Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:52
Behavioral task
behavioral1
Sample
628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe
-
Size
332KB
-
MD5
e9c6aba882f31d4522e21764a9ab93e0
-
SHA1
f596e5f869e4afeaa07e75a8575f501dc2a72ec6
-
SHA256
628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845
-
SHA512
5ea78b7e4b42439b3c937e8793cd33cbc702a5bedbb1e1797b39512bae9515a2b25015971bc6c88d0dd520ef7bfadddbed36f12393450c9e4fa44bee55c90c1b
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeO:R4wFHoSHYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2308-1-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2308-6-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/1484-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2984-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2924-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2168-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2988-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2788-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/928-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2052-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1144-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2272-114-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2272-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1780-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2976-148-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2976-147-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2976-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2004-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2268-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2380-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1632-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2452-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2308-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/580-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1852-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2384-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1428-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2292-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2620-514-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2948-559-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2056-663-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2876-662-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2916-805-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2280-10532-0x0000000076E40000-0x0000000076F5F000-memory.dmp family_blackmoon behavioral1/memory/2280-11790-0x0000000076E40000-0x0000000076F5F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1484 nthntb.exe 2984 llxfrxf.exe 1908 bhthth.exe 2924 lrlrxxf.exe 2168 llrxlxf.exe 2988 pjvjp.exe 2932 xxxxlfl.exe 2788 htbtbn.exe 2664 rlllxlr.exe 928 9hhbnb.exe 2052 vppjp.exe 1144 7lffxxl.exe 2272 ttthnn.exe 1780 rfrfrxr.exe 2880 xxrfflx.exe 1072 vvjjv.exe 2976 3lrlxfr.exe 1840 ddjpv.exe 2752 1ppjv.exe 808 1bnnbh.exe 1200 pjvjd.exe 2004 3hthth.exe 1044 vvvvj.exe 496 3nhnth.exe 2500 ppvdj.exe 2268 3rxxrlf.exe 2068 hnbhtt.exe 2580 vjvdj.exe 1708 llxfllr.exe 1972 bhtbnt.exe 1036 vdjjp.exe 2380 5lflrrx.exe 1632 5bnntb.exe 2452 1pddd.exe 2308 3ffrllr.exe 2028 3tbbhh.exe 3036 vdjvd.exe 2368 vdjpp.exe 2348 flffrxf.exe 2948 hnbnhn.exe 2924 nntnth.exe 580 jjppv.exe 2168 jdvdp.exe 2988 3rfllrx.exe 1852 5thhnn.exe 2764 ppvdp.exe 2788 vvppj.exe 1388 xxlrlrx.exe 2384 bbbbht.exe 1336 ttbbnt.exe 1428 ddjdp.exe 2848 7fxxfrx.exe 1624 hbntbh.exe 2272 nhnntn.exe 1780 vpdpd.exe 280 ffrfllr.exe 2864 9lffrxf.exe 2876 9nnhtb.exe 1512 vppdd.exe 2264 jvjdd.exe 3000 xxlxllx.exe 3064 nthbth.exe 2100 9dppv.exe 1060 pppvd.exe -
