Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2024 03:08

Behavioral task: behavioral1
- Sample: f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe
- Resource: win7-20241010-en
- Platform: windows7-x64
- 9 signatures
- 120 seconds
General
- Target: f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe
- Size: 3.7MB
- MD5: 34135706b0fd40c5a0715fd3c49a2696
- SHA1: c244aac51c1a31efaa2820d1c7307df1b9cc3e1c
- SHA256: f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8
- SHA512: 08efbd0451af5ca4efce3b275d2e8ce388c1c2e2e57ec7532b708fc36e08d3f4e15b31b1ca5dcf7615208c60ff50e9f5f04fe36c3455d437d5bb2c323f8d29eb
- SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98f:U6XLq/qPPslzKx/dJg1ErmNi
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (49 IoCs)

resource  yara_rule
behavioral1/memory/2724-7-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2848-25-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1432-35-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2660-46-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2748-55-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2676-60-0x00000000001B0000-0x00000000001D7000-memory.dmp  family_blackmoon
behavioral1/memory/2676-65-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2948-73-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2948-76-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2884-80-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2428-94-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/3016-112-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2908-122-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2252-147-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2612-157-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2612-165-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2100-168-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1056-203-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1148-213-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2600-223-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1704-225-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1704-228-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1540-241-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1720-252-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2540-271-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/292-282-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1672-299-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2828-332-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2688-353-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2676-376-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2352-375-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1504-390-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/640-427-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/676-433-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2988-437-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2276-454-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1360-501-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2324-539-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1992-583-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1992-590-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/292-598-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1580-599-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2144-620-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2144-640-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2880-643-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1504-681-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2892-707-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2864-715-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1052-753-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
- Njrat family
- Executes dropped EXE (64 IoCs)

pid   Process
2384  tnttbh.exe
2848  882408.exe
1432  xrrrffl.exe
2660  8262808.exe
2748  5btthn.exe
2676  020066.exe
2948  26840.exe
2884  08262.exe
2428  08240.exe
2232  482806.exe
3016  pdpjv.exe
2908  48068.exe
1248  2088402.exe
568   40422.exe
2252  446428.exe
1928  nnhhnn.exe
2612  bbthnt.exe
2100  0080240.exe
2104  666240.exe
960   xrlxfxf.exe
1056  vdjdj.exe
1148  66846.exe
2600  604628.exe
1704  840684.exe
1540  jpjdv.exe
1720  jdvvd.exe
612   xlxxlll.exe
2540  g0488.exe
292   008062.exe
1032  868066.exe
1672  4462244.exe
1792  264026.exe
1700  frxxlfl.exe
2780  ppvpd.exe
2828  jdvdj.exe
2848  bthntt.exe
2936  jdpdj.exe
2352  2022428.exe
2688  pvjjj.exe
2696  dpjjv.exe
2676  4828686.exe
2068  6068440.exe
1504  42240.exe
2220  vpjjv.exe
2076  a0644.exe
2692  llrfxlx.exe
600   xrxfllr.exe
2988  80466.exe
640   3djpv.exe
676   pvpvv.exe
3036  1rrlxrx.exe
3048  7dpdp.exe
2276  6864488.exe
108   840688.exe
2160  u622822.exe
2388  82068.exe
2212  dpdjj.exe
2104  ddjpv.exe
2580  lrfflff.exe
1636  bbnnnn.exe
1360  vjvvv.exe
904   084284.exe
2336  nbttbb.exe
2412  8622828.exe
resource  yara_rule
behavioral1/memory/2724-0-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2384-9-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00090000000120f9-8.dat  upx
behavioral1/memory/2724-7-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0008000000018bdd-16.dat  upx
