Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
24-11-2024 14:38
Behavioral task
behavioral1
Sample
9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe
-
Size
91KB
-
MD5
5ec0a015b12008041477a0cd969451a0
-
SHA1
c262a837f758d5e03246edc86a2267e467b3e9ae
-
SHA256
9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72
-
SHA512
5e19bff78600c23b2e5aa2efcec682aacf2d09ab88c9151ccc2b5031606346dbbdc6109b781ce116c13f63cf722502723917c2a06ddf3a44c681ab52a2984df8
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADUOj2YUW+S436CM:9hOmTsF93UYfwC6GIoutyaVszyKd+XY+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2972-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2484-31-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2484-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2636-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2336-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2644-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2760-63-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2900-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2608-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2548-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-120-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/1744-117-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1744-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2600-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1536-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1988-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1816-166-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1816-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/624-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2860-186-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2860-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-194-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2144-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/584-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/532-247-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2972-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2408-324-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2708-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2760-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2572-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2564-385-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1916-440-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2796-446-0x00000000002D0000-0x00000000002F7000-memory.dmp family_blackmoon behavioral1/memory/2800-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1916-461-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2892-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1396-475-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/884-537-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2432-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2468-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/284-570-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2304-582-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2708-605-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/3008-646-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1096-653-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1744-687-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2996-719-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-744-0x00000000002D0000-0x00000000002F7000-memory.dmp family_blackmoon behavioral1/memory/2648-757-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/304-778-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-779-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2580-885-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-1083-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2352 