resource yara_rule behavioral1/memory/2308-1-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120fe-5.dat upx behavioral1/memory/1484-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000195d6-16.dat upx behavioral1/memory/1484-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019605-24.dat upx behavioral1/memory/2984-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019608-31.dat upx behavioral1/memory/2924-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001960a-40.dat upx behavioral1/memory/2924-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2168-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001960c-47.dat upx behavioral1/files/0x000800000001961c-56.dat upx behavioral1/memory/2988-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2788-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2932-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001961e-64.dat upx behavioral1/files/0x000500000001a4b9-74.dat upx behavioral1/memory/2788-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2664-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bb-81.dat upx behavioral1/files/0x000500000001a4bd-90.dat upx behavioral1/memory/928-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bf-97.dat upx behavioral1/memory/2052-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1144-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c1-107.dat upx behavioral1/memory/1144-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c3-115.dat upx 
behavioral1/memory/2272-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c5-124.dat upx behavioral1/memory/1780-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2880-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c7-134.dat upx behavioral1/files/0x000500000001a4c9-140.dat upx behavioral1/memory/2976-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4cb-151.dat upx behavioral1/files/0x000500000001a4cd-157.dat upx behavioral1/files/0x002d00000001956c-165.dat upx behavioral1/memory/808-172-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001a4cf-173.dat upx behavioral1/files/0x000500000001a4d1-182.dat upx behavioral1/memory/2004-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4d3-189.dat upx behavioral1/files/0x000500000001a4d5-196.dat upx behavioral1/files/0x000500000001a4d7-204.dat upx behavioral1/files/0x000500000001a4d9-211.dat upx behavioral1/memory/2268-213-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4db-219.dat upx behavioral1/files/0x000500000001a4de-227.dat upx behavioral1/files/0x000500000001a4e0-234.dat upx behavioral1/files/0x000500000001a4e2-241.dat upx behavioral1/files/0x000500000001a4e4-248.dat upx behavioral1/files/0x000500000001a4e6-255.dat upx behavioral1/memory/2380-262-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1632-268-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2452-274-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2308-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2368-296-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2348-299-0x0000000000220000-0x0000000000247000-memory.dmp upx 
