Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 20:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe
-
Size
454KB
-
MD5
5e9f8627fa3247bac4b5baf04abc1a15
-
SHA1
4aba5c64b3bcb437ad6247980568a588374910ae
-
SHA256
24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9
-
SHA512
3371dbf0a77aabd8808df57dfac37afd95cf362c7cc0843c84f127859e0cdf0234ef3512c0aa5dfedeba5b528522803dd1f322f3770c8d45b7c52b95c392302a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 59 IoCs
resource yara_rule behavioral1/memory/2028-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-81-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-150-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1864-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-214-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1844-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-225-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1784-237-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1808-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2460-274-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1164-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-340-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2848-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-384-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/640-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-492-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2480-495-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/612-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-661-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2160-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2952-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-702-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2204-715-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2184-725-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2436-729-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/700-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-802-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1728-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-842-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2732-900-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1144-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-1049-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3008-1104-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2664-1156-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2452-1162-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-1159-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2008-1220-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2992 pdjdp.exe 2556 9frlxfl.exe 2660 bntntn.exe 2056 xrxffrl.exe 2780 jpvjj.exe 2736 lxlffxf.exe 2808 9btttb.exe 2912 dpdjp.exe 2752 rllfffl.exe 2592 nbnnnt.exe 2160 dvpdv.exe 1020 rrrfrxf.exe 1684 9jddj.exe 772 jdpvv.exe 1600 1htnbb.exe 1864 dvdpv.exe 348 rfxfrrx.exe 2972 nhtthh.exe 2232 3ppvv.exe 2620 xlrlrrr.exe 1960 bntnnh.exe 2968 fxrlfrx.exe 928 hbhntt.exe 1844 nbtbhh.exe 900 9jdvj.exe 1784 hthntb.exe 1468 jvjdj.exe 1808 xlrrflr.exe 568 