Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16-01-2025 15:49
Behavioral task
behavioral1
Sample
0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583.exe
Resource
win7-20240729-en
9 signatures
120 seconds
General
-
Target
0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583.exe
-
Size
3.7MB
-
MD5
d29ddc39af0b2f85115f9a2fb2f32358
-
SHA1
208d69341dbb68f27e2907f6fdd2252d717c8b8a
-
SHA256
0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583
-
SHA512
d3b752c86c2f8b1ca3f9393ed9c4158882fdb9799ef9c3b63d1a8d2cc8f880bd08896cff9903fe8d973e5b6626d908d23b1551d1f230d45263775734ee61cc87
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98T:U6XLq/qPPslzKx/dJg1ErmNI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4716-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/980-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/472-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3204-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3640-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3568-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3684-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4976-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/408-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/892-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2668-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/688-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-716-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-831-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-877-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-908-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-1266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3480 jvpdd.exe 980 thnbtn.exe 924 7nhhbb.exe 1872 9ppjv.exe 4004 djdpj.exe 3116 pvjjd.exe 1976 nnhbnh.exe 2008 nbhttt.exe 472 tnnthb.exe 3260 thnbtn.exe 232 nhtnhb.exe 4236 btbttn.exe 3204 tnnhbn.exe 4764 bnthtb.exe 4820 hnbbnn.exe 3640 hbbbbb.exe 1476 5nhbnn.exe 3568 thnnhh.exe 1644 7pjjj.exe 4556 xrfffrr.exe 4752 rlrllll.exe 1356 bnthtn.exe 4832 htbnnn.exe 648 pvvpj.exe 3684 hhbttt.exe 4976 rrxxxxx.exe 4824 nnhbbb.exe 4492 btttbb.exe 380 xrxflff.exe 408 bnnbhb.exe 3384 btbnnh.exe 4660 3hthth.exe 4924 xxrlxll.exe 3848 bttnhb.exe 4684 thhtht.exe 3304 nnbttb.exe 1684 dpjdv.exe 2588 djdvp.exe 892 pddvv.exe 2252 vjvjv.exe 4572 nhhbtt.exe 1300 dvdvp.exe 3172 lfxrlfr.exe 1436 ntthbt.exe 1088 3rxrfxr.exe 2008 xrrfxlx.exe 1844 jdvjd.exe 4704 vpjvp.exe 2744 9vddv.exe 3232 jvvjv.exe 3228 jvpdv.exe 2668 hbhbbt.exe 3980 tbttbt.exe 1484 nhbbnt.exe 2348 rlxrrxr.exe 5060 lfflrxl.exe 1840 rfxlxrx.exe 4764 5ppdp.exe 728 7vvjv.exe 1056 bbhbhh.exe 1388 nhtnbb.exe 4636 xrxllxf.exe 2004 7llfxrl.exe 3936 5rrrflx.exe -
resource yara_rule behavioral2/memory/4716-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4716-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c97-6.dat upx behavioral2/files/0x0007000000023c9b-11.dat upx behavioral2/memory/3480-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-12.dat upx behavioral2/memory/980-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1872-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/924-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-27.dat upx behavioral2/memory/4004-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-33.dat upx behavioral2/files/0x0007000000023c9e-20.dat