Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
17-01-2025 02:08
Behavioral task
behavioral1
Sample
1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93N.exe
Resource
win7-20241010-en — note: this behavioral1 card names a Windows 7 image, while the Analysis header above names win10v2004-20241007-en and every IoC below is tagged behavioral2, so the results on this page appear to come from the Windows 10 run; the Windows 7 run's results are not shown here.
9 signatures
120 seconds
General
-
Target
1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93N.exe
-
Size
3.7MB
-
MD5
c46229b4ead71b5d5197560ec8a98a90
-
SHA1
3df3de24c2ebc74847ab5ea14e122978b0f7c364
-
SHA256
1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93
-
SHA512
029027421d5aaf403675218f8d5d41162520d2df327718cda16175aac32bff3c2dcef424de539d882dcda021c7c500e00a73c31e6f3e38ef62f6268867671104
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98B:U6XLq/qPPslzKx/dJg1ErmNI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs
All hits are memory-rule matches in the same virtual range (0x400000–0x427000) of the original process and of each dropped executable, i.e. the mapped image itself, so the dropped files appear to be copies of the same unpacked payload rather than distinct stages. Note the 3.7 MB file on disk versus the ~0x27000-byte (~156 KB) mapped image; the remainder is presumably overlay or padding — worth checking with a PE parser before assuming a second embedded component.
resource yara_rule behavioral2/memory/4460-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2968-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1344-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1664-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1352-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2488-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/312-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1932-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5072-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4240-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3764-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-432-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-551-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-609-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2792-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-635-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-687-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-751-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-1202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-1627-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family — family verdict only: no per-rule IoCs for Njrat appear on this page (the header counts 9 signatures but only 7 are shown), so weight it below the Blackmoon verdict, which is backed by 63 memory-rule hits, until the underlying rule match is confirmed.
-
Executes dropped EXE — 64 IoCs (list truncated at 64; the process tree below runs 122 levels deep)
Each dropped binary is written to the root of the system drive under a short name drawn from a small alphabet (x, l, f, r, h, n, t, b, d, j, p, v, sometimes with a leading digit), e.g. \??\c:\xxxlfrl.exe, and each one launches the next. For hunting, a filename pattern such as ^[0-9]?[xlfrhntbdjpv]{4,7}\.exe$ created in C:\ is a usable indicator based on the names seen here, though the generator may produce other forms. The analysis ran as C:\Users\Admin; writing to the drive root normally needs an elevated token, so behaviour under a standard user account may differ. The unlabelled yara_rule block that follows this list (rule name upx, matching both the dropped .dat files and every process image) is the UPX-packed-file signature.
pid Process 2968 xxxlfrl.exe 4680 hntntt.exe 4656 djpvp.exe 4480 tnhnhh.exe 4724 xlffxlx.exe 3760 dpdpj.exe 756 1ddpd.exe 3092 fxxxrll.exe 2944 lffrffx.exe 3132 9bthbh.exe 5040 rflfrrl.exe 748 7hhtnh.exe 1868 nbthhb.exe 1116 dvdvp.exe 1344 7vddv.exe 5048 tnhtnt.exe 2320 jdjdv.exe 3524 nbhbtn.exe 3384 nthnnn.exe 2960 5ttnbh.exe 2284 thttbt.exe 1696 llxrrlf.exe 2644 lxlfxxr.exe 1664 nhbthb.exe 1592 hnhbbh.exe 1352 tbnnnh.exe 1400 ddpdv.exe 3256 vdjjp.exe 4544 nhnhhb.exe 2252 5bhbnh.exe 3600 7xfrlfx.exe 2168 ffffrlr.exe 836 hbhbht.exe 4372 xllfffx.exe 628 xxxxffr.exe 4400 fllfxrl.exe 2488 rrffxrr.exe 4732 7flxllr.exe 3732 hhbbnn.exe 1092 5llfrrl.exe 4536 9hthbn.exe 4868 lxfrllx.exe 4456 5fxrlfr.exe 1036 llxllff.exe 4460 3xrlrlf.exe 872 ppddv.exe 2480 jdjvv.exe 3728 jjvvp.exe 4828 pppjd.exe 1496 jvvvj.exe 4448 pdppj.exe 4724 9ddpd.exe 4068 pdppp.exe 1548 bbtbtt.exe 1560 nnbtbt.exe 4056 3htnhh.exe 2620 htnhtt.exe 5020 bnnhbb.exe 1464 5thbnh.exe 4600 nhbthh.exe 5036 lfflfxl.exe 1800 llrrrrr.exe 112 flxfrlx.exe 312 lxrfxxr.exe -
