Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
03/12/2024, 06:47
Behavioral task
behavioral1
Sample
e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe
Resource
win7-20240708-en
9 signatures
120 seconds
General
-
Target
e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe
-
Size
3.7MB
-
MD5
1e766839d720066b199c94c9b2f97d50
-
SHA1
3bfbe2548853151f9ecc706812281ccfbee831ec
-
SHA256
e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29a
-
SHA512
b199afb6f7ebcb8b0a7bff4d1a1cec6a35693743ad724af7e59d86b0e69f2b3643c76c9bc873a4a08fba6007b53d718938058d1616a199e27935d5c658454744
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98g:U6XLq/qPPslzKx/dJg1ErmN9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/1928-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2412-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1060-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1928-39-0x00000000005C0000-0x00000000005E7000-memory.dmp family_blackmoon behavioral1/memory/1864-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2716-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2640-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1668-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2676-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2464-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1576-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2776-136-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1948-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1752-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3004-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2056-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2196-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2056-193-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1772-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1800-221-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1260-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3000-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2524-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2680-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2904-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2600-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2560-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3068-494-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2696-502-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1928-570-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2808-594-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3016-607-0x00000000003D0000-0x00000000003F7000-memory.dmp family_blackmoon behavioral1/memory/2892-615-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2220-648-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/380-663-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2220-670-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2660-683-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/3012-753-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3012-769-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2036-793-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2284-801-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-821-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2016-835-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2384-855-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1960-862-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2344-869-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2968-949-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2960-968-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2412 thbhtn.exe 1060 lfxfxxr.exe 1864 9rlxllr.exe 2704 vvpdp.exe 2708 m8686.exe 2716 a0646.exe 2640 djvvp.exe 1668 3vpdv.exe 2676 llflrlx.exe 2464 6682466.exe 1136 jvjvv.exe 2948 llrxllf.exe 1576 888446.exe 2776 hnnbhb.exe 1948 5jdjv.exe 1816 26424.exe 1752 rlrxrxl.exe 3004 200244.exe 2196 g4286.exe 2056 hhbntt.exe 1268 