Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 20:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe
-
Size
453KB
-
MD5
56323addaaeb8269821b75e373f2bb90
-
SHA1
1b94c54762a065dcf8415dc37cf8f4aec847e886
-
SHA256
cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7fae
-
SHA512
9367ab394fb39fb79b2ba882e5f4b7fd4f321aa870c0dc6afa1a9ceb5fa5ffa09b69e6d63199836379db380f514cc422facddaee966518256a1afedef8489c32
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2132-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-54-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2880-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2928-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-152-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1144-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-309-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2692-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-347-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-362-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2084-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1188-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-415-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2920-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/504-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/504-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-459-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2160-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-665-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/536-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/644-709-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/976-967-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/976-968-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2796-977-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2760-990-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1632-1009-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2304-1066-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1620 1vpdp.exe 2360 xlllfxr.exe 876 nhbnbh.exe 2260 rrfrflf.exe 2880 9tnnnt.exe 2728 lfxxxfr.exe 2868 rxrxffr.exe 1596 ddpdj.exe 2584 5ffflxr.exe 2660 9bttbh.exe 2752 jjjpj.exe 1676 nbnntb.exe 2928 nhtttt.exe 1528 7jdpv.exe 2760 9xlxlfr.exe 776 jjjpj.exe 2768 jdppv.exe 308 7lfflrr.exe 1740 1btbhn.exe 2992 jdvpd.exe 684 nthtbh.exe 2564 7pddv.exe 676 rxrlllr.exe 604 bthnbb.exe 2152 pdvpd.exe 1284 5lxlxlx.exe 2556 tnbnbb.exe 2520 dvjpd.exe 2352 xfffrrr.exe 1144 ntthbh.exe 112 ttnntb.exe 2548 xxrxlrx.exe 2412 5tttnt.exe 3048 nttbbb.exe 1588 7pddv.exe 1780 jddpd.exe 1984 rrlrffr.exe 2692 nhbhbt.exe 2884 hhbhth.exe 3064 ppppd.exe 2592 pjvdp.exe 2904 llrrflx.exe 2868 hbthtb.exe 2848 bhbhnn.exe 2240 3vjdv.exe 2340 pjjpj.exe 2084 xxllxfr.exe 1664 xxfrrfx.exe 1472 9bnhnt.exe 1188 1pjdv.exe 2852 9vvdj.exe 1528 fxlllxf.exe 2920 bttbtb.exe 504 vjjpp.exe 264 rlxfxxl.exe 2284 bhbthh.exe 2976 pjdpd.exe 300 hbtbth.exe 344 jddjp.exe 2160 xlxrxxl.exe 1668 1rxfxfx.exe 1408 jvvpp.exe 676 fxrrfll.exe 1684 ddvdp.exe -
resource yara_rule behavioral1/memory/1620-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-334-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2884-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1188-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/504-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/504-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-503-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/868-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-1002-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/448-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfllr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flrflx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 