Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe
-
Size
454KB
-
MD5
566214a86f4b61209f354ca48a26d6ba
-
SHA1
5473dd7d56e2fe683c45ef6b438e4871896609a7
-
SHA256
c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3
-
SHA512
8b498de2f7b6442e3b2ab3555f1c0b8644e1b5aed367a71b2f25e55a5e76d50697ad30f86f234af0000d79ef9501f160cf78a3d628e3e7cd0add73a7f90c2de5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral1/memory/2988-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-23-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1924-42-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1924-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-155-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1392-172-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1392-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-190-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2236-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/816-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/816-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2236-224-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1720-229-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1340-238-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2292-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-277-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/1868-282-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1868-287-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2304-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-343-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2704-351-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2824-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-372-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2612-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-406-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1324-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2276-464-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1084-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-605-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1440-642-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2604-653-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2512-700-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1732-707-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2228-720-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2436-727-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2136-734-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/296-760-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/304-790-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/552-798-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1612-829-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2632-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-887-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2804-901-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1096-914-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2652-977-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2352 nbhhhh.exe 1932 vpdpd.exe 1976 9rxxfxl.exe 1924 pjpvv.exe 2180 6088828.exe 2776 c644000.exe 2120 9pjjv.exe 2804 ffrrflx.exe 2576 9ppdj.exe 2200 i806006.exe 2572 08224.exe 3008 u266286.exe 1512 0244624.exe 1952 s2068.exe 2308 dvddj.exe 2004 ppjpd.exe 1724 1rrxfxl.exe 1392 602806.exe 2844 vpvdj.exe 2236 s0468.exe 2144 42402.exe 2876 w00022.exe 816 7frrflx.exe 1720 86884.exe 1340 42628.exe 804 tnbttb.exe 2292 lfrrxxf.exe 552 jdjpv.exe 2224 xxllrfl.exe 1868 rfxfrxl.exe 1944 1tnnbt.exe 1716 4866280.exe 1932 a2684.exe 2304 2062824.exe 2736 o288828.exe 2460 0468624.exe 2280 vvjpv.exe 2768 48662.exe 2704 0862402.exe 2928 vpppv.exe 2824 48282.exe 2148 jdvvj.exe 2616 xrlrxfr.exe 2584 o262446.exe 2564 rfrxflx.exe 1496 2026288.exe 2612 824062.exe 1984 7ttttt.exe 1324 82848.exe 2600 9bhhnt.exe 1816 68446.exe 1568 266244.exe 1400 20822.exe 2800 ddvdp.exe 1768 004022.exe 2276 s8686.exe 576 vpvdd.exe 3016 9htbhn.exe 2152 1rrrxxl.exe 1084 240882.exe 744 3fxxrrx.exe 1684 864028.exe 656 82668.exe 760 464622.exe -