4428488.exe 1772 08408.exe 1800 9bnthn.exe 1252 fxlrxfl.exe 1260 04468.exe 1532 6640668.exe 3000 xllrflr.exe 2524 004244.exe 784 tnthtb.exe 1360 9bbnbh.exe 1684 048028.exe 1756 lrrfrfx.exe 2168 6040680.exe 3020 4806466.exe 2680 a6684.exe 1060 4806802.exe 1864 4224628.exe 2704 jvvvv.exe 2876 822468.exe 2192 m8686.exe 3008 fflrrxl.exe 2904 tntnth.exe 2600 22246.exe 2720 vjjvv.exe 380 bhbtht.exe 1484 thnbnb.exe 2560 7fllxfl.exe 2588 60244.exe 2784 426840.exe 1700 a0464.exe 2424 nhtttn.exe 1608 60642.exe 1648 42068.exe 2652 w02862.exe 2956 7pjvv.exe 2164 8224246.exe 2144 jpdvj.exe 2080 hbhbht.exe 1856 bhtbtb.exe 1704 608468.exe 1328 e44808.exe 3068 2206402.exe 2696 5bhhth.exe 1984 04620.exe -
resource yara_rule behavioral1/memory/1928-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1928-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d000000014348-9.dat upx behavioral1/files/0x000800000001919c-16.dat upx behavioral1/memory/2412-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1060-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000191ad-28.dat upx behavioral1/memory/1060-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2704-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000191cf-41.dat upx behavioral1/memory/1864-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000018741-50.dat upx behavioral1/memory/2704-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2708-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000191d1-58.dat upx behavioral1/memory/2640-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000019219-69.dat upx behavioral1/memory/2716-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193d1-79.dat upx behavioral1/memory/2640-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1668-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193e6-88.dat upx behavioral1/files/0x00050000000193f0-97.dat upx behavioral1/memory/2676-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2464-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001945c-106.dat upx behavioral1/files/0x000500000001948d-116.dat upx behavioral1/memory/2948-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194e2-123.dat upx behavioral1/files/0x000500000001958b-132.dat upx 
behavioral1/memory/1576-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c2-141.dat upx behavioral1/files/0x00050000000195c4-152.dat upx behavioral1/memory/1816-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c6-159.dat upx behavioral1/memory/1948-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c7-169.dat upx behavioral1/memory/1752-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c8-180.dat upx behavioral1/memory/3004-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3004-176-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/memory/2056-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195ca-189.dat upx behavioral1/memory/2196-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195cc-198.dat upx behavioral1/memory/1772-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195d0-216.dat upx behavioral1/files/0x00050000000195ce-208.dat upx behavioral1/files/0x00050000000195e0-227.dat upx behavioral1/memory/1252-226-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019624-234.dat upx behavioral1/files/0x00050000000196a0-244.dat upx behavioral1/memory/1260-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019931-251.dat upx behavioral1/files/0x0005000000019bec-262.dat upx behavioral1/memory/2524-261-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3000-259-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf0-270.dat upx behavioral1/memory/2524-269-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf2-278.dat upx behavioral1/files/0x0005000000019c0b-287.dat upx 
