Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02-01-2025 03:36
Behavioral task
behavioral1
Sample
b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
General
-
Target
b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe
-
Size
3.7MB
-
MD5
04614e669e761c5b813b07790275bb96
-
SHA1
3bf1ba4f587ff8f26d843a0cf4e09bf1f42e08a8
-
SHA256
b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005
-
SHA512
8474cf8ef7d5a2b979cec500253e3bdacc8c3852b1eb29face54108672365ffad9c6f48603bc4ac8513889608f3da462dd87b2c813392b9b58937fbafe5b016e
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98O:U6XLq/qPPslzKx/dJg1ErmNL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3420-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1696-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2928-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2420-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4928-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/704-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/776-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3712-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/928-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-571-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-620-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-627-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-1251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-1264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-1328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-1359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3148-1703-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3456 0226662.exe 2976 486224.exe 2344 2808888.exe 4560 nnnbnb.exe 1696 lllfrlx.exe 4792 thbtth.exe 4616 6080460.exe 4300 5vvpj.exe 1572 8244462.exe 4940 86884.exe 1644 66044.exe 64 84266.exe 2468 frxfxxx.exe 2340 nbbtnn.exe 5068 rfrlxfl.exe 2252 284804.exe 2928 vjpjv.exe 4328 68208.exe 2180 lllfxrr.exe 4620 4648264.exe 2420 a4866.exe 836 bbhhbb.exe 3784 vdvjp.exe 4928 80820.exe 3016 nbbnnn.exe 4348 pvpjd.exe 4776 bnhbtn.exe 5024 0608488.exe 60 bbbnhb.exe 1804 68480.exe 2836 xrfxxfl.exe 1588 hnbbtn.exe 3304 vjpjv.exe 5100 nhtbhh.exe 2524 tnbttb.exe 4912 xrfrfxl.exe 3948 20622.exe 3184 ttbtnb.exe 4696 686020.exe 2840 ffrxffl.exe 4716 6284486.exe 2460 4644426.exe 5020 jvvjd.exe 2344 dvdpp.exe 3996 lxfrxxx.exe 4792 dvdvj.exe 1060 06660.exe 2688 886628.exe 4012 28662.exe 1504 xxxxrrl.exe 704 llxrlfl.exe 1952 bhbthb.exe 4960 68660.exe 3984 66400.exe 4712 ddvvd.exe 5048 088260.exe 2724 jvjjj.exe 640 420084.exe 5068 8868880.exe 3012 284888.exe 4332 442606.exe 3168 rxxrrfr.exe 2364 448600.exe 4328 26444.exe -
resource yara_rule behavioral2/memory/3420-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3420-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b8f-3.dat upx behavioral2/files/0x0008000000023c76-9.dat upx behavioral2/memory/3456-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c77-13.dat upx behavioral2/memory/2976-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-21.dat upx behavioral2/memory/2344-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-27.dat upx behavioral2/memory/4560-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-33.dat upx behavioral2/memory/1696-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4792-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-42.dat upx behavioral2/files/0x0007000000023c80-45.dat upx