Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17/10/2024, 18:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe
-
Size
453KB
-
MD5
a91b92359fd518957432a6c721c0c6e9
-
SHA1
1dc08c771b2f34287ff035903c9a45c6c0fe49d3
-
SHA256
124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724
-
SHA512
cda5e453c799d4e76477c2813a82384d10e7d45fabd39bf1a95edfe72ecda81f4329c23f1d8b0321c7fbf922ecf79fb4c0e5ef9f402ea20d05e9c55f9df4fc83
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/1620-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/608-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/656-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-220-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/800-209-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2984-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2720-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-63-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2112-903-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2012-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-1142-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2672-1149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2088 xxxlflr.exe 1716 dvjvj.exe 2420 rrrrxfx.exe 2700 1tntbn.exe 2844 1htbhh.exe 2760 ddddd.exe 2740 fxlrfrf.exe 2916 tnhhnt.exe 2720 ppdjd.exe 2640 bhhbbn.exe 2656 vvpdj.exe 1808 jjdjp.exe 908 rrfxlxl.exe 2956 nnhtht.exe 2040 jpjpj.exe 2708 1xllflx.exe 1144 bnhntt.exe 1704 xrxfxxf.exe 1688 7hthbh.exe 2984 5nhnbh.exe 2188 1dpjd.exe 800 5llrlrl.exe 340 vvvjv.exe 3044 xxlxrxl.exe 1760 lllrxlr.exe 608 bnhntn.exe 2552 dvvvd.exe 2476 dvpvj.exe 1652 xrlxflx.exe 468 3bnbhn.exe 656 3ntbtb.exe 2580 xxlrfrf.exe 2104 7tthbn.exe 2352 xxlrxfl.exe 1600 3lfrlrl.exe 2716 bthnhn.exe 2856 hhbnnt.exe 2852 5jdvp.exe 264 7ddjv.exe 2764 5xrflfl.exe 2740 9tthnb.exe 2652 5bthbn.exe 2644 vppdp.exe 2680 lflxrfx.exe 1424 3xrrlrx.exe 928 bbnbnt.exe 1808 htbhnt.exe 2784 vpvvv.exe 2868 vpjpp.exe 1740 rrflffl.exe 2040 nnbhbb.exe 2708 9ntbhn.exe 2676 jdpdd.exe 1980 ddjjp.exe 1180 1rrffxl.exe 2944 btnnnb.exe 2192 nbnbhn.exe 2380 ppjpd.exe 2456 jdvjp.exe 1120 xxrxrxr.exe 2000 flxlrfl.exe 1972 bbnnbh.exe 940 tnnnbb.exe 1760 dvjvd.exe -
resource yara_rule behavioral1/memory/1620-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/608-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/656-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-61-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2464-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-860-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-904-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-1149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-1169-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/572-1340-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
dvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2088 1620 124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe 30 PID 1620 wrote to memory of 2088 1620 124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe 30 PID 1620 wrote to memory of 2088 1620 124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe 30 PID 1620 wrote to memory of 2088 1620 124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe 30 PID 2088 wrote to memory of 1716 2088 xxxlflr.exe 31 PID 2088 wrote to memory of 1716 2088 xxxlflr.exe 31 PID 2088 wrote to memory