behavioral1/files/0x0005000000019cd5-295.dat upx behavioral1/memory/1684-294-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2680-321-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k22080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2802000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8080284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c000240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2082826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6280846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6288242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrfff.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2420082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 804648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8046086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i468020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 026460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i264684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6646806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0226484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k44660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6206466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6042802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 666228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 2412 1928 e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe 30 PID 1928 wrote to memory of 2412 1928 e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe 30 PID 1928 wrote to memory of 2412 1928 e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe 30 PID 1928 wrote to memory of 2412 1928 e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe 30 PID 2412 wrote to memory of 1060 2412 thbhtn.exe 31 PID 2412 wrote to memory of 1060 2412 thbhtn.exe 31 PID 2412 wrote to memory of 1060 2412 thbhtn.exe 31 PID 2412 wrote to memory of 1060 2412 thbhtn.exe 31 PID 1060 wrote to memory of 1864 1060 lfxfxxr.exe 32 PID 1060 wrote to memory of 1864 1060 lfxfxxr.exe 32 PID 1060 wrote to memory of 1864 1060 lfxfxxr.exe 32 PID 1060 wrote to memory of 1864 1060 lfxfxxr.exe 32 PID 1864 wrote to memory of 2704 1864 9rlxllr.exe 68 PID 1864 wrote to memory of 2704 1864 9rlxllr.exe 68 PID 1864 wrote to memory of 2704 1864 9rlxllr.exe 68 PID 1864 wrote to memory of 2704 1864 9rlxllr.exe 68 PID 2704 wrote to memory of 2708 2704 vvpdp.exe 34 PID 2704 wrote to memory of 2708 2704 vvpdp.exe 34 PID 2704 wrote to memory of 2708 2704 vvpdp.exe 34 PID 2704 wrote to memory of 2708 2704 vvpdp.exe 34 PID 2708 wrote to memory of 2716 2708 m8686.exe 35 PID 2708 wrote to memory of 2716 2708 m8686.exe 35 PID 2708 wrote to memory of 2716 2708 m8686.exe 35 PID 2708 wrote to memory of 2716 2708 m8686.exe 35 PID 2716 wrote to memory of 2640 2716 a0646.exe 36 PID 2716 wrote to memory of 2640 2716 a0646.exe 36 PID 2716 wrote to memory of 2640 2716 a0646.exe 36 PID 2716 wrote to memory of 2640 2716 a0646.exe 36 PID 2640 wrote to memory of 1668 2640 djvvp.exe 37 PID 2640 wrote to memory of 1668 2640 djvvp.exe 37 PID 2640 wrote to memory of 1668 2640 djvvp.exe 37 PID 2640 wrote to memory of 1668 2640 djvvp.exe 37 PID 1668 wrote to memory of 2676 1668 3vpdv.exe 38 PID 1668 wrote to 
memory of 2676 1668 3vpdv.exe 38 PID 1668 wrote to memory of 2676 1668 3vpdv.exe 38 PID 1668 wrote to memory of 2676 1668 3vpdv.exe 38 PID 2676 wrote to memory of 2464 2676 llflrlx.exe 39 PID 2676 wrote to memory of 2464 2676 llflrlx.exe 39 PID 2676 wrote to memory of 2464 2676 llflrlx.exe 39 PID 2676 wrote to memory of 2464 2676 llflrlx.exe 39 PID 2464 wrote to memory of 1136 2464 6682466.exe 40 PID 2464 wrote to memory of 1136 2464 6682466.exe 40 PID 2464 wrote to memory of 1136 2464 6682466.exe 40 PID 2464 wrote to memory of 1136 2464 6682466.exe 40 PID 1136 wrote to memory of 2948 1136 jvjvv.exe 41 PID 1136 wrote to memory of 2948 1136 jvjvv.exe 41 PID 1136 wrote to memory of 2948 1136 jvjvv.exe 41 PID 1136 wrote to memory of 2948 1136 jvjvv.exe 41 PID 2948 wrote to memory of 1576 2948 llrxllf.exe 42 PID 2948 wrote to memory of 1576 2948 llrxllf.exe 42 PID 2948 wrote to memory of 1576 2948 llrxllf.exe 42 PID 2948 wrote to memory of 1576 2948 llrxllf.exe 42 PID 