upx behavioral2/files/0x0008000000023c98-39.dat upx behavioral2/memory/1976-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-43.dat upx behavioral2/files/0x0007000000023ca2-51.dat upx behavioral2/memory/472-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-61.dat upx behavioral2/memory/4236-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-67.dat upx behavioral2/files/0x0007000000023ca5-72.dat upx behavioral2/memory/3204-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4236-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-78.dat upx behavioral2/memory/2008-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4820-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4764-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-93.dat upx behavioral2/memory/4820-92-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3640-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-97.dat upx behavioral2/memory/1476-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-104.dat upx behavioral2/files/0x0007000000023ca8-84.dat upx behavioral2/files/0x0007000000023cac-111.dat upx behavioral2/memory/3568-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-117.dat upx behavioral2/files/0x0007000000023cae-120.dat upx behavioral2/memory/4752-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4556-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-127.dat upx behavioral2/memory/1356-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-135.dat upx behavioral2/memory/1644-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-140.dat upx behavioral2/memory/4832-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000300000001e75a-145.dat upx behavioral2/files/0x0007000000023cb3-151.dat upx behavioral2/memory/3684-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-154.dat upx behavioral2/memory/4824-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4976-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4824-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-163.dat upx behavioral2/files/0x0007000000023cb6-168.dat upx behavioral2/memory/380-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-174.dat upx behavioral2/memory/408-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-180.dat upx behavioral2/memory/3384-182-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cba-185.dat upx behavioral2/memory/4660-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3848-197-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rllfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hththt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbth.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4716 wrote to memory of 3480 4716 0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583.exe 82 PID 4716 wrote to memory of 3480 4716 0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583.exe 82 PID 4716 wrote to memory of 3480 4716 0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583.exe 82 PID 3480 wrote to memory of 980 3480 jvpdd.exe 83 PID 3480 wrote to memory of 980 3480 jvpdd.exe 83 PID 3480 wrote to memory of 980 3480 jvpdd.exe 83 PID 980 wrote to memory of 924 980 thnbtn.exe 84 PID 980 wrote to memory of 924 980 thnbtn.exe 84 PID 980 wrote to memory of 924 980 thnbtn.exe 84 PID 924 wrote to memory of 1872 924 7nhhbb.exe 85 PID 924 wrote to memory of 1872 924 7nhhbb.exe 