Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
03/12/2024, 10:12
Behavioral task
behavioral1
Sample
5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0.exe
Resource
win7-20240903-en
9 signatures
120 seconds
General
-
Target
5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0.exe
-
Size
3.7MB
-
MD5
72f767b1183d20c732f674bfe6bac75c
-
SHA1
28d3036ed2d8575e4a141f3ebad201aaf797fc5b
-
SHA256
5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0
-
SHA512
6008c0cbaeb1b3a2e1000280b49003d202b09ce64d397c7b0fcede4016573d353c0c030839db1ea58fb70a4391ac6905f30723a66f9b57973b90ede1cc3eab68
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98A:U6XLq/qPPslzKx/dJg1ErmNl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5080-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3328-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1544-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/508-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3244-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3396-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2908-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1852-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/372-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2268-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-525-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-541-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-733-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-740-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-918-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1952-937-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2856-1139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3548 dpjjj.exe 3328 xxlllll.exe 4860 bhhhhb.exe 460 tnnnnn.exe 2824 jvvpj.exe 2164 tbhhbb.exe 4512 nnnnnn.exe 1544 rrxrlll.exe 1748 flfxrrl.exe 3216 xllfffx.exe 4908 nnhhbt.exe 3900 dvvvp.exe 4124 pjjdv.exe 4440 jvddv.exe 3980 tnhbtt.exe 3068 ffxxxxl.exe 2768 xxrxrxr.exe 3844 ppdjd.exe 4564 bbbttn.exe 3184 jjpjd.exe 4760 3fffxrr.exe 3784 xxxrllf.exe 448 vvpvj.exe 508 ppvpp.exe 4548 ppjdv.exe 4336 djpvp.exe 1280 3vjdd.exe 3864 xflllll.exe 3244 xlllxrr.exe 1232 1frlfll.exe 4776 lrflrxf.exe 4992 xrffxrf.exe 4708 1rlffll.exe 60 nnbttt.exe 1816 pvvpp.exe 3912 jpvjj.exe 660 5pvjd.exe 220 rfrlflx.exe 4900 xxllrlr.exe 4140 llflllr.exe 1424 frllfff.exe 4128 bnnnnt.exe 4544 btnttt.exe 5084 htbtnt.exe 740 3ntthn.exe 1820 jdpjd.exe 2596 pvjjd.exe 3132 dpppp.exe 2564 pjpvp.exe 1976 pjjdd.exe 8 dvpjd.exe 3396 7vdvp.exe 4980 pvdjj.exe 2264 jdvpj.exe 1612 jjdvj.exe 648 vpjdv.exe 3040 dvjdd.exe 4756 7djvj.exe 4440 9pppj.exe 5116 pvppp.exe 2764 fxffflr.exe 4260 xlxrfxr.exe 2908 rflrrlf.exe 3028 5frrxxl.exe -
resource yara_rule behavioral2/memory/5080-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b23-3.dat upx behavioral2/memory/3548-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5080-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-10.dat upx behavioral2/memory/3548-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-14.dat upx behavioral2/memory/4860-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3328-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-23.dat upx behavioral2/files/0x000b000000023b82-28.dat upx behavioral2/memory/2824-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-35.dat upx