resource yara_rule behavioral1/memory/2988-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-141-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/1952-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-155-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1392-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-317-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2460-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-343-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2704-351-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2824-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-406-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1324-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-464-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/744-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-584-0x0000000001C60000-0x0000000001C8A000-memory.dmp upx behavioral1/memory/1800-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-842-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2452-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-894-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-914-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2892-979-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-1004-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-1029-0x0000000000230000-0x000000000025A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8200224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhhhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 2352 2988 c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe 30 PID 2988 wrote to memory of 2352 2988 c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe 30 PID 2988 wrote to memory of 2352 2988 c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe 30 PID 2988 wrote to memory of 2352 2988 c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe 30 PID 2352 wrote to memory of 1932 2352 nbhhhh.exe 31 PID 2352 wrote to memory of 1932 2352 nbhhhh.exe 31 PID 2352 wrote to memory of 1932 2352 nbhhhh.exe 31 PID 2352 wrote to memory of 1932 2352 nbhhhh.exe 31 PID 1932 wrote to memory of 1976 1932 vpdpd.exe 32 PID 1932 wrote to memory of 1976 1932 vpdpd.exe 32 PID 1932 wrote to memory of 1976 1932 vpdpd.exe 32 PID 1932 wrote to memory of 1976 1932 vpdpd.exe 32 PID 1976 wrote to memory of 1924 1976 9rxxfxl.exe 33 PID 1976 wrote to memory of 1924 1976 9rxxfxl.exe 33 PID 1976 wrote to memory of 1924 1976 9rxxfxl.exe 33 PID 1976 wrote to memory of 1924 1976 9rxxfxl.exe 33 PID 1924 wrote to memory of 2180 1924 pjpvv.exe 34 PID 1924 wrote to memory of 2180 1924 pjpvv.exe 34 PID 1924 wrote to memory of 2180 1924 pjpvv.exe 34 PID 1924 wrote to memory of 2180 1924 pjpvv.exe 34 PID 2180 wrote to memory of 2776 2180 6088828.exe 35 PID 2180 wrote to memory of 2776 2180 6088828.exe 35 PID 2180 wrote to memory of 2776 2180 6088828.exe 35 PID 2180 wrote to memory of 2776 2180 6088828.exe 35 PID 2776 wrote to memory of 2120 2776 c644000.exe 36 PID 2776 wrote to memory of 2120 2776 c644000.exe 36 PID 2776 wrote to memory of 2120 2776 c644000.exe 36 PID 2776 wrote to memory of 2120 2776 c644000.exe 36 PID 2120 wrote to memory of 2804 2120 9pjjv.exe 37 PID 2120 wrote to memory of 2804 2120 9pjjv.exe 37 PID 2120 wrote to memory of 2804 2120 9pjjv.exe 37 PID 2120 wrote to memory of 2804 2120 9pjjv.exe 37 PID 2804 wrote to memory of 2576 2804 ffrrflx.exe 38 PID 2804 
wrote to memory of 2576 2804 ffrrflx.exe 38 PID 2804 wrote to memory of 2576 2804 ffrrflx.exe 38 PID 2804 wrote to memory of 2576 2804 ffrrflx.exe 38 PID 2576 wrote to memory of 2200 2576 9ppdj.exe 39 PID 2576 wrote to memory of 2200 2576 9ppdj.exe 39 PID 2576 wrote to memory of 2200 2576 9ppdj.exe 39 PID 2576 wrote to memory of 2200 2576 9ppdj.exe 39 PID 2200 wrote to memory of 2572 2200 i806006.exe 40 PID 2200 wrote to memory of 2572 2200 i806006.exe 40 PID 2200 wrote to memory of 2572 2200 i806006.exe 40 PID 2200 wrote to memory of 2572 2200 i806006.exe 40 PID 2572 wrote to memory of 3008 2572 08224.exe 41 PID 2572 wrote to