Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 02:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe
-
Size
453KB
-
MD5
b8d68ab533baaaef268c8a983ddf6850
-
SHA1
a9aa1b9abc23e23c59da8c52b4ca3b8376eab8aa
-
SHA256
9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306
-
SHA512
5a5c5fdbbb0af209641777c7c46b9c5efa506b12051d811122eb036579bf0f4ce957403aa2efe37085abfd9cb4a1624197c14248feb038ece82d255bbdca56e8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2420-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-63-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2880-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-109-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1016-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-197-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1808-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/820-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/948-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-221-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2220-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-300-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2184-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-379-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2892-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-499-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1968-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-803-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2392-901-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2508-913-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2888-920-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-936-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-1006-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-1025-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1472-1063-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1972 9lllxxl.exe 2376 486240.exe 1732 86602.exe 3060 4868868.exe 2232 86402.exe 2880 7xlrxxr.exe 2912 880800.exe 2708 hbnnbb.exe 2616 btnbnt.exe 2596 080684.exe 1920 4202062.exe 3064 dvvdj.exe 2840 5hbnhn.exe 1016 0866064.exe 1984 4644640.exe 1944 s6842.exe 2848 tbhhnh.exe 2204 642840.exe 2156 64066.exe 536 3rllrxl.exe 1808 64028.exe 820 xlrllfl.exe 1468 602442.exe 948 bthhhb.exe 1716 02068.exe 1688 rfllllf.exe 604 8644006.exe 2300 7jpjd.exe 2140 80266.exe 1704 c600040.exe 2164 8684440.exe 2220 8866460.exe 2424 hbnnnn.exe 2184 lxxrxrr.exe 2376 bnbhtt.exe 2508 868444.exe 2064 q68264.exe 2732 02086.exe 2792 1thhnh.exe 2700 824448.exe 2868 7rrrrxf.exe 2764 lrfxrll.exe 2600 xrllrll.exe 2756 jdjpv.exe 2632 3hhhhb.exe 2588 48822.exe 2892 9hhbtt.exe 2668 1jppv.exe 3064 xlrxlfr.exe 1776 8288440.exe 2272 5dpjd.exe 2496 5jvpp.exe 1984 o686822.exe 1944 ffxfllr.exe 1696 m6680.exe 2068 xfxrrff.exe 1636 rlflrfl.exe 1832 604284.exe 2172 dvpvj.exe 1032 hbtthn.exe 1824 hbbhtt.exe 1164 rlxfflr.exe 1548 vvpdv.exe 980 44804.exe -
resource yara_rule behavioral1/memory/2420-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3064-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-901-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2800-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-936-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2612-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-962-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-1044-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0802880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4222822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4284444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q42462.