Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 06:46
Behavioral task
behavioral1
Sample
0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe
-
Size
3.7MB
-
MD5
b4b7e930ecbb6afa203edfa78465486c
-
SHA1
cbd1ecbb960f51deaa4380bdf1f8ca4084360ba0
-
SHA256
0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47
-
SHA512
9acf8a1c0397d6f884257cc5af9085492adad9bba46dcf0c9e33ba02193bf07d860cce4455dbc7ff4d9864aebd4ea062cff18b0589a1de50fa71316ec711a45f
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98H:U6XLq/qPPslzKx/dJg1ErmNg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2068-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/804-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2212-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2844-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2652-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-96-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/684-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/864-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/316-135-0x00000000002D0000-0x00000000002F7000-memory.dmp family_blackmoon behavioral1/memory/316-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2036-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1796-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3036-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/468-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1340-248-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1340-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/900-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1876-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1280-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/808-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/604-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2044-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2400-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1596-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1596-483-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2396-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2396-503-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1544-512-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1544-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1544-537-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2244-545-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1660-552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2608-567-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2476-596-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2224-621-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon 
behavioral1/memory/2916-634-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-643-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2752-656-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/600-692-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1980-720-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2544-822-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2548-849-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1372-856-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-884-0x0000000001F10000-0x0000000001F37000-memory.dmp family_blackmoon behavioral1/memory/2676-952-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2676-971-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/580-972-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1044-999-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1976-1032-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 804 xrrxlff.exe 2264 xrlllrx.exe 2252 lfrfxxl.exe 2912 5pjdp.exe 2212 1lflfxl.exe 2304 jjjvp.exe 2844 xrlxflx.exe 2680 1hbnth.exe 2652 lrxxllf.exe 2352 xfrlllf.exe 684 