Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 11:42
Behavioral task
behavioral1
Sample
31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
General
-
Target
31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe
-
Size
3.7MB
-
MD5
d907bfc5b0d2de96852acf0719c53720
-
SHA1
3daff44988640b3b12578d54722d946444c546c7
-
SHA256
31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ff
-
SHA512
311b77a4849e76978e7a98538d2d2bc46b16698c9cbf1752bf21a4dfccb0429b40c74b360240efd14675818d80636fda07c8acef77c6353b47ce807f8581f72e
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98e:U6XLq/qPPslzKx/dJg1ErmNN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1528-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4160-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3392-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4692-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3868-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3464-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1136-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3788-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1136-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4412-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1764-434-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-518-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4384-582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-613-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-635-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-649-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-686-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1860-813-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 4952 844444.exe 2608 642020.exe 4656 xxrrlrr.exe 1008 0288264.exe 4964 848822.exe 4160 httnhh.exe 4956 djjpd.exe 2340 a6884.exe 4296 frrrlll.exe 4708 3frlllf.exe 3392 2448260.exe 4692 i844826.exe 3868 46242.exe 1348 846822.exe 4540 02024.exe 1992 0846448.exe 3464 pjjdp.exe 536 vvpjv.exe 3368 62482.exe 2776 9vddp.exe 2384 9lrfrrf.exe 4696 djpjv.exe 2988 lflxfxr.exe 4800 u846040.exe 4512 k88648.exe 3788 e60666.exe 1136 4800260.exe 3348 jvddv.exe 1144 8280464.exe 1744 2028244.exe 1860 406600.exe 3472 00406.exe 3936 6200406.exe 4840 jjvpp.exe 4140 0684882.exe 836 nnnhhh.exe 4388 28284.exe 4952 vdjjd.exe 2608 dppjd.exe 1748 028826.exe 2164 vpvvd.exe 2012 846622.exe 3700 9hhhbh.exe 1420 280844.exe 904 frfrfxl.exe 1196 vppjj.exe 1876 rrrlxxl.exe 4304 m8044.exe 2720 jvjdp.exe 4244 24420.exe 1620 24482.exe 3340 806266.exe 5092 6844228.exe 424 64204.exe 696 3fxrllf.exe 1556 846066.exe 4072 884866.exe 1496 pddvp.exe 4880 rlrxxxr.exe 2308 026222.exe 844 7bbnbn.exe 1372 4806044.exe 1388 40026.exe 4872 q22622.exe -
resource yara_rule behavioral2/memory/1528-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c74-3.dat upx behavioral2/memory/1528-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c77-12.dat upx behavioral2/memory/4952-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-13.dat upx behavioral2/memory/2608-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c78-24.dat upx behavioral2/memory/4656-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-28.dat upx behavioral2/memory/4964-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1008-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-35.dat upx behavioral2/memory/4160-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c80-42.dat upx behavioral2/memory/4160-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-49.dat upx