Analysis
-
max time kernel
120s -
max time network
25s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
05-11-2024 02:10
Behavioral task
behavioral1
Sample
1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe
Resource
win7-20240903-en
9 signatures
120 seconds
General
-
Target
1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe
-
Size
3.7MB
-
MD5
fc9e3eeadfb100e3fba51b069e10c7b0
-
SHA1
3c80a6610dc34ab42e93b2760d364ccec5425c05
-
SHA256
1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7
-
SHA512
3f493afaeb614bf3c9ae092045155539a82b013cf4e2d1039151e3e3c5535b5ad01bd8d9bc81521cc75cc40c1cb1e84d516732f0048003c778a03c875523daed
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF989:U6XLq/qPPslzKx/dJg1ErmNo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/1680-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2052-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2280-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2120-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2280-22-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/572-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2808-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2808-59-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2844-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2604-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3028-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/896-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1560-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1560-120-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1604-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/776-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/776-135-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2736-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2752-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1032-202-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/584-217-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/584-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/348-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3064-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1696-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1072-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1580-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1380-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2916-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2652-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2096-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/548-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1784-510-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2260-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1696-561-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2320-637-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2364-741-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-754-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/952-771-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2040-779-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1636-842-0x00000000002E0000-0x0000000000307000-memory.dmp family_blackmoon behavioral1/memory/1864-970-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/2096-983-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/284-1003-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/284-1022-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2052 fxlxfxx.exe 2280 nttbtt.exe 2120 thtnth.exe 572 vjddp.exe 2832 lrlrfrr.exe 2808 bthttt.exe 2556 nntntb.exe 2844 dpddd.exe 2604 dppvv.exe 3028 bhtbbh.exe 896 frxrrrr.exe 1560 dvjjv.exe 596 jdvdd.exe 776 htnhtn.exe 1604 rxlxllf.exe 844 tntnnn.exe 2736 djdvp.exe 