Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 02:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe
-
Size
456KB
-
MD5
ee7a2f594504816ca51605addc6b0080
-
SHA1
fe06dcaabebc2905a9344a2805c33157f2e42e7f
-
SHA256
c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1c
-
SHA512
246895cb2a293c567a3e134f213847be7b9d2e22073578cf2ac752024fd88fab3da70394a79a407e269a2ed3fdea81bba2d6e1d25f92c0371f4505aa23e1c59b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeLu:q7Tc2NYHUrAwfMp3CDLu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2324-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-77-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1272-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-59-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2968-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1572-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-262-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/696-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-285-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1584-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-304-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1316-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-420-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1944-433-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2852-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1124-513-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2020-589-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2876-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-699-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1664-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1380-719-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2996-768-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2216-843-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2536-874-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2536-894-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/536-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-921-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3016-1020-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2240-1065-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2252-1155-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2912-1256-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1424-1269-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2348 dvjpp.exe 2064 3vddj.exe 1924 k80000.exe 1144 608428.exe 1840 1nhbbb.exe 1272 5ntnbb.exe 2896 hthhbb.exe 3068 a8488.exe 2816 hntthb.exe 2968 frffrxl.exe 2676 u862402.exe 2696 vvdvj.exe 2440 g6226.exe 2864 7htnnn.exe 1944 bbthbn.exe 1780 u648884.exe 1760 a0200.exe 1748 80222.exe 2996 5frlfff.exe 2268 3bnnnn.exe 3052 5xxxxrr.exe 1464 jdvvd.exe 2240 802888.exe 952 htbhhh.exe 584 bnbbbb.exe 1836 4666828.exe 1996 4688822.exe 1572 1ntttn.exe 768 2400260.exe 696 hthhnh.exe 580 20628.exe 2412 8684002.exe 1584 660644.exe 2020 g2440.exe 2524 42206.exe 2340 02800.exe 356 c244440.exe 1316 5tbbnb.exe 308 o688040.exe 1272 ntbnnb.exe 2876 m4006.exe 3068 6464628.exe 2656 26222.exe 2796 xrllxrf.exe 2728 4244644.exe 2644 7htbbh.exe 2652 426626.exe 2448 802288.exe 2460 pjdvp.exe 2512 3vddj.exe 2712 q40888.exe 848 2688440.exe 1944 pjvpp.exe 2852 pdddj.exe 2964 c644484.exe 3000 06668.exe 3012 08422.exe 2996 hthhhh.exe 2136 frrxllf.exe 2272 xrxrxxf.exe 2128 5bnbtb.exe 1124 dvpvj.exe 3032 86446.exe 1844 7bhhhn.exe -