llfrrlf.exe 864 nhhbth.exe 2824 7dpvd.exe 316 lxrrrrl.exe 2036 hhhbnb.exe 1796 hnnbtb.exe 1668 9tthhh.exe 3052 ttbbbn.exe 3008 nbhttn.exe 2296 vjdjd.exe 2220 jjvjv.exe 3036 ttttbh.exe 2836 3tbnhn.exe 1680 thbbtb.exe 468 hbntnn.exe 2000 1htthh.exe 1340 fxfxrxf.exe 2144 djdjj.exe 1860 thbthb.exe 832 pdvpj.exe 620 rfrrxrr.exe 900 7xrfrll.exe 1732 jdvpv.exe 2084 vpjvv.exe 1876 jjpjj.exe 2316 hhthnt.exe 2724 nnhbbn.exe 2908 tbnhbt.exe 2784 fxfxxll.exe 2216 rrrfxff.exe 2212 rxlflfx.exe 2948 jjjpj.exe 2988 jppvj.exe 2940 vvvdp.exe 2704 vddvp.exe 2492 ppjdp.exe 2444 1vvpp.exe 556 5hbnhb.exe 1280 hhbbnh.exe 1516 bnnbnh.exe 808 hbnhnt.exe 1260 xfrrllf.exe 604 ffrlxlx.exe 2848 lfxxxll.exe 1796 rrffrfl.exe 2044 9dpdd.exe 3012 jdjdp.exe 2400 hthbbb.exe 3008 bntthb.exe 2532 7tnbnh.exe 1596 lffxlfr.exe 2208 lrxxlfr.exe 2396 1rxrlrl.exe 1384 rfxrrrx.exe -
resource yara_rule behavioral1/memory/2068-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/804-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d00000001226d-8.dat upx behavioral1/memory/2068-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/804-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2264-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015d9a-19.dat upx behavioral1/files/0x0007000000015da7-27.dat upx behavioral1/files/0x0009000000015d7e-36.dat upx behavioral1/memory/2252-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015e18-46.dat upx behavioral1/memory/2912-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015e71-55.dat upx behavioral1/memory/2212-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015f81-64.dat upx behavioral1/memory/2304-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2844-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001612f-73.dat upx behavioral1/memory/2680-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d25-82.dat upx behavioral1/files/0x0006000000016d36-90.dat upx behavioral1/memory/2652-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d3e-101.dat upx behavioral1/memory/684-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d46-111.dat upx behavioral1/memory/684-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d96-121.dat upx behavioral1/memory/864-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2824-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d9a-130.dat upx 
behavioral1/files/0x0006000000016dbe-141.dat upx behavioral1/memory/2036-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/316-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2036-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016dd1-151.dat upx behavioral1/files/0x0006000000016dd7-161.dat upx behavioral1/memory/1796-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016ea4-169.dat upx behavioral1/files/0x0006000000016eca-176.dat upx behavioral1/memory/3008-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001706d-185.dat upx behavioral1/files/0x00060000000173da-193.dat upx behavioral1/memory/3036-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000173f1-202.dat upx behavioral1/files/0x00060000000173f4-210.dat upx behavioral1/files/0x00060000000173fc-218.dat upx behavioral1/memory/1680-219-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000017472-227.dat upx behavioral1/files/0x0006000000017487-237.dat upx behavioral1/memory/468-235-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000174a2-244.dat upx behavioral1/files/0x0006000000017525-254.dat upx behavioral1/memory/1340-253-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0014000000018663-262.dat upx behavioral1/files/0x000d00000001866e-270.dat upx behavioral1/files/0x0005000000018687-278.dat upx behavioral1/files/0x0006000000018c1a-286.dat upx