Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
02-01-2025 03:36
Behavioral task
behavioral1
Sample
b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
General
-
Target
b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe
-
Size
3.7MB
-
MD5
04614e669e761c5b813b07790275bb96
-
SHA1
3bf1ba4f587ff8f26d843a0cf4e09bf1f42e08a8
-
SHA256
b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005
-
SHA512
8474cf8ef7d5a2b979cec500253e3bdacc8c3852b1eb29face54108672365ffad9c6f48603bc4ac8513889608f3da462dd87b2c813392b9b58937fbafe5b016e
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98O:U6XLq/qPPslzKx/dJg1ErmNL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2380-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2540-22-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2540-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2288-32-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2288-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3008-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-53-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2736-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2692-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2624-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1968-116-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1968-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2360-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1816-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1472-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1472-152-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1556-171-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/480-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2932-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1092-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3060-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2792-256-0x00000000005C0000-0x00000000005E7000-memory.dmp family_blackmoon behavioral1/memory/2792-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1780-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1780-276-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/1000-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2428-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2428-308-0x0000000076CD0000-0x0000000076DEF000-memory.dmp family_blackmoon behavioral1/memory/2164-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2408-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1880-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2068-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2068-436-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2000-443-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1068-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1068-451-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2856-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2868-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1360-485-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2896-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2868-498-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2776-637-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2000-709-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1648-851-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2684-923-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1972-965-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1860-971-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2224-1039-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1744-1101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2884-1355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2368 9lrxfrx.exe 2540 xrrlxxf.exe 2288 rlxxrrl.exe 3008 xrxfflr.exe 2708 jpjvd.exe 2736 jjdjv.exe 