2752 hhnbtb.exe 2628 bhbnbt.exe 2900 rfxfrrl.exe 1032 ddjdp.exe 2144 ntnbnn.exe 584 jpjdd.exe 1124 xxxllxr.exe 348 nhhhbb.exe 1528 ddpjp.exe 1100 ttnbnn.exe 3064 hbnbhh.exe 2212 llflxfr.exe 1696 tntbhb.exe 1072 7jjjj.exe 2972 frxrlrl.exe 1580 pvvjj.exe 1680 vjdpj.exe 1608 httthn.exe 1380 vdpvj.exe 2676 thbtbn.exe 2856 nnhhth.exe 2664 tnnthb.exe 2432 pppvj.exe 2644 xlrrlrr.exe 2916 nnbbbn.exe 1468 frlfrxf.exe 2652 tnnbbt.exe 1452 bhnhhn.exe 1904 pdvpj.exe 1556 pvvvj.exe 2588 vvvdv.exe 2096 pjddj.exe 1500 hhhnbn.exe 2600 thbtbh.exe 2740 thnhnh.exe 548 hhhhtb.exe 2872 bthbbt.exe 2756 hhtthb.exe 2476 nththb.exe 2412 dpjdv.exe 2912 pvdjp.exe 916 jjvvp.exe 952 jdvvp.exe 2040 rfxxxfr.exe 808 rfrxrlf.exe 948 llrflxr.exe 1784 nhnbht.exe -
resource yara_rule behavioral1/memory/1680-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000012117-5.dat upx behavioral1/memory/1680-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2052-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d31-19.dat upx behavioral1/memory/2280-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2120-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d3a-29.dat upx behavioral1/memory/2280-22-0x0000000000430000-0x0000000000457000-memory.dmp upx behavioral1/files/0x0008000000016d4a-38.dat upx behavioral1/files/0x0007000000016d68-47.dat upx behavioral1/memory/572-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d6d-66.dat upx behavioral1/files/0x0008000000016d18-56.dat upx behavioral1/memory/2808-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d89-76.dat upx behavioral1/memory/2844-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2604-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016fdf-85.dat upx behavioral1/files/0x0005000000018784-94.dat upx behavioral1/files/0x000500000001878f-103.dat upx behavioral1/memory/3028-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/896-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000187a5-113.dat upx behavioral1/memory/896-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019023-121.dat upx behavioral1/memory/1560-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001925e-132.dat upx behavioral1/files/0x0005000000019261-141.dat upx behavioral1/memory/1604-143-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/776-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019282-151.dat upx behavioral1/files/0x0005000000019334-159.dat upx behavioral1/memory/2736-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019350-168.dat upx behavioral1/files/0x00050000000193b4-176.dat upx behavioral1/memory/2628-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2752-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193c2-185.dat upx behavioral1/files/0x00050000000193e1-195.dat upx behavioral1/files/0x000500000001941e-205.dat upx behavioral1/files/0x0005000000019427-213.dat upx behavioral1/memory/584-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019431-224.dat upx behavioral1/memory/348-234-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019441-233.dat upx behavioral1/files/0x000500000001944f-241.dat upx behavioral1/memory/1100-251-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1528-250-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000019461-249.dat upx behavioral1/files/0x000500000001950c-259.dat upx behavioral1/files/0x0005000000019582-269.dat upx behavioral1/memory/3064-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c5-276.dat upx behavioral1/memory/1696-284-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019609-286.dat upx behavioral1/memory/1072-287-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001960b-295.dat upx