of 1716 2088 xxxlflr.exe 31 PID 2088 wrote to memory of 1716 2088 xxxlflr.exe 31 PID 1716 wrote to memory of 2420 1716 dvjvj.exe 32 PID 1716 wrote to memory of 2420 1716 dvjvj.exe 32 PID 1716 wrote to memory of 2420 1716 dvjvj.exe 32 PID 1716 wrote to memory of 2420 1716 dvjvj.exe 32 PID 2420 wrote to memory of 2700 2420 rrrrxfx.exe 33 PID 2420 wrote to memory of 2700 2420 rrrrxfx.exe 33 PID 2420 wrote to memory of 2700 2420 rrrrxfx.exe 33 PID 2420 wrote to memory of 2700 2420 rrrrxfx.exe 33 PID 2700 wrote to memory of 2844 2700 1tntbn.exe 34 PID 2700 wrote to memory of 2844 2700 1tntbn.exe 34 PID 2700 wrote to memory of 2844 2700 1tntbn.exe 34 PID 2700 wrote to memory of 2844 2700 1tntbn.exe 34 PID 2844 wrote to memory of 2760 2844 1htbhh.exe 35 PID 2844 wrote to memory of 2760 2844 1htbhh.exe 35 PID 2844 wrote to memory of 2760 2844 1htbhh.exe 35 PID 2844 wrote to memory of 2760 2844 1htbhh.exe 35 PID 2760 wrote to memory of 2740 2760 ddddd.exe 36 PID 2760 wrote to memory of 2740 2760 ddddd.exe 36 PID 2760 wrote to memory of 2740 2760 ddddd.exe 36 PID 2760 wrote to memory of 2740 2760 ddddd.exe 36 PID 2740 wrote to memory of 2916 2740 fxlrfrf.exe 37 PID 2740 wrote to memory of 2916 2740 fxlrfrf.exe 37 PID 2740 wrote to memory of 2916 2740 fxlrfrf.exe 37 PID 2740 wrote to memory of 2916 2740 fxlrfrf.exe 37 PID 2916 wrote to memory of 2720 2916 tnhhnt.exe 38 PID 2916 
wrote to memory of 2720 2916 tnhhnt.exe 38 PID 2916 wrote to memory of 2720 2916 tnhhnt.exe 38 PID 2916 wrote to memory of 2720 2916 tnhhnt.exe 38 PID 2720 wrote to memory of 2640 2720 ppdjd.exe 39 PID 2720 wrote to memory of 2640 2720 ppdjd.exe 39 PID 2720 wrote to memory of 2640 2720 ppdjd.exe 39 PID 2720 wrote to memory of 2640 2720 ppdjd.exe 39 PID 2640 wrote to memory of 2656 2640 bhhbbn.exe 40 PID 2640 wrote to memory of 2656 2640 bhhbbn.exe 40 PID 2640 wrote to memory of 2656 2640 bhhbbn.exe 40 PID 2640 wrote to memory of 2656 2640 bhhbbn.exe 40 PID 2656 wrote to memory of 1808 2656 vvpdj.exe 41 PID 2656 wrote to memory of 1808 2656 vvpdj.exe 41 PID 2656 wrote to memory of 1808 2656 vvpdj.exe 41 PID 2656 wrote to memory of 1808 2656 vvpdj.exe 41 PID 1808 wrote to memory of 908 1808 jjdjp.exe 42 PID 1808 wrote to memory of 908 1808 jjdjp.exe 42 PID 1808 wrote to memory of 908 1808 jjdjp.exe 42 PID 1808 wrote to memory of 908 1808 jjdjp.exe 42 PID 908 wrote to memory of 2956 908 rrfxlxl.exe 43 PID 908 wrote to memory of 2956 908 rrfxlxl.exe 43 PID 908 wrote to memory of 2956 908 rrfxlxl.exe 43 PID 908 wrote to memory of 2956 908 rrfxlxl.exe 43 PID 2956 wrote to memory of 2040 2956 nnhtht.exe 44 PID 2956 wrote to memory of 2040 2956 nnhtht.exe 44 PID 2956 wrote to memory of 2040 2956 nnhtht.exe 44 PID 2956 wrote to memory of 2040 2956 nnhtht.exe 44 PID 2040 wrote to memory of 2708 2040 jpjpj.exe 45 PID 2040 wrote to memory of 2708 2040 jpjpj.exe 45 PID 2040 wrote to memory of 2708 2040 jpjpj.exe 45 PID 2040 wrote to memory of 2708 2040 jpjpj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe"C:\Users\Admin\AppData\Local\Temp\124136f9f80aa808352c4d2f201db3eaf16bd424c02c96bef141b092df75c724.