behavioral2/memory/4616-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-51.dat upx behavioral2/memory/4300-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-57.dat upx behavioral2/memory/1572-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-63.dat upx behavioral2/memory/1644-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c84-69.dat upx behavioral2/files/0x0007000000023c85-74.dat upx behavioral2/memory/64-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c86-79.dat upx behavioral2/memory/2468-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2340-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c87-85.dat upx behavioral2/files/0x0007000000023c88-91.dat upx 
behavioral2/files/0x0007000000023c89-96.dat upx behavioral2/memory/2252-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-102.dat upx behavioral2/memory/4328-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2928-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4328-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e762-109.dat upx behavioral2/files/0x0007000000023c8c-115.dat upx behavioral2/memory/4620-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-121.dat upx behavioral2/memory/4620-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-127.dat upx behavioral2/memory/2420-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-133.dat upx behavioral2/memory/836-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-140.dat upx behavioral2/memory/4928-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3784-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-148.dat upx behavioral2/memory/3016-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4348-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-152.dat upx behavioral2/files/0x0007000000023c94-158.dat upx behavioral2/memory/4776-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4348-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-165.dat upx behavioral2/files/0x0007000000023c96-171.dat upx behavioral2/memory/60-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-176.dat upx behavioral2/files/0x0007000000023c99-183.dat upx behavioral2/files/0x0007000000023c9a-186.dat upx 
behavioral2/memory/1588-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3304-196-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6006266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2664820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2600604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c004264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o460488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4044226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8086880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4202486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4286828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0004884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08608.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6202424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllffx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3420 wrote to memory of 3456 3420 b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe 83 PID 3420 wrote to memory of 3456 3420 b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe 83 PID 3420 wrote to memory of 3456 3420 b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe 83 PID 3456 wrote to memory of 2976 3456 0226662.exe 84 PID 3456 wrote to memory of 2976 3456 0226662.exe 84 PID 3456 wrote to memory of 2976 3456 