Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 21:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe
-
Size
454KB
-
MD5
ca93742b50625cf343ca87d31fef5740
-
SHA1
c24b2b2be8fe3c8cf767e4838d31f7bdbf0349c1
-
SHA256
2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1
-
SHA512
cee54c5e23fe125e06da7cec2bcc764362e9694a8fa591713be8c9d84e0dffbb1c42fc92d836c5eb2955cb691974b8daedacacab9f59bf8ebd7f4a723eefb119
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/1908-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-76-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2900-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1200-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/752-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2528-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/940-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-543-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-567-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2648-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-687-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2040-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-813-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2488-819-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2536-853-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2536-852-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1232-1058-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-1065-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1308 7btnnn.exe 2944 xffrfrf.exe 2064 3hbbht.exe 2988 vvpdp.exe 2768 btbhnn.exe 2740 jdvjv.exe 2772 xrlrflf.exe 2700 7pddp.exe 2900 lxrlrxl.exe 2688 xrllxxl.exe 2784 1xrflxl.exe 1304 9xfrfrf.exe 1500 ntntht.exe 1112 lrrrrxl.exe 2844 tttbnt.exe 1200 5fxflfr.exe 1856 djjvj.exe 1956 1xlxlrl.exe 2976 hnbtnh.exe 2172 btnbnn.exe 1980 7fflrxl.exe 1756 xxrrlrf.exe 2260 hbnbhn.exe 752 thbbnt.exe 1048 lxxrrll.exe 2460 jvjpv.exe 2292 rlrlrrl.exe 2488 pddjv.exe 760 rfxxrlr.exe 2132 hbtbbn.exe 1136 vppjj.exe 1612 vddvj.exe 3060 pvvjv.exe 2528 ttbnht.exe 2064 ttbnbn.exe 2872 pvjdj.exe 2876 llfrxxl.exe 2764 hbhhnn.exe 2620 5ttbtb.exe 2904 5jpvj.exe 2640 fllxxll.exe 2660 hhthnt.exe 2684 hhhhht.exe 2664 ddddd.exe 2908 xxfrlxr.exe 1972 tbnthb.exe 1732 ppvjd.exe 604 xllrrxf.exe 2036 7lrlrxl.exe 1112 tttbnb.exe 1160 jjjpp.exe 692 ppvdv.exe 1828 xxxlfrl.exe 1856 nbhhht.exe 2196 dpjjv.exe 1720 9jvpp.exe 2376 xrfrxfr.exe 2168 tththh.exe 1356 vvpdd.exe 940 lfxfflr.exe 1880 rlfllrf.exe 848 bnhthn.exe 1584 pdvjd.exe 1544 rlxflrf.exe -
