Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 11:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384.exe
-
Size
453KB
-
MD5
59655a252f32ecd9ef7ba0614d008394
-
SHA1
9bd9164696d6bbde5a8b80eee2b113dd4fd1c5b2
-
SHA256
cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384
-
SHA512
424a5af64d54f92b56dc6e784498631533efd13a5bb62852780e411ce206ff2d43f52c075d1ca49eee4b96815876a25b5af03801d415802ceb6077b8c2f1a146
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2304-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2380-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4072-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2444 424226.exe 5088 i064208.exe 2932 nnbbht.exe 3232 044828.exe 4800 rflfrrf.exe 920 jpvpp.exe 3180 e02660.exe 5052 tbbtnh.exe 4500 4044846.exe 4420 g4082.exe 4808 466600.exe 5000 lflxfxf.exe 4932 tnnhhh.exe 4072 vvvdv.exe 2244 2642828.exe 208 vjppp.exe 4368 hbbtnn.exe 1472 djvpd.exe 4464 bnbhtt.exe 3036 840044.exe 1636 4842004.exe 4856 q82600.exe 4052 w66044.exe 2380 rrlffff.exe 3892 28288.exe 1900 rflxrlf.exe 3648 pjjpd.exe 688 q80444.exe 4176 0284482.exe 3592 8282666.exe 1316 nbbnht.exe 712 e66082.exe 4564 flrlffx.exe 1460 g8048.exe 3048 tntnbt.exe 4952 1dddd.exe 900 lxlfxxr.exe 2776 8844226.exe 4584 7ttttt.exe 2704 6448604.exe 4220 pjdvp.exe 4132 4242626.exe 2176 xffxllf.exe 4748 lfffxrr.exe 4440 606600.exe 2212 002844.exe 4852 824822.exe 4360 vpvpd.exe 1684 04046.exe 3632 1ffxrxr.exe 700 86604.exe 3596 9rlrlrl.exe 2036 dvjdj.exe 3416 rrxxfrx.exe 3820 1thbhn.exe 1668 hthbtt.exe 4704 4466444.exe 316 o266004.exe 4136 pjpjj.exe 4020 fxxrffx.exe 3672 64044.exe 4500 xxlllrf.exe 2220 hntbht.exe 4808 86888.exe -
resource yara_rule behavioral2/memory/2304-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3892-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4464-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-1119-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 464822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0482648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0408480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4404226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
084200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6804480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u206288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 2444 2304 cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384.exe 84 PID 2304 wrote to memory of 2444 2304 cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384.exe 84 PID 2304 wrote to memory of 2444 2304 cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384.exe 84 PID 2444 wrote to memory of 5088 2444 424226.exe 85 PID 2444 wrote to memory of 5088 2444 424226.exe 85 PID 2444 wrote to memory of 5088 2444 424226.exe 85 PID 5088 wrote to memory of 2932 5088 i064208.exe 86 PID 5088 wrote to memory of 2932 5088 i064208.exe 86 PID 5088 wrote to memory of 2932 5088 i064208.exe 86 PID 2932 wrote to memory of 3232 2932 nnbbht.exe 87 PID 2932 wrote to memory of 3232 2932 nnbbht.exe 87 PID 2932 wrote to memory of 3232 2932 nnbbht.exe 87 PID 3232 wrote to memory of 4800 3232 044828.exe 88 PID 3232 wrote to memory of 4800 3232 044828.exe 88 PID 3232 wrote to memory of 4800 3232 044828.exe 88 PID 