Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 03:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe
-
Size
453KB
-
MD5
4e07a4279a8d04d3ceed8e463f1d3a80
-
SHA1
21e9f05e968fa22165076280d4897f76dd7dda06
-
SHA256
c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0
-
SHA512
316e369be5f2f23cb7257b05c83d8c0a90a5af5bf09eeb311bae32b2527378f260df6a5fd688bb4eb4b7d15946d70cae6fe917ee002175db58021d72c2f1117f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2344-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2788-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-167-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1764-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-263-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2716-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-328-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-364-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/700-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-484-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1016-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-659-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2892 7ffrxfr.exe 2692 dvdjv.exe 2848 fxlllrx.exe 2864 rrllrrl.exe 2600 xrflrxf.exe 2700 pjvjj.exe 2596 fxlrlrx.exe 3060 7bthnt.exe 588 vpdpp.exe 2660 3rflllx.exe 1436 9vpdp.exe 1260 hbnthh.exe 1396 1tbbbb.exe 2804 lflfrrf.exe 2788 nnbbhn.exe 2948 3frrxxl.exe 376 hbbhhh.exe 1764 rrxrrrx.exe 2176 1xlflrx.exe 3024 fxrxrrx.exe 1716 1nnnbb.exe 2168 fxlrffx.exe 1368 1tnttn.exe 2204 ffrlflx.exe 1932 tnhtbh.exe 2544 vpdjv.exe 3008 fflflfl.exe 2888 ddppp.exe 2476 1xrfllr.exe 2504 xxllffl.exe 2420 tnbhtt.exe 1580 7fflxfx.exe 2712 bhbnbh.exe 2716 1pjjj.exe 2824 fxxfxxl.exe 2808 hnhthh.exe 2744 vpvdp.exe 2736 rlxfflr.exe 2568 hthntt.exe 2560 9hhbhh.exe 2392 dpvvd.exe 2552 xxflflx.exe 2060 nhbbhn.exe 2376 vpjjj.exe 2740 xrffllx.exe 2780 frxrrxr.exe 2784 nhnnbt.exe 2796 jjdjp.exe 2364 vpjjp.exe 2920 lxlrrrf.exe 1660 3hhhhh.exe 700 vjdjp.exe 592 3xxflrx.exe 1724 btbbnt.exe 2432 hhtbbb.exe 2972 rlffllx.exe 2068 rxxlflf.exe 2964 hhbtbt.exe 3036 ddvjp.exe 848 1lxrrxf.exe 1044 bnbhhh.exe 1016 vvjpv.exe 1928 1djvv.exe 2516 ffxlllr.exe -
resource yara_rule behavioral1/memory/2344-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-167-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1764-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-268-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3008-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-638-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2416-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-686-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2892 2344 c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe 30 PID 2344 wrote to memory of 2892 2344 c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe 30 PID 2344 wrote to memory of 2892 2344 c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe 30 PID 2344 wrote to memory of 2892 2344 c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe 30 PID 2892 wrote to memory of 2692 2892 7ffrxfr.exe 31 PID 2892 wrote to memory of 2692 2892 7ffrxfr.exe 31 PID 2892 wrote to memory of 2692 2892 7ffrxfr.exe 31 PID 2892 wrote to memory of 2692 2892 7ffrxfr.exe 31 PID 2692 wrote to memory of 2848 2692 dvdjv.exe 32 PID 2692 wrote to memory of 2848 2692 dvdjv.exe 32 PID 2692 wrote