behavioral1/files/0x000700000001921d-26.dat  upx
behavioral1/memory/1432-27-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2848-25-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1432-35-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x003000000001875f-36.dat  upx
behavioral1/memory/2660-37-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000700000001921f-47.dat  upx
behavioral1/memory/2660-46-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2748-55-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000019242-56.dat  upx
behavioral1/memory/2676-65-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000600000001925b-66.dat  upx
behavioral1/files/0x000600000001925d-75.dat  upx
behavioral1/memory/2948-76-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000800000001930d-85.dat  upx
behavioral1/memory/2428-94-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000700000001932a-95.dat  upx
behavioral1/files/0x0005000000019f9a-104.dat  upx
behavioral1/memory/3016-112-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019fb8-113.dat  upx
behavioral1/memory/2908-122-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a071-121.dat  upx
behavioral1/files/0x000500000001a07a-129.dat  upx
behavioral1/files/0x000500000001a09a-138.dat  upx
behavioral1/files/0x000500000001a303-146.dat  upx
behavioral1/memory/2252-147-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2612-157-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a355-156.dat  upx
behavioral1/memory/2612-165-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a41a-166.dat  upx
behavioral1/memory/2100-168-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a41c-176.dat  upx
behavioral1/memory/2104-177-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a41f-184.dat  upx
behavioral1/memory/1056-195-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a423-194.dat  upx
behavioral1/files/0x000500000001a42d-204.dat  upx
behavioral1/memory/1056-203-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a467-214.dat  upx
behavioral1/memory/1148-213-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a487-221.dat  upx
behavioral1/memory/2600-223-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1704-225-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a489-233.dat  upx
behavioral1/memory/1540-241-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a494-242.dat  upx
behavioral1/memory/1720-243-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a495-253.dat  upx
behavioral1/memory/1720-252-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a4a5-262.dat  upx
behavioral1/files/0x000500000001a4ab-272.dat  upx
behavioral1/memory/2540-271-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a4ad-284.dat  upx
behavioral1/memory/1032-283-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/292-282-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a4af-291.dat  upx
behavioral1/memory/1672-299-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a4b1-300.dat  upx
behavioral1/memory/1792-301-0x0000000000400000-0x0000000000427000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc  Process
All 64 entries share the same description ("Key opened") and ioc (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language); the Process column is:
jdjpv.exe
24006.exe
bnttbt.exe
jvdjj.exe
pvjvd.exe
btbhth.exe
20486.exe
224466.exe
fxfxffl.exe
lfrxxfl.exe
86440.exe
i664642.exe
dddjp.exe
7bbbht.exe
440026.exe
pjdjp.exe
6848206.exe
086600.exe
xflxlxx.exe
tnbhnn.exe
tntnbn.exe
rlxlfxf.exe
dddjv.exe
jdvdv.exe
dvddp.exe
6466640.exe
848020.exe
6028402.exe
jvddp.exe
w24060.exe
bhthtn.exe
vpddp.exe
682222.exe
4024422.exe
thttbb.exe
868066.exe
6466268.exe
080684.exe
5rrffff.exe
pppdp.exe
80860.exe
86222.exe
pjddp.exe
frxrrrl.exe
bnbthh.exe
pjvjv.exe
86808.exe
824466.exe
pdpvv.exe
nnnnbb.exe
dvjpd.exe
2206200.exe
3vdpv.exe
rrlfffl.exe
622000.exe
646226.exe
tnhhbh.exe
nhttbb.exe
4462244.exe
hhhnbb.exe
0204464.exe
7rrxrff.exe
lxxfxfx.exe
264080.exe
- Suspicious use of WriteProcessMemory (64 IoCs)

description  pid  Process  procid_target
Each row below is recorded four times in the report (16 distinct rows, 64 entries in total):
PID 2724 wrote to memory of 2384  2724  f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe  30
PID 2384 wrote to memory of 2848  2384  tnttbh.exe  31
PID 2848 wrote to memory of 1432  2848  882408.exe  32
PID 1432 wrote to memory of 2660  1432  xrrrffl.exe  33
PID 2660 wrote to memory of 2748  2660  8262808.exe  34
PID 2748 wrote to memory of 2676  2748  5btthn.exe  35
PID 2676 wrote to memory of 2948  2676  020066.exe  36
PID 2948 wrote to memory of 2884  2948  26840.exe  37
PID 2884 wrote to memory of 2428  2884  08262.exe  38
PID 2428 wrote to memory of 2232  2428  08240.exe  39
PID 2232 wrote to memory of 3016  2232  482806.exe  40
PID 3016 wrote to memory of 2908  3016  pdpjv.exe  41
PID 2908 wrote to memory of 1248  2908  48068.exe  42
PID 1248 wrote to memory of 568  1248  2088402.exe  43
PID 568 wrote to memory of 2252  568  40422.exe  44
PID 2252 wrote to memory of 1928  2252  446428.exe  45
Processes
Each process is a child of the one listed before it (the leading number is its depth in the tree). Columns: depth, image path, command line, PID, signatures.

