Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 01:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe
-
Size
454KB
-
MD5
a283e376125e3a47c88b2e7c1d5f6c4e
-
SHA1
ead8f9437a61757c2da005fcc3570ea1c36e30e2
-
SHA256
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c
-
SHA512
14b4f957f96c71423ab2c757e12a9cc5342d9c9eeaa6e13458efb2284c868a463e0b0a09b133f4e28c32cf97268be81e5e7734d39df652e62387dcb6e7ba468d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1R:q7Tc2NYHUrAwfMp3CD1R
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2500-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2640-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-92-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-129-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2488-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-213-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/1044-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-378-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2588-389-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2588-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-432-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2784-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-459-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1712-472-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-523-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2472-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2868-626-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2064-841-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1588-872-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2512 rlxfllx.exe 2928 7hthnb.exe 2556 pjjdp.exe 2216 xfffxfr.exe 2848 btbhnt.exe 2740 5jpdv.exe 1484 5vdvp.exe 2612 rrlrffx.exe 2640 vpvvd.exe 2648 tttbnt.exe 2188 pjpjj.exe 1196 rrlrfrx.exe 1272 ppjjv.exe 1336 7tntnb.exe 2488 3jppp.exe 2120 hhhnhh.exe 3000 vpjdj.exe 3012 nnhnhn.exe 2200 3pddj.exe 2104 rlfrxfx.exe 1628 djdjd.exe 1072 bbbhbb.exe 1892 vpdpd.exe 1044 jdvjj.exe 2544 7frxflr.exe 1096 ttntnn.exe 1940 jdppj.exe 1084 llxfrrf.exe 2196 nhtttt.exe 1056 pjjjp.exe 2456 fxlflfr.exe 2036 7djjj.exe 2520 xfflllx.exe 1548 htntbh.exe 2392 jpvjv.exe 2124 rlfrrxf.exe 2216 xxfrxxl.exe 2876 bthnhn.exe 2868 9dpdj.exe 2712 5frrxxf.exe 2084 llxrfrx.exe 2620 tttbbh.exe 2796 jdvpj.exe 2916 djdjd.exe 1872 xlxxxfl.exe 2588 3htnnt.exe 2644 thtnbh.exe 2800 dvvdp.exe 2904 5fxfrrx.exe 1524 3hnnnt.exe 2808 5bttbb.exe 2784 9jdvp.exe 2376 rlxfxlr.exe 1296 bnbbhh.exe 1752 bbbbbb.exe 3012 jdvvd.exe 2240 xrlrffr.exe 1712 1tntnt.exe 2484 7nbbhb.exe 2144 5jjpp.exe 2244 1rrxflx.exe 1132 9xrlflx.exe 1328 9tttbh.exe 1044 9jpdd.exe -
resource yara_rule behavioral1/memory/2500-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2216-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-1033-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-1239-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ddvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2512 2500 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 30 PID 2500 wrote to memory of 2512 2500 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 30 PID 2500 wrote to memory of 2512 2500 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 30 PID 2500 wrote to memory of 2512 2500 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 30 PID 2512 wrote to memory of 2928 