nnbhnt.exe 2460 dpvvj.exe 1872 9bnntt.exe 3036 dvddj.exe 796 lfrxllf.exe 1508 tntntn.exe 1164 tnbnnt.exe 836 3jpdd.exe 1296 xrlrrxl.exe 2688 xlxlllf.exe 2800 bnttbh.exe 2780 jvddj.exe 2848 rrllrrf.exe 2948 7flxxfl.exe 2604 bnbhhn.exe 2912 pdpvv.exe 2632 vppvd.exe 2656 rflllrr.exe 2700 bntntt.exe 640 pvvjd.exe 2880 ddjpd.exe 2032 xfxxxxf.exe 340 5nbbbh.exe 1600 9bttnn.exe 2052 ddvdp.exe 336 rfrrxrf.exe 2668 3llxflx.exe 2760 nnbbbb.exe 2376 dvjjp.exe 2232 pjpjj.exe 908 3fffxfr.exe 1228 ththtb.exe 1656 dpppv.exe 1572 5ffxflr.exe 2480 lfxflrr.exe 612 thbbhh.exe -
resource yara_rule behavioral1/memory/2028-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-81-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2592-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-274-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/796-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2848-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-384-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/640-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-481-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/908-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-596-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2840-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-715-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/700-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-881-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2696-907-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/1144-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-1049-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2248-1068-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-1104-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/564-1227-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxfxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrflx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 2992 2028 24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe 31 PID 2028 wrote to memory of 2992 2028 24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe 31 PID 2028 wrote to memory of 2992 2028 24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe 31 PID 2028 wrote to memory of 2992 2028 24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe 31 PID 2992 wrote to memory of 2556 2992 pdjdp.exe 32 PID 2992 wrote to memory of 2556 2992 pdjdp.exe 32 PID 2992 wrote to memory of 2556 2992 pdjdp.exe 32 PID 2992 wrote to memory of 2556 2992 pdjdp.exe 32 PID 2556 wrote to memory of 2660 2556 9frlxfl.exe 33 PID 2556 wrote to memory of 2660 2556 9frlxfl.exe 33 PID 2556 wrote to memory of 2660 2556 9frlxfl.exe 33 PID 2556 wrote to memory of 2660 2556 9frlxfl.exe 33 PID 2660 wrote to memory of 2056 2660 bntntn.exe 34 PID 2660 wrote to memory of 2056 2660 bntntn.exe 34 PID 2660 wrote to memory of 2056 2660 bntntn.exe 34 PID 2660 wrote to memory of 2056 2660 bntntn.exe 34 PID 2056 wrote to memory of 2780 2056 xrxffrl.exe 35 PID 2056 wrote to memory of 2780 2056 xrxffrl.exe 35 PID 2056 wrote to memory of 2780 2056 xrxffrl.exe 35 PID 2056 wrote to memory of 2780 2056 xrxffrl.exe 35 PID 2780 