Analysis
-
max time kernel
120s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
02/12/2024, 12:53
Behavioral task
behavioral1
Sample
c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe
Resource
win7-20240903-en
9 signatures
120 seconds
General
-
Target
c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe
-
Size
3.7MB
-
MD5
0471825561814a2acc015825ab2e3f70
-
SHA1
3bfeae5057bb1675b973b2cedf00107fec01aede
-
SHA256
c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caa
-
SHA512
8078cd0d3c22bfdde2076614ed87f89a7fad208ad21c2c29afb7088c87ba3825a69ee82c471f952dfff60d71faad1a580de5319c22c87b2a5c8e3d2578a6d67b
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98/:U6XLq/qPPslzKx/dJg1ErmNy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2432-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2404-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1900-22-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1900-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2180-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2108-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2236-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/804-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2612-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-91-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2592-107-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2456-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2528-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-122-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1616-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1616-137-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/340-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1636-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1636-153-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/1628-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2772-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1292-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2776-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1316-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/692-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1756-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2204-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2204-296-0x00000000773E0000-0x00000000774FF000-memory.dmp family_blackmoon behavioral1/memory/1900-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2268-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2640-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2396-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1820-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1624-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/960-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1688-543-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1364-574-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2196-638-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2396-651-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2704-702-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2516-724-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/296-794-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1772-803-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1772-801-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/112-810-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/844-842-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2156-854-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1488-860-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2224-876-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2612-933-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2612-931-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2624-946-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1732-995-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2944-1087-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1612-1254-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2404 