behavioral2/memory/2164-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-41.dat upx behavioral2/memory/4512-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-46.dat upx behavioral2/files/0x000a000000023b8c-52.dat upx behavioral2/memory/1544-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-57.dat upx behavioral2/memory/1748-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-62.dat upx behavioral2/memory/3216-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-68.dat upx behavioral2/files/0x000a000000023b90-76.dat upx behavioral2/memory/3900-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-79.dat upx behavioral2/files/0x000a000000023b92-85.dat upx behavioral2/files/0x000a000000023b93-89.dat upx behavioral2/memory/3068-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-95.dat upx behavioral2/files/0x000200000001e764-100.dat upx 
behavioral2/memory/2768-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-106.dat upx behavioral2/memory/3844-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-113.dat upx behavioral2/files/0x000a000000023b99-117.dat upx behavioral2/memory/4760-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9a-124.dat upx behavioral2/files/0x000b000000023b9b-131.dat upx behavioral2/memory/3784-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9c-135.dat upx behavioral2/memory/508-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba4-141.dat upx behavioral2/memory/4548-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bab-148.dat upx behavioral2/files/0x0008000000023bb4-152.dat upx behavioral2/memory/1280-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb9-160.dat upx behavioral2/memory/3864-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bba-165.dat upx behavioral2/files/0x0009000000023bbb-172.dat upx behavioral2/memory/3244-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bbf-174.dat upx behavioral2/files/0x0008000000023bc1-180.dat upx behavioral2/memory/4776-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4992-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/60-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4708-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1424-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4544-224-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5084-228-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2564-244-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttbtt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrfff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5080 wrote to memory of 3548 5080 5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0.exe 83 PID 5080 wrote to memory of 3548 5080 5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0.exe 83 PID 5080 wrote to memory of 3548 5080 5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0.exe 83 PID 3548 wrote to memory of 3328 3548 dpjjj.exe 84 PID 3548 wrote to memory of 3328 3548 dpjjj.exe 84 PID 3548 wrote to memory of 3328 3548 dpjjj.exe 84 PID 3328 wrote to memory of 4860 3328 xxlllll.exe 85 PID 3328 wrote to memory of 4860 3328 xxlllll.exe 85 PID 3328 wrote to memory of 4860 3328 xxlllll.exe 85 PID 4860 wrote to memory of 460 4860 bhhhhb.exe 86 PID 4860 wrote to memory of 460 4860 bhhhhb.exe 86 PID 4860 wrote to memory of 460 4860 bhhhhb.exe 86 PID 460 wrote to memory of 2824 460 tnnnnn.exe 87 PID 460 wrote to memory of 2824 460 tnnnnn.exe 87 