wrote to memory of 2736 2780 jpvjj.exe 36 PID 2780 wrote to memory of 2736 2780 jpvjj.exe 36 PID 2780 wrote to memory of 2736 2780 jpvjj.exe 36 PID 2780 wrote to memory of 2736 2780 jpvjj.exe 36 PID 2736 wrote to memory of 2808 2736 lxlffxf.exe 37 PID 2736 wrote to memory of 2808 2736 lxlffxf.exe 37 PID 2736 wrote to memory of 2808 2736 lxlffxf.exe 37 PID 2736 wrote to memory of 2808 2736 lxlffxf.exe 37 PID 2808 wrote to memory of 2912 2808 9btttb.exe 38 PID 2808 wrote to memory of 2912 2808 9btttb.exe 38 PID 2808 wrote to memory of 2912 2808 9btttb.exe 38 PID 2808 wrote to memory of 2912 2808 9btttb.exe 38 PID 2912 wrote to memory of 2752 2912 dpdjp.exe 39 PID 2912 
wrote to memory of 2752 2912 dpdjp.exe 39 PID 2912 wrote to memory of 2752 2912 dpdjp.exe 39 PID 2912 wrote to memory of 2752 2912 dpdjp.exe 39 PID 2752 wrote to memory of 2592 2752 rllfffl.exe 40 PID 2752 wrote to memory of 2592 2752 rllfffl.exe 40 PID 2752 wrote to memory of 2592 2752 rllfffl.exe 40 PID 2752 wrote to memory of 2592 2752 rllfffl.exe 40 PID 2592 wrote to memory of 2160 2592 nbnnnt.exe 41 PID 2592 wrote to memory of 2160 2592 nbnnnt.exe 41 PID 2592 wrote to memory of 2160 2592 nbnnnt.exe 41 PID 2592 wrote to memory of 2160 2592 nbnnnt.exe 41 PID 2160 wrote to memory of 1020 2160 dvpdv.exe 42 PID 2160 wrote to memory of 1020 2160 dvpdv.exe 42 PID 2160 wrote to memory of 1020 2160 dvpdv.exe 42 PID 2160 wrote to memory of 1020 2160 dvpdv.exe 42 PID 1020 wrote to memory of 1684 1020 rrrfrxf.exe 43 PID 1020 wrote to memory of 1684 1020 rrrfrxf.exe 43 PID 1020 wrote to memory of 1684 1020 rrrfrxf.exe 43 PID 1020 wrote to memory of 1684 1020 rrrfrxf.exe 43 PID 1684 wrote to memory of 772 1684 9jddj.exe 44 PID 1684 wrote to memory of 772 1684 9jddj.exe 44 PID 1684 wrote to memory of 772 1684 9jddj.exe 44 PID 1684 wrote to memory of 772 1684 9jddj.exe 44 PID 772 wrote to memory of 1600 772 jdpvv.exe 45 PID 772 wrote to memory of 1600 772 jdpvv.exe 45 PID 772 wrote to memory of 1600 772 jdpvv.exe 45 PID 772 wrote to memory of 1600 772 jdpvv.exe 45 PID 1600 wrote to memory of 1864 1600 1htnbb.exe 46 PID 1600 wrote to memory of 1864 1600 1htnbb.exe 46 PID 1600 wrote to memory of 1864 1600 1htnbb.exe 46 PID 1600 wrote to memory of 1864 1600 1htnbb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe"C:\Users\Admin\AppData\Local\Temp\24fb884202a321cd47a0c14b05c89e3d63b4dbb96ab5fcef993e9816be823fc9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\pdjdp.exec:\pdjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\9frlxfl.exec:\9frlxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\bntntn.exec:\bntntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\xrxffrl.exec:\xrxffrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\jpvjj.exec:\jpvjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\lxlffxf.exec:\lxlffxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\9btttb.exec:\9btttb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\dpdjp.exec:\dpdjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\rllfffl.exec:\rllfffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\nbnnnt.exec:\nbnnnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\dvpdv.exec:\dvpdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\rrrfrxf.exec:\rrrfrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\9jddj.exec:\9jddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\jdpvv.exec:\jdpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\1htnbb.exec:\1htnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\dvdpv.exec:\dvdpv.exe17⤵
