Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
04-12-2024 01:38
Behavioral task
behavioral1
Sample
af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7.exe
-
Size
3.7MB
-
MD5
e75d344ff5f22d55af9afad5f6c12868
-
SHA1
87168079e491c71a6fd1bc216685abd3324a9b68
-
SHA256
af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7
-
SHA512
a10474160df0f4510dfd3155a7cf862bb200b67cb2f87194119d8b4c569ebec6ba39540d617f455567439c12522a7cc33a140a60bbdf3c3db8a925a1a19da517
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF988:U6XLq/qPPslzKx/dJg1ErmNB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3184-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/444-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3388-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1080-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2388-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1020-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4752-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/612-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5040-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-432-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-499-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/364-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-570-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-586-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-623-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-630-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-646-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-966-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2536-1202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2220-1529-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2376 nnnttb.exe 2864 vvdvj.exe 4988 rlrllfx.exe 1504 thbnnh.exe 4624 djpdv.exe 1476 jddvp.exe 4404 vdjvp.exe 2680 jpdpj.exe 1656 vddpd.exe 3600 pjppp.exe 444 lxfrffr.exe 2876 pvvpp.exe 376 hbthbt.exe 3388 dpvjd.exe 3728 rxxlfxl.exe 4208 tbhbtn.exe 2612 vjvdd.exe 2380 frlfxlf.exe 2616 lrrfxfr.exe 116 nhnbtb.exe 4248 nhtntn.exe 3580 xxxxxrf.exe 3604 jdddv.exe 2504 pdjjd.exe 3556 rffxrrl.exe 5028 5bhbtt.exe 1080 rrxxrrr.exe 2388 pdvdp.exe 1340 bhnbtn.exe 2192 tnhhbb.exe 1580 bhtnhb.exe 884 nntntn.exe 3664 vjdjv.exe 3732 pdvvv.exe 1972 pjpjd.exe 4884 pjdvp.exe 1020 jdpdd.exe 4752 pjjdj.exe 3328 ppvvv.exe 612 vdjdv.exe 3988 dvjpp.exe 3624 vppdp.exe 3040 xlfrfxl.exe 4768 frxllfx.exe 4544 lrlfxxr.exe 2672 1djvp.exe 4388 jpjdp.exe 4440 djjdv.exe 1532 vpppj.exe 1876 dvjdp.exe 2376 ppvjv.exe 4072 nhhbnb.exe 3668 nhhbtn.exe 4988 nhhbtn.exe 628 lxrfxrl.exe 752 lfxlxrf.exe 1656 flrlrlf.exe 1268 lxfxrrl.exe 1480 rxxlxlx.exe 2876 fxllllr.exe 3056 7flxllx.exe 4100 pvdvd.exe 3388 jjdvp.exe 3612 vjjvj.exe -
resource yara_rule behavioral2/memory/3184-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b6d-3.dat upx behavioral2/memory/3184-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-9.dat upx behavioral2/memory/2864-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2376-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-14.dat upx behavioral2/files/0x000a000000023b74-21.dat upx behavioral2/memory/1504-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4988-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b6e-30.dat upx behavioral2/memory/1504-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4624-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b75-35.dat