Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe
-
Size
454KB
-
MD5
15f59069150485c9e0de9e5242198c80
-
SHA1
964696431b915fc7706bf4bc3120ce1377961645
-
SHA256
9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702
-
SHA512
e9d5407882780a410279f2ee82c8626e37423f6bbeeae6e23abaf7298e1108597ae4fdd310030d90ebf85c20805c5e62f180a2fb5f76cdf9c663f9029a8904d3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2272-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-327-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2904-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/648-357-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2676-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1684-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-176-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2420-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-111-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3012-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/444-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-1049-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1416-1066-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2316 9frrrll.exe 1008 7xllfll.exe 2852 9pvvv.exe 1500 806202.exe 3060 rfrxrrx.exe 2916 5bnbnb.exe 2824 042840.exe 2944 bnnthh.exe 3012 btnthb.exe 2932 424428.exe 2744 208800.exe 1632 9rrxlrx.exe 2188 42408.exe 2184 fxflrrx.exe 2340 086804.exe 2420 nhttth.exe 1068 nhbhtn.exe 2452 pjvdv.exe 1944 nhtbnh.exe 1684 g4846.exe 1272 2824662.exe 2112 202084.exe 852 4240624.exe 1396 i202402.exe 2588 fxlrxfx.exe 2884 0844020.exe 2516 5xxxflx.exe 2228 hhttbh.exe 2544 208840.exe 2508 04000.exe 1616 86022.exe 1416 2640224.exe 784 hthtnn.exe 2752 04242.exe 1532 xrflfxf.exe 2816 2684668.exe 3060 7jvdp.exe 2820 xffrflr.exe 2904 86688.exe 648 860622.exe 1668 1tnnnt.exe 2676 9ppvp.exe 2684 w86628.exe 2744 4862480.exe 2204 20608.exe 2496 464028.exe 2724 jddjv.exe 2568 20228.exe 2244 2480444.exe 2620 9vjjd.exe 2236 rxllxxf.exe 2284 e42800.exe 2456 hhthnt.exe 1736 64280.exe 2388 bhtnbh.exe 1684 frlxlrf.exe 2624 m8242.exe 1824 ppjjd.exe 1208 g6468.exe 2632 7rrxlrf.exe 2876 rffrxxf.exe 1284 c088046.exe 1888 tnbnbb.exe 2548 dpjjv.exe -
resource yara_rule behavioral1/memory/2272-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-580-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2748-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-1049-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1064-1050-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-1057-0x0000000000250000-0x000000000027A000-memory.dmp upx 
behavioral1/memory/1416-1066-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2908-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-1307-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8602440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i202402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8228084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2316 2272 9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe 30 PID 2272 wrote to memory of 2316 2272 9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe 30 PID 2272 wrote to memory of 2316 2272 9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe 30 PID 2272 wrote to memory of 2316 2272 9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe 30 PID 2316 wrote to memory of 1008 2316 9frrrll.exe 31 PID 2316 wrote to memory of 1008 2316 