26068.exe 2636 a8044.exe 2484 rfrrfxf.exe 2336 pddjp.exe 2644 2206404.exe 2760 xfrfffl.exe 2164 468404.exe 2668 1dvpv.exe 2900 80642.exe 2608 dvdjv.exe 2548 thnhnh.exe 1744 7thtbh.exe 1824 vpddj.exe 2600 ddvpv.exe 1536 a6440.exe 1988 xlxxxxf.exe 1816 hthhhb.exe 624 dvdvd.exe 2860 9dvjp.exe 2892 c240666.exe 2144 u206284.exe 2728 24846.exe 584 642466.exe 2152 862888.exe 948 m8628.exe 532 vjdjp.exe 2524 9nbthn.exe 568 pdpjv.exe 480 660680.exe 2204 vpjvj.exe 2972 q04086.exe 1056 o480268.exe 3048 vvjjj.exe 2304 s2402.exe 2084 9xllflr.exe 2408 6080806.exe 2692 a0662.exe 2708 bttttt.exe 2760 nnhthn.exe 2804 xlrrxrr.exe 2808 nhtttt.exe 2840 xrrfxlr.exe 2688 nbhbbb.exe 2572 4828444.exe 2564 frxxxxx.exe 2372 bnthbt.exe 3032 268444.exe 2112 bnnntt.exe 2248 828400.exe 1696 8202648.exe 1704 642484.exe 2044 3xlxfxf.exe 1916 xxlrflf.exe 2796 202400.exe 2800 dppdj.exe 2404 rxflfxx.exe 2892 82624.exe 1396 9bhnbb.exe 2908 m6200.exe 1124 4282884.exe 1076 w68406.exe 1376 82680.exe 816 3ddjv.exe 1232 424026.exe -
resource yara_rule behavioral1/memory/2972-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2972-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b0000000120dc-9.dat upx behavioral1/memory/2352-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019214-18.dat upx behavioral1/memory/2484-31-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2484-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019219-27.dat upx behavioral1/memory/2636-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001921d-36.dat upx behavioral1/files/0x0006000000019232-44.dat upx behavioral1/memory/2644-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2336-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019329-55.dat upx behavioral1/memory/2644-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019369-64.dat upx behavioral1/files/0x00060000000195c2-72.dat upx behavioral1/files/0x000500000001a2b9-80.dat upx behavioral1/memory/2900-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2668-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a2fc-90.dat upx behavioral1/memory/2608-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a3e4-98.dat upx behavioral1/memory/2548-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2548-109-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001a3e6-108.dat upx behavioral1/files/0x000500000001a3e8-118.dat upx behavioral1/memory/1744-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a3ea-129.dat upx behavioral1/memory/2600-138-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x000500000001a3ed-136.dat upx behavioral1/memory/1536-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a423-145.dat upx behavioral1/memory/1988-154-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001a445-156.dat upx behavioral1/memory/1988-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a447-167.dat upx behavioral1/memory/1816-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/624-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a452-175.dat upx behavioral1/files/0x000500000001a454-187.dat upx behavioral1/memory/2860-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2892-194-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00080000000191d1-195.dat upx behavioral1/memory/2144-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a463-202.dat upx behavioral1/memory/2728-213-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46d-214.dat upx behavioral1/files/0x000500000001a470-222.dat upx behavioral1/memory/584-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a472-230.dat upx behavioral1/files/0x000500000001a478-239.dat upx behavioral1/files/0x000500000001a47c-248.dat upx behavioral1/files/0x000500000001a47f-257.dat upx behavioral1/files/0x000500000001a481-265.dat