behavioral1/memory/1580-308-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1608-315-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1380-330-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2916-368-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2652-382-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1556-395-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxflxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrlfl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxfxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnttb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2052 1680 1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe 31 PID 1680 wrote to memory of 2052 1680 1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe 31 PID 1680 wrote to memory of 2052 1680 1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe 31 PID 1680 wrote to memory of 2052 1680 1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe 31 PID 2052 wrote to memory of 2280 2052 fxlxfxx.exe 32 PID 2052 wrote to memory of 2280 2052 fxlxfxx.exe 32 PID 2052 wrote to memory of 2280 2052 fxlxfxx.exe 32 PID 2052 wrote to memory of 2280 2052 fxlxfxx.exe 32 PID 2280 wrote to memory of 2120 2280 nttbtt.exe 33 PID 2280 wrote to memory of 2120 2280 nttbtt.exe 33 PID 2280 wrote to memory of 2120 2280 nttbtt.exe 33 PID 2280 wrote to memory of 2120 2280 nttbtt.exe 33 PID 2120 wrote to memory of 572 2120 thtnth.exe 34 PID 2120 wrote to memory of 572 2120 thtnth.exe 34 PID 2120 wrote to memory of 572 2120 thtnth.exe 34 PID 2120 wrote to memory of 572 2120 thtnth.exe 34 PID 572 wrote to memory of 2832 572 vjddp.exe 111 PID 572 wrote to memory of 2832 572 vjddp.exe 111 PID 572 wrote to memory of 2832 572 vjddp.exe 111 PID 572 wrote to memory of 2832 572 vjddp.exe 111 PID 2832 wrote to memory of 2808 2832 lrlrfrr.exe 36 PID 2832 wrote to memory of 2808 2832 lrlrfrr.exe 36 PID 2832 wrote to memory of 2808 2832 lrlrfrr.exe 36 PID 2832 wrote to memory of 2808 2832 lrlrfrr.exe 36 PID 2808 wrote to memory of 2556 2808 bthttt.exe 37 PID 2808 wrote to memory of 2556 2808 bthttt.exe 37 PID 2808 wrote to memory of 2556 2808 bthttt.exe 37 PID 2808 wrote to memory of 2556 2808 bthttt.exe 37 PID 2556 wrote to memory of 2844 2556 nntntb.exe 250 PID 2556 wrote to memory of 2844 2556 nntntb.exe 250 PID 2556 wrote to memory of 2844 2556 nntntb.exe 250 PID 2556 wrote to memory of 2844 2556 nntntb.exe 250 PID 2844 wrote to memory of 2604 2844 dpddd.exe 39 PID 2844 
wrote to memory of 2604 2844 dpddd.exe 39 PID 2844 wrote to memory of 2604 2844 dpddd.exe 39 PID 2844 wrote to memory of 2604 2844 dpddd.exe 39 PID 2604 wrote to memory of 3028 2604 dppvv.exe 40 PID 2604 wrote to memory of 3028 2604 dppvv.exe 40 PID 2604 wrote to memory of 3028 2604 dppvv.exe 40 PID 2604 wrote to memory of 3028 2604 dppvv.exe 40 PID 3028 wrote to memory of 896 3028 bhtbbh.exe 41 PID 3028 wrote to memory of 896 3028 bhtbbh.exe 41 PID 3028 wrote to memory of 896 3028 bhtbbh.exe 41 PID 3028 wrote to memory of 896 3028 bhtbbh.exe 41 PID 896 wrote to memory of 1560 896 frxrrrr.exe 167 PID 896 wrote to memory of 1560 896 frxrrrr.exe 167 PID 896 wrote to memory of 1560 896 frxrrrr.exe 167 PID 896 wrote to memory of 1560 896 frxrrrr.exe 167 PID 1560 wrote to memory of 596 1560 dvjjv.exe 43 PID 1560 wrote to memory of 596 1560 dvjjv.exe 43 PID 1560 wrote to memory of 596 1560 dvjjv.exe 43 PID 1560 wrote to memory of 596 1560 dvjjv.exe 43 PID 596 wrote to memory of 776 596 jdvdd.exe 44 PID 596 wrote to memory of 776 596 jdvdd.exe 44 PID 596 wrote to memory of 776 596 jdvdd.exe 44 PID 596 wrote to memory of 776 596 jdvdd.exe 44 PID 776 wrote to memory of 1604 776 htnhtn.exe 45 PID 776 wrote to memory of 1604 776 htnhtn.exe 45 PID 776 wrote to memory of 1604 776 htnhtn.exe 45 PID 776 wrote to memory of 1604 776 htnhtn.exe 