9frrrll.exe 31 PID 2316 wrote to memory of 1008 2316 9frrrll.exe 31 PID 2316 wrote to memory of 1008 2316 9frrrll.exe 31 PID 1008 wrote to memory of 2852 1008 7xllfll.exe 32 PID 1008 wrote to memory of 2852 1008 7xllfll.exe 32 PID 1008 wrote to memory of 2852 1008 7xllfll.exe 32 PID 1008 wrote to memory of 2852 1008 7xllfll.exe 32 PID 2852 wrote to memory of 1500 2852 9pvvv.exe 33 PID 2852 wrote to memory of 1500 2852 9pvvv.exe 33 PID 2852 wrote to memory of 1500 2852 9pvvv.exe 33 PID 2852 wrote to memory of 1500 2852 9pvvv.exe 33 PID 1500 wrote to memory of 3060 1500 806202.exe 66 PID 1500 wrote to memory of 3060 1500 806202.exe 66 PID 1500 wrote to memory of 3060 1500 806202.exe 66 PID 1500 wrote to memory of 3060 1500 806202.exe 66 PID 3060 wrote to memory of 2916 3060 rfrxrrx.exe 35 PID 3060 wrote to memory of 2916 3060 rfrxrrx.exe 35 PID 3060 wrote to memory of 2916 3060 rfrxrrx.exe 35 PID 3060 wrote to memory of 2916 3060 rfrxrrx.exe 35 PID 2916 wrote to memory of 2824 2916 5bnbnb.exe 36 PID 2916 wrote to memory of 2824 2916 5bnbnb.exe 36 PID 2916 wrote to memory of 2824 2916 5bnbnb.exe 36 PID 2916 wrote to memory of 2824 2916 5bnbnb.exe 36 PID 2824 wrote to memory of 2944 2824 042840.exe 37 PID 2824 wrote to memory of 2944 2824 042840.exe 37 PID 2824 wrote to memory of 2944 2824 042840.exe 37 PID 2824 wrote to memory of 2944 2824 042840.exe 37 PID 2944 wrote to memory of 3012 2944 bnnthh.exe 38 
PID 2944 wrote to memory of 3012 2944 bnnthh.exe 38 PID 2944 wrote to memory of 3012 2944 bnnthh.exe 38 PID 2944 wrote to memory of 3012 2944 bnnthh.exe 38 PID 3012 wrote to memory of 2932 3012 btnthb.exe 111 PID 3012 wrote to memory of 2932 3012 btnthb.exe 111 PID 3012 wrote to memory of 2932 3012 btnthb.exe 111 PID 3012 wrote to memory of 2932 3012 btnthb.exe 111 PID 2932 wrote to memory of 2744 2932 424428.exe 40 PID 2932 wrote to memory of 2744 2932 424428.exe 40 PID 2932 wrote to memory of 2744 2932 424428.exe 40 PID 2932 wrote to memory of 2744 2932 424428.exe 40 PID 2744 wrote to memory of 1632 2744 208800.exe 41 PID 2744 wrote to memory of 1632 2744 208800.exe 41 PID 2744 wrote to memory of 1632 2744 208800.exe 41 PID 2744 wrote to memory of 1632 2744 208800.exe 41 PID 1632 wrote to memory of 2188 1632 9rrxlrx.exe 42 PID 1632 wrote to memory of 2188 1632 9rrxlrx.exe 42 PID 1632 wrote to memory of 2188 1632 9rrxlrx.exe 42 PID 1632 wrote to memory of 2188 1632 9rrxlrx.exe 42 PID 2188 wrote to memory of 2184 2188 42408.exe 43 PID 2188 wrote to memory of 2184 2188 42408.exe 43 PID 2188 wrote to memory of 2184 2188 42408.exe 43 PID 2188 wrote to memory of 2184 2188 42408.exe 43 PID 2184 wrote to memory of 2340 2184 fxflrrx.exe 44 PID 2184 wrote to memory of 2340 2184 fxflrrx.exe 44 PID 2184 wrote to memory of 2340 2184 fxflrrx.exe 44 PID 2184 wrote to memory of 2340 2184 fxflrrx.exe 44 PID 2340 wrote to memory of 2420 2340 086804.exe 45 PID 2340 wrote to memory of 2420 2340 086804.exe 45 PID 2340 wrote to memory of 2420 2340 086804.exe 45 PID 2340 wrote to memory of 2420 2340 086804.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe"C:\Users\Admin\AppData\Local\Temp\9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\9frrrll.exec:\9frrrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\7xllfll.exec:\7xllfll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\9pvvv.exec:\9pvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\806202.exec:\806202.