behavioral1/memory/900-294-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1876-307-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2724-320-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2784-333-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2784-340-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2988-359-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2940-366-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 804 2068 0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe 30 PID 2068 wrote to memory of 804 2068 0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe 30 PID 2068 wrote to memory of 804 2068 0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe 30 PID 2068 wrote to memory of 804 2068 0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe 30 PID 804 wrote to memory of 2264 804 xrrxlff.exe 31 PID 804 wrote to memory of 2264 804 xrrxlff.exe 31 PID 804 wrote to memory of 2264 804 xrrxlff.exe 31 PID 804 wrote to memory of 2264 804 xrrxlff.exe 31 PID 2264 wrote to memory of 2252 2264 xrlllrx.exe 32 PID 2264 wrote to memory of 2252 2264 xrlllrx.exe 32 PID 2264 wrote to memory of 2252 2264 xrlllrx.exe 32 PID 2264 wrote to memory of 2252 2264 xrlllrx.exe 32 PID 2252 wrote to memory of 2912 2252 lfrfxxl.exe 33 PID 2252 wrote to memory of 2912 2252 lfrfxxl.exe 33 PID 2252 wrote to memory of 2912 2252 lfrfxxl.exe 33 PID 2252 wrote to memory of 2912 2252 lfrfxxl.exe 33 PID 2912 wrote to memory of 2212 2912 5pjdp.exe 34 PID 2912 wrote to memory of 2212 2912 5pjdp.exe 34 PID 2912 wrote to memory of 2212 2912 5pjdp.exe 34 PID 2912 wrote to memory of 2212 2912 5pjdp.exe 34 PID 2212 wrote to memory of 2304 2212 1lflfxl.exe 35 PID 2212 wrote to memory of 2304 2212 1lflfxl.exe 35 PID 2212 wrote to memory of 2304 2212 1lflfxl.exe 35 PID 2212 wrote to memory of 2304 2212 1lflfxl.exe 35 PID 2304 wrote to memory of 2844 2304 jjjvp.exe 36 PID 2304 wrote to memory of 2844 2304 jjjvp.exe 36 PID 2304 wrote to memory of 2844 2304 jjjvp.exe 36 PID 2304 wrote to memory of 2844 2304 jjjvp.exe 36 PID 2844 wrote to memory of 2680 2844 xrlxflx.exe 37 PID 2844 wrote to memory of 2680 2844 xrlxflx.exe 37 PID 2844 wrote to memory of 2680 2844 xrlxflx.exe 37 PID 2844 wrote to memory of 2680 2844 xrlxflx.exe 37 PID 2680 wrote to memory of 2652 2680 1hbnth.exe 38 PID 2680 
wrote to memory of 2652 2680 1hbnth.exe 38 PID 2680 wrote to memory of 2652 2680 1hbnth.exe 38 PID 2680 wrote to memory of 2652 2680 1hbnth.exe 38 PID 2652 wrote to memory of 2352 2652 lrxxllf.exe 39 PID 2652 wrote to memory of 2352 2652 lrxxllf.exe 39 PID 2652 wrote to memory of 2352 2652 lrxxllf.exe 39 PID 2652 wrote to memory of 2352 2652 lrxxllf.exe 39 PID 2352 wrote to memory of 684 2352 xfrlllf.exe 40 PID 2352 wrote to memory of 684 2352 xfrlllf.exe 40 PID 2352 wrote to memory of 684 2352 xfrlllf.exe 40 PID 2352 wrote to memory of 684 2352 xfrlllf.exe 40 PID 684 wrote to memory of 864 684 llfrrlf.exe 41 PID 684 wrote to memory of 864 684 llfrrlf.exe 41 PID 684 wrote to memory of 864 684 llfrrlf.exe 41 PID 684 wrote to memory of 864 684 llfrrlf.exe 41 PID 864 wrote to memory of 2824 864 nhhbth.exe 42 PID 864 wrote to memory of 2824 864 nhhbth.exe 42 PID 864 wrote to memory of 2824 864 nhhbth.exe 42 PID 864 wrote to memory of 2824 864 nhhbth.exe 42 PID 2824 wrote to memory of 316 2824 7dpvd.exe 43 PID 2824 wrote to memory of 316 2824 7dpvd.exe 43 PID 2824 wrote to memory of 316 2824 7dpvd.exe 43 PID 2824 wrote to memory of 316 2824 7dpvd.exe 43 PID 316 wrote to memory of 2036 316 lxrrrrl.exe 44 PID 316 wrote to memory of 2036 316 lxrrrrl.exe 44 PID 316 wrote to memory of 2036 316 lxrrrrl.exe 44 PID 316 wrote to memory of 2036 316 lxrrrrl.exe 44 PID 2036 wrote to memory of 1796 2036 hhhbnb.exe 45 PID 2036 wrote to memory of 1796 2036 hhhbnb.exe 45 PID 2036 wrote to memory of 1796 2036 hhhbnb.exe 45 PID 2036 wrote