2824 9thnbb.exe 2692 lrrfrxl.exe 2596 nhtbht.exe 2624 fxrrfrf.exe 1884 ttthhh.exe 1968 hbhnbb.exe 2360 hnnhht.exe 1848 vvpjj.exe 1812 ttbnnb.exe 1472 vdvvj.exe 1816 dpdpp.exe 1556 nnhnhh.exe 2896 rrxlxfr.exe 1732 hnhbbt.exe 480 ddpdp.exe 1416 dvpdp.exe 2932 bttbnt.exe 1092 bnbnnn.exe 1316 1httbb.exe 3060 nnhbht.exe 2792 ddpvj.exe 2568 tbbbnn.exe 1780 5pddp.exe 2328 dvppd.exe 1000 xrlrflr.exe 880 3btttb.exe 2428 nnhnbh.exe 2164 5lxxflr.exe 2408 vvppd.exe 1628 btttbn.exe 2264 tbnnbb.exe 2184 rfrrxfr.exe 2784 pjvdj.exe 2832 ttnbhh.exe 2820 btthbb.exe 2756 ffxxlrf.exe 2680 jdvjp.exe 2620 bnhnth.exe 2632 tnbttt.exe 2996 1xrrffl.exe 2276 pjddj.exe 1668 9jdjp.exe 2024 bbtntb.exe 2000 5flrxlx.exe 1880 jpppv.exe 2068 vppvj.exe 1224 bbbnbh.exe 1068 5fxrxfl.exe 2856 ppdvd.exe 1360 dvvjv.exe 1376 1ththt.exe 2868 rrrxllx.exe 2896 3rlrrrf.exe 1088 9pjpp.exe 480 dvjvp.exe 1724 7hntbh.exe 1576 fxxrlrr.exe 1228 rlxxrfr.exe -
resource yara_rule behavioral1/memory/2380-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000120f9-6.dat upx behavioral1/memory/2380-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2368-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001660e-19.dat upx behavioral1/files/0x0008000000016890-28.dat upx behavioral1/memory/2540-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000162e4-38.dat upx behavioral1/memory/2288-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3008-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2708-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c89-49.dat upx behavioral1/memory/2736-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016ca0-59.dat upx behavioral1/memory/2824-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016cab-68.dat upx behavioral1/files/0x0009000000016d22-77.dat upx behavioral1/memory/2692-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000174b4-88.dat upx behavioral1/files/0x00060000000174f8-95.dat upx behavioral1/files/0x0006000000017570-103.dat upx behavioral1/memory/2624-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1884-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000175f1-112.dat upx behavioral1/memory/1968-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2360-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000175f7-123.dat upx behavioral1/files/0x000d000000018683-132.dat upx behavioral1/files/0x0005000000018697-140.dat upx behavioral1/files/0x0005000000018706-148.dat upx behavioral1/files/0x000500000001870c-158.dat upx 
behavioral1/memory/1816-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001871c-167.dat upx behavioral1/memory/1472-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018745-176.dat upx behavioral1/memory/2896-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018be7-186.dat upx behavioral1/files/0x0006000000018d7b-194.dat upx behavioral1/files/0x0006000000018d83-203.dat upx behavioral1/memory/480-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018fdf-212.dat upx behavioral1/memory/2932-213-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019056-222.dat upx behavioral1/files/0x0005000000019203-231.dat upx behavioral1/memory/1092-233-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3060-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019237-242.dat upx behavioral1/files/0x000500000001924f-252.dat upx behavioral1/memory/3060-251-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019261-262.dat upx behavioral1/memory/2792-261-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019274-271.dat upx behavioral1/memory/1780-273-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001927a-281.dat upx behavioral1/files/0x0005000000019299-290.dat upx behavioral1/memory/1000-291-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000192a1-299.dat upx