1  C:\Users\Admin\AppData\Local\Temp\f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe  "C:\Users\Admin\AppData\Local\Temp\f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe"  PID 2724  Suspicious use of WriteProcessMemory
2  \??\c:\tnttbh.exe  c:\tnttbh.exe  PID 2384  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\882408.exe  c:\882408.exe  PID 2848  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\xrrrffl.exe  c:\xrrrffl.exe  PID 1432  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\8262808.exe  c:\8262808.exe  PID 2660  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\5btthn.exe  c:\5btthn.exe  PID 2748  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\020066.exe  c:\020066.exe  PID 2676  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\26840.exe  c:\26840.exe  PID 2948  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\08262.exe  c:\08262.exe  PID 2884  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\08240.exe  c:\08240.exe  PID 2428  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\482806.exe  c:\482806.exe  PID 2232  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\pdpjv.exe  c:\pdpjv.exe  PID 3016  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\48068.exe  c:\48068.exe  PID 2908  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\2088402.exe  c:\2088402.exe  PID 1248  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\40422.exe  c:\40422.exe  PID 568  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\446428.exe  c:\446428.exe  PID 2252  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\nnhhnn.exe  c:\nnhhnn.exe  PID 1928  Executes dropped EXE
18  \??\c:\bbthnt.exe  c:\bbthnt.exe  PID 2612  Executes dropped EXE
19  \??\c:\0080240.exe  c:\0080240.exe  PID 2100  Executes dropped EXE
20  \??\c:\666240.exe  c:\666240.exe  PID 2104  Executes dropped EXE
21  \??\c:\xrlxfxf.exe  c:\xrlxfxf.exe  PID 960  Executes dropped EXE
22  \??\c:\vdjdj.exe  c:\vdjdj.exe  PID 1056  Executes dropped EXE
23  \??\c:\66846.exe  c:\66846.exe  PID 1148  Executes dropped EXE
24  \??\c:\604628.exe  c:\604628.exe  PID 2600  Executes dropped EXE
25  \??\c:\840684.exe  c:\840684.exe  PID 1704  Executes dropped EXE
26  \??\c:\jpjdv.exe  c:\jpjdv.exe  PID 1540  Executes dropped EXE
27  \??\c:\jdvvd.exe  c:\jdvvd.exe  PID 1720  Executes dropped EXE
28  \??\c:\xlxxlll.exe  c:\xlxxlll.exe  PID 612  Executes dropped EXE
29  \??\c:\g0488.exe  c:\g0488.exe  PID 2540  Executes dropped EXE
30  \??\c:\008062.exe  c:\008062.exe  PID 292  Executes dropped EXE
31  \??\c:\868066.exe  c:\868066.exe  PID 1032  Executes dropped EXE; System Location Discovery: System Language Discovery