behavioral2/memory/4956-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-52.dat upx behavioral2/memory/4296-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2340-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-61.dat upx behavioral2/files/0x0007000000023c84-66.dat upx behavioral2/memory/4692-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c85-71.dat upx behavioral2/memory/3392-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4692-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c86-77.dat upx behavioral2/files/0x0007000000023c87-85.dat upx behavioral2/memory/3868-84-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c88-91.dat upx behavioral2/memory/1348-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-96.dat upx behavioral2/memory/4540-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-102.dat upx behavioral2/files/0x0007000000023c8b-107.dat upx behavioral2/memory/3464-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/536-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8c-110.dat upx behavioral2/memory/3368-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2776-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-117.dat upx behavioral2/files/0x0007000000023c8e-124.dat upx behavioral2/memory/2988-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-141.dat upx behavioral2/files/0x0007000000023c90-135.dat upx behavioral2/files/0x0007000000023c8f-130.dat upx behavioral2/memory/2384-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a00000001e104-145.dat upx behavioral2/files/0x0007000000023c94-152.dat upx behavioral2/memory/1136-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3788-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-156.dat upx behavioral2/files/0x0007000000023c96-163.dat upx behavioral2/memory/1136-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1144-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-169.dat upx behavioral2/memory/1744-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1860-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-182.dat upx behavioral2/files/0x0007000000023c9a-188.dat upx 
behavioral2/memory/1144-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-175.dat upx behavioral2/memory/4140-202-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4642008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e40004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w64444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4448262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642020.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 242466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6284844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0200662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4424882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 620646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrrrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2640444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0000460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6888004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k20684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u408266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1528 wrote to memory of 4952 1528 31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe 83 PID 1528 wrote to memory of 4952 1528 31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe 83 PID 1528 wrote to memory of 4952 1528 31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe 83 PID 4952 wrote to memory of 2608 4952 844444.exe 84 