resource yara_rule behavioral1/memory/1908-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1112-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-273-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/760-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-342-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2660-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-687-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2040-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-946-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-1058-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1908 wrote to memory of 1308 1908 2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe 30 PID 1908 wrote to memory of 1308 1908 2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe 30 PID 1908 wrote to memory of 1308 1908 2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe 30 PID 1908 wrote to memory of 1308 1908 2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe 30 PID 1308 wrote to memory of 2944 1308 7btnnn.exe 31 PID 1308 wrote to memory of 2944 1308 7btnnn.exe 31 PID 1308 wrote to memory of 2944 1308 7btnnn.exe 31 PID 1308 wrote to memory of 2944 1308 7btnnn.exe 31 PID 2944 wrote to memory of 2064 2944 xffrfrf.exe 32 PID 2944 wrote to memory of 2064 2944 xffrfrf.exe 32 PID 2944 wrote to memory of 2064 2944 xffrfrf.exe 32 PID 2944 wrote to memory of 2064 2944 xffrfrf.exe 32 PID 2064 wrote to memory of 2988 2064 3hbbht.exe 33 PID 2064 wrote to memory of 2988 2064 3hbbht.exe 33 PID 2064 wrote to memory of 2988 2064 3hbbht.exe 33 PID 2064 wrote to memory of 2988 2064 3hbbht.exe 33 PID 2988 wrote to memory of 2768 2988 vvpdp.exe 34 PID 2988 wrote to memory of 2768 2988 vvpdp.exe 34 PID 2988 wrote to memory of 2768 2988 vvpdp.exe 34 PID 2988 wrote to memory of 2768 2988 vvpdp.exe 34 PID 2768 wrote to memory of 2740 2768 btbhnn.exe 35 PID 2768 wrote to memory of 2740 2768 btbhnn.exe 35 PID 2768 wrote to memory of 2740 2768 btbhnn.exe 35 PID 2768 wrote to memory of 2740 2768 btbhnn.exe 35 PID 2740 wrote to memory of 2772 2740 jdvjv.exe 36 PID 2740 wrote to memory of 2772 2740 jdvjv.exe 36 PID 2740 wrote to memory of 2772 2740 jdvjv.exe 36 PID 2740 wrote to memory of 2772 2740 jdvjv.exe 36 PID 2772 wrote to memory of 2700 2772 xrlrflf.exe 37 PID 2772 wrote to memory of 2700 2772 xrlrflf.exe 37 PID 2772 wrote to memory of 2700 2772 xrlrflf.exe 37 PID 2772 wrote to memory of 2700 2772 xrlrflf.exe 37 PID 2700 wrote to memory of 2900 2700 7pddp.exe 38 PID 2700 
wrote to memory of 2900 2700 7pddp.exe 38 PID 2700 wrote to memory of 2900 2700 7pddp.exe 38 PID 2700 wrote to memory of 2900 2700 7pddp.exe 38 PID 2900 wrote to memory of 2688 2900 lxrlrxl.exe 39 PID 2900 wrote to memory of 2688 2900 lxrlrxl.exe 39 PID 2900 wrote to memory of 2688 2900 lxrlrxl.exe 39 PID 2900 wrote to memory of 2688 2900 lxrlrxl.exe 39 PID 2688 wrote to memory of 2784 2688 xrllxxl.exe 40 PID 2688 wrote to memory of 2784 2688 xrllxxl.exe 40 PID 2688 wrote to memory of 2784 2688 xrllxxl.exe 40 PID 2688 wrote