32  \??\c:\4462244.exe  c:\4462244.exe  PID 1672  Executes dropped EXE; System Location Discovery: System Language Discovery
33  \??\c:\264026.exe  c:\264026.exe  PID 1792  Executes dropped EXE
34  \??\c:\frxxlfl.exe  c:\frxxlfl.exe  PID 1700  Executes dropped EXE
35  \??\c:\ppvpd.exe  c:\ppvpd.exe  PID 2780  Executes dropped EXE
36  \??\c:\jdvdj.exe  c:\jdvdj.exe  PID 2828  Executes dropped EXE
37  \??\c:\bthntt.exe  c:\bthntt.exe  PID 2848  Executes dropped EXE
38  \??\c:\jdpdj.exe  c:\jdpdj.exe  PID 2936  Executes dropped EXE
39  \??\c:\2022428.exe  c:\2022428.exe  PID 2352  Executes dropped EXE
40  \??\c:\pvjjj.exe  c:\pvjjj.exe  PID 2688  Executes dropped EXE
41  \??\c:\dpjjv.exe  c:\dpjjv.exe  PID 2696  Executes dropped EXE
42  \??\c:\4828686.exe  c:\4828686.exe  PID 2676  Executes dropped EXE
43  \??\c:\6068440.exe  c:\6068440.exe  PID 2068  Executes dropped EXE
44  \??\c:\42240.exe  c:\42240.exe  PID 1504  Executes dropped EXE
45  \??\c:\vpjjv.exe  c:\vpjjv.exe  PID 2220  Executes dropped EXE
46  \??\c:\a0644.exe  c:\a0644.exe  PID 2076  Executes dropped EXE
47  \??\c:\llrfxlx.exe  c:\llrfxlx.exe  PID 2692  Executes dropped EXE
48  \??\c:\xrxfllr.exe  c:\xrxfllr.exe  PID 600  Executes dropped EXE
49  \??\c:\80466.exe  c:\80466.exe  PID 2988  Executes dropped EXE
50  \??\c:\3djpv.exe  c:\3djpv.exe  PID 640  Executes dropped EXE
51  \??\c:\pvpvv.exe  c:\pvpvv.exe  PID 676  Executes dropped EXE
52  \??\c:\1rrlxrx.exe  c:\1rrlxrx.exe  PID 3036  Executes dropped EXE
53  \??\c:\7dpdp.exe  c:\7dpdp.exe  PID 3048  Executes dropped EXE
54  \??\c:\6864488.exe  c:\6864488.exe  PID 2276  Executes dropped EXE
55  \??\c:\840688.exe  c:\840688.exe  PID 108  Executes dropped EXE
56  \??\c:\u622822.exe  c:\u622822.exe  PID 2160  Executes dropped EXE
57  \??\c:\82068.exe  c:\82068.exe  PID 2388  Executes dropped EXE
58  \??\c:\dpdjj.exe  c:\dpdjj.exe  PID 2212  Executes dropped EXE
59  \??\c:\ddjpv.exe  c:\ddjpv.exe  PID 2104  Executes dropped EXE
60  \??\c:\lrfflff.exe  c:\lrfflff.exe  PID 2580  Executes dropped EXE
61  \??\c:\bbnnnn.exe  c:\bbnnnn.exe  PID 1636  Executes dropped EXE
62  \??\c:\vjvvv.exe  c:\vjvvv.exe  PID 1360  Executes dropped EXE
63  \??\c:\084284.exe  c:\084284.exe  PID 904  Executes dropped EXE
64  \??\c:\nbttbb.exe  c:\nbttbb.exe  PID 2336  Executes dropped EXE
65  \??\c:\8622828.exe  c:\8622828.exe  PID 2412  Executes dropped EXE
66  \??\c:\9pddj.exe  c:\9pddj.exe  PID 1532
67  \??\c:\42400.exe  c:\42400.exe  PID 2324
68  \??\c:\424022.exe  c:\424022.exe  PID 2196
69  \??\c:\420066.exe  c:\420066.exe  PID 1240
70  \??\c:\vpvvp.exe  c:\vpvvp.exe  PID 612