PID 4952 wrote to memory of 2608 4952 844444.exe 84 PID 4952 wrote to memory of 2608 4952 844444.exe 84 PID 2608 wrote to memory of 4656 2608 642020.exe 85 PID 2608 wrote to memory of 4656 2608 642020.exe 85 PID 2608 wrote to memory of 4656 2608 642020.exe 85 PID 4656 wrote to memory of 1008 4656 xxrrlrr.exe 230 PID 4656 wrote to memory of 1008 4656 xxrrlrr.exe 230 PID 4656 wrote to memory of 1008 4656 xxrrlrr.exe 230 PID 1008 wrote to memory of 4964 1008 0288264.exe 87 PID 1008 wrote to memory of 4964 1008 0288264.exe 87 PID 1008 wrote to memory of 4964 1008 0288264.exe 87 PID 4964 wrote to memory of 4160 4964 848822.exe 388 PID 4964 wrote to memory of 4160 4964 848822.exe 388 PID 4964 wrote to memory of 4160 4964 848822.exe 388 PID 4160 wrote to memory of 4956 4160 httnhh.exe 89 PID 4160 wrote to memory of 4956 4160 httnhh.exe 89 PID 4160 wrote to memory of 4956 4160 httnhh.exe 89 PID 4956 wrote to memory of 2340 4956 djjpd.exe 290 PID 4956 wrote to memory of 2340 4956 djjpd.exe 290 PID 4956 wrote to memory of 2340 4956 djjpd.exe 290 PID 2340 wrote to memory of 4296 2340 a6884.exe 91 PID 2340 wrote to memory of 4296 2340 a6884.exe 91 PID 2340 wrote to memory of 4296 2340 a6884.exe 91 PID 4296 wrote to memory of 4708 4296 frrrlll.exe 242 PID 4296 wrote to memory of 4708 4296 frrrlll.exe 242 PID 4296 wrote to memory of 4708 4296 frrrlll.exe 242 PID 4708 wrote to memory of 3392 4708 3frlllf.exe 347 PID 4708 wrote to memory of 3392 4708 3frlllf.exe 347 PID 4708 wrote to memory of 3392 4708 3frlllf.exe 347 PID 3392 wrote to memory of 4692 3392 
2448260.exe 296 PID 3392 wrote to memory of 4692 3392 2448260.exe 296 PID 3392 wrote to memory of 4692 3392 2448260.exe 296 PID 4692 wrote to memory of 3868 4692 i844826.exe 95 PID 4692 wrote to memory of 3868 4692 i844826.exe 95 PID 4692 wrote to memory of 3868 4692 i844826.exe 95 PID 3868 wrote to memory of 1348 3868 46242.exe 247 PID 3868 wrote to memory of 1348 3868 46242.exe 247 PID 3868 wrote to memory of 1348 3868 46242.exe 247 PID 1348 wrote to memory of 4540 1348 846822.exe 98 PID 1348 wrote to memory of 4540 1348 846822.exe 98 PID 1348 wrote to memory of 4540 1348 846822.exe 98 PID 4540 wrote to memory of 1992 4540 02024.exe 99 PID 4540 wrote to memory of 1992 4540 02024.exe 99 PID 4540 wrote to memory of 1992 4540 02024.exe 99 PID 1992 wrote to memory of 3464 1992 0846448.exe 100 PID 1992 wrote to memory of 3464 1992 0846448.exe 100 PID 1992 wrote to memory of 3464 1992 0846448.exe 100 PID 3464 wrote to memory of 536 3464 pjjdp.exe 304 PID 3464 wrote to memory of 536 3464 pjjdp.exe 304 PID 3464 wrote to memory of 536 3464 pjjdp.exe 304 PID 536 wrote to memory of 3368 536 vvpjv.exe 356 PID 536 wrote to memory of 3368 536 vvpjv.exe 356 PID 536 wrote to memory of 3368 536 vvpjv.exe 356 PID 3368 wrote to memory of 2776 3368 62482.exe 103 PID 3368 wrote to memory of 2776 3368 62482.exe 103 PID 3368 wrote to memory of 2776 3368 62482.exe 103 PID 2776 wrote to memory of 2384 2776 9vddp.exe 104 PID 2776 wrote to memory of 2384 2776 9vddp.exe 104 PID 2776 wrote to memory of 2384 2776 9vddp.exe 104 PID 2384 wrote to memory of 4696 2384 9lrfrrf.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe"C:\Users\Admin\AppData\Local\Temp\31e79b9ee10654f64464d3325d34e7e0bad4687d60e4005ee3a0ab5318a798ffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\844444.exec:\844444.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\642020.exec:\642020.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\xxrrlrr.exec:\xxrrlrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\0288264.exec:\0288264.