Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 07:48

Behavioral task: behavioral1
- Sample: 38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe
- Resource: win7-20240708-en (windows7-x64)
- 9 signatures
- 120 seconds
General
- Target: 38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe
- Size: 3.7MB
- MD5: 5127135160820791053140ddc771c6c0
- SHA1: 3db0e069724c220eac26d7c4f2819c3ff17f86f9
- SHA256: 38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18
- SHA512: 8965566ea8fe95b5afd1b154ba9ea08941a2fb2478b9877fe2ced65be47b950796026c5783933286105dfb2d02eee0303d9e9c0689d89346c613dfbd209e101e
- SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98e:U6XLq/qPPslzKx/dJg1ErmNJ
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (50 IoCs)
  resource yara_rule: every match is rule family_blackmoon on a behavioral1 memory dump named <pid>-<event>-<start>-<end>-memory.dmp. Addresses below are abbreviated from the 64-bit form in the raw report. Every matched region is 0x27000 bytes: either the mapped image at 0x00400000 or a second copy of that size at 0x00220000 or 0x001B0000. A 3.7 MB file whose image occupies only 0x27000 bytes carries most of its size as overlay (data appended after the last section), which no memory dump will show.
  image region 0x00400000-0x00427000 (pid-event): 2484-7, 2492-19, 2324-29, 2164-47, 2688-56, 2428-75, 2596-79, 2616-88, 2616-94, 2580-107, 1312-115, 2092-118, 1732-129, 2092-126, 2312-146, 1296-157, 2996-193, 2176-201, 596-204, 2856-213, 764-229, 1176-239, 1812-258, 2932-297, 2024-307, 2852-364, 2624-390, 728-424, 816-462, 2600-476, 2880-509, 1980-569, 2068-617, 1984-732, 2168-808, 2436-822, 2932-854, 2664-921
  region 0x00220000-0x00247000 (pid-event): 2492-17, 2324-23, 2484-37, 2952-66, 2616-96, 2580-105, 1600-302, 1316-715, 1228-882
  region 0x001B0000-0x001D7000 (pid-event): 1732-132, 1296-164, 2584-655
- Njrat family
- Executes dropped EXE (64 IoCs)
  pid   Process
  2492  o402880.exe
  2324  44080.exe
  1952  nhtttt.exe
  2164  vjppp.exe
  2688  800246.exe
  2952  8040684.exe
  2428  2460608.exe
  2596  628862.exe
  2616  vpjvp.exe
  2580  4862020.exe
  1312  xflfrrf.exe
  2092  rrrfrff.exe
  1732  2466020.exe
  2312  1vjjd.exe
  1340  1hhtht.exe
  1296  fffrrlx.exe
  1936  vvvjv.exe
  2628  tthtnt.exe
  2996  84648.exe
  2176  66446.exe
  596   ttnthb.exe
  2856  806628.exe
  764   fllfrxx.exe
  1176  442424.exe
  2168  1nhtth.exe
  916   nnnnnn.exe
  1812  004820.exe
  1648  ddvjj.exe
  2412  6248860.exe
  320   6006268.exe
  2932  6408028.exe
  1600  nnthbn.exe
  2024  1dpdv.exe
  2500  666244.exe
  2196  flrxlrl.exe
  2028  jjvpv.exe
  2532  lxfllfx.exe
  2172  1bnnnb.exe
  2804  64422.exe
  2668  4824664.exe
  2852  9nnbth.exe
  2756  xrrrxxl.exe
  2748  bthtth.exe
  2560  pjdpd.exe
  2624  hbnhnb.exe
  3012  1jjdj.exe
  3024  3fxlxlf.exe
  1976  rrrflrl.exe
  2092  ntbnht.exe
  2388  a2440.exe
  728   e86862.exe
  1264  4884682.exe
  1340  420202.exe
  1944  4008406.exe
  1764  hhbhnt.exe
  2548  vvdpd.exe
  816   dvvdv.exe
  2600  llrfrxr.exe
  2892  28664.exe
  2160  608460.exe
  2032  nnbtth.exe
  1616  xflllff.exe
  2844  048240.exe
  2880  flxrlrf.exe
- resource yara_rule: rule upx (64 matches: 32 memory dumps, 32 dropped files)
  memory dumps (pid-event; every region is the image at 0x00400000-0x00427000): 2484-0, 2484-7, 2492-9, 2492-19, 2324-29, 2164-39, 2164-47, 2688-56, 2428-75, 2596-79, 2616-88, 2616-94, 2580-107, 1312-115, 2092-118, 1732-129, 2092-126, 2312-138, 2312-146, 1296-157, 2628-176, 2996-193, 2176-201, 596-204, 2856-213, 764-229, 1176-239, 1812-258, 2932-297, 2024-307, 2532-332, 2668-351
  dropped files (behavioral1/files/<id>-<event>.dat): 0x000b000000012260-5, 0x0008000000016cf0-18, 0x0007000000016d49-28, 0x0009000000016ccd-38, 0x0007000000016d5a-48, 0x0007000000016d71-58, 0x000a000000016e1d-67, 0x0009000000016f45-77, 0x0007000000018634-87, 0x000500000001948d-95, 0x00050000000194e2-106, 0x000500000001958b-116, 0x00050000000195c2-128, 0x00050000000195c4-139, 0x00050000000195c6-147, 0x00050000000195c7-156, 0x00050000000195c8-166, 0x00050000000195ca-174, 0x00050000000195cc-183, 0x00050000000195ce-189, 0x00050000000195d0-202, 0x00050000000195e0-212, 0x0005000000019624-221, 0x00050000000196a0-230, 0x0005000000019931-240, 0x0005000000019bec-248, 0x0005000000019bf0-256, 0x0005000000019bf2-265, 0x0005000000019c0b-274, 0x0005000000019cd5-281, 0x0005000000019cfc-289, 0x0005000000019d5c-298
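The report does not print the body of the upx rule, so as an added illustration (not code from the tria.ge report, the sandbox, or the sample) here is a stand-alone Python check for the three things such a rule usually keys on: the default UPX0/UPX1 section names, a first section that is large in memory but empty on disk, and the "UPX!" tag in the stub. It also measures the overlay, which is what a 3.7 MB file that maps to a 0x27000-byte image implies. The PE bytes are constructed inline with SizeOfImage = 0x27000; they are not the sample's bytes, and the indicator set is this example's choice, not the sandbox's rule.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data):
    """Pull out what a packer check needs: machine, SizeOfImage and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]                # 0x10B PE32, 0x20B PE32+
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]   # same offset in both
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
        off += SECTION_HDR.size
    return {"machine": machine, "magic": magic,
            "size_of_image": size_of_image, "sections": sections}


def upx_indicators(pe, data):
    """Three cheap static checks; a yara 'upx' rule usually boils down to some of these."""
    first = pe["sections"][0] if pe["sections"] else None
    return {
        # default UPX section names (UPX0/UPX1, UPX2 when resources are kept separate)
        "upx_section_names": bool({s["name"] for s in pe["sections"]} & UPX_SECTION_NAMES),
        # UPX0 is where the unpacked image lands: large in memory, zero bytes on disk
        "empty_first_section": first is not None and first["raw_size"] == 0 and first["vsize"] > 0,
        # the packer leaves its "UPX!" tag in the stub area after the section table
        "upx_marker": b"UPX!" in data[:0x1000],
    }


def overlay_size(pe, data):
    """Bytes after the last section's raw data; nothing maps them, so no memory dump shows them."""
    raw_end = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    return max(len(data) - raw_end, 0)


def build_sample(packed=True, overlay=b""):
    """Constructed PE32 test bytes (not the sample above) with SizeOfImage = 0x27000.

    packed=True mimics UPX's layout: UPX0 empty on disk, UPX1 holding the compressed
    image; packed=False is an ordinary .text/.data/.rsrc layout of the same image size.
    """
    if packed:  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        secs = [(b"UPX0", 0x18000, 0x1000, 0x0, 0x0),
                (b"UPX1", 0xD000, 0x19000, 0xD000, 0x400),
                (b".rsrc", 0x1000, 0x26000, 0x400, 0xD400)]
    else:
        secs = [(b".text", 0x18000, 0x1000, 0x18000, 0x400),
                (b".data", 0xD000, 0x19000, 0xD000, 0x18400),
                (b".rsrc", 0x1000, 0x26000, 0x400, 0x25400)]
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)  # i386, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 56, 0x27000)                               # SizeOfImage
    table = b"".join(SECTION_HDR.pack(n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in secs)
    stub = b"UPX!" if packed else b""
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table + stub).ljust(0x400, b"\0")
    raw_end = max(rp + rs for _, _, _, rs, rp in secs)
    return headers + bytes(raw_end - 0x400) + overlay


if __name__ == "__main__":
    blob = build_sample(packed=True, overlay=b"\0" * 1000)
    pe = parse_pe(blob)
    print(hex(pe["size_of_image"]), upx_indicators(pe, blob), overlay_size(pe, blob))
```

Run it against a real file by replacing build_sample() with the file's bytes; on a UPX-packed dropper all three indicators are expected to be true, and overlay_size() tells you how much of the file the memory dumps above cannot contain. Section names are trivially renamed, so the name check alone is the weakest of the three.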
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: the key below is also read during ordinary locale initialisation, so a single open of it is a weak indicator; what is notable here is the number of distinct dropped executables touching it, not the read itself.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process (64): i820086.exe, fffrfrl.exe, xrxfrfr.exe, 3fffrfr.exe, 6400224.exe, flrffxl.exe, u660606.exe, jjjvd.exe, nhbhbt.exe, 1jjdj.exe, rxxlfrr.exe, rrlrxxl.exe, 9pjvj.exe, 4824684.exe, vjppp.exe, 5xfrfrl.exe, btthhh.exe, ppdpj.exe, 5rllrxf.exe, 5vpdp.exe, dvvdv.exe, c442464.exe, lrrllfl.exe, lxlrlxr.exe, 600846.exe, 00200.exe, 6866604.exe, vvdpd.exe, 8206206.exe, 6046046.exe, 7ppvd.exe, nbthhn.exe, 0664842.exe, lrffxlx.exe, xflxxrr.exe, 0484848.exe, i484642.exe, 84648.exe, 7lflfxl.exe, btnbnt.exe, llfxxxr.exe, 3rxxflr.exe, q66868.exe, hnhhnn.exe, 68820.exe, bntnnn.exe, jpjdv.exe, 9llffrf.exe, rffrrlf.exe, 20680.exe, vvvpd.exe, 864282.exe, 9pjpd.exe, 6400040.exe, 1rrllfx.exe, 26400.exe, vpdpd.exe, 00026.exe, 2486062.exe, frxxffx.exe, 0484846.exe, 00624.exe, rrxllxl.exe, ntbnnh.exe
- Suspicious use of WriteProcessMemory (64 IoCs: 16 parent/child pairs, 4 logged calls each)
  Every write goes from a parent into the child it had just started, and no process writes into any other process. That pattern is consistent with the writes process creation itself performs while setting up a new child (which this signature also fires on), not with injection into an unrelated process; read it as corroboration of the drop-and-execute chain rather than as evidence of injection.
  parent PID  parent process  ->  child PID  procid_target  calls
  2484  38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe  ->  2492  30  4
  2492  o402880.exe  ->  2324  31  4
  2324  44080.exe  ->  1952  32  4
  1952  nhtttt.exe  ->  2164  33  4
  2164  vjppp.exe  ->  2688  34  4
  2688  800246.exe  ->  2952  35  4
  2952  8040684.exe  ->  2428  36  4
  2428  2460608.exe  ->  2596  37  4
  2596  628862.exe  ->  2616  38  4
  2616  vpjvp.exe  ->  2580  39  4
  2580  4862020.exe  ->  1312  40  4
  1312  xflfrrf.exe  ->  2092  41  4
  2092  rrrfrff.exe  ->  1732  42  4
  1732  2466020.exe  ->  2312  43  4
  2312  1vjjd.exe  ->  1340  44  4
  1340  1hhtht.exe  ->  1296  45  4
Processes
Each entry is one level of a single linear chain: every process starts exactly one child, which continues the chain. The image column is the NT path as logged; the command line is the same path without the \??\ prefix (the root was started as "C:\Users\Admin\AppData\Local\Temp\38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe"). The tree shown reaches depth 122 inside the 120 s run, while the signature lists above stop at 64 IoCs, so "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" cover only the first 64 drops and first 16 pairs respectively; the absence of a flag on a deeper entry is a list cap, not a behaviour change. PIDs are reused as earlier links exit (for example 2092 at depth 13 and 50, 1340 at 16 and 54, 1648 at 29 and 72), so a PID on its own does not identify a link; use depth or image name.
Signatures: E = Executes dropped EXE, W = Suspicious use of WriteProcessMemory, L = System Location Discovery: System Language Discovery.

depth  PID   image  signatures
1      2484  C:\Users\Admin\AppData\Local\Temp\38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe  W
2      2492  \??\c:\o402880.exe  E W
3      2324  \??\c:\44080.exe  E W
4      1952  \??\c:\nhtttt.exe  E W
5      2164  \??\c:\vjppp.exe  E L W
6      2688  \??\c:\800246.exe  E W
7      2952  \??\c:\8040684.exe  E W
8      2428  \??\c:\2460608.exe  E W
9      2596  \??\c:\628862.exe  E W
10     2616  \??\c:\vpjvp.exe  E W
11     2580  \??\c:\4862020.exe  E W
12     1312  \??\c:\xflfrrf.exe  E W
13     2092  \??\c:\rrrfrff.exe  E W
14     1732  \??\c:\2466020.exe  E W
15     2312  \??\c:\1vjjd.exe  E W
16     1340  \??\c:\1hhtht.exe  E W
17     1296  \??\c:\fffrrlx.exe  E
18     1936  \??\c:\vvvjv.exe  E
19     2628  \??\c:\tthtnt.exe  E
20     2996  \??\c:\84648.exe  E L
21     2176  \??\c:\66446.exe  E
22     596   \??\c:\ttnthb.exe  E
23     2856  \??\c:\806628.exe  E
24     764   \??\c:\fllfrxx.exe  E
25     1176  \??\c:\442424.exe  E
26     2168  \??\c:\1nhtth.exe  E
27     916   \??\c:\nnnnnn.exe  E
28     1812  \??\c:\004820.exe  E
29     1648  \??\c:\ddvjj.exe  E
30     2412  \??\c:\6248860.exe  E
31     320   \??\c:\6006268.exe  E
32     2932  \??\c:\6408028.exe  E
33     1600  \??\c:\nnthbn.exe  E
34     2024  \??\c:\1dpdv.exe  E
35     2500  \??\c:\666244.exe  E
36     2196  \??\c:\flrxlrl.exe  E
37     2028  \??\c:\jjvpv.exe  E
38     2532  \??\c:\lxfllfx.exe  E
39     2172  \??\c:\1bnnnb.exe  E
40     2804  \??\c:\64422.exe  E
41     2668  \??\c:\4824664.exe  E
42     2852  \??\c:\9nnbth.exe  E
43     2756  \??\c:\xrrrxxl.exe  E
44     2748  \??\c:\bthtth.exe  E
45     2560  \??\c:\pjdpd.exe  E
46     2624  \??\c:\hbnhnb.exe  E
47     3012  \??\c:\1jjdj.exe  E L
48     3024  \??\c:\3fxlxlf.exe  E
49     1976  \??\c:\rrrflrl.exe  E
50     2092  \??\c:\ntbnht.exe  E
51     2388  \??\c:\a2440.exe  E
52     728   \??\c:\e86862.exe  E
53     1264  \??\c:\4884682.exe  E
54     1340  \??\c:\420202.exe  E
55     1944  \??\c:\4008406.exe  E
56     1764  \??\c:\hhbhnt.exe  E
57     2548  \??\c:\vvdpd.exe  E L
58     816   \??\c:\dvvdv.exe  E
59     2600  \??\c:\llrfrxr.exe  E
60     2892  \??\c:\28664.exe  E
61     2160  \??\c:\608460.exe  E
62     2032  \??\c:\nnbtth.exe  E
63     1616  \??\c:\xflllff.exe  E
64     2844  \??\c:\048240.exe  E
65     2880  \??\c:\flxrlrf.exe  E
66     1552  \??\c:\448426.exe
67     1596  \??\c:\djjdd.exe
68     1852  \??\c:\u660606.exe  L
69     2236  \??\c:\6828628.exe
70     2416  \??\c:\tbnhhb.exe
71     2420  \??\c:\vvdjv.exe
72     1648  \??\c:\pjddj.exe
73     1980  \??\c:\ntbnnn.exe
74     584   \??\c:\60468.exe
75     1708  \??\c:\84406.exe
76     592   \??\c:\482040.exe
77     2320  \??\c:\2486062.exe  L
78     1956  \??\c:\lllrxfr.exe
79     2008  \??\c:\66024.exe
80     2068  \??\c:\jpdpd.exe
81     2128  \??\c:\rrrxrfx.exe
82     2100  \??\c:\5fxfxlf.exe
83     2720  \??\c:\0484846.exe  L
84     2684  \??\c:\jjjpj.exe
85     2820  \??\c:\jjpvd.exe
86     2584  \??\c:\5pjjp.exe
87     2908  \??\c:\646842.exe
88     2612  \??\c:\ppdpj.exe  L
89     2608  \??\c:\dvpdj.exe
90     2580  \??\c:\xrxffrr.exe
91     3036  \??\c:\q66868.exe  L
92     2004  \??\c:\1xxfrrl.exe
93     860   \??\c:\m6646.exe
94     1668  \??\c:\m8020.exe
95     1744  \??\c:\hhhhtb.exe
96     1316  \??\c:\86686.exe
97     1692  \??\c:\660206.exe
98     1984  \??\c:\hnnnhn.exe
99     2884  \??\c:\jpdjd.exe
100    1936  \??\c:\lrrrffl.exe
101    2772  \??\c:\80664.exe
102    2276  \??\c:\pppdv.exe
103    1284  \??\c:\242282.exe
104    3016  \??\c:\nhbtth.exe
105    1892  \??\c:\dpvjj.exe
106    2032  \??\c:\2084202.exe
107    1616  \??\c:\4008608.exe
108    640   \??\c:\nthnht.exe
109    1324  \??\c:\dpdvd.exe
110    1204  \??\c:\468440.exe
111    2168  \??\c:\68224.exe
112    1676  \??\c:\dvvjp.exe
113    2436  \??\c:\20600.exe
114    2416  \??\c:\hbbtnn.exe
115    2020  \??\c:\82688.exe
116    2440  \??\c:\06042.exe
117    2252  \??\c:\fffflxr.exe
118    2932  \??\c:\1dvdv.exe
119    2316  \??\c:\2608242.exe
120    2052  \??\c:\pjddv.exe
121    1228  \??\c:\nhbhht.exe
122    2056  \??\c:\5xfrfrl.exe  L
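As an added worked example (this is not code from the tria.ge report, the sandbox, or the sample), the following Python reads WriteProcessMemory records in the format the signature above uses, collapses the repeated calls per parent/child pair, recovers the chain those writes trace, and flags the fan-out or fan-in shape that writing into a process one did not start would produce, which is how a reviewer separates the drop-and-execute chain seen here from real injection. The input is constructed inline: the first four pairs from this report, plus one invented record in which nhtttt.exe also writes into pid 1000, a hypothetical process that does not appear in the report. The sandbox's real cap of 64 IoCs per signature is not modelled.

```python
import re
from collections import Counter, defaultdict

# One record of the "Suspicious use of WriteProcessMemory" signature reads
#   PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) \d+"
)


def parse_wpm(text):
    """One (src_pid, dst_pid, src_image) tuple per logged call, in report order."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in WPM_RE.finditer(text)]


def build_graph(records):
    """Collapse per-call records into edges with call counts: {(src, dst): n}."""
    return Counter((src, dst) for src, dst, _ in records)


def longest_chain(edges):
    """Longest src->dst path: the drop-and-execute chain as seen through its writes."""
    children = defaultdict(set)
    for src, dst in edges:
        children[src].add(dst)

    def walk(pid, seen):
        best = [pid]
        for nxt in children.get(pid, ()):
            if nxt in seen:          # PID reuse can make the graph cyclic; never revisit
                continue
            cand = [pid] + walk(nxt, seen | {nxt})
            if len(cand) > len(best):
                best = cand
        return best

    targets = {dst for _, dst in edges}
    roots = {src for src, _ in edges if src not in targets}
    return max((walk(r, {r}) for r in roots), key=len, default=[])


def triage(edges):
    """Separate the spawn-chain shape from the shape injection leaves.

    In a pure dropper chain every writer has one target and every target has one
    writer. A writer with several targets (fan-out) or a target with several writers
    (fan-in) is what writing into processes one did not start looks like.
    """
    out_deg = Counter(src for src, _ in edges)
    in_deg = Counter(dst for _, dst in edges)
    return {
        "fan_out": sorted(p for p, n in out_deg.items() if n > 1),
        "fan_in": sorted(p for p, n in in_deg.items() if n > 1),
        "calls_per_edge": sorted(set(edges.values())),
    }


ROOT = "38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe"
# Constructed input: the first four parent/child pairs from the report (four calls
# each) plus one made-up record in which nhtttt.exe also writes into pid 1000, a
# hypothetical process it did not start.
SAMPLE = "\n".join(
    [f"PID 2484 wrote to memory of 2492 2484 {ROOT} 30"] * 4
    + ["PID 2492 wrote to memory of 2324 2492 o402880.exe 31"] * 4
    + ["PID 2324 wrote to memory of 1952 2324 44080.exe 32"] * 4
    + ["PID 1952 wrote to memory of 2164 1952 nhtttt.exe 33"] * 4
    + ["PID 1952 wrote to memory of 1000 1952 nhtttt.exe 99"]
)


def analyse(text):
    """Parse, collapse and triage one signature block; returns a plain dict."""
    records = parse_wpm(text)
    edges = build_graph(records)
    return {"calls": len(records), "chain": longest_chain(edges), **triage(edges)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed input the chain is 2484 -> 2492 -> 2324 -> 1952 -> (2164 or 1000), every report-derived edge carries exactly 4 calls, and 1952 is the only process with fan-out; on the report's own 64 records fan_out and fan_in would both be empty, which is the "just process creation" verdict stated above. Feed it the raw signature text from a report to check that quickly before reading 64 near-identical lines by hand.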