1620 2132 cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe 30 PID 2132 wrote to memory of 1620 2132 cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe 30 PID 2132 wrote to memory of 1620 2132 cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe 30 PID 2132 wrote to memory of 1620 2132 cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe 30 PID 1620 wrote to memory of 2360 1620 1vpdp.exe 31 PID 1620 wrote to memory of 2360 1620 1vpdp.exe 31 PID 1620 wrote to memory of 2360 1620 1vpdp.exe 31 PID 1620 wrote to memory of 2360 1620 1vpdp.exe 31 PID 2360 wrote to memory of 876 2360 xlllfxr.exe 32 PID 2360 wrote to memory of 876 2360 xlllfxr.exe 32 PID 2360 wrote to memory of 876 2360 xlllfxr.exe 32 PID 2360 wrote to memory of 876 2360 xlllfxr.exe 32 PID 876 wrote to memory of 2260 876 nhbnbh.exe 33 PID 876 wrote to memory of 2260 876 nhbnbh.exe 33 PID 876 wrote to memory of 2260 876 nhbnbh.exe 33 PID 876 wrote to memory of 2260 876 nhbnbh.exe 33 PID 2260 wrote to memory of 2880 2260 rrfrflf.exe 34 PID 2260 wrote to memory of 2880 2260 rrfrflf.exe 34 PID 2260 wrote to memory of 2880 2260 rrfrflf.exe 34 PID 2260 wrote to memory of 2880 2260 rrfrflf.exe 34 PID 2880 wrote to memory of 2728 2880 9tnnnt.exe 35 PID 2880 wrote to memory of 2728 2880 9tnnnt.exe 35 PID 2880 wrote to memory of 2728 2880 9tnnnt.exe 35 PID 2880 wrote to memory of 2728 2880 9tnnnt.exe 35 PID 2728 wrote to memory of 2868 2728 lfxxxfr.exe 36 PID 2728 wrote to memory of 2868 2728 lfxxxfr.exe 36 PID 2728 wrote to memory of 2868 2728 lfxxxfr.exe 36 PID 2728 wrote to memory of 2868 2728 lfxxxfr.exe 36 PID 2868 wrote to memory of 1596 2868 rxrxffr.exe 37 PID 2868 wrote to memory of 1596 2868 rxrxffr.exe 37 PID 2868 wrote to memory of 1596 2868 rxrxffr.exe 37 PID 2868 wrote to memory of 1596 2868 rxrxffr.exe 37 PID 1596 wrote to memory of 2584 1596 ddpdj.exe 38 PID 1596 
wrote to memory of 2584 1596 ddpdj.exe 38 PID 1596 wrote to memory of 2584 1596 ddpdj.exe 38 PID 1596 wrote to memory of 2584 1596 ddpdj.exe 38 PID 2584 wrote to memory of 2660 2584 5ffflxr.exe 39 PID 2584 wrote to memory of 2660 2584 5ffflxr.exe 39 PID 2584 wrote to memory of 2660 2584 5ffflxr.exe 39 PID 2584 wrote to memory of 2660 2584 5ffflxr.exe 39 PID 2660 wrote to memory of 2752 2660 9bttbh.exe 40 PID 2660 wrote to memory of 2752 2660 9bttbh.exe 40 PID 2660 wrote to memory of 2752 2660 9bttbh.exe 40 PID 2660 wrote to memory of 2752 2660 9bttbh.exe 40 PID 2752 wrote to memory of 1676 2752 jjjpj.exe 41 PID 2752 wrote to memory of 1676 2752 jjjpj.exe 41 PID 2752 wrote to memory of 1676 2752 jjjpj.exe 41 PID 2752 wrote to memory of 1676 2752 jjjpj.exe 41 PID 1676 wrote to memory of 2928 1676 nbnntb.exe 42 PID 1676 wrote to memory of 2928 1676 nbnntb.exe 42 PID 1676 wrote to memory of 2928 1676 nbnntb.exe 42 PID 1676 wrote to memory of 2928 1676 nbnntb.exe 42 PID 2928 wrote to memory of 1528 2928 nhtttt.exe 81 PID 2928 wrote to memory of 1528 2928 nhtttt.exe 81 PID 2928 wrote to memory of 1528 2928 nhtttt.exe 81 PID 2928 wrote to memory of 1528 2928 nhtttt.exe 81 PID 1528 wrote to memory of 2760 1528 7jdpv.exe 44 PID 1528 wrote to memory of 2760 1528 7jdpv.exe 44 PID 1528 wrote to memory of 2760 1528 7jdpv.exe 44 PID 1528 wrote to memory of 2760 1528 7jdpv.exe 44 PID 2760 wrote to memory of 776 2760 9xlxlfr.exe 45 PID 2760 wrote to memory of 776 2760 9xlxlfr.exe 45 PID 2760 wrote to memory of 776 2760 9xlxlfr.exe 45 PID 2760 wrote to memory of 776 2760 