- Executes dropped EXE
PID:1864 -
\??\c:\rfxfrrx.exec:\rfxfrrx.exe18⤵
- Executes dropped EXE
PID:348 -
\??\c:\nhtthh.exec:\nhtthh.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\3ppvv.exec:\3ppvv.exe20⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xlrlrrr.exec:\xlrlrrr.exe21⤵
- Executes dropped EXE
PID:2620 -
\??\c:\bntnnh.exec:\bntnnh.exe22⤵
- Executes dropped EXE
PID:1960 -
\??\c:\fxrlfrx.exec:\fxrlfrx.exe23⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hbhntt.exec:\hbhntt.exe24⤵
- Executes dropped EXE
PID:928 -
\??\c:\nbtbhh.exec:\nbtbhh.exe25⤵
- Executes dropped EXE
PID:1844 -
\??\c:\9jdvj.exec:\9jdvj.exe26⤵
- Executes dropped EXE
PID:900 -
\??\c:\hthntb.exec:\hthntb.exe27⤵
- Executes dropped EXE
PID:1784 -
\??\c:\jvjdj.exec:\jvjdj.exe28⤵
- Executes dropped EXE
PID:1468 -
\??\c:\xlrrflr.exec:\xlrrflr.exe29⤵
- Executes dropped EXE
PID:1808 -
\??\c:\nnbhnt.exec:\nnbhnt.exe30⤵
- Executes dropped EXE
PID:568 -
\??\c:\dpvvj.exec:\dpvvj.exe31⤵
- Executes dropped EXE
PID:2460 -
\??\c:\9bnntt.exec:\9bnntt.exe32⤵
- Executes dropped EXE
PID:1872 -
\??\c:\dvddj.exec:\dvddj.exe33⤵
- Executes dropped EXE
PID:3036 -
\??\c:\lfrxllf.exec:\lfrxllf.exe34⤵
- Executes dropped EXE
PID:796 -
\??\c:\tntntn.exec:\tntntn.exe35⤵
- Executes dropped EXE
PID:1508 -
\??\c:\tnbnnt.exec:\tnbnnt.exe36⤵
- Executes dropped EXE
PID:1164 -
\??\c:\3jpdd.exec:\3jpdd.exe37⤵
- Executes dropped EXE
PID:836 -
\??\c:\xrlrrxl.exec:\xrlrrxl.exe38⤵
- Executes dropped EXE
PID:1296 -
\??\c:\xlxlllf.exec:\xlxlllf.exe39⤵
- Executes dropped EXE
PID:2688 -
\??\c:\bnttbh.exec:\bnttbh.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jvddj.exec:\jvddj.exe41⤵
- Executes dropped EXE
PID:2780 -
\??\c:\rrllrrf.exec:\rrllrrf.exe42⤵
- Executes dropped EXE
PID:2848 -
\??\c:\7flxxfl.exec:\7flxxfl.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
\??\c:\bnbhhn.exec:\bnbhhn.exe44⤵
- Executes dropped EXE
PID:2604 -
\??\c:\pdpvv.exec:\pdpvv.exe45⤵
- Executes dropped EXE
PID:2912 -
\??\c:\vppvd.exec:\vppvd.exe46⤵
- Executes dropped EXE
PID:2632 -
\??\c:\rflllrr.exec:\rflllrr.exe47⤵
- Executes dropped EXE
PID:2656 -
\??\c:\bntntt.exec:\bntntt.exe48⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pvvjd.exec:\pvvjd.exe49⤵
- Executes dropped EXE
PID:640 -
\??\c:\ddjpd.exec:\ddjpd.exe50⤵
- Executes dropped EXE
PID:2880 -
\??\c:\xfxxxxf.exec:\xfxxxxf.exe51⤵
- Executes dropped EXE
PID:2032 -
\??\c:\5nbbbh.exec:\5nbbbh.exe52⤵
- Executes dropped EXE
PID:340 -
\??\c:\9bttnn.exec:\9bttnn.exe53⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ddvdp.exec:\ddvdp.exe54⤵
- Executes dropped EXE
PID:2052 -
\??\c:\rfrrxrf.exec:\rfrrxrf.exe55⤵
- Executes dropped EXE
PID:336 -
\??\c:\3llxflx.exec:\3llxflx.exe56⤵
- Executes dropped EXE
PID:2668 -
\??\c:\nnbbbb.exec:\nnbbbb.exe57⤵