2512 rlxfllx.exe 31 PID 2512 wrote to memory of 2928 2512 rlxfllx.exe 31 PID 2512 wrote to memory of 2928 2512 rlxfllx.exe 31 PID 2512 wrote to memory of 2928 2512 rlxfllx.exe 31 PID 2928 wrote to memory of 2556 2928 7hthnb.exe 32 PID 2928 wrote to memory of 2556 2928 7hthnb.exe 32 PID 2928 wrote to memory of 2556 2928 7hthnb.exe 32 PID 2928 wrote to memory of 2556 2928 7hthnb.exe 32 PID 2556 wrote to memory of 2216 2556 pjjdp.exe 33 PID 2556 wrote to memory of 2216 2556 pjjdp.exe 33 PID 2556 wrote to memory of 2216 2556 pjjdp.exe 33 PID 2556 wrote to memory of 2216 2556 pjjdp.exe 33 PID 2216 wrote to memory of 2848 2216 xfffxfr.exe 34 PID 2216 wrote to memory of 2848 2216 xfffxfr.exe 34 PID 2216 wrote to memory of 2848 2216 xfffxfr.exe 34 PID 2216 wrote to memory of 2848 2216 xfffxfr.exe 34 PID 2848 wrote to memory of 2740 2848 btbhnt.exe 35 PID 2848 wrote to memory of 2740 2848 btbhnt.exe 35 PID 2848 wrote to memory of 2740 2848 btbhnt.exe 35 PID 2848 wrote to memory of 2740 2848 btbhnt.exe 35 PID 2740 wrote to memory of 1484 2740 5jpdv.exe 36 PID 2740 wrote to memory of 1484 2740 5jpdv.exe 36 PID 2740 wrote to memory of 1484 2740 5jpdv.exe 36 PID 2740 wrote to memory of 1484 2740 5jpdv.exe 36 PID 1484 wrote to memory of 2612 1484 5vdvp.exe 37 PID 1484 wrote to memory of 2612 1484 5vdvp.exe 37 PID 1484 wrote to memory of 2612 1484 5vdvp.exe 37 PID 1484 wrote to memory of 2612 1484 5vdvp.exe 37 PID 2612 wrote to memory of 2640 2612 rrlrffx.exe 38 PID 2612 wrote 
to memory of 2640 2612 rrlrffx.exe 38 PID 2612 wrote to memory of 2640 2612 rrlrffx.exe 38 PID 2612 wrote to memory of 2640 2612 rrlrffx.exe 38 PID 2640 wrote to memory of 2648 2640 vpvvd.exe 39 PID 2640 wrote to memory of 2648 2640 vpvvd.exe 39 PID 2640 wrote to memory of 2648 2640 vpvvd.exe 39 PID 2640 wrote to memory of 2648 2640 vpvvd.exe 39 PID 2648 wrote to memory of 2188 2648 tttbnt.exe 40 PID 2648 wrote to memory of 2188 2648 tttbnt.exe 40 PID 2648 wrote to memory of 2188 2648 tttbnt.exe 40 PID 2648 wrote to memory of 2188 2648 tttbnt.exe 40 PID 2188 wrote to memory of 1196 2188 pjpjj.exe 41 PID 2188 wrote to memory of 1196 2188 pjpjj.exe 41 PID 2188 wrote to memory of 1196 2188 pjpjj.exe 41 PID 2188 wrote to memory of 1196 2188 pjpjj.exe 41 PID 1196 wrote to memory of 1272 1196 rrlrfrx.exe 42 PID 1196 wrote to memory of 1272 1196 rrlrfrx.exe 42 PID 1196 wrote to memory of 1272 1196 rrlrfrx.exe 42 PID 1196 wrote to memory of 1272 1196 rrlrfrx.exe 42 PID 1272 wrote to memory of 1336 1272 ppjjv.exe 43 PID 1272 wrote to memory of 1336 1272 ppjjv.exe 43 PID 1272 wrote to memory of 1336 1272 ppjjv.exe 43 PID 1272 wrote to memory of 1336 1272 ppjjv.exe 43 PID 1336 wrote to memory of 2488 1336 7tntnb.exe 44 PID 1336 wrote to memory of 2488 1336 7tntnb.exe 44 PID 1336 wrote to memory of 2488 1336 7tntnb.exe 44 PID 1336 wrote to memory of 2488 1336 7tntnb.exe 44 PID 2488 wrote to memory of 2120 2488 3jppp.exe 45 PID 2488 wrote to memory of 2120 2488 3jppp.exe 45 PID 2488 wrote to memory of 2120 2488 3jppp.exe 45 PID 2488 wrote to memory of 2120 2488 3jppp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe"C:\Users\Admin\AppData\Local\Temp\abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\rlxfllx.exec:\rlxfllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\7hthnb.exec:\7hthnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\pjjdp.exec:\pjjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\xfffxfr.exec:\xfffxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\btbhnt.exec:\btbhnt.