Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
04-12-2024 18:17
Behavioral task
behavioral1
Sample
ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
General
-
Target
ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe
-
Size
3.7MB
-
MD5
42bb15c291efb67575c921348bdc442f
-
SHA1
c31d54b949677456e34f1a17161019dffd08546a
-
SHA256
ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54
-
SHA512
5bd269f0706b783b809e41d2621d871372da67a3f1726770255f47b236d5c2ef407171d1b06dae828cc83e5497718357c8e97eeb2597817806c47146d6d33468
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF985:U6XLq/qPPslzKx/dJg1ErmNy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral1/memory/1204-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1888-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2492-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2492-24-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2540-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2732-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2760-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2636-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1448-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-105-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/2896-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-119-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/764-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3012-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/832-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/592-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2424-191-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2424-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/448-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2188-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2204-230-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1608-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2508-253-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2232-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2236-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1892-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2928-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/476-411-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/3008-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/476-439-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2220-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/900-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/408-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/912-494-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1596-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2264-554-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1584-580-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1884-588-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1584-587-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3028-632-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-659-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3012-712-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/236-749-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2872-880-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-918-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2672-931-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2680-938-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2488-1050-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2600-1057-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2236-1107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1120-1121-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1528-1134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1888 bthhbb.exe 2492 4046462.exe 2540 82840.exe 2864 vvjjv.exe 2732 btnbnt.exe 2756 k66840.exe 2648 40840.exe 2760 