Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 15:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe
-
Size
455KB
-
MD5
fdcb0d1c35362790c47d3496a73ae170
-
SHA1
b12e29a4bff892a257ac112af499888eadfeb77d
-
SHA256
faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7
-
SHA512
b84ee16844220c5b6969465ffa5fd53ee775c262ff1449ecee628b85bd1f5bddcea86b2e5aaddc9ca1cbabd29d8802e0888de6663194c05ce31127cbaaa3223a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRIJ:q7Tc2NYHUrAwfMp3CDRQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2332-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-36-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-91-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1916-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-161-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1944-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-226-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/356-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1556-241-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1556-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-274-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2476-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-532-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2348-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-665-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2676-677-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1732-708-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1744-729-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/796-780-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2480-885-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2880-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2480 hnhtbn.exe 2072 jdpvv.exe 2328 82464.exe 1752 26406.exe 2652 jpjvj.exe 2712 00408.exe 2952 fxxfrrx.exe 2780 fxllrrx.exe 2220 nhbhtt.exe 1916 5tnthn.exe 2556 1dpvd.exe 3020 xxffllf.exe 3032 4824068.exe 580 8206802.exe 2384 004022.exe 1316 2688680.exe 1944 dddjd.exe 2868 g6062.exe 2276 w42200.exe 2396 9xfrlrf.exe 2916 2028600.exe 2864 nbnbnn.exe 2856 404206.exe 764 g6624.exe 356 xfxfxfl.exe 1556 xlrxrff.exe 1520 60802.exe 2260 hbtbhn.exe 1736 vpdpd.exe 352 20286.exe 1492 ffxrfll.exe 2488 q62862.exe 2476 bnnnbb.exe 2480 824080.exe 2052 3nhnnn.exe 1604 60668.exe 2840 6606448.exe 1712 frrxlxl.exe 2224 hhhhbb.exe 2532 hthntt.exe 2704 a8620.exe 2944 frfxflr.exe 2952 vdddv.exe 2776 k08462.exe 2256 k46666.exe 2584 2084668.exe 2592 nnbhnn.exe 2604 jvjdj.exe 1312 4824068.exe 2044 7tntbh.exe 1792 rlflrxr.exe 2084 26008.exe 2384 i422884.exe 1264 tnhhtt.exe 1940 08224.exe 2860 602462.exe 1688 08622.exe 2900 8688668.exe 2176 8200668.exe 2924 5ffrxfl.exe 1892 flfrfrf.exe 280 hbbntb.exe 1592 4206442.exe 2844 frrrffl.exe -
resource yara_rule behavioral1/memory/2332-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-36-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2780-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/356-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-265-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1736-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-697-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2156-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-1134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-1202-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fllrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2200628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i028484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8228688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 404206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhtt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2332 wrote to memory of 2480 2332 faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe 30 PID 2332 wrote to memory of 2480 2332 faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe 30 PID 2332 wrote to memory of 2480 2332 faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe 30 PID 2332 wrote to memory of 2480 2332 faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe 30 PID 2480 wrote to memory of 2072 2480 hnhtbn.exe 31 PID 2480 wrote to memory of 2072 2480 hnhtbn.exe 