Analysis
-
max time kernel
116s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 11:42
Behavioral task
behavioral1
Sample
31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
General
-
Target
31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe
-
Size
3.7MB
-
MD5
d907bfc5b0d2de96852acf0719c53720
-
SHA1
3daff44988640b3b12578d54722d946444c546c7
-
SHA256
31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ff
-
SHA512
311b77a4849e76978e7a98538d2d2bc46b16698c9cbf1752bf21a4dfccb0429b40c74b360240efd14675818d80636fda07c8acef77c6353b47ce807f8581f72e
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98e:U6XLq/qPPslzKx/dJg1ErmNN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2372-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2816-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-27-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2800-36-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2800-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-38-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2636-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/760-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2276-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/332-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2256-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2308-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1956-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2936-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1748-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/576-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1104-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2436-188-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1104-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1480-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/700-265-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2252-285-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1636-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1708-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2484-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/484-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/340-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1956-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2084-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2144-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/584-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2436-472-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2436-491-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1444-504-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2392-563-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2644-595-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2760-603-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2656-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/600-641-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1620-648-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/600-661-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1512-699-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1696-712-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2108-730-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2568-738-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2592-791-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2592-789-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2076-848-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-899-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2608-908-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2608-927-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2816 djvjj.exe 2736 bnhtbh.exe 2800 2880846.exe 2636 ffxlrfl.exe 760 4604822.exe 2276 66646.exe 332 bbbtnb.exe 2256 048428.exe 2308 8080880.exe 2304 jdvvd.exe 1956 644624.exe 2936 08860.exe 1748 268068.exe 576 44808.exe 