Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 19:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
-
Size
454KB
-
MD5
26e47a741468ae2447aef83a6c757333
-
SHA1
67b02a8d491a13031954390fd8a9582871f85c92
-
SHA256
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a
-
SHA512
05d40185474e5a31b99516b60af9e2c528e00fce7979564ce9c1eefa7033cea75c3d3e01721bbdd0a0f8e672f0d3e2ac47cbae7be11aabc39b0f04574a596c15
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH2:q7Tc2NYHUrAwfMp3CDH2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2264-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-196-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1576-250-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1220-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-280-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2588-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-340-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-389-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2832-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-431-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2420-446-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1668-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2176 hbtntb.exe 2796 vdppp.exe 3048 1xxflrf.exe 2804 thttbh.exe 2748 5vvvp.exe 2888 hthhbh.exe 2656 vppvv.exe 1776 dddvv.exe 900 vpvpp.exe 2424 ddjpv.exe 2100 vvvdj.exe 1260 ddjjd.exe 1728 3xlfxrr.exe 2812 5bhhbb.exe 1916 jjddd.exe 536 rrrfflx.exe 2152 ddjvv.exe 848 hbhntt.exe 2192 5tnttt.exe 2552 3xlrxrx.exe 1012 bhhnnh.exe 1616 7xllfxf.exe 796 bbhhhh.exe 2540 rrxrrxf.exe 1612 3tbtbb.exe 1576 9lffllr.exe 2288 5tnntb.exe 988 5lxxllr.exe 1220 hhthnb.exe 748 xxfflrx.exe 2120 9tnhhh.exe 2800 5rflrxl.exe 2588 nnhttt.exe 1456 jdjjp.exe 3048 ffflrrx.exe 2872 hhhbbb.exe 2868 vdddj.exe 2636 frxxxxf.exe 2056 xfrrrrr.exe 1996 tnbhnn.exe 2704 7vppv.exe 2568 xxxrlrr.exe 1872 nnhntb.exe 3068 hhbhhn.exe 1564 pvjjp.exe 2460 1xfffrr.exe 1260 thnhbb.exe 2832 ddpvd.exe 1496 djjjj.exe 1020 xxllffl.exe 1688 bhbbhh.exe 2420 9jdjp.exe 2320 7xlllfl.exe 2012 7nbtbb.exe 1752 bthtbt.exe 1276 1dpjp.exe 2468 fxffflr.exe 1500 hnnnth.exe 1668 1jppv.exe 1236 flxrrll.exe 824 rrffffr.exe 2928 1tttbh.exe 1556 vdpjp.exe 2524 dpvjp.exe -
resource yara_rule behavioral1/memory/2264-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-198-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1616-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-375-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/3068-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-538-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/380-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-734-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2016-737-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthth.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2264 wrote to memory of 2176 2264 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 2264 wrote to memory of 2176 2264 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 2264 wrote to memory of 2176 2264 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 2264 wrote to memory of 2176 2264 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 2176 wrote to memory of 2796 2176 hbtntb.exe 31 PID 2176 wrote to memory of 2796 2176 hbtntb.exe 31 PID 2176 