4800 wrote to memory of 920 4800 rflfrrf.exe 89 PID 4800 wrote to memory of 920 4800 rflfrrf.exe 89 PID 4800 wrote to memory of 920 4800 rflfrrf.exe 89 PID 920 wrote to memory of 3180 920 jpvpp.exe 90 PID 920 wrote to memory of 3180 920 jpvpp.exe 90 PID 920 wrote to memory of 3180 920 jpvpp.exe 90 PID 3180 wrote to memory of 5052 3180 e02660.exe 91 PID 3180 wrote to memory of 5052 3180 e02660.exe 91 PID 3180 wrote to memory of 5052 3180 e02660.exe 91 PID 5052 wrote to memory of 4500 5052 tbbtnh.exe 92 PID 5052 wrote to memory of 4500 5052 tbbtnh.exe 92 PID 5052 wrote to memory of 4500 5052 tbbtnh.exe 92 PID 4500 wrote to memory of 4420 4500 4044846.exe 93 PID 4500 wrote to memory of 4420 4500 4044846.exe 93 PID 4500 wrote to memory of 4420 4500 4044846.exe 93 PID 4420 wrote to memory of 4808 4420 g4082.exe 94 PID 4420 wrote to memory of 4808 4420 g4082.exe 94 PID 4420 wrote to memory of 4808 4420 g4082.exe 94 PID 4808 wrote to memory of 5000 4808 466600.exe 95 PID 4808 wrote to memory 
of 5000 4808 466600.exe 95 PID 4808 wrote to memory of 5000 4808 466600.exe 95 PID 5000 wrote to memory of 4932 5000 lflxfxf.exe 96 PID 5000 wrote to memory of 4932 5000 lflxfxf.exe 96 PID 5000 wrote to memory of 4932 5000 lflxfxf.exe 96 PID 4932 wrote to memory of 4072 4932 tnnhhh.exe 97 PID 4932 wrote to memory of 4072 4932 tnnhhh.exe 97 PID 4932 wrote to memory of 4072 4932 tnnhhh.exe 97 PID 4072 wrote to memory of 2244 4072 vvvdv.exe 98 PID 4072 wrote to memory of 2244 4072 vvvdv.exe 98 PID 4072 wrote to memory of 2244 4072 vvvdv.exe 98 PID 2244 wrote to memory of 208 2244 2642828.exe 99 PID 2244 wrote to memory of 208 2244 2642828.exe 99 PID 2244 wrote to memory of 208 2244 2642828.exe 99 PID 208 wrote to memory of 4368 208 vjppp.exe 100 PID 208 wrote to memory of 4368 208 vjppp.exe 100 PID 208 wrote to memory of 4368 208 vjppp.exe 100 PID 4368 wrote to memory of 1472 4368 hbbtnn.exe 101 PID 4368 wrote to memory of 1472 4368 hbbtnn.exe 101 PID 4368 wrote to memory of 1472 4368 hbbtnn.exe 101 PID 1472 wrote to memory of 4464 1472 djvpd.exe 102 PID 1472 wrote to memory of 4464 1472 djvpd.exe 102 PID 1472 wrote to memory of 4464 1472 djvpd.exe 102 PID 4464 wrote to memory of 3036 4464 bnbhtt.exe 103 PID 4464 wrote to memory of 3036 4464 bnbhtt.exe 103 PID 4464 wrote to memory of 3036 4464 bnbhtt.exe 103 PID 3036 wrote to memory of 1636 3036 840044.exe 104 PID 3036 wrote to memory of 1636 3036 840044.exe 104 PID 3036 wrote to memory of 1636 3036 840044.exe 104 PID 1636 wrote to memory of 4856 1636 4842004.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384.exe"C:\Users\Admin\AppData\Local\Temp\cab5a9e5d2efd344fefb74ad68f5da9c6e3b8c0d97d5ae51e7e5cf42a32e3384.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\424226.exec:\424226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\i064208.exec:\i064208.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\nnbbht.exec:\nnbbht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\044828.exec:\044828.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\rflfrrf.exec:\rflfrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\jpvpp.exec:\jpvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\e02660.exec:\e02660.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\tbbtnh.exec:\tbbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\4044846.exec:\4044846.