to memory of 1796 2036 hhhbnb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe"C:\Users\Admin\AppData\Local\Temp\0a78ee83b6099a9e752a2c9f58c48f3d7ad34a92b4a2019eb50821eee327ee47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\xrrxlff.exec:\xrrxlff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\xrlllrx.exec:\xrlllrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\lfrfxxl.exec:\lfrfxxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\5pjdp.exec:\5pjdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\1lflfxl.exec:\1lflfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\jjjvp.exec:\jjjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\xrlxflx.exec:\xrlxflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\1hbnth.exec:\1hbnth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\lrxxllf.exec:\lrxxllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\xfrlllf.exec:\xfrlllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\llfrrlf.exec:\llfrrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\nhhbth.exec:\nhhbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\7dpvd.exec:\7dpvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\lxrrrrl.exec:\lxrrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\hhhbnb.exec:\hhhbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\hnnbtb.exec:\hnnbtb.exe17⤵
- Executes dropped EXE
PID:1796 -
\??\c:\9tthhh.exec:\9tthhh.exe18⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ttbbbn.exec:\ttbbbn.exe19⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nbhttn.exec:\nbhttn.exe20⤵
- Executes dropped EXE
PID:3008 -
\??\c:\vjdjd.exec:\vjdjd.exe21⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jjvjv.exec:\jjvjv.exe22⤵
- Executes dropped EXE
PID:2220 -
\??\c:\ttttbh.exec:\ttttbh.exe23⤵
- Executes dropped EXE
PID:3036 -
\??\c:\3tbnhn.exec:\3tbnhn.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
\??\c:\thbbtb.exec:\thbbtb.exe25⤵
- Executes dropped EXE
PID:1680 -
\??\c:\hbntnn.exec:\hbntnn.exe26⤵
- Executes dropped EXE
PID:468 -
\??\c:\1htthh.exec:\1htthh.exe27⤵
- Executes dropped EXE
PID:2000 -
\??\c:\fxfxrxf.exec:\fxfxrxf.exe28⤵
- Executes dropped EXE
PID:1340 -
\??\c:\djdjj.exec:\djdjj.exe29⤵
- Executes dropped EXE
PID:2144 -
\??\c:\thbthb.exec:\thbthb.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1860 -
\??\c:\pdvpj.exec:\pdvpj.exe31⤵
- Executes dropped EXE
PID:832 -
\??\c:\rfrrxrr.exec:\rfrrxrr.exe32⤵
- Executes dropped EXE
PID:620 -
\??\c:\7xrfrll.exec:\7xrfrll.exe33⤵
- Executes dropped EXE
PID:900 -
\??\c:\jdvpv.exec:\jdvpv.exe34⤵
- Executes dropped EXE
PID:1732 -
\??\c:\vpjvv.exec:\vpjvv.exe35⤵
- Executes dropped EXE
PID:2084 -
\??\c:\jjpjj.exec:\jjpjj.exe36⤵
- Executes dropped EXE
PID:1876 -
\??\c:\hhthnt.exec:\hhthnt.exe37⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nnhbbn.exec:\nnhbbn.exe38⤵
- Executes dropped EXE
PID:2724 -
\??\c:\tbnhbt.exec:\tbnhbt.exe39⤵
- Executes dropped EXE
PID:2908 -
\??\c:\fxfxxll.exec:\fxfxxll.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\rrrfxff.exec:\rrrfxff.exe41⤵
- Executes dropped EXE
PID:2216 -
\??\c:\rxlflfx.exec:\rxlflfx.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
\??\c:\jjjpj.exec:\jjjpj.exe43⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jppvj.exec:\jppvj.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988 -
\??\c:\vvvdp.exec:\vvvdp.exe45⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vddvp.exec:\vddvp.exe46⤵
- Executes dropped EXE
PID:2704 -
\??\c:\ppjdp.exec:\ppjdp.exe47⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1vvpp.exec:\1vvpp.exe48⤵
- Executes dropped EXE
PID:2444 -
\??\c:\5hbnhb.exec:\5hbnhb.exe49⤵
- Executes dropped EXE
PID:556 -
\??\c:\hhbbnh.exec:\hhbbnh.exe50⤵
- Executes dropped EXE
PID:1280 -
\??\c:\bnnbnh.exec:\bnnbnh.exe51⤵