behavioral1/memory/2428-306-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1532-310-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2428-308-0x0000000076CD0000-0x0000000076DEF000-memory.dmp upx behavioral1/memory/2164-317-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2408-330-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2784-355-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1880-428-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflrrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffxfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxlx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2368 2380 b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe 30 PID 2380 wrote to memory of 2368 2380 b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe 30 PID 2380 wrote to memory of 2368 2380 b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe 30 PID 2380 wrote to memory of 2368 2380 b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe 30 PID 2368 wrote to memory of 2540 2368 9lrxfrx.exe 31 PID 2368 wrote to memory of 2540 2368 9lrxfrx.exe 31 PID 2368 wrote to memory of 2540 2368 9lrxfrx.exe 31 PID 2368 wrote to memory of 2540 2368 9lrxfrx.exe 31 PID 2540 wrote to memory of 2288 2540 xrrlxxf.exe 32 PID 2540 wrote to memory of 2288 2540 xrrlxxf.exe 32 PID 2540 wrote to memory of 2288 2540 xrrlxxf.exe 32 PID 2540 wrote to memory of 2288 2540 xrrlxxf.exe 32 PID 2288 wrote to memory of 3008 2288 rlxxrrl.exe 33 PID 2288 wrote to memory of 3008 2288 rlxxrrl.exe 33 PID 2288 wrote to memory of 3008 2288 rlxxrrl.exe 33 PID 2288 wrote to memory of 3008 2288 rlxxrrl.exe 33 PID 3008 wrote to memory of 2708 3008 xrxfflr.exe 34 PID 3008 wrote to memory of 2708 3008 xrxfflr.exe 34 PID 3008 wrote to memory of 2708 3008 xrxfflr.exe 34 PID 3008 wrote to memory of 2708 3008 xrxfflr.exe 34 PID 2708 wrote to memory of 2736 2708 jpjvd.exe 35 PID 2708 wrote to memory of 2736 2708 jpjvd.exe 35 PID 2708 wrote to memory of 2736 2708 jpjvd.exe 35 PID 2708 wrote to memory of 2736 2708 jpjvd.exe 35 PID 2736 wrote to memory of 2824 2736 jjdjv.exe 36 PID 2736 wrote to memory of 2824 2736 jjdjv.exe 36 PID 2736 wrote to memory of 2824 2736 jjdjv.exe 36 PID 2736 wrote to memory of 2824 2736 jjdjv.exe 36 PID 2824 wrote to memory of 2692 2824 9thnbb.exe 37 PID 2824 wrote to memory of 2692 2824 9thnbb.exe 37 PID 2824 wrote to memory of 2692 2824 9thnbb.exe 37 PID 2824 wrote to memory of 2692 2824 9thnbb.exe 37 PID 2692 wrote to memory of 2596 2692 lrrfrxl.exe 38 PID 
2692 wrote to memory of 2596 2692 lrrfrxl.exe 38 PID 2692 wrote to memory of 2596 2692 lrrfrxl.exe 38 PID 2692 wrote to memory of 2596 2692 lrrfrxl.exe 38 PID 2596 wrote to memory of 2624 2596 nhtbht.exe 39 PID 2596 wrote to memory of 2624 2596 nhtbht.exe 39 PID 2596 wrote to memory of 2624 2596 nhtbht.exe 39 PID 2596 wrote to memory of 2624 2596 nhtbht.exe 39 PID 2624 wrote to memory of 1884 2624 fxrrfrf.exe 40 PID 2624 wrote to memory of 1884 2624 fxrrfrf.exe 40 PID 2624 wrote to memory of 1884 2624 fxrrfrf.exe 40 PID 2624 wrote to memory of 1884 2624 fxrrfrf.exe 40 PID 1884 wrote to memory of 1968 1884 ttthhh.exe 41 PID 1884 wrote to memory of 1968 1884 ttthhh.exe 41 PID 1884 wrote to memory of 1968 1884 ttthhh.exe 41 PID 1884 wrote to memory of 1968 1884 ttthhh.exe 41 PID 1968 wrote to memory of 2360 1968 hbhnbb.exe 42 PID 1968 wrote to memory of 2360 1968 hbhnbb.exe 42 PID 1968 wrote to memory of 2360 1968 hbhnbb.exe 42 PID 1968 wrote to memory of 2360 1968 hbhnbb.exe 42 PID 2360 wrote to memory of 1848 2360 hnnhht.exe 43 PID 2360 wrote to memory of 1848 2360 hnnhht.exe 43 PID 2360 wrote to memory of 1848 2360 hnnhht.exe 43 PID 2360 wrote to memory of 1848 2360 hnnhht.exe 43 PID 1848 wrote to memory of 1812 1848 vvpjj.exe 44 PID 1848 wrote to memory of 1812 1848 vvpjj.exe 44 PID 1848 wrote to memory of 1812 1848 