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\g4082.exec:\g4082.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\466600.exec:\466600.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\lflxfxf.exec:\lflxfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\tnnhhh.exec:\tnnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\vvvdv.exec:\vvvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\2642828.exec:\2642828.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\vjppp.exec:\vjppp.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\hbbtnn.exec:\hbbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\djvpd.exec:\djvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\bnbhtt.exec:\bnbhtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\840044.exec:\840044.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\4842004.exec:\4842004.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\q82600.exec:\q82600.exe23⤵
- Executes dropped EXE
PID:4856 -
\??\c:\w66044.exec:\w66044.exe24⤵
- Executes dropped EXE
PID:4052 -
\??\c:\rrlffff.exec:\rrlffff.exe25⤵
- Executes dropped EXE
PID:2380 -
\??\c:\28288.exec:\28288.exe26⤵
- Executes dropped EXE
PID:3892 -
\??\c:\rflxrlf.exec:\rflxrlf.exe27⤵
- Executes dropped EXE
PID:1900 -
\??\c:\pjjpd.exec:\pjjpd.exe28⤵
- Executes dropped EXE
PID:3648 -
\??\c:\q80444.exec:\q80444.exe29⤵
- Executes dropped EXE
PID:688 -
\??\c:\0284482.exec:\0284482.exe30⤵
- Executes dropped EXE
PID:4176 -
\??\c:\8282666.exec:\8282666.exe31⤵
- Executes dropped EXE
PID:3592 -
\??\c:\nbbnht.exec:\nbbnht.exe32⤵
- Executes dropped EXE
PID:1316 -
\??\c:\e66082.exec:\e66082.exe33⤵
- Executes dropped EXE
PID:712 -
\??\c:\flrlffx.exec:\flrlffx.exe34⤵
- Executes dropped EXE
PID:4564 -
\??\c:\g8048.exec:\g8048.exe35⤵
- Executes dropped EXE
PID:1460 -
\??\c:\tntnbt.exec:\tntnbt.exe36⤵
- Executes dropped EXE
PID:3048 -
\??\c:\1dddd.exec:\1dddd.exe37⤵
- Executes dropped EXE
PID:4952 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe38⤵
- Executes dropped EXE
PID:900 -
\??\c:\8844226.exec:\8844226.exe39⤵
- Executes dropped EXE
PID:2776 -
\??\c:\7ttttt.exec:\7ttttt.exe40⤵
- Executes dropped EXE
PID:4584 -
\??\c:\6448604.exec:\6448604.exe41⤵
- Executes dropped EXE
PID:2704 -
\??\c:\pjdvp.exec:\pjdvp.exe42⤵
- Executes dropped EXE
PID:4220 -
\??\c:\4242626.exec:\4242626.exe43⤵
- Executes dropped EXE
PID:4132 -
\??\c:\xffxllf.exec:\xffxllf.exe44⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lfffxrr.exec:\lfffxrr.exe45⤵
- Executes dropped EXE
PID:4748 -
\??\c:\606600.exec:\606600.exe46⤵
- Executes dropped EXE
PID:4440 -
\??\c:\002844.exec:\002844.exe47⤵
- Executes dropped EXE
PID:2212 -
\??\c:\824822.exec:\824822.exe48⤵
- Executes dropped EXE
PID:4852 -
\??\c:\vpvpd.exec:\vpvpd.exe49⤵
- Executes dropped EXE
PID:4360 -
\??\c:\04046.exec:\04046.exe50⤵
- Executes dropped EXE
PID:1684 -
\??\c:\1ffxrxr.exec:\1ffxrxr.exe51⤵
- Executes dropped EXE
PID:3632 -
\??\c:\86604.exec:\86604.exe52⤵
- Executes dropped EXE
PID:700 -
\??\c:\9rlrlrl.exec:\9rlrlrl.exe53⤵
- Executes dropped EXE
PID:3596 -
\??\c:\dvjdj.exec:\dvjdj.exe54⤵
- Executes dropped EXE
PID:2036 -
\??\c:\rrxxfrx.exec:\rrxxfrx.exe55⤵
- Executes dropped EXE
PID:3416 -
\??\c:\1thbhn.exec:\1thbhn.exe56⤵