memory of 3008 2572 08224.exe 41 PID 2572 wrote to memory of 3008 2572 08224.exe 41 PID 2572 wrote to memory of 3008 2572 08224.exe 41 PID 3008 wrote to memory of 1512 3008 u266286.exe 42 PID 3008 wrote to memory of 1512 3008 u266286.exe 42 PID 3008 wrote to memory of 1512 3008 u266286.exe 42 PID 3008 wrote to memory of 1512 3008 u266286.exe 42 PID 1512 wrote to memory of 1952 1512 0244624.exe 43 PID 1512 wrote to memory of 1952 1512 0244624.exe 43 PID 1512 wrote to memory of 1952 1512 0244624.exe 43 PID 1512 wrote to memory of 1952 1512 0244624.exe 43 PID 1952 wrote to memory of 2308 1952 s2068.exe 44 PID 1952 wrote to memory of 2308 1952 s2068.exe 44 PID 1952 wrote to memory of 2308 1952 s2068.exe 44 PID 1952 wrote to memory of 2308 1952 s2068.exe 44 PID 2308 wrote to memory of 2004 2308 dvddj.exe 45 PID 2308 wrote to memory of 2004 2308 dvddj.exe 45 PID 2308 wrote to memory of 2004 2308 dvddj.exe 45 PID 2308 wrote to memory of 2004 2308 dvddj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe"C:\Users\Admin\AppData\Local\Temp\c24d6c82104c978c9be1e3cf61a3a21f580cb6cc2b29f2c868fe7a3cb9d52de3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\nbhhhh.exec:\nbhhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\vpdpd.exec:\vpdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\9rxxfxl.exec:\9rxxfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\pjpvv.exec:\pjpvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\6088828.exec:\6088828.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\c644000.exec:\c644000.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\9pjjv.exec:\9pjjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\ffrrflx.exec:\ffrrflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\9ppdj.exec:\9ppdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\i806006.exec:\i806006.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\08224.exec:\08224.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\u266286.exec:\u266286.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\0244624.exec:\0244624.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\s2068.exec:\s2068.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\dvddj.exec:\dvddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\ppjpd.exec:\ppjpd.exe17⤵
- Executes dropped EXE
PID:2004 -
\??\c:\1rrxfxl.exec:\1rrxfxl.exe18⤵
- Executes dropped EXE
PID:1724 -
\??\c:\602806.exec:\602806.exe19⤵
- Executes dropped EXE
PID:1392 -
\??\c:\vpvdj.exec:\vpvdj.exe20⤵
- Executes dropped EXE
PID:2844 -
\??\c:\s0468.exec:\s0468.exe21⤵
- Executes dropped EXE
PID:2236 -
\??\c:\42402.exec:\42402.exe22⤵
- Executes dropped EXE
PID:2144 -
\??\c:\w00022.exec:\w00022.exe23⤵
- Executes dropped EXE
PID:2876 -
\??\c:\7frrflx.exec:\7frrflx.exe24⤵
- Executes dropped EXE
PID:816 -
\??\c:\86884.exec:\86884.exe25⤵
- Executes dropped EXE
PID:1720 -
\??\c:\42628.exec:\42628.exe26⤵
- Executes dropped EXE
PID:1340 -
\??\c:\tnbttb.exec:\tnbttb.exe27⤵
- Executes dropped EXE
PID:804 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe28⤵
- Executes dropped EXE
PID:2292 -
\??\c:\jdjpv.exec:\jdjpv.exe29⤵
- Executes dropped EXE
PID:552 -
\??\c:\xxllrfl.exec:\xxllrfl.exe30⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rfxfrxl.exec:\rfxfrxl.exe31⤵
- Executes dropped EXE
PID:1868 -
\??\c:\1tnnbt.exec:\1tnnbt.exe32⤵
- Executes dropped EXE
PID:1944 -
\??\c:\4866280.exec:\4866280.exe33⤵
- Executes dropped EXE
PID:1716 -
\??\c:\a2684.exec:\a2684.exe34⤵
- Executes dropped EXE
PID:1932 -
\??\c:\2062824.exec:\2062824.exe35⤵
- Executes dropped EXE
PID:2304 -
\??\c:\o288828.exec:\o288828.exe36⤵
- Executes dropped EXE
PID:2736 -
\??\c:\0468624.exec:\0468624.exe37⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vvjpv.exec:\vvjpv.exe38⤵
- Executes dropped EXE
PID:2280 -
\??\c:\48662.exec:\48662.exe39⤵
- Executes dropped EXE
PID:2768 -
\??\c:\0862402.exec:\0862402.exe40⤵
- Executes dropped EXE
PID:2704 -
\??\c:\vpppv.exec:\vpppv.exe41⤵
- Executes dropped EXE
PID:2928 -
\??\c:\48282.exec:\48282.exe42⤵
- Executes dropped EXE
PID:2824 -
\??\c:\jdvvj.exec:\jdvvj.exe43⤵
- Executes dropped EXE
