Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 12:48
Behavioral task: behavioral1
Sample: 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe
Resource: win7-20240903-en (windows7-x64)
9 signatures, 120 seconds
General
Target: 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe
Size: 3.7MB
MD5: 9967b66c5da03db3c33b432aea338980
SHA1: 3d61254a00f9599b772151636b0c2ae5735ad95c
SHA256: 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8
SHA512: 41c355d7bbeec44e09014b2f940b3b816d1a7912a9eab89707cde6618c20d6e876ac12646373f51984bb90761903857599d38bcf15cafd4f5a115cec3d9735c7
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98a:U6XLq/qPPslzKx/dJg1ErmNJ
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload 42 IoCs
resource / yara_rule (every match below is rule family_blackmoon; the region is 0x27000 bytes in each case, at the image base 0x400000 or at a second allocation)
behavioral1/memory/2848-9-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2524-18-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2316-23-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/572-31-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2316-28-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2832-47-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2072-50-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2832-42-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/2576-68-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2744-61-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/2592-87-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2664-84-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2664-79-0x00000000005C0000-0x00000000005E7000-memory.dmp
behavioral1/memory/2424-103-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1460-123-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2884-120-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1808-134-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/1552-155-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2648-175-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2124-191-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/3044-204-0x00000000002B0000-0x00000000002D7000-memory.dmp
behavioral1/memory/1608-211-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1680-227-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1536-248-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1664-245-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1508-264-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2160-297-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2316-323-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2492-330-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2576-361-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2056-386-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/844-399-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1980-425-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1704-424-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2900-438-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2412-499-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1040-518-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2908-739-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1084-759-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/904-1064-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/2096-1179-0x0000000000430000-0x0000000000457000-memory.dmp
behavioral1/memory/2000-1192-0x0000000000220000-0x0000000000247000-memory.dmp
Njrat family

Executes dropped EXE 64 IoCs
pid   Process
2524  vppdj.exe
2316  llxrllr.exe
572   hthtnb.exe
2832  frrlrrr.exe
2072  448642.exe
2744  btnntn.exe
2576  6244488.exe
2664  7lfxflx.exe
2592  5nhtnb.exe
2424  66488.exe
844   08802.exe
2884  hbnhhn.exe
1460  86866.exe
1808  dvjdj.exe
2640  5vdvj.exe
1552  446260.exe
1352  g8208.exe
2920  442042.exe
2648  4806868.exe
2124  48464.exe
1936  vvppv.exe
3044  2000006.exe
1608  6268686.exe
1680  248046.exe
908   9pjpv.exe
1664  ffxllfl.exe
1536  8284620.exe
1508  tbhbth.exe
2444  6446684.exe
1944  4442608.exe
2484  xxlflrr.exe
2160  pdvpd.exe
1588  86282.exe
2848  xfrxrfx.exe
2336  m4446.exe
2316  w24204.exe
2492  606046.exe
2824  2246082.exe
2832  2204442.exe
2072  jppjj.exe
2000  nthhbn.exe
2932  0666646.exe
2576  040866.exe
2684  046664.exe
1052  9xrxfrl.exe
2056  8820868.exe
2424  tbtnnh.exe
844   hbttbh.exe
2912  48646.exe
2608  k04086.exe
1816  c006840.exe
1704  046240.exe
1980  tnthhb.exe
2900  nnnbnt.exe
2652  1nhhbt.exe
1852  20080.exe
1932  20024.exe
1444  xxxfrrl.exe
2120  bhtnht.exe
2152  660646.exe
1020  86042.exe
1088  jdvdv.exe
1344  066060.exe
2412  8224808.exe
UPX packed (yara rule upx) 64 IoCs
resource / yara_rule (every match below is rule upx; the dropped .dat files are the on-disk copies, the memory dumps are the same 0x27000-byte image in each spawned process)
behavioral1/memory/2848-0-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000c000000012280-5.dat
behavioral1/memory/2848-6-0x00000000001B0000-0x00000000001D7000-memory.dmp
behavioral1/memory/2524-10-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2848-9-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0008000000016edc-19.dat
behavioral1/memory/2524-18-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/572-31-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0008000000016f02-30.dat
behavioral1/files/0x00070000000174b4-38.dat
behavioral1/memory/2316-28-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0009000000016de9-49.dat
behavioral1/memory/2832-47-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2072-50-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00070000000174f8-58.dat
behavioral1/files/0x0007000000017570-66.dat
behavioral1/memory/2576-68-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00080000000175f7-75.dat
behavioral1/files/0x0007000000019261-85.dat
behavioral1/memory/2592-87-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2664-84-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0005000000019274-95.dat
behavioral1/files/0x000500000001927a-104.dat
behavioral1/memory/2424-103-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0005000000019299-113.dat
behavioral1/files/0x00050000000192a1-122.dat
behavioral1/memory/1460-123-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2884-120-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0005000000019354-131.dat
behavioral1/files/0x0005000000019358-140.dat
behavioral1/files/0x000500000001938e-148.dat
behavioral1/files/0x000500000001939f-157.dat
behavioral1/memory/1552-155-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00050000000193cc-165.dat
behavioral1/files/0x00050000000193d0-174.dat
behavioral1/memory/2648-175-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00050000000193dc-182.dat
behavioral1/memory/2124-191-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00050000000193f9-192.dat
behavioral1/files/0x0005000000019426-200.dat
behavioral1/memory/1608-211-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0005000000019428-210.dat
behavioral1/files/0x00050000000194ad-218.dat
behavioral1/files/0x00050000000194c3-229.dat
behavioral1/memory/1680-227-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00050000000194d5-236.dat
behavioral1/memory/1680-222-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/files/0x00050000000194e1-247.dat
behavioral1/memory/1536-248-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1664-245-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0005000000019502-256.dat
behavioral1/memory/1508-264-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0005000000019508-265.dat
behavioral1/files/0x0005000000019510-273.dat
behavioral1/files/0x0005000000019518-281.dat
behavioral1/files/0x0005000000019520-289.dat
behavioral1/memory/2160-297-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2316-323-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2492-330-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2576-361-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2056-386-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/844-399-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1980-425-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1704-424-0x0000000000400000-0x0000000000427000-memory.dmp
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description / ioc / Process: every one of the 64 IoCs is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the processes that opened it are
606804.exe, 8264800.exe, vvvdj.exe, jjvvv.exe, 040842.exe, 82268.exe, nthhbn.exe, thnthh.exe, xfllrxf.exe, 82642.exe, 8802680.exe, 1nhhbt.exe, bhntbn.exe, nttthh.exe, o866284.exe, 2828266.exe, djjdd.exe, 640820.exe, 82244.exe, ttnbhh.exe, 02880.exe, ddvvj.exe, 006204.exe, 2464426.exe,
066060.exe, 8280602.exe, dvdpj.exe, i068620.exe, dvjdj.exe, 3xrllff.exe, 22066.exe, 42260.exe, 40802.exe, 0246642.exe, ffrrlfr.exe, dvvvd.exe, ththbh.exe, rxllrlx.exe, 7bnhhh.exe, 66644.exe, bhntnt.exe, 1vjjv.exe, 268264.exe, djvjj.exe, llrrxxf.exe, i660082.exe, k26886.exe, 044604.exe,
3thtnn.exe, nthhnn.exe, xlflflr.exe, ddjdv.exe, nbnntb.exe, nnnbnt.exe, 68022.exe, lrxllfr.exe, nhnnbt.exe, tbbhnn.exe, 860042.exe, hnhbht.exe, tnnntt.exe, dvvpp.exe, vppdj.exe, ntnbth.exe
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target. Each parent wrote to the memory of exactly one child, and each pair appears four times in the list (one line per WriteProcessMemory call), so the 64 IoCs are the 16 pairs below; the count column gives the number of lines.
pid   Process                                                                   wrote to memory of   procid_target   count
2848  9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe  2524                 31              4
2524  vppdj.exe                                                                 2316                 32              4
2316  llxrllr.exe                                                               572                  33              4
572   hthtnb.exe                                                                2832                 34              4
2832  frrlrrr.exe                                                               2072                 35              4
2072  448642.exe                                                                2744                 36              4
2744  btnntn.exe                                                                2576                 37              4
2576  6244488.exe                                                               2664                 38              4
2664  7lfxflx.exe                                                               2592                 39              4
2592  5nhtnb.exe                                                                2424                 40              4
2424  66488.exe                                                                 844                  41              4
844   08802.exe                                                                 2884                 42              4
2884  hbnhhn.exe                                                                1460                 43              4
1460  86866.exe                                                                 1808                 44              4
1808  dvjdj.exe                                                                 2640                 45              4
2640  5vdvj.exe                                                                 1552                 46              4
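The WriteProcessMemory list is only useful once it is turned back into a parent-to-child chain. The following is an added example, not part of the sandbox report: it parses lines in the exact field layout used above ("PID <pid> wrote to memory of <target> <pid> <Process> <procid_target>"), collapses the four repeated lines per pair into a count, and walks the writes from the root PID. The embedded input is constructed from the first four pairs of this report's list; `WPM_LOG`, `parse_wpm`, `edge_counts` and `build_chain` are names chosen here.

```python
import re
from collections import Counter

# Constructed input: the first four parent/child pairs of the
# "Suspicious use of WriteProcessMemory" list above, copied verbatim. The
# sandbox records one line per WriteProcessMemory call, hence four identical
# lines per pair.
WPM_LOG = """\
PID 2848 wrote to memory of 2524 2848 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe 31
PID 2848 wrote to memory of 2524 2848 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe 31
PID 2848 wrote to memory of 2524 2848 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe 31
PID 2848 wrote to memory of 2524 2848 9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe 31
PID 2524 wrote to memory of 2316 2524 vppdj.exe 32
PID 2524 wrote to memory of 2316 2524 vppdj.exe 32
PID 2524 wrote to memory of 2316 2524 vppdj.exe 32
PID 2524 wrote to memory of 2316 2524 vppdj.exe 32
PID 2316 wrote to memory of 572 2316 llxrllr.exe 33
PID 2316 wrote to memory of 572 2316 llxrllr.exe 33
PID 2316 wrote to memory of 572 2316 llxrllr.exe 33
PID 2316 wrote to memory of 572 2316 llxrllr.exe 33
PID 572 wrote to memory of 2832 572 hthtnb.exe 34
PID 572 wrote to memory of 2832 572 hthtnb.exe 34
PID 572 wrote to memory of 2832 572 hthtnb.exe 34
PID 572 wrote to memory of 2832 572 hthtnb.exe 34
"""

# One line: "PID <pid> wrote to memory of <target> <pid> <Process> <procid_target>".
# The writer PID is repeated in the line, so a backreference pins it.
LINE_RE = re.compile(
    r"^PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) "
    r"(?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_wpm(text):
    """Return one (writer_pid, target_pid, writer_image) tuple per log line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised WriteProcessMemory line: {line!r}")
        events.append((int(m["pid"]), int(m["target"]), m["image"]))
    return events


def edge_counts(events):
    """Collapse repeated lines into (writer_pid, target_pid, image) -> call count."""
    return Counter(events)


def build_chain(events, root_pid):
    """Follow writes from root_pid while each PID wrote to exactly one other PID.

    Stops at a PID that wrote to nothing, at a PID that wrote to two or more
    distinct targets (a branch rather than a chain), or at a PID already seen
    (PID reuse or a cycle), and returns the chain walked so far.
    """
    targets = {}
    for pid, target, _ in events:
        targets.setdefault(pid, set()).add(target)
    chain = [root_pid]
    seen = {root_pid}
    while True:
        nxt = targets.get(chain[-1], set())
        if len(nxt) != 1:
            return chain
        (child,) = nxt
        if child in seen:
            return chain
        chain.append(child)
        seen.add(child)


if __name__ == "__main__":
    ev = parse_wpm(WPM_LOG)
    for (pid, target, image), n in edge_counts(ev).items():
        print(f"{pid} ({image}) -> {target}: {n} calls")
    print("chain from 2848:", build_chain(ev, 2848))
```

Run over the full list above the chain is 17 PIDs long (2848 down to 1552), and it stops there only because the signature is capped at 64 IoCs; the process tree further down shows the same one-child-per-parent pattern continuing to depth 122. The chain is therefore a property of the sample, not of the first few processes.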
Processes
Each entry is a child of the entry above it; the leading number is the nesting depth. Entries are written as: depth. image (command line) PID - signatures. From depth 2 onward every image is a dropped file at the drive root, c:\<name>.exe, launched with the bare command line c:\<name>.exe.
1. C:\Users\Admin\AppData\Local\Temp\9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe ("C:\Users\Admin\AppData\Local\Temp\9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe") PID 2848 - Suspicious use of WriteProcessMemory
2. \??\c:\vppdj.exe (c:\vppdj.exe) PID 2524 - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\llxrllr.exe (c:\llxrllr.exe) PID 2316 - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\hthtnb.exe (c:\hthtnb.exe) PID 572 - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\frrlrrr.exe (c:\frrlrrr.exe) PID 2832 - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\448642.exe (c:\448642.exe) PID 2072 - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\btnntn.exe (c:\btnntn.exe) PID 2744 - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\6244488.exe (c:\6244488.exe) PID 2576 - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\7lfxflx.exe (c:\7lfxflx.exe) PID 2664 - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\5nhtnb.exe (c:\5nhtnb.exe) PID 2592 - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\66488.exe (c:\66488.exe) PID 2424 - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\08802.exe (c:\08802.exe) PID 844 - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\hbnhhn.exe (c:\hbnhhn.exe) PID 2884 - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\86866.exe (c:\86866.exe) PID 1460 - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\dvjdj.exe (c:\dvjdj.exe) PID 1808 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
16. \??\c:\5vdvj.exe (c:\5vdvj.exe) PID 2640 - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\446260.exe (c:\446260.exe) PID 1552 - Executes dropped EXE
18. \??\c:\g8208.exe (c:\g8208.exe) PID 1352 - Executes dropped EXE
19. \??\c:\442042.exe (c:\442042.exe) PID 2920 - Executes dropped EXE
20. \??\c:\4806868.exe (c:\4806868.exe) PID 2648 - Executes dropped EXE
21. \??\c:\48464.exe (c:\48464.exe) PID 2124 - Executes dropped EXE
22. \??\c:\vvppv.exe (c:\vvppv.exe) PID 1936 - Executes dropped EXE
23. \??\c:\2000006.exe (c:\2000006.exe) PID 3044 - Executes dropped EXE
24. \??\c:\6268686.exe (c:\6268686.exe) PID 1608 - Executes dropped EXE
25. \??\c:\248046.exe (c:\248046.exe) PID 1680 - Executes dropped EXE
26. \??\c:\9pjpv.exe (c:\9pjpv.exe) PID 908 - Executes dropped EXE
27. \??\c:\ffxllfl.exe (c:\ffxllfl.exe) PID 1664 - Executes dropped EXE
28. \??\c:\8284620.exe (c:\8284620.exe) PID 1536 - Executes dropped EXE
29. \??\c:\tbhbth.exe (c:\tbhbth.exe) PID 1508 - Executes dropped EXE
30. \??\c:\6446684.exe (c:\6446684.exe) PID 2444 - Executes dropped EXE
31. \??\c:\4442608.exe (c:\4442608.exe) PID 1944 - Executes dropped EXE
32. \??\c:\xxlflrr.exe (c:\xxlflrr.exe) PID 2484 - Executes dropped EXE
33. \??\c:\pdvpd.exe (c:\pdvpd.exe) PID 2160 - Executes dropped EXE
34. \??\c:\86282.exe (c:\86282.exe) PID 1588 - Executes dropped EXE
35. \??\c:\xfrxrfx.exe (c:\xfrxrfx.exe) PID 2848 - Executes dropped EXE
36. \??\c:\m4446.exe (c:\m4446.exe) PID 2336 - Executes dropped EXE
37. \??\c:\w24204.exe (c:\w24204.exe) PID 2316 - Executes dropped EXE
38. \??\c:\606046.exe (c:\606046.exe) PID 2492 - Executes dropped EXE
39. \??\c:\2246082.exe (c:\2246082.exe) PID 2824 - Executes dropped EXE
40. \??\c:\2204442.exe (c:\2204442.exe) PID 2832 - Executes dropped EXE
41. \??\c:\jppjj.exe (c:\jppjj.exe) PID 2072 - Executes dropped EXE
42. \??\c:\nthhbn.exe (c:\nthhbn.exe) PID 2000 - Executes dropped EXE; System Location Discovery: System Language Discovery
43. \??\c:\0666646.exe (c:\0666646.exe) PID 2932 - Executes dropped EXE
44. \??\c:\040866.exe (c:\040866.exe) PID 2576 - Executes dropped EXE
45. \??\c:\046664.exe (c:\046664.exe) PID 2684 - Executes dropped EXE
46. \??\c:\9xrxfrl.exe (c:\9xrxfrl.exe) PID 1052 - Executes dropped EXE
47. \??\c:\8820868.exe (c:\8820868.exe) PID 2056 - Executes dropped EXE
48. \??\c:\tbtnnh.exe (c:\tbtnnh.exe) PID 2424 - Executes dropped EXE
49. \??\c:\hbttbh.exe (c:\hbttbh.exe) PID 844 - Executes dropped EXE
50. \??\c:\48646.exe (c:\48646.exe) PID 2912 - Executes dropped EXE
51. \??\c:\k04086.exe (c:\k04086.exe) PID 2608 - Executes dropped EXE
52. \??\c:\c006840.exe (c:\c006840.exe) PID 1816 - Executes dropped EXE
53. \??\c:\046240.exe (c:\046240.exe) PID 1704 - Executes dropped EXE
54. \??\c:\tnthhb.exe (c:\tnthhb.exe) PID 1980 - Executes dropped EXE
55. \??\c:\nnnbnt.exe (c:\nnnbnt.exe) PID 2900 - Executes dropped EXE; System Location Discovery: System Language Discovery
56. \??\c:\1nhhbt.exe (c:\1nhhbt.exe) PID 2652 - Executes dropped EXE; System Location Discovery: System Language Discovery
57. \??\c:\20080.exe (c:\20080.exe) PID 1852 - Executes dropped EXE
58. \??\c:\20024.exe (c:\20024.exe) PID 1932 - Executes dropped EXE
59. \??\c:\xxxfrrl.exe (c:\xxxfrrl.exe) PID 1444 - Executes dropped EXE
60. \??\c:\bhtnht.exe (c:\bhtnht.exe) PID 2120 - Executes dropped EXE
61. \??\c:\660646.exe (c:\660646.exe) PID 2152 - Executes dropped EXE
62. \??\c:\86042.exe (c:\86042.exe) PID 1020 - Executes dropped EXE
63. \??\c:\jdvdv.exe (c:\jdvdv.exe) PID 1088 - Executes dropped EXE
64. \??\c:\066060.exe (c:\066060.exe) PID 1344 - Executes dropped EXE; System Location Discovery: System Language Discovery
65. \??\c:\8224808.exe (c:\8224808.exe) PID 2412 - Executes dropped EXE
66. \??\c:\882202.exe (c:\882202.exe) PID 940
67. \??\c:\086826.exe (c:\086826.exe) PID 908
68. \??\c:\pjpdv.exe (c:\pjpdv.exe) PID 1040
69. \??\c:\htnhhb.exe (c:\htnhhb.exe) PID 1388
70. \??\c:\9jpjv.exe (c:\9jpjv.exe) PID 948
71. \??\c:\htbnth.exe (c:\htbnth.exe) PID 2296
72. \??\c:\820802.exe (c:\820802.exe) PID 944
73. \??\c:\66020.exe (c:\66020.exe) PID 1992
74. \??\c:\822460.exe (c:\822460.exe) PID 2444
75. \??\c:\u224244.exe (c:\u224244.exe) PID 1876
76. \??\c:\044604.exe (c:\044604.exe) PID 2484 - System Location Discovery: System Language Discovery
77. \??\c:\044466.exe (c:\044466.exe) PID 324
78. \??\c:\42248.exe (c:\42248.exe) PID 1700
79. \??\c:\thnthn.exe (c:\thnthn.exe) PID 332
80. \??\c:\thnthh.exe (c:\thnthh.exe) PID 2148 - System Location Discovery: System Language Discovery
81. \??\c:\nnnhtt.exe (c:\nnnhtt.exe) PID 2040
82. \??\c:\442420.exe (c:\442420.exe) PID 1792
83. \??\c:\hbnhnb.exe (c:\hbnhnb.exe) PID 572
84. \??\c:\6804044.exe (c:\6804044.exe) PID 2680
85. \??\c:\ntnbth.exe (c:\ntnbth.exe) PID 2852 - System Location Discovery: System Language Discovery
86. \??\c:\20648.exe (c:\20648.exe) PID 2144
87. \??\c:\ddvvj.exe (c:\ddvvj.exe) PID 2656 - System Location Discovery: System Language Discovery
88. \??\c:\626008.exe (c:\626008.exe) PID 2596
89. \??\c:\9btbhb.exe (c:\9btbhb.exe) PID 2552
90. \??\c:\e40202.exe (c:\e40202.exe) PID 2664
91. \??\c:\000208.exe (c:\000208.exe) PID 2624
92. \??\c:\tnbhtt.exe (c:\tnbhtt.exe) PID 2128
93. \??\c:\ttbnnh.exe (c:\ttbnnh.exe) PID 2584
94. \??\c:\4048826.exe (c:\4048826.exe) PID 856
95. \??\c:\nbnbnt.exe (c:\nbnbnt.exe) PID 2028
96. \??\c:\0402460.exe (c:\0402460.exe) PID 2452
97. \??\c:\68022.exe (c:\68022.exe) PID 620 - System Location Discovery: System Language Discovery
98. \??\c:\9nntbt.exe (c:\9nntbt.exe) PID 2904
99. \??\c:\htbtbb.exe (c:\htbtbb.exe) PID 2788
100. \??\c:\pdddj.exe (c:\pdddj.exe) PID 2080
101. \??\c:\m8484.exe (c:\m8484.exe) PID 2900
102. \??\c:\bbnbtn.exe (c:\bbnbtn.exe) PID 2652
103. \??\c:\2060004.exe (c:\2060004.exe) PID 2020
104. \??\c:\866622.exe (c:\866622.exe) PID 2908
105. \??\c:\0208482.exe (c:\0208482.exe) PID 3048
106. \??\c:\22682.exe (c:\22682.exe) PID 848
107. \??\c:\886604.exe (c:\886604.exe) PID 548
108. \??\c:\020828.exe (c:\020828.exe) PID 1084
109. \??\c:\8200248.exe (c:\8200248.exe) PID 664
110. \??\c:\0446864.exe (c:\0446864.exe) PID 1764
111. \??\c:\48200.exe (c:\48200.exe) PID 780
112. \??\c:\04442.exe (c:\04442.exe) PID 896
113. \??\c:\9bnhnh.exe (c:\9bnhnh.exe) PID 908
114. \??\c:\1xxxflx.exe (c:\1xxxflx.exe) PID 2636
115. \??\c:\808080.exe (c:\808080.exe) PID 1768
116. \??\c:\00002.exe (c:\00002.exe) PID 948
117. \??\c:\4882068.exe (c:\4882068.exe) PID 2296
118. \??\c:\864204.exe (c:\864204.exe) PID 1652
119. \??\c:\tntnbn.exe (c:\tntnbn.exe) PID 1992
120. \??\c:\xfxxrlx.exe (c:\xfxxrlx.exe) PID 996
121. \??\c:\s0808.exe (c:\s0808.exe) PID 2456
122. \??\c:\htnhhb.exe (c:\htnhhb.exe) PID 1736
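The process tree and the "Executes dropped EXE" list show two things a detection engineer can use: every dropped file is launched from the drive root (c:\<name>.exe), and the names follow one scheme. In this report the letter-only names use only b d f h j l n p r t v x (every second letter of the alphabet), the digit-only names use only 0 2 4 6 8, and when a one-character prefix is present it comes from the complementary set (an odd digit before a letter body, as in 7lfxflx.exe; an odd-position letter before a digit body, as in g8208.exe), with bodies of 4 to 7 characters. The block below is an added example, not part of the sandbox report and not a published Blackmoon signature: it encodes that observation as a heuristic and walks a constructed set of process-creation events (pid, parent pid, image path) taken from the tree above plus two benign processes. `EVENTS`, the parent PID chosen for the sample, and all function names are assumptions made here.

```python
import ntpath
import re

# Naming scheme observed in this report's dropped executables (see the lead-in):
#   optional odd digit     + 4..7 letters from b d f h j l n p r t v x, or
#   optional odd letter    + 4..7 digits  from 0 2 4 6 8.
# This is an observation from one report, not a vendor signature.
NAME_RE = re.compile(
    r"^(?:[13579]?[bdfhjlnprtvx]{4,7}|[acegikmoqsuwy]?[02468]{4,7})\.exe$"
)

# Constructed events: (pid, ppid, image). The first six rows mirror depths 1-7
# of the process tree above; the parent PID of the sample (1200) is assumed,
# the report does not record it. The last two rows are benign controls.
EVENTS = [
    (2848, 1200, r"C:\Users\Admin\AppData\Local\Temp\9de5c23077bff99ea63a656ac54eebb52a26ad06424847d848dcf437a2bc70f8N.exe"),
    (2524, 2848, r"\??\c:\vppdj.exe"),
    (2316, 2524, r"\??\c:\llxrllr.exe"),
    (572, 2316, r"\??\c:\hthtnb.exe"),
    (2832, 572, r"\??\c:\frrlrrr.exe"),
    (2072, 2832, r"\??\c:\448642.exe"),
    (2744, 2072, r"\??\c:\btnntn.exe"),
    (1100, 600, r"C:\Windows\System32\svchost.exe"),
    (1102, 1100, r"C:\Windows\explorer.exe"),
]


def strip_nt_prefix(image_path: str) -> str:
    """Drop the \\??\\ NT object-manager prefix the sandbox shows on dropped files."""
    return image_path[4:] if image_path.startswith("\\??\\") else image_path


def matches_naming_scheme(filename: str) -> bool:
    """True if a bare file name fits the scheme of this report's dropped files."""
    return NAME_RE.match(filename.lower()) is not None


def at_drive_root(image_path: str) -> bool:
    """True for paths of the form <drive>:\\<file> with no further directory."""
    drive, rest = ntpath.splitdrive(strip_nt_prefix(image_path).lower())
    return bool(drive) and rest.startswith("\\") and "\\" not in rest[1:]


def is_suspicious(image_path: str) -> bool:
    """Both conditions together: drive-root location and the naming scheme."""
    p = strip_nt_prefix(image_path)
    return at_drive_root(p) and matches_naming_scheme(ntpath.basename(p))


def longest_chain(events):
    """Return the longest parent->child chain of suspicious processes as PIDs.

    Only suspicious processes are nodes; a chain starts at a suspicious
    process whose parent is not itself suspicious (here the original sample,
    which lives in %TEMP% and has a hash-like name, so it is not flagged).
    """
    flagged = {pid: ppid for pid, ppid, image in events if is_suspicious(image)}
    children = {}
    for pid, ppid in flagged.items():
        children.setdefault(ppid, []).append(pid)

    def walk(pid):
        best = []
        for child in children.get(pid, []):
            path = walk(child)
            if len(path) > len(best):
                best = path
        return [pid] + best

    best = []
    for pid, ppid in flagged.items():
        if ppid not in flagged:
            path = walk(pid)
            if len(path) > len(best):
                best = path
    return best


if __name__ == "__main__":
    for pid, ppid, image in EVENTS:
        print(pid, ppid, "SUSPICIOUS" if is_suspicious(image) else "ok", image)
    print("longest chain:", longest_chain(EVENTS))
```

Two caveats before using this on real telemetry. The name heuristic alone has false positives (httpd.exe, for instance, is built entirely from the "even" letter set), which is why `is_suspicious` also requires the drive-root location and why the chain length, not a single hit, should drive the alert. And the tree above reuses PIDs freely (2848 is the sample at depth 1 and xfrxrfx.exe at depth 35; 2316, 2832, 2072, 572 and others recur too), so a production version must key processes on a process GUID or (PID, creation time) pair rather than on the bare PID as this example does.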