- Executes dropped EXE
PID:2760 -
\??\c:\dvjjp.exec:\dvjjp.exe58⤵
- Executes dropped EXE
PID:2376 -
\??\c:\pjpjj.exec:\pjpjj.exe59⤵
- Executes dropped EXE
PID:2232 -
\??\c:\3fffxfr.exec:\3fffxfr.exe60⤵
- Executes dropped EXE
PID:908 -
\??\c:\ththtb.exec:\ththtb.exe61⤵
- Executes dropped EXE
PID:1228 -
\??\c:\dpppv.exec:\dpppv.exe62⤵
- Executes dropped EXE
PID:1656 -
\??\c:\5ffxflr.exec:\5ffxflr.exe63⤵
- Executes dropped EXE
PID:1572 -
\??\c:\lfxflrr.exec:\lfxflrr.exe64⤵
- Executes dropped EXE
PID:2480 -
\??\c:\thbbhh.exec:\thbbhh.exe65⤵
- Executes dropped EXE
PID:612 -
\??\c:\jdpjp.exec:\jdpjp.exe66⤵PID:276
-
\??\c:\pdvdj.exec:\pdvdj.exe67⤵PID:1584
-
\??\c:\xlxrffl.exec:\xlxrffl.exe68⤵PID:3012
-
\??\c:\tnnthn.exec:\tnnthn.exe69⤵PID:800
-
\??\c:\thbbhh.exec:\thbbhh.exe70⤵PID:1808
-
\??\c:\ddppp.exec:\ddppp.exe71⤵PID:944
-
\??\c:\djpvp.exec:\djpvp.exe72⤵PID:2404
-
\??\c:\7lxxfll.exec:\7lxxfll.exe73⤵PID:2088
-
\??\c:\1hbbbh.exec:\1hbbbh.exe74⤵PID:1404
-
\??\c:\vpvdj.exec:\vpvdj.exe75⤵PID:2392
-
\??\c:\1dppj.exec:\1dppj.exe76⤵PID:2124
-
\??\c:\fxxxffl.exec:\fxxxffl.exe77⤵PID:1620
-
\??\c:\9nttbt.exec:\9nttbt.exe78⤵PID:2216
-
\??\c:\hbhbhn.exec:\hbhbhn.exe79⤵PID:2556
-
\??\c:\jdvdp.exec:\jdvdp.exe80⤵
- System Location Discovery: System Language Discovery
PID:2024 -
\??\c:\xrffllx.exec:\xrffllx.exe81⤵PID:2728
-
\??\c:\thbbbn.exec:\thbbbn.exe82⤵PID:2056
-
\??\c:\bnbbtt.exec:\bnbbtt.exe83⤵PID:2784
-
\??\c:\dvpdj.exec:\dvpdj.exe84⤵PID:2696
-
\??\c:\xlfxffl.exec:\xlfxffl.exe85⤵PID:1624
-
\??\c:\tnhhtb.exec:\tnhhtb.exe86⤵PID:2840
-
\??\c:\7tbbbb.exec:\7tbbbb.exe87⤵PID:2600
-
\??\c:\7dvpp.exec:\7dvpp.exe88⤵PID:2580
-
\??\c:\rlxflff.exec:\rlxflff.exe89⤵PID:2156
-
\??\c:\btbbnn.exec:\btbbnn.exe90⤵PID:2160
-
\??\c:\7hbntt.exec:\7hbntt.exe91⤵PID:1536
-
\??\c:\ppjdj.exec:\ppjdj.exe92⤵PID:2952
-
\??\c:\lfrrxff.exec:\lfrrxff.exe93⤵PID:1444
-
\??\c:\fxlflrl.exec:\fxlflrl.exe94⤵PID:2920
-
\??\c:\nbnbbh.exec:\nbnbbh.exe95⤵PID:1428
-
\??\c:\pdjjp.exec:\pdjjp.exe96⤵PID:1644
-
\??\c:\vpvjj.exec:\vpvjj.exe97⤵PID:1348
-
\??\c:\rrllxxl.exec:\rrllxxl.exe98⤵PID:2204
-
\??\c:\tnhthh.exec:\tnhthh.exe99⤵PID:2184
-
\??\c:\pdpdp.exec:\pdpdp.exe100⤵PID:2436
-
\??\c:\vpjjp.exec:\vpjjp.exe101⤵PID:2256
-
\??\c:\5xxrxxl.exec:\5xxrxxl.exe102⤵PID:1224
-
\??\c:\hbtnhh.exec:\hbtnhh.exe103⤵PID:1212
-
\??\c:\hbntbt.exec:\hbntbt.exe104⤵PID:700
-
\??\c:\jvjdv.exec:\jvjdv.exe105⤵PID:1880
-
\??\c:\xrfrxlx.exec:\xrfrxlx.exe106⤵PID:1868
-
\??\c:\fxxfxxl.exec:\fxxfxxl.exe107⤵PID:324
-
\??\c:\nbttbb.exec:\nbttbb.exe108⤵PID:792
-
\??\c:\vjjdd.exec:\vjjdd.exe109⤵PID:3024
-
\??\c:\xlxfflx.exec:\xlxfflx.exe110⤵PID:2932
-
\??\c:\1lrrrxf.exec:\1lrrrxf.exe111⤵PID:596
-
\??\c:\hbbbnn.exec:\hbbbnn.exe112⤵PID:1672
-
\??\c:\pdpvd.exec:\pdpvd.exe113⤵PID:1728
-
\??\c:\5djdp.exec:\5djdp.exe114⤵PID:2300
-
\??\c:\frfxffl.exec:\frfxffl.exe115⤵PID:1944
-
\??\c:\tnhnbb.exec:\tnhnbb.exe116⤵PID:2028
-
\??\c:\3tnttt.exec:\3tnttt.exe117⤵PID:3036
-
\??\c:\jdddv.exec:\jdddv.exe118⤵PID:1616
-
\??\c:\9lflrrx.exec:\9lflrrx.exe119⤵PID:1512
-
\??\c:\nntbtt.exec:\nntbtt.exe120⤵PID:2980
-
\??\c:\1tntbn.exec:\1tntbn.exe121⤵PID:2216
-
\??\c:\dvdjp.exec:\dvdjp.exe122⤵PID:2672