9xlxlfr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe"C:\Users\Admin\AppData\Local\Temp\cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\1vpdp.exec:\1vpdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\xlllfxr.exec:\xlllfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\nhbnbh.exec:\nhbnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\rrfrflf.exec:\rrfrflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\9tnnnt.exec:\9tnnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\lfxxxfr.exec:\lfxxxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\rxrxffr.exec:\rxrxffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\ddpdj.exec:\ddpdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\5ffflxr.exec:\5ffflxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\9bttbh.exec:\9bttbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\jjjpj.exec:\jjjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\nbnntb.exec:\nbnntb.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\nhtttt.exec:\nhtttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\7jdpv.exec:\7jdpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\9xlxlfr.exec:\9xlxlfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\jjjpj.exec:\jjjpj.exe17⤵
- Executes dropped EXE
PID:776 -
\??\c:\jdppv.exec:\jdppv.exe18⤵
- Executes dropped EXE
PID:2768 -
\??\c:\7lfflrr.exec:\7lfflrr.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:308 -
\??\c:\1btbhn.exec:\1btbhn.exe20⤵
- Executes dropped EXE
PID:1740 -
\??\c:\jdvpd.exec:\jdvpd.exe21⤵
- Executes dropped EXE
PID:2992 -
\??\c:\nthtbh.exec:\nthtbh.exe22⤵
- Executes dropped EXE
PID:684 -
\??\c:\7pddv.exec:\7pddv.exe23⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rxrlllr.exec:\rxrlllr.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:676 -
\??\c:\bthnbb.exec:\bthnbb.exe25⤵
- Executes dropped EXE
PID:604 -
\??\c:\pdvpd.exec:\pdvpd.exe26⤵
- Executes dropped EXE
PID:2152 -
\??\c:\5lxlxlx.exec:\5lxlxlx.exe27⤵
- Executes dropped EXE
PID:1284 -
\??\c:\tnbnbb.exec:\tnbnbb.exe28⤵
- Executes dropped EXE
PID:2556 -
\??\c:\dvjpd.exec:\dvjpd.exe29⤵
- Executes dropped EXE
PID:2520 -
\??\c:\xfffrrr.exec:\xfffrrr.exe30⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ntthbh.exec:\ntthbh.exe31⤵
- Executes dropped EXE
PID:1144 -
\??\c:\ttnntb.exec:\ttnntb.exe32⤵
- Executes dropped EXE
PID:112 -
\??\c:\xxrxlrx.exec:\xxrxlrx.exe33⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5tttnt.exec:\5tttnt.exe34⤵
- Executes dropped EXE
PID:2412 -
\??\c:\nttbbb.exec:\nttbbb.exe35⤵
- Executes dropped EXE
PID:3048 -
\??\c:\7pddv.exec:\7pddv.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\jddpd.exec:\jddpd.exe37⤵
- Executes dropped EXE
PID:1780 -
\??\c:\rrlrffr.exec:\rrlrffr.exe38⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nhbhbt.exec:\nhbhbt.exe39⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hhbhth.exec:\hhbhth.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\ppppd.exec:\ppppd.exe41⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pjvdp.exec:\pjvdp.exe42⤵
- Executes dropped EXE
PID:2592 -
\??\c:\llrrflx.exec:\llrrflx.exe43⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hbthtb.exec:\hbthtb.exe44⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bhbhnn.exec:\bhbhnn.exe45⤵
- Executes dropped EXE
PID:2848 -
\??\c:\3vjdv.exec:\3vjdv.exe46⤵
- Executes dropped EXE
PID:2240 -
\??\c:\pjjpj.exec:\pjjpj.exe47⤵
- Executes dropped EXE
PID:2340 -
\??\c:\xxllxfr.exec:\xxllxfr.exe48⤵
- Executes dropped EXE
PID:2084 -
\??\c:\xxfrrfx.exec:\xxfrrfx.exe49⤵
- Executes dropped EXE
PID:1664 -
\??\c:\9bnhnt.exec:\9bnhnt.exe50⤵