nttbht.exe 1900 020622.exe 2180 pvjvv.exe 2108 46242.exe 2236 hhhhbb.exe 804 82864.exe 2648 tttnhb.exe 2612 xfrllrr.exe 2588 62806.exe 2696 02642.exe 2592 4662208.exe 2456 xrxlrlf.exe 2528 flrxlrr.exe 1616 0404826.exe 340 rxflrfx.exe 1636 06000.exe 1628 046840.exe 2748 vvdpv.exe 348 8226028.exe 2788 8046426.exe 2772 fllxlll.exe 2900 jpjdv.exe 1624 4084248.exe 1472 48284.exe 1292 068466.exe 2776 424062.exe 1316 042020.exe 692 hnbhbb.exe 864 nnhtbh.exe 1756 84024.exe 648 4446446.exe 880 8606648.exe 2204 ffrxrlf.exe 1540 222024.exe 1768 djpdj.exe 1900 6062408.exe 2268 42288.exe 1948 rxlxlxl.exe 2372 04624.exe 1888 i226464.exe 2640 488242.exe 2396 60024.exe 2328 5nhtbt.exe 2928 88848.exe 2668 4664286.exe 2696 4004202.exe 2736 vvpdp.exe 2476 208644.exe 2576 1llxrlx.exe 2704 880246.exe 2292 4284886.exe 1200 jpvdj.exe 872 jdjdd.exe 2516 26468.exe 1644 xxfxfrl.exe 1820 1dvpj.exe 1044 flxflfl.exe 1760 jjdvd.exe 2852 02082.exe 2804 rrlrflx.exe 2764 3bhtbb.exe 2900 xxflfrf.exe 1624 26402.exe 1960 rllrrrf.exe -
resource yara_rule behavioral1/memory/2432-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000120d6-5.dat upx behavioral1/memory/2404-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2432-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001660e-16.dat upx behavioral1/memory/2404-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000162e4-28.dat upx behavioral1/memory/1900-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2180-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016689-37.dat upx behavioral1/files/0x0007000000016b86-46.dat upx behavioral1/memory/2108-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2236-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/804-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c89-56.dat upx behavioral1/files/0x0007000000016ca0-64.dat upx behavioral1/memory/2648-68-0x00000000002C0000-0x00000000002E7000-memory.dmp upx behavioral1/memory/2648-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016cf0-74.dat upx behavioral1/files/0x0007000000016edc-83.dat upx behavioral1/memory/2612-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000174b4-92.dat upx behavioral1/files/0x00060000000174f8-100.dat upx behavioral1/files/0x0006000000017570-108.dat upx behavioral1/files/0x00060000000175f1-118.dat upx behavioral1/memory/2456-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2528-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000175f7-130.dat upx behavioral1/memory/1616-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d000000018683-140.dat upx 
behavioral1/memory/1616-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1616-136-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000018697-149.dat upx behavioral1/memory/340-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018706-159.dat upx behavioral1/memory/1636-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1636-153-0x0000000000430000-0x0000000000457000-memory.dmp upx behavioral1/memory/1628-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001870c-167.dat upx behavioral1/files/0x000500000001871c-176.dat upx behavioral1/files/0x0005000000018745-185.dat upx behavioral1/files/0x0006000000018be7-192.dat upx behavioral1/files/0x0006000000018d7b-201.dat upx behavioral1/memory/2772-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018d83-209.dat upx behavioral1/files/0x0006000000018fdf-218.dat upx behavioral1/memory/1292-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019056-226.dat upx behavioral1/memory/2776-236-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1316-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/692-254-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001924f-253.dat upx behavioral1/files/0x0005000000019261-262.dat upx behavioral1/files/0x0005000000019237-244.dat upx behavioral1/files/0x0005000000019203-235.dat upx behavioral1/memory/1756-271-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019299-279.dat upx behavioral1/files/0x0005000000019274-270.dat