to memory of 2784 2688 xrllxxl.exe 40 PID 2784 wrote to memory of 1304 2784 1xrflxl.exe 41 PID 2784 wrote to memory of 1304 2784 1xrflxl.exe 41 PID 2784 wrote to memory of 1304 2784 1xrflxl.exe 41 PID 2784 wrote to memory of 1304 2784 1xrflxl.exe 41 PID 1304 wrote to memory of 1500 1304 9xfrfrf.exe 42 PID 1304 wrote to memory of 1500 1304 9xfrfrf.exe 42 PID 1304 wrote to memory of 1500 1304 9xfrfrf.exe 42 PID 1304 wrote to memory of 1500 1304 9xfrfrf.exe 42 PID 1500 wrote to memory of 1112 1500 ntntht.exe 43 PID 1500 wrote to memory of 1112 1500 ntntht.exe 43 PID 1500 wrote to memory of 1112 1500 ntntht.exe 43 PID 1500 wrote to memory of 1112 1500 ntntht.exe 43 PID 1112 wrote to memory of 2844 1112 lrrrrxl.exe 44 PID 1112 wrote to memory of 2844 1112 lrrrrxl.exe 44 PID 1112 wrote to memory of 2844 1112 lrrrrxl.exe 44 PID 1112 wrote to memory of 2844 1112 lrrrrxl.exe 44 PID 2844 wrote to memory of 1200 2844 tttbnt.exe 45 PID 2844 wrote to memory of 1200 2844 tttbnt.exe 45 PID 2844 wrote to memory of 1200 2844 tttbnt.exe 45 PID 2844 wrote to memory of 1200 2844 tttbnt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe"C:\Users\Admin\AppData\Local\Temp\2cc503632d03e5cd87630fd54b9e0dd3be4a96001b3552b816a151aab70454a1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\7btnnn.exec:\7btnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\xffrfrf.exec:\xffrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\3hbbht.exec:\3hbbht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\vvpdp.exec:\vvpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\btbhnn.exec:\btbhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\jdvjv.exec:\jdvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\xrlrflf.exec:\xrlrflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\7pddp.exec:\7pddp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\lxrlrxl.exec:\lxrlrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\xrllxxl.exec:\xrllxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\1xrflxl.exec:\1xrflxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\9xfrfrf.exec:\9xfrfrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\ntntht.exec:\ntntht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\lrrrrxl.exec:\lrrrrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\tttbnt.exec:\tttbnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\5fxflfr.exec:\5fxflfr.exe17⤵
- Executes dropped EXE
PID:1200 -
\??\c:\djjvj.exec:\djjvj.exe18⤵
- Executes dropped EXE
PID:1856 -
\??\c:\1xlxlrl.exec:\1xlxlrl.exe19⤵
- Executes dropped EXE
PID:1956 -
\??\c:\hnbtnh.exec:\hnbtnh.exe20⤵
- Executes dropped EXE
PID:2976 -
\??\c:\btnbnn.exec:\btnbnn.exe21⤵
- Executes dropped EXE
PID:2172 -
\??\c:\7fflrxl.exec:\7fflrxl.exe22⤵
- Executes dropped EXE
PID:1980 -
\??\c:\xxrrlrf.exec:\xxrrlrf.exe23⤵