2996 042064.exe 1544 xfxlfll.exe 768 0826886.exe 2092 8224028.exe 2436 26846.exe 2432 4824064.exe 1104 nbhnbh.exe 1480 pvppd.exe 1604 bhtnhb.exe 1472 dvvjj.exe 1496 060808.exe 1796 620486.exe 1384 48826.exe 700 0822808.exe 2332 488642.exe 2252 4046624.exe 2292 68802.exe 1708 tnhtbb.exe 1636 80000.exe 2808 284440.exe 2484 ddvjd.exe 2900 688460.exe 2444 664602.exe 2672 484646.exe 2488 26228.exe 276 4422400.exe 484 048442.exe 1420 ffllxfx.exe 2196 frxxfrr.exe 340 2002846.exe 2948 42868.exe 1872 6048868.exe 1956 e40684.exe 1740 22066.exe 2976 nhbnbh.exe 2084 0642248.exe 2516 608684.exe 396 xlflxll.exe 2144 2668202.exe 584 0080240.exe 2856 260026.exe 1264 jvdpd.exe 2436 0468406.exe 2036 tthnhn.exe 1676 xrrffrf.exe 1632 260662.exe 2460 06200.exe 1444 vvjvd.exe 1996 486064.exe 1324 864062.exe -
resource yara_rule behavioral1/memory/2372-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a00000001202c-5.dat upx behavioral1/memory/2816-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2372-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015e8f-16.dat upx behavioral1/memory/2736-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2816-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2736-27-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0008000000015ef6-30.dat upx behavioral1/files/0x0032000000015d33-41.dat upx behavioral1/memory/2800-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015f4f-50.dat upx behavioral1/memory/2636-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015fdb-61.dat upx behavioral1/memory/2276-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/760-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000160db-71.dat upx behavioral1/memory/2276-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/332-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016239-79.dat upx behavioral1/files/0x0007000000016307-88.dat upx behavioral1/memory/2256-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2308-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016599-97.dat upx behavioral1/files/0x0005000000019242-106.dat upx behavioral1/memory/2304-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001925b-116.dat upx behavioral1/memory/1956-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001925d-124.dat upx behavioral1/memory/2936-123-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral1/files/0x000500000001930d-131.dat upx behavioral1/memory/1748-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001932a-144.dat upx behavioral1/memory/576-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019377-152.dat upx behavioral1/memory/1544-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/768-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001938a-161.dat upx behavioral1/files/0x000500000001938e-170.dat upx behavioral1/memory/2092-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001939c-182.dat upx behavioral1/memory/2436-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2092-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001941b-191.dat upx behavioral1/memory/1104-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019429-198.dat upx behavioral1/files/0x000500000001946b-208.dat upx behavioral1/memory/1104-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019481-219.dat upx behavioral1/memory/1480-218-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1472-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019490-226.dat upx behavioral1/files/0x000500000001949d-237.dat upx behavioral1/memory/1496-236-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194c6-244.dat upx behavioral1/files/0x00050000000194d0-254.dat upx behavioral1/files/0x00050000000194da-261.dat upx behavioral1/memory/700-265-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00050000000194e4-270.dat upx behavioral1/files/0x00050000000194e6-278.dat upx behavioral1/files/0x0005000000019551-287.dat upx behavioral1/files/0x000500000001955c-296.dat upx 
