Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0.exe
-
Size
454KB
-
MD5
43c1c7cb96a737ca40e8b50b17804728
-
SHA1
f84413491b80f000495ed48944238c0eaabd9aff
-
SHA256
6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0
-
SHA512
04e4c15dc5fcad53b218b1561e2e261bd05f32a48baab99462a9b6263b938b096b693408c162d012b384c8c7b12bf5571f9a191d68e4cf477b96c1c3b56c7451
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3460-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2328-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4064-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-1015-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-1058-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-1146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2024-1283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4272 djvpj.exe 2952 nhnntt.exe 3388 vjdvj.exe 1828 rrrlffx.exe 1272 hbbttt.exe 3468 nnhnnh.exe 3484 ppppp.exe 2700 xrrlfrr.exe 3488 hnnhbt.exe 3848 pjjdv.exe 380 xrrlfxr.exe 3528 hnthbt.exe 1016 dvdvv.exe 1924 dpdvv.exe 5024 rlflrlr.exe 3016 5lxrfxl.exe 1216 rffxlfx.exe 2732 rffrfxr.exe 3588 jdpjj.exe 1548 llrlfxr.exe 3268 5vpjd.exe 408 dvdpd.exe 3416 lxxlfrl.exe 1744 htbbbn.exe 1636 pvpjd.exe 1776 7fxrlrf.exe 1252 bthbtt.exe 5096 vppvv.exe 2264 lxrlfff.exe 1948 nttnnh.exe 2328 dvvjd.exe 3244 hbbtnh.exe 3052 pjpjd.exe 3664 httnnn.exe 1772 vjjvp.exe 964 xllfxrl.exe 1888 bbhtnb.exe 2132 pdjdp.exe 1780 xflfxxr.exe 636 llxrrxf.exe 3760 pvvpj.exe 4360 frrlfxr.exe 4932 bnbhbb.exe 2848 hbhtnh.exe 4660 jjvjp.exe 2172 fllfrxr.exe 4816 tnbthh.exe 2368 tnnbtt.exe 2228 dvjdd.exe 3960 llxrffx.exe 3540 bhnhbb.exe 3096 5pvjv.exe 216 djddv.exe 4468 7rlrflx.exe 3460 nbbhbt.exe 3312 pvvvj.exe 4624 xlrfxrl.exe 2288 ththnh.exe 3112 vvvvj.exe 3332 rlrrlll.exe 708 bntnnn.exe 1568 hhtnhb.exe 3484 1pdpv.exe 2552 flffxxr.exe -
resource yara_rule behavioral2/memory/3460-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3052-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-401-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3372-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-985-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-988-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3460 wrote to memory of 4272 3460 6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0.exe 82 PID 3460 wrote to memory of 4272 3460 6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0.exe 82 PID 3460 wrote to memory of 4272 3460 6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0.exe 82 PID 4272 wrote to memory of 2952 4272 djvpj.exe 83 PID 4272 wrote to memory of 2952 4272 djvpj.exe 83 PID 4272 wrote to memory of 2952 4272 djvpj.exe 83 PID 2952 wrote to memory of 3388 2952 nhnntt.exe 84 PID 2952 wrote to memory of 3388 2952 nhnntt.exe 84 PID 2952 wrote to memory of 3388 2952 nhnntt.exe 84 PID 3388 wrote to memory of 1828 3388 vjdvj.exe 85 PID 3388 wrote to memory of 1828 3388 vjdvj.exe 85 PID 3388 wrote to memory of 1828 3388 vjdvj.exe 85 PID 1828 wrote to memory of 1272 1828 rrrlffx.exe 86 PID 1828 wrote to memory of 1272 1828 rrrlffx.exe 86 PID 1828 wrote to memory of 1272 1828 rrrlffx.exe 86 PID 1272 wrote to memory of 3468 1272 hbbttt.exe 87 PID 1272 wrote to memory