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\rfrxrrx.exec:\rfrxrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\5bnbnb.exec:\5bnbnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\042840.exec:\042840.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\bnnthh.exec:\bnnthh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\btnthb.exec:\btnthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\424428.exec:\424428.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\208800.exec:\208800.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\9rrxlrx.exec:\9rrxlrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\42408.exec:\42408.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\fxflrrx.exec:\fxflrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\086804.exec:\086804.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\nhttth.exec:\nhttth.exe17⤵
- Executes dropped EXE
PID:2420 -
\??\c:\nhbhtn.exec:\nhbhtn.exe18⤵
- Executes dropped EXE
PID:1068 -
\??\c:\pjvdv.exec:\pjvdv.exe19⤵
- Executes dropped EXE
PID:2452 -
\??\c:\nhtbnh.exec:\nhtbnh.exe20⤵
- Executes dropped EXE
PID:1944 -
\??\c:\g4846.exec:\g4846.exe21⤵
- Executes dropped EXE
PID:1684 -
\??\c:\2824662.exec:\2824662.exe22⤵
- Executes dropped EXE
PID:1272 -
\??\c:\202084.exec:\202084.exe23⤵
- Executes dropped EXE
PID:2112 -
\??\c:\4240624.exec:\4240624.exe24⤵
- Executes dropped EXE
PID:852 -
\??\c:\i202402.exec:\i202402.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1396 -
\??\c:\fxlrxfx.exec:\fxlrxfx.exe26⤵
- Executes dropped EXE
PID:2588 -
\??\c:\0844020.exec:\0844020.exe27⤵
- Executes dropped EXE
PID:2884 -
\??\c:\5xxxflx.exec:\5xxxflx.exe28⤵
- Executes dropped EXE
PID:2516 -
\??\c:\hhttbh.exec:\hhttbh.exe29⤵
- Executes dropped EXE
PID:2228 -
\??\c:\208840.exec:\208840.exe30⤵
- Executes dropped EXE
PID:2544 -
\??\c:\04000.exec:\04000.exe31⤵
- Executes dropped EXE
PID:2508 -
\??\c:\86022.exec:\86022.exe32⤵
- Executes dropped EXE
PID:1616 -
\??\c:\2640224.exec:\2640224.exe33⤵
- Executes dropped EXE
PID:1416 -
\??\c:\hthtnn.exec:\hthtnn.exe34⤵
- Executes dropped EXE
PID:784 -
\??\c:\04242.exec:\04242.exe35⤵
- Executes dropped EXE
PID:2752 -
\??\c:\xrflfxf.exec:\xrflfxf.exe36⤵
- Executes dropped EXE
PID:1532 -
\??\c:\2684668.exec:\2684668.exe37⤵
- Executes dropped EXE
PID:2816 -
\??\c:\7jvdp.exec:\7jvdp.exe38⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xffrflr.exec:\xffrflr.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\86688.exec:\86688.exe40⤵
- Executes dropped EXE
PID:2904 -
\??\c:\860622.exec:\860622.exe41⤵
- Executes dropped EXE
PID:648 -
\??\c:\1tnnnt.exec:\1tnnnt.exe42⤵
- Executes dropped EXE
PID:1668 -
\??\c:\9ppvp.exec:\9ppvp.exe43⤵
- Executes dropped EXE
PID:2676 -
\??\c:\w86628.exec:\w86628.exe44⤵
- Executes dropped EXE
PID:2684 -
\??\c:\4862480.exec:\4862480.exe45⤵
- Executes dropped EXE
PID:2744 -
\??\c:\20608.exec:\20608.exe46⤵
- Executes dropped EXE
PID:2204 -
\??\c:\464028.exec:\464028.exe47⤵
- Executes dropped EXE
PID:2496 -
\??\c:\jddjv.exec:\jddjv.exe48⤵
- Executes dropped EXE
PID:2724 -
\??\c:\20228.exec:\20228.exe49⤵
- Executes dropped EXE
PID:2568 -
\??\c:\2480444.exec:\2480444.exe50⤵
- Executes dropped EXE
PID:2244 -
\??\c:\9vjjd.exec:\9vjjd.exe51⤵
- Executes dropped EXE
PID:2620 -
\??\c:\rxllxxf.exec:\rxllxxf.exe52⤵
- Executes dropped EXE
PID:2236 -
\??\c:\e42800.exec:\e42800.exe53⤵
- Executes dropped EXE
PID:2284 -
\??\c:\hhthnt.exec:\hhthnt.exe54⤵