PID 460 wrote to memory of 2824 460 tnnnnn.exe 87 PID 2824 wrote to memory of 2164 2824 jvvpj.exe 88 PID 2824 wrote to memory of 2164 2824 jvvpj.exe 88 PID 2824 wrote to memory of 2164 2824 jvvpj.exe 88 PID 2164 wrote to memory of 4512 2164 tbhhbb.exe 89 PID 2164 wrote to memory of 4512 2164 tbhhbb.exe 89 PID 2164 wrote to memory of 4512 2164 tbhhbb.exe 89 PID 4512 wrote to memory of 1544 4512 nnnnnn.exe 90 PID 4512 wrote to memory of 1544 4512 nnnnnn.exe 90 PID 4512 wrote to memory of 1544 4512 nnnnnn.exe 90 PID 1544 wrote to memory of 1748 1544 rrxrlll.exe 91 PID 1544 wrote to memory of 1748 1544 rrxrlll.exe 91 PID 1544 wrote to memory of 1748 1544 rrxrlll.exe 91 PID 1748 wrote to memory of 3216 1748 flfxrrl.exe 92 PID 1748 wrote to memory of 3216 1748 flfxrrl.exe 92 PID 1748 wrote to memory of 3216 1748 flfxrrl.exe 92 PID 3216 wrote to memory of 4908 3216 xllfffx.exe 93 PID 3216 wrote to memory of 4908 3216 xllfffx.exe 93 PID 3216 wrote to memory of 4908 3216 xllfffx.exe 93 PID 4908 wrote to memory of 3900 4908 nnhhbt.exe 94 PID 4908 wrote to 
memory of 3900 4908 nnhhbt.exe 94 PID 4908 wrote to memory of 3900 4908 nnhhbt.exe 94 PID 3900 wrote to memory of 4124 3900 dvvvp.exe 95 PID 3900 wrote to memory of 4124 3900 dvvvp.exe 95 PID 3900 wrote to memory of 4124 3900 dvvvp.exe 95 PID 4124 wrote to memory of 4440 4124 pjjdv.exe 96 PID 4124 wrote to memory of 4440 4124 pjjdv.exe 96 PID 4124 wrote to memory of 4440 4124 pjjdv.exe 96 PID 4440 wrote to memory of 3980 4440 jvddv.exe 97 PID 4440 wrote to memory of 3980 4440 jvddv.exe 97 PID 4440 wrote to memory of 3980 4440 jvddv.exe 97 PID 3980 wrote to memory of 3068 3980 tnhbtt.exe 98 PID 3980 wrote to memory of 3068 3980 tnhbtt.exe 98 PID 3980 wrote to memory of 3068 3980 tnhbtt.exe 98 PID 3068 wrote to memory of 2768 3068 ffxxxxl.exe 99 PID 3068 wrote to memory of 2768 3068 ffxxxxl.exe 99 PID 3068 wrote to memory of 2768 3068 ffxxxxl.exe 99 PID 2768 wrote to memory of 3844 2768 xxrxrxr.exe 100 PID 2768 wrote to memory of 3844 2768 xxrxrxr.exe 100 PID 2768 wrote to memory of 3844 2768 xxrxrxr.exe 100 PID 3844 wrote to memory of 4564 3844 ppdjd.exe 101 PID 3844 wrote to memory of 4564 3844 ppdjd.exe 101 PID 3844 wrote to memory of 4564 3844 ppdjd.exe 101 PID 4564 wrote to memory of 3184 4564 bbbttn.exe 102 PID 4564 wrote to memory of 3184 4564 bbbttn.exe 102 PID 4564 wrote to memory of 3184 4564 bbbttn.exe 102 PID 3184 wrote to memory of 4760 3184 jjpjd.exe 103 PID 3184 wrote to memory of 4760 3184 jjpjd.exe 103 PID 3184 wrote to memory of 4760 3184 jjpjd.exe 103 PID 4760 wrote to memory of 3784 4760 3fffxrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0.exe"C:\Users\Admin\AppData\Local\Temp\5b4a795046b247ce7fc0a9785614a2771e054f9d8d2950716f3ec2a00d167ae0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\dpjjj.exec:\dpjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\xxlllll.exec:\xxlllll.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\bhhhhb.exec:\bhhhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\tnnnnn.exec:\tnnnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\jvvpj.exec:\jvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\tbhhbb.exec:\tbhhbb.