- Executes dropped EXE
PID:1756 -
\??\c:\hbnbhn.exec:\hbnbhn.exe24⤵
- Executes dropped EXE
PID:2260 -
\??\c:\thbbnt.exec:\thbbnt.exe25⤵
- Executes dropped EXE
PID:752 -
\??\c:\lxxrrll.exec:\lxxrrll.exe26⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jvjpv.exec:\jvjpv.exe27⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rlrlrrl.exec:\rlrlrrl.exe28⤵
- Executes dropped EXE
PID:2292 -
\??\c:\pddjv.exec:\pddjv.exe29⤵
- Executes dropped EXE
PID:2488 -
\??\c:\rfxxrlr.exec:\rfxxrlr.exe30⤵
- Executes dropped EXE
PID:760 -
\??\c:\hbtbbn.exec:\hbtbbn.exe31⤵
- Executes dropped EXE
PID:2132 -
\??\c:\vppjj.exec:\vppjj.exe32⤵
- Executes dropped EXE
PID:1136 -
\??\c:\vddvj.exec:\vddvj.exe33⤵
- Executes dropped EXE
PID:1612 -
\??\c:\pvvjv.exec:\pvvjv.exe34⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ttbnht.exec:\ttbnht.exe35⤵
- Executes dropped EXE
PID:2528 -
\??\c:\ttbnbn.exec:\ttbnbn.exe36⤵
- Executes dropped EXE
PID:2064 -
\??\c:\pvjdj.exec:\pvjdj.exe37⤵
- Executes dropped EXE
PID:2872 -
\??\c:\llfrxxl.exec:\llfrxxl.exe38⤵
- Executes dropped EXE
PID:2876 -
\??\c:\hbhhnn.exec:\hbhhnn.exe39⤵
- Executes dropped EXE
PID:2764 -
\??\c:\5ttbtb.exec:\5ttbtb.exe40⤵
- Executes dropped EXE
PID:2620 -
\??\c:\5jpvj.exec:\5jpvj.exe41⤵
- Executes dropped EXE
PID:2904 -
\??\c:\fllxxll.exec:\fllxxll.exe42⤵
- Executes dropped EXE
PID:2640 -
\??\c:\hhthnt.exec:\hhthnt.exe43⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hhhhht.exec:\hhhhht.exe44⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ddddd.exec:\ddddd.exe45⤵
- Executes dropped EXE
PID:2664 -
\??\c:\xxfrlxr.exec:\xxfrlxr.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\tbnthb.exec:\tbnthb.exe47⤵
- Executes dropped EXE
PID:1972 -
\??\c:\ppvjd.exec:\ppvjd.exe48⤵
- Executes dropped EXE
PID:1732 -
\??\c:\xllrrxf.exec:\xllrrxf.exe49⤵
- Executes dropped EXE
PID:604 -
\??\c:\7lrlrxl.exec:\7lrlrxl.exe50⤵
- Executes dropped EXE
PID:2036 -
\??\c:\tttbnb.exec:\tttbnb.exe51⤵
- Executes dropped EXE
PID:1112 -
\??\c:\jjjpp.exec:\jjjpp.exe52⤵
- Executes dropped EXE
PID:1160 -
\??\c:\ppvdv.exec:\ppvdv.exe53⤵
- Executes dropped EXE
PID:692 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe54⤵
- Executes dropped EXE
PID:1828 -
\??\c:\nbhhht.exec:\nbhhht.exe55⤵
- Executes dropped EXE
PID:1856 -
\??\c:\dpjjv.exec:\dpjjv.exe56⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9jvpp.exec:\9jvpp.exe57⤵
- Executes dropped EXE
PID:1720 -
\??\c:\xrfrxfr.exec:\xrfrxfr.exe58⤵
- Executes dropped EXE
PID:2376 -
\??\c:\tththh.exec:\tththh.exe59⤵
- Executes dropped EXE
PID:2168 -
\??\c:\vvpdd.exec:\vvpdd.exe60⤵
- Executes dropped EXE
PID:1356 -
\??\c:\lfxfflr.exec:\lfxfflr.exe61⤵
- Executes dropped EXE
PID:940 -
\??\c:\rlfllrf.exec:\rlfllrf.exe62⤵
- Executes dropped EXE
PID:1880 -
\??\c:\bnhthn.exec:\bnhthn.exe63⤵