upx behavioral2/files/0x000a000000023b76-39.dat upx behavioral2/memory/4404-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1476-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4404-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-49.dat upx behavioral2/files/0x000a000000023b78-51.dat upx behavioral2/memory/2680-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-58.dat upx behavioral2/memory/1656-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-64.dat upx behavioral2/memory/3600-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-69.dat upx behavioral2/memory/444-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-74.dat upx behavioral2/memory/2876-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-82.dat upx 
behavioral2/memory/3388-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-86.dat upx behavioral2/files/0x000a000000023b7f-91.dat upx behavioral2/memory/3728-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-96.dat upx behavioral2/memory/4208-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-104.dat upx behavioral2/files/0x000a000000023b82-107.dat upx behavioral2/memory/2380-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-113.dat upx behavioral2/memory/2616-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-119.dat upx behavioral2/memory/116-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-125.dat upx behavioral2/files/0x000a000000023b86-130.dat upx behavioral2/memory/3580-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-136.dat upx behavioral2/memory/3604-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-142.dat upx behavioral2/files/0x000a000000023b89-147.dat upx behavioral2/files/0x000a000000023b8a-152.dat upx behavioral2/files/0x000a000000023b8b-157.dat upx behavioral2/memory/1080-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-163.dat upx behavioral2/memory/2388-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-169.dat upx behavioral2/memory/2192-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-175.dat upx behavioral2/files/0x000a000000023b8f-182.dat upx behavioral2/memory/1580-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/884-187-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4884-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1020-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4752-208-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxflxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlfr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3184 wrote to memory of 2376 3184 af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7.exe 83 PID 3184 wrote to memory of 2376 3184 af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7.exe 83 PID 3184 wrote to memory of 2376 3184 af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7.exe 83 PID 2376 wrote to memory of 2864 2376 nnnttb.exe 84 PID 2376 wrote to memory of 2864 2376 nnnttb.exe 84 PID 2376 wrote to memory of 2864 2376 nnnttb.exe 84 PID 2864 wrote to memory of 4988 2864 vvdvj.exe 85 PID 2864 wrote to memory of 4988 2864 vvdvj.exe 85 PID 2864 wrote to memory of 4988 2864 vvdvj.exe 85 PID 4988 wrote to memory of 1504 4988 rlrllfx.exe 86 PID 4988 wrote to memory of 1504 4988 rlrllfx.exe 86 PID 4988 wrote to memory of 1504 4988 rlrllfx.exe 86 PID 1504 wrote to memory of 4624 1504 thbnnh.exe 