upx behavioral1/files/0x00050000000192a1-287.dat upx behavioral1/memory/2204-294-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1968-298-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2204-296-0x00000000773E0000-0x00000000774FF000-memory.dmp upx behavioral1/memory/1900-323-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2268-324-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 626864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8264242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0286008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6006486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlrlr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u282460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c486846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068826.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 460266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c802064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6600662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4842648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o642402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2432 wrote to memory of 2404 2432 c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe 28 PID 2432 wrote to memory of 2404 2432 c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe 28 PID 2432 wrote to memory of 2404 2432 c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe 28 PID 2432 wrote to memory of 2404 2432 c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe 28 PID 2404 wrote to memory of 1900 2404 nttbht.exe 29 PID 2404 wrote to memory of 1900 2404 nttbht.exe 29 PID 2404 wrote to memory of 1900 2404 nttbht.exe 29 PID 2404 wrote to memory of 1900 2404 nttbht.exe 29 PID 1900 wrote to memory of 2180 1900 020622.exe 30 PID 1900 wrote to memory of 2180 1900 020622.exe 30 PID 1900 wrote to memory of 2180 1900 020622.exe 30 PID 1900 wrote to memory of 2180 1900 020622.exe 30 PID 2180 wrote to memory of 2108 2180 pvjvv.exe 31 PID 2180 wrote to memory of 2108 2180 pvjvv.exe 31 PID 2180 wrote to memory of 2108 2180 pvjvv.exe 31 PID 2180 wrote to memory of 2108 2180 pvjvv.exe 31 PID 2108 wrote to memory of 2236 2108 46242.exe 32 PID 2108 wrote to memory of 2236 2108 46242.exe 32 PID 2108 wrote to memory of 2236 2108 46242.exe 32 PID 2108 wrote to memory of 2236 2108 46242.exe 32 PID 2236 wrote to memory of 804 2236 hhhhbb.exe 33 PID 2236 wrote to memory of 804 2236 hhhhbb.exe 33 PID 2236 wrote to memory of 804 2236 hhhhbb.exe 33 PID 2236 wrote to memory of 804 2236 hhhhbb.exe 33 PID 804 wrote to memory of 2648 804 82864.exe 34 PID 804 wrote to memory of 2648 804 82864.exe 34 PID 804 wrote to memory of 2648 804 82864.exe 34 PID 804 wrote to memory of 2648 804 82864.exe 34 PID 2648 wrote to memory of 2612 2648 tttnhb.exe 35 PID 2648 wrote to memory of 2612 2648 tttnhb.exe 35 PID 2648 wrote to memory of 2612 2648 tttnhb.exe 35 PID 2648 wrote to memory of 2612 2648 tttnhb.exe 35 PID 2612 wrote to memory of 2588 2612 xfrllrr.exe 36 PID 2612 wrote to memory of 2588 
2612 xfrllrr.exe 36 PID 2612 wrote to memory of 2588 2612 xfrllrr.exe 36 PID 2612 wrote to memory of 2588 2612 xfrllrr.exe 36 PID 2588 wrote to memory of 2696 2588 62806.exe 37 PID 2588 wrote to memory of 2696 2588 62806.exe 37 PID 2588 wrote to memory of 2696 2588 62806.exe 37 PID 2588 wrote to memory of 2696 2588 62806.exe 37 PID 2696 wrote to memory of 2592 2696 02642.exe 38 PID 2696 wrote to memory of 2592 2696 02642.exe 38 PID 2696 wrote to memory of 2592 2696 02642.exe 38 PID 2696 wrote to memory of 2592 2696 02642.exe 38 PID 2592 wrote to memory of 2456 2592 4662208.exe 39 PID 2592 wrote to memory of 2456 2592 4662208.exe 39 PID 2592 wrote to memory of 2456 2592 4662208.exe 39 PID 2592 wrote to memory of 2456 2592 4662208.exe 39 PID 2456 wrote to memory of 2528 2456 xrxlrlf.exe 40 PID 2456 wrote to memory of 2528 2456 xrxlrlf.exe 40 PID 2456 wrote to memory of 2528 2456 xrxlrlf.exe 40 PID 2456 wrote to memory of 