0226662.exe 84 PID 2976 wrote to memory of 2344 2976 486224.exe 85 PID 2976 wrote to memory of 2344 2976 486224.exe 85 PID 2976 wrote to memory of 2344 2976 486224.exe 85 PID 2344 wrote to memory of 4560 2344 2808888.exe 86 PID 2344 wrote to memory of 4560 2344 2808888.exe 86 PID 2344 wrote to memory of 4560 2344 2808888.exe 86 PID 4560 wrote to memory of 1696 4560 nnnbnb.exe 87 PID 4560 wrote to memory of 1696 4560 nnnbnb.exe 87 PID 4560 wrote to memory of 1696 4560 nnnbnb.exe 87 PID 1696 wrote to memory of 4792 1696 lllfrlx.exe 88 PID 1696 wrote to memory of 4792 1696 lllfrlx.exe 88 PID 1696 wrote to memory of 4792 1696 lllfrlx.exe 88 PID 4792 wrote to memory of 4616 4792 thbtth.exe 89 PID 4792 wrote to memory of 4616 4792 thbtth.exe 89 PID 4792 wrote to memory of 4616 4792 thbtth.exe 89 PID 4616 wrote to memory of 4300 4616 6080460.exe 90 PID 4616 wrote to memory of 4300 4616 6080460.exe 90 PID 4616 wrote to memory of 4300 4616 6080460.exe 90 PID 4300 wrote to memory of 1572 4300 5vvpj.exe 91 PID 4300 wrote to memory of 1572 4300 5vvpj.exe 91 PID 4300 wrote to memory of 1572 4300 5vvpj.exe 91 PID 1572 wrote to memory of 4940 1572 8244462.exe 92 PID 1572 wrote to memory of 4940 1572 8244462.exe 92 PID 1572 wrote to memory of 4940 1572 8244462.exe 92 PID 4940 wrote to memory of 1644 4940 86884.exe 93 PID 4940 wrote to memory of 1644 4940 86884.exe 93 PID 4940 wrote to memory of 1644 4940 86884.exe 93 PID 1644 wrote to memory of 64 1644 66044.exe 94 PID 1644 
wrote to memory of 64 1644 66044.exe 94 PID 1644 wrote to memory of 64 1644 66044.exe 94 PID 64 wrote to memory of 2468 64 84266.exe 95 PID 64 wrote to memory of 2468 64 84266.exe 95 PID 64 wrote to memory of 2468 64 84266.exe 95 PID 2468 wrote to memory of 2340 2468 frxfxxx.exe 96 PID 2468 wrote to memory of 2340 2468 frxfxxx.exe 96 PID 2468 wrote to memory of 2340 2468 frxfxxx.exe 96 PID 2340 wrote to memory of 5068 2340 nbbtnn.exe 97 PID 2340 wrote to memory of 5068 2340 nbbtnn.exe 97 PID 2340 wrote to memory of 5068 2340 nbbtnn.exe 97 PID 5068 wrote to memory of 2252 5068 rfrlxfl.exe 98 PID 5068 wrote to memory of 2252 5068 rfrlxfl.exe 98 PID 5068 wrote to memory of 2252 5068 rfrlxfl.exe 98 PID 2252 wrote to memory of 2928 2252 284804.exe 99 PID 2252 wrote to memory of 2928 2252 284804.exe 99 PID 2252 wrote to memory of 2928 2252 284804.exe 99 PID 2928 wrote to memory of 4328 2928 vjpjv.exe 100 PID 2928 wrote to memory of 4328 2928 vjpjv.exe 100 PID 2928 wrote to memory of 4328 2928 vjpjv.exe 100 PID 4328 wrote to memory of 2180 4328 68208.exe 101 PID 4328 wrote to memory of 2180 4328 68208.exe 101 PID 4328 wrote to memory of 2180 4328 68208.exe 101 PID 2180 wrote to memory of 4620 2180 lllfxrr.exe 102 PID 2180 wrote to memory of 4620 2180 lllfxrr.exe 102 PID 2180 wrote to memory of 4620 2180 lllfxrr.exe 102 PID 4620 wrote to memory of 2420 4620 4648264.exe 103 PID 4620 wrote to memory of 2420 4620 4648264.exe 103 PID 4620 wrote to memory of 2420 4620 4648264.exe 103 PID 2420 wrote to memory of 836 2420 a4866.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe"C:\Users\Admin\AppData\Local\Temp\b4b9e5dbb9b80ec755a35a1ffa1b0008d42d6801492370b341d1beaa995ee005.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\0226662.exec:\0226662.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\486224.exec:\486224.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\2808888.exec:\2808888.