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2022822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w48068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6426228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 1972 2420 9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe 30 PID 2420 wrote to memory of 1972 2420 9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe 30 PID 2420 wrote to memory of 1972 2420 9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe 30 PID 2420 wrote to memory of 1972 2420 9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe 30 PID 1972 wrote to memory of 2376 1972 9lllxxl.exe 31 PID 1972 wrote to memory of 2376 1972 9lllxxl.exe 31 PID 1972 wrote to memory of 2376 1972 9lllxxl.exe 31 PID 1972 wrote to memory of 2376 1972 9lllxxl.exe 31 PID 2376 wrote to memory of 1732 2376 486240.exe 32 PID 2376 wrote to memory of 1732 2376 486240.exe 32 PID 2376 wrote to memory of 1732 2376 486240.exe 32 PID 2376 wrote to memory of 1732 2376 486240.exe 32 PID 1732 wrote to memory of 3060 1732 86602.exe 33 PID 1732 wrote to memory of 3060 1732 86602.exe 33 PID 1732 wrote to memory of 3060 1732 86602.exe 33 PID 1732 wrote to memory of 3060 1732 86602.exe 33 PID 3060 wrote to memory of 2232 3060 4868868.exe 34 PID 3060 wrote to memory of 2232 3060 4868868.exe 34 PID 3060 wrote to memory of 2232 3060 4868868.exe 34 PID 3060 wrote to memory of 2232 3060 4868868.exe 34 PID 2232 wrote to memory of 2880 2232 86402.exe 35 PID 2232 wrote to memory of 2880 2232 86402.exe 35 PID 2232 wrote to memory of 2880 2232 86402.exe 35 PID 2232 wrote to memory of 2880 2232 86402.exe 35 PID 2880 wrote to memory of 2912 2880 7xlrxxr.exe 36 PID 2880 wrote to memory of 2912 2880 7xlrxxr.exe 36 PID 2880 wrote to memory of 2912 2880 7xlrxxr.exe 36 PID 2880 wrote to memory of 2912 2880 7xlrxxr.exe 36 PID 2912 wrote to memory of 2708 2912 880800.exe 37 PID 2912 wrote to memory of 2708 2912 880800.exe 37 PID 2912 wrote to memory of 2708 2912 880800.exe 37 PID 2912 wrote to memory of 2708 2912 880800.exe 37 PID 2708 wrote to memory of 2616 2708 hbnnbb.exe 38 PID 
2708 wrote to memory of 2616 2708 hbnnbb.exe 38 PID 2708 wrote to memory of 2616 2708 hbnnbb.exe 38 PID 2708 wrote to memory of 2616 2708 hbnnbb.exe 38 PID 2616 wrote to memory of 2596 2616 btnbnt.exe 39 PID 2616 wrote to memory of 2596 2616 btnbnt.exe 39 PID 2616 wrote to memory of 2596 2616 btnbnt.exe 39 PID 2616 wrote to memory of 2596 2616 btnbnt.exe 39 PID 2596 wrote to memory of 1920 2596 080684.exe 40 PID 2596 wrote to memory of 1920 2596 080684.exe 40 PID 2596 wrote to memory of 1920 2596 080684.exe 40 PID 2596 wrote to memory of 1920 2596 080684.exe 40 PID 1920 wrote to memory of 3064 1920 4202062.exe 41 PID 1920 wrote to memory of 3064 1920 4202062.exe 41 PID 1920 wrote to memory of 3064 1920 4202062.exe 41 PID 1920 wrote to memory of 3064 1920 4202062.exe 41 PID 3064 wrote to memory of 2840 3064 dvvdj.exe 42 PID 3064 wrote to memory of 2840 3064 dvvdj.exe 42 PID 3064 wrote to memory of 2840 3064 dvvdj.exe 42 PID 3064 wrote to memory of 2840 3064 dvvdj.exe 42 PID 2840 wrote to memory of 1016 2840 5hbnhn.exe 43 PID 2840 wrote to memory of 1016 2840 5hbnhn.exe 43 PID 2840 wrote to memory of 1016 2840 5hbnhn.exe 43 PID 2840 wrote to memory of 1016 2840 5hbnhn.exe 43 PID 1016 wrote to memory of 1984 1016 0866064.exe 44 PID 1016 wrote to memory of 1984 1016 0866064.exe 44 PID 1016 wrote to memory of 1984 1016 0866064.exe 44 PID 1016 wrote to memory of 1984 1016 0866064.exe 44 PID 1984 wrote to memory of 1944 1984 4644640.exe 45 PID 1984 wrote to memory of 1944 1984 4644640.exe 45 PID 1984 wrote to memory of 1944 1984 4644640.exe 45 PID 1984 wrote to memory of 1944 1984 4644640.