1576 wrote to memory of 2776 1576 888446.exe 43 PID 1576 wrote to memory of 2776 1576 888446.exe 43 PID 1576 wrote to memory of 2776 1576 888446.exe 43 PID 1576 wrote to memory of 2776 1576 888446.exe 43 PID 2776 wrote to memory of 1948 2776 hnnbhb.exe 44 PID 2776 wrote to memory of 1948 2776 hnnbhb.exe 44 PID 2776 wrote to memory of 1948 2776 hnnbhb.exe 44 PID 2776 wrote to memory of 1948 2776 hnnbhb.exe 44 PID 1948 wrote to memory of 1816 1948 5jdjv.exe 45 PID 1948 wrote to memory of 1816 1948 5jdjv.exe 45 PID 1948 wrote to memory of 1816 1948 5jdjv.exe 45 PID 1948 wrote to memory of 1816 1948 5jdjv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe"C:\Users\Admin\AppData\Local\Temp\e0accdd903924f30ca091201bedf7e65b5260697139ff56a55d8cd302759d29aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\thbhtn.exec:\thbhtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\lfxfxxr.exec:\lfxfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\9rlxllr.exec:\9rlxllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\vvpdp.exec:\vvpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\m8686.exec:\m8686.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\a0646.exec:\a0646.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\djvvp.exec:\djvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\3vpdv.exec:\3vpdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\llflrlx.exec:\llflrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\6682466.exec:\6682466.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\jvjvv.exec:\jvjvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\llrxllf.exec:\llrxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\888446.exec:\888446.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\hnnbhb.exec:\hnnbhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\5jdjv.exec:\5jdjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\26424.exec:\26424.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
\??\c:\rlrxrxl.exec:\rlrxrxl.exe18⤵
- Executes dropped EXE
PID:1752 -
\??\c:\200244.exec:\200244.exe19⤵
- Executes dropped EXE
PID:3004 -
\??\c:\g4286.exec:\g4286.exe20⤵
- Executes dropped EXE
PID:2196 -
\??\c:\hhbntt.exec:\hhbntt.exe21⤵
- Executes dropped EXE
PID:2056 -
\??\c:\4428488.exec:\4428488.exe22⤵
- Executes dropped EXE
PID:1268 -
\??\c:\08408.exec:\08408.exe23⤵
- Executes dropped EXE
PID:1772 -
\??\c:\9bnthn.exec:\9bnthn.exe24⤵
- Executes dropped EXE
PID:1800 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe25⤵
- Executes dropped EXE
PID:1252 -
\??\c:\04468.exec:\04468.exe26⤵
- Executes dropped EXE
PID:1260 -
\??\c:\6640668.exec:\6640668.exe27⤵
- Executes dropped EXE
PID:1532 -
\??\c:\xllrflr.exec:\xllrflr.exe28⤵
- Executes dropped EXE
PID:3000 -
\??\c:\004244.exec:\004244.exe29⤵
- Executes dropped EXE
PID:2524 -
\??\c:\tnthtb.exec:\tnthtb.exe30⤵
- Executes dropped EXE
PID:784 -
\??\c:\9bbnbh.exec:\9bbnbh.exe31⤵
- Executes dropped EXE
PID:1360 -
\??\c:\048028.exec:\048028.exe32⤵
- Executes dropped EXE
PID:1684 -
\??\c:\lrrfrfx.exec:\lrrfrfx.exe33⤵
- Executes dropped EXE
PID:1756 -
\??\c:\6040680.exec:\6040680.exe34⤵
- Executes dropped EXE
PID:2168 -
\??\c:\4806466.exec:\4806466.exe35⤵
- Executes dropped EXE
PID:3020 -
\??\c:\a6684.exec:\a6684.exe36⤵
- Executes dropped EXE
PID:2680 -
\??\c:\4806802.exec:\4806802.exe37⤵
- Executes dropped EXE
PID:1060 -
\??\c:\4224628.exec:\4224628.exe38⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jvvvv.exec:\jvvvv.exe39⤵
- Executes dropped EXE
PID:2704 -
\??\c:\822468.exec:\822468.exe40⤵
- Executes dropped EXE
PID:2876 -
\??\c:\m8686.exec:\m8686.exe41⤵
- Executes dropped EXE
PID:2192 -
\??\c:\fflrrxl.exec:\fflrrxl.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
\??\c:\tntnth.exec:\tntnth.exe43⤵
- Executes dropped EXE
PID:2904 -
\??\c:\22246.exec:\22246.exe44⤵
- Executes dropped EXE
PID:2600 -
\??\c:\vjjvv.exec:\vjjvv.exe45⤵
- Executes dropped EXE
PID:2720 -
\??\c:\bhbtht.exec:\bhbtht.exe46⤵
- Executes dropped EXE
PID:380 -