to memory of 2848 2692 dvdjv.exe 32 PID 2692 wrote to memory of 2848 2692 dvdjv.exe 32 PID 2848 wrote to memory of 2864 2848 fxlllrx.exe 33 PID 2848 wrote to memory of 2864 2848 fxlllrx.exe 33 PID 2848 wrote to memory of 2864 2848 fxlllrx.exe 33 PID 2848 wrote to memory of 2864 2848 fxlllrx.exe 33 PID 2864 wrote to memory of 2600 2864 rrllrrl.exe 34 PID 2864 wrote to memory of 2600 2864 rrllrrl.exe 34 PID 2864 wrote to memory of 2600 2864 rrllrrl.exe 34 PID 2864 wrote to memory of 2600 2864 rrllrrl.exe 34 PID 2600 wrote to memory of 2700 2600 xrflrxf.exe 35 PID 2600 wrote to memory of 2700 2600 xrflrxf.exe 35 PID 2600 wrote to memory of 2700 2600 xrflrxf.exe 35 PID 2600 wrote to memory of 2700 2600 xrflrxf.exe 35 PID 2700 wrote to memory of 2596 2700 pjvjj.exe 36 PID 2700 wrote to memory of 2596 2700 pjvjj.exe 36 PID 2700 wrote to memory of 2596 2700 pjvjj.exe 36 PID 2700 wrote to memory of 2596 2700 pjvjj.exe 36 PID 2596 wrote to memory of 3060 2596 fxlrlrx.exe 37 PID 2596 wrote to memory of 3060 2596 fxlrlrx.exe 37 PID 2596 wrote to memory of 3060 2596 fxlrlrx.exe 37 PID 2596 wrote to memory of 3060 2596 fxlrlrx.exe 37 PID 3060 wrote to memory of 588 3060 7bthnt.exe 
38 PID 3060 wrote to memory of 588 3060 7bthnt.exe 38 PID 3060 wrote to memory of 588 3060 7bthnt.exe 38 PID 3060 wrote to memory of 588 3060 7bthnt.exe 38 PID 588 wrote to memory of 2660 588 vpdpp.exe 39 PID 588 wrote to memory of 2660 588 vpdpp.exe 39 PID 588 wrote to memory of 2660 588 vpdpp.exe 39 PID 588 wrote to memory of 2660 588 vpdpp.exe 39 PID 2660 wrote to memory of 1436 2660 3rflllx.exe 40 PID 2660 wrote to memory of 1436 2660 3rflllx.exe 40 PID 2660 wrote to memory of 1436 2660 3rflllx.exe 40 PID 2660 wrote to memory of 1436 2660 3rflllx.exe 40 PID 1436 wrote to memory of 1260 1436 9vpdp.exe 41 PID 1436 wrote to memory of 1260 1436 9vpdp.exe 41 PID 1436 wrote to memory of 1260 1436 9vpdp.exe 41 PID 1436 wrote to memory of 1260 1436 9vpdp.exe 41 PID 1260 wrote to memory of 1396 1260 hbnthh.exe 42 PID 1260 wrote to memory of 1396 1260 hbnthh.exe 42 PID 1260 wrote to memory of 1396 1260 hbnthh.exe 42 PID 1260 wrote to memory of 1396 1260 hbnthh.exe 42 PID 1396 wrote to memory of 2804 1396 1tbbbb.exe 43 PID 1396 wrote to memory of 2804 1396 1tbbbb.exe 43 PID 1396 wrote to memory of 2804 1396 1tbbbb.exe 43 PID 1396 wrote to memory of 2804 1396 1tbbbb.exe 43 PID 2804 wrote to memory of 2788 2804 lflfrrf.exe 44 PID 2804 wrote to memory of 2788 2804 lflfrrf.exe 44 PID 2804 wrote to memory of 2788 2804 lflfrrf.exe 44 PID 2804 wrote to memory of 2788 2804 lflfrrf.exe 44 PID 2788 wrote to memory of 2948 2788 nnbbhn.exe 45 PID 2788 wrote to memory of 2948 2788 nnbbhn.exe 45 PID 2788 wrote to memory of 2948 2788 nnbbhn.exe 45 PID 2788 wrote to memory of 2948 2788 nnbbhn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe"C:\Users\Admin\AppData\Local\Temp\c24dff77dfcb2bdcc51f601816a672f9681ac09f1e9e846f5adf0700474ef4d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\7ffrxfr.exec:\7ffrxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\dvdjv.exec:\dvdjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\fxlllrx.exec:\fxlllrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\rrllrrl.exec:\rrllrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\xrflrxf.exec:\xrflrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\pjvjj.exec:\pjvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\fxlrlrx.exec:\fxlrlrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\7bthnt.exec:\7bthnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\vpdpp.exec:\vpdpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588 -