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\848822.exec:\848822.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\httnhh.exec:\httnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\djjpd.exec:\djjpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\a6884.exec:\a6884.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\frrrlll.exec:\frrrlll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\3frlllf.exec:\3frlllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\2448260.exec:\2448260.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\i844826.exec:\i844826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\46242.exec:\46242.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\846822.exec:\846822.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\02024.exec:\02024.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\0846448.exec:\0846448.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\pjjdp.exec:\pjjdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\vvpjv.exec:\vvpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\62482.exec:\62482.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\9vddp.exec:\9vddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\9lrfrrf.exec:\9lrfrrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\djpjv.exec:\djpjv.exe23⤵
- Executes dropped EXE
PID:4696 -
\??\c:\lflxfxr.exec:\lflxfxr.exe24⤵
- Executes dropped EXE
PID:2988 -
\??\c:\u846040.exec:\u846040.exe25⤵
- Executes dropped EXE
PID:4800 -
\??\c:\k88648.exec:\k88648.exe26⤵
- Executes dropped EXE
PID:4512 -
\??\c:\e60666.exec:\e60666.exe27⤵
- Executes dropped EXE
PID:3788 -
\??\c:\4800260.exec:\4800260.exe28⤵
- Executes dropped EXE
PID:1136 -
\??\c:\jvddv.exec:\jvddv.exe29⤵
- Executes dropped EXE
PID:3348 -
\??\c:\8280464.exec:\8280464.exe30⤵
- Executes dropped EXE
PID:1144 -
\??\c:\2028244.exec:\2028244.exe31⤵
- Executes dropped EXE
PID:1744 -
\??\c:\406600.exec:\406600.exe32⤵
- Executes dropped EXE
PID:1860 -
\??\c:\00406.exec:\00406.exe33⤵
- Executes dropped EXE
PID:3472 -
\??\c:\6200406.exec:\6200406.exe34⤵
- Executes dropped EXE
PID:3936 -
\??\c:\jjvpp.exec:\jjvpp.exe35⤵
- Executes dropped EXE
PID:4840 -
\??\c:\0684882.exec:\0684882.exe36⤵
- Executes dropped EXE
PID:4140 -
\??\c:\nnnhhh.exec:\nnnhhh.exe37⤵
- Executes dropped EXE
PID:836 -
\??\c:\28284.exec:\28284.exe38⤵
- Executes dropped EXE
PID:4388 -
\??\c:\vdjjd.exec:\vdjjd.exe39⤵
- Executes dropped EXE
PID:4952 -
\??\c:\dppjd.exec:\dppjd.exe40⤵
- Executes dropped EXE
PID:2608 -
\??\c:\028826.exec:\028826.exe41⤵
- Executes dropped EXE
PID:1748 -
\??\c:\vpvvd.exec:\vpvvd.exe42⤵
- Executes dropped EXE
PID:2164 -
\??\c:\846622.exec:\846622.exe43⤵
- Executes dropped EXE
PID:2012 -
\??\c:\9hhhbh.exec:\9hhhbh.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3700 -
\??\c:\280844.exec:\280844.exe45⤵
- Executes dropped EXE
PID:1420 -
\??\c:\frfrfxl.exec:\frfrfxl.exe46⤵
- Executes dropped EXE
PID:904 -
\??\c:\vppjj.exec:\vppjj.exe47⤵
- Executes dropped EXE
PID:1196 -
\??\c:\rrrlxxl.exec:\rrrlxxl.exe48⤵
- Executes dropped EXE
PID:1876 -
\??\c:\m8044.exec:\m8044.exe49⤵
- Executes dropped EXE
PID:4304 -
\??\c:\jvjdp.exec:\jvjdp.exe50⤵
- Executes dropped EXE
PID:2720 -
\??\c:\24420.exec:\24420.exe51⤵
- Executes dropped EXE
PID:4244 -
\??\c:\24482.exec:\24482.exe52⤵
- Executes dropped EXE
PID:1620 -
\??\c:\806266.exec:\806266.exe53⤵
- Executes dropped EXE
PID:3340 -
\??\c:\6844228.exec:\6844228.exe54⤵
- Executes dropped EXE
PID:5092 -
\??\c:\64204.exec:\64204.exe55⤵
- Executes dropped EXE
PID:424 -