behavioral1/memory/2948-303-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/580-319-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2988-325-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rflrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 1484 2308 628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe 30 PID 2308 wrote to memory of 1484 2308 628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe 30 PID 2308 wrote to memory of 1484 2308 628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe 30 PID 2308 wrote to memory of 1484 2308 628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe 30 PID 1484 wrote to memory of 2984 1484 nthntb.exe 31 PID 1484 wrote to memory of 2984 1484 nthntb.exe 31 PID 1484 wrote to memory of 2984 1484 nthntb.exe 31 PID 1484 wrote to memory of 2984 1484 nthntb.exe 31 PID 2984 wrote to memory of 1908 2984 llxfrxf.exe 32 PID 2984 wrote to memory of 1908 2984 llxfrxf.exe 32 PID 2984 wrote to memory of 1908 2984 llxfrxf.exe 32 PID 2984 wrote to memory of 1908 2984 llxfrxf.exe 32 PID 1908 wrote to memory of 2924 1908 bhthth.exe 33 PID 1908 wrote to memory of 2924 1908 bhthth.exe 33 PID 1908 wrote to memory of 2924 1908 bhthth.exe 33 PID 1908 wrote to memory of 2924 1908 bhthth.exe 33 PID 2924 wrote to memory of 2168 2924 lrlrxxf.exe 34 PID 2924 wrote to memory of 2168 2924 lrlrxxf.exe 34 PID 2924 wrote to memory of 2168 2924 lrlrxxf.exe 34 PID 2924 wrote to memory of 2168 2924 lrlrxxf.exe 34 PID 2168 wrote to memory of 2988 2168 llrxlxf.exe 35 PID 2168 wrote to memory of 2988 2168 llrxlxf.exe 35 PID 2168 wrote to memory of 2988 2168 llrxlxf.exe 35 PID 2168 wrote to memory of 2988 2168 llrxlxf.exe 35 PID 2988 wrote to memory of 2932 2988 pjvjp.exe 36 PID 2988 wrote to memory of 2932 2988 pjvjp.exe 36 PID 2988 wrote to memory of 2932 2988 pjvjp.exe 36 PID 2988 wrote to memory of 2932 2988 pjvjp.exe 36 PID 2932 wrote to memory of 2788 2932 xxxxlfl.exe 37 PID 2932 wrote to memory of 2788 2932 xxxxlfl.exe 37 PID 2932 wrote to memory of 2788 2932 xxxxlfl.exe 37 PID 2932 wrote to memory of 2788 2932 xxxxlfl.exe 37 PID 2788 wrote to memory of 2664 2788 htbtbn.exe 
38 PID 2788 wrote to memory of 2664 2788 htbtbn.exe 38 PID 2788 wrote to memory of 2664 2788 htbtbn.exe 38 PID 2788 wrote to memory of 2664 2788 htbtbn.exe 38 PID 2664 wrote to memory of 928 2664 rlllxlr.exe 39 PID 2664 wrote to memory of 928 2664 rlllxlr.exe 39 PID 2664 wrote to memory of 928 2664 rlllxlr.exe 39 PID 2664 wrote to memory of 928 2664 rlllxlr.exe 39 PID 928 wrote to memory of 2052 928 9hhbnb.exe 40 PID 928 wrote to memory of 2052 928 9hhbnb.exe 40 PID 928 wrote to memory of 2052 928 9hhbnb.exe 40 PID 928 wrote to memory of 2052 928 9hhbnb.exe 40 PID 2052 wrote to memory of 1144 2052 vppjp.exe 41 PID 2052 wrote to memory of 1144 2052 vppjp.exe 41 PID 2052 wrote to memory of 1144 2052 vppjp.exe 41 PID 2052 wrote to memory of 1144 2052 vppjp.exe 41 PID 1144 wrote to memory of 2272 1144 7lffxxl.exe 42 PID 1144 wrote to memory of 2272 1144 7lffxxl.exe 42 PID 1144 wrote to memory of 2272 1144 7lffxxl.exe 42 PID 1144 wrote to memory of 2272 1144 7lffxxl.exe 42 PID 2272 wrote to memory of 1780 2272 ttthnn.exe 43 PID 2272 wrote to memory of 1780 2272 ttthnn.exe 43 PID 2272 wrote to memory of 1780 2272 ttthnn.exe 43 PID 2272 wrote to memory of 1780 2272 ttthnn.exe 43 PID 1780 wrote to memory of 2880 1780 rfrfrxr.exe 44 PID 1780 wrote to memory of 2880 1780 rfrfrxr.exe 44 PID 1780 wrote to memory of 2880 1780 rfrfrxr.exe 44 PID 1780 wrote to memory of 2880 1780 rfrfrxr.exe 44 PID 2880 wrote to memory of 1072 2880 xxrfflx.exe 45 PID 2880 wrote to memory of 1072 2880 xxrfflx.exe 45 PID 2880 wrote to memory of 1072 2880 xxrfflx.exe 45 PID 2880 wrote to memory of 1072 2880 