wrote to memory of 2796 2176 hbtntb.exe 31 PID 2176 wrote to memory of 2796 2176 hbtntb.exe 31 PID 2796 wrote to memory of 3048 2796 vdppp.exe 32 PID 2796 wrote to memory of 3048 2796 vdppp.exe 32 PID 2796 wrote to memory of 3048 2796 vdppp.exe 32 PID 2796 wrote to memory of 3048 2796 vdppp.exe 32 PID 3048 wrote to memory of 2804 3048 1xxflrf.exe 33 PID 3048 wrote to memory of 2804 3048 1xxflrf.exe 33 PID 3048 wrote to memory of 2804 3048 1xxflrf.exe 33 PID 3048 wrote to memory of 2804 3048 1xxflrf.exe 33 PID 2804 wrote to memory of 2748 2804 thttbh.exe 34 PID 2804 wrote to memory of 2748 2804 thttbh.exe 34 PID 2804 wrote to memory of 2748 2804 thttbh.exe 34 PID 2804 wrote to memory of 2748 2804 thttbh.exe 34 PID 2748 wrote to memory of 2888 2748 5vvvp.exe 35 PID 2748 wrote to memory of 2888 2748 5vvvp.exe 35 PID 2748 wrote to memory of 2888 2748 5vvvp.exe 35 PID 2748 wrote to memory of 2888 2748 5vvvp.exe 35 PID 2888 wrote to memory of 2656 2888 hthhbh.exe 36 PID 2888 wrote to memory of 2656 2888 hthhbh.exe 36 PID 2888 wrote to memory of 2656 2888 hthhbh.exe 36 PID 2888 wrote to memory of 2656 2888 hthhbh.exe 36 PID 2656 wrote to memory of 1776 2656 vppvv.exe 37 PID 2656 wrote to memory of 1776 2656 vppvv.exe 37 PID 2656 wrote to memory of 1776 2656 vppvv.exe 37 PID 2656 wrote to memory of 1776 2656 vppvv.exe 37 PID 1776 wrote to memory of 900 1776 dddvv.exe 38 PID 1776 wrote to 
memory of 900 1776 dddvv.exe 38 PID 1776 wrote to memory of 900 1776 dddvv.exe 38 PID 1776 wrote to memory of 900 1776 dddvv.exe 38 PID 900 wrote to memory of 2424 900 vpvpp.exe 39 PID 900 wrote to memory of 2424 900 vpvpp.exe 39 PID 900 wrote to memory of 2424 900 vpvpp.exe 39 PID 900 wrote to memory of 2424 900 vpvpp.exe 39 PID 2424 wrote to memory of 2100 2424 ddjpv.exe 40 PID 2424 wrote to memory of 2100 2424 ddjpv.exe 40 PID 2424 wrote to memory of 2100 2424 ddjpv.exe 40 PID 2424 wrote to memory of 2100 2424 ddjpv.exe 40 PID 2100 wrote to memory of 1260 2100 vvvdj.exe 41 PID 2100 wrote to memory of 1260 2100 vvvdj.exe 41 PID 2100 wrote to memory of 1260 2100 vvvdj.exe 41 PID 2100 wrote to memory of 1260 2100 vvvdj.exe 41 PID 1260 wrote to memory of 1728 1260 ddjjd.exe 42 PID 1260 wrote to memory of 1728 1260 ddjjd.exe 42 PID 1260 wrote to memory of 1728 1260 ddjjd.exe 42 PID 1260 wrote to memory of 1728 1260 ddjjd.exe 42 PID 1728 wrote to memory of 2812 1728 3xlfxrr.exe 43 PID 1728 wrote to memory of 2812 1728 3xlfxrr.exe 43 PID 1728 wrote to memory of 2812 1728 3xlfxrr.exe 43 PID 1728 wrote to memory of 2812 1728 3xlfxrr.exe 43 PID 2812 wrote to memory of 1916 2812 5bhhbb.exe 44 PID 2812 wrote to memory of 1916 2812 5bhhbb.exe 44 PID 2812 wrote to memory of 1916 2812 5bhhbb.exe 44 PID 2812 wrote to memory of 1916 2812 5bhhbb.exe 44 PID 1916 wrote to memory of 536 1916 jjddd.exe 45 PID 1916 wrote to memory of 536 1916 jjddd.exe 45 PID 1916 wrote to memory of 536 1916 jjddd.exe 45 PID 1916 wrote to memory of 536 1916 