31 PID 2480 wrote to memory of 2072 2480 hnhtbn.exe 31 PID 2480 wrote to memory of 2072 2480 hnhtbn.exe 31 PID 2072 wrote to memory of 2328 2072 jdpvv.exe 32 PID 2072 wrote to memory of 2328 2072 jdpvv.exe 32 PID 2072 wrote to memory of 2328 2072 jdpvv.exe 32 PID 2072 wrote to memory of 2328 2072 jdpvv.exe 32 PID 2328 wrote to memory of 1752 2328 82464.exe 33 PID 2328 wrote to memory of 1752 2328 82464.exe 33 PID 2328 wrote to memory of 1752 2328 82464.exe 33 PID 2328 wrote to memory of 1752 2328 82464.exe 33 PID 1752 wrote to memory of 2652 1752 26406.exe 34 PID 1752 wrote to memory of 2652 1752 26406.exe 34 PID 1752 wrote to memory of 2652 1752 26406.exe 34 PID 1752 wrote to memory of 2652 1752 26406.exe 34 PID 2652 wrote to memory of 2712 2652 jpjvj.exe 35 PID 2652 wrote to memory of 2712 2652 jpjvj.exe 35 PID 2652 wrote to memory of 2712 2652 jpjvj.exe 35 PID 2652 wrote to memory of 2712 2652 jpjvj.exe 35 PID 2712 wrote to memory of 2952 2712 00408.exe 36 PID 2712 wrote to memory of 2952 2712 00408.exe 36 PID 2712 wrote to memory of 2952 2712 00408.exe 36 PID 2712 wrote to memory of 2952 2712 00408.exe 36 PID 2952 wrote to memory of 2780 2952 fxxfrrx.exe 37 PID 2952 wrote to memory of 2780 2952 fxxfrrx.exe 37 PID 2952 wrote to memory of 2780 2952 fxxfrrx.exe 37 PID 2952 wrote to memory of 2780 2952 fxxfrrx.exe 37 PID 2780 wrote to memory of 2220 2780 fxllrrx.exe 38 PID 2780 wrote to memory 
of 2220 2780 fxllrrx.exe 38 PID 2780 wrote to memory of 2220 2780 fxllrrx.exe 38 PID 2780 wrote to memory of 2220 2780 fxllrrx.exe 38 PID 2220 wrote to memory of 1916 2220 nhbhtt.exe 39 PID 2220 wrote to memory of 1916 2220 nhbhtt.exe 39 PID 2220 wrote to memory of 1916 2220 nhbhtt.exe 39 PID 2220 wrote to memory of 1916 2220 nhbhtt.exe 39 PID 1916 wrote to memory of 2556 1916 5tnthn.exe 40 PID 1916 wrote to memory of 2556 1916 5tnthn.exe 40 PID 1916 wrote to memory of 2556 1916 5tnthn.exe 40 PID 1916 wrote to memory of 2556 1916 5tnthn.exe 40 PID 2556 wrote to memory of 3020 2556 1dpvd.exe 41 PID 2556 wrote to memory of 3020 2556 1dpvd.exe 41 PID 2556 wrote to memory of 3020 2556 1dpvd.exe 41 PID 2556 wrote to memory of 3020 2556 1dpvd.exe 41 PID 3020 wrote to memory of 3032 3020 xxffllf.exe 42 PID 3020 wrote to memory of 3032 3020 xxffllf.exe 42 PID 3020 wrote to memory of 3032 3020 xxffllf.exe 42 PID 3020 wrote to memory of 3032 3020 xxffllf.exe 42 PID 3032 wrote to memory of 580 3032 4824068.exe 43 PID 3032 wrote to memory of 580 3032 4824068.exe 43 PID 3032 wrote to memory of 580 3032 4824068.exe 43 PID 3032 wrote to memory of 580 3032 4824068.exe 43 PID 580 wrote to memory of 2384 580 8206802.exe 44 PID 580 wrote to memory of 2384 580 8206802.exe 44 PID 580 wrote to memory of 2384 580 8206802.exe 44 PID 580 wrote to memory of 2384 580 8206802.exe 44 PID 2384 wrote to memory of 1316 2384 004022.exe 45 PID 2384 wrote to memory of 1316 2384 004022.exe 45 PID 2384 wrote to memory of 1316 2384 004022.exe 45 PID 2384 wrote to memory of 1316 2384 004022.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe"C:\Users\Admin\AppData\Local\Temp\faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\hnhtbn.exec:\hnhtbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\jdpvv.exec:\jdpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\82464.exec:\82464.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\26406.exec:\26406.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\jpjvj.exec:\jpjvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\00408.exec:\00408.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\fxxfrrx.exec:\fxxfrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\fxllrrx.exec:\fxllrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\nhbhtt.exec:\nhbhtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\5tnthn.exec:\5tnthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\1dpvd.exec:\1dpvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\xxffllf.exec:\xxffllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\4824068.exec:\4824068.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\8206802.exec:\8206802.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\004022.exec:\004022.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\2688680.exec:\2688680.exe17⤵