behavioral1/memory/1636-304-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1708-303-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6248020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4280662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4046624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6048868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u882042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2886.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2640802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e40684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 624646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2062.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8086424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4882468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q26262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnthb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2816 2372 31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe 30 PID 2372 wrote to memory of 2816 2372 31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe 30 PID 2372 wrote to memory of 2816 2372 31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe 30 PID 2372 wrote to memory of 2816 2372 31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe 30 PID 2816 wrote to memory of 2736 2816 djvjj.exe 31 PID 2816 wrote to memory of 2736 2816 djvjj.exe 31 PID 2816 wrote to memory of 2736 2816 djvjj.exe 31 PID 2816 wrote to memory of 2736 2816 djvjj.exe 31 PID 2736 wrote to memory of 2800 2736 bnhtbh.exe 32 PID 2736 wrote to memory of 2800 2736 bnhtbh.exe 32 PID 2736 wrote to memory of 2800 2736 bnhtbh.exe 32 PID 2736 wrote to memory of 2800 2736 bnhtbh.exe 32 PID 2800 wrote to memory of 2636 2800 2880846.exe 33 PID 2800 wrote to memory of 2636 2800 2880846.exe 33 PID 2800 wrote to memory of 2636 2800 2880846.exe 33 PID 2800 wrote to memory of 2636 2800 2880846.exe 33 PID 2636 wrote to memory of 760 2636 ffxlrfl.exe 34 PID 2636 wrote to memory of 760 2636 ffxlrfl.exe 34 PID 2636 wrote to memory of 760 2636 ffxlrfl.exe 34 PID 2636 wrote to memory of 760 2636 ffxlrfl.exe 34 PID 760 wrote to memory of 2276 760 4604822.exe 35 PID 760 wrote to memory of 2276 760 4604822.exe 35 PID 760 wrote to memory of 2276 760 4604822.exe 35 PID 760 wrote to memory of 2276 760 4604822.exe 35 PID 2276 wrote to memory of 332 2276 66646.exe 36 PID 2276 wrote to memory of 332 2276 66646.exe 36 PID 2276 wrote to memory of 332 2276 66646.exe 36 PID 2276 wrote to memory of 332 2276 66646.exe 36 PID 332 wrote to memory of 2256 332 bbbtnb.exe 37 PID 332 wrote to memory of 2256 332 bbbtnb.exe 37 PID 332 wrote to memory of 2256 332 bbbtnb.exe 37 PID 332 wrote to memory of 2256 332 bbbtnb.exe 37 PID 2256 wrote to memory of 2308 2256 048428.exe 38 PID 2256 wrote to memory of 
2308 2256 048428.exe 38 PID 2256 wrote to memory of 2308 2256 048428.exe 38 PID 2256 wrote to memory of 2308 2256 048428.exe 38 PID 2308 wrote to memory of 2304 2308 8080880.exe 39 PID 2308 wrote to memory of 2304 2308 8080880.exe 39 PID 2308 wrote to memory of 2304 2308 8080880.exe 39 PID 2308 wrote to memory of 2304 2308 8080880.exe 39 PID 2304 wrote to memory of 1956 2304 jdvvd.exe 76 PID 2304 wrote to memory of 1956 2304 jdvvd.exe 76 PID 2304 wrote to memory of 1956 2304 jdvvd.exe 76 PID 2304 wrote to memory of 1956 2304 jdvvd.exe 76 PID 1956 wrote to memory of 2936 1956 644624.exe 41 PID 1956 wrote to memory of 2936 1956 644624.exe 41 PID 1956 wrote to memory of 2936 1956 644624.exe 41 PID 1956 wrote to memory of 2936 1956 644624.exe 41 PID 2936 wrote to memory of 1748 2936 08860.exe 121 PID 2936 wrote to memory of 1748 2936 08860.exe 121 PID 2936 wrote to memory of 1748 2936 08860.exe 121 PID 2936 wrote to memory of 1748 2936 08860.exe 121 PID 1748 wrote to memory of 576 1748 268068.exe 43 PID 1748 wrote to memory of 576 1748 268068.exe 43 PID 1748 wrote to memory of 576 1748 268068.exe 43 PID 1748 wrote to memory of 576 1748 268068.exe 43 PID 576 wrote to memory of 2996 576 44808.exe 44 PID 576 wrote to memory of 2996 576 44808.exe 44 PID 576 wrote to memory of 2996 576 44808.exe 44 PID 576 wrote to memory of 2996 576 44808.exe 44 PID 2996 wrote to memory of 1544 2996 042064.exe 45 PID 2996 wrote to memory of 1544 2996 042064.exe 45 PID 2996 wrote to memory of 1544 2996 042064.exe 45 PID 2996 wrote to memory of 1544 2996 042064.