71  \??\c:\7rrxrff.exe  c:\7rrxrff.exe  PID 1796  System Location Discovery: System Language Discovery
72  \??\c:\jpdvd.exe  c:\jpdvd.exe  PID 2544
73  \??\c:\w06000.exe  c:\w06000.exe  PID 292
74  \??\c:\20884.exe  c:\20884.exe  PID 1032
75  \??\c:\86284.exe  c:\86284.exe  PID 1992
76  \??\c:\6466268.exe  c:\6466268.exe  PID 1672  System Location Discovery: System Language Discovery
77  \??\c:\i664642.exe  c:\i664642.exe  PID 1580  System Location Discovery: System Language Discovery
78  \??\c:\pjjvp.exe  c:\pjjvp.exe  PID 1588
79  \??\c:\btbhth.exe  c:\btbhth.exe  PID 2144  System Location Discovery: System Language Discovery
80  \??\c:\pjvvd.exe  c:\pjvvd.exe  PID 2768
81  \??\c:\0844666.exe  c:\0844666.exe  PID 2408
82  \??\c:\5hbnbh.exe  c:\5hbnbh.exe  PID 2880
83  \??\c:\k86066.exe  c:\k86066.exe  PID 2808
84  \??\c:\pdpvv.exe  c:\pdpvv.exe  PID 2748
85  \??\c:\frflrrr.exe  c:\frflrrr.exe  PID 1956
86  \??\c:\llxrrxf.exe  c:\llxrrxf.exe  PID 2476
87  \??\c:\864628.exe  c:\864628.exe  PID 1512
88  \??\c:\82402.exe  c:\82402.exe  PID 2884
89  \??\c:\nhbthn.exe  c:\nhbthn.exe  PID 1504
90  \??\c:\2268888.exe  c:\2268888.exe  PID 1348
91  \??\c:\xlxrrll.exe  c:\xlxrrll.exe  PID 2896
92  \??\c:\bnbhnn.exe  c:\bnbhnn.exe  PID 2892
93  \??\c:\262880.exe  c:\262880.exe  PID 2908
94  \??\c:\jdvdj.exe  c:\jdvdj.exe  PID 2864
95  \??\c:\vpddp.exe  c:\vpddp.exe  PID 3012
96  \??\c:\pvddj.exe  c:\pvddj.exe  PID 2256
97  \??\c:\3bhntt.exe  c:\3bhntt.exe  PID 2252
98  \??\c:\fxrfxxf.exe  c:\fxrfxxf.exe  PID 1932
99  \??\c:\jvjjp.exe  c:\jvjjp.exe  PID 1052
100  \??\c:\8206284.exe  c:\8206284.exe  PID 2132
101  \??\c:\bnthhn.exe  c:\bnthhn.exe  PID 2100
102  \??\c:\0884002.exe  c:\0884002.exe  PID 2244
103  \??\c:\0828062.exe  c:\0828062.exe  PID 2088
104  \??\c:\k84066.exe  c:\k84066.exe  PID 2312
105  \??\c:\pjjjv.exe  c:\pjjjv.exe  PID 1056
106  \??\c:\204628.exe  c:\204628.exe  PID 1628
107  \??\c:\jvddj.exe  c:\jvddj.exe  PID 1916
108  \??\c:\a2626.exe  c:\a2626.exe  PID 952
109  \??\c:\xxrfrfl.exe  c:\xxrfrfl.exe  PID 576
110  \??\c:\26440.exe  c:\26440.exe  PID 1324
111  \??\c:\1ffflrr.exe  c:\1ffflrr.exe  PID 1540
112  \??\c:\1btthn.exe  c:\1btthn.exe  PID 2564
113  \??\c:\3rxxrrl.exe  c:\3rxxrrl.exe  PID 1756
114  \??\c:\4288662.exe  c:\4288662.exe  PID 632
115  \??\c:\i268844.exe  c:\i268844.exe  PID 1028
116  \??\c:\860660.exe  c:\860660.exe  PID 2536
117  \??\c:\ttnbhn.exe  c:\ttnbhn.exe  PID 3064
118  \??\c:\vjdjp.exe  c:\vjdjp.exe  PID 1968
119  \??\c:\hbtbhb.exe  c:\hbtbhb.exe  PID 3060
120  \??\c:\nhnbbb.exe  c:\nhnbbb.exe  PID 2268
121  \??\c:\jdjpj.exe  c:\jdjpj.exe  PID 2424
122  \??\c:\86824.exe  c:\86824.exe  PID 1580