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\5jpdv.exec:\5jpdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\5vdvp.exec:\5vdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\rrlrffx.exec:\rrlrffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\vpvvd.exec:\vpvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\tttbnt.exec:\tttbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\pjpjj.exec:\pjpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\rrlrfrx.exec:\rrlrfrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\ppjjv.exec:\ppjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\7tntnb.exec:\7tntnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\3jppp.exec:\3jppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\hhhnhh.exec:\hhhnhh.exe17⤵
- Executes dropped EXE
PID:2120 -
\??\c:\vpjdj.exec:\vpjdj.exe18⤵
- Executes dropped EXE
PID:3000 -
\??\c:\nnhnhn.exec:\nnhnhn.exe19⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3pddj.exec:\3pddj.exe20⤵
- Executes dropped EXE
PID:2200 -
\??\c:\rlfrxfx.exec:\rlfrxfx.exe21⤵
- Executes dropped EXE
PID:2104 -
\??\c:\djdjd.exec:\djdjd.exe22⤵
- Executes dropped EXE
PID:1628 -
\??\c:\bbbhbb.exec:\bbbhbb.exe23⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vpdpd.exec:\vpdpd.exe24⤵
- Executes dropped EXE
PID:1892 -
\??\c:\jdvjj.exec:\jdvjj.exe25⤵
- Executes dropped EXE
PID:1044 -
\??\c:\7frxflr.exec:\7frxflr.exe26⤵
- Executes dropped EXE
PID:2544 -
\??\c:\ttntnn.exec:\ttntnn.exe27⤵
- Executes dropped EXE
PID:1096 -
\??\c:\jdppj.exec:\jdppj.exe28⤵
- Executes dropped EXE
PID:1940 -
\??\c:\llxfrrf.exec:\llxfrrf.exe29⤵
- Executes dropped EXE
PID:1084 -
\??\c:\nhtttt.exec:\nhtttt.exe30⤵
- Executes dropped EXE
PID:2196 -
\??\c:\pjjjp.exec:\pjjjp.exe31⤵
- Executes dropped EXE
PID:1056 -
\??\c:\fxlflfr.exec:\fxlflfr.exe32⤵
- Executes dropped EXE
PID:2456 -
\??\c:\7djjj.exec:\7djjj.exe33⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xfflllx.exec:\xfflllx.exe34⤵
- Executes dropped EXE
PID:2520 -
\??\c:\htntbh.exec:\htntbh.exe35⤵
- Executes dropped EXE
PID:1548 -
\??\c:\jpvjv.exec:\jpvjv.exe36⤵
- Executes dropped EXE
PID:2392 -
\??\c:\rlfrrxf.exec:\rlfrrxf.exe37⤵
- Executes dropped EXE
PID:2124 -
\??\c:\xxfrxxl.exec:\xxfrxxl.exe38⤵
- Executes dropped EXE
PID:2216 -
\??\c:\bthnhn.exec:\bthnhn.exe39⤵
- Executes dropped EXE
PID:2876 -
\??\c:\9dpdj.exec:\9dpdj.exe40⤵
- Executes dropped EXE
PID:2868 -
\??\c:\5frrxxf.exec:\5frrxxf.exe41⤵
- Executes dropped EXE
PID:2712 -
\??\c:\llxrfrx.exec:\llxrfrx.exe42⤵
- Executes dropped EXE
PID:2084 -
\??\c:\tttbbh.exec:\tttbbh.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\jdvpj.exec:\jdvpj.exe44⤵
- Executes dropped EXE
PID:2796 -
\??\c:\djdjd.exec:\djdjd.exe45⤵
- Executes dropped EXE
PID:2916 -
\??\c:\xlxxxfl.exec:\xlxxxfl.exe46⤵
- Executes dropped EXE
PID:1872 -
\??\c:\3htnnt.exec:\3htnnt.exe47⤵
- Executes dropped EXE
PID:2588 -
\??\c:\thtnbh.exec:\thtnbh.exe48⤵
- Executes dropped EXE
PID:2644 -
\??\c:\dvvdp.exec:\dvvdp.exe49⤵
- Executes dropped EXE
PID:2800 -
\??\c:\5fxfrrx.exec:\5fxfrrx.exe50⤵
- Executes dropped EXE
PID:2904 -
\??\c:\3hnnnt.exec:\3hnnnt.exe51⤵
- Executes dropped EXE
PID:1524 -
\??\c:\5bttbb.exec:\5bttbb.exe52⤵
- Executes dropped EXE
PID:2808 -
\??\c:\9jdvp.exec:\9jdvp.exe53⤵