of 3468 1272 hbbttt.exe 87 PID 1272 wrote to memory of 3468 1272 hbbttt.exe 87 PID 3468 wrote to memory of 3484 3468 nnhnnh.exe 88 PID 3468 wrote to memory of 3484 3468 nnhnnh.exe 88 PID 3468 wrote to memory of 3484 3468 nnhnnh.exe 88 PID 3484 wrote to memory of 2700 3484 ppppp.exe 89 PID 3484 wrote to memory of 2700 3484 ppppp.exe 89 PID 3484 wrote to memory of 2700 3484 ppppp.exe 89 PID 2700 wrote to memory of 3488 2700 xrrlfrr.exe 90 PID 2700 wrote to memory of 3488 2700 xrrlfrr.exe 90 PID 2700 wrote to memory of 3488 2700 xrrlfrr.exe 90 PID 3488 wrote to memory of 3848 3488 hnnhbt.exe 91 PID 3488 wrote to memory of 3848 3488 hnnhbt.exe 91 PID 3488 wrote to memory of 3848 3488 hnnhbt.exe 91 PID 3848 wrote to memory of 380 3848 pjjdv.exe 92 PID 3848 wrote to memory of 380 3848 pjjdv.exe 92 PID 3848 wrote to memory of 380 3848 pjjdv.exe 92 PID 380 wrote to memory of 3528 380 xrrlfxr.exe 93 PID 380 wrote to memory of 
3528 380 xrrlfxr.exe 93 PID 380 wrote to memory of 3528 380 xrrlfxr.exe 93 PID 3528 wrote to memory of 1016 3528 hnthbt.exe 94 PID 3528 wrote to memory of 1016 3528 hnthbt.exe 94 PID 3528 wrote to memory of 1016 3528 hnthbt.exe 94 PID 1016 wrote to memory of 1924 1016 dvdvv.exe 95 PID 1016 wrote to memory of 1924 1016 dvdvv.exe 95 PID 1016 wrote to memory of 1924 1016 dvdvv.exe 95 PID 1924 wrote to memory of 5024 1924 dpdvv.exe 96 PID 1924 wrote to memory of 5024 1924 dpdvv.exe 96 PID 1924 wrote to memory of 5024 1924 dpdvv.exe 96 PID 5024 wrote to memory of 3016 5024 rlflrlr.exe 97 PID 5024 wrote to memory of 3016 5024 rlflrlr.exe 97 PID 5024 wrote to memory of 3016 5024 rlflrlr.exe 97 PID 3016 wrote to memory of 1216 3016 5lxrfxl.exe 98 PID 3016 wrote to memory of 1216 3016 5lxrfxl.exe 98 PID 3016 wrote to memory of 1216 3016 5lxrfxl.exe 98 PID 1216 wrote to memory of 2732 1216 rffxlfx.exe 99 PID 1216 wrote to memory of 2732 1216 rffxlfx.exe 99 PID 1216 wrote to memory of 2732 1216 rffxlfx.exe 99 PID 2732 wrote to memory of 3588 2732 rffrfxr.exe 100 PID 2732 wrote to memory of 3588 2732 rffrfxr.exe 100 PID 2732 wrote to memory of 3588 2732 rffrfxr.exe 100 PID 3588 wrote to memory of 1548 3588 jdpjj.exe 101 PID 3588 wrote to memory of 1548 3588 jdpjj.exe 101 PID 3588 wrote to memory of 1548 3588 jdpjj.exe 101 PID 1548 wrote to memory of 3268 1548 llrlfxr.exe 102 PID 1548 wrote to memory of 3268 1548 llrlfxr.exe 102 PID 1548 wrote to memory of 3268 1548 llrlfxr.exe 102 PID 3268 wrote to memory of 408 3268 5vpjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0.exe"C:\Users\Admin\AppData\Local\Temp\6afddd7fd533b2b6d7f7d21d42b326d94a3f53508010b0058d613ddadcf3f1a0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\djvpj.exec:\djvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\nhnntt.exec:\nhnntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\vjdvj.exec:\vjdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\rrrlffx.exec:\rrrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\hbbttt.exec:\hbbttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\nnhnnh.exec:\nnhnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\ppppp.exec:\ppppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\xrrlfrr.exec:\xrrlfrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\hnnhbt.exec:\hnnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\pjjdv.exec:\pjjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\hnthbt.exec:\hnthbt.