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\nnnbnb.exec:\nnnbnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\lllfrlx.exec:\lllfrlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\thbtth.exec:\thbtth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\6080460.exec:\6080460.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\5vvpj.exec:\5vvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\8244462.exec:\8244462.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\86884.exec:\86884.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\66044.exec:\66044.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\84266.exec:\84266.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\frxfxxx.exec:\frxfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\nbbtnn.exec:\nbbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\rfrlxfl.exec:\rfrlxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\284804.exec:\284804.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\vjpjv.exec:\vjpjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\68208.exec:\68208.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\lllfxrr.exec:\lllfxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\4648264.exec:\4648264.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\a4866.exec:\a4866.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\bbhhbb.exec:\bbhhbb.exe23⤵
- Executes dropped EXE
PID:836 -
\??\c:\vdvjp.exec:\vdvjp.exe24⤵
- Executes dropped EXE
PID:3784 -
\??\c:\80820.exec:\80820.exe25⤵
- Executes dropped EXE
PID:4928 -
\??\c:\nbbnnn.exec:\nbbnnn.exe26⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pvpjd.exec:\pvpjd.exe27⤵
- Executes dropped EXE
PID:4348 -
\??\c:\bnhbtn.exec:\bnhbtn.exe28⤵
- Executes dropped EXE
PID:4776 -
\??\c:\0608488.exec:\0608488.exe29⤵
- Executes dropped EXE
PID:5024 -
\??\c:\bbbnhb.exec:\bbbnhb.exe30⤵
- Executes dropped EXE
PID:60 -
\??\c:\68480.exec:\68480.exe31⤵
- Executes dropped EXE
PID:1804 -
\??\c:\xrfxxfl.exec:\xrfxxfl.exe32⤵
- Executes dropped EXE
PID:2836 -
\??\c:\hnbbtn.exec:\hnbbtn.exe33⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vjpjv.exec:\vjpjv.exe34⤵
- Executes dropped EXE
PID:3304 -
\??\c:\nhtbhh.exec:\nhtbhh.exe35⤵
- Executes dropped EXE
PID:5100 -
\??\c:\tnbttb.exec:\tnbttb.exe36⤵
- Executes dropped EXE
PID:2524 -
\??\c:\xrfrfxl.exec:\xrfrfxl.exe37⤵
- Executes dropped EXE
PID:4912 -
\??\c:\20622.exec:\20622.exe38⤵
- Executes dropped EXE
PID:3948 -
\??\c:\ttbtnb.exec:\ttbtnb.exe39⤵
- Executes dropped EXE
PID:3184 -
\??\c:\686020.exec:\686020.exe40⤵
- Executes dropped EXE
PID:4696 -
\??\c:\ffrxffl.exec:\ffrxffl.exe41⤵
- Executes dropped EXE
PID:2840 -
\??\c:\6284486.exec:\6284486.exe42⤵
- Executes dropped EXE
PID:4716 -
\??\c:\4644426.exec:\4644426.exe43⤵
- Executes dropped EXE
PID:2460 -
\??\c:\jvvjd.exec:\jvvjd.exe44⤵
- Executes dropped EXE
PID:5020 -
\??\c:\dvdpp.exec:\dvdpp.exe45⤵
- Executes dropped EXE
PID:2344 -
\??\c:\lxfrxxx.exec:\lxfrxxx.exe46⤵
- Executes dropped EXE
PID:3996 -
\??\c:\dvdvj.exec:\dvdvj.exe47⤵
- Executes dropped EXE
PID:4792 -
\??\c:\06660.exec:\06660.exe48⤵
- Executes dropped EXE
PID:1060 -
\??\c:\886628.exec:\886628.exe49⤵
- Executes dropped EXE
PID:2688 -
\??\c:\28662.exec:\28662.exe50⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
\??\c:\llxrlfl.exec:\llxrlfl.exe52⤵
- Executes dropped EXE
PID:704 -
\??\c:\bhbthb.exec:\bhbthb.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\68660.exec:\68660.exe54⤵
- Executes dropped EXE
PID:4960 -
\??\c:\66400.exec:\66400.exe55⤵
- Executes dropped EXE
PID:3984 -