45 PID 1604 wrote to memory of 844 1604 rxlxllf.exe 46 PID 1604 wrote to memory of 844 1604 rxlxllf.exe 46 PID 1604 wrote to memory of 844 1604 rxlxllf.exe 46 PID 1604 wrote to memory of 844 1604 rxlxllf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe"C:\Users\Admin\AppData\Local\Temp\1f4dc055345bb7479461cb14d5763136c654ee5978b4eae1c818f01c1c819db7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\fxlxfxx.exec:\fxlxfxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\nttbtt.exec:\nttbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\thtnth.exec:\thtnth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\vjddp.exec:\vjddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\lrlrfrr.exec:\lrlrfrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\bthttt.exec:\bthttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nntntb.exec:\nntntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\dpddd.exec:\dpddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\dppvv.exec:\dppvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\bhtbbh.exec:\bhtbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\frxrrrr.exec:\frxrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\dvjjv.exec:\dvjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\jdvdd.exec:\jdvdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596 -
\??\c:\htnhtn.exec:\htnhtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\rxlxllf.exec:\rxlxllf.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\tntnnn.exec:\tntnnn.exe17⤵
- Executes dropped EXE
PID:844 -
\??\c:\djdvp.exec:\djdvp.exe18⤵
- Executes dropped EXE
PID:2736 -
\??\c:\hhnbtb.exec:\hhnbtb.exe19⤵
- Executes dropped EXE
PID:2752 -
\??\c:\bhbnbt.exec:\bhbnbt.exe20⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rfxfrrl.exec:\rfxfrrl.exe21⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ddjdp.exec:\ddjdp.exe22⤵
- Executes dropped EXE
PID:1032 -
\??\c:\ntnbnn.exec:\ntnbnn.exe23⤵
- Executes dropped EXE
PID:2144 -
\??\c:\jpjdd.exec:\jpjdd.exe24⤵
- Executes dropped EXE
PID:584 -
\??\c:\xxxllxr.exec:\xxxllxr.exe25⤵
- Executes dropped EXE
PID:1124 -
\??\c:\nhhhbb.exec:\nhhhbb.exe26⤵
- Executes dropped EXE
PID:348 -
\??\c:\ddpjp.exec:\ddpjp.exe27⤵
- Executes dropped EXE
PID:1528 -
\??\c:\ttnbnn.exec:\ttnbnn.exe28⤵
- Executes dropped EXE
PID:1100 -
\??\c:\hbnbhh.exec:\hbnbhh.exe29⤵
- Executes dropped EXE
PID:3064 -
\??\c:\llflxfr.exec:\llflxfr.exe30⤵
- Executes dropped EXE
PID:2212 -
\??\c:\tntbhb.exec:\tntbhb.exe31⤵
- Executes dropped EXE
PID:1696 -
\??\c:\7jjjj.exec:\7jjjj.exe32⤵
- Executes dropped EXE
PID:1072 -
\??\c:\frxrlrl.exec:\frxrlrl.exe33⤵
- Executes dropped EXE
PID:2972 -
\??\c:\pvvjj.exec:\pvvjj.exe34⤵
- Executes dropped EXE
PID:1580 -
\??\c:\vjdpj.exec:\vjdpj.exe35⤵
- Executes dropped EXE
PID:1680 -
\??\c:\httthn.exec:\httthn.exe36⤵
- Executes dropped EXE
PID:1608 -
\??\c:\vdpvj.exec:\vdpvj.exe37⤵
- Executes dropped EXE
PID:1380 -
\??\c:\thbtbn.exec:\thbtbn.exe38⤵
- Executes dropped EXE
PID:2676 -
\??\c:\nnhhth.exec:\nnhhth.exe39⤵
- Executes dropped EXE
PID:2856 -
\??\c:\tnnthb.exec:\tnnthb.exe40⤵
- Executes dropped EXE
PID:2664 -
\??\c:\pppvj.exec:\pppvj.exe41⤵
- Executes dropped EXE
PID:2432 -
\??\c:\xlrrlrr.exec:\xlrrlrr.exe42⤵
- Executes dropped EXE
PID:2644 -
\??\c:\nnbbbn.exec:\nnbbbn.exe43⤵
- Executes dropped EXE
PID:2916 -
\??\c:\frlfrxf.exec:\frlfrxf.exe44⤵
- Executes dropped EXE
PID:1468 -
\??\c:\tnnbbt.exec:\tnnbbt.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652 -
\??\c:\bhnhhn.exec:\bhnhhn.exe46⤵
- Executes dropped EXE
PID:1452 -
\??\c:\pdvpj.exec:\pdvpj.exe47⤵
- Executes dropped EXE
PID:1904 -
\??\c:\pvvvj.exec:\pvvvj.exe48⤵
- Executes dropped EXE
PID:1556 -
\??\c:\vvvdv.exec:\vvvdv.exe49⤵
- Executes dropped EXE
PID:2588 -
