmd: c:\40622.exe)  PID 2596
  103  \??\c:\pvvdv.exe  (cmd: c:\pvvdv.exe)  PID 2148
  104  \??\c:\btnbnb.exe  (cmd: c:\btnbnb.exe)  PID 1892
  105  \??\c:\06064.exe  (cmd: c:\06064.exe)  PID 832
  106  \??\c:\w82424.exe  (cmd: c:\w82424.exe)  PID 1620
  107  \??\c:\280606.exe  (cmd: c:\280606.exe)  PID 1868
  108  \??\c:\48200.exe  (cmd: c:\48200.exe)  PID 1704
  109  \??\c:\882462.exe  (cmd: c:\882462.exe)  PID 944
  110  \??\c:\2808642.exe  (cmd: c:\2808642.exe)  PID 1388
  111  \??\c:\0664602.exe  (cmd: c:\0664602.exe)  PID 2408
  112  \??\c:\nhhhtb.exe  (cmd: c:\nhhhtb.exe)  PID 1788
  113  \??\c:\9httbn.exe  (cmd: c:\9httbn.exe)  PID 2620
  114  \??\c:\62680.exe  (cmd: c:\62680.exe)  PID 1628
  115  \??\c:\nnhbtn.exe  (cmd: c:\nnhbtn.exe)  PID 572
  116  \??\c:\tbhnbn.exe  (cmd: c:\tbhnbn.exe)  PID 2056
  117  \??\c:\48248.exe  (cmd: c:\48248.exe)  PID 1000
  118  \??\c:\nntbnn.exe  (cmd: c:\nntbnn.exe)  PID 1888
  119  \??\c:\824684.exe  (cmd: c:\824684.exe)  PID 872
  120  \??\c:\nnnbhn.exe  (cmd: c:\nnnbhn.exe)  PID 2296
  121  \??\c:\vpjvv.exe  (cmd: c:\vpjvv.exe)  PID 2616
  122  \??\c:\66002.exe  (cmd: c:\66002.exe)  PID 348