vvpjj.exe 44 PID 1848 wrote to memory of 1812 1848 vvpjj.exe 44 PID 1812 wrote to memory of 1472 1812 ttbnnb.exe 45 PID 1812 wrote to memory of 1472 1812 ttbnnb.exe 45 PID 1812 wrote to memory of 1472 1812 ttbnnb.exe 45 PID 1812 wrote to memory of 1472 1812 ttbnnb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe"C:\Users\Admin\AppData\Local\Temp\b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\9lrxfrx.exec:\9lrxfrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\xrrlxxf.exec:\xrrlxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\rlxxrrl.exec:\rlxxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\xrxfflr.exec:\xrxfflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\jpjvd.exec:\jpjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\jjdjv.exec:\jjdjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\9thnbb.exec:\9thnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\lrrfrxl.exec:\lrrfrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\nhtbht.exec:\nhtbht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\fxrrfrf.exec:\fxrrfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\ttthhh.exec:\ttthhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\hbhnbb.exec:\hbhnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\hnnhht.exec:\hnnhht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\vvpjj.exec:\vvpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\ttbnnb.exec:\ttbnnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\vdvvj.exec:\vdvvj.exe17⤵
- Executes dropped EXE
PID:1472 -
\??\c:\dpdpp.exec:\dpdpp.exe18⤵
- Executes dropped EXE
PID:1816 -
\??\c:\nnhnhh.exec:\nnhnhh.exe19⤵
- Executes dropped EXE
PID:1556 -
\??\c:\rrxlxfr.exec:\rrxlxfr.exe20⤵
- Executes dropped EXE
PID:2896 -
\??\c:\hnhbbt.exec:\hnhbbt.exe21⤵
- Executes dropped EXE
PID:1732 -
\??\c:\ddpdp.exec:\ddpdp.exe22⤵
- Executes dropped EXE
PID:480 -
\??\c:\dvpdp.exec:\dvpdp.exe23⤵
- Executes dropped EXE
PID:1416 -
\??\c:\bttbnt.exec:\bttbnt.exe24⤵
- Executes dropped EXE
PID:2932 -
\??\c:\bnbnnn.exec:\bnbnnn.exe25⤵
- Executes dropped EXE
PID:1092 -
\??\c:\1httbb.exec:\1httbb.exe26⤵
- Executes dropped EXE
PID:1316 -
\??\c:\nnhbht.exec:\nnhbht.exe27⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ddpvj.exec:\ddpvj.exe28⤵
- Executes dropped EXE
PID:2792 -
\??\c:\tbbbnn.exec:\tbbbnn.exe29⤵
- Executes dropped EXE
PID:2568 -
\??\c:\5pddp.exec:\5pddp.exe30⤵
- Executes dropped EXE
PID:1780 -
\??\c:\dvppd.exec:\dvppd.exe31⤵
- Executes dropped EXE
PID:2328 -
\??\c:\xrlrflr.exec:\xrlrflr.exe32⤵
- Executes dropped EXE
PID:1000 -
\??\c:\3btttb.exec:\3btttb.exe33⤵
- Executes dropped EXE
PID:880 -
\??\c:\nnhnbh.exec:\nnhnbh.exe34⤵
- Executes dropped EXE
PID:2428 -
\??\c:\nhtthn.exec:\nhtthn.exe35⤵PID:1532
-
\??\c:\5lxxflr.exec:\5lxxflr.exe36⤵
- Executes dropped EXE
PID:2164 -
\??\c:\vvppd.exec:\vvppd.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\btttbn.exec:\btttbn.exe38⤵
- Executes dropped EXE
PID:1628 -
\??\c:\tbnnbb.exec:\tbnnbb.exe39⤵
- Executes dropped EXE
PID:2264 -
\??\c:\rfrrxfr.exec:\rfrrxfr.exe40⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pjvdj.exec:\pjvdj.exe41⤵
- Executes dropped EXE
PID:2784 -
\??\c:\ttnbhh.exec:\ttnbhh.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
\??\c:\btthbb.exec:\btthbb.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ffxxlrf.exec:\ffxxlrf.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
\??\c:\jdvjp.exec:\jdvjp.exe45⤵
- Executes dropped EXE
PID:2680 -
\??\c:\bnhnth.exec:\bnhnth.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\tnbttt.exec:\tnbttt.exe47⤵
- Executes dropped EXE
PID:2632 -
\??\c:\1xrrffl.exec:\1xrrffl.exe48⤵
- Executes dropped EXE
PID:2996 -
\??\c:\pjddj.exec:\pjddj.exe49⤵
- Executes dropped EXE
PID:2276 -
\??\c:\9jdjp.exec:\9jdjp.exe50⤵
- Executes dropped EXE
PID:1668 -