resource yara_rule behavioral2/memory/4460-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bb0-4.dat upx behavioral2/memory/4460-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2968-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bcc-10.dat upx behavioral2/files/0x0009000000023bd2-13.dat upx behavioral2/memory/4680-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4656-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bb4-22.dat upx behavioral2/memory/4480-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bd3-29.dat upx behavioral2/memory/4724-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bd7-34.dat upx behavioral2/files/0x0008000000023bd9-40.dat upx behavioral2/memory/756-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bdc-45.dat upx behavioral2/files/0x0008000000023bde-50.dat upx behavioral2/memory/3092-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000600000001e754-56.dat upx behavioral2/memory/2944-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bdf-62.dat upx behavioral2/memory/3132-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0e-68.dat upx behavioral2/memory/5040-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0f-74.dat upx behavioral2/memory/748-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c10-80.dat upx behavioral2/files/0x0008000000023c11-85.dat upx behavioral2/memory/1116-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c12-91.dat upx behavioral2/memory/1344-92-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0008000000023c13-96.dat upx behavioral2/memory/5048-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c18-102.dat upx behavioral2/memory/2320-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c19-109.dat upx behavioral2/memory/3524-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1a-114.dat upx behavioral2/memory/2960-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2c-120.dat upx behavioral2/files/0x0008000000023c33-125.dat upx behavioral2/files/0x0008000000023c34-131.dat upx behavioral2/memory/2644-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c36-137.dat upx behavioral2/files/0x0008000000023c37-142.dat upx behavioral2/memory/1592-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1664-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c4c-148.dat upx behavioral2/memory/1592-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0016000000023c4d-153.dat upx behavioral2/memory/1352-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c53-162.dat upx behavioral2/files/0x0008000000023c63-165.dat upx behavioral2/memory/4544-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c64-171.dat upx behavioral2/memory/2252-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c65-177.dat upx behavioral2/memory/2252-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c66-183.dat upx behavioral2/memory/4372-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/628-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4400-202-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2488-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3732-213-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs (list truncated at 64)
Attempts to gather information about the victim host's system language in order to infer its geographical location (MITRE ATT&CK T1614.001). Caveat for triage: every IoC below is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that plenty of benign software also opens during locale initialisation, so on its own this is weak evidence of geofencing. The process tree annotates only a handful of nodes with it, which may simply reflect the 64-entry cap rather than differing behaviour between the dropped executables.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frlxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlffll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfffll.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (list truncated at 64)
Reviewer note: every entry is a parent writing into the child it has just launched, exactly three writes per child, and each parent's only child is the next link in the chain. That pattern is consistent with the writes ordinary process creation makes into a new child rather than with injection into an unrelated process, and the Blackmoon memory hits all sit in each process's own image range (0x400000–0x427000). Read this as a self-replicating launcher chain, and confirm against the full API trace before reporting it as process injection.