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\xxxlflr.exec:\xxxlflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\dvjvj.exec:\dvjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\rrrrxfx.exec:\rrrrxfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\1tntbn.exec:\1tntbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\1htbhh.exec:\1htbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\ddddd.exec:\ddddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\fxlrfrf.exec:\fxlrfrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\tnhhnt.exec:\tnhhnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\ppdjd.exec:\ppdjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\bhhbbn.exec:\bhhbbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\vvpdj.exec:\vvpdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\jjdjp.exec:\jjdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\rrfxlxl.exec:\rrfxlxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
\??\c:\nnhtht.exec:\nnhtht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\jpjpj.exec:\jpjpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\1xllflx.exec:\1xllflx.exe17⤵
- Executes dropped EXE
PID:2708 -
\??\c:\bnhntt.exec:\bnhntt.exe18⤵
- Executes dropped EXE
PID:1144 -
\??\c:\xrxfxxf.exec:\xrxfxxf.exe19⤵
- Executes dropped EXE
PID:1704 -
\??\c:\7hthbh.exec:\7hthbh.exe20⤵
- Executes dropped EXE
PID:1688 -
\??\c:\5nhnbh.exec:\5nhnbh.exe21⤵
- Executes dropped EXE
PID:2984 -
\??\c:\1dpjd.exec:\1dpjd.exe22⤵
- Executes dropped EXE
PID:2188 -
\??\c:\5llrlrl.exec:\5llrlrl.exe23⤵
- Executes dropped EXE
PID:800 -
\??\c:\vvvjv.exec:\vvvjv.exe24⤵
- Executes dropped EXE
PID:340 -
\??\c:\xxlxrxl.exec:\xxlxrxl.exe25⤵
- Executes dropped EXE
PID:3044 -
\??\c:\lllrxlr.exec:\lllrxlr.exe26⤵
- Executes dropped EXE
PID:1760 -
\??\c:\bnhntn.exec:\bnhntn.exe27⤵
- Executes dropped EXE
PID:608 -
\??\c:\dvvvd.exec:\dvvvd.exe28⤵
- Executes dropped EXE
PID:2552 -
\??\c:\dvpvj.exec:\dvpvj.exe29⤵
- Executes dropped EXE
PID:2476 -
\??\c:\xrlxflx.exec:\xrlxflx.exe30⤵
- Executes dropped EXE
PID:1652 -
\??\c:\3bnbhn.exec:\3bnbhn.exe31⤵
- Executes dropped EXE
PID:468 -
\??\c:\3ntbtb.exec:\3ntbtb.exe32⤵
- Executes dropped EXE
PID:656 -
\??\c:\xxlrfrf.exec:\xxlrfrf.exe33⤵
- Executes dropped EXE
PID:2580 -
\??\c:\7tthbn.exec:\7tthbn.exe34⤵
- Executes dropped EXE
PID:2104 -
\??\c:\xxlrxfl.exec:\xxlrxfl.exe35⤵
- Executes dropped EXE
PID:2352 -
\??\c:\3lfrlrl.exec:\3lfrlrl.exe36⤵
- Executes dropped EXE
PID:1600 -
\??\c:\bthnhn.exec:\bthnhn.exe37⤵
- Executes dropped EXE
PID:2716 -
\??\c:\hhbnnt.exec:\hhbnnt.exe38⤵
- Executes dropped EXE
PID:2856 -
\??\c:\5jdvp.exec:\5jdvp.exe39⤵
- Executes dropped EXE
PID:2852 -
\??\c:\7ddjv.exec:\7ddjv.exe40⤵
- Executes dropped EXE
PID:264 -
\??\c:\5xrflfl.exec:\5xrflfl.exe41⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9tthnb.exec:\9tthnb.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\5bthbn.exec:\5bthbn.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\vppdp.exec:\vppdp.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lflxrfx.exec:\lflxrfx.exe45⤵
- Executes dropped EXE
PID:2680 -
\??\c:\3xrrlrx.exec:\3xrrlrx.exe46⤵
- Executes dropped EXE
PID:1424 -
\??\c:\bbnbnt.exec:\bbnbnt.exe47⤵
- Executes dropped EXE
PID:928 -
\??\c:\htbhnt.exec:\htbhnt.exe48⤵
- Executes dropped EXE
PID:1808 -
\??\c:\vpvvv.exec:\vpvvv.exe49⤵
- Executes dropped EXE
PID:2784 -
\??\c:\vpjpp.exec:\vpjpp.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
\??\c:\rrflffl.exec:\rrflffl.exe51⤵
- Executes dropped EXE
PID:1740 -
\??\c:\nnbhbb.exec:\nnbhbb.exe52⤵
- Executes dropped EXE
PID:2040 -