- Executes dropped EXE
PID:1472 -
\??\c:\1pjdv.exec:\1pjdv.exe51⤵
- Executes dropped EXE
PID:1188 -
\??\c:\9vvdj.exec:\9vvdj.exe52⤵
- Executes dropped EXE
PID:2852 -
\??\c:\fxlllxf.exec:\fxlllxf.exe53⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bttbtb.exec:\bttbtb.exe54⤵
- Executes dropped EXE
PID:2920 -
\??\c:\vjjpp.exec:\vjjpp.exe55⤵
- Executes dropped EXE
PID:504 -
\??\c:\rlxfxxl.exec:\rlxfxxl.exe56⤵
- Executes dropped EXE
PID:264 -
\??\c:\bhbthh.exec:\bhbthh.exe57⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pjdpd.exec:\pjdpd.exe58⤵
- Executes dropped EXE
PID:2976 -
\??\c:\hbtbth.exec:\hbtbth.exe59⤵
- Executes dropped EXE
PID:300 -
\??\c:\jddjp.exec:\jddjp.exe60⤵
- Executes dropped EXE
PID:344 -
\??\c:\xlxrxxl.exec:\xlxrxxl.exe61⤵
- Executes dropped EXE
PID:2160 -
\??\c:\1rxfxfx.exec:\1rxfxfx.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\jvvpp.exec:\jvvpp.exe63⤵
- Executes dropped EXE
PID:1408 -
\??\c:\fxrrfll.exec:\fxrrfll.exe64⤵
- Executes dropped EXE
PID:676 -
\??\c:\ddvdp.exec:\ddvdp.exe65⤵
- Executes dropped EXE
PID:1684 -
\??\c:\llflrxx.exec:\llflrxx.exe66⤵PID:868
-
\??\c:\3xxfllx.exec:\3xxfllx.exe67⤵PID:1284
-
\??\c:\hhhnhh.exec:\hhhnhh.exe68⤵PID:488
-
\??\c:\3jpvv.exec:\3jpvv.exe69⤵PID:2140
-
\??\c:\dvpdv.exec:\dvpdv.exe70⤵PID:2520
-
\??\c:\fxffllr.exec:\fxffllr.exe71⤵PID:2272
-
\??\c:\nhbhnn.exec:\nhbhnn.exe72⤵PID:2436
-
\??\c:\pppjp.exec:\pppjp.exe73⤵PID:1788
-
\??\c:\vpvdd.exec:\vpvdd.exe74⤵PID:1764
-
\??\c:\fxrxllf.exec:\fxrxllf.exe75⤵PID:2532
-
\??\c:\nhbbtt.exec:\nhbbtt.exe76⤵PID:1988
-
\??\c:\jdvvp.exec:\jdvvp.exe77⤵PID:3044
-
\??\c:\vvpdp.exec:\vvpdp.exe78⤵PID:2232
-
\??\c:\7xfrllr.exec:\7xfrllr.exe79⤵PID:1288
-
\??\c:\nhtthh.exec:\nhtthh.exe80⤵PID:876
-
\??\c:\ntthht.exec:\ntthht.exe81⤵PID:2872
-
\??\c:\djdjd.exec:\djdjd.exe82⤵PID:2732
-
\??\c:\llxflrf.exec:\llxflrf.exe83⤵PID:3060
-
\??\c:\nnhnbb.exec:\nnhnbb.exe84⤵PID:2856
-
\??\c:\btbhnt.exec:\btbhnt.exe85⤵PID:3056
-
\??\c:\vvpjd.exec:\vvpjd.exe86⤵PID:2672
-
\??\c:\5xrlxlx.exec:\5xrlxlx.exe87⤵PID:2900
-
\??\c:\1htntt.exec:\1htntt.exe88⤵PID:2584
-
\??\c:\bbtnnn.exec:\bbtnnn.exe89⤵PID:2704
-
\??\c:\vpdjv.exec:\vpdjv.exe90⤵PID:1784
-
\??\c:\xlxxxxx.exec:\xlxxxxx.exe91⤵PID:2084
-
\??\c:\xrffllr.exec:\xrffllr.exe92⤵PID:2428
-
\??\c:\nhtbbt.exec:\nhtbbt.exe93⤵PID:1724
-
\??\c:\7jddp.exec:\7jddp.exe94⤵PID:1188
-
\??\c:\3vvjv.exec:\3vvjv.exe95⤵PID:536
-
\??\c:\xxxrfll.exec:\xxxrfll.exe96⤵PID:644
-
\??\c:\nhttbt.exec:\nhttbt.exe97⤵PID:1012
-
\??\c:\djjdv.exec:\djjdv.exe98⤵PID:1636
-
\??\c:\jvjjp.exec:\jvjjp.exe99⤵PID:1632
-
\??\c:\fxlrxlx.exec:\fxlrxlx.exe100⤵PID:308
-
\??\c:\httbbt.exec:\httbbt.exe101⤵PID:3024
-
\??\c:\nhbhhh.exec:\nhbhhh.exe102⤵PID:2976
-
\??\c:\vpdjj.exec:\vpdjj.exe103⤵PID:316
-
\??\c:\lrfxrxx.exec:\lrfxrxx.exe104⤵PID:344
-
\??\c:\lrffllf.exec:\lrffllf.exe105⤵PID:2444
-
\??\c:\9nhntt.exec:\9nhntt.exe106⤵PID:2680
-
\??\c:\dppvj.exec:\dppvj.exe107⤵PID:1408
-
\??\c:\dpvvj.exec:\dpvvj.exe108⤵PID:1980
-
\??\c:\rfxxfxl.exec:\rfxxfxl.exe109⤵PID:2152
-
\??\c:\nnnnnh.exec:\nnnnnh.exe110⤵PID:1212
-
\??\c:\1nttbt.exec:\1nttbt.exe111⤵PID:2540
-
\??\c:\dvjpp.exec:\dvjpp.exe112⤵
- System Location Discovery: System Language Discovery
PID:904 -
\??\c:\1xlrffl.exec:\1xlrffl.exe113⤵PID:1232
-
\??\c:\xxxlxrr.exec:\xxxlxrr.exe114⤵PID:352
-
\??\c:\btbbnn.exec:\btbbnn.exe115⤵PID:1036
-
\??\c:\ddvpd.exec:\ddvpd.exe116⤵PID:1144
-
\??\c:\5djjp.exec:\5djjp.exe117⤵PID:2388
-
\??\c:\7frrllx.exec:\7frrllx.exe118⤵PID:2664
-
\??\c:\btntbb.exec:\btntbb.exe119⤵PID:2452
-
\??\c:\9bttbn.exec:\9bttbn.exe120⤵PID:2396
-
\??\c:\jdddv.exec:\jdddv.exe121⤵PID:1584
-
\??\c:\rxrxlrl.exec:\rxrxlrl.exe122⤵PID:2344