description pid Process procid_target PID 4460 wrote to memory of 2968 4460 1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93N.exe 82 PID 4460 wrote to memory of 2968 4460 1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93N.exe 82 PID 4460 wrote to memory of 2968 4460 1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93N.exe 82 PID 2968 wrote to memory of 4680 2968 xxxlfrl.exe 83 PID 2968 wrote to memory of 4680 2968 xxxlfrl.exe 83 PID 2968 wrote to memory of 4680 2968 xxxlfrl.exe 83 PID 4680 wrote to memory of 4656 4680 hntntt.exe 84 PID 4680 wrote to memory of 4656 4680 hntntt.exe 84 PID 4680 wrote to memory of 4656 4680 hntntt.exe 84 PID 4656 wrote to memory of 4480 4656 djpvp.exe 85 PID 4656 wrote to memory of 4480 4656 djpvp.exe 85 PID 4656 wrote to memory of 4480 4656 djpvp.exe 85 PID 4480 wrote to memory of 4724 4480 tnhnhh.exe 86 PID 4480 wrote to memory of 4724 4480 tnhnhh.exe 86 PID 4480 wrote to memory of 4724 4480 tnhnhh.exe 86 PID 4724 wrote to memory of 3760 4724 xlffxlx.exe 87 PID 4724 wrote to memory of 3760 4724 xlffxlx.exe 87 PID 4724 wrote to memory of 3760 4724 xlffxlx.exe 87 PID 3760 wrote to memory of 756 3760 dpdpj.exe 88 PID 3760 wrote to memory of 756 3760 dpdpj.exe 88 PID 3760 wrote to memory of 756 3760 dpdpj.exe 88 PID 756 wrote to memory of 3092 756 1ddpd.exe 89 PID 756 wrote to memory of 3092 756 1ddpd.exe 89 PID 756 wrote to memory of 3092 756 1ddpd.exe 89 PID 3092 wrote to memory of 2944 3092 fxxxrll.exe 90 PID 3092 wrote to memory of 2944 3092 fxxxrll.exe 90 PID 3092 wrote to memory of 2944 3092 fxxxrll.exe 90 PID 2944 wrote to memory of 3132 2944 lffrffx.exe 91 PID 2944 wrote to memory of 3132 2944 lffrffx.exe 91 PID 2944 wrote to memory of 3132 2944 lffrffx.exe 91 PID 3132 wrote to memory of 5040 3132 9bthbh.exe 92 PID 3132 wrote to memory of 5040 3132 9bthbh.exe 92 PID 3132 wrote to memory of 5040 3132 9bthbh.exe 92 PID 5040 wrote to memory of 748 5040 rflfrrl.exe 93 PID 5040 wrote to 
memory of 748 5040 rflfrrl.exe 93 PID 5040 wrote to memory of 748 5040 rflfrrl.exe 93 PID 748 wrote to memory of 1868 748 7hhtnh.exe 94 PID 748 wrote to memory of 1868 748 7hhtnh.exe 94 PID 748 wrote to memory of 1868 748 7hhtnh.exe 94 PID 1868 wrote to memory of 1116 1868 nbthhb.exe 95 PID 1868 wrote to memory of 1116 1868 nbthhb.exe 95 PID 1868 wrote to memory of 1116 1868 nbthhb.exe 95 PID 1116 wrote to memory of 1344 1116 dvdvp.exe 96 PID 1116 wrote to memory of 1344 1116 dvdvp.exe 96 PID 1116 wrote to memory of 1344 1116 dvdvp.exe 96 PID 1344 wrote to memory of 5048 1344 7vddv.exe 97 PID 1344 wrote to memory of 5048 1344 7vddv.exe 97 PID 1344 wrote to memory of 5048 1344 7vddv.exe 97 PID 5048 wrote to memory of 2320 5048 tnhtnt.exe 98 PID 