2528 2456 xrxlrlf.exe 40 PID 2528 wrote to memory of 1616 2528 flrxlrr.exe 41 PID 2528 wrote to memory of 1616 2528 flrxlrr.exe 41 PID 2528 wrote to memory of 1616 2528 flrxlrr.exe 41 PID 2528 wrote to memory of 1616 2528 flrxlrr.exe 41 PID 1616 wrote to memory of 340 1616 0404826.exe 42 PID 1616 wrote to memory of 340 1616 0404826.exe 42 PID 1616 wrote to memory of 340 1616 0404826.exe 42 PID 1616 wrote to memory of 340 1616 0404826.exe 42 PID 340 wrote to memory of 1636 340 rxflrfx.exe 43 PID 340 wrote to memory of 1636 340 rxflrfx.exe 43 PID 340 wrote to memory of 1636 340 rxflrfx.exe 43 PID 340 wrote to memory of 1636 340 rxflrfx.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe"C:\Users\Admin\AppData\Local\Temp\c93912b5901e85e99142fcbf15a2cb596c98c5e61b52ad998f695a99f4075caaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\nttbht.exec:\nttbht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\020622.exec:\020622.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\pvjvv.exec:\pvjvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\46242.exec:\46242.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\hhhhbb.exec:\hhhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\82864.exec:\82864.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\tttnhb.exec:\tttnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\xfrllrr.exec:\xfrllrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\62806.exec:\62806.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\02642.exec:\02642.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\4662208.exec:\4662208.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\xrxlrlf.exec:\xrxlrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\flrxlrr.exec:\flrxlrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\0404826.exec:\0404826.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\rxflrfx.exec:\rxflrfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:340 -
\??\c:\06000.exec:\06000.exe17⤵
- Executes dropped EXE
PID:1636 -
\??\c:\046840.exec:\046840.exe18⤵
- Executes dropped EXE
PID:1628 -
\??\c:\vvdpv.exec:\vvdpv.exe19⤵
- Executes dropped EXE
PID:2748 -
\??\c:\8226028.exec:\8226028.exe20⤵
- Executes dropped EXE
PID:348 -
\??\c:\8046426.exec:\8046426.exe21⤵
- Executes dropped EXE
PID:2788 -
\??\c:\fllxlll.exec:\fllxlll.exe22⤵
- Executes dropped EXE
PID:2772 -
\??\c:\jpjdv.exec:\jpjdv.exe23⤵
- Executes dropped EXE
PID:2900 -
\??\c:\4084248.exec:\4084248.exe24⤵
- Executes dropped EXE
PID:1624 -
\??\c:\48284.exec:\48284.exe25⤵
- Executes dropped EXE
PID:1472 -
\??\c:\068466.exec:\068466.exe26⤵
- Executes dropped EXE
PID:1292 -
\??\c:\424062.exec:\424062.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776 -
\??\c:\042020.exec:\042020.exe28⤵
- Executes dropped EXE
PID:1316 -
\??\c:\hnbhbb.exec:\hnbhbb.exe29⤵
- Executes dropped EXE
PID:692 -
\??\c:\nnhtbh.exec:\nnhtbh.exe30⤵
- Executes dropped EXE
PID:864 -
\??\c:\84024.exec:\84024.exe31⤵
- Executes dropped EXE
PID:1756 -
\??\c:\4446446.exec:\4446446.exe32⤵
- Executes dropped EXE
PID:648 -
\??\c:\8606648.exec:\8606648.exe33⤵
- Executes dropped EXE
PID:880 -
\??\c:\ffrxrlf.exec:\ffrxrlf.exe34⤵
- Executes dropped EXE
PID:2204 -
\??\c:\lxfxxfx.exec:\lxfxxfx.exe35⤵PID:1968
-
\??\c:\222024.exec:\222024.exe36⤵
- Executes dropped EXE
PID:1540 -
\??\c:\djpdj.exec:\djpdj.exe37⤵
- Executes dropped EXE
PID:1768 -
\??\c:\6062408.exec:\6062408.exe38⤵
- Executes dropped EXE
PID:1900 -
\??\c:\42288.exec:\42288.exe39⤵
- Executes dropped EXE
PID:2268 -
\??\c:\rxlxlxl.exec:\rxlxlxl.exe40⤵
- Executes dropped EXE
PID:1948 -
\??\c:\04624.exec:\04624.exe41⤵
- Executes dropped EXE
PID:2372 -
\??\c:\i226464.exec:\i226464.exe42⤵
- Executes dropped EXE
PID:1888 -
\??\c:\488242.exec:\488242.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\60024.exec:\60024.exe44⤵
- Executes dropped EXE
PID:2396 -
\??\c:\5nhtbt.exec:\5nhtbt.exe45⤵
- Executes dropped EXE
PID:2328 -
\??\c:\88848.exec:\88848.exe46⤵
- Executes dropped EXE
PID:2928 -
\??\c:\4664286.exec:\4664286.exe47⤵
- Executes dropped EXE