\??\c:\bbtntb.exec:\bbtntb.exe51⤵
- Executes dropped EXE
PID:2024 -
\??\c:\5flrxlx.exec:\5flrxlx.exe52⤵
- Executes dropped EXE
PID:2000 -
\??\c:\jpppv.exec:\jpppv.exe53⤵
- Executes dropped EXE
PID:1880 -
\??\c:\vppvj.exec:\vppvj.exe54⤵
- Executes dropped EXE
PID:2068 -
\??\c:\bbbnbh.exec:\bbbnbh.exe55⤵
- Executes dropped EXE
PID:1224 -
\??\c:\5fxrxfl.exec:\5fxrxfl.exe56⤵
- Executes dropped EXE
PID:1068 -
\??\c:\ppdvd.exec:\ppdvd.exe57⤵
- Executes dropped EXE
PID:2856 -
\??\c:\dvvjv.exec:\dvvjv.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
\??\c:\1ththt.exec:\1ththt.exe59⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rrrxllx.exec:\rrrxllx.exe60⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3rlrrrf.exec:\3rlrrrf.exe61⤵
- Executes dropped EXE
PID:2896 -
\??\c:\9pjpp.exec:\9pjpp.exe62⤵
- Executes dropped EXE
PID:1088 -
\??\c:\dvjvp.exec:\dvjvp.exe63⤵
- Executes dropped EXE
PID:480 -
\??\c:\7hntbh.exec:\7hntbh.exe64⤵
- Executes dropped EXE
PID:1724 -
\??\c:\fxxrlrr.exec:\fxxrlrr.exe65⤵
- Executes dropped EXE
PID:1576 -
\??\c:\rlxxrfr.exec:\rlxxrfr.exe66⤵
- Executes dropped EXE
PID:1228 -
\??\c:\ppjdp.exec:\ppjdp.exe67⤵PID:1304
-
\??\c:\bhbhbh.exec:\bhbhbh.exe68⤵PID:536
-
\??\c:\nbbtht.exec:\nbbtht.exe69⤵PID:1516
-
\??\c:\rfflxff.exec:\rfflxff.exe70⤵PID:1716
-
\??\c:\ppvpd.exec:\ppvpd.exe71⤵PID:1660
-
\??\c:\bbntbb.exec:\bbntbb.exe72⤵PID:1692
-
\??\c:\ntnhht.exec:\ntnhht.exe73⤵PID:2160
-
\??\c:\7lfrrfr.exec:\7lfrrfr.exe74⤵PID:1780
-
\??\c:\jjvvj.exec:\jjvvj.exe75⤵PID:828
-
\??\c:\dvjjj.exec:\dvjjj.exe76⤵PID:852
-
\??\c:\5nhnth.exec:\5nhnth.exe77⤵PID:1824
-
\??\c:\hbbnbh.exec:\hbbnbh.exe78⤵PID:2472
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe79⤵PID:1536
-
\??\c:\vvpvj.exec:\vvpvj.exe80⤵PID:2148
-
\??\c:\djjdj.exec:\djjdj.exe81⤵PID:2664
-
\??\c:\nhnhbb.exec:\nhnhbb.exe82⤵PID:1892
-
\??\c:\bbthnn.exec:\bbthnn.exe83⤵PID:112
-
\??\c:\fxxllff.exec:\fxxllff.exe84⤵PID:2456
-
\??\c:\1vjvd.exec:\1vjvd.exe85⤵
- System Location Discovery: System Language Discovery
PID:2776 -
\??\c:\vvpjp.exec:\vvpjp.exe86⤵PID:2788
-
\??\c:\7bhnth.exec:\7bhnth.exe87⤵PID:2704
-
\??\c:\hbthnt.exec:\hbthnt.exe88⤵PID:2840
-
\??\c:\xxfxxrf.exec:\xxfxxrf.exe89⤵PID:2604
-
\??\c:\7vjjj.exec:\7vjjj.exe90⤵PID:2752
-
\??\c:\vpdpj.exec:\vpdpj.exe91⤵PID:2716
-
\??\c:\bntbht.exec:\bntbht.exe92⤵
- System Location Discovery: System Language Discovery
PID:2644 -
\??\c:\bthhbn.exec:\bthhbn.exe93⤵PID:2996
-
\??\c:\rllxxrx.exec:\rllxxrx.exe94⤵PID:2276
-
\??\c:\9xrrrrx.exec:\9xrrrrx.exe95⤵
- System Location Discovery: System Language Discovery
PID:1624 -
\??\c:\lflrflr.exec:\lflrflr.exe96⤵PID:2024
-
\??\c:\ddvjv.exec:\ddvjv.exe97⤵PID:2000
-
\??\c:\vpdjv.exec:\vpdjv.exe98⤵
- System Location Discovery: System Language Discovery
PID:1880 -
\??\c:\7bntbn.exec:\7bntbn.exe99⤵PID:2068
-
\??\c:\tthhnb.exec:\tthhnb.exe100⤵PID:1404
-
\??\c:\llflxrr.exec:\llflxrr.exe101⤵PID:1080
-
\??\c:\vvpvv.exec:\vvpvv.exe102⤵PID:1684
-
\??\c:\pjdjj.exec:\pjdjj.exe103⤵PID:376
-
\??\c:\3hbbbh.exec:\3hbbbh.exe104⤵PID:2880
-
\??\c:\rrlxrrf.exec:\rrlxrrf.exe105⤵PID:1588
-
\??\c:\llfrflr.exec:\llfrflr.exe106⤵PID:2180
-
\??\c:\djdvj.exec:\djdvj.exe107⤵PID:1732
-
\??\c:\hbthth.exec:\hbthth.exe108⤵PID:2300
-
\??\c:\hnbnhb.exec:\hnbnhb.exe109⤵PID:908
-
\??\c:\xxlxrfx.exec:\xxlxrfx.exe110⤵PID:1632
-
\??\c:\dvpjp.exec:\dvpjp.exe111⤵PID:2932
-
\??\c:\3vppp.exec:\3vppp.exe112⤵PID:2564
-
\??\c:\nhnnbn.exec:\nhnnbn.exe113⤵PID:1572
-
\??\c:\lflrllx.exec:\lflrllx.exe114⤵PID:1548
-
\??\c:\jjpjv.exec:\jjpjv.exe115⤵PID:1112
-
\??\c:\5dvvd.exec:\5dvvd.exe116⤵PID:1648
-
\??\c:\ttthbn.exec:\ttthbn.exe117⤵PID:564
-
\??\c:\tnntbn.exec:\tnntbn.exe118⤵PID:2424
-
\??\c:\xllxxll.exec:\xllxxll.exe119⤵PID:3052
-
\??\c:\ddjdv.exec:\ddjdv.exe120⤵PID:1608
-
\??\c:\ddvdp.exec:\ddvdp.exe121⤵PID:616
-
\??\c:\3nhhbh.exec:\3nhhbh.exe122⤵PID:888
-