5048 wrote to memory of 2320 5048 tnhtnt.exe 98 PID 5048 wrote to memory of 2320 5048 tnhtnt.exe 98 PID 2320 wrote to memory of 3524 2320 jdjdv.exe 99 PID 2320 wrote to memory of 3524 2320 jdjdv.exe 99 PID 2320 wrote to memory of 3524 2320 jdjdv.exe 99 PID 3524 wrote to memory of 3384 3524 nbhbtn.exe 100 PID 3524 wrote to memory of 3384 3524 nbhbtn.exe 100 PID 3524 wrote to memory of 3384 3524 nbhbtn.exe 100 PID 3384 wrote to memory of 2960 3384 nthnnn.exe 101 PID 3384 wrote to memory of 2960 3384 nthnnn.exe 101 PID 3384 wrote to memory of 2960 3384 nthnnn.exe 101 PID 2960 wrote to memory of 2284 2960 5ttnbh.exe 102 PID 2960 wrote to memory of 2284 2960 5ttnbh.exe 102 PID 2960 wrote to memory of 2284 2960 5ttnbh.exe 102 PID 2284 wrote to memory of 1696 2284 thttbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93N.exe"C:\Users\Admin\AppData\Local\Temp\1671111d584ac310c1bc0426a0bfbe8d81a5b920983e6884b17c4351afc06b93N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\hntntt.exec:\hntntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\djpvp.exec:\djpvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\tnhnhh.exec:\tnhnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\xlffxlx.exec:\xlffxlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\dpdpj.exec:\dpdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\1ddpd.exec:\1ddpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\fxxxrll.exec:\fxxxrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\lffrffx.exec:\lffrffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\9bthbh.exec:\9bthbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\rflfrrl.exec:\rflfrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\7hhtnh.exec:\7hhtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\nbthhb.exec:\nbthhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\dvdvp.exec:\dvdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\7vddv.exec:\7vddv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\tnhtnt.exec:\tnhtnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\jdjdv.exec:\jdjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\nbhbtn.exec:\nbhbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\nthnnn.exec:\nthnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\5ttnbh.exec:\5ttnbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\thttbt.exec:\thttbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\llxrrlf.exec:\llxrrlf.exe23⤵
- Executes dropped EXE
PID:1696 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2644 -
\??\c:\nhbthb.exec:\nhbthb.exe25⤵
- Executes dropped EXE
PID:1664 -
\??\c:\hnhbbh.exec:\hnhbbh.exe26⤵
- Executes dropped EXE
PID:1592 -
\??\c:\tbnnnh.exec:\tbnnnh.exe27⤵
- Executes dropped EXE