85 PID 924 wrote to memory of 1872 924 7nhhbb.exe 85 PID 1872 wrote to memory of 4004 1872 9ppjv.exe 86 PID 1872 wrote to memory of 4004 1872 9ppjv.exe 86 PID 1872 wrote to memory of 4004 1872 9ppjv.exe 86 PID 4004 wrote to memory of 3116 4004 djdpj.exe 87 PID 4004 wrote to memory of 3116 4004 djdpj.exe 87 PID 4004 wrote to memory of 3116 4004 djdpj.exe 87 PID 3116 wrote to memory of 1976 3116 pvjjd.exe 88 PID 3116 wrote to memory of 1976 3116 pvjjd.exe 88 PID 3116 wrote to memory of 1976 3116 pvjjd.exe 88 PID 1976 wrote to memory of 2008 1976 nnhbnh.exe 131 PID 1976 wrote to memory of 2008 1976 nnhbnh.exe 131 PID 1976 wrote to memory of 2008 1976 nnhbnh.exe 131 PID 2008 wrote to memory of 472 2008 nbhttt.exe 90 PID 2008 wrote to memory of 472 2008 nbhttt.exe 90 PID 2008 wrote to memory of 472 2008 nbhttt.exe 90 PID 472 wrote to memory of 3260 472 tnnthb.exe 91 PID 472 wrote to memory of 3260 472 tnnthb.exe 91 PID 472 wrote to memory of 3260 472 tnnthb.exe 91 PID 3260 wrote to memory of 232 3260 thnbtn.exe 92 PID 3260 wrote to memory of 232 3260 thnbtn.exe 92 PID 3260 wrote to memory of 232 3260 thnbtn.exe 92 PID 232 wrote to memory of 4236 232 nhtnhb.exe 93 PID 232 wrote to memory of 4236 232 nhtnhb.exe 93 PID 232 
wrote to memory of 4236 232 nhtnhb.exe 93 PID 4236 wrote to memory of 3204 4236 btbttn.exe 94 PID 4236 wrote to memory of 3204 4236 btbttn.exe 94 PID 4236 wrote to memory of 3204 4236 btbttn.exe 94 PID 3204 wrote to memory of 4764 3204 tnnhbn.exe 143 PID 3204 wrote to memory of 4764 3204 tnnhbn.exe 143 PID 3204 wrote to memory of 4764 3204 tnnhbn.exe 143 PID 4764 wrote to memory of 4820 4764 bnthtb.exe 96 PID 4764 wrote to memory of 4820 4764 bnthtb.exe 96 PID 4764 wrote to memory of 4820 4764 bnthtb.exe 96 PID 4820 wrote to memory of 3640 4820 hnbbnn.exe 97 PID 4820 wrote to memory of 3640 4820 hnbbnn.exe 97 PID 4820 wrote to memory of 3640 4820 hnbbnn.exe 97 PID 3640 wrote to memory of 1476 3640 hbbbbb.exe 98 PID 3640 wrote to memory of 1476 3640 hbbbbb.exe 98 PID 3640 wrote to memory of 1476 3640 hbbbbb.exe 98 PID 1476 wrote to memory of 3568 1476 5nhbnn.exe 99 PID 1476 wrote to memory of 3568 1476 5nhbnn.exe 99 PID 1476 wrote to memory of 3568 1476 5nhbnn.exe 99 PID 3568 wrote to memory of 1644 3568 thnnhh.exe 100 PID 3568 wrote to memory of 1644 3568 thnnhh.exe 100 PID 3568 wrote to memory of 1644 3568 thnnhh.exe 100 PID 1644 wrote to memory of 4556 1644 7pjjj.exe 101 PID 1644 wrote to memory of 4556 1644 7pjjj.exe 101 PID 1644 wrote to memory of 4556 1644 7pjjj.exe 101 PID 4556 wrote to memory of 4752 4556 xrfffrr.exe 102 PID 4556 wrote to memory of 4752 4556 xrfffrr.exe 102 PID 4556 wrote to memory of 4752 4556 xrfffrr.exe 102 PID 4752 wrote to memory of 1356 4752 rlrllll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583.exe"C:\Users\Admin\AppData\Local\Temp\0f9ed98c4cf45cd4ec650ec54e4005a75cfa89452b5bb39f9103ae4f4e63e583.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\jvpdd.exec:\jvpdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\thnbtn.exec:\thnbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\7nhhbb.exec:\7nhhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\9ppjv.exec:\9ppjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\djdpj.exec:\djdpj.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\pvjjd.exec:\pvjjd.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\nnhbnh.exec:\nnhbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\nbhttt.exec:\nbhttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\tnnthb.exec:\tnnthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:472 -