2202024.exe 2636 864062.exe 1448 bnntbh.exe 2892 264646.exe 2896 bhhnht.exe 764 26804.exe 2916 20622.exe 3012 7djvj.exe 2436 42822.exe 592 664246.exe 832 xxrrxxf.exe 2424 vpdjd.exe 2396 2008424.exe 2092 3xrxxfl.exe 448 e606406.exe 2188 q08062.exe 2204 nhtthh.exe 1608 k20644.exe 2508 06624.exe 2272 fxrrffr.exe 1976 g8064.exe 2236 7xllxrx.exe 2232 bbthnh.exe 1728 6000008.exe 1636 4862880.exe 1892 htnbnb.exe 2476 thbtbh.exe 2492 tnnnbh.exe 2928 dvpjp.exe 2920 42640.exe 2840 rfxlrlr.exe 2172 6080662.exe 2756 xrrrxfx.exe 2216 042284.exe 2676 htbtbt.exe 2672 1lxxxfx.exe 2680 7htntt.exe 2664 rlxxlrl.exe 2368 2084602.exe 3036 jdjdp.exe 476 7nnnbh.exe 3008 pjpdj.exe 2948 lfxxffr.exe 2356 xrrfxlr.exe 2692 nhthnh.exe 2000 llffrrx.exe 2220 nhbbtt.exe 2128 rlflrxx.exe 1640 3nhtbh.exe 1236 9nhnbn.exe 588 5xflrxx.exe 900 g4284.exe 408 hthnnn.exe 912 7bhnhn.exe 2600 080022.exe 2188 xxrxrrl.exe 1596 862282.exe -
resource yara_rule behavioral1/memory/1204-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120f9-5.dat upx behavioral1/memory/1888-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1204-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1888-13-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000900000001707f-17.dat upx behavioral1/memory/1888-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2492-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2540-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000174b4-30.dat upx behavioral1/files/0x0009000000016df8-38.dat upx behavioral1/files/0x0007000000017570-46.dat upx behavioral1/memory/2732-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000175f1-55.dat upx behavioral1/memory/2756-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000175f7-64.dat upx behavioral1/files/0x000f000000018683-74.dat upx behavioral1/memory/2648-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2760-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2636-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000018697-83.dat upx behavioral1/files/0x0005000000019274-90.dat upx behavioral1/memory/1448-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001927a-101.dat upx behavioral1/memory/1448-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2896-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019299-112.dat upx behavioral1/memory/2892-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000192a1-122.dat upx 
behavioral1/memory/2896-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/764-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019354-130.dat upx behavioral1/files/0x0005000000019358-140.dat upx behavioral1/memory/3012-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001938e-151.dat upx behavioral1/files/0x000500000001939f-159.dat upx behavioral1/files/0x00050000000193cc-171.dat upx behavioral1/memory/832-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193d0-179.dat upx behavioral1/memory/832-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/592-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193dc-186.dat upx behavioral1/memory/2424-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193f9-198.dat upx behavioral1/memory/448-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019426-209.dat upx behavioral1/memory/2092-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019428-217.dat upx behavioral1/memory/2188-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194ad-227.dat upx behavioral1/files/0x00050000000194c3-235.dat upx behavioral1/files/0x00050000000194d5-245.dat upx behavioral1/memory/1608-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194e1-254.dat upx behavioral1/files/0x0005000000019502-263.dat upx behavioral1/files/0x0005000000019508-272.dat upx behavioral1/memory/2232-283-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019510-282.dat upx behavioral1/memory/2236-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019520-290.dat upx behavioral1/files/0x000500000001952b-298.dat upx 