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe"C:\Users\Admin\AppData\Local\Temp\9249381bfaa8f8856f06388a8db14234512558c9a0030a1caf4c56b091b7e306N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\9lllxxl.exec:\9lllxxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\486240.exec:\486240.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\86602.exec:\86602.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\4868868.exec:\4868868.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\86402.exec:\86402.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\7xlrxxr.exec:\7xlrxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\880800.exec:\880800.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\hbnnbb.exec:\hbnnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\btnbnt.exec:\btnbnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\080684.exec:\080684.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\4202062.exec:\4202062.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\dvvdj.exec:\dvvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\5hbnhn.exec:\5hbnhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\0866064.exec:\0866064.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\4644640.exec:\4644640.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\s6842.exec:\s6842.exe17⤵
- Executes dropped EXE
PID:1944 -
\??\c:\tbhhnh.exec:\tbhhnh.exe18⤵
- Executes dropped EXE
PID:2848 -
\??\c:\642840.exec:\642840.exe19⤵
- Executes dropped EXE
PID:2204 -
\??\c:\64066.exec:\64066.exe20⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3rllrxl.exec:\3rllrxl.exe21⤵
- Executes dropped EXE
PID:536 -
\??\c:\64028.exec:\64028.exe22⤵
- Executes dropped EXE
PID:1808 -
\??\c:\xlrllfl.exec:\xlrllfl.exe23⤵
- Executes dropped EXE
PID:820 -
\??\c:\602442.exec:\602442.exe24⤵
- Executes dropped EXE
PID:1468 -
\??\c:\bthhhb.exec:\bthhhb.exe25⤵
- Executes dropped EXE
PID:948 -
\??\c:\02068.exec:\02068.exe26⤵
- Executes dropped EXE
PID:1716 -
\??\c:\rfllllf.exec:\rfllllf.exe27⤵
- Executes dropped EXE
PID:1688 -
\??\c:\8644006.exec:\8644006.exe28⤵
- Executes dropped EXE
PID:604 -
\??\c:\7jpjd.exec:\7jpjd.exe29⤵
- Executes dropped EXE
PID:2300 -
\??\c:\80266.exec:\80266.exe30⤵
- Executes dropped EXE
PID:2140 -
\??\c:\c600040.exec:\c600040.exe31⤵
- Executes dropped EXE
PID:1704 -
\??\c:\8684440.exec:\8684440.exe32⤵
- Executes dropped EXE
PID:2164 -
\??\c:\8866460.exec:\8866460.exe33⤵
- Executes dropped EXE
PID:2220 -
\??\c:\hbnnnn.exec:\hbnnnn.exe34⤵
- Executes dropped EXE
PID:2424 -
\??\c:\lxxrxrr.exec:\lxxrxrr.exe35⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bnbhtt.exec:\bnbhtt.exe36⤵
- Executes dropped EXE
PID:2376 -
\??\c:\868444.exec:\868444.exe37⤵
- Executes dropped EXE
PID:2508 -
\??\c:\q68264.exec:\q68264.exe38⤵
- Executes dropped EXE
PID:2064 -
\??\c:\02086.exec:\02086.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\1thhnh.exec:\1thhnh.exe40⤵
- Executes dropped EXE
PID:2792 -
\??\c:\824448.exec:\824448.exe41⤵
- Executes dropped EXE
PID:2700 -
\??\c:\7rrrrxf.exec:\7rrrrxf.exe42⤵
- Executes dropped EXE
PID:2868 -
\??\c:\lrfxrll.exec:\lrfxrll.exe43⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xrllrll.exec:\xrllrll.exe44⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jdjpv.exec:\jdjpv.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\3hhhhb.exec:\3hhhhb.exe46⤵
- Executes dropped EXE
PID:2632 -
\??\c:\48822.exec:\48822.exe47⤵
- Executes dropped EXE
PID:2588 -
\??\c:\9hhbtt.exec:\9hhbtt.exe48⤵
- Executes dropped EXE
PID:2892 -
\??\c:\1jppv.exec:\1jppv.exe49⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xlrxlfr.exec:\xlrxlfr.exe50⤵
- Executes dropped EXE