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe"C:\Users\Admin\AppData\Local\Temp\31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\djvjj.exec:\djvjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\bnhtbh.exec:\bnhtbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\2880846.exec:\2880846.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\ffxlrfl.exec:\ffxlrfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\4604822.exec:\4604822.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\66646.exec:\66646.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\bbbtnb.exec:\bbbtnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\048428.exec:\048428.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\8080880.exec:\8080880.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\jdvvd.exec:\jdvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\644624.exec:\644624.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\08860.exec:\08860.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\268068.exec:\268068.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\44808.exec:\44808.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\042064.exec:\042064.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\xfxlfll.exec:\xfxlfll.exe17⤵
- Executes dropped EXE
PID:1544 -
\??\c:\0826886.exec:\0826886.exe18⤵
- Executes dropped EXE
PID:768 -
\??\c:\8224028.exec:\8224028.exe19⤵
- Executes dropped EXE
PID:2092 -
\??\c:\26846.exec:\26846.exe20⤵
- Executes dropped EXE
PID:2436 -
\??\c:\4824064.exec:\4824064.exe21⤵
- Executes dropped EXE
PID:2432 -
\??\c:\nbhnbh.exec:\nbhnbh.exe22⤵
- Executes dropped EXE
PID:1104 -
\??\c:\pvppd.exec:\pvppd.exe23⤵
- Executes dropped EXE
PID:1480 -
\??\c:\bhtnhb.exec:\bhtnhb.exe24⤵
- Executes dropped EXE
PID:1604 -
\??\c:\dvvjj.exec:\dvvjj.exe25⤵
- Executes dropped EXE
PID:1472 -
\??\c:\060808.exec:\060808.exe26⤵
- Executes dropped EXE
PID:1496 -
\??\c:\620486.exec:\620486.exe27⤵
- Executes dropped EXE
PID:1796 -
\??\c:\48826.exec:\48826.exe28⤵
- Executes dropped EXE
PID:1384 -
\??\c:\0822808.exec:\0822808.exe29⤵
- Executes dropped EXE
PID:700 -
\??\c:\488642.exec:\488642.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\4046624.exec:\4046624.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
\??\c:\68802.exec:\68802.exe32⤵
- Executes dropped EXE
PID:2292 -
\??\c:\tnhtbb.exec:\tnhtbb.exe33⤵
- Executes dropped EXE
PID:1708 -
\??\c:\80000.exec:\80000.exe34⤵
- Executes dropped EXE
PID:1636 -
\??\c:\284440.exec:\284440.exe35⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ddvjd.exec:\ddvjd.exe36⤵
- Executes dropped EXE
PID:2484 -
\??\c:\688460.exec:\688460.exe37⤵
- Executes dropped EXE
PID:2900 -
\??\c:\664602.exec:\664602.exe38⤵
- Executes dropped EXE
PID:2444 -
\??\c:\484646.exec:\484646.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\26228.exec:\26228.exe40⤵
- Executes dropped EXE
PID:2488 -
\??\c:\4422400.exec:\4422400.exe41⤵
- Executes dropped EXE
PID:276 -
\??\c:\048442.exec:\048442.exe42⤵
- Executes dropped EXE
PID:484 -
\??\c:\ffllxfx.exec:\ffllxfx.exe43⤵
- Executes dropped EXE
PID:1420 -
\??\c:\frxxfrr.exec:\frxxfrr.exe44⤵
- Executes dropped EXE
PID:2196 -
\??\c:\2002846.exec:\2002846.exe45⤵
- Executes dropped EXE
PID:340 -
\??\c:\42868.exec:\42868.exe46⤵
- Executes dropped EXE
PID:2948 -
\??\c:\6048868.exec:\6048868.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1872 -
\??\c:\e40684.exec:\e40684.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
\??\c:\22066.exec:\22066.exe49⤵