PID:2148 -
\??\c:\xrlrxfr.exec:\xrlrxfr.exe44⤵
- Executes dropped EXE
PID:2616 -
\??\c:\o262446.exec:\o262446.exe45⤵
- Executes dropped EXE
PID:2584 -
\??\c:\rfrxflx.exec:\rfrxflx.exe46⤵
- Executes dropped EXE
PID:2564 -
\??\c:\2026288.exec:\2026288.exe47⤵
- Executes dropped EXE
PID:1496 -
\??\c:\824062.exec:\824062.exe48⤵
- Executes dropped EXE
PID:2612 -
\??\c:\7ttttt.exec:\7ttttt.exe49⤵
- Executes dropped EXE
PID:1984 -
\??\c:\82848.exec:\82848.exe50⤵
- Executes dropped EXE
PID:1324 -
\??\c:\9bhhnt.exec:\9bhhnt.exe51⤵
- Executes dropped EXE
PID:2600 -
\??\c:\68446.exec:\68446.exe52⤵
- Executes dropped EXE
PID:1816 -
\??\c:\266244.exec:\266244.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568 -
\??\c:\20822.exec:\20822.exe54⤵
- Executes dropped EXE
PID:1400 -
\??\c:\ddvdp.exec:\ddvdp.exe55⤵
- Executes dropped EXE
PID:2800 -
\??\c:\004022.exec:\004022.exe56⤵
- Executes dropped EXE
PID:1768 -
\??\c:\s8686.exec:\s8686.exe57⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vpvdd.exec:\vpvdd.exe58⤵
- Executes dropped EXE
PID:576 -
\??\c:\9htbhn.exec:\9htbhn.exe59⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1rrrxxl.exec:\1rrrxxl.exe60⤵
- Executes dropped EXE
PID:2152 -
\??\c:\240882.exec:\240882.exe61⤵
- Executes dropped EXE
PID:1084 -
\??\c:\3fxxrrx.exec:\3fxxrrx.exe62⤵
- Executes dropped EXE
PID:744 -
\??\c:\864028.exec:\864028.exe63⤵
- Executes dropped EXE
PID:1684 -
\??\c:\82668.exec:\82668.exe64⤵
- Executes dropped EXE
PID:656 -
\??\c:\464622.exec:\464622.exe65⤵
- Executes dropped EXE
PID:760 -
\??\c:\dvppd.exec:\dvppd.exe66⤵PID:1504
-
\??\c:\lllxrll.exec:\lllxrll.exe67⤵PID:1028
-
\??\c:\nhbtnt.exec:\nhbtnt.exe68⤵PID:568
-
\??\c:\i248840.exec:\i248840.exe69⤵PID:888
-
\??\c:\nnhthn.exec:\nnhthn.exe70⤵PID:2220
-
\??\c:\9xlrxfl.exec:\9xlrxfl.exe71⤵PID:2400
-
\??\c:\fxffrxl.exec:\fxffrxl.exe72⤵PID:2352
-
\??\c:\24662.exec:\24662.exe73⤵PID:284
-
\??\c:\jddjp.exec:\jddjp.exe74⤵PID:2516
-
\??\c:\2206840.exec:\2206840.exe75⤵PID:1932
-
\??\c:\7tnbhn.exec:\7tnbhn.exe76⤵PID:1800
-
\??\c:\hbhbhh.exec:\hbhbhh.exe77⤵PID:2736
-
\??\c:\3bbntb.exec:\3bbntb.exe78⤵PID:2084
-
\??\c:\468288.exec:\468288.exe79⤵PID:2744
-
\??\c:\1rlrxrx.exec:\1rlrxrx.exe80⤵PID:2760
-
\??\c:\o228402.exec:\o228402.exe81⤵PID:2164
-
\??\c:\8688068.exec:\8688068.exe82⤵PID:1440
-
\??\c:\6244044.exec:\6244044.exe83⤵PID:2888
-
\??\c:\082244.exec:\082244.exe84⤵PID:3036
-
\??\c:\86686.exec:\86686.exe85⤵PID:2556
-
\??\c:\vpjjd.exec:\vpjjd.exe86⤵PID:2624
-
\??\c:\hthntt.exec:\hthntt.exe87⤵PID:2604
-
\??\c:\9pjdj.exec:\9pjdj.exe88⤵PID:3032
-
\??\c:\o200006.exec:\o200006.exe89⤵PID:1808
-
\??\c:\g8000.exec:\g8000.exe90⤵PID:1512
-
\??\c:\bttnbb.exec:\bttnbb.exe91⤵PID:2512
-
\??\c:\nbbbbb.exec:\nbbbbb.exe92⤵PID:1876
-
\??\c:\bnttbb.exec:\bnttbb.exe93⤵PID:1696
-
\??\c:\2660040.exec:\2660040.exe94⤵PID:1816
-
\??\c:\frfflff.exec:\frfflff.exe95⤵PID:1732
-
\??\c:\m8046.exec:\m8046.exe96⤵PID:848
-
\??\c:\bnbbbt.exec:\bnbbbt.exe97⤵PID:2228
-
\??\c:\rfrrllx.exec:\rfrrllx.exe98⤵PID:2436
-
\??\c:\u028640.exec:\u028640.exe99⤵PID:2136
-
\??\c:\lxllxrr.exec:\lxllxrr.exe100⤵PID:1832
-
\??\c:\rflllfl.exec:\rflllfl.exe101⤵PID:1660
-
\??\c:\044682.exec:\044682.exe102⤵PID:816
-
\??\c:\24604.exec:\24604.exe103⤵PID:296
-
\??\c:\xllxxrr.exec:\xllxxrr.exe104⤵PID:632
-
\??\c:\86862.exec:\86862.exe105⤵PID:2792
-
\??\c:\84422.exec:\84422.exe106⤵PID:532
-
\??\c:\s2006.exec:\s2006.exe107⤵PID:2424
-
\??\c:\8466600.exec:\8466600.exe108⤵PID:304
-
\??\c:\htnhhb.exec:\htnhhb.exe109⤵PID:552
-
\??\c:\a6004.exec:\a6004.exe110⤵PID:2968
-
\??\c:\dpvvd.exec:\dpvvd.exe111⤵PID:1948
-
\??\c:\w68840.exec:\w68840.exe112⤵PID:536
-
\??\c:\vdjdd.exec:\vdjdd.exe113⤵PID:2492
-
\??\c:\jpdvv.exec:\jpdvv.exe114⤵
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\68000.exec:\68000.exe115⤵PID:2052
-
\??\c:\btnhtt.exec:\btnhtt.exe116⤵PID:2632
-
\??\c:\2084422.exec:\2084422.exe117⤵PID:2832
-
\??\c:\jpvpp.exec:\jpvpp.exe118⤵PID:2680
-
\??\c:\8460444.exec:\8460444.exe119⤵PID:2752
-
\??\c:\684460.exec:\684460.exe120⤵PID:2452
-
\??\c:\w24004.exec:\w24004.exe121⤵PID:2656
-
\??\c:\nhnntn.exec:\nhnntn.exe122⤵PID:2676