xxrfflx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe"C:\Users\Admin\AppData\Local\Temp\628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\nthntb.exec:\nthntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\llxfrxf.exec:\llxfrxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\bhthth.exec:\bhthth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\lrlrxxf.exec:\lrlrxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\llrxlxf.exec:\llrxlxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\pjvjp.exec:\pjvjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\xxxxlfl.exec:\xxxxlfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\htbtbn.exec:\htbtbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\rlllxlr.exec:\rlllxlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\9hhbnb.exec:\9hhbnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\vppjp.exec:\vppjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\7lffxxl.exec:\7lffxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\ttthnn.exec:\ttthnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\rfrfrxr.exec:\rfrfrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\xxrfflx.exec:\xxrfflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\vvjjv.exec:\vvjjv.exe17⤵
- Executes dropped EXE
PID:1072 -
\??\c:\3lrlxfr.exec:\3lrlxfr.exe18⤵
- Executes dropped EXE
PID:2976 -
\??\c:\ddjpv.exec:\ddjpv.exe19⤵
- Executes dropped EXE
PID:1840 -
\??\c:\1ppjv.exec:\1ppjv.exe20⤵
- Executes dropped EXE
PID:2752 -
\??\c:\1bnnbh.exec:\1bnnbh.exe21⤵
- Executes dropped EXE
PID:808 -
\??\c:\pjvjd.exec:\pjvjd.exe22⤵
- Executes dropped EXE
PID:1200 -
\??\c:\3hthth.exec:\3hthth.exe23⤵
- Executes dropped EXE
PID:2004 -
\??\c:\vvvvj.exec:\vvvvj.exe24⤵
- Executes dropped EXE
PID:1044 -
\??\c:\3nhnth.exec:\3nhnth.exe25⤵
- Executes dropped EXE
PID:496 -
\??\c:\ppvdj.exec:\ppvdj.exe26⤵
- Executes dropped EXE
PID:2500 -
\??\c:\3rxxrlf.exec:\3rxxrlf.exe27⤵
- Executes dropped EXE
PID:2268 -
\??\c:\hnbhtt.exec:\hnbhtt.exe28⤵
- Executes dropped EXE
PID:2068 -
\??\c:\vjvdj.exec:\vjvdj.exe29⤵
- Executes dropped EXE
PID:2580 -
\??\c:\llxfllr.exec:\llxfllr.exe30⤵
- Executes dropped EXE
PID:1708 -
\??\c:\bhtbnt.exec:\bhtbnt.exe31⤵
- Executes dropped EXE
PID:1972 -
\??\c:\vdjjp.exec:\vdjjp.exe32⤵
- Executes dropped EXE
PID:1036 -
\??\c:\5lflrrx.exec:\5lflrrx.exe33⤵
- Executes dropped EXE
PID:2380 -
\??\c:\5bnntb.exec:\5bnntb.exe34⤵
- Executes dropped EXE
PID:1632 -
\??\c:\1pddd.exec:\1pddd.exe35⤵
- Executes dropped EXE
PID:2452 -
\??\c:\3ffrllr.exec:\3ffrllr.exe36⤵
- Executes dropped EXE
PID:2308 -
\??\c:\3tbbhh.exec:\3tbbhh.exe37⤵
- Executes dropped EXE
PID:2028 -
\??\c:\vdjvd.exec:\vdjvd.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
\??\c:\vdjpp.exec:\vdjpp.exe39⤵
- Executes dropped EXE
PID:2368 -
\??\c:\flffrxf.exec:\flffrxf.exe40⤵
- Executes dropped EXE
PID:2348 -
\??\c:\hnbnhn.exec:\hnbnhn.exe41⤵
- Executes dropped EXE
PID:2948 -
\??\c:\nntnth.exec:\nntnth.exe42⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jjppv.exec:\jjppv.exe43⤵
- Executes dropped EXE
PID:580 -
\??\c:\jdvdp.exec:\jdvdp.exe44⤵
- Executes dropped EXE
PID:2168 -
\??\c:\3rfllrx.exec:\3rfllrx.exe45⤵
- Executes dropped EXE
PID:2988 -
\??\c:\5thhnn.exec:\5thhnn.exe46⤵
- Executes dropped EXE
PID:1852 -
\??\c:\ppvdp.exec:\ppvdp.exe47⤵
- Executes dropped EXE
PID:2764 -
\??\c:\vvppj.exec:\vvppj.exe48⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xxlrlrx.exec:\xxlrlrx.exe49⤵
- Executes dropped EXE
PID:1388 -
\??\c:\bbbbht.exec:\bbbbht.exe50⤵
- Executes dropped EXE
PID:2384 -
\??\c:\ttbbnt.exec:\ttbbnt.exe51⤵