- Executes dropped EXE
PID:2456 -
\??\c:\64280.exec:\64280.exe55⤵
- Executes dropped EXE
PID:1736 -
\??\c:\bhtnbh.exec:\bhtnbh.exe56⤵
- Executes dropped EXE
PID:2388 -
\??\c:\frlxlrf.exec:\frlxlrf.exe57⤵
- Executes dropped EXE
PID:1684 -
\??\c:\m8242.exec:\m8242.exe58⤵
- Executes dropped EXE
PID:2624 -
\??\c:\ppjjd.exec:\ppjjd.exe59⤵
- Executes dropped EXE
PID:1824 -
\??\c:\g6468.exec:\g6468.exe60⤵
- Executes dropped EXE
PID:1208 -
\??\c:\7rrxlrf.exec:\7rrxlrf.exe61⤵
- Executes dropped EXE
PID:2632 -
\??\c:\rffrxxf.exec:\rffrxxf.exe62⤵
- Executes dropped EXE
PID:2876 -
\??\c:\c088046.exec:\c088046.exe63⤵
- Executes dropped EXE
PID:1284 -
\??\c:\tnbnbb.exec:\tnbnbb.exe64⤵
- Executes dropped EXE
PID:1888 -
\??\c:\dpjjv.exec:\dpjjv.exe65⤵
- Executes dropped EXE
PID:2548 -
\??\c:\208406.exec:\208406.exe66⤵PID:700
-
\??\c:\q22260.exec:\q22260.exe67⤵PID:2372
-
\??\c:\820088.exec:\820088.exe68⤵PID:108
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe69⤵PID:2156
-
\??\c:\pjdjp.exec:\pjdjp.exe70⤵PID:2508
-
\??\c:\tnhhnt.exec:\tnhhnt.exe71⤵PID:1592
-
\??\c:\42040.exec:\42040.exe72⤵PID:2484
-
\??\c:\fxrxflf.exec:\fxrxflf.exe73⤵PID:1404
-
\??\c:\nhthtb.exec:\nhthtb.exe74⤵PID:2748
-
\??\c:\btnhhn.exec:\btnhhn.exe75⤵PID:2504
-
\??\c:\042466.exec:\042466.exe76⤵PID:928
-
\??\c:\864400.exec:\864400.exe77⤵PID:1148
-
\??\c:\7vjjp.exec:\7vjjp.exe78⤵PID:2792
-
\??\c:\042022.exec:\042022.exe79⤵PID:2440
-
\??\c:\u084666.exec:\u084666.exe80⤵PID:2880
-
\??\c:\860682.exec:\860682.exe81⤵PID:2888
-
\??\c:\7jvdv.exec:\7jvdv.exe82⤵PID:2660
-
\??\c:\266880.exec:\266880.exe83⤵PID:2932
-
\??\c:\4684224.exec:\4684224.exe84⤵PID:2488
-
\??\c:\8200228.exec:\8200228.exe85⤵PID:2256
-
\??\c:\m8442.exec:\m8442.exe86⤵PID:2364
-
\??\c:\q88028.exec:\q88028.exe87⤵PID:2524
-
\??\c:\s6008.exec:\s6008.exe88⤵PID:1804
-
\??\c:\4862462.exec:\4862462.exe89⤵PID:2184
-
\??\c:\m4824.exec:\m4824.exe90⤵PID:2292
-
\??\c:\7ddjp.exec:\7ddjp.exe91⤵PID:1128
-
\??\c:\26448.exec:\26448.exe92⤵PID:1828
-
\??\c:\fxffxfr.exec:\fxffxfr.exe93⤵PID:1528
-
\??\c:\4866486.exec:\4866486.exe94⤵PID:2284
-
\??\c:\tntthh.exec:\tntthh.exe95⤵PID:2456
-
\??\c:\vdjpd.exec:\vdjpd.exe96⤵PID:1132
-
\??\c:\rllflrr.exec:\rllflrr.exe97⤵PID:2248
-
\??\c:\860462.exec:\860462.exe98⤵PID:2068
-
\??\c:\thhhhh.exec:\thhhhh.exe99⤵PID:1364
-
\??\c:\rxlrlxl.exec:\rxlrlxl.exe100⤵PID:2052
-
\??\c:\2648068.exec:\2648068.exe101⤵PID:1732
-
\??\c:\6282884.exec:\6282884.exe102⤵PID:1680
-
\??\c:\lfxfflr.exec:\lfxfflr.exe103⤵PID:2652
-
\??\c:\20442.exec:\20442.exe104⤵PID:1776
-
\??\c:\tnbthb.exec:\tnbthb.exe105⤵
- System Location Discovery: System Language Discovery
PID:2536 -
\??\c:\tnhnbh.exec:\tnhnbh.exe106⤵PID:1164
-
\??\c:\644400.exec:\644400.exe107⤵PID:712
-
\??\c:\8262446.exec:\8262446.exe108⤵PID:1556
-
\??\c:\s8662.exec:\s8662.exe109⤵PID:2544
-
\??\c:\vvvvj.exec:\vvvvj.exe110⤵PID:1620
-
\??\c:\7htbbt.exec:\7htbbt.exe111⤵PID:2360
-
\??\c:\5jvpd.exec:\5jvpd.exe112⤵PID:444
-
\??\c:\8240662.exec:\8240662.exe113⤵PID:2768
-
\??\c:\8644068.exec:\8644068.exe114⤵
- System Location Discovery: System Language Discovery
PID:3036 -
\??\c:\9nnttn.exec:\9nnttn.exe115⤵PID:2776
-
\??\c:\dpjdd.exec:\dpjdd.exe116⤵PID:1532
-
\??\c:\0866268.exec:\0866268.exe117⤵PID:3052
-
\??\c:\i224404.exec:\i224404.exe118⤵PID:3004
-
\??\c:\1bhbhh.exec:\1bhbhh.exe119⤵PID:2588
-
\??\c:\lfrxfll.exec:\lfrxfll.exe120⤵PID:2828
-
\??\c:\0468624.exec:\0468624.exe121⤵PID:2864
-
\??\c:\20840.exec:\20840.exe122⤵PID:2472