upx behavioral1/files/0x000500000001a483-273.dat upx behavioral1/files/0x000500000001a485-281.dat upx behavioral1/files/0x000500000001a487-291.dat upx behavioral1/memory/2972-290-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1056-298-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2084-313-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2708-339-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2760-340-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2760-348-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2028668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
3pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82086.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2352 2972 9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe 30 PID 2972 wrote to memory of 2352 2972 9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe 30 PID 2972 wrote to memory of 2352 2972 9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe 30 PID 2972 wrote to memory of 2352 2972 9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe 30 PID 2352 wrote to memory of 2636 2352 26068.exe 31 PID 2352 wrote to memory of 2636 2352 26068.exe 31 PID 2352 wrote to memory of 2636 2352 26068.exe 31 PID 2352 wrote to memory of 2636 2352 26068.exe 31 PID 2636 wrote to memory of 2484 2636 a8044.exe 32 PID 2636 wrote to memory of 2484 2636 a8044.exe 32 PID 2636 wrote to memory of 2484 2636 a8044.exe 32 PID 2636 wrote to memory of 2484 2636 a8044.exe 32 PID 2484 wrote to memory of 2336 2484 rfrrfxf.exe 33 PID 2484 wrote to memory of 2336 2484 rfrrfxf.exe 33 PID 2484 wrote to memory of 2336 2484 rfrrfxf.exe 33 PID 2484 wrote to memory of 2336 2484 rfrrfxf.exe 33 PID 2336 wrote to memory of 2644 2336 pddjp.exe 34 PID 2336 wrote to memory of 2644 2336 pddjp.exe 34 PID 2336 wrote to memory of 2644 2336 pddjp.exe 34 PID 2336 wrote to memory of 2644 2336 pddjp.exe 34 PID 2644 wrote to memory of 2760 2644 2206404.exe 35 PID 2644 wrote to memory of 2760 2644 2206404.exe 35 PID 2644 wrote to memory of 2760 2644 2206404.exe 35 PID 2644 wrote to memory of 2760 2644 2206404.exe 35 PID 2760 wrote to memory of 2164 2760 xfrfffl.exe 36 PID 2760 wrote to memory of 2164 2760 xfrfffl.exe 36 PID 2760 wrote to memory of 2164 2760 xfrfffl.exe 36 PID 2760 wrote to memory of 2164 2760 xfrfffl.exe 36 PID 2164 wrote to memory of 2668 2164 468404.exe 37 PID 2164 wrote to memory of 2668 2164 468404.exe 37 PID 2164 wrote to memory of 2668 2164 468404.exe 37 PID 2164 wrote to memory of 2668 2164 468404.exe 37 PID 2668 wrote to memory of 2900 2668 1dvpv.exe 38 PID 2668 
wrote to memory of 2900 2668 1dvpv.exe 38 PID 2668 wrote to memory of 2900 2668 1dvpv.exe 38 PID 2668 wrote to memory of 2900 2668 1dvpv.exe 38 PID 2900 wrote to memory of 2608 2900 80642.exe 39 PID 2900 wrote to memory of 2608 2900 80642.exe 39 PID 2900 wrote to memory of 2608 2900 80642.exe 39 PID 2900 wrote to memory of 2608 2900 80642.exe 39 PID 2608 wrote to memory of 2548 2608 dvdjv.exe 40 PID 2608 wrote to memory of 2548 2608 dvdjv.exe 40 PID 2608 wrote to memory of 2548 2608 dvdjv.exe 40 PID 2608 wrote to memory of 2548 2608 dvdjv.exe 40 PID 2548 wrote to memory of 1744 2548 thnhnh.exe 41 PID 2548 wrote to memory of 1744 2548 thnhnh.exe 41 PID 2548 wrote to memory of 1744 2548 thnhnh.exe 41 PID 2548 wrote to memory of 1744 2548 thnhnh.exe 41 PID 1744 wrote to memory of 1824 1744 7thtbh.exe 42 PID 1744 wrote to memory of 1824 1744 7thtbh.exe 42 PID 1744 wrote to memory of 1824 1744 7thtbh.exe 42 PID 1744 wrote to memory of 1824 1744 7thtbh.exe 42 PID 1824 wrote to memory of 2600 1824 vpddj.exe 43 PID 1824 wrote to memory of 2600 1824 vpddj.exe 43 PID 1824 wrote to memory of 2600 1824 vpddj.exe 43 PID 1824 wrote to memory of 2600 1824 vpddj.exe 43 PID 2600 wrote to memory of 1536 2600 ddvpv.exe 44 PID 2600 wrote to memory of 1536 2600 ddvpv.exe 44 PID 2600 wrote to memory of 1536 2600 ddvpv.exe 44 PID 2600 wrote to memory of 1536 2600 ddvpv.exe 44 PID 1536 wrote to memory of 1988 1536 a6440.exe 45 PID 1536 wrote to memory of 1988 1536 a6440.exe 45 PID 1536 wrote to memory of 1988 1536 a6440.exe 45 PID 1536 wrote to memory of 1988 1536 a6440.