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\dvdvv.exec:\dvdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\dpdvv.exec:\dpdvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\rlflrlr.exec:\rlflrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\5lxrfxl.exec:\5lxrfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\rffxlfx.exec:\rffxlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\rffrfxr.exec:\rffrfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\jdpjj.exec:\jdpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\llrlfxr.exec:\llrlfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\5vpjd.exec:\5vpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\dvdpd.exec:\dvdpd.exe23⤵
- Executes dropped EXE
PID:408 -
\??\c:\lxxlfrl.exec:\lxxlfrl.exe24⤵
- Executes dropped EXE
PID:3416 -
\??\c:\htbbbn.exec:\htbbbn.exe25⤵
- Executes dropped EXE
PID:1744 -
\??\c:\pvpjd.exec:\pvpjd.exe26⤵
- Executes dropped EXE
PID:1636 -
\??\c:\7fxrlrf.exec:\7fxrlrf.exe27⤵
- Executes dropped EXE
PID:1776 -
\??\c:\bthbtt.exec:\bthbtt.exe28⤵
- Executes dropped EXE
PID:1252 -
\??\c:\vppvv.exec:\vppvv.exe29⤵
- Executes dropped EXE
PID:5096 -
\??\c:\lxrlfff.exec:\lxrlfff.exe30⤵
- Executes dropped EXE
PID:2264 -
\??\c:\nttnnh.exec:\nttnnh.exe31⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dvvjd.exec:\dvvjd.exe32⤵
- Executes dropped EXE
PID:2328 -
\??\c:\hbbtnh.exec:\hbbtnh.exe33⤵
- Executes dropped EXE
PID:3244 -
\??\c:\pjpjd.exec:\pjpjd.exe34⤵
- Executes dropped EXE
PID:3052 -
\??\c:\httnnn.exec:\httnnn.exe35⤵
- Executes dropped EXE
PID:3664 -
\??\c:\vjjvp.exec:\vjjvp.exe36⤵
- Executes dropped EXE
PID:1772 -
\??\c:\xllfxrl.exec:\xllfxrl.exe37⤵
- Executes dropped EXE
PID:964 -
\??\c:\bbhtnb.exec:\bbhtnb.exe38⤵
- Executes dropped EXE
PID:1888 -
\??\c:\pdjdp.exec:\pdjdp.exe39⤵
- Executes dropped EXE
PID:2132 -
\??\c:\xflfxxr.exec:\xflfxxr.exe40⤵
- Executes dropped EXE
PID:1780 -
\??\c:\llxrrxf.exec:\llxrrxf.exe41⤵
- Executes dropped EXE
PID:636 -
\??\c:\pvvpj.exec:\pvvpj.exe42⤵
- Executes dropped EXE
PID:3760 -
\??\c:\frrlfxr.exec:\frrlfxr.exe43⤵
- Executes dropped EXE
PID:4360 -
\??\c:\bnbhbb.exec:\bnbhbb.exe44⤵
- Executes dropped EXE
PID:4932 -
\??\c:\hbhtnh.exec:\hbhtnh.exe45⤵
- Executes dropped EXE
PID:2848 -
\??\c:\jjvjp.exec:\jjvjp.exe46⤵
- Executes dropped EXE
PID:4660 -
\??\c:\fllfrxr.exec:\fllfrxr.exe47⤵
- Executes dropped EXE
PID:2172 -
\??\c:\tnbthh.exec:\tnbthh.exe48⤵
- Executes dropped EXE
PID:4816 -
\??\c:\tnnbtt.exec:\tnnbtt.exe49⤵
- Executes dropped EXE
PID:2368 -
\??\c:\dvjdd.exec:\dvjdd.exe50⤵
- Executes dropped EXE
PID:2228 -
\??\c:\llxrffx.exec:\llxrffx.exe51⤵
- Executes dropped EXE
PID:3960 -
\??\c:\bhnhbb.exec:\bhnhbb.exe52⤵
- Executes dropped EXE
PID:3540 -
\??\c:\5pvjv.exec:\5pvjv.exe53⤵
- Executes dropped EXE
PID:3096 -
\??\c:\djddv.exec:\djddv.exe54⤵
- Executes dropped EXE
PID:216 -
\??\c:\7rlrflx.exec:\7rlrflx.exe55⤵
- Executes dropped EXE
PID:4468 -
\??\c:\nbbhbt.exec:\nbbhbt.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3460 -