PID:3064 -
\??\c:\8288440.exec:\8288440.exe51⤵
- Executes dropped EXE
PID:1776 -
\??\c:\5dpjd.exec:\5dpjd.exe52⤵
- Executes dropped EXE
PID:2272 -
\??\c:\5jvpp.exec:\5jvpp.exe53⤵
- Executes dropped EXE
PID:2496 -
\??\c:\o686822.exec:\o686822.exe54⤵
- Executes dropped EXE
PID:1984 -
\??\c:\ffxfllr.exec:\ffxfllr.exe55⤵
- Executes dropped EXE
PID:1944 -
\??\c:\m6680.exec:\m6680.exe56⤵
- Executes dropped EXE
PID:1696 -
\??\c:\xfxrrff.exec:\xfxrrff.exe57⤵
- Executes dropped EXE
PID:2068 -
\??\c:\rlflrfl.exec:\rlflrfl.exe58⤵
- Executes dropped EXE
PID:1636 -
\??\c:\604284.exec:\604284.exe59⤵
- Executes dropped EXE
PID:1832 -
\??\c:\dvpvj.exec:\dvpvj.exe60⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hbtthn.exec:\hbtthn.exe61⤵
- Executes dropped EXE
PID:1032 -
\??\c:\hbbhtt.exec:\hbbhtt.exe62⤵
- Executes dropped EXE
PID:1824 -
\??\c:\rlxfflr.exec:\rlxfflr.exe63⤵
- Executes dropped EXE
PID:1164 -
\??\c:\vvpdv.exec:\vvpdv.exe64⤵
- Executes dropped EXE
PID:1548 -
\??\c:\44804.exec:\44804.exe65⤵
- Executes dropped EXE
PID:980 -
\??\c:\ffrfrfx.exec:\ffrfrfx.exe66⤵PID:1692
-
\??\c:\486862.exec:\486862.exe67⤵PID:1664
-
\??\c:\llflxfr.exec:\llflxfr.exe68⤵PID:2268
-
\??\c:\42464.exec:\42464.exe69⤵PID:1968
-
\??\c:\vjpjd.exec:\vjpjd.exe70⤵PID:1872
-
\??\c:\jdvvv.exec:\jdvvv.exe71⤵PID:236
-
\??\c:\hnnbnh.exec:\hnnbnh.exe72⤵PID:1600
-
\??\c:\pjjvj.exec:\pjjvj.exe73⤵PID:1444
-
\??\c:\rlfflrf.exec:\rlfflrf.exe74⤵PID:864
-
\??\c:\hbnntt.exec:\hbnntt.exe75⤵PID:2164
-
\??\c:\rlflrxl.exec:\rlflrxl.exe76⤵PID:1972
-
\??\c:\dpvdj.exec:\dpvdj.exe77⤵PID:1536
-
\??\c:\ntnbnb.exec:\ntnbnb.exe78⤵PID:1528
-
\??\c:\06440.exec:\06440.exe79⤵PID:2372
-
\??\c:\04280.exec:\04280.exe80⤵PID:2348
-
\??\c:\dppvv.exec:\dppvv.exe81⤵PID:2468
-
\??\c:\686684.exec:\686684.exe82⤵PID:2488
-
\??\c:\3djpv.exec:\3djpv.exe83⤵PID:2964
-
\??\c:\824028.exec:\824028.exe84⤵PID:2444
-
\??\c:\xxrlxlx.exec:\xxrlxlx.exe85⤵PID:2720
-
\??\c:\bbthnt.exec:\bbthnt.exe86⤵PID:2912
-
\??\c:\btntnt.exec:\btntnt.exe87⤵PID:2352
-
\??\c:\fxxxxff.exec:\fxxxxff.exe88⤵PID:2592
-
\??\c:\fffrllx.exec:\fffrllx.exe89⤵PID:2680
-
\??\c:\420288.exec:\420288.exe90⤵PID:1756
-
\??\c:\4868402.exec:\4868402.exe91⤵PID:1920
-
\??\c:\hbttbh.exec:\hbttbh.exe92⤵PID:1012
-
\??\c:\08684.exec:\08684.exe93⤵PID:2636
-
\??\c:\5hbnhh.exec:\5hbnhh.exe94⤵PID:2840
-
\??\c:\pjddj.exec:\pjddj.exe95⤵PID:1544
-
\??\c:\008460.exec:\008460.exe96⤵PID:2272
-
\??\c:\2640224.exec:\2640224.exe97⤵PID:2012
-
\??\c:\q42462.exec:\q42462.exe98⤵
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\42002.exec:\42002.exe99⤵PID:1804
-
\??\c:\xrllrrx.exec:\xrllrrx.exe100⤵PID:2688
-
\??\c:\hbnthh.exec:\hbnthh.exe101⤵PID:2104
-
\??\c:\hbhtbt.exec:\hbhtbt.exe102⤵PID:2960
-
\??\c:\rlffrrl.exec:\rlffrrl.exe103⤵PID:2576
-
\??\c:\dvdvd.exec:\dvdvd.exe104⤵PID:1524
-
\??\c:\jvppv.exec:\jvppv.exe105⤵
- System Location Discovery: System Language Discovery
PID:648 -
\??\c:\hbnnbb.exec:\hbnnbb.exe106⤵PID:1492
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe107⤵PID:572
-
\??\c:\264028.exec:\264028.exe108⤵PID:2004
-
\??\c:\dvpjd.exec:\dvpjd.exe109⤵PID:1548
-
\??\c:\vvpvp.exec:\vvpvp.exe110⤵PID:1792
-
\??\c:\3flrrrf.exec:\3flrrrf.exe111⤵PID:1684
-
\??\c:\xrlxllx.exec:\xrlxllx.exe112⤵PID:2152
-
\??\c:\ddppv.exec:\ddppv.exe113⤵PID:1964
-
\??\c:\nbttbh.exec:\nbttbh.exe114⤵PID:2288
-
\??\c:\vvjpp.exec:\vvjpp.exe115⤵PID:1744
-
\??\c:\822866.exec:\822866.exe116⤵PID:2824
-
\??\c:\64884.exec:\64884.exe117⤵PID:684
-
\??\c:\08026.exec:\08026.exe118⤵PID:2448
-
\??\c:\fxflllx.exec:\fxflllx.exe119⤵PID:2200
-
\??\c:\xlxflrf.exec:\xlxflrf.exe120⤵PID:2124
-
\??\c:\86824.exec:\86824.exe121⤵PID:1640
-
\??\c:\8246880.exec:\8246880.exe122⤵PID:2512