resource yara_rule behavioral1/memory/2324-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-243-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1996-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-301-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-420-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2852-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-589-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2876-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-768-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/1528-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-921-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1920-987-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-1132-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-1145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-1330-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w40004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2348 2324 c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe 30 PID 2324 wrote to memory of 2348 2324 c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe 30 PID 2324 wrote to memory of 2348 2324 c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe 30 PID 2324 wrote to memory of 2348 2324 c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe 30 PID 2348 wrote to memory of 2064 2348 dvjpp.exe 31 PID 2348 wrote to memory of 2064 2348 dvjpp.exe 31 PID 2348 wrote to memory of 2064 2348 dvjpp.exe 31 PID 2348 wrote to memory of 2064 2348 dvjpp.exe 31 PID 2064 wrote to memory of 1924 2064 3vddj.exe 32 PID 2064 wrote to memory of 1924 2064 3vddj.exe 32 PID 2064 wrote to memory of 1924 2064 3vddj.exe 32 PID 2064 wrote to memory of 1924 2064 3vddj.exe 32 PID 1924 wrote to memory of 1144 1924 k80000.exe 33 PID 1924 wrote to memory of 1144 1924 k80000.exe 33 PID 1924 wrote to memory of 1144 1924 k80000.exe 33 PID 1924 wrote to memory of 1144 1924 k80000.exe 33 PID 1144 wrote to memory of 1840 1144 608428.exe 34 PID 1144 wrote to memory of 1840 1144 608428.exe 34 PID 1144 wrote to memory of 1840 1144 608428.exe 34 PID 1144 wrote to memory of 1840 1144 608428.exe 34 PID 1840 wrote to memory of 1272 1840 1nhbbb.exe 35 PID 1840 wrote to memory of 1272 1840 1nhbbb.exe 35 PID 1840 wrote to memory of 1272 1840 1nhbbb.exe 35 PID 1840 wrote to memory of 1272 1840 1nhbbb.exe 35 PID 1272 wrote to memory of 2896 1272 5ntnbb.exe 36 PID 1272 wrote to memory of 2896 1272 5ntnbb.exe 36 PID 1272 wrote to memory of 2896 1272 5ntnbb.exe 36 PID 1272 wrote to memory of 2896 1272 5ntnbb.exe 36 PID 2896 wrote to memory of 3068 2896 hthhbb.exe 37 PID 2896 wrote to memory of 3068 2896 hthhbb.exe 37 PID 2896 wrote to memory of 3068 2896 hthhbb.exe 37 PID 2896 wrote to memory of 3068 2896 hthhbb.exe 37 PID 3068 wrote to memory of 2816 3068 a8488.exe 38 PID 3068 wrote to 
memory of 2816 3068 a8488.exe 38 PID 3068 wrote to memory of 2816 3068 a8488.exe 38 PID 3068 wrote to memory of 2816 3068 a8488.exe 38 PID 2816 wrote to memory of 2968 2816 hntthb.exe 39 PID 2816 wrote to memory of 2968 2816 hntthb.exe 39 PID 2816 wrote to memory of 2968 2816 hntthb.exe 39 PID 2816 wrote to memory of 2968 2816 hntthb.exe 39 PID 2968 wrote to memory of 2676 2968 frffrxl.exe 40 PID 2968 wrote to memory of 2676 2968 frffrxl.exe 40 PID 2968 wrote to memory of 2676 2968 frffrxl.exe 40 PID 2968 wrote to memory of 2676 2968 frffrxl.exe 40 PID 2676 wrote to memory of 2696 2676 u862402.exe 41 PID 2676 wrote to memory of 2696 2676 u862402.exe 41 PID 2676 wrote to memory of 2696 2676 u862402.exe 41 PID 2676 wrote to memory of 2696 2676 u862402.exe 41 PID 2696 wrote to memory of 2440 2696 vvdvj.exe 42 PID 2696 wrote to memory of 2440 2696 vvdvj.exe 42 PID 2696 wrote to memory of 2440 2696 vvdvj.exe 42 PID 2696 wrote to memory of 2440 2696 vvdvj.exe 42 PID 2440 wrote to memory of 2864 2440 g6226.exe 43 PID 2440 wrote to memory of 2864 2440 g6226.exe 43 PID 2440 wrote to memory of 2864 2440 g6226.exe 43 PID 2440 wrote to memory of 2864 2440 g6226.exe 43 PID 2864 wrote to memory of 1944 2864 