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\nnnnnn.exec:\nnnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\rrxrlll.exec:\rrxrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\flfxrrl.exec:\flfxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\xllfffx.exec:\xllfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\nnhhbt.exec:\nnhhbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\dvvvp.exec:\dvvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\pjjdv.exec:\pjjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\jvddv.exec:\jvddv.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\tnhbtt.exec:\tnhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\ffxxxxl.exec:\ffxxxxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\xxrxrxr.exec:\xxrxrxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\ppdjd.exec:\ppdjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\bbbttn.exec:\bbbttn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\jjpjd.exec:\jjpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\3fffxrr.exec:\3fffxrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\xxxrllf.exec:\xxxrllf.exe23⤵
- Executes dropped EXE
PID:3784 -
\??\c:\vvpvj.exec:\vvpvj.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:448 -
\??\c:\ppvpp.exec:\ppvpp.exe25⤵
- Executes dropped EXE
PID:508 -
\??\c:\ppjdv.exec:\ppjdv.exe26⤵
- Executes dropped EXE
PID:4548 -
\??\c:\djpvp.exec:\djpvp.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4336 -
\??\c:\3vjdd.exec:\3vjdd.exe28⤵
- Executes dropped EXE
PID:1280 -
\??\c:\xflllll.exec:\xflllll.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3864 -
\??\c:\xlllxrr.exec:\xlllxrr.exe30⤵
- Executes dropped EXE
PID:3244 -
\??\c:\1frlfll.exec:\1frlfll.exe31⤵
- Executes dropped EXE
PID:1232 -
\??\c:\lrflrxf.exec:\lrflrxf.exe32⤵
- Executes dropped EXE
PID:4776 -
\??\c:\xrffxrf.exec:\xrffxrf.exe33⤵
- Executes dropped EXE
PID:4992 -
\??\c:\1rlffll.exec:\1rlffll.exe34⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nnbttt.exec:\nnbttt.exe35⤵
- Executes dropped EXE
PID:60 -
\??\c:\pvvpp.exec:\pvvpp.exe36⤵
- Executes dropped EXE
PID:1816 -
\??\c:\jpvjj.exec:\jpvjj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912 -
\??\c:\5pvjd.exec:\5pvjd.exe38⤵
- Executes dropped EXE
PID:660 -
\??\c:\rfrlflx.exec:\rfrlflx.exe39⤵
- Executes dropped EXE
PID:220 -
\??\c:\xxllrlr.exec:\xxllrlr.exe40⤵
- Executes dropped EXE
PID:4900 -
\??\c:\llflllr.exec:\llflllr.exe41⤵
- Executes dropped EXE
PID:4140 -
\??\c:\frllfff.exec:\frllfff.exe42⤵
- Executes dropped EXE
PID:1424 -
\??\c:\bnnnnt.exec:\bnnnnt.exe43⤵
- Executes dropped EXE
PID:4128 -
\??\c:\btnttt.exec:\btnttt.exe44⤵
- Executes dropped EXE
PID:4544 -
\??\c:\htbtnt.exec:\htbtnt.exe45⤵
- Executes dropped EXE
PID:5084 -
\??\c:\3ntthn.exec:\3ntthn.exe46⤵
- Executes dropped EXE
PID:740 -
\??\c:\jdpjd.exec:\jdpjd.exe47⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pvjjd.exec:\pvjjd.exe48⤵
- Executes dropped EXE
PID:2596 -
\??\c:\dpppp.exec:\dpppp.exe49⤵
- Executes dropped EXE
PID:3132 -
\??\c:\pjpvp.exec:\pjpvp.exe50⤵
- Executes dropped EXE
PID:2564 -
\??\c:\pjjdd.exec:\pjjdd.exe51⤵
- Executes dropped EXE
PID:1976 -
\??\c:\dvpjd.exec:\dvpjd.exe52⤵
- Executes dropped EXE
PID:8 -
\??\c:\7vdvp.exec:\7vdvp.exe53⤵
- Executes dropped EXE
PID:3396 -
\??\c:\pvdjj.exec:\pvdjj.exe54⤵
- Executes dropped EXE
PID:4980 -
\??\c:\jdvpj.exec:\jdvpj.exe55⤵
- Executes dropped EXE
PID:2264 -
\??\c:\jjdvj.exec:\jjdvj.exe56⤵
- Executes dropped EXE
PID:1612 -
\??\c:\vpjdv.exec:\vpjdv.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:648 -
