Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
02/11/2024, 23:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
-
Size
346KB
-
MD5
ccabd7100dc60875227597623cdc2fa0
-
SHA1
9eb9f45714a2d36d8afe80771c7a543c9c58d54b
-
SHA256
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066
-
SHA512
f384f24db710ae947abfd1b4f472f87049ff5a5483d6c3add1f5991217257a7231b884148edbf9c5b30a33bcf97889862d95d98a3c5eca0d439a6002c2541f2e
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAa:l7TcbWXZshJX2VGda
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (46 IoCs). Note that every hit is the same 0x28000-byte image-sized region (0x400000–0x428000, or a relocated 0x1B0000/0x220000/0x250000/0x2C0000 base) in successive child PIDs; this is consistent with each dropped executable being the same payload re-launched rather than 46 distinct payloads, so treat the count as a measure of chain length, not of variety.
resource yara_rule behavioral1/memory/1756-8-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2336-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2628-29-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2728-38-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2240-48-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2768-56-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2804-66-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2712-74-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2296-83-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2552-87-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2296-84-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/3012-103-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2280-121-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2280-119-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/592-130-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/948-141-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1876-139-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1564-162-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2036-159-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2036-157-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1536-196-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral1/memory/2644-193-0x0000000000250000-0x0000000000278000-memory.dmp family_blackmoon behavioral1/memory/1712-229-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1712-230-0x00000000002C0000-0x00000000002E8000-memory.dmp family_blackmoon behavioral1/memory/880-264-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/3000-283-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2052-294-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2832-318-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2816-338-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2768-339-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2932-354-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2560-374-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2592-388-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1556-402-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1924-413-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2080-459-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/836-504-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1208-510-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1208-512-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2276-525-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2944-613-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2668-627-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral1/memory/2300-643-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/996-819-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/276-851-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/3000-1108-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs; the report appears to cap this list at 64 entries, while the process tree below shows the spawn chain continuing to depth 122, and entries from depth 66 onward carry no "Executes dropped EXE" tag — do not read 64 as the true number of dropped binaries)
pid Process 2336 9lrfxlf.exe 2628 jppjd.exe 2728 tttbnt.exe 2240 vdvpp.exe 2768 1tnbth.exe 2804 jpvvv.exe 2712 hbttbb.exe 2296 3ntnht.exe 2552 lxrllxf.exe 3012 bbbhhn.exe 3028 rflxxll.exe 2280 hbbttn.exe 592 pvpjv.exe 1876 ttbhbh.exe 948 jdvjd.exe 2036 fffrfrr.exe 1564 bbhtnt.exe 1636 vdjdv.exe 2864 fxrrrrx.exe 2644 vdddd.exe 1536 9thnnb.exe 1592 ntthnb.exe 1120 lxlfrll.exe 1712 hhbtbh.exe 576 9lrlrrx.exe 2496 ttthhn.exe 2140 fxlfxrf.exe 880 hbtbtb.exe 2412 rrrlxrl.exe 1240 tbbtnh.exe 3000 djpjd.exe 2052 xxrrlxr.exe 1732 xffxxll.exe 2176 vdjdj.exe 2832 lfxlxlf.exe 2076 xxrrrxr.exe 2740 bthhnn.exe 2816 ddvvp.exe 2768 flrlxlx.exe 2932 lxfxflr.exe 2576 nntbtn.exe 2792 dddpd.exe 2560 5fxfrrx.exe 1740 lllrfrf.exe 2592 1bnbhn.exe 1952 vvpvv.exe 1556 frxlxrr.exe 856 hnnnhh.exe 1924 tbhthb.exe 1532 pppjv.exe 948 frxrrff.exe 1620 bnnhnh.exe 2036 pjjdd.exe 2536 ppjvp.exe 2908 7rlxrxx.exe 2080 9bhbtt.exe 2400 tbttnt.exe 1980 djpjv.exe 2948 fflflxx.exe 2388 rrflxlx.exe 1612 bttbhn.exe 840 ppjdd.exe 836 rrrfxll.exe 1208 xfxxrfx.exe -
resource yara_rule behavioral1/memory/1756-8-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2336-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2728-30-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2628-29-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2728-38-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2240-48-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2768-56-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2804-66-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2712-74-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2296-83-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2552-87-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2296-84-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/3012-103-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2280-121-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/592-130-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/948-141-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1876-139-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1564-162-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2036-159-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1536-196-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1712-229-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/880-264-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/3000-283-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2832-311-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/2832-318-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2768-339-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2932-354-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2560-367-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2560-374-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2592-388-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1556-402-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2080-459-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/836-504-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1208-512-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/1316-526-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2276-525-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/1680-539-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2344-564-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2824-614-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2668-627-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2300-643-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/996-819-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/276-851-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1644-968-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1656-999-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1660-1024-0x00000000001B0000-0x00000000001D8000-memory.dmp upx behavioral1/memory/3000-1108-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2076-1134-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/2772-1171-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2536-1245-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1656-1271-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/864-1296-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2360-1438-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat for triage: the only evidence here is a read of the NLS\Language registry key, which locale-aware Windows APIs also perform for legitimate programs, so on its own this is a weak indicator; many entries below are listed as "Process not Found", presumably because the short-lived dropped processes had already exited before the sandbox resolved their names — confirm against the process tree if a specific process needs to be attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntbh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs). Every entry is a parent writing into the child it has just launched (1756 → 2336 → 2628 → …), i.e. the same spawn chain as the process tree, logged four times per pair; there is no write into an unrelated or system process in the visible data. Also note that PIDs are recycled within the run (e.g. 2768, 948, 2036 and 3000 each appear at several tree depths), so a PID alone does not identify a unique process here — correlate on depth or timestamp as well.