\??\c:\3rflllx.exec:\3rflllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\9vpdp.exec:\9vpdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\hbnthh.exec:\hbnthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\1tbbbb.exec:\1tbbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\lflfrrf.exec:\lflfrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\nnbbhn.exec:\nnbbhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\3frrxxl.exec:\3frrxxl.exe17⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hbbhhh.exec:\hbbhhh.exe18⤵
- Executes dropped EXE
PID:376 -
\??\c:\rrxrrrx.exec:\rrxrrrx.exe19⤵
- Executes dropped EXE
PID:1764 -
\??\c:\1xlflrx.exec:\1xlflrx.exe20⤵
- Executes dropped EXE
PID:2176 -
\??\c:\fxrxrrx.exec:\fxrxrrx.exe21⤵
- Executes dropped EXE
PID:3024 -
\??\c:\1nnnbb.exec:\1nnnbb.exe22⤵
- Executes dropped EXE
PID:1716 -
\??\c:\fxlrffx.exec:\fxlrffx.exe23⤵
- Executes dropped EXE
PID:2168 -
\??\c:\1tnttn.exec:\1tnttn.exe24⤵
- Executes dropped EXE
PID:1368 -
\??\c:\ffrlflx.exec:\ffrlflx.exe25⤵
- Executes dropped EXE
PID:2204 -
\??\c:\tnhtbh.exec:\tnhtbh.exe26⤵
- Executes dropped EXE
PID:1932 -
\??\c:\vpdjv.exec:\vpdjv.exe27⤵
- Executes dropped EXE
PID:2544 -
\??\c:\fflflfl.exec:\fflflfl.exe28⤵
- Executes dropped EXE
PID:3008 -
\??\c:\ddppp.exec:\ddppp.exe29⤵
- Executes dropped EXE
PID:2888 -
\??\c:\1xrfllr.exec:\1xrfllr.exe30⤵
- Executes dropped EXE
PID:2476 -
\??\c:\xxllffl.exec:\xxllffl.exe31⤵
- Executes dropped EXE
PID:2504 -
\??\c:\tnbhtt.exec:\tnbhtt.exe32⤵
- Executes dropped EXE
PID:2420 -
\??\c:\7fflxfx.exec:\7fflxfx.exe33⤵
- Executes dropped EXE
PID:1580 -
\??\c:\bhbnbh.exec:\bhbnbh.exe34⤵
- Executes dropped EXE
PID:2712 -
\??\c:\1pjjj.exec:\1pjjj.exe35⤵
- Executes dropped EXE
PID:2716 -
\??\c:\fxxfxxl.exec:\fxxfxxl.exe36⤵
- Executes dropped EXE
PID:2824 -
\??\c:\hnhthh.exec:\hnhthh.exe37⤵
- Executes dropped EXE
PID:2808 -
\??\c:\vpvdp.exec:\vpvdp.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rlxfflr.exec:\rlxfflr.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\hthntt.exec:\hthntt.exe40⤵
- Executes dropped EXE
PID:2568 -
\??\c:\9hhbhh.exec:\9hhbhh.exe41⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dpvvd.exec:\dpvvd.exe42⤵
- Executes dropped EXE
PID:2392 -
\??\c:\xxflflx.exec:\xxflflx.exe43⤵
- Executes dropped EXE
PID:2552 -
\??\c:\nhbbhn.exec:\nhbbhn.exe44⤵
- Executes dropped EXE
PID:2060 -
\??\c:\vpjjj.exec:\vpjjj.exe45⤵
- Executes dropped EXE
PID:2376 -
\??\c:\xrffllx.exec:\xrffllx.exe46⤵
- Executes dropped EXE
PID:2740 -
\??\c:\frxrrxr.exec:\frxrrxr.exe47⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nhnnbt.exec:\nhnnbt.exe48⤵
- Executes dropped EXE
PID:2784 -
\??\c:\jjdjp.exec:\jjdjp.exe49⤵
- Executes dropped EXE
PID:2796 -
\??\c:\vpjjp.exec:\vpjjp.exe50⤵
- Executes dropped EXE
PID:2364 -
\??\c:\lxlrrrf.exec:\lxlrrrf.exe51⤵
- Executes dropped EXE
PID:2920 -
\??\c:\3hhhhh.exec:\3hhhhh.exe52⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vjdjp.exec:\vjdjp.exe53⤵
- Executes dropped EXE
PID:700 -
\??\c:\3xxflrx.exec:\3xxflrx.exe54⤵
- Executes dropped EXE
PID:592 -