\??\c:\dvjdd.exec:\dvjdd.exe58⤵
- Executes dropped EXE
PID:3040 -
\??\c:\7djvj.exec:\7djvj.exe59⤵
- Executes dropped EXE
PID:4756 -
\??\c:\9pppj.exec:\9pppj.exe60⤵
- Executes dropped EXE
PID:4440 -
\??\c:\pvppp.exec:\pvppp.exe61⤵
- Executes dropped EXE
PID:5116 -
\??\c:\fxffflr.exec:\fxffflr.exe62⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xlxrfxr.exec:\xlxrfxr.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4260 -
\??\c:\rflrrlf.exec:\rflrrlf.exe64⤵
- Executes dropped EXE
PID:2908 -
\??\c:\5frrxxl.exec:\5frrxxl.exe65⤵
- Executes dropped EXE
PID:3028 -
\??\c:\lfxrllx.exec:\lfxrllx.exe66⤵PID:544
-
\??\c:\rfxxrff.exec:\rfxxrff.exe67⤵PID:2516
-
\??\c:\rlfxfll.exec:\rlfxfll.exe68⤵PID:1636
-
\??\c:\fxrrfff.exec:\fxrrfff.exe69⤵
- System Location Discovery: System Language Discovery
PID:2724 -
\??\c:\lxxrlxf.exec:\lxxrlxf.exe70⤵PID:3908
-
\??\c:\xlrlffx.exec:\xlrlffx.exe71⤵PID:3768
-
\??\c:\lfrrllr.exec:\lfrrllr.exe72⤵PID:4760
-
\??\c:\lxrrllr.exec:\lxrrllr.exe73⤵
- System Location Discovery: System Language Discovery
PID:1128 -
\??\c:\1xfxrfx.exec:\1xfxrfx.exe74⤵PID:2176
-
\??\c:\llxxxrx.exec:\llxxxrx.exe75⤵PID:508
-
\??\c:\xlxlfff.exec:\xlxlfff.exe76⤵PID:4248
-
\??\c:\flxxlfl.exec:\flxxlfl.exe77⤵PID:2912
-
\??\c:\flrrllx.exec:\flrrllx.exe78⤵PID:4576
-
\??\c:\5lrxxxx.exec:\5lrxxxx.exe79⤵PID:1280
-
\??\c:\fllfflr.exec:\fllfflr.exe80⤵PID:4840
-
\??\c:\xrxrxrx.exec:\xrxrxrx.exe81⤵PID:3576
-
\??\c:\hthhtb.exec:\hthhtb.exe82⤵PID:3064
-
\??\c:\lllfxfx.exec:\lllfxfx.exe83⤵
- System Location Discovery: System Language Discovery
PID:1852 -
\??\c:\fxxxffl.exec:\fxxxffl.exe84⤵PID:1212
-
\??\c:\nnhhhb.exec:\nnhhhb.exe85⤵PID:3664
-
\??\c:\lrfffll.exec:\lrfffll.exe86⤵PID:4316
-
\??\c:\lrxffxx.exec:\lrxffxx.exe87⤵PID:1940
-
\??\c:\xxfxffl.exec:\xxfxffl.exe88⤵PID:368
-
\??\c:\9llflll.exec:\9llflll.exe89⤵PID:372
-
\??\c:\7flfxxr.exec:\7flfxxr.exe90⤵PID:1580
-
\??\c:\lflrfrf.exec:\lflrfrf.exe91⤵PID:3568
-
\??\c:\flrlxll.exec:\flrlxll.exe92⤵
- System Location Discovery: System Language Discovery
PID:4052 -
\??\c:\llfxlxx.exec:\llfxlxx.exe93⤵PID:2164
-
\??\c:\3xrxrrr.exec:\3xrxrrr.exe94⤵PID:4836
-
\??\c:\lffxffx.exec:\lffxffx.exe95⤵PID:632
-
\??\c:\lrffxrr.exec:\lrffxrr.exe96⤵PID:3200
-
\??\c:\xrrrlll.exec:\xrrrlll.exe97⤵PID:2700
-
\??\c:\1rlxrlx.exec:\1rlxrlx.exe98⤵PID:4912
-
\??\c:\ffrllxx.exec:\ffrllxx.exe99⤵PID:2564
-
\??\c:\fxlxxrl.exec:\fxlxxrl.exe100⤵PID:4536
-
\??\c:\fllrlfx.exec:\fllrlfx.exe101⤵PID:1320
-
\??\c:\rrrrxxl.exec:\rrrrxxl.exe102⤵PID:3216
-
\??\c:\lxxlflf.exec:\lxxlflf.exe103⤵PID:3596
-
\??\c:\flrxfrx.exec:\flrxfrx.exe104⤵PID:3900
-
\??\c:\lxfxrfx.exec:\lxfxrfx.exe105⤵PID:3624
-
\??\c:\xxlfrrx.exec:\xxlfrrx.exe106⤵PID:2268
-
\??\c:\pjjvj.exec:\pjjvj.exe107⤵PID:2592
-
\??\c:\jjvvj.exec:\jjvvj.exe108⤵PID:1428
-
\??\c:\7pdvp.exec:\7pdvp.exe109⤵PID:5004
-
\??\c:\pvjpp.exec:\pvjpp.exe110⤵PID:3728
-
\??\c:\jjjdv.exec:\jjjdv.exe111⤵PID:3692
-
\??\c:\vjpjp.exec:\vjpjp.exe112⤵PID:4468
-
\??\c:\pppjd.exec:\pppjd.exe113⤵PID:3432
-
\??\c:\dvdpp.exec:\dvdpp.exe114⤵PID:2828
-
\??\c:\djjpj.exec:\djjpj.exe115⤵PID:3844
-
\??\c:\3btnbb.exec:\3btnbb.exe116⤵PID:3452
-
\??\c:\bnnhtt.exec:\bnnhtt.exe117⤵PID:4976
-
\??\c:\nttnhb.exec:\nttnhb.exe118⤵PID:3720
-
\??\c:\nbnhnn.exec:\nbnhnn.exe119⤵PID:2304
-
\??\c:\flxxflf.exec:\flxxflf.exe120⤵PID:528
-
\??\c:\7ffrlfx.exec:\7ffrlfx.exe121⤵PID:2900
-
\??\c:\lrrlrrf.exec:\lrrlrrf.exe122⤵PID:2624