- Executes dropped EXE
PID:2784 -
\??\c:\rlxfxlr.exec:\rlxfxlr.exe54⤵
- Executes dropped EXE
PID:2376 -
\??\c:\bnbbhh.exec:\bnbbhh.exe55⤵
- Executes dropped EXE
PID:1296 -
\??\c:\bbbbbb.exec:\bbbbbb.exe56⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jdvvd.exec:\jdvvd.exe57⤵
- Executes dropped EXE
PID:3012 -
\??\c:\xrlrffr.exec:\xrlrffr.exe58⤵
- Executes dropped EXE
PID:2240 -
\??\c:\1tntnt.exec:\1tntnt.exe59⤵
- Executes dropped EXE
PID:1712 -
\??\c:\7nbbhb.exec:\7nbbhb.exe60⤵
- Executes dropped EXE
PID:2484 -
\??\c:\5jjpp.exec:\5jjpp.exe61⤵
- Executes dropped EXE
PID:2144 -
\??\c:\1rrxflx.exec:\1rrxflx.exe62⤵
- Executes dropped EXE
PID:2244 -
\??\c:\9xrlflx.exec:\9xrlflx.exe63⤵
- Executes dropped EXE
PID:1132 -
\??\c:\9tttbh.exec:\9tttbh.exe64⤵
- Executes dropped EXE
PID:1328 -
\??\c:\9jpdd.exec:\9jpdd.exe65⤵
- Executes dropped EXE
PID:1044 -
\??\c:\5dvjd.exec:\5dvjd.exe66⤵PID:1448
-
\??\c:\xrffllx.exec:\xrffllx.exe67⤵PID:2444
-
\??\c:\tntbnn.exec:\tntbnn.exe68⤵PID:3052
-
\??\c:\9bbhtb.exec:\9bbhtb.exe69⤵PID:3068
-
\??\c:\7pdpd.exec:\7pdpd.exe70⤵PID:1740
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe71⤵PID:2272
-
\??\c:\5ttthn.exec:\5ttthn.exe72⤵PID:2196
-
\??\c:\5bthbt.exec:\5bthbt.exe73⤵PID:2472
-
\??\c:\ppjpd.exec:\ppjpd.exe74⤵PID:2500
-
\??\c:\xxxxflf.exec:\xxxxflf.exe75⤵PID:2512
-
\??\c:\ffxrfrf.exec:\ffxrfrf.exe76⤵PID:2516
-
\??\c:\nbtnnh.exec:\nbtnnh.exe77⤵PID:2520
-
\??\c:\jddjd.exec:\jddjd.exe78⤵PID:2676
-
\??\c:\3pppv.exec:\3pppv.exe79⤵PID:1704
-
\??\c:\flfrflf.exec:\flfrflf.exe80⤵PID:2828
-
\??\c:\tbthtt.exec:\tbthtt.exe81⤵PID:2216
-
\??\c:\hbbbbh.exec:\hbbbbh.exe82⤵PID:2192
-
\??\c:\dvvdv.exec:\dvvdv.exe83⤵PID:2868
-
\??\c:\lrlflxl.exec:\lrlflxl.exe84⤵PID:2712
-
\??\c:\lrlxllx.exec:\lrlxllx.exe85⤵PID:2084
-
\??\c:\hhttnt.exec:\hhttnt.exe86⤵PID:2696
-
\??\c:\5vjjv.exec:\5vjjv.exe87⤵PID:2796
-
\??\c:\xxxxllr.exec:\xxxxllr.exe88⤵PID:2748
-
\??\c:\frrxflr.exec:\frrxflr.exe89⤵PID:2920
-
\??\c:\5hbbtt.exec:\5hbbtt.exe90⤵PID:2572
-
\??\c:\5pdjv.exec:\5pdjv.exe91⤵PID:2316
-
\??\c:\ddjpd.exec:\ddjpd.exe92⤵PID:2364
-
\??\c:\rlfxrrf.exec:\rlfxrrf.exe93⤵PID:2416
-
\??\c:\9bthhn.exec:\9bthhn.exe94⤵PID:1336
-
\??\c:\hbtnbb.exec:\hbtnbb.exe95⤵PID:2672
-
\??\c:\jjjvp.exec:\jjjvp.exe96⤵PID:2488
-
\??\c:\xlxxfll.exec:\xlxxfll.exe97⤵PID:2820
-
\??\c:\5xrrfrx.exec:\5xrrfrx.exe98⤵PID:2376
-
\??\c:\nbnbhh.exec:\nbnbhh.exe99⤵PID:3004
-
\??\c:\vpjdp.exec:\vpjdp.exe100⤵PID:316
-
\??\c:\7pjpv.exec:\7pjpv.exe101⤵PID:3036
-
\??\c:\9fxfrrx.exec:\9fxfrrx.exe102⤵PID:1652
-
\??\c:\hhbhtt.exec:\hhbhtt.exe103⤵PID:2200
-
\??\c:\tthtnn.exec:\tthtnn.exe104⤵PID:2056
-
\??\c:\vvjpd.exec:\vvjpd.exe105⤵PID:2264
-
\??\c:\lfxflxl.exec:\lfxflxl.exe106⤵PID:2568
-
\??\c:\llfxllr.exec:\llfxllr.exe107⤵PID:3020
-
\??\c:\bththn.exec:\bththn.exe108⤵PID:664
-
\??\c:\pjdpp.exec:\pjdpp.exe109⤵PID:1888
-
\??\c:\7vvjj.exec:\7vvjj.exe110⤵PID:2452
-
\??\c:\xxxfrxr.exec:\xxxfrxr.exe111⤵PID:2448
-
\??\c:\hhhtbb.exec:\hhhtbb.exe112⤵PID:1684
-
\??\c:\jpvpp.exec:\jpvpp.exe113⤵PID:2816
-
\??\c:\pjdvj.exec:\pjdvj.exe114⤵PID:1084
-
\??\c:\lrlxrxr.exec:\lrlxrxr.exe115⤵PID:328
-
\??\c:\nnhttt.exec:\nnhttt.exe116⤵PID:1504
-
\??\c:\nhbhhn.exec:\nhbhhn.exe117⤵PID:2524
-
\??\c:\ppjpp.exec:\ppjpp.exe118⤵PID:2064
-
\??\c:\flxfrlr.exec:\flxfrlr.exe119⤵PID:2496
-
\??\c:\xrrrxfr.exec:\xrrrxfr.exe120⤵PID:1936
-
\??\c:\ntnthn.exec:\ntnthn.exe121⤵PID:1048
-
\??\c:\jdddp.exec:\jdddp.exe122⤵PID:2392