- Executes dropped EXE
PID:1740 -
\??\c:\nhbnbh.exec:\nhbnbh.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\0642248.exec:\0642248.exe51⤵
- Executes dropped EXE
PID:2084 -
\??\c:\608684.exec:\608684.exe52⤵
- Executes dropped EXE
PID:2516 -
\??\c:\xlflxll.exec:\xlflxll.exe53⤵
- Executes dropped EXE
PID:396 -
\??\c:\2668202.exec:\2668202.exe54⤵
- Executes dropped EXE
PID:2144 -
\??\c:\0080240.exec:\0080240.exe55⤵
- Executes dropped EXE
PID:584 -
\??\c:\260026.exec:\260026.exe56⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jvdpd.exec:\jvdpd.exe57⤵
- Executes dropped EXE
PID:1264 -
\??\c:\0468406.exec:\0468406.exe58⤵
- Executes dropped EXE
PID:2436 -
\??\c:\tthnhn.exec:\tthnhn.exe59⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xrrffrf.exec:\xrrffrf.exe60⤵
- Executes dropped EXE
PID:1676 -
\??\c:\260662.exec:\260662.exe61⤵
- Executes dropped EXE
PID:1632 -
\??\c:\06200.exec:\06200.exe62⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vvjvd.exec:\vvjvd.exe63⤵
- Executes dropped EXE
PID:1444 -
\??\c:\486064.exec:\486064.exe64⤵
- Executes dropped EXE
PID:1996 -
\??\c:\864062.exec:\864062.exe65⤵
- Executes dropped EXE
PID:1324 -
\??\c:\hhbbnt.exec:\hhbbnt.exe66⤵PID:3056
-
\??\c:\tttbtt.exec:\tttbtt.exe67⤵PID:924
-
\??\c:\440440.exec:\440440.exe68⤵PID:2416
-
\??\c:\pdvdp.exec:\pdvdp.exe69⤵PID:1924
-
\??\c:\0866462.exec:\0866462.exe70⤵PID:2352
-
\??\c:\7llrlrx.exec:\7llrlrx.exe71⤵PID:1236
-
\??\c:\5xrlxll.exec:\5xrlxll.exe72⤵PID:2252
-
\??\c:\0444246.exec:\0444246.exe73⤵
- System Location Discovery: System Language Discovery
PID:2392 -
\??\c:\8666884.exec:\8666884.exe74⤵PID:2688
-
\??\c:\7xxlrfx.exec:\7xxlrfx.exe75⤵PID:2836
-
\??\c:\3jvjd.exec:\3jvjd.exe76⤵PID:2892
-
\??\c:\lrlrrfr.exec:\lrlrrfr.exe77⤵PID:2644
-
\??\c:\xrxfxrl.exec:\xrxfxrl.exe78⤵PID:2484
-
\??\c:\084240.exec:\084240.exe79⤵PID:2760
-
\??\c:\9jjvj.exec:\9jjvj.exe80⤵PID:2656
-
\??\c:\2640802.exec:\2640802.exe81⤵
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\5pddj.exec:\5pddj.exe82⤵PID:2664
-
\??\c:\hthbbt.exec:\hthbbt.exe83⤵PID:320
-
\??\c:\djpjp.exec:\djpjp.exe84⤵PID:600
-
\??\c:\bbntbb.exec:\bbntbb.exe85⤵PID:1620
-
\??\c:\7jjvj.exec:\7jjvj.exe86⤵PID:1624
-
\??\c:\a6406.exec:\a6406.exe87⤵PID:2708
-
\??\c:\06642.exec:\06642.exe88⤵PID:340
-
\??\c:\hbtbhn.exec:\hbtbhn.exe89⤵PID:2692
-
\??\c:\pdjpv.exec:\pdjpv.exe90⤵PID:2924
-
\??\c:\ppvjv.exec:\ppvjv.exe91⤵PID:2876
-
\??\c:\tbnhht.exec:\tbnhht.exe92⤵PID:1968
-
\??\c:\5hbhtb.exec:\5hbhtb.exe93⤵PID:1748
-
\??\c:\488024.exec:\488024.exe94⤵PID:1512
-
\??\c:\208028.exec:\208028.exe95⤵PID:1564
-
\??\c:\tbnhbt.exec:\tbnhbt.exe96⤵PID:1696
-
\??\c:\2446840.exec:\2446840.exe97⤵PID:2588
-
\??\c:\2808804.exec:\2808804.exe98⤵PID:2108
-
\??\c:\dvdjv.exec:\dvdjv.exe99⤵PID:2568
-
\??\c:\xlxxlxr.exec:\xlxxlxr.exe100⤵PID:2200
-
\??\c:\tbtbnn.exec:\tbtbnn.exe101⤵PID:2156
-
\??\c:\4280662.exec:\4280662.exe102⤵
- System Location Discovery: System Language Discovery
PID:1100 -
\??\c:\djpvp.exec:\djpvp.exe103⤵PID:1104
-
\??\c:\jdvvp.exec:\jdvvp.exe104⤵
- System Location Discovery: System Language Discovery
PID:444 -
\??\c:\nbbtbn.exec:\nbbtbn.exe105⤵PID:2140
-
\??\c:\6084686.exec:\6084686.exe106⤵PID:2476
-
\??\c:\hbthbn.exec:\hbthbn.exe107⤵PID:2592
-
\??\c:\3btbth.exec:\3btbth.exe108⤵PID:3036
-
\??\c:\40680.exec:\40680.exe109⤵PID:1548
-
\??\c:\nhbbth.exec:\nhbbth.exe110⤵PID:620
-
\??\c:\nttbtb.exec:\nttbtb.exe111⤵PID:2312
-
\??\c:\djpdv.exec:\djpdv.exe112⤵PID:2536
-
\??\c:\w04680.exec:\w04680.exe113⤵PID:2520
-
\??\c:\80468.exec:\80468.exe114⤵PID:2168
-
\??\c:\xxfrlfr.exec:\xxfrlfr.exe115⤵PID:848
-
\??\c:\9ntbth.exec:\9ntbth.exe116⤵PID:2076
-
\??\c:\u882042.exec:\u882042.exe117⤵
- System Location Discovery: System Language Discovery
PID:1540 -
\??\c:\466246.exec:\466246.exe118⤵PID:2888
-
\??\c:\m8462.exec:\m8462.exe119⤵PID:2816
-
\??\c:\62662.exec:\62662.exe120⤵PID:376
-
\??\c:\8240064.exec:\8240064.exe121⤵PID:2880
-
\??\c:\7hbnhn.exec:\7hbnhn.exe122⤵PID:2800