\??\c:\ddvvd.exec:\ddvvd.exe56⤵
- Executes dropped EXE
PID:4712 -
\??\c:\088260.exec:\088260.exe57⤵
- Executes dropped EXE
PID:5048 -
\??\c:\jvjjj.exec:\jvjjj.exe58⤵
- Executes dropped EXE
PID:2724 -
\??\c:\420084.exec:\420084.exe59⤵
- Executes dropped EXE
PID:640 -
\??\c:\8868880.exec:\8868880.exe60⤵
- Executes dropped EXE
PID:5068 -
\??\c:\284888.exec:\284888.exe61⤵
- Executes dropped EXE
PID:3012 -
\??\c:\442606.exec:\442606.exe62⤵
- Executes dropped EXE
PID:4332 -
\??\c:\rxxrrfr.exec:\rxxrrfr.exe63⤵
- Executes dropped EXE
PID:3168 -
\??\c:\448600.exec:\448600.exe64⤵
- Executes dropped EXE
PID:2364 -
\??\c:\26444.exec:\26444.exe65⤵
- Executes dropped EXE
PID:4328 -
\??\c:\jddvp.exec:\jddvp.exe66⤵PID:1700
-
\??\c:\28222.exec:\28222.exe67⤵PID:3696
-
\??\c:\rrrlffx.exec:\rrrlffx.exe68⤵PID:1232
-
\??\c:\hhnnnn.exec:\hhnnnn.exe69⤵PID:1356
-
\??\c:\8828848.exec:\8828848.exe70⤵PID:4796
-
\??\c:\dvjdv.exec:\dvjdv.exe71⤵
- System Location Discovery: System Language Discovery
PID:560 -
\??\c:\jddvv.exec:\jddvv.exe72⤵PID:2652
-
\??\c:\nbntbh.exec:\nbntbh.exe73⤵PID:776
-
\??\c:\djpjd.exec:\djpjd.exe74⤵PID:3372
-
\??\c:\4464600.exec:\4464600.exe75⤵PID:4632
-
\??\c:\o008682.exec:\o008682.exe76⤵PID:2028
-
\??\c:\468260.exec:\468260.exe77⤵PID:3292
-
\??\c:\62408.exec:\62408.exe78⤵PID:3312
-
\??\c:\xlfxxxr.exec:\xlfxxxr.exe79⤵PID:4324
-
\??\c:\8204606.exec:\8204606.exe80⤵PID:1448
-
\??\c:\xllfxrf.exec:\xllfxrf.exe81⤵PID:2528
-
\??\c:\42042.exec:\42042.exe82⤵PID:2236
-
\??\c:\nnnhbt.exec:\nnnhbt.exe83⤵PID:3500
-
\??\c:\288260.exec:\288260.exe84⤵PID:3768
-
\??\c:\xrfxrlf.exec:\xrfxrlf.exe85⤵PID:4656
-
\??\c:\flxxxxf.exec:\flxxxxf.exe86⤵PID:5000
-
\??\c:\46442.exec:\46442.exe87⤵PID:3420
-
\??\c:\vdpdv.exec:\vdpdv.exe88⤵PID:2476
-
\??\c:\0886048.exec:\0886048.exe89⤵PID:4392
-
\??\c:\pjpjj.exec:\pjpjj.exe90⤵PID:1360
-
\??\c:\jvddv.exec:\jvddv.exe91⤵PID:2324
-
\??\c:\0004884.exec:\0004884.exe92⤵
- System Location Discovery: System Language Discovery
PID:3788 -
\??\c:\lrrrrlf.exec:\lrrrrlf.exe93⤵PID:4344
-
\??\c:\thttbb.exec:\thttbb.exe94⤵PID:3652
-
\??\c:\6024888.exec:\6024888.exe95⤵PID:3996
-
\??\c:\680626.exec:\680626.exe96⤵PID:4540
-
\??\c:\4800460.exec:\4800460.exe97⤵PID:4320
-
\??\c:\jvddv.exec:\jvddv.exe98⤵
- System Location Discovery: System Language Discovery
PID:4012 -
\??\c:\044288.exec:\044288.exe99⤵PID:3884
-
\??\c:\6200642.exec:\6200642.exe100⤵PID:2404
-
\??\c:\486882.exec:\486882.exe101⤵PID:1952
-
\??\c:\bttnhh.exec:\bttnhh.exe102⤵PID:1836
-
\??\c:\06220.exec:\06220.exe103⤵
- System Location Discovery: System Language Discovery
PID:2852 -
\??\c:\026666.exec:\026666.exe104⤵PID:2468
-
\??\c:\1rxrllf.exec:\1rxrllf.exe105⤵PID:1392
-
\??\c:\0066486.exec:\0066486.exe106⤵PID:1736
-
\??\c:\0660008.exec:\0660008.exe107⤵PID:3712
-
\??\c:\42264.exec:\42264.exe108⤵PID:3320
-
\??\c:\0664860.exec:\0664860.exe109⤵PID:3248
-
\??\c:\dpvpp.exec:\dpvpp.exe110⤵PID:2452
-
\??\c:\lllfllx.exec:\lllfllx.exe111⤵PID:2232
-
\??\c:\frllfff.exec:\frllfff.exe112⤵PID:5080
-
\??\c:\lffxfff.exec:\lffxfff.exe113⤵
- System Location Discovery: System Language Discovery
PID:4024 -
\??\c:\thhnhb.exec:\thhnhb.exe114⤵PID:3236
-
\??\c:\046662.exec:\046662.exe115⤵PID:4592
-
\??\c:\40882.exec:\40882.exe116⤵PID:912
-
\??\c:\nhnhth.exec:\nhnhth.exe117⤵PID:3972
-
\??\c:\lrrxlfl.exec:\lrrxlfl.exe118⤵PID:2216
-
\??\c:\pvpjv.exec:\pvpjv.exe119⤵PID:3432
-
\??\c:\26260.exec:\26260.exe120⤵PID:2900
-
\??\c:\9xrlllf.exec:\9xrlllf.exe121⤵PID:4728
-
\??\c:\jvdvp.exec:\jvdvp.exe122⤵PID:2396