\??\c:\9ntbhn.exec:\9ntbhn.exe53⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jdpdd.exec:\jdpdd.exe54⤵
- Executes dropped EXE
PID:2676 -
\??\c:\ddjjp.exec:\ddjjp.exe55⤵
- Executes dropped EXE
PID:1980 -
\??\c:\1rrffxl.exec:\1rrffxl.exe56⤵
- Executes dropped EXE
PID:1180 -
\??\c:\btnnnb.exec:\btnnnb.exe57⤵
- Executes dropped EXE
PID:2944 -
\??\c:\nbnbhn.exec:\nbnbhn.exe58⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ppjpd.exec:\ppjpd.exe59⤵
- Executes dropped EXE
PID:2380 -
\??\c:\jdvjp.exec:\jdvjp.exe60⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xxrxrxr.exec:\xxrxrxr.exe61⤵
- Executes dropped EXE
PID:1120 -
\??\c:\flxlrfl.exec:\flxlrfl.exe62⤵
- Executes dropped EXE
PID:2000 -
\??\c:\bbnnbh.exec:\bbnnbh.exe63⤵
- Executes dropped EXE
PID:1972 -
\??\c:\tnnnbb.exec:\tnnnbb.exe64⤵
- Executes dropped EXE
PID:940 -
\??\c:\dvjvd.exec:\dvjvd.exe65⤵
- Executes dropped EXE
PID:1760 -
\??\c:\jpjvp.exec:\jpjvp.exe66⤵PID:3032
-
\??\c:\1lrxflr.exec:\1lrxflr.exe67⤵PID:832
-
\??\c:\hbnntt.exec:\hbnntt.exe68⤵PID:1776
-
\??\c:\nhbthh.exec:\nhbthh.exe69⤵PID:2268
-
\??\c:\9pjvj.exec:\9pjvj.exe70⤵PID:1700
-
\??\c:\dpdjv.exec:\dpdjv.exe71⤵PID:872
-
\??\c:\9llxlrf.exec:\9llxlrf.exe72⤵PID:468
-
\??\c:\ffxrlrr.exec:\ffxrlrr.exe73⤵PID:1564
-
\??\c:\hbbnhh.exec:\hbbnhh.exe74⤵PID:2088
-
\??\c:\bnbhht.exec:\bnbhht.exe75⤵PID:2540
-
\??\c:\1jdpd.exec:\1jdpd.exe76⤵PID:2116
-
\??\c:\jvdjp.exec:\jvdjp.exe77⤵PID:2360
-
\??\c:\thhbbt.exec:\thhbbt.exe78⤵PID:1604
-
\??\c:\jjdvp.exec:\jjdvp.exe79⤵PID:1940
-
\??\c:\5xlxlfl.exec:\5xlxlfl.exe80⤵PID:2524
-
\??\c:\1hnnhh.exec:\1hnnhh.exe81⤵PID:2464
-
\??\c:\1ddvj.exec:\1ddvj.exe82⤵PID:2172
-
\??\c:\rrlrfxl.exec:\rrlrfxl.exe83⤵PID:2768
-
\??\c:\tnhhtb.exec:\tnhhtb.exe84⤵PID:2764
-
\??\c:\vpjpv.exec:\vpjpv.exe85⤵PID:2816
-
\??\c:\dvddp.exec:\dvddp.exe86⤵PID:2072
-
\??\c:\1pddp.exec:\1pddp.exe87⤵PID:2144
-
\??\c:\7dvjv.exec:\7dvjv.exe88⤵PID:2680
-
\??\c:\lrlxfrf.exec:\lrlxfrf.exe89⤵PID:1136
-
\??\c:\hhhnbh.exec:\hhhnbh.exe90⤵PID:2896
-
\??\c:\fxrxrfr.exec:\fxrxrfr.exe91⤵PID:1628
-
\??\c:\5bbnbh.exec:\5bbnbh.exe92⤵PID:1852
-
\??\c:\7vvdv.exec:\7vvdv.exe93⤵PID:2288
-
\??\c:\xrlffxx.exec:\xrlffxx.exe94⤵PID:1916
-
\??\c:\tnnthb.exec:\tnnthb.exe95⤵PID:2820
-
\??\c:\ddvvj.exec:\ddvvj.exe96⤵PID:1672
-
\??\c:\1hnttt.exec:\1hnttt.exe97⤵PID:1960
-
\??\c:\9dppj.exec:\9dppj.exe98⤵PID:2872
-
\??\c:\lllrlrl.exec:\lllrlrl.exe99⤵PID:2120
-
\??\c:\hnnbtb.exec:\hnnbtb.exe100⤵PID:2208
-
\??\c:\bhhtnn.exec:\bhhtnn.exe101⤵PID:2640
-
\??\c:\flrlrxx.exec:\flrlrxx.exe102⤵PID:1796
-
\??\c:\1hbtnh.exec:\1hbtnh.exe103⤵PID:2372
-
\??\c:\vvpjv.exec:\vvpjv.exe104⤵PID:880
-
\??\c:\xxxxffr.exec:\xxxxffr.exe105⤵PID:668
-
\??\c:\dvpvj.exec:\dvpvj.exe106⤵PID:1780
-
\??\c:\jpdvv.exec:\jpdvv.exe107⤵PID:696
-
\??\c:\1bthth.exec:\1bthth.exe108⤵PID:2444
-
\??\c:\djvdd.exec:\djvdd.exe109⤵PID:1248
-
\??\c:\3bbbhn.exec:\3bbbhn.exe110⤵PID:2384
-
\??\c:\1dvpd.exec:\1dvpd.exe111⤵PID:2476
-
\??\c:\pjvdj.exec:\pjvdj.exe112⤵PID:2508
-
\??\c:\xrlfrfx.exec:\xrlfrfx.exe113⤵PID:600
-
\??\c:\htnnbh.exec:\htnnbh.exe114⤵PID:872
-
\??\c:\5vvpd.exec:\5vvpd.exe115⤵PID:468
-
\??\c:\jppjj.exec:\jppjj.exe116⤵PID:1564
-
\??\c:\rrlrlxx.exec:\rrlrlxx.exe117⤵PID:2088
-
\??\c:\tnhhhn.exec:\tnhhhn.exe118⤵PID:2540
-
\??\c:\jvvvj.exec:\jvvvj.exe119⤵PID:2116
-
\??\c:\rxrlfrr.exec:\rxrlfrr.exe120⤵PID:2420
-
\??\c:\9bbtbn.exec:\9bbtbn.exe121⤵PID:1604
-
\??\c:\lfrfxfl.exec:\lfrfxfl.exe122⤵PID:2716