- Executes dropped EXE
PID:1336 -
\??\c:\ddjdp.exec:\ddjdp.exe52⤵
- Executes dropped EXE
PID:1428 -
\??\c:\7fxxfrx.exec:\7fxxfrx.exe53⤵
- Executes dropped EXE
PID:2848 -
\??\c:\hbntbh.exec:\hbntbh.exe54⤵
- Executes dropped EXE
PID:1624 -
\??\c:\nhnntn.exec:\nhnntn.exe55⤵
- Executes dropped EXE
PID:2272 -
\??\c:\vpdpd.exec:\vpdpd.exe56⤵
- Executes dropped EXE
PID:1780 -
\??\c:\ffrfllr.exec:\ffrfllr.exe57⤵
- Executes dropped EXE
PID:280 -
\??\c:\9lffrxf.exec:\9lffrxf.exe58⤵
- Executes dropped EXE
PID:2864 -
\??\c:\9nnhtb.exec:\9nnhtb.exe59⤵
- Executes dropped EXE
PID:2876 -
\??\c:\vppdd.exec:\vppdd.exe60⤵
- Executes dropped EXE
PID:1512 -
\??\c:\jvjdd.exec:\jvjdd.exe61⤵
- Executes dropped EXE
PID:2264 -
\??\c:\xxlxllx.exec:\xxlxllx.exe62⤵
- Executes dropped EXE
PID:3000 -
\??\c:\nthbth.exec:\nthbth.exe63⤵
- Executes dropped EXE
PID:3064 -
\??\c:\9dppv.exec:\9dppv.exe64⤵
- Executes dropped EXE
PID:2100 -
\??\c:\pppvd.exec:\pppvd.exe65⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xxxlllr.exec:\xxxlllr.exe66⤵PID:388
-
\??\c:\ntbthb.exec:\ntbthb.exe67⤵PID:2004
-
\??\c:\ppvdp.exec:\ppvdp.exe68⤵PID:1992
-
\??\c:\7pjvd.exec:\7pjvd.exe69⤵PID:1864
-
\??\c:\xfrfflx.exec:\xfrfflx.exe70⤵PID:696
-
\??\c:\1bttbt.exec:\1bttbt.exe71⤵PID:304
-
\??\c:\vvjjp.exec:\vvjjp.exe72⤵PID:1556
-
\??\c:\xrflxfl.exec:\xrflxfl.exe73⤵PID:2288
-
\??\c:\rrfffff.exec:\rrfffff.exe74⤵PID:2252
-
\??\c:\ttbhth.exec:\ttbhth.exe75⤵PID:1752
-
\??\c:\7thbbb.exec:\7thbbb.exe76⤵PID:2292
-
\??\c:\pppvd.exec:\pppvd.exe77⤵PID:1988
-
\??\c:\xxrlrrr.exec:\xxrlrrr.exe78⤵PID:2480
-
\??\c:\hbnnnb.exec:\hbnnnb.exe79⤵PID:2620
-
\??\c:\ttnhhb.exec:\ttnhhb.exe80⤵PID:2256
-
\??\c:\vdvvj.exec:\vdvvj.exe81⤵PID:2200
-
\??\c:\lrrxxxf.exec:\lrrxxxf.exe82⤵PID:2280
-
\??\c:\fflrrxx.exec:\fflrrxx.exe83⤵PID:2372
-
\??\c:\9nhhnh.exec:\9nhhnh.exe84⤵PID:1696
-
\??\c:\llxfrfl.exec:\llxfrfl.exe85⤵PID:1916
-
\??\c:\nthtbn.exec:\nthtbn.exe86⤵PID:2980
-
\??\c:\jjjjp.exec:\jjjjp.exe87⤵PID:2756
-
\??\c:\jdjjj.exec:\jdjjj.exe88⤵PID:2348
-
\??\c:\xxlxxlx.exec:\xxlxxlx.exe89⤵PID:2948
-
\??\c:\lflrxrr.exec:\lflrxrr.exe90⤵PID:2804
-
\??\c:\hhnntt.exec:\hhnntt.exe91⤵PID:580
-
\??\c:\pjjpv.exec:\pjjpv.exe92⤵PID:2812
-
\??\c:\vpvvj.exec:\vpvvj.exe93⤵PID:2688
-
\??\c:\7rrlxll.exec:\7rrlxll.exe94⤵PID:2824
-
\??\c:\nntnnt.exec:\nntnnt.exe95⤵PID:1756
-
\??\c:\btbntn.exec:\btbntn.exe96⤵PID:2772
-
\??\c:\jpdpd.exec:\jpdpd.exe97⤵PID:2400
-
\??\c:\rrllffx.exec:\rrllffx.exe98⤵PID:2712
-
\??\c:\rflrfxx.exec:\rflrfxx.exe99⤵PID:2388
-
\??\c:\btnnbn.exec:\btnnbn.exe100⤵PID:900
-
\??\c:\vvvdj.exec:\vvvdj.exe101⤵PID:2428
-
\??\c:\rxfflrx.exec:\rxfflrx.exe102⤵PID:2408
-
\??\c:\lrxffff.exec:\lrxffff.exe103⤵PID:2056
-
\??\c:\bbhbnt.exec:\bbhbnt.exe104⤵PID:1276
-
\??\c:\1jddd.exec:\1jddd.exe105⤵PID:436
-
\??\c:\lffflrx.exec:\lffflrx.exe106⤵PID:1540
-
\??\c:\9frrxfl.exec:\9frrxfl.exe107⤵PID:2876
-
\??\c:\tbhhhh.exec:\tbhhhh.exe108⤵PID:448
-
\??\c:\jdpvd.exec:\jdpvd.exe109⤵PID:2264
-
\??\c:\7dpvd.exec:\7dpvd.exe110⤵PID:1848
-
\??\c:\xxflrxf.exec:\xxflrxf.exe111⤵PID:1732
-
\??\c:\7hnnbh.exec:\7hnnbh.exe112⤵PID:2220
-
\??\c:\7dpjj.exec:\7dpjj.exe113⤵PID:864
-
\??\c:\1jjpp.exec:\1jjpp.exe114⤵PID:388
-
\??\c:\9frfffl.exec:\9frfffl.exe115⤵PID:552
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe116⤵PID:1048
-
\??\c:\3tbhhh.exec:\3tbhhh.exe117⤵PID:496
-
\??\c:\9vppd.exec:\9vppd.exe118⤵PID:2592
-
\??\c:\9xlxfxf.exec:\9xlxfxf.exe119⤵PID:984
-
\??\c:\7lrrrfl.exec:\7lrrrfl.exe120⤵PID:1556
-
\??\c:\bhtntb.exec:\bhtntb.exe121⤵PID:2288
-
\??\c:\vppjp.exec:\vppjp.exe122⤵PID:1960
-