PID:1352 -
\??\c:\ddpdv.exec:\ddpdv.exe28⤵
- Executes dropped EXE
PID:1400 -
\??\c:\vdjjp.exec:\vdjjp.exe29⤵
- Executes dropped EXE
PID:3256 -
\??\c:\nhnhhb.exec:\nhnhhb.exe30⤵
- Executes dropped EXE
PID:4544 -
\??\c:\5bhbnh.exec:\5bhbnh.exe31⤵
- Executes dropped EXE
PID:2252 -
\??\c:\7xfrlfx.exec:\7xfrlfx.exe32⤵
- Executes dropped EXE
PID:3600 -
\??\c:\ffffrlr.exec:\ffffrlr.exe33⤵
- Executes dropped EXE
PID:2168 -
\??\c:\hbhbht.exec:\hbhbht.exe34⤵
- Executes dropped EXE
PID:836 -
\??\c:\xllfffx.exec:\xllfffx.exe35⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xxxxffr.exec:\xxxxffr.exe36⤵
- Executes dropped EXE
PID:628 -
\??\c:\fllfxrl.exec:\fllfxrl.exe37⤵
- Executes dropped EXE
PID:4400 -
\??\c:\rrffxrr.exec:\rrffxrr.exe38⤵
- Executes dropped EXE
PID:2488 -
\??\c:\7flxllr.exec:\7flxllr.exe39⤵
- Executes dropped EXE
PID:4732 -
\??\c:\hhbbnn.exec:\hhbbnn.exe40⤵
- Executes dropped EXE
PID:3732 -
\??\c:\5llfrrl.exec:\5llfrrl.exe41⤵
- Executes dropped EXE
PID:1092 -
\??\c:\9hthbn.exec:\9hthbn.exe42⤵
- Executes dropped EXE
PID:4536 -
\??\c:\lxfrllx.exec:\lxfrllx.exe43⤵
- Executes dropped EXE
PID:4868 -
\??\c:\5fxrlfr.exec:\5fxrlfr.exe44⤵
- Executes dropped EXE
PID:4456 -
\??\c:\llxllff.exec:\llxllff.exe45⤵
- Executes dropped EXE
PID:1036 -
\??\c:\3xrlrlf.exec:\3xrlrlf.exe46⤵
- Executes dropped EXE
PID:4460 -
\??\c:\ppddv.exec:\ppddv.exe47⤵
- Executes dropped EXE
PID:872 -
\??\c:\jdjvv.exec:\jdjvv.exe48⤵
- Executes dropped EXE
PID:2480 -
\??\c:\jjvvp.exec:\jjvvp.exe49⤵
- Executes dropped EXE
PID:3728 -
\??\c:\pppjd.exec:\pppjd.exe50⤵
- Executes dropped EXE
PID:4828 -
\??\c:\jvvvj.exec:\jvvvj.exe51⤵
- Executes dropped EXE
PID:1496 -
\??\c:\pdppj.exec:\pdppj.exe52⤵
- Executes dropped EXE
PID:4448 -
\??\c:\9ddpd.exec:\9ddpd.exe53⤵
- Executes dropped EXE
PID:4724 -
\??\c:\pdppp.exec:\pdppp.exe54⤵
- Executes dropped EXE
PID:4068 -
\??\c:\bbtbtt.exec:\bbtbtt.exe55⤵
- Executes dropped EXE
PID:1548 -
\??\c:\nnbtbt.exec:\nnbtbt.exe56⤵
- Executes dropped EXE
PID:1560 -
\??\c:\3htnhh.exec:\3htnhh.exe57⤵
- Executes dropped EXE
PID:4056 -
\??\c:\htnhtt.exec:\htnhtt.exe58⤵
- Executes dropped EXE
PID:2620 -
\??\c:\bnnhbb.exec:\bnnhbb.exe59⤵
- Executes dropped EXE
PID:5020 -
\??\c:\5thbnh.exec:\5thbnh.exe60⤵
- Executes dropped EXE
PID:1464 -
\??\c:\nhbthh.exec:\nhbthh.exe61⤵
- Executes dropped EXE
PID:4600 -
\??\c:\lfflfxl.exec:\lfflfxl.exe62⤵
- Executes dropped EXE
PID:5036 -
\??\c:\llrrrrr.exec:\llrrrrr.exe63⤵
- Executes dropped EXE
PID:1800 -
\??\c:\flxfrlx.exec:\flxfrlx.exe64⤵
- Executes dropped EXE
PID:112 -
\??\c:\lxrfxxr.exec:\lxrfxxr.exe65⤵
- Executes dropped EXE
PID:312 -
\??\c:\xxlrxlr.exec:\xxlrxlr.exe66⤵PID:4784
-
\??\c:\1lrrrll.exec:\1lrrrll.exe67⤵PID:1344
-
\??\c:\rrrlffx.exec:\rrrlffx.exe68⤵PID:4420