behavioral1/memory/1976-302-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1892-314-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2928-327-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u246228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8246668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2264886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86062.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6240846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0828026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8684624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
a2480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o200228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6208468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2088462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 288268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlffll.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1204 wrote to memory of 1888 1204 ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe 30 PID 1204 wrote to memory of 1888 1204 ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe 30 PID 1204 wrote to memory of 1888 1204 ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe 30 PID 1204 wrote to memory of 1888 1204 ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe 30 PID 1888 wrote to memory of 2492 1888 bthhbb.exe 31 PID 1888 wrote to memory of 2492 1888 bthhbb.exe 31 PID 1888 wrote to memory of 2492 1888 bthhbb.exe 31 PID 1888 wrote to memory of 2492 1888 bthhbb.exe 31 PID 2492 wrote to memory of 2540 2492 4046462.exe 32 PID 2492 wrote to memory of 2540 2492 4046462.exe 32 PID 2492 wrote to memory of 2540 2492 4046462.exe 32 PID 2492 wrote to memory of 2540 2492 4046462.exe 32 PID 2540 wrote to memory of 2864 2540 82840.exe 33 PID 2540 wrote to memory of 2864 2540 82840.exe 33 PID 2540 wrote to memory of 2864 2540 82840.exe 33 PID 2540 wrote to memory of 2864 2540 82840.exe 33 PID 2864 wrote to memory of 2732 2864 vvjjv.exe 34 PID 2864 wrote to memory of 2732 2864 vvjjv.exe 34 PID 2864 wrote to memory of 2732 2864 vvjjv.exe 34 PID 2864 wrote to memory of 2732 2864 vvjjv.exe 34 PID 2732 wrote to memory of 2756 2732 btnbnt.exe 35 PID 2732 wrote to memory of 2756 2732 btnbnt.exe 35 PID 2732 wrote to memory of 2756 2732 btnbnt.exe 35 PID 2732 wrote to memory of 2756 2732 btnbnt.exe 35 PID 2756 wrote to memory of 2648 2756 k66840.exe 36 PID 2756 wrote to memory of 2648 2756 k66840.exe 36 PID 2756 wrote to memory of 2648 2756 k66840.exe 36 PID 2756 wrote to memory of 2648 2756 k66840.exe 36 PID 2648 wrote to memory of 2760 2648 40840.exe 37 PID 2648 wrote to memory of 2760 2648 40840.exe 37 PID 2648 wrote to memory of 2760 2648 40840.exe 37 PID 2648 wrote to memory of 2760 2648 40840.exe 37 PID 2760 wrote to memory of 2636 2760 2202024.exe 38 PID 2760 wrote to 
memory of 2636 2760 2202024.exe 38 PID 2760 wrote to memory of 2636 2760 2202024.exe 38 PID 2760 wrote to memory of 2636 2760 2202024.exe 38 PID 2636 wrote to memory of 1448 2636 864062.exe 39 PID 2636 wrote to memory of 1448 2636 864062.exe 39 PID 2636 wrote to memory of 1448 2636 864062.exe 39 PID 2636 wrote to memory of 1448 2636 864062.exe 39 PID 1448 wrote to memory of 2892 1448 bnntbh.exe 40 PID 1448 wrote to memory of 2892 1448 bnntbh.exe 40 PID 1448 wrote to memory of 2892 1448 bnntbh.exe 40 PID 1448 wrote to memory of 2892 1448 bnntbh.exe 40 PID 2892 wrote to memory of 2896 2892 264646.exe 41 PID 2892 wrote to memory of 2896 2892 264646.exe 41 PID 2892 wrote to memory of 2896 2892 264646.exe 41 PID 2892 wrote to memory of 2896 2892 264646.exe 41 PID 2896 wrote to memory of 764 2896 bhhnht.exe 42 PID 2896 wrote to memory of 764 2896 bhhnht.exe 42 PID 2896 wrote to memory of 764 2896 bhhnht.exe 42 PID 2896 wrote to memory of 764 2896 