description pid Process procid_target PID 1756 wrote to memory of 2336 1756 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 31 PID 1756 wrote to memory of 2336 1756 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 31 PID 1756 wrote to memory of 2336 1756 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 31 PID 1756 wrote to memory of 2336 1756 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 31 PID 2336 wrote to memory of 2628 2336 9lrfxlf.exe 32 PID 2336 wrote to memory of 2628 2336 9lrfxlf.exe 32 PID 2336 wrote to memory of 2628 2336 9lrfxlf.exe 32 PID 2336 wrote to memory of 2628 2336 9lrfxlf.exe 32 PID 2628 wrote to memory of 2728 2628 jppjd.exe 33 PID 2628 wrote to memory of 2728 2628 jppjd.exe 33 PID 2628 wrote to memory of 2728 2628 jppjd.exe 33 PID 2628 wrote to memory of 2728 2628 jppjd.exe 33 PID 2728 wrote to memory of 2240 2728 tttbnt.exe 34 PID 2728 wrote to memory of 2240 2728 tttbnt.exe 34 PID 2728 wrote to memory of 2240 2728 tttbnt.exe 34 PID 2728 wrote to memory of 2240 2728 tttbnt.exe 34 PID 2240 wrote to memory of 2768 2240 vdvpp.exe 35 PID 2240 wrote to memory of 2768 2240 vdvpp.exe 35 PID 2240 wrote to memory of 2768 2240 vdvpp.exe 35 PID 2240 wrote to memory of 2768 2240 vdvpp.exe 35 PID 2768 wrote to memory of 2804 2768 1tnbth.exe 36 PID 2768 wrote to memory of 2804 2768 1tnbth.exe 36 PID 2768 wrote to memory of 2804 2768 1tnbth.exe 36 PID 2768 wrote to memory of 2804 2768 1tnbth.exe 36 PID 2804 wrote to memory of 2712 2804 jpvvv.exe 37 PID 2804 wrote to memory of 2712 2804 jpvvv.exe 37 PID 2804 wrote to memory of 2712 2804 jpvvv.exe 37 PID 2804 wrote to memory of 2712 2804 jpvvv.exe 37 PID 2712 wrote to memory of 2296 2712 hbttbb.exe 38 PID 2712 wrote to memory of 2296 2712 hbttbb.exe 38 PID 2712 wrote to memory of 2296 2712 hbttbb.exe 38 PID 2712 wrote to memory of 2296 2712 hbttbb.exe 38 PID 2296 wrote to memory of 2552 2296 3ntnht.exe 39 PID 2296 wrote to 
memory of 2552 2296 3ntnht.exe 39 PID 2296 wrote to memory of 2552 2296 3ntnht.exe 39 PID 2296 wrote to memory of 2552 2296 3ntnht.exe 39 PID 2552 wrote to memory of 3012 2552 lxrllxf.exe 40 PID 2552 wrote to memory of 3012 2552 lxrllxf.exe 40 PID 2552 wrote to memory of 3012 2552 lxrllxf.exe 40 PID 2552 wrote to memory of 3012 2552 lxrllxf.exe 40 PID 3012 wrote to memory of 3028 3012 bbbhhn.exe 41 PID 3012 wrote to memory of 3028 3012 bbbhhn.exe 41 PID 3012 wrote to memory of 3028 3012 bbbhhn.exe 41 PID 3012 wrote to memory of 3028 3012 bbbhhn.exe 41 PID 3028 wrote to memory of 2280 3028 rflxxll.exe 42 PID 3028 wrote to memory of 2280 3028 rflxxll.exe 42 PID 3028 wrote to memory of 2280 3028 rflxxll.exe 42 