7htnnn.exe 44 PID 2864 wrote to memory of 1944 2864 7htnnn.exe 44 PID 2864 wrote to memory of 1944 2864 7htnnn.exe 44 PID 2864 wrote to memory of 1944 2864 7htnnn.exe 44 PID 1944 wrote to memory of 1780 1944 bbthbn.exe 45 PID 1944 wrote to memory of 1780 1944 bbthbn.exe 45 PID 1944 wrote to memory of 1780 1944 bbthbn.exe 45 PID 1944 wrote to memory of 1780 1944 bbthbn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe"C:\Users\Admin\AppData\Local\Temp\c9830ae8663d61f8b979ff6f5d07271dbfccebf69622e2ed9503973733f65c1cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\dvjpp.exec:\dvjpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\3vddj.exec:\3vddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\k80000.exec:\k80000.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\608428.exec:\608428.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\1nhbbb.exec:\1nhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\5ntnbb.exec:\5ntnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\hthhbb.exec:\hthhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\a8488.exec:\a8488.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\hntthb.exec:\hntthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\frffrxl.exec:\frffrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\u862402.exec:\u862402.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\vvdvj.exec:\vvdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\g6226.exec:\g6226.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\7htnnn.exec:\7htnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\bbthbn.exec:\bbthbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\u648884.exec:\u648884.exe17⤵
- Executes dropped EXE
PID:1780 -
\??\c:\a0200.exec:\a0200.exe18⤵
- Executes dropped EXE
PID:1760 -
\??\c:\80222.exec:\80222.exe19⤵
- Executes dropped EXE
PID:1748 -
\??\c:\5frlfff.exec:\5frlfff.exe20⤵
- Executes dropped EXE
PID:2996 -
\??\c:\3bnnnn.exec:\3bnnnn.exe21⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5xxxxrr.exec:\5xxxxrr.exe22⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jdvvd.exec:\jdvvd.exe23⤵
- Executes dropped EXE
PID:1464 -
\??\c:\802888.exec:\802888.exe24⤵
- Executes dropped EXE
PID:2240 -
\??\c:\htbhhh.exec:\htbhhh.exe25⤵
- Executes dropped EXE
PID:952 -
\??\c:\bnbbbb.exec:\bnbbbb.exe26⤵
- Executes dropped EXE
PID:584 -
\??\c:\4666828.exec:\4666828.exe27⤵
- Executes dropped EXE
PID:1836 -
\??\c:\4688822.exec:\4688822.exe28⤵
- Executes dropped EXE
PID:1996 -
\??\c:\1ntttn.exec:\1ntttn.exe29⤵
- Executes dropped EXE
PID:1572 -
\??\c:\2400260.exec:\2400260.exe30⤵
- Executes dropped EXE
PID:768 -
\??\c:\hthhnh.exec:\hthhnh.exe31⤵
- Executes dropped EXE
PID:696 -
\??\c:\20628.exec:\20628.exe32⤵
- Executes dropped EXE
PID:580 -
\??\c:\8684002.exec:\8684002.exe33⤵
- Executes dropped EXE
PID:2412 -
\??\c:\660644.exec:\660644.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\g2440.exec:\g2440.exe35⤵
- Executes dropped EXE
PID:2020 -
\??\c:\42206.exec:\42206.exe36⤵
- Executes dropped EXE
PID:2524 -
\??\c:\02800.exec:\02800.exe37⤵
- Executes dropped EXE
PID:2340 -
\??\c:\c244440.exec:\c244440.exe38⤵
- Executes dropped EXE
PID:356 -
\??\c:\5tbbnb.exec:\5tbbnb.exe39⤵
- Executes dropped EXE
PID:1316 -
\??\c:\o688040.exec:\o688040.exe40⤵
- Executes dropped EXE
PID:308 -
\??\c:\ntbnnb.exec:\ntbnnb.exe41⤵
- Executes dropped EXE
PID:1272 -
\??\c:\m4006.exec:\m4006.exe42⤵
- Executes dropped EXE
PID:2876 -
\??\c:\6464628.exec:\6464628.exe43⤵
- Executes dropped EXE
PID:3068 -
\??\c:\26222.exec:\26222.exe44⤵
- Executes dropped EXE
PID:2656 -
\??\c:\xrllxrf.exec:\xrllxrf.exe45⤵
- Executes dropped EXE
PID:2796 -
\??\c:\4244644.exec:\4244644.exe46⤵
- Executes dropped EXE
PID:2728 -
\??\c:\7htbbh.exec:\7htbbh.exe47⤵
- Executes dropped EXE