\??\c:\pvvvj.exec:\pvvvj.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3312 -
\??\c:\xlrfxrl.exec:\xlrfxrl.exe58⤵
- Executes dropped EXE
PID:4624 -
\??\c:\ththnh.exec:\ththnh.exe59⤵
- Executes dropped EXE
PID:2288 -
\??\c:\vvvvj.exec:\vvvvj.exe60⤵
- Executes dropped EXE
PID:3112 -
\??\c:\rlrrlll.exec:\rlrrlll.exe61⤵
- Executes dropped EXE
PID:3332 -
\??\c:\bntnnn.exec:\bntnnn.exe62⤵
- Executes dropped EXE
PID:708 -
\??\c:\hhtnhb.exec:\hhtnhb.exe63⤵
- Executes dropped EXE
PID:1568 -
\??\c:\1pdpv.exec:\1pdpv.exe64⤵
- Executes dropped EXE
PID:3484 -
\??\c:\flffxxr.exec:\flffxxr.exe65⤵
- Executes dropped EXE
PID:2552 -
\??\c:\xrfxxrx.exec:\xrfxxrx.exe66⤵PID:4732
-
\??\c:\1nnthb.exec:\1nnthb.exe67⤵PID:4416
-
\??\c:\dvvpv.exec:\dvvpv.exe68⤵PID:4796
-
\??\c:\9lfxllx.exec:\9lfxllx.exe69⤵PID:2568
-
\??\c:\3tbtnh.exec:\3tbtnh.exe70⤵PID:1056
-
\??\c:\9tbbnn.exec:\9tbbnn.exe71⤵PID:2052
-
\??\c:\dvvpj.exec:\dvvpj.exe72⤵PID:2756
-
\??\c:\fxlrrfx.exec:\fxlrrfx.exe73⤵PID:3516
-
\??\c:\tthbtt.exec:\tthbtt.exe74⤵PID:712
-
\??\c:\5hbbtt.exec:\5hbbtt.exe75⤵PID:1396
-
\??\c:\7vdvp.exec:\7vdvp.exe76⤵PID:2816
-
\??\c:\1llfxxf.exec:\1llfxxf.exe77⤵PID:988
-
\??\c:\hbhbtn.exec:\hbhbtn.exe78⤵PID:5044
-
\??\c:\dppjv.exec:\dppjv.exe79⤵PID:3708
-
\??\c:\vppjd.exec:\vppjd.exe80⤵PID:1216
-
\??\c:\lrxxrrx.exec:\lrxxrrx.exe81⤵PID:4544
-
\??\c:\hnnhbt.exec:\hnnhbt.exe82⤵PID:3936
-
\??\c:\ttbthh.exec:\ttbthh.exe83⤵PID:4064
-
\??\c:\7jpjp.exec:\7jpjp.exe84⤵PID:1532
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe85⤵PID:1048
-
\??\c:\hbnnnh.exec:\hbnnnh.exe86⤵PID:5060
-
\??\c:\3vvvp.exec:\3vvvp.exe87⤵PID:4640
-
\??\c:\9rxrlfl.exec:\9rxrlfl.exe88⤵PID:4504
-
\??\c:\tbhbtn.exec:\tbhbtn.exe89⤵PID:1440
-
\??\c:\vjpdv.exec:\vjpdv.exe90⤵PID:4244
-
\??\c:\pjjdv.exec:\pjjdv.exe91⤵PID:836
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe92⤵PID:1776
-
\??\c:\tnbnhb.exec:\tnbnhb.exe93⤵PID:2656
-
\??\c:\jdvpj.exec:\jdvpj.exe94⤵PID:3328
-
\??\c:\lxlffff.exec:\lxlffff.exe95⤵PID:1648
-
\??\c:\nbhbtn.exec:\nbhbtn.exe96⤵PID:4028
-
\??\c:\tnhhnn.exec:\tnhhnn.exe97⤵PID:4960
-
\??\c:\vjvpj.exec:\vjvpj.exe98⤵PID:1208
-
\??\c:\7lrfxxr.exec:\7lrfxxr.exe99⤵PID:2784
-
\??\c:\thnbhh.exec:\thnbhh.exe100⤵PID:1304
-
\??\c:\bhbnnh.exec:\bhbnnh.exe101⤵PID:1276
-
\??\c:\vjppj.exec:\vjppj.exe102⤵PID:3192
-
\??\c:\xlrlfxl.exec:\xlrlfxl.exe103⤵PID:1496
-
\??\c:\nbnttt.exec:\nbnttt.exe104⤵PID:4608
-
\??\c:\3ntbtn.exec:\3ntbtn.exe105⤵PID:4616
-
\??\c:\vpvpd.exec:\vpvpd.exe106⤵PID:384
-
\??\c:\rllxfxf.exec:\rllxfxf.exe107⤵PID:3372
-
\??\c:\lllfffx.exec:\lllfffx.exe108⤵PID:1540
-
\??\c:\bnnbtn.exec:\bnnbtn.exe109⤵PID:4208
-
\??\c:\vdjdv.exec:\vdjdv.exe110⤵PID:3752
-
\??\c:\3ffxrrr.exec:\3ffxrrr.exe111⤵
- System Location Discovery: System Language Discovery
PID:3956 -
\??\c:\llrlfxr.exec:\llrlfxr.exe112⤵PID:4168
-
\??\c:\nhnhbb.exec:\nhnhbb.exe113⤵PID:2848
-
\??\c:\3djdd.exec:\3djdd.exe114⤵PID:4660
-
\??\c:\rfxfrff.exec:\rfxfrff.exe115⤵PID:2536
-
\??\c:\tnnbtt.exec:\tnnbtt.exe116⤵PID:4548
-
\??\c:\hhnhbt.exec:\hhnhbt.exe117⤵PID:2464
-
\??\c:\dvjvd.exec:\dvjvd.exe118⤵PID:2808
-
\??\c:\xlllfxx.exec:\xlllfxx.exe119⤵PID:3960
-
\??\c:\nbhtnh.exec:\nbhtnh.exe120⤵PID:2404
-
\??\c:\jjvvp.exec:\jjvvp.exe121⤵PID:4328
-
\??\c:\lxlflff.exec:\lxlflff.exe122⤵PID:2804