jjddd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\hbtntb.exec:\hbtntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\vdppp.exec:\vdppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\1xxflrf.exec:\1xxflrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\thttbh.exec:\thttbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\5vvvp.exec:\5vvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\hthhbh.exec:\hthhbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\vppvv.exec:\vppvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\dddvv.exec:\dddvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\vpvpp.exec:\vpvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\ddjpv.exec:\ddjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\vvvdj.exec:\vvvdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\ddjjd.exec:\ddjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\3xlfxrr.exec:\3xlfxrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\5bhhbb.exec:\5bhhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\jjddd.exec:\jjddd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\rrrfflx.exec:\rrrfflx.exe17⤵
- Executes dropped EXE
PID:536 -
\??\c:\ddjvv.exec:\ddjvv.exe18⤵
- Executes dropped EXE
PID:2152 -
\??\c:\hbhntt.exec:\hbhntt.exe19⤵
- Executes dropped EXE
PID:848 -
\??\c:\5tnttt.exec:\5tnttt.exe20⤵
- Executes dropped EXE
PID:2192 -
\??\c:\3xlrxrx.exec:\3xlrxrx.exe21⤵
- Executes dropped EXE
PID:2552 -
\??\c:\bhhnnh.exec:\bhhnnh.exe22⤵
- Executes dropped EXE
PID:1012 -
\??\c:\7xllfxf.exec:\7xllfxf.exe23⤵
- Executes dropped EXE
PID:1616 -
\??\c:\bbhhhh.exec:\bbhhhh.exe24⤵
- Executes dropped EXE
PID:796 -
\??\c:\rrxrrxf.exec:\rrxrrxf.exe25⤵
- Executes dropped EXE
PID:2540 -
\??\c:\3tbtbb.exec:\3tbtbb.exe26⤵
- Executes dropped EXE
PID:1612 -
\??\c:\9lffllr.exec:\9lffllr.exe27⤵
- Executes dropped EXE
PID:1576 -
\??\c:\5tnntb.exec:\5tnntb.exe28⤵
- Executes dropped EXE
PID:2288 -
\??\c:\5lxxllr.exec:\5lxxllr.exe29⤵
- Executes dropped EXE
PID:988 -
\??\c:\hhthnb.exec:\hhthnb.exe30⤵
- Executes dropped EXE
PID:1220 -
\??\c:\xxfflrx.exec:\xxfflrx.exe31⤵
- Executes dropped EXE
PID:748 -
\??\c:\9tnhhh.exec:\9tnhhh.exe32⤵
- Executes dropped EXE
PID:2120 -
\??\c:\5rflrxl.exec:\5rflrxl.exe33⤵
- Executes dropped EXE
PID:2800 -
\??\c:\nnhttt.exec:\nnhttt.exe34⤵
- Executes dropped EXE
PID:2588 -
\??\c:\jdjjp.exec:\jdjjp.exe35⤵
- Executes dropped EXE
PID:1456 -
\??\c:\ffflrrx.exec:\ffflrrx.exe36⤵
- Executes dropped EXE
PID:3048 -
\??\c:\hhhbbb.exec:\hhhbbb.exe37⤵
- Executes dropped EXE
PID:2872 -
\??\c:\vdddj.exec:\vdddj.exe38⤵
- Executes dropped EXE
PID:2868 -
\??\c:\frxxxxf.exec:\frxxxxf.exe39⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xfrrrrr.exec:\xfrrrrr.exe40⤵
- Executes dropped EXE
PID:2056 -
\??\c:\tnbhnn.exec:\tnbhnn.exe41⤵
- Executes dropped EXE
PID:1996 -
\??\c:\7vppv.exec:\7vppv.exe42⤵
- Executes dropped EXE
PID:2704 -
\??\c:\xxxrlrr.exec:\xxxrlrr.exe43⤵
- Executes dropped EXE
PID:2568 -
\??\c:\nnhntb.exec:\nnhntb.exe44⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hhbhhn.exec:\hhbhhn.exe45⤵
- Executes dropped EXE
PID:3068 -
\??\c:\pvjjp.exec:\pvjjp.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1564 -
\??\c:\1xfffrr.exec:\1xfffrr.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460 -
\??\c:\thnhbb.exec:\thnhbb.exe48⤵
- Executes dropped EXE
PID:1260 -
\??\c:\ddpvd.exec:\ddpvd.exe49⤵
- Executes dropped EXE
PID:2832 -
\??\c:\djjjj.exec:\djjjj.exe50⤵
- Executes dropped EXE
PID:1496 -
\??\c:\xxllffl.exec:\xxllffl.exe51⤵
- Executes dropped EXE
PID:1020 -
\??\c:\bhbbhh.exec:\bhbbhh.exe52⤵
- Executes dropped EXE
PID:1688 -
\??\c:\9jdjp.exec:\9jdjp.exe53⤵
- Executes dropped EXE
PID:2420 -
\??\c:\7xlllfl.exec:\7xlllfl.exe54⤵
- Executes dropped EXE