PID:2644 -
\??\c:\426626.exec:\426626.exe48⤵
- Executes dropped EXE
PID:2652 -
\??\c:\802288.exec:\802288.exe49⤵
- Executes dropped EXE
PID:2448 -
\??\c:\pjdvp.exec:\pjdvp.exe50⤵
- Executes dropped EXE
PID:2460 -
\??\c:\3vddj.exec:\3vddj.exe51⤵
- Executes dropped EXE
PID:2512 -
\??\c:\q40888.exec:\q40888.exe52⤵
- Executes dropped EXE
PID:2712 -
\??\c:\2688440.exec:\2688440.exe53⤵
- Executes dropped EXE
PID:848 -
\??\c:\pjvpp.exec:\pjvpp.exe54⤵
- Executes dropped EXE
PID:1944 -
\??\c:\pdddj.exec:\pdddj.exe55⤵
- Executes dropped EXE
PID:2852 -
\??\c:\c644484.exec:\c644484.exe56⤵
- Executes dropped EXE
PID:2964 -
\??\c:\06668.exec:\06668.exe57⤵
- Executes dropped EXE
PID:3000 -
\??\c:\08422.exec:\08422.exe58⤵
- Executes dropped EXE
PID:3012 -
\??\c:\hthhhh.exec:\hthhhh.exe59⤵
- Executes dropped EXE
PID:2996 -
\??\c:\frrxllf.exec:\frrxllf.exe60⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xrxrxxf.exec:\xrxrxxf.exe61⤵
- Executes dropped EXE
PID:2272 -
\??\c:\5bnbtb.exec:\5bnbtb.exe62⤵
- Executes dropped EXE
PID:2128 -
\??\c:\dvpvj.exec:\dvpvj.exe63⤵
- Executes dropped EXE
PID:1124 -
\??\c:\86446.exec:\86446.exe64⤵
- Executes dropped EXE
PID:3032 -
\??\c:\7bhhhn.exec:\7bhhhn.exe65⤵
- Executes dropped EXE
PID:1844 -
\??\c:\1dvdd.exec:\1dvdd.exe66⤵PID:952
-
\??\c:\rlxxlfl.exec:\rlxxlfl.exe67⤵PID:1680
-
\??\c:\0862400.exec:\0862400.exe68⤵PID:1836
-
\??\c:\68626.exec:\68626.exe69⤵PID:1052
-
\??\c:\6848888.exec:\6848888.exe70⤵PID:556
-
\??\c:\08480.exec:\08480.exe71⤵PID:300
-
\??\c:\xrfxffl.exec:\xrfxffl.exe72⤵PID:2172
-
\??\c:\xxfflrr.exec:\xxfflrr.exe73⤵PID:2972
-
\??\c:\g0280.exec:\g0280.exe74⤵PID:1808
-
\??\c:\684226.exec:\684226.exe75⤵PID:2084
-
\??\c:\u088440.exec:\u088440.exe76⤵PID:1596
-
\??\c:\k86248.exec:\k86248.exe77⤵PID:1556
-
\??\c:\5ttttn.exec:\5ttttn.exe78⤵PID:2020
-
\??\c:\hnbttn.exec:\hnbttn.exe79⤵PID:2348
-
\??\c:\64668.exec:\64668.exe80⤵PID:1924
-
\??\c:\4240662.exec:\4240662.exe81⤵PID:2052
-
\??\c:\86484.exec:\86484.exe82⤵PID:1800
-
\??\c:\868862.exec:\868862.exe83⤵PID:2368
-
\??\c:\dvjvd.exec:\dvjvd.exe84⤵PID:964
-
\??\c:\808220.exec:\808220.exe85⤵PID:2748
-
\??\c:\9vjjj.exec:\9vjjj.exe86⤵PID:2876
-
\??\c:\e62048.exec:\e62048.exe87⤵PID:2232
-
\??\c:\u862446.exec:\u862446.exe88⤵PID:2648
-
\??\c:\hbhbhh.exec:\hbhbhh.exe89⤵PID:2664
-
\??\c:\lxfllll.exec:\lxfllll.exe90⤵PID:2728
-
\??\c:\xrfffxf.exec:\xrfffxf.exe91⤵PID:2904
-
\??\c:\vjvvd.exec:\vjvvd.exe92⤵PID:2652
-
\??\c:\4682266.exec:\4682266.exe93⤵PID:2744
-
\??\c:\4262446.exec:\4262446.exe94⤵PID:1512
-
\??\c:\i806202.exec:\i806202.exe95⤵PID:1380
-
\??\c:\260062.exec:\260062.exe96⤵PID:1664
-
\??\c:\lxffrfl.exec:\lxffrfl.exe97⤵PID:1920
-
\??\c:\084842.exec:\084842.exe98⤵PID:1964
-
\??\c:\a0600.exec:\a0600.exe99⤵PID:2988
-
\??\c:\pjvvd.exec:\pjvvd.exe100⤵PID:1792
-
\??\c:\nhttbb.exec:\nhttbb.exe101⤵PID:2828
-
\??\c:\086022.exec:\086022.exe102⤵PID:2060
-
\??\c:\nhbbnn.exec:\nhbbnn.exe103⤵PID:2996
-
\??\c:\s0884.exec:\s0884.exe104⤵PID:3052
-
\??\c:\08044.exec:\08044.exe105⤵PID:2272
-
\??\c:\k08444.exec:\k08444.exe106⤵PID:2128
-
\??\c:\o088042.exec:\o088042.exe107⤵PID:2160
-
\??\c:\8628040.exec:\8628040.exe108⤵PID:3032
-
\??\c:\g8448.exec:\g8448.exe109⤵PID:1976
-
\??\c:\hhttbt.exec:\hhttbt.exe110⤵PID:984
-
\??\c:\fxflxrr.exec:\fxflxrr.exe111⤵PID:1732
-
\??\c:\frllllx.exec:\frllllx.exe112⤵PID:1724
-
\??\c:\2662288.exec:\2662288.exe113⤵PID:1528
-
\??\c:\c088402.exec:\c088402.exe114⤵PID:320
-
\??\c:\824026.exec:\824026.exe115⤵PID:1932
-
\??\c:\42840.exec:\42840.exe116⤵PID:768
-
\??\c:\084444.exec:\084444.exe117⤵PID:2204
-
\??\c:\ttttnh.exec:\ttttnh.exe118⤵PID:2216
-
\??\c:\lxxxfxf.exec:\lxxxfxf.exe119⤵PID:2344
-
\??\c:\82062.exec:\82062.exe120⤵PID:1708
-
\??\c:\u824000.exec:\u824000.exe121⤵PID:1892
-
\??\c:\pjddp.exec:\pjddp.exe122⤵PID:296