- Executes dropped EXE
PID:3820 -
\??\c:\hthbtt.exec:\hthbtt.exe57⤵
- Executes dropped EXE
PID:1668 -
\??\c:\4466444.exec:\4466444.exe58⤵
- Executes dropped EXE
PID:4704 -
\??\c:\o266004.exec:\o266004.exe59⤵
- Executes dropped EXE
PID:316 -
\??\c:\pjpjj.exec:\pjpjj.exe60⤵
- Executes dropped EXE
PID:4136 -
\??\c:\fxxrffx.exec:\fxxrffx.exe61⤵
- Executes dropped EXE
PID:4020 -
\??\c:\64044.exec:\64044.exe62⤵
- Executes dropped EXE
PID:3672 -
\??\c:\xxlllrf.exec:\xxlllrf.exe63⤵
- Executes dropped EXE
PID:4500 -
\??\c:\hntbht.exec:\hntbht.exe64⤵
- Executes dropped EXE
PID:2220 -
\??\c:\86888.exec:\86888.exe65⤵
- Executes dropped EXE
PID:4808 -
\??\c:\jpdvp.exec:\jpdvp.exe66⤵PID:3844
-
\??\c:\2680400.exec:\2680400.exe67⤵PID:2728
-
\??\c:\jvvvp.exec:\jvvvp.exe68⤵PID:3972
-
\??\c:\pjdvp.exec:\pjdvp.exe69⤵PID:4072
-
\??\c:\pdjdj.exec:\pdjdj.exe70⤵PID:4352
-
\??\c:\0686226.exec:\0686226.exe71⤵PID:2968
-
\??\c:\044266.exec:\044266.exe72⤵PID:3824
-
\??\c:\1xfxrrr.exec:\1xfxrrr.exe73⤵PID:2464
-
\??\c:\jpvpj.exec:\jpvpj.exe74⤵PID:2360
-
\??\c:\5xrllfx.exec:\5xrllfx.exe75⤵PID:1472
-
\??\c:\22440.exec:\22440.exe76⤵PID:4464
-
\??\c:\42488.exec:\42488.exe77⤵PID:3036
-
\??\c:\btthbb.exec:\btthbb.exe78⤵PID:2908
-
\??\c:\frfxrlf.exec:\frfxrlf.exe79⤵PID:4056
-
\??\c:\rlrrffx.exec:\rlrrffx.exe80⤵PID:776
-
\??\c:\vppjd.exec:\vppjd.exe81⤵PID:1132
-
\??\c:\840444.exec:\840444.exe82⤵PID:3016
-
\??\c:\262646.exec:\262646.exe83⤵PID:4052
-
\??\c:\4686442.exec:\4686442.exe84⤵PID:3336
-
\??\c:\7jpdv.exec:\7jpdv.exe85⤵PID:2364
-
\??\c:\q84226.exec:\q84226.exe86⤵PID:2504
-
\??\c:\4882000.exec:\4882000.exe87⤵PID:2160
-
\??\c:\rrrllfl.exec:\rrrllfl.exe88⤵PID:4956
-
\??\c:\q80826.exec:\q80826.exe89⤵PID:5092
-
\??\c:\04482.exec:\04482.exe90⤵PID:4840
-
\??\c:\2848222.exec:\2848222.exe91⤵PID:3032
-
\??\c:\jvdvp.exec:\jvdvp.exe92⤵PID:3316
-
\??\c:\88404.exec:\88404.exe93⤵PID:2628
-
\??\c:\0804040.exec:\0804040.exe94⤵PID:1488
-
\??\c:\5pjdp.exec:\5pjdp.exe95⤵PID:1976
-
\??\c:\208222.exec:\208222.exe96⤵PID:2492
-
\??\c:\88088.exec:\88088.exe97⤵PID:2020
-
\??\c:\42484.exec:\42484.exe98⤵PID:2860
-
\??\c:\844482.exec:\844482.exe99⤵PID:2560
-
\??\c:\084200.exec:\084200.exe100⤵
- System Location Discovery: System Language Discovery
PID:4628 -
\??\c:\028200.exec:\028200.exe101⤵PID:1972
-
\??\c:\3btnbb.exec:\3btnbb.exe102⤵PID:4472
-
\??\c:\880400.exec:\880400.exe103⤵PID:2976
-
\??\c:\thnnhh.exec:\thnnhh.exe104⤵PID:2800
-
\??\c:\hbhbnn.exec:\hbhbnn.exe105⤵PID:1732
-
\??\c:\pjpjd.exec:\pjpjd.exe106⤵PID:2080
-
\??\c:\48482.exec:\48482.exe107⤵PID:4424
-
\??\c:\484826.exec:\484826.exe108⤵PID:876
-
\??\c:\jpvpj.exec:\jpvpj.exe109⤵PID:4216
-
\??\c:\nhhbth.exec:\nhhbth.exe110⤵PID:4188
-
\??\c:\228446.exec:\228446.exe111⤵
- System Location Discovery: System Language Discovery
PID:2388 -
\??\c:\fflxrrl.exec:\fflxrrl.exe112⤵PID:3628
-
\??\c:\lxxrllf.exec:\lxxrllf.exe113⤵PID:1912
-
\??\c:\4448260.exec:\4448260.exe114⤵PID:4340
-
\??\c:\42826.exec:\42826.exe115⤵PID:700
-
\??\c:\7vdvd.exec:\7vdvd.exe116⤵PID:864
-
\??\c:\thnbnn.exec:\thnbnn.exe117⤵PID:2036
-
\??\c:\0282226.exec:\0282226.exe118⤵PID:4640
-
\??\c:\40604.exec:\40604.exe119⤵PID:5040
-
\??\c:\xrrlxlf.exec:\xrrlxlf.exe120⤵PID:2012
-
\??\c:\dpvjd.exec:\dpvjd.exe121⤵PID:4480
-
\??\c:\jpvvp.exec:\jpvvp.exe122⤵PID:4548