\??\c:\3fxrllf.exec:\3fxrllf.exe56⤵
- Executes dropped EXE
PID:696 -
\??\c:\846066.exec:\846066.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
\??\c:\884866.exec:\884866.exe58⤵
- Executes dropped EXE
PID:4072 -
\??\c:\pddvp.exec:\pddvp.exe59⤵
- Executes dropped EXE
PID:1496 -
\??\c:\rlrxxxr.exec:\rlrxxxr.exe60⤵
- Executes dropped EXE
PID:4880 -
\??\c:\026222.exec:\026222.exe61⤵
- Executes dropped EXE
PID:2308 -
\??\c:\7bbnbn.exec:\7bbnbn.exe62⤵
- Executes dropped EXE
PID:844 -
\??\c:\4806044.exec:\4806044.exe63⤵
- Executes dropped EXE
PID:1372 -
\??\c:\40026.exec:\40026.exe64⤵
- Executes dropped EXE
PID:1388 -
\??\c:\q22622.exec:\q22622.exe65⤵
- Executes dropped EXE
PID:4872 -
\??\c:\rxfrfxx.exec:\rxfrfxx.exe66⤵PID:4516
-
\??\c:\9pjjv.exec:\9pjjv.exe67⤵PID:3980
-
\??\c:\fxlxrxr.exec:\fxlxrxr.exe68⤵PID:2628
-
\??\c:\2422606.exec:\2422606.exe69⤵PID:4508
-
\??\c:\422028.exec:\422028.exe70⤵PID:4564
-
\??\c:\1nnbtb.exec:\1nnbtb.exe71⤵PID:4688
-
\??\c:\u408266.exec:\u408266.exe72⤵
- System Location Discovery: System Language Discovery
PID:4748 -
\??\c:\828642.exec:\828642.exe73⤵
- System Location Discovery: System Language Discovery
PID:2792 -
\??\c:\xrxxrfr.exec:\xrxxrfr.exe74⤵PID:948
-
\??\c:\flxrrrl.exec:\flxrrrl.exe75⤵PID:3348
-
\??\c:\pdjjd.exec:\pdjjd.exe76⤵PID:3836
-
\??\c:\hbtnnh.exec:\hbtnnh.exe77⤵PID:4852
-
\??\c:\062226.exec:\062226.exe78⤵PID:4092
-
\??\c:\dvjdj.exec:\dvjdj.exe79⤵PID:1240
-
\??\c:\7jjjd.exec:\7jjjd.exe80⤵PID:1160
-
\??\c:\k88828.exec:\k88828.exe81⤵PID:3016
-
\??\c:\xxxfffl.exec:\xxxfffl.exe82⤵PID:4972
-
\??\c:\nnbtnh.exec:\nnbtnh.exe83⤵PID:4364
-
\??\c:\9tnhbh.exec:\9tnhbh.exe84⤵PID:4952
-
\??\c:\bbnhbb.exec:\bbnhbb.exe85⤵PID:944
-
\??\c:\8646600.exec:\8646600.exe86⤵PID:4412
-
\??\c:\08486.exec:\08486.exe87⤵PID:2904
-
\??\c:\vvdvd.exec:\vvdvd.exe88⤵PID:5064
-
\??\c:\424208.exec:\424208.exe89⤵PID:1404
-
\??\c:\0848260.exec:\0848260.exe90⤵PID:4520
-
\??\c:\9rfrffx.exec:\9rfrffx.exe91⤵PID:972
-
\??\c:\44224.exec:\44224.exe92⤵
- System Location Discovery: System Language Discovery
PID:3588 -
\??\c:\rrllfrl.exec:\rrllfrl.exe93⤵PID:2348
-
\??\c:\c866626.exec:\c866626.exe94⤵PID:3780
-
\??\c:\ffrlrrx.exec:\ffrlrrx.exe95⤵PID:4820
-
\??\c:\a8442.exec:\a8442.exe96⤵PID:5060
-
\??\c:\7nhtnn.exec:\7nhtnn.exe97⤵PID:3376
-
\??\c:\0000460.exec:\0000460.exe98⤵
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\s2006.exec:\s2006.exe99⤵
- System Location Discovery: System Language Discovery
PID:4708 -
\??\c:\tnhbbb.exec:\tnhbbb.exe100⤵PID:2468
-
\??\c:\446262.exec:\446262.exe101⤵PID:3092
-
\??\c:\20048.exec:\20048.exe102⤵PID:4876
-
\??\c:\82604.exec:\82604.exe103⤵PID:4384
-
\??\c:\bbbbth.exec:\bbbbth.exe104⤵PID:4116
-
\??\c:\xrfxxxr.exec:\xrfxxxr.exe105⤵PID:4756
-
\??\c:\btbbtt.exec:\btbbtt.exe106⤵PID:1764
-
\??\c:\vvjdv.exec:\vvjdv.exe107⤵PID:5016
-
\??\c:\a2860.exec:\a2860.exe108⤵PID:1100
-
\??\c:\6644006.exec:\6644006.exe109⤵PID:984
-
\??\c:\660420.exec:\660420.exe110⤵
- System Location Discovery: System Language Discovery
PID:4464 -
\??\c:\fxrlrrx.exec:\fxrlrrx.exe111⤵PID:3512
-
\??\c:\rrrrxxl.exec:\rrrrxxl.exe112⤵PID:2104
-
\??\c:\00848.exec:\00848.exe113⤵PID:852
-
\??\c:\lxxrflf.exec:\lxxrflf.exe114⤵PID:3732
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe115⤵PID:2988
-
\??\c:\tnhbtn.exec:\tnhbtn.exe116⤵PID:2612
-
\??\c:\6206048.exec:\6206048.exe117⤵PID:4008
-
\??\c:\u208226.exec:\u208226.exe118⤵PID:3308
-
\??\c:\htbbbh.exec:\htbbbh.exe119⤵PID:4088
-
\??\c:\246224.exec:\246224.exe120⤵PID:700
-
\??\c:\lfxrfrf.exec:\lfxrfrf.exe121⤵PID:3672
-
\??\c:\tttnbb.exec:\tttnbb.exe122⤵PID:1144