- Executes dropped EXE
PID:1516 -
\??\c:\hbnhnt.exec:\hbnhnt.exe52⤵
- Executes dropped EXE
PID:808 -
\??\c:\xfrrllf.exec:\xfrrllf.exe53⤵
- Executes dropped EXE
PID:1260 -
\??\c:\ffrlxlx.exec:\ffrlxlx.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:604 -
\??\c:\lfxxxll.exec:\lfxxxll.exe55⤵
- Executes dropped EXE
PID:2848 -
\??\c:\rrffrfl.exec:\rrffrfl.exe56⤵
- Executes dropped EXE
PID:1796 -
\??\c:\9dpdd.exec:\9dpdd.exe57⤵
- Executes dropped EXE
PID:2044 -
\??\c:\jdjdp.exec:\jdjdp.exe58⤵
- Executes dropped EXE
PID:3012 -
\??\c:\hthbbb.exec:\hthbbb.exe59⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bntthb.exec:\bntthb.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
\??\c:\7tnbnh.exec:\7tnbnh.exe61⤵
- Executes dropped EXE
PID:2532 -
\??\c:\lffxlfr.exec:\lffxlfr.exe62⤵
- Executes dropped EXE
PID:1596 -
\??\c:\lrxxlfr.exec:\lrxxlfr.exe63⤵
- Executes dropped EXE
PID:2208 -
\??\c:\1rxrlrl.exec:\1rxrlrl.exe64⤵
- Executes dropped EXE
PID:2396 -
\??\c:\rfxrrrx.exec:\rfxrrrx.exe65⤵
- Executes dropped EXE
PID:1384 -
\??\c:\7rrrlfx.exec:\7rrrlfx.exe66⤵PID:1544
-
\??\c:\vvpjj.exec:\vvpjj.exe67⤵PID:1768
-
\??\c:\pvdpp.exec:\pvdpp.exe68⤵PID:1100
-
\??\c:\ddpjp.exec:\ddpjp.exe69⤵PID:1716
-
\??\c:\ppvpv.exec:\ppvpv.exe70⤵PID:2244
-
\??\c:\pvpdj.exec:\pvpdj.exe71⤵PID:1660
-
\??\c:\pjvpp.exec:\pjvpp.exe72⤵PID:2228
-
\??\c:\9tthht.exec:\9tthht.exe73⤵
- System Location Discovery: System Language Discovery
PID:1764 -
\??\c:\9tnhbt.exec:\9tnhbt.exe74⤵PID:2608
-
\??\c:\hnbnnh.exec:\hnbnnh.exe75⤵PID:900
-
\??\c:\hhttth.exec:\hhttth.exe76⤵PID:1732
-
\??\c:\hhtthh.exec:\hhtthh.exe77⤵PID:1464
-
\??\c:\xxxfflf.exec:\xxxfflf.exe78⤵PID:2332
-
\??\c:\5lrlllr.exec:\5lrlllr.exe79⤵PID:2476
-
\??\c:\lrfflxl.exec:\lrfflxl.exe80⤵PID:2760
-
\??\c:\llxllxl.exec:\llxllxl.exe81⤵PID:2932
-
\??\c:\lrfllll.exec:\lrfllll.exe82⤵PID:2224
-
\??\c:\fflfxxx.exec:\fflfxxx.exe83⤵PID:2640
-
\??\c:\jpddd.exec:\jpddd.exe84⤵PID:2148
-
\??\c:\djdvv.exec:\djdvv.exe85⤵PID:2916
-
\??\c:\hhbbbb.exec:\hhbbbb.exe86⤵PID:2952
-
\??\c:\httnbt.exec:\httnbt.exe87⤵PID:2648
-
\??\c:\ntbbnh.exec:\ntbbnh.exe88⤵PID:2752
-
\??\c:\rfrfrxr.exec:\rfrfrxr.exe89⤵PID:2356
-
\??\c:\nhthhh.exec:\nhthhh.exe90⤵PID:1328
-
\??\c:\hnbbtb.exec:\hnbbtb.exe91⤵PID:912
-
\??\c:\nhbbnt.exec:\nhbbnt.exe92⤵PID:2888
-
\??\c:\tbthnn.exec:\tbthnn.exe93⤵
- System Location Discovery: System Language Discovery
PID:600 -
\??\c:\bhnbnb.exec:\bhnbnb.exe94⤵PID:1516
-
\??\c:\tthttn.exec:\tthttn.exe95⤵PID:2872
-
\??\c:\hbbtnh.exec:\hbbtnh.exe96⤵PID:1260
-
\??\c:\bttttn.exec:\bttttn.exe97⤵PID:484
-
\??\c:\nnnnbn.exec:\nnnnbn.exe98⤵PID:1980
-
\??\c:\bbttbh.exec:\bbttbh.exe99⤵PID:1284
-
\??\c:\xfrllfx.exec:\xfrllfx.exe100⤵PID:3024
-
\??\c:\flxfrlf.exec:\flxfrlf.exe101⤵PID:3056
-
\??\c:\lfxrfrf.exec:\lfxrfrf.exe102⤵PID:2432
-
\??\c:\vdjpd.exec:\vdjpd.exe103⤵PID:2428
-
\??\c:\pjpjp.exec:\pjpjp.exe104⤵PID:1448
-
\??\c:\jvvdv.exec:\jvvdv.exe105⤵PID:2612
-
\??\c:\nntttt.exec:\nntttt.exe106⤵PID:1264
-
\??\c:\bntthh.exec:\bntthh.exe107⤵PID:2836
-
\??\c:\5hhtnn.exec:\5hhtnn.exe108⤵PID:1680
-
\??\c:\ttntth.exec:\ttntth.exe109⤵PID:468
-
\??\c:\bnttbh.exec:\bnttbh.exe110⤵PID:1376
-
\??\c:\ntbbhh.exec:\ntbbhh.exe111⤵PID:1560
-
\??\c:\5ttbtn.exec:\5ttbtn.exe112⤵PID:1556
-
\??\c:\thbnht.exec:\thbnht.exe113⤵PID:1716
-
\??\c:\jvdjd.exec:\jvdjd.exe114⤵
- System Location Discovery: System Language Discovery
PID:2544 -
\??\c:\jvpvd.exec:\jvpvd.exe115⤵PID:1564
-
\??\c:\djdjv.exec:\djdjv.exe116⤵PID:352
-
\??\c:\jjjdv.exec:\jjjdv.exe117⤵PID:620
-
\??\c:\ddvpd.exec:\ddvpd.exe118⤵PID:2580
-
\??\c:\9ntntb.exec:\9ntntb.exe119⤵PID:2548
-
\??\c:\tbnhnh.exec:\tbnhnh.exe120⤵PID:1372
-
\??\c:\7bbntt.exec:\7bbntt.exe121⤵PID:2272
-
\??\c:\hnnhth.exec:\hnnhth.exe122⤵
- System Location Discovery: System Language Discovery
PID:2556