PID:2320 -
\??\c:\7nbtbb.exec:\7nbtbb.exe55⤵
- Executes dropped EXE
PID:2012 -
\??\c:\bthtbt.exec:\bthtbt.exe56⤵
- Executes dropped EXE
PID:1752 -
\??\c:\1dpjp.exec:\1dpjp.exe57⤵
- Executes dropped EXE
PID:1276 -
\??\c:\fxffflr.exec:\fxffflr.exe58⤵
- Executes dropped EXE
PID:2468 -
\??\c:\hnnnth.exec:\hnnnth.exe59⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1jppv.exec:\1jppv.exe60⤵
- Executes dropped EXE
PID:1668 -
\??\c:\flxrrll.exec:\flxrrll.exe61⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rrffffr.exec:\rrffffr.exe62⤵
- Executes dropped EXE
PID:824 -
\??\c:\1tttbh.exec:\1tttbh.exe63⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vdpjp.exec:\vdpjp.exe64⤵
- Executes dropped EXE
PID:1556 -
\??\c:\dpvjp.exec:\dpvjp.exe65⤵
- Executes dropped EXE
PID:2524 -
\??\c:\9rfxfll.exec:\9rfxfll.exe66⤵PID:3052
-
\??\c:\nhntht.exec:\nhntht.exe67⤵PID:380
-
\??\c:\5pjjj.exec:\5pjjj.exe68⤵PID:2212
-
\??\c:\hhnnbh.exec:\hhnnbh.exe69⤵PID:1988
-
\??\c:\ttbntt.exec:\ttbntt.exe70⤵PID:1220
-
\??\c:\vdpvd.exec:\vdpvd.exe71⤵PID:2376
-
\??\c:\fxffxff.exec:\fxffxff.exe72⤵PID:2732
-
\??\c:\nttbht.exec:\nttbht.exe73⤵PID:2876
-
\??\c:\ddjvp.exec:\ddjvp.exe74⤵PID:3060
-
\??\c:\ddjjv.exec:\ddjjv.exe75⤵PID:2380
-
\??\c:\7xffffl.exec:\7xffffl.exe76⤵PID:1364
-
\??\c:\7tnthh.exec:\7tnthh.exe77⤵PID:2972
-
\??\c:\pvjpv.exec:\pvjpv.exe78⤵PID:2988
-
\??\c:\frffflr.exec:\frffflr.exe79⤵PID:2748
-
\??\c:\nnbhht.exec:\nnbhht.exe80⤵PID:2596
-
\??\c:\vdddj.exec:\vdddj.exe81⤵PID:2056
-
\??\c:\pdpjj.exec:\pdpjj.exe82⤵PID:1996
-
\??\c:\rrffrrx.exec:\rrffrrx.exe83⤵PID:2656
-
\??\c:\hbnntt.exec:\hbnntt.exe84⤵PID:1580
-
\??\c:\pjppp.exec:\pjppp.exe85⤵PID:2560
-
\??\c:\vppjd.exec:\vppjd.exe86⤵PID:1052
-
\??\c:\rrfrllr.exec:\rrfrllr.exe87⤵PID:1868
-
\??\c:\nntntt.exec:\nntntt.exe88⤵PID:1932
-
\??\c:\pvjvd.exec:\pvjvd.exe89⤵PID:2816
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe90⤵PID:2836
-
\??\c:\3fxflrx.exec:\3fxflrx.exe91⤵PID:328
-
\??\c:\9tnnbb.exec:\9tnnbb.exe92⤵PID:2088
-
\??\c:\ppdpd.exec:\ppdpd.exe93⤵PID:2084
-
\??\c:\dpvpd.exec:\dpvpd.exe94⤵PID:2128
-
\??\c:\rlxxlrr.exec:\rlxxlrr.exe95⤵PID:1568
-
\??\c:\hnbbnt.exec:\hnbbnt.exe96⤵PID:1900
-
\??\c:\pppvj.exec:\pppvj.exe97⤵PID:2016
-
\??\c:\xxfrrlr.exec:\xxfrrlr.exe98⤵PID:1752
-
\??\c:\3fxflrx.exec:\3fxflrx.exe99⤵PID:856
-
\??\c:\thhhnn.exec:\thhhnn.exe100⤵PID:2684
-
\??\c:\pppvv.exec:\pppvv.exe101⤵PID:1748
-
\??\c:\jvpvv.exec:\jvpvv.exe102⤵PID:1436
-
\??\c:\fllrxfl.exec:\fllrxfl.exe103⤵PID:1188
-
\??\c:\nbtbnt.exec:\nbtbnt.exe104⤵PID:1724
-
\??\c:\bthhtn.exec:\bthhtn.exe105⤵PID:2104
-
\??\c:\ddddj.exec:\ddddj.exe106⤵PID:2284
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe107⤵PID:1536
-
\??\c:\bntbbh.exec:\bntbbh.exe108⤵PID:1204
-
\??\c:\ntbbhh.exec:\ntbbhh.exe109⤵PID:2492
-
\??\c:\jpddp.exec:\jpddp.exe110⤵PID:664
-
\??\c:\llxflrf.exec:\llxflrf.exe111⤵PID:2236
-
\??\c:\9hhnbh.exec:\9hhnbh.exe112⤵PID:652
-
\??\c:\vpvdj.exec:\vpvdj.exe113⤵PID:2376
-
\??\c:\xxrxrxl.exec:\xxrxrxl.exe114⤵PID:2384
-
\??\c:\bnbhnt.exec:\bnbhnt.exe115⤵PID:2876
-
\??\c:\7vdvv.exec:\7vdvv.exe116⤵PID:3060
-
\??\c:\ppppp.exec:\ppppp.exe117⤵PID:2380
-
\??\c:\xxllllr.exec:\xxllllr.exe118⤵PID:2804
-
\??\c:\bthntb.exec:\bthntb.exe119⤵PID:2972
-
\??\c:\nhhhhh.exec:\nhhhhh.exe120⤵PID:2604
-
\??\c:\ppvvv.exec:\ppvvv.exe121⤵PID:2580
-
\??\c:\xxxxfff.exec:\xxxxfff.exe122⤵PID:2632