bhhnht.exe 42 PID 764 wrote to memory of 2916 764 26804.exe 43 PID 764 wrote to memory of 2916 764 26804.exe 43 PID 764 wrote to memory of 2916 764 26804.exe 43 PID 764 wrote to memory of 2916 764 26804.exe 43 PID 2916 wrote to memory of 3012 2916 20622.exe 44 PID 2916 wrote to memory of 3012 2916 20622.exe 44 PID 2916 wrote to memory of 3012 2916 20622.exe 44 PID 2916 wrote to memory of 3012 2916 20622.exe 44 PID 3012 wrote to memory of 2436 3012 7djvj.exe 45 PID 3012 wrote to memory of 2436 3012 7djvj.exe 45 PID 3012 wrote to memory of 2436 3012 7djvj.exe 45 PID 3012 wrote to memory of 2436 3012 7djvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe"C:\Users\Admin\AppData\Local\Temp\ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\bthhbb.exec:\bthhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\4046462.exec:\4046462.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\82840.exec:\82840.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\vvjjv.exec:\vvjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\btnbnt.exec:\btnbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\k66840.exec:\k66840.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\40840.exec:\40840.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\2202024.exec:\2202024.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\864062.exec:\864062.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\bnntbh.exec:\bnntbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\264646.exec:\264646.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\bhhnht.exec:\bhhnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\26804.exec:\26804.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\20622.exec:\20622.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\7djvj.exec:\7djvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\42822.exec:\42822.exe17⤵
- Executes dropped EXE
PID:2436 -
\??\c:\664246.exec:\664246.exe18⤵
- Executes dropped EXE
PID:592 -
\??\c:\xxrrxxf.exec:\xxrrxxf.exe19⤵
- Executes dropped EXE
PID:832 -
\??\c:\vpdjd.exec:\vpdjd.exe20⤵
- Executes dropped EXE
PID:2424 -
\??\c:\2008424.exec:\2008424.exe21⤵
- Executes dropped EXE
PID:2396 -
\??\c:\3xrxxfl.exec:\3xrxxfl.exe22⤵
- Executes dropped EXE
PID:2092 -
\??\c:\e606406.exec:\e606406.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\q08062.exec:\q08062.exe24⤵
- Executes dropped EXE
PID:2188 -
\??\c:\nhtthh.exec:\nhtthh.exe25⤵
- Executes dropped EXE
PID:2204 -
\??\c:\k20644.exec:\k20644.exe26⤵
- Executes dropped EXE
PID:1608 -
\??\c:\06624.exec:\06624.exe27⤵
- Executes dropped EXE
PID:2508 -
\??\c:\fxrrffr.exec:\fxrrffr.exe28⤵
- Executes dropped EXE
PID:2272 -
\??\c:\g8064.exec:\g8064.exe29⤵
- Executes dropped EXE
PID:1976 -
\??\c:\7xllxrx.exec:\7xllxrx.exe30⤵
- Executes dropped EXE
PID:2236 -
\??\c:\bbthnh.exec:\bbthnh.exe31⤵
- Executes dropped EXE
PID:2232 -
\??\c:\6000008.exec:\6000008.exe32⤵
- Executes dropped EXE
PID:1728 -
\??\c:\4862880.exec:\4862880.exe33⤵
- Executes dropped EXE
PID:1636 -
\??\c:\htnbnb.exec:\htnbnb.exe34⤵
- Executes dropped EXE
PID:1892 -
\??\c:\thbtbh.exec:\thbtbh.exe35⤵
- Executes dropped EXE
PID:2476 -
\??\c:\tnnnbh.exec:\tnnnbh.exe36⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dvpjp.exec:\dvpjp.exe37⤵
- Executes dropped EXE
PID:2928 -
\??\c:\42640.exec:\42640.exe38⤵
- Executes dropped EXE
PID:2920 -
\??\c:\rfxlrlr.exec:\rfxlrlr.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\6080662.exec:\6080662.exe40⤵
- Executes dropped EXE
PID:2172 -
\??\c:\xrrrxfx.exec:\xrrrxfx.exe41⤵
- Executes dropped EXE
PID:2756 -
\??\c:\042284.exec:\042284.exe42⤵
- Executes dropped EXE
PID:2216 -
\??\c:\htbtbt.exec:\htbtbt.exe43⤵
- Executes dropped EXE
PID:2676 -
\??\c:\1lxxxfx.exec:\1lxxxfx.exe44⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7htntt.exec:\7htntt.exe45⤵
- Executes dropped EXE
PID:2680 -
\??\c:\rlxxlrl.exec:\rlxxlrl.exe46⤵
- Executes dropped EXE