PID 3028 wrote to memory of 2280 3028 rflxxll.exe 42 PID 2280 wrote to memory of 592 2280 hbbttn.exe 43 PID 2280 wrote to memory of 592 2280 hbbttn.exe 43 PID 2280 wrote to memory of 592 2280 hbbttn.exe 43 PID 2280 wrote to memory of 592 2280 hbbttn.exe 43 PID 592 wrote to memory of 1876 592 pvpjv.exe 44 PID 592 wrote to memory of 1876 592 pvpjv.exe 44 PID 592 wrote to memory of 1876 592 pvpjv.exe 44 PID 592 wrote to memory of 1876 592 pvpjv.exe 44 PID 1876 wrote to memory of 948 1876 ttbhbh.exe 45 PID 1876 wrote to memory of 948 1876 ttbhbh.exe 45 PID 1876 wrote to memory of 948 1876 ttbhbh.exe 45 PID 1876 wrote to memory of 948 1876 ttbhbh.exe 45 PID 948 wrote to memory of 2036 948 jdvjd.exe 46 PID 948 wrote to memory of 2036 948 jdvjd.exe 46 PID 948 wrote to memory of 2036 948 jdvjd.exe 46 PID 948 wrote to memory of 2036 948 jdvjd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\9lrfxlf.exec:\9lrfxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\jppjd.exec:\jppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\tttbnt.exec:\tttbnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\vdvpp.exec:\vdvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\1tnbth.exec:\1tnbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\jpvvv.exec:\jpvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\hbttbb.exec:\hbttbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\3ntnht.exec:\3ntnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\lxrllxf.exec:\lxrllxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\bbbhhn.exec:\bbbhhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\rflxxll.exec:\rflxxll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\hbbttn.exec:\hbbttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\pvpjv.exec:\pvpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\ttbhbh.exec:\ttbhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\jdvjd.exec:\jdvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\fffrfrr.exec:\fffrfrr.exe17⤵
- Executes dropped EXE
PID:2036 -
\??\c:\bbhtnt.exec:\bbhtnt.exe18⤵
- Executes dropped EXE
PID:1564 -
\??\c:\vdjdv.exec:\vdjdv.exe19⤵
- Executes dropped EXE
PID:1636 -
\??\c:\fxrrrrx.exec:\fxrrrrx.exe20⤵
- Executes dropped EXE
PID:2864 -
\??\c:\vdddd.exec:\vdddd.exe21⤵
- Executes dropped EXE
PID:2644 -
\??\c:\9thnnb.exec:\9thnnb.exe22⤵
- Executes dropped EXE
PID:1536 -
\??\c:\ntthnb.exec:\ntthnb.exe23⤵
- Executes dropped EXE
PID:1592 -
\??\c:\lxlfrll.exec:\lxlfrll.exe24⤵
- Executes dropped EXE
PID:1120 -
\??\c:\hhbtbh.exec:\hhbtbh.exe25⤵
- Executes dropped EXE
PID:1712 -
\??\c:\9lrlrrx.exec:\9lrlrrx.exe26⤵
- Executes dropped EXE
PID:576 -
