Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 08:29
Behavioral task: behavioral1
Sample: 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe
Resource: win7-20240903-en (windows7-x64)
9 signatures, 120 seconds
General
Target: 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe
Size: 3.7MB
MD5: e03763091b6d1399381027a081994736
SHA1: 04b4cdf7141cdd3c287fa601d58eeabf81cf4582
SHA256: 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400
SHA512: bbd7207889c3a0c4fb4f0143dc51101e3a92d1fe26ed858f6b763d3ec6902ff709ef01ba805114fd9ed55c13984c12bab38e04b8c41dc1fdb26ba2403bec08ca
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98H:U6XLq/qPPslzKx/dJg1ErmNi
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 51 IoCs
resource  yara_rule
behavioral1/memory/2684-0-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1308-18-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1820-34-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2732-55-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2336-51-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2844-69-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2772-87-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2676-97-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2176-107-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/664-117-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1316-136-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1220-164-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2940-173-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2164-191-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/908-200-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/3008-209-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1500-218-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1320-244-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2432-235-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/912-261-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2516-288-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2536-314-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2740-340-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2796-360-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/3052-368-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2600-375-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2888-413-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/268-432-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1988-514-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/292-528-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2536-596-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2760-621-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2732-628-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2388-685-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1340-705-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1340-712-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/692-769-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/576-887-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1716-927-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2564-953-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/836-970-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2688-983-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2952-992-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2240-1060-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1708-1105-0x0000000001F40000-0x0000000001F67000-memory.dmp  family_blackmoon
behavioral1/memory/344-1153-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2616-1201-0x00000000003C0000-0x00000000003E7000-memory.dmp  family_blackmoon
behavioral1/memory/2176-1223-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1388-1254-0x00000000001B0000-0x00000000001D7000-memory.dmp  family_blackmoon
behavioral1/memory/652-1336-0x00000000001B0000-0x00000000001D7000-memory.dmp  family_blackmoon
behavioral1/memory/2992-1353-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
Njrat family
Executes dropped EXE 64 IoCs
pid  Process
1308  vppdj.exe
1768  djppd.exe
1820  vdpvv.exe
2340  rlxfllx.exe
2336  djpjp.exe
2732  vjjdj.exe
2844  xrrfxlx.exe
2344  rxxxrfx.exe
2772  jdjvv.exe
2676  pdvpv.exe
2176  1bthtb.exe
664  tbhnth.exe
1388  ttnbnh.exe
1316  xxxxfrl.exe
2668  lfxrrfr.exe
1268  bthhnt.exe
2000  bttbtb.exe
1220  pjvvj.exe
2940  ffrrrrf.exe
2268  9xlfxrx.exe
2164  3fxxxrf.exe
908  tbhnnh.exe
3008  tbbnnt.exe
1500  frllllr.exe
2240  3nnbhb.exe
2432  ttnbhh.exe
1320  bbttth.exe
564  rrrllll.exe
912  fxxxxfx.exe
1120  btntht.exe
3016  tthbnb.exe
2516  fxxxfrx.exe
1584  bthbbb.exe
2072  5lfxlrx.exe
2536  fxlffxx.exe
2396  jpvdv.exe
1032  3jpdp.exe
2096  dpjdd.exe
2740  bhhnnb.exe
2988  nhhthh.exe
2708  bhtnbn.exe
2796  lfrrrrl.exe
3052  rfxrxrr.exe
2600  xrrxxxr.exe
2596  djddv.exe
3064  1jdjv.exe
2216  ddvjj.exe
844  hhbhtb.exe
1816  tthbnn.exe
2888  xxlrrxx.exe
2156  lfxflxr.exe
852  rfxflff.exe
1880  llrrxrx.exe
268  5xxxrfx.exe
2788  xrrrrfr.exe
2912  dvvjv.exe
1440  7dvvd.exe
2188  ppjjj.exe
2196  tnhntn.exe
1904  llffxfl.exe
2916  3xxlfrl.exe
1804  ddpdp.exe
692  dvvdd.exe
1744  nnbhtb.exe
UPX yara rule hits 64 IoCs
resource  yara_rule
behavioral1/memory/2684-0-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1308-8-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0007000000012117-7.dat  upx
behavioral1/files/0x0008000000015fc4-16.dat  upx
behavioral1/memory/1308-18-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0008000000016031-26.dat  upx
behavioral1/files/0x0008000000015daa-35.dat  upx
behavioral1/memory/1820-34-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000800000001620e-42.dat  upx
behavioral1/memory/2336-43-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000700000001650a-53.dat  upx
behavioral1/memory/2732-55-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0007000000016593-61.dat  upx
behavioral1/memory/2336-51-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00070000000167dc-71.dat  upx
behavioral1/memory/2844-69-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2772-79-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0008000000016c3d-78.dat  upx
behavioral1/files/0x0007000000016d50-88.dat  upx
behavioral1/memory/2772-87-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2676-89-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000016d9f-98.dat  upx
behavioral1/memory/2176-100-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2676-97-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000016dad-110.dat  upx
behavioral1/memory/664-109-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2176-107-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000016dc8-118.dat  upx
behavioral1/memory/664-117-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000016e74-127.dat  upx
behavioral1/memory/1316-136-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000016f9c-137.dat  upx
behavioral1/files/0x000600000001739a-147.dat  upx
behavioral1/files/0x000600000001739c-154.dat  upx
behavioral1/files/0x00060000000173aa-162.dat  upx
behavioral1/memory/1220-164-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2940-173-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00060000000173e4-172.dat  upx
behavioral1/files/0x0006000000017403-190.dat  upx
behavioral1/memory/2164-191-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00060000000173fb-181.dat  upx
behavioral1/memory/908-200-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/3008-209-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000017409-199.dat  upx
behavioral1/files/0x000600000001747b-208.dat  upx
behavioral1/memory/1500-218-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000600000001752f-234.dat  upx
behavioral1/memory/1320-244-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0009000000018678-252.dat  upx
behavioral1/memory/2432-235-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x001500000001866d-243.dat  upx
behavioral1/files/0x000600000001748f-217.dat  upx
behavioral1/files/0x00060000000174ac-226.dat  upx
behavioral1/files/0x0005000000018690-260.dat  upx
behavioral1/memory/912-261-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00060000000190cd-269.dat  upx
behavioral1/files/0x00060000000190d6-279.dat  upx
behavioral1/memory/3016-278-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2516-288-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00050000000191f3-287.dat  upx
behavioral1/memory/2536-314-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2740-333-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2740-340-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2708-347-0x0000000000400000-0x0000000000427000-memory.dmp  upx
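Every memory hit in the Blackmoon and UPX lists above is a dump of a region exactly 0x27000 bytes long, usually at the image base 0x400000 and occasionally at another base (0x220000, 0x1B0000, 0x3C0000, 0x1F40000), and several dumps are flagged by both rules. The Python below is an added example, not part of the sandbox's own tooling: it parses hit rows in the format used on this page, checks the region sizes, groups them by rule and base, and reports dumps that matched more than one rule. The six sample rows are copied from this report; the function and variable names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the report's yara hit rows (copied from the lists
# above, same format). A real run would feed the complete lists.
SAMPLE_HITS = """
behavioral1/memory/2684-0-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2388-685-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon
behavioral1/memory/1708-1105-0x0000000001F40000-0x0000000001F67000-memory.dmp family_blackmoon
behavioral1/memory/2684-0-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0007000000012117-7.dat upx
behavioral1/memory/2740-340-0x0000000000400000-0x0000000000427000-memory.dmp upx
""".strip().splitlines()

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
MEMORY_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
# <task>/files/<name>.dat <rule>
FILE_RE = re.compile(r"^(?P<task>\w+)/files/(?P<name>\S+)\s+(?P<rule>\S+)$")


def parse_hit(line):
    """Return a dict describing one hit row, or None for anything else."""
    m = MEMORY_RE.match(line.strip())
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory", "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": start, "end": end, "size": end - start, "rule": m["rule"]}
    m = FILE_RE.match(line.strip())
    if m:
        return {"kind": "file", "name": m["name"], "rule": m["rule"]}
    return None


def summarize(lines):
    """Aggregate hit rows: region sizes, (rule, base) counts, multi-rule dumps."""
    hits = [h for h in map(parse_hit, lines) if h]
    mem = [h for h in hits if h["kind"] == "memory"]
    sizes = Counter(h["size"] for h in mem)
    bases = Counter((h["rule"], h["start"]) for h in mem)
    # Key each dump by (pid, seq, start, end) so the same dump hit by two
    # rules is recognised as one region rather than two.
    rules_by_region = defaultdict(set)
    for h in mem:
        rules_by_region[(h["pid"], h["seq"], h["start"], h["end"])].add(h["rule"])
    overlap = sorted(k for k, rules in rules_by_region.items() if len(rules) > 1)
    return {"memory_hits": len(mem), "file_hits": len(hits) - len(mem),
            "sizes": sizes, "bases": bases, "overlap": overlap}


if __name__ == "__main__":
    s = summarize(SAMPLE_HITS)
    print("region sizes:", {hex(k): v for k, v in s["sizes"].items()})
    print("bases by rule:", {f"{r}@{hex(b)}": n for (r, b), n in s["bases"].items()})
    print("dumps matched by more than one rule:", s["overlap"])
```

Because the report only tells you the dump bounds, the size check is the quickest way to confirm that all hits refer to the same mapped image rather than to unrelated allocations; a region that does not come out at 0x27000 bytes would be worth pulling separately.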
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (opened by each of the 64 processes listed below)
rrxxfxl.exe, tbhbbn.exe, xxrflxl.exe, dvpdp.exe, bhnhth.exe, bhbhtt.exe, 3ddvp.exe, htnbnh.exe,
pjvdj.exe, bbbtnb.exe, xrlxlrl.exe, hnnbbh.exe, 5httnt.exe, 7pdpd.exe, jdddp.exe, llllxlx.exe,
nhnbtn.exe, xxxxfrl.exe, vpddv.exe, dvpvd.exe, hhbhtb.exe, nhhthh.exe, rrfxxxr.exe, pvjdj.exe,
jjpdp.exe, jvjvj.exe, ppddp.exe, pdvvd.exe, rxxxxxx.exe, bnthbn.exe, rlxfllx.exe, dvpvv.exe,
nhtbhh.exe, lfxlxlf.exe, dppdj.exe, 7bnbht.exe, vvddd.exe, lflxrfl.exe, pjdvv.exe, pppvp.exe,
ffrxrrl.exe, rrxlrfx.exe, ppjjj.exe, lflfrxr.exe, ttthnh.exe, hbbbnb.exe, jdvjj.exe, xrlrflf.exe,
dvdjv.exe, frxrxxr.exe, ppjpd.exe, jddvj.exe, ttntht.exe, djjpd.exe, xxlrrxx.exe, pjpjp.exe,
rrrlxlf.exe, tthbnb.exe, xfrxllf.exe, tthhbn.exe, ttbnnt.exe, nttttb.exe, hbtbth.exe, hbnnhh.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
The sandbox logs one row per call; each of the 16 parent/child pairs below was recorded four times (4 x 16 = 64 rows).
PID 2684 wrote to memory of 1308  2684  2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe  30
PID 1308 wrote to memory of 1768  1308  vppdj.exe  31
PID 1768 wrote to memory of 1820  1768  djppd.exe  32
PID 1820 wrote to memory of 2340  1820  vdpvv.exe  33
PID 2340 wrote to memory of 2336  2340  rlxfllx.exe  34
PID 2336 wrote to memory of 2732  2336  djpjp.exe  35
PID 2732 wrote to memory of 2844  2732  vjjdj.exe  36
PID 2844 wrote to memory of 2344  2844  xrrfxlx.exe  37
PID 2344 wrote to memory of 2772  2344  rxxxrfx.exe  38
PID 2772 wrote to memory of 2676  2772  jdjvv.exe  39
PID 2676 wrote to memory of 2176  2676  pdvpv.exe  40
PID 2176 wrote to memory of 664  2176  1bthtb.exe  41
PID 664 wrote to memory of 1388  664  tbhnth.exe  42
PID 1388 wrote to memory of 1316  1388  ttnbnh.exe  43
PID 1316 wrote to memory of 2668  1316  xxxxfrl.exe  45
PID 2668 wrote to memory of 1268  2668  lfxrrfr.exe  46
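The rows above record one event per WriteProcessMemory call, so each parent/child pair repeats, and the targets form a single chain in which every dropped executable writes into the next one it spawns. The Python below is an added example, not the sandbox's own code: it deduplicates rows in that format, follows parent-to-child edges from the root PID to recover the spawn chain, and flags executables whose names are built from the limited consonant alphabet used by the dropped files on this page. The sample rows are a constructed subset in the report's format; the name pattern is a heuristic derived from the names listed here, not a published indicator for this family.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the report's WriteProcessMemory rows.
# Duplicate rows are deliberate: the sandbox logs one row per call.
SAMPLE_EVENTS = """
PID 2684 wrote to memory of 1308 2684 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe 30
PID 2684 wrote to memory of 1308 2684 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe 30
PID 1308 wrote to memory of 1768 1308 vppdj.exe 31
PID 1308 wrote to memory of 1768 1308 vppdj.exe 31
PID 1768 wrote to memory of 1820 1768 djppd.exe 32
PID 1820 wrote to memory of 2340 1820 vdpvv.exe 33
PID 2340 wrote to memory of 2336 2340 rlxfllx.exe 34
""".strip().splitlines()

# "PID <src> wrote to memory of <dst> <src> <image> <target_id>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)

# The dropped names on this page use only the consonants b d f h j l n p r t v x,
# four to seven of them, optionally after one leading digit. This alphabet is an
# observation from this report, not a documented property of the family.
GENERATED_NAME_RE = re.compile(r"^\d?[bdfhjlnprtvx]{4,7}\.exe$")


def looks_generated(image):
    """True if an image name fits the throwaway naming pattern seen here."""
    return bool(GENERATED_NAME_RE.match(image.lower()))


def parse_events(lines):
    """Map each unique (src_pid, dst_pid, src_image) edge to its row count."""
    edges = OrderedDict()
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # ignore rows in any other format
        key = (int(m["src"]), int(m["dst"]), m["image"])
        edges[key] = edges.get(key, 0) + 1
    return edges


def spawn_chain(edges, root_pid):
    """Walk src->dst edges from root_pid while the chain stays linear.

    Stops at a fork, at a leaf, or before revisiting a PID: within a single
    run the sandbox reuses PIDs (this report's tree shows 2684 and 2536 twice),
    so a flat PID graph can contain loops that are not real lineage.
    """
    children = {}
    for (src, dst, _image) in edges:
        children.setdefault(src, []).append(dst)
    chain, pid = [root_pid], root_pid
    while len(children.get(pid, [])) == 1 and children[pid][0] not in chain:
        pid = children[pid][0]
        chain.append(pid)
    return chain


def triage(lines, root_pid):
    """Deduplicate, rebuild the chain from root_pid and list generated names on it."""
    edges = parse_events(lines)
    chain = spawn_chain(edges, root_pid)
    images = {src: image for (src, _dst, image) in edges}
    generated = [images[p] for p in chain if p in images and looks_generated(images[p])]
    return {"raw_rows": sum(edges.values()), "unique_edges": len(edges),
            "chain": chain, "generated_names": generated}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, 2684)
    print(f"{result['raw_rows']} rows -> {result['unique_edges']} unique edges")
    print("spawn chain:", " -> ".join(map(str, result["chain"])))
    print("generated-looking images on the chain:", result["generated_names"])
```

Run over the full list above the chain is 17 PIDs long (2684 down to 1268), and every image on it except the original sample matches the name pattern. Keying processes by PID alone is the weak point of this kind of reconstruction: in the process tree below PIDs such as 2684, 2340 and 2732 appear again at depths 80, 84 and 87, so a pipeline that builds lineage from sandbox rows should key on PID plus start time (or the sandbox's own process handle) rather than the PID number.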
Processes
The tree is a single linear chain: the entry at depth n is the child of the entry at depth n-1. The original list here is truncated after depth 122.
depth  image  command line  PID  signatures (E = Executes dropped EXE, W = Suspicious use of WriteProcessMemory, L = System Location Discovery: System Language Discovery)
1  C:\Users\Admin\AppData\Local\Temp\2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe  "C:\Users\Admin\AppData\Local\Temp\2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe"  2684  W
2  \??\c:\vppdj.exe  c:\vppdj.exe  1308  E W
3  \??\c:\djppd.exe  c:\djppd.exe  1768  E W
4  \??\c:\vdpvv.exe  c:\vdpvv.exe  1820  E W
5  \??\c:\rlxfllx.exe  c:\rlxfllx.exe  2340  E L W
6  \??\c:\djpjp.exe  c:\djpjp.exe  2336  E W
7  \??\c:\vjjdj.exe  c:\vjjdj.exe  2732  E W
8  \??\c:\xrrfxlx.exe  c:\xrrfxlx.exe  2844  E W
9  \??\c:\rxxxrfx.exe  c:\rxxxrfx.exe  2344  E W
10  \??\c:\jdjvv.exe  c:\jdjvv.exe  2772  E W
11  \??\c:\pdvpv.exe  c:\pdvpv.exe  2676  E W
12  \??\c:\1bthtb.exe  c:\1bthtb.exe  2176  E W
13  \??\c:\tbhnth.exe  c:\tbhnth.exe  664  E W
14  \??\c:\ttnbnh.exe  c:\ttnbnh.exe  1388  E W
15  \??\c:\xxxxfrl.exe  c:\xxxxfrl.exe  1316  E L W
16  \??\c:\lfxrrfr.exe  c:\lfxrrfr.exe  2668  E W
17  \??\c:\bthhnt.exe  c:\bthhnt.exe  1268  E
18  \??\c:\bttbtb.exe  c:\bttbtb.exe  2000  E
19  \??\c:\pjvvj.exe  c:\pjvvj.exe  1220  E
20  \??\c:\ffrrrrf.exe  c:\ffrrrrf.exe  2940  E
21  \??\c:\9xlfxrx.exe  c:\9xlfxrx.exe  2268  E
22  \??\c:\3fxxxrf.exe  c:\3fxxxrf.exe  2164  E
23  \??\c:\tbhnnh.exe  c:\tbhnnh.exe  908  E
24  \??\c:\tbbnnt.exe  c:\tbbnnt.exe  3008  E
25  \??\c:\frllllr.exe  c:\frllllr.exe  1500  E
26  \??\c:\3nnbhb.exe  c:\3nnbhb.exe  2240  E
27  \??\c:\ttnbhh.exe  c:\ttnbhh.exe  2432  E
28  \??\c:\bbttth.exe  c:\bbttth.exe  1320  E
29  \??\c:\rrrllll.exe  c:\rrrllll.exe  564  E
30  \??\c:\fxxxxfx.exe  c:\fxxxxfx.exe  912  E
31  \??\c:\btntht.exe  c:\btntht.exe  1120  E
32  \??\c:\tthbnb.exe  c:\tthbnb.exe  3016  E L
33  \??\c:\fxxxfrx.exe  c:\fxxxfrx.exe  2516  E
34  \??\c:\bthbbb.exe  c:\bthbbb.exe  1584  E
35  \??\c:\5lfxlrx.exe  c:\5lfxlrx.exe  2072  E
36  \??\c:\fxlffxx.exe  c:\fxlffxx.exe  2536  E
37  \??\c:\jpvdv.exe  c:\jpvdv.exe  2396  E
38  \??\c:\3jpdp.exe  c:\3jpdp.exe  1032  E
39  \??\c:\dpjdd.exe  c:\dpjdd.exe  2096  E
40  \??\c:\bhhnnb.exe  c:\bhhnnb.exe  2740  E
41  \??\c:\nhhthh.exe  c:\nhhthh.exe  2988  E
42  \??\c:\bhtnbn.exe  c:\bhtnbn.exe  2708  E
43  \??\c:\lfrrrrl.exe  c:\lfrrrrl.exe  2796  E
44  \??\c:\rfxrxrr.exe  c:\rfxrxrr.exe  3052  E
45  \??\c:\xrrxxxr.exe  c:\xrrxxxr.exe  2600  E
46  \??\c:\djddv.exe  c:\djddv.exe  2596  E
47  \??\c:\1jdjv.exe  c:\1jdjv.exe  3064  E
48  \??\c:\ddvjj.exe  c:\ddvjj.exe  2216  E
49  \??\c:\hhbhtb.exe  c:\hhbhtb.exe  844  E L
50  \??\c:\tthbnn.exe  c:\tthbnn.exe  1816  E
51  \??\c:\xxlrrxx.exe  c:\xxlrrxx.exe  2888  E L
52  \??\c:\lfxflxr.exe  c:\lfxflxr.exe  2156  E
53  \??\c:\rfxflff.exe  c:\rfxflff.exe  852  E
54  \??\c:\llrrxrx.exe  c:\llrrxrx.exe  1880  E
55  \??\c:\5xxxrfx.exe  c:\5xxxrfx.exe  268  E
56  \??\c:\xrrrrfr.exe  c:\xrrrrfr.exe  2788  E
57  \??\c:\dvvjv.exe  c:\dvvjv.exe  2912  E
58  \??\c:\7dvvd.exe  c:\7dvvd.exe  1440  E
59  \??\c:\ppjjj.exe  c:\ppjjj.exe  2188  E L
60  \??\c:\tnhntn.exe  c:\tnhntn.exe  2196  E
61  \??\c:\llffxfl.exe  c:\llffxfl.exe  1904  E
62  \??\c:\3xxlfrl.exe  c:\3xxlfrl.exe  2916  E
63  \??\c:\ddpdp.exe  c:\ddpdp.exe  1804  E
64  \??\c:\dvvdd.exe  c:\dvvdd.exe  692  E
65  \??\c:\nnbhtb.exe  c:\nnbhtb.exe  1744  E
66  \??\c:\nnbhtb.exe  c:\nnbhtb.exe  2392  (none)
67  \??\c:\7rxrfrx.exe  c:\7rxrfrx.exe  1528  (none)
68  \??\c:\1fxlrrf.exe  c:\1fxlrrf.exe  1988  (none)
69  \??\c:\pvdjv.exe  c:\pvdjv.exe  2260  (none)
70  \??\c:\ppjvv.exe  c:\ppjvv.exe  292  (none)
71  \??\c:\vppjv.exe  c:\vppjv.exe  2440  (none)
72  \??\c:\7bnbht.exe  c:\7bnbht.exe  2948  L
73  \??\c:\bnnhht.exe  c:\bnnhht.exe  1628  (none)
74  \??\c:\nnnbth.exe  c:\nnnbth.exe  1232  (none)
75  \??\c:\rxxxrxr.exe  c:\rxxxrxr.exe  1120  (none)
76  \??\c:\xffrlxl.exe  c:\xffrlxl.exe  3016  (none)
77  \??\c:\rlxrfxl.exe  c:\rlxrfxl.exe  880  (none)
78  \??\c:\frxrxfx.exe  c:\frxrxfx.exe  1696  (none)
79  \??\c:\ppppd.exe  c:\ppppd.exe  2148  (none)
80  \??\c:\dvvpj.exe  c:\dvvpj.exe  2684  (none)
81  \??\c:\pvpjv.exe  c:\pvpjv.exe  2536  (none)
82  \??\c:\bbnbbt.exe  c:\bbnbbt.exe  2104  (none)
83  \??\c:\nthhbh.exe  c:\nthhbh.exe  2692  (none)
84  \??\c:\nnthth.exe  c:\nnthth.exe  2340  (none)
85  \??\c:\rlxxlrf.exe  c:\rlxxlrf.exe  2860  (none)
86  \??\c:\lfflxlf.exe  c:\lfflxlf.exe  2760  (none)
87  \??\c:\vvjpd.exe  c:\vvjpd.exe  2732  (none)
88  \??\c:\3vjdv.exe  c:\3vjdv.exe  2796  (none)
89  \??\c:\ppjpd.exe  c:\ppjpd.exe  1716  L
90  \??\c:\hnnbbh.exe  c:\hnnbbh.exe  2800  L
91  \??\c:\rrlxfrf.exe  c:\rrlxfrf.exe  1836  (none)
92  \??\c:\fxxrrll.exe  c:\fxxrrll.exe  1092  (none)
93  \??\c:\rrllflf.exe  c:\rrllflf.exe  1484  (none)
94  \??\c:\dvjpj.exe  c:\dvjpj.exe  544  (none)
95  \??\c:\dvjjv.exe  c:\dvjjv.exe  2388  (none)
96  \??\c:\7hthtt.exe  c:\7hthtt.exe  836  (none)
97  \??\c:\tnhhnb.exe  c:\tnhhnb.exe  1316  (none)
98  \??\c:\xffrrxf.exe  c:\xffrrxf.exe  1720  (none)
99  \??\c:\vvvdv.exe  c:\vvvdv.exe  1340  (none)
100  \??\c:\vvddd.exe  c:\vvddd.exe  1780  L
101  \??\c:\ppjjp.exe  c:\ppjjp.exe  2000  (none)
102  \??\c:\ppdjv.exe  c:\ppdjv.exe  1220  (none)
103  \??\c:\tttthb.exe  c:\tttthb.exe  2272  (none)
104  \??\c:\bbbtbn.exe  c:\bbbtbn.exe  2188  (none)
105  \??\c:\nnttnb.exe  c:\nnttnb.exe  2196  (none)
106  \??\c:\rxxlxrr.exe  c:\rxxlxrr.exe  1904  (none)
107  \??\c:\xfllrrl.exe  c:\xfllrrl.exe  636  (none)
108  \??\c:\3jjvd.exe  c:\3jjvd.exe  1740  (none)
109  \??\c:\jjvdp.exe  c:\jjvdp.exe  692  (none)
110  \??\c:\bbbnhn.exe  c:\bbbnhn.exe  2448  (none)
111  \??\c:\bhthbh.exe  c:\bhthbh.exe  700  (none)
112  \??\c:\llxlflr.exe  c:\llxlflr.exe  2992  (none)
113  \??\c:\xrxflfx.exe  c:\xrxflfx.exe  1888  (none)
114  \??\c:\xxxlxfl.exe  c:\xxxlxfl.exe  776  (none)
115  \??\c:\jjpdp.exe  c:\jjpdp.exe  1548  L
116  \??\c:\jddpv.exe  c:\jddpv.exe  2228  (none)
117  \??\c:\7hthbn.exe  c:\7hthbn.exe  2460  (none)
118  \??\c:\bhbhtt.exe  c:\bhbhtt.exe  868  L
119  \??\c:\bbthth.exe  c:\bbthth.exe  1492  (none)
120  \??\c:\xxfrxrr.exe  c:\xxfrxrr.exe  3024  (none)
121  \??\c:\fflllrx.exe  c:\fflllrx.exe  2116  (none)
122  \??\c:\vvvdp.exe  c:\vvvdp.exe  1588  (none)