\??\c:\thnbnb.exec:\thnbnb.exe47⤵
- Executes dropped EXE
PID:1484 -
\??\c:\7fllxfl.exec:\7fllxfl.exe48⤵
- Executes dropped EXE
PID:2560 -
\??\c:\60244.exec:\60244.exe49⤵
- Executes dropped EXE
PID:2588 -
\??\c:\426840.exec:\426840.exe50⤵
- Executes dropped EXE
PID:2784 -
\??\c:\a0464.exec:\a0464.exe51⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nhtttn.exec:\nhtttn.exe52⤵
- Executes dropped EXE
PID:2424 -
\??\c:\60642.exec:\60642.exe53⤵
- Executes dropped EXE
PID:1608 -
\??\c:\42068.exec:\42068.exe54⤵
- Executes dropped EXE
PID:1648 -
\??\c:\w02862.exec:\w02862.exe55⤵
- Executes dropped EXE
PID:2652 -
\??\c:\7pjvv.exec:\7pjvv.exe56⤵
- Executes dropped EXE
PID:2956 -
\??\c:\8224246.exec:\8224246.exe57⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jpdvj.exec:\jpdvj.exe58⤵
- Executes dropped EXE
PID:2144 -
\??\c:\hbhbht.exec:\hbhbht.exe59⤵
- Executes dropped EXE
PID:2080 -
\??\c:\bhtbtb.exec:\bhtbtb.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
\??\c:\608468.exec:\608468.exe61⤵
- Executes dropped EXE
PID:1704 -
\??\c:\e44808.exec:\e44808.exe62⤵
- Executes dropped EXE
PID:1328 -
\??\c:\2206402.exec:\2206402.exe63⤵
- Executes dropped EXE
PID:3068 -
\??\c:\5bhhth.exec:\5bhhth.exe64⤵
- Executes dropped EXE
PID:2696 -
\??\c:\04620.exec:\04620.exe65⤵
- Executes dropped EXE
PID:1984 -
\??\c:\1djvp.exec:\1djvp.exe66⤵PID:964
-
\??\c:\hhhthb.exec:\hhhthb.exe67⤵
- System Location Discovery: System Language Discovery
PID:804 -
\??\c:\jvdvd.exec:\jvdvd.exe68⤵PID:2516
-
\??\c:\rxllrlr.exec:\rxllrlr.exe69⤵PID:2148
-
\??\c:\hhnnbn.exec:\hhnnbn.exe70⤵PID:1980
-
\??\c:\xxxfxfr.exec:\xxxfxfr.exe71⤵PID:1736
-
\??\c:\s8688.exec:\s8688.exe72⤵PID:2432
-
\??\c:\nnnbnt.exec:\nnnbnt.exe73⤵PID:1224
-
\??\c:\04646.exec:\04646.exe74⤵PID:344
-
\??\c:\6646806.exec:\6646806.exe75⤵
- System Location Discovery: System Language Discovery
PID:1928 -
\??\c:\bnthtt.exec:\bnthtt.exe76⤵PID:672
-
\??\c:\28208.exec:\28208.exe77⤵PID:3016
-
\??\c:\bthtnb.exec:\bthtnb.exe78⤵PID:2124
-
\??\c:\m0808.exec:\m0808.exe79⤵PID:2808
-
\??\c:\1thnbh.exec:\1thnbh.exe80⤵PID:3032
-
\??\c:\0880246.exec:\0880246.exe81⤵PID:2892
-
\??\c:\6606446.exec:\6606446.exe82⤵PID:2936
-
\??\c:\ppdpv.exec:\ppdpv.exe83⤵PID:2192
-
\??\c:\k66846.exec:\k66846.exe84⤵PID:2656
-
\??\c:\5fxlrxl.exec:\5fxlrxl.exe85⤵PID:2340
-
\??\c:\82260.exec:\82260.exe86⤵PID:2220
-
\??\c:\1hthth.exec:\1hthth.exe87⤵PID:2416
-
\??\c:\rflxrfl.exec:\rflxrfl.exe88⤵PID:2532
-
\??\c:\rrxlfrf.exec:\rrxlfrf.exe89⤵PID:380
-
\??\c:\4486846.exec:\4486846.exe90⤵PID:2692
-
\??\c:\vpjvj.exec:\vpjvj.exe91⤵PID:2660
-
\??\c:\2004684.exec:\2004684.exe92⤵PID:2888
-
\??\c:\8288804.exec:\8288804.exe93⤵PID:2700
-
\??\c:\60202.exec:\60202.exe94⤵PID:2992
-
\??\c:\48624.exec:\48624.exe95⤵PID:2424
-
\??\c:\hbnttt.exec:\hbnttt.exe96⤵PID:1608
-
\??\c:\hntnhn.exec:\hntnhn.exe97⤵PID:1648
-
\??\c:\226862.exec:\226862.exe98⤵PID:2652
-
\??\c:\4868440.exec:\4868440.exe99⤵PID:2956
-
\??\c:\thttbt.exec:\thttbt.exe100⤵
- System Location Discovery: System Language Discovery
PID:2336 -
\??\c:\04846.exec:\04846.exe101⤵PID:2144
-
\??\c:\rrfxlrf.exec:\rrfxlrf.exe102⤵PID:3012
-
\??\c:\nnthhb.exec:\nnthhb.exe103⤵PID:2572
-
\??\c:\660864.exec:\660864.exe104⤵PID:1704
-
\??\c:\rxlxlxx.exec:\rxlxlxx.exe105⤵PID:1328
-
\??\c:\rrlxrfl.exec:\rrlxrfl.exe106⤵PID:3068
-
\??\c:\tntnht.exec:\tntnht.exe107⤵PID:1688
-
\??\c:\0286648.exec:\0286648.exe108⤵PID:2036
-
\??\c:\28444.exec:\28444.exe109⤵PID:788
-
\??\c:\s8246.exec:\s8246.exe110⤵PID:2284
-
\??\c:\xflfxrl.exec:\xflfxrl.exe111⤵PID:2116
-
\??\c:\jjjvj.exec:\jjjvj.exe112⤵PID:2364
-
\??\c:\46628.exec:\46628.exe113⤵PID:1144
-
\??\c:\rxflxlx.exec:\rxflxlx.exe114⤵PID:2016
-
\??\c:\dpddp.exec:\dpddp.exe115⤵PID:1584
-
\??\c:\flffrxl.exec:\flffrxl.exe116⤵PID:1756
-
\??\c:\600468.exec:\600468.exe117⤵PID:2384
-
\??\c:\22286.exec:\22286.exe118⤵PID:1960
-
\??\c:\40086.exec:\40086.exe119⤵PID:2344
-
\??\c:\4248662.exec:\4248662.exe120⤵PID:1300
-
\??\c:\5xflxlf.exec:\5xflxlf.exe121⤵PID:1864
-
\??\c:\lrrlfxl.exec:\lrrlfxl.exe122⤵PID:2188