\??\c:\thnbtn.exec:\thnbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\nhtnhb.exec:\nhtnhb.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\btbttn.exec:\btbttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\tnnhbn.exec:\tnnhbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\bnthtb.exec:\bnthtb.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\hnbbnn.exec:\hnbbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\hbbbbb.exec:\hbbbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\5nhbnn.exec:\5nhbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\thnnhh.exec:\thnnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\7pjjj.exec:\7pjjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\xrfffrr.exec:\xrfffrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\rlrllll.exec:\rlrllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\bnthtn.exec:\bnthtn.exe23⤵
- Executes dropped EXE
PID:1356 -
\??\c:\htbnnn.exec:\htbnnn.exe24⤵
- Executes dropped EXE
PID:4832 -
\??\c:\pvvpj.exec:\pvvpj.exe25⤵
- Executes dropped EXE
PID:648 -
\??\c:\hhbttt.exec:\hhbttt.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe27⤵
- Executes dropped EXE
PID:4976 -
\??\c:\nnhbbb.exec:\nnhbbb.exe28⤵
- Executes dropped EXE
PID:4824 -
\??\c:\btttbb.exec:\btttbb.exe29⤵
- Executes dropped EXE
PID:4492 -
\??\c:\xrxflff.exec:\xrxflff.exe30⤵
- Executes dropped EXE
PID:380 -
\??\c:\bnnbhb.exec:\bnnbhb.exe31⤵
- Executes dropped EXE
PID:408 -
\??\c:\btbnnh.exec:\btbnnh.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384 -
\??\c:\3hthth.exec:\3hthth.exe33⤵
- Executes dropped EXE
PID:4660 -
\??\c:\xxrlxll.exec:\xxrlxll.exe34⤵
- Executes dropped EXE
PID:4924 -
\??\c:\bttnhb.exec:\bttnhb.exe35⤵
- Executes dropped EXE
PID:3848 -
\??\c:\thhtht.exec:\thhtht.exe36⤵
- Executes dropped EXE
PID:4684 -
\??\c:\nnbttb.exec:\nnbttb.exe37⤵
- Executes dropped EXE
PID:3304 -
\??\c:\dpjdv.exec:\dpjdv.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684 -
\??\c:\djdvp.exec:\djdvp.exe39⤵
- Executes dropped EXE
PID:2588 -
\??\c:\pddvv.exec:\pddvv.exe40⤵
- Executes dropped EXE
PID:892 -
\??\c:\vjvjv.exec:\vjvjv.exe41⤵
- Executes dropped EXE
PID:2252 -
\??\c:\nhhbtt.exec:\nhhbtt.exe42⤵
- Executes dropped EXE
PID:4572 -
\??\c:\dvdvp.exec:\dvdvp.exe43⤵
- Executes dropped EXE
PID:1300 -
\??\c:\lfxrlfr.exec:\lfxrlfr.exe44⤵
- Executes dropped EXE
PID:3172 -
\??\c:\ntthbt.exec:\ntthbt.exe45⤵
- Executes dropped EXE
PID:1436 -
\??\c:\3rxrfxr.exec:\3rxrfxr.exe46⤵
- Executes dropped EXE
PID:1088 -
\??\c:\xrrfxlx.exec:\xrrfxlx.exe47⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jdvjd.exec:\jdvjd.exe48⤵
- Executes dropped EXE
PID:1844 -
\??\c:\vpjvp.exec:\vpjvp.exe49⤵
- Executes dropped EXE
PID:4704 -
\??\c:\9vddv.exec:\9vddv.exe50⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jvvjv.exec:\jvvjv.exe51⤵
- Executes dropped EXE
PID:3232 -
\??\c:\jvpdv.exec:\jvpdv.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3228 -
\??\c:\hbhbbt.exec:\hbhbbt.exe53⤵
- Executes dropped EXE
PID:2668 -
\??\c:\tbttbt.exec:\tbttbt.exe54⤵
- Executes dropped EXE
PID:3980 -