\??\c:\ttthhn.exec:\ttthhn.exe27⤵
- Executes dropped EXE
PID:2496 -
\??\c:\fxlfxrf.exec:\fxlfxrf.exe28⤵
- Executes dropped EXE
PID:2140 -
\??\c:\hbtbtb.exec:\hbtbtb.exe29⤵
- Executes dropped EXE
PID:880 -
\??\c:\rrrlxrl.exec:\rrrlxrl.exe30⤵
- Executes dropped EXE
PID:2412 -
\??\c:\tbbtnh.exec:\tbbtnh.exe31⤵
- Executes dropped EXE
PID:1240 -
\??\c:\djpjd.exec:\djpjd.exe32⤵
- Executes dropped EXE
PID:3000 -
\??\c:\xxrrlxr.exec:\xxrrlxr.exe33⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xffxxll.exec:\xffxxll.exe34⤵
- Executes dropped EXE
PID:1732 -
\??\c:\vdjdj.exec:\vdjdj.exe35⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lfxlxlf.exec:\lfxlxlf.exe36⤵
- Executes dropped EXE
PID:2832 -
\??\c:\xxrrrxr.exec:\xxrrrxr.exe37⤵
- Executes dropped EXE
PID:2076 -
\??\c:\bthhnn.exec:\bthhnn.exe38⤵
- Executes dropped EXE
PID:2740 -
\??\c:\ddvvp.exec:\ddvvp.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816 -
\??\c:\flrlxlx.exec:\flrlxlx.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\lxfxflr.exec:\lxfxflr.exe41⤵
- Executes dropped EXE
PID:2932 -
\??\c:\nntbtn.exec:\nntbtn.exe42⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dddpd.exec:\dddpd.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792 -
\??\c:\5fxfrrx.exec:\5fxfrrx.exe44⤵
- Executes dropped EXE
PID:2560 -
\??\c:\lllrfrf.exec:\lllrfrf.exe45⤵
- Executes dropped EXE
PID:1740 -
\??\c:\1bnbhn.exec:\1bnbhn.exe46⤵
- Executes dropped EXE
PID:2592 -
\??\c:\vvpvv.exec:\vvpvv.exe47⤵
- Executes dropped EXE
PID:1952 -
\??\c:\frxlxrr.exec:\frxlxrr.exe48⤵
- Executes dropped EXE
PID:1556 -
\??\c:\hnnnhh.exec:\hnnnhh.exe49⤵
- Executes dropped EXE
PID:856 -
\??\c:\tbhthb.exec:\tbhthb.exe50⤵
- Executes dropped EXE
PID:1924 -
\??\c:\pppjv.exec:\pppjv.exe51⤵
- Executes dropped EXE
PID:1532 -
\??\c:\frxrrff.exec:\frxrrff.exe52⤵
- Executes dropped EXE
PID:948 -
\??\c:\bnnhnh.exec:\bnnhnh.exe53⤵
- Executes dropped EXE
PID:1620 -
\??\c:\pjjdd.exec:\pjjdd.exe54⤵
- Executes dropped EXE
PID:2036 -
\??\c:\ppjvp.exec:\ppjvp.exe55⤵
- Executes dropped EXE
PID:2536 -
\??\c:\7rlxrxx.exec:\7rlxrxx.exe56⤵
- Executes dropped EXE
PID:2908 -
\??\c:\9bhbtt.exec:\9bhbtt.exe57⤵
- Executes dropped EXE
PID:2080 -
\??\c:\tbttnt.exec:\tbttnt.exe58⤵
- Executes dropped EXE
PID:2400 -
\??\c:\djpjv.exec:\djpjv.exe59⤵
- Executes dropped EXE
PID:1980 -
\??\c:\fflflxx.exec:\fflflxx.exe60⤵
- Executes dropped EXE
PID:2948 -
\??\c:\rrflxlx.exec:\rrflxlx.exe61⤵
- Executes dropped EXE
PID:2388 -
\??\c:\bttbhn.exec:\bttbhn.exe62⤵
- Executes dropped EXE
PID:1612 -
\??\c:\ppjdd.exec:\ppjdd.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\rrrfxll.exec:\rrrfxll.exe64⤵
- Executes dropped EXE