\??\c:\pjddj.exec:\pjddj.exe50⤵
- Executes dropped EXE
PID:2096 -
\??\c:\hhhnbn.exec:\hhhnbn.exe51⤵
- Executes dropped EXE
PID:1500 -
\??\c:\thbtbh.exec:\thbtbh.exe52⤵
- Executes dropped EXE
PID:2600 -
\??\c:\thnhnh.exec:\thnhnh.exe53⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hhhhtb.exec:\hhhhtb.exe54⤵
- Executes dropped EXE
PID:548 -
\??\c:\bthbbt.exec:\bthbbt.exe55⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hhtthb.exec:\hhtthb.exe56⤵
- Executes dropped EXE
PID:2756 -
\??\c:\nththb.exec:\nththb.exe57⤵
- Executes dropped EXE
PID:2476 -
\??\c:\dpjdv.exec:\dpjdv.exe58⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pvdjp.exec:\pvdjp.exe59⤵
- Executes dropped EXE
PID:2912 -
\??\c:\jjvvp.exec:\jjvvp.exe60⤵
- Executes dropped EXE
PID:916 -
\??\c:\jdvvp.exec:\jdvvp.exe61⤵
- Executes dropped EXE
PID:952 -
\??\c:\rfxxxfr.exec:\rfxxxfr.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
\??\c:\rfrxrlf.exec:\rfrxrlf.exe63⤵
- Executes dropped EXE
PID:808 -
\??\c:\llrflxr.exec:\llrflxr.exe64⤵
- Executes dropped EXE
PID:948 -
\??\c:\nhnbht.exec:\nhnbht.exe65⤵
- Executes dropped EXE
PID:1784 -
\??\c:\bbnbbh.exec:\bbnbbh.exe66⤵PID:852
-
\??\c:\1nhhtb.exec:\1nhhtb.exe67⤵PID:1772
-
\??\c:\nbhhhh.exec:\nbhhhh.exe68⤵PID:1528
-
\??\c:\ttthhn.exec:\ttthhn.exe69⤵PID:3048
-
\??\c:\bnhbhb.exec:\bnhbhb.exe70⤵PID:2260
-
\??\c:\nnbhhn.exec:\nnbhhn.exe71⤵PID:1720
-
\??\c:\jddpj.exec:\jddpj.exe72⤵PID:1636
-
\??\c:\dpjjp.exec:\dpjjp.exe73⤵
- System Location Discovery: System Language Discovery
PID:1696 -
\??\c:\xxllfrf.exec:\xxllfrf.exe74⤵PID:1072
-
\??\c:\rrxlxxr.exec:\rrxlxxr.exe75⤵PID:1956
-
\??\c:\xrxrfrx.exec:\xrxrfrx.exe76⤵PID:1684
-
\??\c:\rxxllxx.exec:\rxxllxx.exe77⤵
- System Location Discovery: System Language Discovery
PID:2100 -
\??\c:\rlxlllx.exec:\rlxlllx.exe78⤵PID:2088
-
\??\c:\vdpdd.exec:\vdpdd.exe79⤵PID:1896
-
\??\c:\ppvdv.exec:\ppvdv.exe80⤵PID:2724
-
\??\c:\pjpjp.exec:\pjpjp.exe81⤵PID:2660
-
\??\c:\jpjpd.exec:\jpjpd.exe82⤵PID:2832
-
\??\c:\vjdvv.exec:\vjdvv.exe83⤵PID:2708
-
\??\c:\3jdpv.exec:\3jdpv.exe84⤵PID:2860
-
\??\c:\nbnhnh.exec:\nbnhnh.exe85⤵PID:2320
-
\??\c:\ttthhb.exec:\ttthhb.exe86⤵PID:2532
-
\??\c:\tbbbtt.exec:\tbbbtt.exe87⤵PID:3052
-
\??\c:\hnbnbt.exec:\hnbnbt.exe88⤵PID:3016
-
\??\c:\btthnb.exec:\btthnb.exe89⤵PID:2000
-
\??\c:\hbbnhb.exec:\hbbnhb.exe90⤵PID:1552
-
\??\c:\xxlllxl.exec:\xxlllxl.exe91⤵PID:1452
-
\??\c:\lfxllfl.exec:\lfxllfl.exe92⤵PID:1904
-
\??\c:\xxxrxxr.exec:\xxxrxxr.exe93⤵PID:1560
-
\??\c:\flxfffl.exec:\flxfffl.exe94⤵PID:1676
-
\??\c:\rxrfrll.exec:\rxrfrll.exe95⤵PID:2096
-
\??\c:\ffffxlr.exec:\ffffxlr.exe96⤵PID:1212
-
\??\c:\xxffxrf.exec:\xxffxrf.exe97⤵PID:284
-
\??\c:\jdjjd.exec:\jdjjd.exe98⤵PID:1648
-
\??\c:\pvjjj.exec:\pvjjj.exe99⤵PID:1612
-
\??\c:\vdpjp.exec:\vdpjp.exe100⤵PID:344
-
\??\c:\pppjp.exec:\pppjp.exe101⤵PID:2220
-
\??\c:\pdvdj.exec:\pdvdj.exe102⤵PID:2364
-
\??\c:\ddjjj.exec:\ddjjj.exe103⤵PID:2752
-
\??\c:\7ppdj.exec:\7ppdj.exe104⤵PID:2900
-
\??\c:\ththnn.exec:\ththnn.exe105⤵PID:916
-
\??\c:\5hbbbb.exec:\5hbbbb.exe106⤵PID:952
-
\??\c:\ttbntb.exec:\ttbntb.exe107⤵PID:2040
-
\??\c:\nthnnb.exec:\nthnnb.exe108⤵PID:1984
-
\??\c:\flfrrff.exec:\flfrrff.exe109⤵PID:1204
-
\??\c:\ffflxfr.exec:\ffflxfr.exe110⤵PID:1344
-
\??\c:\lfrlfrf.exec:\lfrlfrf.exe111⤵PID:752
-
\??\c:\lllrlxr.exec:\lllrlxr.exe112⤵PID:1792
-
\??\c:\ffxfxxl.exec:\ffxfxxl.exe113⤵PID:1100
-
\??\c:\pvppp.exec:\pvppp.exe114⤵PID:1316
-
\??\c:\pvvdd.exec:\pvvdd.exe115⤵PID:1060
-
\??\c:\dpvvd.exec:\dpvvd.exe116⤵PID:1900
-
\??\c:\dddvd.exec:\dddvd.exe117⤵PID:1636
-
\??\c:\vppdd.exec:\vppdd.exe118⤵PID:1696
-
\??\c:\jjjpd.exec:\jjjpd.exe119⤵PID:1884
-
\??\c:\xxxfxfr.exec:\xxxfxfr.exe120⤵PID:2052
-
\??\c:\ppppv.exec:\ppppv.exe121⤵PID:2492
-
\??\c:\vjvjp.exec:\vjvjp.exe122⤵PID:2100