Analysis

  max time kernel:   150s
  max time network:  17s
  platform:          windows7_x64
  resource:          win7-20240729-en
  resource tags:     arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted:         17-11-2024 22:16

Behavioral task: behavioral1

  Sample:    30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe
  Resource:  win7-20240729-en
  Result:    9 signatures, 150 seconds
General

  Target:  30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe
  Size:    1.9MB
  MD5:     739a4cc33f07c69c7a37b5848967ce9b
  SHA1:    a2aab686705709fa39475da23b327a4c919867d9
  SHA256:  30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747
  SHA512:  886d831ef51a8c5709fc818080f6262f71a1fd9ad954704d49812fd7485af6fe7719c2a676203fb2b04385f0d26627edd7ff25449bf40e8e39e55d8d2a39a564
  SSDEEP:  24576:gC8d36kLBXlnB8j7v5Ta+hLLQ20JmXSeWwa1oWJQjk0svTS/PPsbb1hwR4j:gCOfN6X5tLLQTg20ITS/PPs/1kk
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (42 IoCs)

All 42 rows match yara rule family_blackmoon. Resources, in report order (behavioral1/memory/<pid>-<index>-<start>-<end>-memory.dmp):

  528-9-0x0000000000400000-0x0000000000427000
  3024-20-0x0000000000400000-0x0000000000427000
  2104-28-0x0000000000400000-0x0000000000427000
  2972-37-0x0000000000400000-0x0000000000427000
  2220-49-0x0000000000400000-0x0000000000427000
  1976-57-0x0000000000400000-0x0000000000427000
  2996-75-0x0000000000400000-0x0000000000427000
  1668-84-0x0000000000400000-0x0000000000427000
  2528-93-0x0000000000400000-0x0000000000427000
  1380-103-0x0000000000400000-0x0000000000427000
  1380-101-0x00000000003A0000-0x00000000003C7000
  2688-111-0x0000000000400000-0x0000000000427000
  1936-122-0x0000000000400000-0x0000000000427000
  1796-140-0x0000000000400000-0x0000000000427000
  3044-133-0x0000000000220000-0x0000000000247000
  2168-176-0x0000000000400000-0x0000000000427000
  844-173-0x0000000000400000-0x0000000000427000
  2192-193-0x0000000000400000-0x0000000000427000
  756-217-0x0000000000400000-0x0000000000427000
  924-227-0x0000000000400000-0x0000000000427000
  1920-247-0x0000000000400000-0x0000000000427000
  1920-243-0x0000000000220000-0x0000000000247000
  2296-255-0x0000000000400000-0x0000000000427000
  2352-276-0x0000000000400000-0x0000000000427000
  1148-286-0x0000000000400000-0x0000000000427000
  2076-304-0x0000000000400000-0x0000000000427000
  2440-308-0x0000000076CB0000-0x0000000076DAA000
  2440-307-0x0000000076DB0000-0x0000000076ECF000
  1448-316-0x0000000000400000-0x0000000000427000
  1984-329-0x0000000000400000-0x0000000000427000
  2832-342-0x0000000000400000-0x0000000000427000
  2840-349-0x0000000000400000-0x0000000000427000
  2796-369-0x0000000000400000-0x0000000000427000
  2708-376-0x0000000000400000-0x0000000000427000
  2340-419-0x0000000000220000-0x0000000000247000
  2012-456-0x00000000001B0000-0x00000000001D7000
  2532-486-0x0000000000400000-0x0000000000427000
  1160-537-0x0000000000400000-0x0000000000427000
  3000-648-0x0000000000220000-0x0000000000247000
  2056-773-0x0000000000220000-0x0000000000247000
  3044-1000-0x0000000000400000-0x0000000000427000
  1852-1087-0x0000000000400000-0x0000000000427000

Note: all but two of these regions are 0x27000 bytes long, either at the image base 0x400000 or at a low address of the same size. The two PID 2440 regions at 0x76CB0000 and 0x76DB0000 are far larger and lie well away from the image, so verify those by hand before counting them as payload hits.
Njrat family (no IoCs are shown on the page for this signature)

Executes dropped EXE (64 IoCs)

pid and Process, in report order. The listing stops at 64 entries; the process tree below continues past that point with the same pattern.

  3024 5hhnht.exe    2104 jjppp.exe     2972 jjjdj.exe     2220 jpdpv.exe
  1976 pjpdd.exe     3012 rrxlfrf.exe   2996 5btttn.exe    1668 xfrlrlf.exe
  2528 frxrrlx.exe   1380 jdjdv.exe     2688 5rrfxfr.exe   2132 xfxflxr.exe
  1936 jdpdp.exe     3044 bbthht.exe    1796 ttthtn.exe    2304 flrllxf.exe
  1016 vjdvd.exe     844 ffrxrfr.exe    2168 rflflxx.exe   2988 tthnhn.exe
  2192 rlfrffx.exe   2776 flrrlff.exe   756 ppvjj.exe      924 jdvpd.exe
  1076 bthtth.exe    1920 nbthtn.exe    2296 rflxrfx.exe   1868 rfffrrf.exe
  2352 rlfxlrl.exe   764 lrrxllx.exe    1148 httbhh.exe    2076 xxxfxll.exe
  2440 xfrlfrl.exe   1548 xfxrxlr.exe   1984 pdpvj.exe     2964 tbbthh.exe
  2832 xxrfrrf.exe   2840 vjdvv.exe     2848 hbhnbh.exe    2728 rlrlxfl.exe
  2796 dvvdp.exe     2708 3nntnh.exe    1556 rrllflx.exe   1524 jjjdv.exe
  2528 tttnht.exe    1520 lrffrfl.exe   1980 ppvjd.exe     2120 7bhnbb.exe
  2340 xlfxlrr.exe   2280 xxffffx.exe   1948 btttbt.exe    3040 llllxxx.exe
  1592 jjddv.exe     2304 hbnhtn.exe    2012 rxffrlf.exe   2232 vpjdd.exe
  1880 hnntnh.exe    2324 lllrxfx.exe   2148 jjjjp.exe     2532 bbnnhh.exe
  1040 rrrllfl.exe   2084 hnbhbh.exe    580 rlfxflf.exe    2472 jjjdv.exe

Note: PIDs 2528 and 2304 each appear twice (the OS reused them during the run), so a PID on its own does not identify a process in this report.
Yara rule upx (64 IoCs; the signature title did not survive extraction)

All 64 rows match yara rule upx. Resources, in report order; files/ entries are dropped files, memory/ entries are process dumps:

  behavioral1/memory/528-0-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x00080000000120fd-10.dat
  behavioral1/memory/528-9-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x002e000000019604-18.dat
  behavioral1/memory/3024-20-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2104-28-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x0011000000019606-27.dat
  behavioral1/files/0x0007000000019608-38.dat
  behavioral1/memory/2972-37-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2220-46-0x00000000005C0000-0x00000000005E7000-memory.dmp
  behavioral1/memory/2220-49-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000700000001960a-47.dat
  behavioral1/files/0x000700000001961c-58.dat
  behavioral1/memory/1976-57-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x0006000000019667-65.dat
  behavioral1/memory/2996-67-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x00060000000196a1-76.dat
  behavioral1/memory/2996-75-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/1668-84-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x0008000000019c34-85.dat
  behavioral1/files/0x0008000000019c3c-94.dat
  behavioral1/memory/2528-93-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4c7-102.dat
  behavioral1/memory/1380-103-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4c9-112.dat
  behavioral1/memory/2688-111-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4cb-120.dat
  behavioral1/memory/1936-122-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4cd-129.dat
  behavioral1/files/0x000500000001a4cf-138.dat
  behavioral1/memory/1796-140-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4d1-147.dat
  behavioral1/files/0x000500000001a4d3-156.dat
  behavioral1/files/0x000500000001a4d5-164.dat
  behavioral1/files/0x000500000001a4d7-174.dat
  behavioral1/memory/2168-176-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/844-173-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4d9-184.dat
  behavioral1/files/0x000500000001a4de-200.dat
  behavioral1/memory/2192-193-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4db-192.dat
  behavioral1/files/0x000500000001a4e0-207.dat
  behavioral1/memory/756-209-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4e2-218.dat
  behavioral1/memory/756-217-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/924-227-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4e4-228.dat
  behavioral1/files/0x000500000001a4e6-236.dat
  behavioral1/memory/1920-247-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4e8-245.dat
  behavioral1/files/0x000500000001a4eb-256.dat
  behavioral1/memory/2296-255-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4ed-265.dat
  behavioral1/files/0x000500000001a4ef-277.dat
  behavioral1/memory/2352-276-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2352-273-0x0000000000220000-0x0000000000247000-memory.dmp
  behavioral1/memory/1148-286-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/files/0x000500000001a4f1-287.dat
  behavioral1/files/0x000500000001a4f7-294.dat
  behavioral1/memory/2076-304-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/1448-316-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/1984-329-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2832-342-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/2840-349-0x0000000000400000-0x0000000000427000-memory.dmp
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description:  Key opened
  ioc:          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key for all 64 rows)
  Process, in report order (? = "Process not Found": the sandbox logged the key open but could not map it to a process in its tree):

  llxllll.exe, ?, ?, 3flffxl.exe, pjjdd.exe, flxlfxr.exe, ?, ?,
  ?, ?, btbhnt.exe, dvppv.exe, ?, jpjdp.exe, xffxfxl.exe, ?,
  rrfrrll.exe, vjjvj.exe, ?, ?, xflllxx.exe, lxrfrrl.exe, vvdjv.exe, jjjjp.exe,
  ?, ?, vvjdp.exe, bhbtnn.exe, ?, ?, ntbntb.exe, 1hhhhh.exe,
  ?, lfxflxl.exe, djdvp.exe, ?, hnntnh.exe, jpdpv.exe, jjddj.exe, ?,
  ?, ?, nbnntb.exe, lrfrllf.exe, xxllfxf.exe, bttbhh.exe, jjddj.exe, ?,
  ?, ddjvj.exe, nbbtbh.exe, xlfxlrr.exe, nhbthb.exe, nnbhnt.exe, ?, hthhnn.exe,
  vjvpp.exe, ?, tnbnbh.exe, ?, ?, ?, pjpjp.exe, ?

Two caveats. Reading this key is a weak indicator on its own, since legitimate software reads the same locale key; it matters here because every process in the chain does it. Several names in this list (llxllll.exe, pjjdd.exe, btbhnt.exe and others) do not appear in the process tree below, so the run produced more processes than the tree shows.
Suspicious use of WriteProcessMemory (64 IoCs)

Each parent writes into the child it has just created. The report repeats every pair four times (one row per WriteProcessMemory call); the 16 distinct pairs below account for all 64 rows, and the 64-row cap is why the listing stops at PID 2304 even though the chain continues. procid_target is the sandbox's own id for the child.

  pid   Process                                                               wrote to  procid_target  rows
  528   30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe  3024      30             4
  3024  5hhnht.exe                                                            2104      31             4
  2104  jjppp.exe                                                             2972      32             4
  2972  jjjdj.exe                                                             2220      33             4
  2220  jpdpv.exe                                                             1976      34             4
  1976  pjpdd.exe                                                             3012      35             4
  3012  rrxlfrf.exe                                                           2996      36             4
  2996  5btttn.exe                                                            1668      37             4
  1668  xfrlrlf.exe                                                           2528      38             4
  2528  frxrrlx.exe                                                           1380      39             4
  1380  jdjdv.exe                                                             2688      40             4
  2688  5rrfxfr.exe                                                           2132      41             4
  2132  xfxflxr.exe                                                           1936      42             4
  1936  jdpdp.exe                                                             3044      43             4
  3044  bbthht.exe                                                            1796      44             4
  1796  ttthtn.exe                                                            2304      45             4
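The signature tables above arrive as flattened text, and the useful questions (which memory hits are not the dropped image, what the parent/child chain is once the repeated WriteProcessMemory rows are collapsed, which file names look like this sample's generator) are easier to answer once the rows are parsed. The following Python is an added example written for this page, not code from the sandbox vendor or from the report. Its sample rows are copied from the tables above; the file-name heuristic is derived only from the names listed in this report, so applying it to any other sample is an assumption.

```python
"""Parse flattened sandbox IoC rows into structured data (added example)."""
import re
from collections import Counter
from typing import NamedTuple

# behavioral<n>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)
# PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# Every name this sample dropped is 5-7 characters, optionally starting with a
# digit, with all letters taken from ONE of three disjoint sets. Assumption:
# a property of this sample's name generator, not of the family in general.
NAME_RE = re.compile(r"^[0-9]?(?:[bhnt]+|[djpv]+|[flrx]+)$")


class MemHit(NamedTuple):
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


class Edge(NamedTuple):
    parent: int
    child: int
    parent_image: str
    procid_target: int


def parse_mem_hits(text: str) -> list[MemHit]:
    """Every memory-dump resource name in text, in report order."""
    return [MemHit(int(p), int(i), int(s, 16), int(e, 16))
            for p, i, s, e in MEM_RE.findall(text)]


def unusual_hits(hits: list[MemHit]) -> list[MemHit]:
    """Hits whose region size differs from the size most hits share.

    Here almost every hit is a 0x27000-byte region (the dropped image);
    anything else, such as the two high-address PID 2440 regions, deserves
    a manual look before it is counted as a payload detection.
    """
    if not hits:
        return []
    common = Counter(h.size for h in hits).most_common(1)[0][0]
    return [h for h in hits if h.size != common]


def parse_write_edges(text: str) -> list[Edge]:
    """One edge per parent/child pair, collapsing the repeated rows.

    Report order is kept on purpose: PIDs are reused later in the run, so
    a bare PID is not a stable key for a process.
    """
    seen: set[Edge] = set()
    edges: list[Edge] = []
    for parent, child, image, target in WRITE_RE.findall(text):
        edge = Edge(int(parent), int(child), image, int(target))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def process_chain(edges: list[Edge], root: int) -> list[int]:
    """Follow the linear parent->child chain from root, in report order."""
    chain, current = [root], root
    for edge in edges:
        if edge.parent == current:
            chain.append(edge.child)
            current = edge.child
    return chain


def looks_generated(filename: str) -> bool:
    """True when a file name fits the generator pattern seen in this report."""
    stem = filename.lower().removesuffix(".exe")
    return 5 <= len(stem) <= 7 and NAME_RE.fullmatch(stem) is not None


# Constructed input: rows copied from the report above, with the four-fold
# repetition of each WriteProcessMemory row reproduced as it appears there.
SAMPLE_MEM = """
behavioral1/memory/528-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1380-101-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon
behavioral1/memory/2440-308-0x0000000076CB0000-0x0000000076DAA000-memory.dmp family_blackmoon
behavioral1/memory/2440-307-0x0000000076DB0000-0x0000000076ECF000-memory.dmp family_blackmoon
"""
ROOT = "30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe"
SAMPLE_WRITES = (
    f"PID 528 wrote to memory of 3024 528 {ROOT} 30 " * 4
    + "PID 3024 wrote to memory of 2104 3024 5hhnht.exe 31 " * 4
    + "PID 2104 wrote to memory of 2972 2104 jjppp.exe 32 " * 4
)

if __name__ == "__main__":
    for h in unusual_hits(parse_mem_hits(SAMPLE_MEM)):
        print(f"review: pid {h.pid} 0x{h.start:X}-0x{h.end:X} size 0x{h.size:X}")
    print("chain:", " -> ".join(map(str, process_chain(parse_write_edges(SAMPLE_WRITES), 528))))
    print("generator-like:", [n for n in ("5hhnht.exe", "svchost.exe") if looks_generated(n)])
```

The chain reconstruction assumes what this report shows, one child per parent; on a branching tree it would follow only the first matching child. Feed the full tables from the page into parse_mem_hits and parse_write_edges to get the complete picture rather than the excerpt used here.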
Processes

Each entry is nested one level below the previous one: every process spawns exactly one child, giving a 122-deep chain. Every dropped binary is written to the root of c:\ and its command line is the image path without the \??\ prefix (for example c:\5hhnht.exe), so command lines are not repeated below. Columns: depth, PID, image, signatures (D = Executes dropped EXE, W = Suspicious use of WriteProcessMemory, L = System Location Discovery: System Language Discovery).

    1  PID 528   C:\Users\Admin\AppData\Local\Temp\30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe  (command line "C:\Users\Admin\AppData\Local\Temp\30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe")  W
    2  PID 3024  \??\c:\5hhnht.exe   D W
    3  PID 2104  \??\c:\jjppp.exe    D W
    4  PID 2972  \??\c:\jjjdj.exe    D W
    5  PID 2220  \??\c:\jpdpv.exe    D W
    6  PID 1976  \??\c:\pjpdd.exe    D W
    7  PID 3012  \??\c:\rrxlfrf.exe  D W
    8  PID 2996  \??\c:\5btttn.exe   D W
    9  PID 1668  \??\c:\xfrlrlf.exe  D W
   10  PID 2528  \??\c:\frxrrlx.exe  D W
   11  PID 1380  \??\c:\jdjdv.exe    D W
   12  PID 2688  \??\c:\5rrfxfr.exe  D W
   13  PID 2132  \??\c:\xfxflxr.exe  D W
   14  PID 1936  \??\c:\jdpdp.exe    D W
   15  PID 3044  \??\c:\bbthht.exe   D W
   16  PID 1796  \??\c:\ttthtn.exe   D W
   17  PID 2304  \??\c:\flrllxf.exe  D
   18  PID 1016  \??\c:\vjdvd.exe    D
   19  PID 844   \??\c:\ffrxrfr.exe  D
   20  PID 2168  \??\c:\rflflxx.exe  D
   21  PID 2988  \??\c:\tthnhn.exe   D
   22  PID 2192  \??\c:\rlfrffx.exe  D
   23  PID 2776  \??\c:\flrrlff.exe  D
   24  PID 756   \??\c:\ppvjj.exe    D
   25  PID 924   \??\c:\jdvpd.exe    D
   26  PID 1076  \??\c:\bthtth.exe   D
   27  PID 1920  \??\c:\nbthtn.exe   D
   28  PID 2296  \??\c:\rflxrfx.exe  D
   29  PID 1868  \??\c:\rfffrrf.exe  D
   30  PID 2352  \??\c:\rlfxlrl.exe  D
   31  PID 764   \??\c:\lrrxllx.exe  D
   32  PID 1148  \??\c:\httbhh.exe   D
   33  PID 2076  \??\c:\xxxfxll.exe  D
   34  PID 2440  \??\c:\xfrlfrl.exe  D
   35  PID 1448  \??\c:\ppjjp.exe    (no tag; see note below)
   36  PID 1548  \??\c:\xfxrxlr.exe  D
   37  PID 1984  \??\c:\pdpvj.exe    D
   38  PID 2964  \??\c:\tbbthh.exe   D
   39  PID 2832  \??\c:\xxrfrrf.exe  D
   40  PID 2840  \??\c:\vjdvv.exe    D
   41  PID 2848  \??\c:\hbhnbh.exe   D
   42  PID 2728  \??\c:\rlrlxfl.exe  D
   43  PID 2796  \??\c:\dvvdp.exe    D
   44  PID 2708  \??\c:\3nntnh.exe   D
   45  PID 1556  \??\c:\rrllflx.exe  D
   46  PID 1524  \??\c:\jjjdv.exe    D
   47  PID 2528  \??\c:\tttnht.exe   D
   48  PID 1520  \??\c:\lrffrfl.exe  D
   49  PID 1980  \??\c:\ppvjd.exe    D
   50  PID 2120  \??\c:\7bhnbb.exe   D
   51  PID 2340  \??\c:\xlfxlrr.exe  D L
   52  PID 2280  \??\c:\xxffffx.exe  D
   53  PID 1948  \??\c:\btttbt.exe   D
   54  PID 3040  \??\c:\llllxxx.exe  D
   55  PID 1592  \??\c:\jjddv.exe    D
   56  PID 2304  \??\c:\hbnhtn.exe   D
   57  PID 2012  \??\c:\rxffrlf.exe  D
   58  PID 2232  \??\c:\vpjdd.exe    D
   59  PID 1880  \??\c:\hnntnh.exe   D L
   60  PID 2324  \??\c:\lllrxfx.exe  D
   61  PID 2148  \??\c:\jjjjp.exe    D
   62  PID 2532  \??\c:\bbnnhh.exe   D
   63  PID 1040  \??\c:\rrrllfl.exe  D
   64  PID 2084  \??\c:\hnbhbh.exe   D
   65  PID 580   \??\c:\rlfxflf.exe  D
   66  PID 2472  \??\c:\jjjdv.exe    D
   67  PID 864   \??\c:\ttbbnt.exe
   68  PID 1408  \??\c:\flrllxf.exe
   69  PID 1160  \??\c:\vjjvp.exe
   70  PID 2296  \??\c:\hnhhnh.exe
   71  PID 1884  \??\c:\ffllrrr.exe
   72  PID 1552  \??\c:\9ppdj.exe
   73  PID 2500  \??\c:\ttnhnh.exe
   74  PID 2320  \??\c:\llllllf.exe
   75  PID 2456  \??\c:\jjjdv.exe
   76  PID 1148  \??\c:\5nnhnn.exe
   77  PID 1956  \??\c:\vpdvd.exe
   78  PID 528   \??\c:\nhtnbb.exe
   79  PID 1580  \??\c:\lllrlxx.exe
   80  PID 576   \??\c:\pvvdd.exe
   81  PID 1476  \??\c:\nntntn.exe
   82  PID 2992  \??\c:\ffrlrll.exe
   83  PID 2976  \??\c:\jdjpp.exe
   84  PID 2812  \??\c:\bnntnt.exe
   85  PID 2732  \??\c:\fxrrflr.exe
   86  PID 1964  \??\c:\pvvpj.exe
   87  PID 3000  \??\c:\nhbhnh.exe
   88  PID 2716  \??\c:\llrrlff.exe
   89  PID 2764  \??\c:\tbnbbn.exe
   90  PID 2720  \??\c:\rrxxrrl.exe
   91  PID 1200  \??\c:\dpdvd.exe
   92  PID 444   \??\c:\nbhhtn.exe
   93  PID 2244  \??\c:\fffflff.exe
   94  PID 2684  \??\c:\pvjjp.exe
   95  PID 3048  \??\c:\ttthhb.exe
   96  PID 1940  \??\c:\5lllllf.exe
   97  PID 1936  \??\c:\vjppp.exe
   98  PID 2128  \??\c:\tbtttt.exe
   99  PID 1924  \??\c:\3flffxl.exe  L
  100  PID 2884  \??\c:\ffrfrxr.exe
  101  PID 1660  \??\c:\7nbntn.exe
  102  PID 2408  \??\c:\frrfxxx.exe
  103  PID 2556  \??\c:\5vvjd.exe
  104  PID 2316  \??\c:\tbhtnb.exe
  105  PID 1652  \??\c:\3flfxrx.exe
  106  PID 2416  \??\c:\jpdvp.exe
  107  PID 2056  \??\c:\bbttnh.exe
  108  PID 2348  \??\c:\xrfrlxr.exe
  109  PID 1040  \??\c:\pddjv.exe
  110  PID 560   \??\c:\thhhbn.exe
  111  PID 340   \??\c:\9jdjv.exe
  112  PID 1080  \??\c:\vdppd.exe
  113  PID 1616  \??\c:\lxfrrxl.exe
  114  PID 2376  \??\c:\llfxfxr.exe
  115  PID 2936  \??\c:\nnhbhh.exe
  116  PID 2152  \??\c:\lxllxlf.exe
  117  PID 980   \??\c:\jdjdp.exe
  118  PID 1472  \??\c:\hhbnnb.exe
  119  PID 1748  \??\c:\flfrlfl.exe
  120  PID 1780  \??\c:\jvdvv.exe
  121  PID 872   \??\c:\thnhtb.exe
  122  PID 1736  \??\c:\ttttnt.exe

Notes on reading the tree. Tags only reflect the capped signature listings: the W tag stops at depth 16 and the D tag at depth 66 because the WriteProcessMemory and Executes dropped EXE listings each stop at 64 rows, so an untagged entry past those points says nothing about how that process behaved. PID 1448 (ppjjp.exe, depth 35) carries no tag at all, yet it appears in both the Blackmoon and the upx memory hits above (1448-316 at 0x400000-0x427000), so treat it as part of the same chain. PIDs 528, 1040, 1148, 1936, 2296, 2304 and 2528 each occur twice because the OS reused them during the run; pivot on PID plus image name, not PID alone.