PID:2668 -
\??\c:\4004202.exec:\4004202.exe48⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vvpdp.exec:\vvpdp.exe49⤵
- Executes dropped EXE
PID:2736 -
\??\c:\208644.exec:\208644.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
\??\c:\1llxrlx.exec:\1llxrlx.exe51⤵
- Executes dropped EXE
PID:2576 -
\??\c:\880246.exec:\880246.exe52⤵
- Executes dropped EXE
PID:2704 -
\??\c:\4284886.exec:\4284886.exe53⤵
- Executes dropped EXE
PID:2292 -
\??\c:\jpvdj.exec:\jpvdj.exe54⤵
- Executes dropped EXE
PID:1200 -
\??\c:\jdjdd.exec:\jdjdd.exe55⤵
- Executes dropped EXE
PID:872 -
\??\c:\26468.exec:\26468.exe56⤵
- Executes dropped EXE
PID:2516 -
\??\c:\xxfxfrl.exec:\xxfxfrl.exe57⤵
- Executes dropped EXE
PID:1644 -
\??\c:\1dvpj.exec:\1dvpj.exe58⤵
- Executes dropped EXE
PID:1820 -
\??\c:\flxflfl.exec:\flxflfl.exe59⤵
- Executes dropped EXE
PID:1044 -
\??\c:\jjdvd.exec:\jjdvd.exe60⤵
- Executes dropped EXE
PID:1760 -
\??\c:\02082.exec:\02082.exe61⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rrlrflx.exec:\rrlrflx.exe62⤵
- Executes dropped EXE
PID:2804 -
\??\c:\3bhtbb.exec:\3bhtbb.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
\??\c:\xxflfrf.exec:\xxflfrf.exe64⤵
- Executes dropped EXE
PID:2900 -
\??\c:\26402.exec:\26402.exe65⤵
- Executes dropped EXE
PID:1624 -
\??\c:\rllrrrf.exec:\rllrrrf.exe66⤵
- Executes dropped EXE
PID:1960 -
\??\c:\1jdjj.exec:\1jdjj.exe67⤵PID:2868
-
\??\c:\666486.exec:\666486.exe68⤵PID:2664
-
\??\c:\hhtbbh.exec:\hhtbbh.exe69⤵PID:960
-
\??\c:\6422200.exec:\6422200.exe70⤵PID:2172
-
\??\c:\djvdj.exec:\djvdj.exe71⤵PID:2956
-
\??\c:\g0846.exec:\g0846.exe72⤵PID:1688
-
\??\c:\2640280.exec:\2640280.exe73⤵PID:2216
-
\??\c:\20246.exec:\20246.exe74⤵PID:684
-
\??\c:\608402.exec:\608402.exe75⤵PID:880
-
\??\c:\llflrrl.exec:\llflrrl.exe76⤵PID:924
-
\??\c:\jjjvj.exec:\jjjvj.exe77⤵PID:2052
-
\??\c:\w44644.exec:\w44644.exe78⤵PID:1364
-
\??\c:\000244.exec:\000244.exe79⤵PID:1968
-
\??\c:\7lflfrf.exec:\7lflfrf.exe80⤵PID:2432
-
\??\c:\c486846.exec:\c486846.exe81⤵
- System Location Discovery: System Language Discovery
PID:1792 -
\??\c:\00884.exec:\00884.exe82⤵PID:2720
-
\??\c:\2646806.exec:\2646806.exe83⤵PID:1980
-
\??\c:\26468.exec:\26468.exe84⤵PID:2280
-
\??\c:\08680.exec:\08680.exe85⤵PID:2368
-
\??\c:\jjjvj.exec:\jjjvj.exe86⤵PID:2344
-
\??\c:\vpvvv.exec:\vpvvv.exe87⤵PID:2676
-
\??\c:\dvvdv.exec:\dvvdv.exe88⤵PID:2196
-
\??\c:\hnhhnh.exec:\hnhhnh.exe89⤵
- System Location Discovery: System Language Discovery
PID:2396 -
\??\c:\vvdpj.exec:\vvdpj.exe90⤵PID:2328
-
\??\c:\66402.exec:\66402.exe91⤵PID:1512
-
\??\c:\pppvj.exec:\pppvj.exe92⤵PID:2692
-
\??\c:\nhnhbt.exec:\nhnhbt.exe93⤵PID:2688
-
\??\c:\688422.exec:\688422.exe94⤵PID:2592
-
\??\c:\246486.exec:\246486.exe95⤵
- System Location Discovery: System Language Discovery
PID:316 -
\??\c:\k60866.exec:\k60866.exe96⤵PID:2532
-
\??\c:\jvpjj.exec:\jvpjj.exe97⤵PID:2704
-
\??\c:\826428.exec:\826428.exe98⤵PID:1776
-
\??\c:\ppjvj.exec:\ppjvj.exe99⤵PID:1200
-
\??\c:\tbhtht.exec:\tbhtht.exe100⤵PID:2760
-
\??\c:\lllxlxf.exec:\lllxlxf.exe101⤵PID:2516
-
\??\c:\e00200.exec:\e00200.exe102⤵PID:1644
-
\??\c:\vjdvj.exec:\vjdvj.exe103⤵PID:2748
-
\??\c:\04408.exec:\04408.exe104⤵PID:2808
-
\??\c:\06426.exec:\06426.exe105⤵PID:2872
-
\??\c:\4422844.exec:\4422844.exe106⤵PID:2848
-
\??\c:\20408.exec:\20408.exe107⤵PID:2804
-
\??\c:\bbnthn.exec:\bbnthn.exe108⤵PID:2772
-
\??\c:\xlxfxff.exec:\xlxfxff.exe109⤵PID:2544
-
\??\c:\rffrfrf.exec:\rffrfrf.exe110⤵PID:1396
-
\??\c:\2026624.exec:\2026624.exe111⤵PID:1292
-
\??\c:\08864.exec:\08864.exe112⤵PID:296
-
\??\c:\rrlxxrr.exec:\rrlxxrr.exe113⤵PID:1772
-
\??\c:\hhhhnh.exec:\hhhhnh.exe114⤵PID:112
-
\??\c:\jjjjp.exec:\jjjjp.exe115⤵PID:1196
-
\??\c:\fxrxxfr.exec:\fxrxxfr.exe116⤵PID:1092
-
\??\c:\hnntnh.exec:\hnntnh.exe117⤵PID:1688
-
\??\c:\pjdjp.exec:\pjdjp.exe118⤵PID:2552
-
\??\c:\pdvvd.exec:\pdvvd.exe119⤵PID:2068
-
\??\c:\86280.exec:\86280.exe120⤵PID:844
-
\??\c:\bhnhht.exec:\bhnhht.exe121⤵
- System Location Discovery: System Language Discovery
PID:2156 -
\??\c:\nbnttn.exec:\nbnttn.exe122⤵PID:1488
-