- Executes dropped EXE
PID:848 -
\??\c:\pdvjd.exec:\pdvjd.exe64⤵
- Executes dropped EXE
PID:1584 -
\??\c:\rlxflrf.exec:\rlxflrf.exe65⤵
- Executes dropped EXE
PID:1544 -
\??\c:\httbnt.exec:\httbnt.exe66⤵PID:1048
-
\??\c:\pjjjj.exec:\pjjjj.exe67⤵PID:1164
-
\??\c:\rxfxfrf.exec:\rxfxfrf.exe68⤵PID:2492
-
\??\c:\7bhnnh.exec:\7bhnnh.exe69⤵PID:2488
-
\??\c:\pvpdv.exec:\pvpdv.exe70⤵PID:872
-
\??\c:\1fxrlfr.exec:\1fxrlfr.exe71⤵PID:1588
-
\??\c:\rllrflx.exec:\rllrflx.exe72⤵PID:1580
-
\??\c:\9bhnbn.exec:\9bhnbn.exe73⤵PID:1432
-
\??\c:\1vvjv.exec:\1vvjv.exe74⤵PID:2212
-
\??\c:\xxrxrlx.exec:\xxrxrlx.exe75⤵PID:3048
-
\??\c:\7nhbtb.exec:\7nhbtb.exe76⤵PID:2540
-
\??\c:\vvdjj.exec:\vvdjj.exe77⤵PID:2752
-
\??\c:\vvdvd.exec:\vvdvd.exe78⤵PID:2872
-
\??\c:\rlfrxlx.exec:\rlfrxlx.exe79⤵PID:2884
-
\??\c:\hnbbht.exec:\hnbbht.exe80⤵PID:2336
-
\??\c:\jpjjv.exec:\jpjjv.exe81⤵PID:2648
-
\??\c:\3pdpp.exec:\3pdpp.exe82⤵PID:2156
-
\??\c:\lfxlxxr.exec:\lfxlxxr.exe83⤵PID:2860
-
\??\c:\1bthth.exec:\1bthth.exe84⤵PID:2660
-
\??\c:\ppjpv.exec:\ppjpv.exe85⤵PID:2432
-
\??\c:\rxrrflf.exec:\rxrrflf.exe86⤵PID:2188
-
\??\c:\nhbhtt.exec:\nhbhtt.exe87⤵PID:1084
-
\??\c:\pvvdp.exec:\pvvdp.exe88⤵PID:2788
-
\??\c:\ddjjp.exec:\ddjjp.exe89⤵PID:1304
-
\??\c:\ffxlfff.exec:\ffxlfff.exe90⤵PID:1648
-
\??\c:\bhbtnn.exec:\bhbtnn.exe91⤵PID:2836
-
\??\c:\vvvdp.exec:\vvvdp.exe92⤵PID:1656
-
\??\c:\pvvpj.exec:\pvvpj.exe93⤵PID:2844
-
\??\c:\rxrfrfx.exec:\rxrfrfx.exe94⤵PID:2040
-
\??\c:\3nhnbb.exec:\3nhnbb.exe95⤵PID:2024
-
\??\c:\ppjdv.exec:\ppjdv.exe96⤵PID:1772
-
\??\c:\9pvjv.exec:\9pvjv.exe97⤵PID:2112
-
\??\c:\3llfffr.exec:\3llfffr.exe98⤵PID:2360
-
\??\c:\3ntnbn.exec:\3ntnbn.exe99⤵PID:2140
-
\??\c:\pvvdd.exec:\pvvdd.exe100⤵PID:2376
-
\??\c:\vvdjv.exec:\vvdjv.exe101⤵PID:628
-
\??\c:\3frllrr.exec:\3frllrr.exe102⤵PID:556
-
\??\c:\thnnht.exec:\thnnht.exe103⤵PID:1624
-
\??\c:\pjddj.exec:\pjddj.exe104⤵PID:1560
-
\??\c:\9rlrflx.exec:\9rlrflx.exe105⤵PID:1628
-
\??\c:\btthhn.exec:\btthhn.exe106⤵PID:344
-
\??\c:\nttbth.exec:\nttbth.exe107⤵PID:1728
-
\??\c:\1dpdv.exec:\1dpdv.exe108⤵PID:2332
-
\??\c:\rllxffl.exec:\rllxffl.exe109⤵PID:1764
-
\??\c:\7nthbt.exec:\7nthbt.exe110⤵
- System Location Discovery: System Language Discovery
PID:1740 -
\??\c:\tttnnt.exec:\tttnnt.exe111⤵PID:1804
-
\??\c:\jddjp.exec:\jddjp.exe112⤵
- System Location Discovery: System Language Discovery
PID:2488 -
\??\c:\7xrxxxl.exec:\7xrxxxl.exe113⤵PID:1860
-
\??\c:\9hnhbn.exec:\9hnhbn.exe114⤵PID:1724
-
\??\c:\pjjpv.exec:\pjjpv.exe115⤵PID:1580
-
\??\c:\7ddpd.exec:\7ddpd.exe116⤵PID:2348
-
\??\c:\xxxfrrf.exec:\xxxfrrf.exe117⤵PID:2536
-
\??\c:\hnthbh.exec:\hnthbh.exe118⤵PID:2704
-
\??\c:\djdvv.exec:\djdvv.exe119⤵PID:2064
-
\??\c:\jdjdj.exec:\jdjdj.exe120⤵PID:2720
-
\??\c:\3xrfxfx.exec:\3xrfxfx.exe121⤵PID:2768
-
\??\c:\hnhthn.exec:\hnhthn.exe122⤵PID:2764