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe"C:\Users\Admin\AppData\Local\Temp\9b9ab14963fe8f1fa1f40daee328ce374db72206a6124f1d40d77bfd75185d72N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\26068.exec:\26068.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\a8044.exec:\a8044.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\rfrrfxf.exec:\rfrrfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\pddjp.exec:\pddjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\2206404.exec:\2206404.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\xfrfffl.exec:\xfrfffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\468404.exec:\468404.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\1dvpv.exec:\1dvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\80642.exec:\80642.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\dvdjv.exec:\dvdjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\thnhnh.exec:\thnhnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\7thtbh.exec:\7thtbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\vpddj.exec:\vpddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\ddvpv.exec:\ddvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\a6440.exec:\a6440.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\xlxxxxf.exec:\xlxxxxf.exe17⤵
- Executes dropped EXE
PID:1988 -
\??\c:\hthhhb.exec:\hthhhb.exe18⤵
- Executes dropped EXE
PID:1816 -
\??\c:\dvdvd.exec:\dvdvd.exe19⤵
- Executes dropped EXE
PID:624 -
\??\c:\9dvjp.exec:\9dvjp.exe20⤵
- Executes dropped EXE
PID:2860 -
\??\c:\c240666.exec:\c240666.exe21⤵
- Executes dropped EXE
PID:2892 -
\??\c:\u206284.exec:\u206284.exe22⤵
- Executes dropped EXE
PID:2144 -
\??\c:\24846.exec:\24846.exe23⤵
- Executes dropped EXE
PID:2728 -
\??\c:\642466.exec:\642466.exe24⤵
- Executes dropped EXE
PID:584 -
\??\c:\862888.exec:\862888.exe25⤵
- Executes dropped EXE
PID:2152 -
\??\c:\m8628.exec:\m8628.exe26⤵
- Executes dropped EXE
PID:948 -
\??\c:\vjdjp.exec:\vjdjp.exe27⤵
- Executes dropped EXE
PID:532 -
\??\c:\9nbthn.exec:\9nbthn.exe28⤵
- Executes dropped EXE
PID:2524 -
\??\c:\pdpjv.exec:\pdpjv.exe29⤵
- Executes dropped EXE
PID:568 -
\??\c:\660680.exec:\660680.exe30⤵
- Executes dropped EXE
PID:480 -
\??\c:\vpjvj.exec:\vpjvj.exe31⤵
- Executes dropped EXE
PID:2204 -
\??\c:\q04086.exec:\q04086.exe32⤵
- Executes dropped EXE
PID:2972 -
\??\c:\o480268.exec:\o480268.exe33⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vvjjj.exec:\vvjjj.exe34⤵
- Executes dropped EXE
PID:3048 -
\??\c:\s2402.exec:\s2402.exe35⤵
- Executes dropped EXE
PID:2304 -
\??\c:\9xllflr.exec:\9xllflr.exe36⤵
- Executes dropped EXE
PID:2084 -
\??\c:\6080806.exec:\6080806.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\a0662.exec:\a0662.exe38⤵
- Executes dropped EXE
PID:2692 -
\??\c:\bttttt.exec:\bttttt.exe39⤵
- Executes dropped EXE
PID:2708 -
\??\c:\nnhthn.exec:\nnhthn.exe40⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xlrrxrr.exec:\xlrrxrr.exe41⤵
- Executes dropped EXE
PID:2804 -
\??\c:\nhtttt.exec:\nhtttt.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\xrrfxlr.exec:\xrrfxlr.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nbhbbb.exec:\nbhbbb.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\4828444.exec:\4828444.exe45⤵
- Executes dropped EXE
PID:2572 -
\??\c:\frxxxxx.exec:\frxxxxx.exe46⤵
- Executes dropped EXE
PID:2564 -
\??\c:\bnthbt.exec:\bnthbt.exe47⤵
- Executes dropped EXE
PID:2372 -