87 PID 1504 wrote to memory of 4624 1504 thbnnh.exe 87 PID 1504 wrote to memory of 4624 1504 thbnnh.exe 87 PID 4624 wrote to memory of 1476 4624 djpdv.exe 88 PID 4624 wrote to memory of 1476 4624 djpdv.exe 88 PID 4624 wrote to memory of 1476 4624 djpdv.exe 88 PID 1476 wrote to memory of 4404 1476 jddvp.exe 89 PID 1476 wrote to memory of 4404 1476 jddvp.exe 89 PID 1476 wrote to memory of 4404 1476 jddvp.exe 89 PID 4404 wrote to memory of 2680 4404 vdjvp.exe 90 PID 4404 wrote to memory of 2680 4404 vdjvp.exe 90 PID 4404 wrote to memory of 2680 4404 vdjvp.exe 90 PID 2680 wrote to memory of 1656 2680 jpdpj.exe 91 PID 2680 wrote to memory of 1656 2680 jpdpj.exe 91 PID 2680 wrote to memory of 1656 2680 jpdpj.exe 91 PID 1656 wrote to memory of 3600 1656 vddpd.exe 92 PID 1656 wrote to memory of 3600 1656 vddpd.exe 92 PID 1656 wrote to memory of 3600 1656 vddpd.exe 92 PID 3600 wrote to memory of 444 3600 pjppp.exe 93 PID 3600 wrote to memory of 444 3600 pjppp.exe 93 PID 3600 wrote to memory of 444 3600 pjppp.exe 93 PID 444 wrote to memory of 2876 444 lxfrffr.exe 94 PID 444 wrote to memory of 2876 444 
lxfrffr.exe 94 PID 444 wrote to memory of 2876 444 lxfrffr.exe 94 PID 2876 wrote to memory of 376 2876 pvvpp.exe 95 PID 2876 wrote to memory of 376 2876 pvvpp.exe 95 PID 2876 wrote to memory of 376 2876 pvvpp.exe 95 PID 376 wrote to memory of 3388 376 hbthbt.exe 96 PID 376 wrote to memory of 3388 376 hbthbt.exe 96 PID 376 wrote to memory of 3388 376 hbthbt.exe 96 PID 3388 wrote to memory of 3728 3388 dpvjd.exe 97 PID 3388 wrote to memory of 3728 3388 dpvjd.exe 97 PID 3388 wrote to memory of 3728 3388 dpvjd.exe 97 PID 3728 wrote to memory of 4208 3728 rxxlfxl.exe 98 PID 3728 wrote to memory of 4208 3728 rxxlfxl.exe 98 PID 3728 wrote to memory of 4208 3728 rxxlfxl.exe 98 PID 4208 wrote to memory of 2612 4208 tbhbtn.exe 99 PID 4208 wrote to memory of 2612 4208 tbhbtn.exe 99 PID 4208 wrote to memory of 2612 4208 tbhbtn.exe 99 PID 2612 wrote to memory of 2380 2612 vjvdd.exe 100 PID 2612 wrote to memory of 2380 2612 vjvdd.exe 100 PID 2612 wrote to memory of 2380 2612 vjvdd.exe 100 PID 2380 wrote to memory of 2616 2380 frlfxlf.exe 101 PID 2380 wrote to memory of 2616 2380 frlfxlf.exe 101 PID 2380 wrote to memory of 2616 2380 frlfxlf.exe 101 PID 2616 wrote to memory of 116 2616 lrrfxfr.exe 102 PID 2616 wrote to memory of 116 2616 lrrfxfr.exe 102 PID 2616 wrote to memory of 116 2616 lrrfxfr.exe 102 PID 116 wrote to memory of 4248 116 nhnbtb.exe 103 PID 116 wrote to memory of 4248 116 nhnbtb.exe 103 PID 116 wrote to memory of 4248 116 nhnbtb.exe 103 PID 4248 wrote to memory of 3580 4248 nhtntn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7.exe"C:\Users\Admin\AppData\Local\Temp\af8dc32ec71b8761c8652e6fb1a9b50933cedd296dc73434b991e7a98c20f9e7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\nnnttb.exec:\nnnttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\vvdvj.exec:\vvdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\rlrllfx.exec:\rlrllfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\thbnnh.exec:\thbnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\djpdv.exec:\djpdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\jddvp.exec:\jddvp.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\vdjvp.exec:\vdjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\jpdpj.exec:\jpdpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\vddpd.exec:\vddpd.