PID:2664 -
\??\c:\2084602.exec:\2084602.exe47⤵
- Executes dropped EXE
PID:2368 -
\??\c:\jdjdp.exec:\jdjdp.exe48⤵
- Executes dropped EXE
PID:3036 -
\??\c:\7nnnbh.exec:\7nnnbh.exe49⤵
- Executes dropped EXE
PID:476 -
\??\c:\pjpdj.exec:\pjpdj.exe50⤵
- Executes dropped EXE
PID:3008 -
\??\c:\lfxxffr.exec:\lfxxffr.exe51⤵
- Executes dropped EXE
PID:2948 -
\??\c:\xrrfxlr.exec:\xrrfxlr.exe52⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nhthnh.exec:\nhthnh.exe53⤵
- Executes dropped EXE
PID:2692 -
\??\c:\llffrrx.exec:\llffrrx.exe54⤵
- Executes dropped EXE
PID:2000 -
\??\c:\nhbbtt.exec:\nhbbtt.exe55⤵
- Executes dropped EXE
PID:2220 -
\??\c:\rlflrxx.exec:\rlflrxx.exe56⤵
- Executes dropped EXE
PID:2128 -
\??\c:\3nhtbh.exec:\3nhtbh.exe57⤵
- Executes dropped EXE
PID:1640 -
\??\c:\9nhnbn.exec:\9nhnbn.exe58⤵
- Executes dropped EXE
PID:1236 -
\??\c:\5xflrxx.exec:\5xflrxx.exe59⤵
- Executes dropped EXE
PID:588 -
\??\c:\g4284.exec:\g4284.exe60⤵
- Executes dropped EXE
PID:900 -
\??\c:\hthnnn.exec:\hthnnn.exe61⤵
- Executes dropped EXE
PID:408 -
\??\c:\7bhnhn.exec:\7bhnhn.exe62⤵
- Executes dropped EXE
PID:912 -
\??\c:\080022.exec:\080022.exe63⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xxrxrrl.exec:\xxrxrrl.exe64⤵
- Executes dropped EXE
PID:2188 -
\??\c:\862282.exec:\862282.exe65⤵
- Executes dropped EXE
PID:1596 -
\??\c:\1dvjj.exec:\1dvjj.exe66⤵PID:1464
-
\??\c:\w20228.exec:\w20228.exe67⤵PID:468
-
\??\c:\bthhnt.exec:\bthhnt.exe68⤵PID:1736
-
\??\c:\486622.exec:\486622.exe69⤵PID:2888
-
\??\c:\6422406.exec:\6422406.exe70⤵PID:2564
-
\??\c:\3djjd.exec:\3djjd.exe71⤵PID:2264
-
\??\c:\3htbhn.exec:\3htbhn.exe72⤵PID:1000
-
\??\c:\k46288.exec:\k46288.exe73⤵PID:2040
-
\??\c:\828462.exec:\828462.exe74⤵PID:2232
-
\??\c:\jdvvd.exec:\jdvvd.exe75⤵PID:1524
-
\??\c:\826622.exec:\826622.exe76⤵PID:1584
-
\??\c:\5jdpv.exec:\5jdpv.exe77⤵PID:1884
-
\??\c:\8266848.exec:\8266848.exe78⤵PID:2932
-
\??\c:\nnhnhn.exec:\nnhnhn.exe79⤵PID:2868
-
\??\c:\2680686.exec:\2680686.exe80⤵PID:2876
-
\??\c:\g2446.exec:\g2446.exe81⤵PID:2728
-
\??\c:\a0288.exec:\a0288.exe82⤵PID:2844
-
\??\c:\ppvdd.exec:\ppvdd.exe83⤵PID:2836
-
\??\c:\w86288.exec:\w86288.exe84⤵PID:3028
-
\??\c:\dvjvd.exec:\dvjvd.exe85⤵PID:2668
-
\??\c:\666688.exec:\666688.exe86⤵PID:2624
-
\??\c:\hbhhnt.exec:\hbhhnt.exe87⤵PID:2676
-
\??\c:\8684284.exec:\8684284.exe88⤵PID:2252
-
\??\c:\bthhtn.exec:\bthhtn.exe89⤵PID:1356
-
\??\c:\hthtnt.exec:\hthtnt.exe90⤵PID:1716
-
\??\c:\rfxxlrx.exec:\rfxxlrx.exe91⤵PID:2320
-
\??\c:\5vppv.exec:\5vppv.exe92⤵PID:2952
-
\??\c:\w68884.exec:\w68884.exe93⤵PID:2608
-
\??\c:\86608.exec:\86608.exe94⤵PID:3004
-
\??\c:\w86464.exec:\w86464.exe95⤵PID:2988
-
\??\c:\822402.exec:\822402.exe96⤵PID:3012
-
\??\c:\ddjjv.exec:\ddjjv.exe97⤵PID:2436
-
\??\c:\1fxfflr.exec:\1fxfflr.exe98⤵PID:1420
-
\??\c:\824060.exec:\824060.exe99⤵PID:2220
-
\??\c:\vvpjj.exec:\vvpjj.exe100⤵PID:2128
-
\??\c:\60402.exec:\60402.exe101⤵PID:236
-
\??\c:\a0624.exec:\a0624.exe102⤵PID:2088
-
\??\c:\vvdvj.exec:\vvdvj.exe103⤵
- System Location Discovery: System Language Discovery
PID:588 -
\??\c:\266244.exec:\266244.exe104⤵PID:1072
-
\??\c:\u466884.exec:\u466884.exe105⤵PID:2580
-
\??\c:\864468.exec:\864468.exe106⤵PID:824
-
\??\c:\xxlfrxf.exec:\xxlfrxf.exe107⤵PID:592
-
\??\c:\lfxxlxf.exec:\lfxxlxf.exe108⤵PID:1540
-
\??\c:\860284.exec:\860284.exe109⤵PID:2376
-
\??\c:\frrxflr.exec:\frrxflr.exe110⤵PID:2400
-
\??\c:\4824668.exec:\4824668.exe111⤵PID:656
-
\??\c:\m2628.exec:\m2628.exe112⤵PID:2240
-
\??\c:\lrrrflx.exec:\lrrrflx.exe113⤵PID:2096
-
\??\c:\rfffrxl.exec:\rfffrxl.exe114⤵PID:2440
-
\??\c:\42440.exec:\42440.exe115⤵PID:2588
-
\??\c:\lfrrxfx.exec:\lfrrxfx.exe116⤵PID:1980
-
\??\c:\jdppv.exec:\jdppv.exe117⤵PID:2060
-
\??\c:\ppdpp.exec:\ppdpp.exe118⤵PID:2124
-
\??\c:\jjjjd.exec:\jjjjd.exe119⤵PID:1928
-
\??\c:\6022446.exec:\6022446.exe120⤵PID:2524
-
\??\c:\4266284.exec:\4266284.exe121⤵PID:2708
-
\??\c:\w48406.exec:\w48406.exe122⤵PID:3056