-
\??\c:\rrxrfll.exec:\rrxrfll.exe69⤵PID:452
-
\??\c:\jjdvv.exec:\jjdvv.exe70⤵PID:2680
-
\??\c:\vdjjj.exec:\vdjjj.exe71⤵PID:1932
-
\??\c:\7ppjd.exec:\7ppjd.exe72⤵PID:1980
-
\??\c:\jjjdd.exec:\jjjdd.exe73⤵PID:4412
-
\??\c:\rrxxxff.exec:\rrxxxff.exe74⤵PID:4872
-
\??\c:\rlxffrl.exec:\rlxffrl.exe75⤵PID:5088
-
\??\c:\xfllxfl.exec:\xfllxfl.exe76⤵PID:3096
-
\??\c:\lfrfxfl.exec:\lfrfxfl.exe77⤵PID:4080
-
\??\c:\xfxxxff.exec:\xfxxxff.exe78⤵PID:1352
-
\??\c:\rrfrrrr.exec:\rrfrrrr.exe79⤵
- System Location Discovery: System Language Discovery
PID:4952 -
\??\c:\ffffxxl.exec:\ffffxxl.exe80⤵PID:2608
-
\??\c:\3rfxrrr.exec:\3rfxrrr.exe81⤵PID:5072
-
\??\c:\nnbbhh.exec:\nnbbhh.exe82⤵
- System Location Discovery: System Language Discovery
PID:220 -
\??\c:\thttbt.exec:\thttbt.exe83⤵PID:3600
-
\??\c:\llffllx.exec:\llffllx.exe84⤵PID:4248
-
\??\c:\llxxrrl.exec:\llxxrrl.exe85⤵PID:3088
-
\??\c:\xxfxxxr.exec:\xxfxxxr.exe86⤵PID:4796
-
\??\c:\5fxrllf.exec:\5fxrllf.exe87⤵PID:4072
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe88⤵PID:4660
-
\??\c:\pjvpp.exec:\pjvpp.exe89⤵PID:4440
-
\??\c:\jpvvp.exec:\jpvvp.exe90⤵
- System Location Discovery: System Language Discovery
PID:4020 -
\??\c:\jjvvj.exec:\jjvvj.exe91⤵PID:4240
-
\??\c:\dpvpp.exec:\dpvpp.exe92⤵PID:3732
-
\??\c:\rrrrrrx.exec:\rrrrrrx.exe93⤵PID:3616
-
\??\c:\lrfxrff.exec:\lrfxrff.exe94⤵PID:4352
-
\??\c:\bnbbbh.exec:\bnbbbh.exe95⤵PID:3764
-
\??\c:\xfxxffx.exec:\xfxxffx.exe96⤵PID:1036
-
\??\c:\9xfxrrf.exec:\9xfxrrf.exe97⤵
- System Location Discovery: System Language Discovery
PID:636 -
\??\c:\1xxrffr.exec:\1xxrffr.exe98⤵PID:2504
-
\??\c:\rrxxrxx.exec:\rrxxrxx.exe99⤵PID:2480
-
\??\c:\7lxrfxr.exec:\7lxrfxr.exe100⤵PID:3728
-
\??\c:\1xrlfrl.exec:\1xrlfrl.exe101⤵PID:4828
-
\??\c:\ppvpv.exec:\ppvpv.exe102⤵PID:3664
-
\??\c:\3djdv.exec:\3djdv.exe103⤵PID:1660
-
\??\c:\dvjjj.exec:\dvjjj.exe104⤵PID:3364
-
\??\c:\pjpjj.exec:\pjpjj.exe105⤵PID:3816
-
\??\c:\1djdp.exec:\1djdp.exe106⤵PID:1560
-
\??\c:\dvvpd.exec:\dvvpd.exe107⤵PID:320
-
\??\c:\nbbtnh.exec:\nbbtnh.exe108⤵PID:4380
-
\??\c:\ttbbnn.exec:\ttbbnn.exe109⤵PID:3132
-
\??\c:\hhnbnn.exec:\hhnbnn.exe110⤵PID:2000
-
\??\c:\tbhbnn.exec:\tbhbnn.exe111⤵PID:5008
-
\??\c:\xrrlllf.exec:\xrrlllf.exe112⤵PID:4624
-
\??\c:\lfrlffx.exec:\lfrlffx.exe113⤵PID:3608
-
\??\c:\xrffrxf.exec:\xrffrxf.exe114⤵PID:3056
-
\??\c:\lffxllf.exec:\lffxllf.exe115⤵PID:5028
-
\??\c:\fxrlffx.exec:\fxrlffx.exe116⤵PID:2060
-
\??\c:\pvvjd.exec:\pvvjd.exe117⤵PID:4632
-
\??\c:\ddpjp.exec:\ddpjp.exe118⤵PID:5100
-
\??\c:\vvpjv.exec:\vvpjv.exe119⤵PID:3484
-
\??\c:\1pvvd.exec:\1pvvd.exe120⤵PID:1844
-
\??\c:\pdppp.exec:\pdppp.exe121⤵PID:4476
-
\??\c:\vvvdj.exec:\vvvdj.exe122⤵
- System Location Discovery: System Language Discovery
PID:1696