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\pjppp.exec:\pjppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\lxfrffr.exec:\lxfrffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\pvvpp.exec:\pvvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\hbthbt.exec:\hbthbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\dpvjd.exec:\dpvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\rxxlfxl.exec:\rxxlfxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\tbhbtn.exec:\tbhbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\vjvdd.exec:\vjvdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\frlfxlf.exec:\frlfxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\lrrfxfr.exec:\lrrfxfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\nhnbtb.exec:\nhnbtb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\nhtntn.exec:\nhtntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\xxxxxrf.exec:\xxxxxrf.exe23⤵
- Executes dropped EXE
PID:3580 -
\??\c:\jdddv.exec:\jdddv.exe24⤵
- Executes dropped EXE
PID:3604 -
\??\c:\pdjjd.exec:\pdjjd.exe25⤵
- Executes dropped EXE
PID:2504 -
\??\c:\rffxrrl.exec:\rffxrrl.exe26⤵
- Executes dropped EXE
PID:3556 -
\??\c:\5bhbtt.exec:\5bhbtt.exe27⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe28⤵
- Executes dropped EXE
PID:1080 -
\??\c:\pdvdp.exec:\pdvdp.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
\??\c:\bhnbtn.exec:\bhnbtn.exe30⤵
- Executes dropped EXE
PID:1340 -
\??\c:\tnhhbb.exec:\tnhhbb.exe31⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bhtnhb.exec:\bhtnhb.exe32⤵
- Executes dropped EXE
PID:1580 -
\??\c:\nntntn.exec:\nntntn.exe33⤵
- Executes dropped EXE
PID:884 -
\??\c:\vjdjv.exec:\vjdjv.exe34⤵
- Executes dropped EXE
PID:3664 -
\??\c:\pdvvv.exec:\pdvvv.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3732 -
\??\c:\pjpjd.exec:\pjpjd.exe36⤵
- Executes dropped EXE
PID:1972 -
\??\c:\pjdvp.exec:\pjdvp.exe37⤵
- Executes dropped EXE
PID:4884 -
\??\c:\jdpdd.exec:\jdpdd.exe38⤵
- Executes dropped EXE
PID:1020 -
\??\c:\pjjdj.exec:\pjjdj.exe39⤵
- Executes dropped EXE
PID:4752 -
\??\c:\ppvvv.exec:\ppvvv.exe40⤵
- Executes dropped EXE
PID:3328 -
\??\c:\vdjdv.exec:\vdjdv.exe41⤵
- Executes dropped EXE
PID:612 -
\??\c:\dvjpp.exec:\dvjpp.exe42⤵
- Executes dropped EXE
PID:3988 -
\??\c:\vppdp.exec:\vppdp.exe43⤵
- Executes dropped EXE
PID:3624 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe44⤵
- Executes dropped EXE
PID:3040 -
\??\c:\frxllfx.exec:\frxllfx.exe45⤵
- Executes dropped EXE
PID:4768 -
\??\c:\lrlfxxr.exec:\lrlfxxr.exe46⤵
- Executes dropped EXE
PID:4544 -
\??\c:\1djvp.exec:\1djvp.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\jpjdp.exec:\jpjdp.exe48⤵
- Executes dropped EXE
PID:4388 -
\??\c:\djjdv.exec:\djjdv.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440 -
\??\c:\vpppj.exec:\vpppj.exe50⤵
- Executes dropped EXE
PID:1532 -
\??\c:\dvjdp.exec:\dvjdp.exe51⤵
- Executes dropped EXE
PID:1876 -
\??\c:\ppvjv.exec:\ppvjv.exe52⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nhhbnb.exec:\nhhbnb.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4072 -
\??\c:\nhhbtn.exec:\nhhbtn.exe54⤵
- Executes dropped EXE
PID:3668 -
\??\c:\nhhbtn.exec:\nhhbtn.exe55⤵
- Executes dropped EXE
PID:4988 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe56⤵
- Executes dropped EXE
PID:628 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe57⤵