\??\c:\nhbbnt.exec:\nhbbnt.exe55⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rlxrrxr.exec:\rlxrrxr.exe56⤵
- Executes dropped EXE
PID:2348 -
\??\c:\lfflrxl.exec:\lfflrxl.exe57⤵
- Executes dropped EXE
PID:5060 -
\??\c:\rfxlxrx.exec:\rfxlxrx.exe58⤵
- Executes dropped EXE
PID:1840 -
\??\c:\5ppdp.exec:\5ppdp.exe59⤵
- Executes dropped EXE
PID:4764 -
\??\c:\7vvjv.exec:\7vvjv.exe60⤵
- Executes dropped EXE
PID:728 -
\??\c:\bbhbhh.exec:\bbhbhh.exe61⤵
- Executes dropped EXE
PID:1056 -
\??\c:\nhtnbb.exec:\nhtnbb.exe62⤵
- Executes dropped EXE
PID:1388 -
\??\c:\xrxllxf.exec:\xrxllxf.exe63⤵
- Executes dropped EXE
PID:4636 -
\??\c:\7llfxrl.exec:\7llfxrl.exe64⤵
- Executes dropped EXE
PID:2004 -
\??\c:\5rrrflx.exec:\5rrrflx.exe65⤵
- Executes dropped EXE
PID:3936 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe66⤵PID:1228
-
\??\c:\lxlfxrf.exec:\lxlfxrf.exe67⤵PID:2688
-
\??\c:\frxxxlr.exec:\frxxxlr.exe68⤵PID:1984
-
\??\c:\ppdjv.exec:\ppdjv.exe69⤵PID:4644
-
\??\c:\pdddd.exec:\pdddd.exe70⤵PID:688
-
\??\c:\jjdjp.exec:\jjdjp.exe71⤵PID:3492
-
\??\c:\dpdvv.exec:\dpdvv.exe72⤵PID:3196
-
\??\c:\jjvpj.exec:\jjvpj.exe73⤵PID:2672
-
\??\c:\3nbbnn.exec:\3nbbnn.exe74⤵PID:2512
-
\??\c:\htthtb.exec:\htthtb.exe75⤵PID:1580
-
\??\c:\9rfxrlx.exec:\9rfxrlx.exe76⤵PID:1180
-
\??\c:\frlxrlx.exec:\frlxrlx.exe77⤵PID:3516
-
\??\c:\rlllffx.exec:\rlllffx.exe78⤵PID:4788
-
\??\c:\ffxxxff.exec:\ffxxxff.exe79⤵PID:380
-
\??\c:\djjvd.exec:\djjvd.exe80⤵PID:1904
-
\??\c:\ppvvv.exec:\ppvvv.exe81⤵PID:1688
-
\??\c:\vvpjv.exec:\vvpjv.exe82⤵PID:5028
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe83⤵PID:4680
-
\??\c:\ffxxrxr.exec:\ffxxrxr.exe84⤵PID:4340
-
\??\c:\3dpjd.exec:\3dpjd.exe85⤵PID:964
-
\??\c:\vvjjv.exec:\vvjjv.exe86⤵PID:1636
-
\??\c:\dvddv.exec:\dvddv.exe87⤵PID:892
-
\??\c:\7pddv.exec:\7pddv.exe88⤵PID:2612
-
\??\c:\rxfxxrl.exec:\rxfxxrl.exe89⤵PID:644
-
\??\c:\fffxfll.exec:\fffxfll.exe90⤵PID:4200
-
\??\c:\llflfxf.exec:\llflfxf.exe91⤵PID:2476
-
\??\c:\fxfxrfx.exec:\fxfxrfx.exe92⤵PID:1592
-
\??\c:\9lxlxxf.exec:\9lxlxxf.exe93⤵PID:1976
-
\??\c:\xxrlrxf.exec:\xxrlrxf.exe94⤵PID:4504
-
\??\c:\5rxlxlx.exec:\5rxlxlx.exe95⤵PID:180
-
\??\c:\frxlffr.exec:\frxlffr.exe96⤵PID:3412
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe97⤵PID:1844
-
\??\c:\pjjjd.exec:\pjjjd.exe98⤵PID:4928
-
\??\c:\3ddvj.exec:\3ddvj.exe99⤵PID:2744
-
\??\c:\pjjjv.exec:\pjjjv.exe100⤵PID:4112
-
\??\c:\5jvpj.exec:\5jvpj.exe101⤵PID:3228
-
\??\c:\5btnbn.exec:\5btnbn.exe102⤵PID:4860
-
\??\c:\hbhbth.exec:\hbhbth.exe103⤵PID:4960
-
\??\c:\frlfrlf.exec:\frlfrlf.exe104⤵PID:2280
-
\??\c:\9lxlxlr.exec:\9lxlxlr.exe105⤵PID:2348
-
\??\c:\rxlfxxx.exec:\rxlfxxx.exe106⤵PID:5072
-
\??\c:\nhnhht.exec:\nhnhht.exe107⤵PID:2040
-
\??\c:\lrxlxlx.exec:\lrxlxlx.exe108⤵PID:2144
-
\??\c:\3xlxlfr.exec:\3xlxlfr.exe109⤵PID:4548
-
\??\c:\ffflfll.exec:\ffflfll.exe110⤵PID:4784
-
\??\c:\xrrrrrf.exec:\xrrrrrf.exe111⤵PID:2720
-
\??\c:\xflfrll.exec:\xflfrll.exe112⤵PID:1644
-
\??\c:\lrrlrlr.exec:\lrrlrlr.exe113⤵PID:4152
-
\??\c:\1lxxrxr.exec:\1lxxrxr.exe114⤵
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\rlrffrf.exec:\rlrffrf.exe115⤵PID:1176
-
\??\c:\xrrfxlf.exec:\xrrfxlf.exe116⤵PID:880
-
\??\c:\dpppj.exec:\dpppj.exe117⤵PID:4644
-
\??\c:\1ddvp.exec:\1ddvp.exe118⤵PID:688
-
\??\c:\pjjdd.exec:\pjjdd.exe119⤵PID:1576
-
\??\c:\bhbnht.exec:\bhbnht.exe120⤵PID:468
-
\??\c:\3nbntn.exec:\3nbntn.exe121⤵PID:4556
-
\??\c:\bntnht.exec:\bntnht.exe122⤵PID:2512