PID:836 -
\??\c:\xfxxrfx.exec:\xfxxrfx.exe65⤵
- Executes dropped EXE
PID:1208 -
\??\c:\nhttnn.exec:\nhttnn.exe66⤵PID:1868
-
\??\c:\vvvvp.exec:\vvvvp.exe67⤵PID:2276
-
\??\c:\xxxxlfr.exec:\xxxxlfr.exe68⤵PID:1316
-
\??\c:\3lxfrfr.exec:\3lxfrfr.exe69⤵PID:336
-
\??\c:\7hbhnt.exec:\7hbhnt.exe70⤵PID:1680
-
\??\c:\vjjdd.exec:\vjjdd.exe71⤵PID:1696
-
\??\c:\9xrfrxf.exec:\9xrfrxf.exe72⤵PID:2068
-
\??\c:\lrrfxxr.exec:\lrrfxxr.exe73⤵PID:3000
-
\??\c:\bttntb.exec:\bttntb.exe74⤵PID:2344
-
\??\c:\vvvdd.exec:\vvvdd.exe75⤵PID:2092
-
\??\c:\ffrrfxr.exec:\ffrrfxr.exe76⤵PID:2172
-
\??\c:\xxrxrrx.exec:\xxrxrrx.exe77⤵PID:2356
-
\??\c:\7bbhtb.exec:\7bbhtb.exe78⤵PID:2124
-
\??\c:\vvjpv.exec:\vvjpv.exe79⤵PID:2076
-
\??\c:\pvpjv.exec:\pvpjv.exe80⤵PID:1744
-
\??\c:\5fxfrxr.exec:\5fxfrxr.exe81⤵PID:2944
-
\??\c:\ttthbt.exec:\ttthbt.exe82⤵PID:2824
-
\??\c:\hnnhhh.exec:\hnnhhh.exe83⤵PID:2668
-
\??\c:\ppvpd.exec:\ppvpd.exe84⤵PID:2576
-
\??\c:\llfrxfl.exec:\llfrxfl.exe85⤵PID:2444
-
\??\c:\btnhbn.exec:\btnhbn.exe86⤵PID:2300
-
\??\c:\djdjv.exec:\djdjv.exe87⤵PID:2304
-
\??\c:\1lxfrxr.exec:\1lxfrxr.exe88⤵PID:3012
-
\??\c:\ffxrlrl.exec:\ffxrlrl.exe89⤵PID:680
-
\??\c:\nhthth.exec:\nhthth.exe90⤵PID:1928
-
\??\c:\dpdvv.exec:\dpdvv.exe91⤵PID:1192
-
\??\c:\vjpjp.exec:\vjpjp.exe92⤵PID:856
-
\??\c:\rrfxfrf.exec:\rrfxfrf.exe93⤵PID:1888
-
\??\c:\thhbtb.exec:\thhbtb.exe94⤵PID:2364
-
\??\c:\bbnbht.exec:\bbnbht.exe95⤵PID:1260
-
\??\c:\1vdjv.exec:\1vdjv.exe96⤵PID:2524
-
\??\c:\ffxlxfr.exec:\ffxlxfr.exe97⤵PID:2036
-
\??\c:\llffrxl.exec:\llffrxl.exe98⤵PID:2856
-
\??\c:\nhtbhn.exec:\nhtbhn.exe99⤵PID:2900
-
\??\c:\9pjpv.exec:\9pjpv.exe100⤵PID:2616
-
\??\c:\jdpjj.exec:\jdpjj.exe101⤵PID:2916
-
\??\c:\ffxrfrl.exec:\ffxrfrl.exe102⤵PID:408
-
\??\c:\bnhbhh.exec:\bnhbhh.exe103⤵PID:1660
-
\??\c:\hbntbh.exec:\hbntbh.exe104⤵
- System Location Discovery: System Language Discovery
PID:904 -
\??\c:\1vppp.exec:\1vppp.exe105⤵PID:864
-
\??\c:\5rxflrl.exec:\5rxflrl.exe106⤵PID:2016
-
\??\c:\bnhtbb.exec:\bnhtbb.exe107⤵PID:1584
-
\??\c:\htbtbt.exec:\htbtbt.exe108⤵PID:576
-
\??\c:\5dpjj.exec:\5dpjj.exe109⤵PID:2384
-
\??\c:\5xxxxlx.exec:\5xxxxlx.exe110⤵PID:2408
-
\??\c:\lfrrxlx.exec:\lfrrxlx.exe111⤵PID:2376
-
\??\c:\nhnntn.exec:\nhnntn.exe112⤵PID:1360
-
\??\c:\jjjpd.exec:\jjjpd.exe113⤵PID:1688
-
\??\c:\pvpjv.exec:\pvpjv.exe114⤵PID:996
-
\??\c:\llfxrxr.exec:\llfxrxr.exe115⤵PID:1696
-
\??\c:\nntnbt.exec:\nntnbt.exe116⤵PID:1504
-
\??\c:\jpdvp.exec:\jpdvp.exe117⤵PID:3000
-
\??\c:\llxlfxr.exec:\llxlfxr.exe118⤵PID:2924
-
\??\c:\rrlrrxf.exec:\rrlrrxf.exe119⤵PID:276
-
\??\c:\btnthn.exec:\btnthn.exe120⤵PID:2628
-
\??\c:\jppjj.exec:\jppjj.exe121⤵PID:2732
-
\??\c:\vdvdp.exec:\vdvdp.exe122⤵PID:2692