- Executes dropped EXE
PID:752 -
\??\c:\flrlrlf.exec:\flrlrlf.exe58⤵
- Executes dropped EXE
PID:1656 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe59⤵
- Executes dropped EXE
PID:1268 -
\??\c:\rxxlxlx.exec:\rxxlxlx.exe60⤵
- Executes dropped EXE
PID:1480 -
\??\c:\fxllllr.exec:\fxllllr.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
\??\c:\7flxllx.exec:\7flxllx.exe62⤵
- Executes dropped EXE
PID:3056 -
\??\c:\pvdvd.exec:\pvdvd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4100 -
\??\c:\jjdvp.exec:\jjdvp.exe64⤵
- Executes dropped EXE
PID:3388 -
\??\c:\vjjvj.exec:\vjjvj.exe65⤵
- Executes dropped EXE
PID:3612 -
\??\c:\jddvj.exec:\jddvj.exe66⤵PID:1812
-
\??\c:\nntnbn.exec:\nntnbn.exe67⤵PID:3536
-
\??\c:\nbbttn.exec:\nbbttn.exe68⤵PID:3528
-
\??\c:\nnnhtn.exec:\nnnhtn.exe69⤵PID:2248
-
\??\c:\xxxxlfr.exec:\xxxxlfr.exe70⤵PID:2380
-
\??\c:\fxxrrxr.exec:\fxxrrxr.exe71⤵PID:1632
-
\??\c:\7xfxfff.exec:\7xfxfff.exe72⤵PID:2744
-
\??\c:\vddjd.exec:\vddjd.exe73⤵PID:2384
-
\??\c:\pvdvp.exec:\pvdvp.exe74⤵PID:1540
-
\??\c:\pvpjv.exec:\pvpjv.exe75⤵PID:3580
-
\??\c:\tbthth.exec:\tbthth.exe76⤵PID:1220
-
\??\c:\hbthht.exec:\hbthht.exe77⤵PID:4812
-
\??\c:\nthbnn.exec:\nthbnn.exe78⤵PID:2504
-
\??\c:\xrrfrlx.exec:\xrrfrlx.exe79⤵PID:1588
-
\??\c:\frfrlfr.exec:\frfrlfr.exe80⤵PID:5040
-
\??\c:\lflfxrl.exec:\lflfxrl.exe81⤵PID:3540
-
\??\c:\lrrflfx.exec:\lrrflfx.exe82⤵
- System Location Discovery: System Language Discovery
PID:216 -
\??\c:\9flxfff.exec:\9flxfff.exe83⤵PID:1456
-
\??\c:\vjvpp.exec:\vjvpp.exe84⤵PID:3700
-
\??\c:\jvdvj.exec:\jvdvj.exe85⤵PID:1580
-
\??\c:\djjvj.exec:\djjvj.exe86⤵PID:884
-
\??\c:\bnhthb.exec:\bnhthb.exe87⤵PID:956
-
\??\c:\nhnbhn.exec:\nhnbhn.exe88⤵PID:1836
-
\??\c:\hhhtht.exec:\hhhtht.exe89⤵PID:4652
-
\??\c:\hhbhth.exec:\hhbhth.exe90⤵PID:1512
-
\??\c:\ttnhtn.exec:\ttnhtn.exe91⤵PID:2220
-
\??\c:\hbhbnh.exec:\hbhbnh.exe92⤵
- System Location Discovery: System Language Discovery
PID:1020 -
\??\c:\bttnnn.exec:\bttnnn.exe93⤵PID:4592
-
\??\c:\hhhtnh.exec:\hhhtnh.exe94⤵PID:4916
-
\??\c:\xlffrlx.exec:\xlffrlx.exe95⤵PID:2588
-
\??\c:\xfrrrlf.exec:\xfrrrlf.exe96⤵PID:1360
-
\??\c:\fxrrxlr.exec:\fxrrxlr.exe97⤵PID:4732
-
\??\c:\jpddv.exec:\jpddv.exe98⤵PID:1356
-
\??\c:\dppdv.exec:\dppdv.exe99⤵PID:4428
-
\??\c:\dvdvj.exec:\dvdvj.exe100⤵PID:2556
-
\??\c:\djpjv.exec:\djpjv.exe101⤵PID:4376
-
\??\c:\htnhtn.exec:\htnhtn.exe102⤵PID:1280
-
\??\c:\ththbt.exec:\ththbt.exe103⤵PID:3184
-
\??\c:\tbhhbb.exec:\tbhhbb.exe104⤵PID:4460
-
\??\c:\hnbhbb.exec:\hnbhbb.exe105⤵PID:4380
-
\??\c:\nbhbhb.exec:\nbhbhb.exe106⤵PID:752
-
\??\c:\nhntnb.exec:\nhntnb.exe107⤵PID:1860
-
\??\c:\btbttt.exec:\btbttt.exe108⤵PID:4624
-
\??\c:\htbtnh.exec:\htbtnh.exe109⤵PID:3224
-
\??\c:\xxfrlxr.exec:\xxfrlxr.exe110⤵PID:376
-
\??\c:\rrxrfxl.exec:\rrxrfxl.exe111⤵PID:2548
-
\??\c:\xfrllxr.exec:\xfrllxr.exe112⤵PID:3120
-
\??\c:\rffxrfx.exec:\rffxrfx.exe113⤵
- System Location Discovery: System Language Discovery
PID:4100 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe114⤵PID:3728
-
\??\c:\xxffxrl.exec:\xxffxrl.exe115⤵PID:4528
-
\??\c:\lfxllfl.exec:\lfxllfl.exe116⤵PID:1888
-
\??\c:\pppdv.exec:\pppdv.exe117⤵PID:3536
-
\??\c:\pjjvj.exec:\pjjvj.exe118⤵PID:3528
-
\??\c:\vvvjd.exec:\vvvjd.exe119⤵
- System Location Discovery: System Language Discovery
PID:2248 -
\??\c:\bbhtnh.exec:\bbhtnh.exe120⤵PID:1704
-
\??\c:\hbtbbn.exec:\hbtbbn.exe121⤵PID:3496
-
\??\c:\xffxlfr.exec:\xffxlfr.exe122⤵PID:4860