\??\c:\btbbnt.exec:\btbbnt.exe55⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hhtbbb.exec:\hhtbbb.exe56⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rlffllx.exec:\rlffllx.exe57⤵
- Executes dropped EXE
PID:2972 -
\??\c:\rxxlflf.exec:\rxxlflf.exe58⤵
- Executes dropped EXE
PID:2068 -
\??\c:\hhbtbt.exec:\hhbtbt.exe59⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ddvjp.exec:\ddvjp.exe60⤵
- Executes dropped EXE
PID:3036 -
\??\c:\1lxrrxf.exec:\1lxrrxf.exe61⤵
- Executes dropped EXE
PID:848 -
\??\c:\bnbhhh.exec:\bnbhhh.exe62⤵
- Executes dropped EXE
PID:1044 -
\??\c:\vvjpv.exec:\vvjpv.exe63⤵
- Executes dropped EXE
PID:1016 -
\??\c:\1djvv.exec:\1djvv.exe64⤵
- Executes dropped EXE
PID:1928 -
\??\c:\ffxlllr.exec:\ffxlllr.exe65⤵
- Executes dropped EXE
PID:2516 -
\??\c:\hhtbnn.exec:\hhtbnn.exe66⤵PID:344
-
\??\c:\5jvvd.exec:\5jvvd.exe67⤵PID:1736
-
\??\c:\xrflxfl.exec:\xrflxfl.exe68⤵PID:1008
-
\??\c:\3fxxffr.exec:\3fxxffr.exe69⤵PID:2292
-
\??\c:\bnthbb.exec:\bnthbb.exe70⤵PID:1448
-
\??\c:\pjdvj.exec:\pjdvj.exe71⤵PID:2476
-
\??\c:\xxrrlrf.exec:\xxrrlrf.exe72⤵PID:2276
-
\??\c:\5xfxrll.exec:\5xfxrll.exe73⤵PID:2372
-
\??\c:\tbthtt.exec:\tbthtt.exe74⤵PID:352
-
\??\c:\7dddp.exec:\7dddp.exe75⤵PID:2216
-
\??\c:\5rrrfxf.exec:\5rrrfxf.exe76⤵PID:2712
-
\??\c:\7xfrxfx.exec:\7xfrxfx.exe77⤵PID:2720
-
\??\c:\nnhhnn.exec:\nnhhnn.exe78⤵PID:2976
-
\??\c:\ppdjv.exec:\ppdjv.exe79⤵PID:2856
-
\??\c:\pjdjd.exec:\pjdjd.exe80⤵PID:2908
-
\??\c:\fxllrrf.exec:\fxllrrf.exe81⤵PID:2612
-
\??\c:\bbhtbh.exec:\bbhtbh.exe82⤵PID:2684
-
\??\c:\ddjjv.exec:\ddjjv.exe83⤵PID:3064
-
\??\c:\rlrxflx.exec:\rlrxflx.exe84⤵PID:2416
-
\??\c:\9frxlrf.exec:\9frxlrf.exe85⤵PID:2604
-
\??\c:\hhhntb.exec:\hhhntb.exe86⤵
- System Location Discovery: System Language Discovery
PID:2524 -
\??\c:\jpjpv.exec:\jpjpv.exe87⤵PID:2020
-
\??\c:\ddvjd.exec:\ddvjd.exe88⤵PID:2916
-
\??\c:\rlflxxf.exec:\rlflxxf.exe89⤵PID:2300
-
\??\c:\nhbtbb.exec:\nhbtbb.exe90⤵PID:2624
-
\??\c:\7pdpv.exec:\7pdpv.exe91⤵PID:2632
-
\??\c:\dvpdv.exec:\dvpdv.exe92⤵PID:1844
-
\??\c:\9rxxxxr.exec:\9rxxxxr.exe93⤵PID:2364
-
\??\c:\3hbhtn.exec:\3hbhtn.exe94⤵
- System Location Discovery: System Language Discovery
PID:2920 -
\??\c:\ddpdj.exec:\ddpdj.exe95⤵PID:1160
-
\??\c:\rlxlflf.exec:\rlxlflf.exe96⤵PID:700
-
\??\c:\ffrxflx.exec:\ffrxflx.exe97⤵PID:2120
-
\??\c:\btnbnt.exec:\btnbnt.exe98⤵PID:680
-
\??\c:\dvpvv.exec:\dvpvv.exe99⤵PID:2176
-
\??\c:\dvjpd.exec:\dvjpd.exe100⤵PID:2172
-
\??\c:\9rflrrf.exec:\9rflrrf.exe101⤵PID:1100
-
\??\c:\hbntth.exec:\hbntth.exe102⤵PID:1716
-
\??\c:\jdpvj.exec:\jdpvj.exe103⤵PID:852
-
\??\c:\vjjdd.exec:\vjjdd.exe104⤵PID:2168
-
\??\c:\5rrxffl.exec:\5rrxffl.exe105⤵PID:1376
-
\??\c:\nhttbb.exec:\nhttbb.exe106⤵PID:2204
-
\??\c:\hhbbhh.exec:\hhbbhh.exe107⤵PID:2012
-
\??\c:\vjjpp.exec:\vjjpp.exe108⤵PID:2460
-
\??\c:\5xfrxrr.exec:\5xfrxrr.exe109⤵PID:2544
-
\??\c:\5nbntn.exec:\5nbntn.exe110⤵PID:2468
-
\??\c:\nbnntb.exec:\nbnntb.exe111⤵PID:372
-
\??\c:\3pjdv.exec:\3pjdv.exe112⤵PID:2888
-
\??\c:\lxrrxxf.exec:\lxrrxxf.exe113⤵PID:316
-
\??\c:\llfrfrl.exec:\llfrfrl.exe114⤵PID:1512
-
\??\c:\nhtttb.exec:\nhtttb.exe115⤵PID:2140
-
\??\c:\7dvvd.exec:\7dvvd.exe116⤵PID:1664
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe117⤵PID:2672
-
\??\c:\nhbhtt.exec:\nhbhtt.exe118⤵PID:2704
-
\??\c:\pjjjp.exec:\pjjjp.exe119⤵PID:2896
-
\??\c:\xxrrxrx.exec:\xxrrxrx.exe120⤵PID:2848
-
\??\c:\hbnhtb.exec:\hbnhtb.exe121⤵PID:2696
-
\??\c:\3bntbt.exec:\3bntbt.exe122⤵PID:2588
-