\??\c:\268444.exec:\268444.exe48⤵
- Executes dropped EXE
PID:3032 -
\??\c:\bnnntt.exec:\bnnntt.exe49⤵
- Executes dropped EXE
PID:2112 -
\??\c:\828400.exec:\828400.exe50⤵
- Executes dropped EXE
PID:2248 -
\??\c:\8202648.exec:\8202648.exe51⤵
- Executes dropped EXE
PID:1696 -
\??\c:\642484.exec:\642484.exe52⤵
- Executes dropped EXE
PID:1704 -
\??\c:\3xlxfxf.exec:\3xlxfxf.exe53⤵
- Executes dropped EXE
PID:2044 -
\??\c:\xxlrflf.exec:\xxlrflf.exe54⤵
- Executes dropped EXE
PID:1916 -
\??\c:\202400.exec:\202400.exe55⤵
- Executes dropped EXE
PID:2796 -
\??\c:\dppdj.exec:\dppdj.exe56⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rxflfxx.exec:\rxflfxx.exe57⤵
- Executes dropped EXE
PID:2404 -
\??\c:\82624.exec:\82624.exe58⤵
- Executes dropped EXE
PID:2892 -
\??\c:\9bhnbb.exec:\9bhnbb.exe59⤵
- Executes dropped EXE
PID:1396 -
\??\c:\m6200.exec:\m6200.exe60⤵
- Executes dropped EXE
PID:2908 -
\??\c:\4282884.exec:\4282884.exe61⤵
- Executes dropped EXE
PID:1124 -
\??\c:\w68406.exec:\w68406.exe62⤵
- Executes dropped EXE
PID:1076 -
\??\c:\82680.exec:\82680.exe63⤵
- Executes dropped EXE
PID:1376 -
\??\c:\3ddjv.exec:\3ddjv.exe64⤵
- Executes dropped EXE
PID:816 -
\??\c:\424026.exec:\424026.exe65⤵
- Executes dropped EXE
PID:1232 -
\??\c:\pdvpv.exec:\pdvpv.exe66⤵PID:2424
-
\??\c:\1pppp.exec:\1pppp.exe67⤵PID:292
-
\??\c:\028882.exec:\028882.exe68⤵PID:552
-
\??\c:\868804.exec:\868804.exe69⤵PID:884
-
\??\c:\642844.exec:\642844.exe70⤵PID:2432
-
\??\c:\tnnnht.exec:\tnnnht.exe71⤵PID:2468
-
\??\c:\dpddd.exec:\dpddd.exe72⤵PID:2500
-
\??\c:\o868686.exec:\o868686.exe73⤵PID:2104
-
\??\c:\3pdvj.exec:\3pdvj.exe74⤵
- System Location Discovery: System Language Discovery
PID:2456 -
\??\c:\084466.exec:\084466.exe75⤵PID:284
-
\??\c:\862804.exec:\862804.exe76⤵PID:2304
-
\??\c:\pdpjp.exec:\pdpjp.exe77⤵PID:2084
-
\??\c:\1vjdj.exec:\1vjdj.exe78⤵PID:2408
-
\??\c:\5nbhnn.exec:\5nbhnn.exe79⤵PID:2752
-
\??\c:\k68800.exec:\k68800.exe80⤵PID:2708
-
\??\c:\htnnnh.exec:\htnnnh.exe81⤵PID:2704
-
\??\c:\8646228.exec:\8646228.exe82⤵PID:2828
-
\??\c:\a2446.exec:\a2446.exe83⤵PID:2812
-
\??\c:\q08406.exec:\q08406.exe84⤵PID:2556
-
\??\c:\0848488.exec:\0848488.exe85⤵PID:2584
-
\??\c:\bntthn.exec:\bntthn.exe86⤵PID:3008
-
\??\c:\xrrllxx.exec:\xrrllxx.exe87⤵PID:1096
-
\??\c:\4626884.exec:\4626884.exe88⤵PID:1552
-
\??\c:\jdjpp.exec:\jdjpp.exe89⤵PID:1744
-
\??\c:\a6066.exec:\a6066.exe90⤵PID:2016
-
\??\c:\pjvjv.exec:\pjvjv.exe91⤵PID:2308
-
\??\c:\6462402.exec:\6462402.exe92⤵PID:1756
-
\??\c:\vvddv.exec:\vvddv.exe93⤵PID:1820
-
\??\c:\jdjjp.exec:\jdjjp.exe94⤵PID:1916
-
\??\c:\606466.exec:\606466.exe95⤵PID:1768
-
\??\c:\08068.exec:\08068.exe96⤵PID:3044
-
\??\c:\6422806.exec:\6422806.exe97⤵PID:2996
-
\??\c:\o428024.exec:\o428024.exe98⤵PID:2448
-
\??\c:\u088008.exec:\u088008.exe99⤵PID:576
-
\??\c:\xfrlxrf.exec:\xfrlxrf.exe100⤵PID:1864
-
\??\c:\lrflrrx.exec:\lrflrrx.exe101⤵PID:2876
-
\??\c:\9btbnn.exec:\9btbnn.exe102⤵PID:2088
-
\??\c:\822204.exec:\822204.exe103⤵PID:2648
-
\??\c:\4428624.exec:\4428624.exe104⤵PID:948
-
\??\c:\2000880.exec:\2000880.exe105⤵PID:2188
-
\??\c:\622084.exec:\622084.exe106⤵PID:304
-
\??\c:\ntbbhn.exec:\ntbbhn.exe107⤵PID:1776
-
\??\c:\1xrffrl.exec:\1xrffrl.exe108⤵PID:552
-
\??\c:\202204.exec:\202204.exe109⤵PID:884
-
\??\c:\e42260.exec:\e42260.exe110⤵PID:2432
-
\??\c:\q80400.exec:\q80400.exe111⤵PID:2988
-
\??\c:\5rxffll.exec:\5rxffll.exe112⤵PID:2832
-
\??\c:\3pddv.exec:\3pddv.exe113⤵PID:2636
-
\??\c:\46840.exec:\46840.exe114⤵PID:2912
-
\??\c:\9pjjv.exec:\9pjjv.exe115⤵PID:2484
-
\??\c:\lfxlrxr.exec:\lfxlrxr.exe116⤵PID:2056
-
\??\c:\jddjp.exec:\jddjp.exe117⤵PID:2700
-
\??\c:\24002.exec:\24002.exe118⤵PID:2772
-
\??\c:\hthtbh.exec:\hthtbh.exe119⤵PID:2408
-
\??\c:\200682.exec:\200682.exe120⤵PID:2752
-
\??\c:\jjvvp.exec:\jjvvp.exe121⤵PID:2760
-
\??\c:\bhbttn.exec:\bhbttn.exe122⤵PID:2928