- Executes dropped EXE
PID:1316 -
\??\c:\dddjd.exec:\dddjd.exe18⤵
- Executes dropped EXE
PID:1944 -
\??\c:\g6062.exec:\g6062.exe19⤵
- Executes dropped EXE
PID:2868 -
\??\c:\w42200.exec:\w42200.exe20⤵
- Executes dropped EXE
PID:2276 -
\??\c:\9xfrlrf.exec:\9xfrlrf.exe21⤵
- Executes dropped EXE
PID:2396 -
\??\c:\2028600.exec:\2028600.exe22⤵
- Executes dropped EXE
PID:2916 -
\??\c:\nbnbnn.exec:\nbnbnn.exe23⤵
- Executes dropped EXE
PID:2864 -
\??\c:\404206.exec:\404206.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\g6624.exec:\g6624.exe25⤵
- Executes dropped EXE
PID:764 -
\??\c:\xfxfxfl.exec:\xfxfxfl.exe26⤵
- Executes dropped EXE
PID:356 -
\??\c:\xlrxrff.exec:\xlrxrff.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\60802.exec:\60802.exe28⤵
- Executes dropped EXE
PID:1520 -
\??\c:\hbtbhn.exec:\hbtbhn.exe29⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vpdpd.exec:\vpdpd.exe30⤵
- Executes dropped EXE
PID:1736 -
\??\c:\20286.exec:\20286.exe31⤵
- Executes dropped EXE
PID:352 -
\??\c:\ffxrfll.exec:\ffxrfll.exe32⤵
- Executes dropped EXE
PID:1492 -
\??\c:\q62862.exec:\q62862.exe33⤵
- Executes dropped EXE
PID:2488 -
\??\c:\bnnnbb.exec:\bnnnbb.exe34⤵
- Executes dropped EXE
PID:2476 -
\??\c:\824080.exec:\824080.exe35⤵
- Executes dropped EXE
PID:2480 -
\??\c:\3nhnnn.exec:\3nhnnn.exe36⤵
- Executes dropped EXE
PID:2052 -
\??\c:\60668.exec:\60668.exe37⤵
- Executes dropped EXE
PID:1604 -
\??\c:\6606448.exec:\6606448.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\frrxlxl.exec:\frrxlxl.exe39⤵
- Executes dropped EXE
PID:1712 -
\??\c:\hhhhbb.exec:\hhhhbb.exe40⤵
- Executes dropped EXE
PID:2224 -
\??\c:\hthntt.exec:\hthntt.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532 -
\??\c:\a8620.exec:\a8620.exe42⤵
- Executes dropped EXE
PID:2704 -
\??\c:\frfxflr.exec:\frfxflr.exe43⤵
- Executes dropped EXE
PID:2944 -
\??\c:\vdddv.exec:\vdddv.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\k08462.exec:\k08462.exe45⤵
- Executes dropped EXE
PID:2776 -
\??\c:\k46666.exec:\k46666.exe46⤵
- Executes dropped EXE
PID:2256 -
\??\c:\2084668.exec:\2084668.exe47⤵
- Executes dropped EXE
PID:2584 -
\??\c:\nnbhnn.exec:\nnbhnn.exe48⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jvjdj.exec:\jvjdj.exe49⤵
- Executes dropped EXE
PID:2604 -
\??\c:\4824068.exec:\4824068.exe50⤵
- Executes dropped EXE
PID:1312 -
\??\c:\7tntbh.exec:\7tntbh.exe51⤵
- Executes dropped EXE
PID:2044 -
\??\c:\rlflrxr.exec:\rlflrxr.exe52⤵
- Executes dropped EXE
PID:1792 -
\??\c:\26008.exec:\26008.exe53⤵
- Executes dropped EXE
PID:2084 -
\??\c:\i422884.exec:\i422884.exe54⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tnhhtt.exec:\tnhhtt.exe55⤵
- Executes dropped EXE
PID:1264 -
\??\c:\08224.exec:\08224.exe56⤵
- Executes dropped EXE
PID:1940 -
\??\c:\602462.exec:\602462.exe57⤵
- Executes dropped EXE
PID:2860 -
\??\c:\08622.exec:\08622.exe58⤵
- Executes dropped EXE
PID:1688 -
\??\c:\8688668.exec:\8688668.exe59⤵
- Executes dropped EXE
PID:2900 -
\??\c:\8200668.exec:\8200668.exe60⤵
- Executes dropped EXE
PID:2176 -
\??\c:\5ffrxfl.exec:\5ffrxfl.exe61⤵
- Executes dropped EXE
PID:2924 -
\??\c:\flfrfrf.exec:\flfrfrf.exe62⤵
- Executes dropped EXE
PID:1892 -
\??\c:\hbbntb.exec:\hbbntb.exe63⤵
- Executes dropped EXE
PID:280 -
\??\c:\4206442.exec:\4206442.exe64⤵
- Executes dropped EXE
PID:1592 -
\??\c:\frrrffl.exec:\frrrffl.exe65⤵
- Executes dropped EXE
PID:2844 -
\??\c:\dpddp.exec:\dpddp.exe66⤵PID:1624
-
\??\c:\xxlrxfr.exec:\xxlrxfr.exe67⤵PID:2460
-
\??\c:\xxllflr.exec:\xxllflr.exe68⤵PID:1552
-
\??\c:\04284.exec:\04284.exe69⤵PID:916
-
\??\c:\thbbhn.exec:\thbbhn.exe70⤵PID:952
-
\??\c:\e04680.exec:\e04680.exe71⤵PID:488
-
\??\c:\k04022.exec:\k04022.exe72⤵PID:2204
-
\??\c:\48246.exec:\48246.exe73⤵PID:1736
-
\??\c:\8288440.exec:\8288440.exe74⤵PID:320
-
\??\c:\q64062.exec:\q64062.exe75⤵PID:584
-
\??\c:\1lxfllr.exec:\1lxfllr.exe76⤵PID:784
-
\??\c:\9ttbhn.exec:\9ttbhn.exe77⤵PID:2488
-
\??\c:\7jvdj.exec:\7jvdj.exe78⤵PID:2112
-
\??\c:\3thhbt.exec:\3thhbt.exe79⤵PID:2504
-
\??\c:\20240.exec:\20240.exe80⤵PID:2348
-
\??\c:\u644204.exec:\u644204.exe81⤵PID:2052
-
\??\c:\btnbnt.exec:\btnbnt.exe82⤵PID:2068
-
\??\c:\080628.exec:\080628.exe83⤵PID:2840
-
\??\c:\hbnnnt.exec:\hbnnnt.exe84⤵PID:2128
-
\??\c:\vvvvj.exec:\vvvvj.exe85⤵PID:2800
-
\??\c:\u462224.exec:\u462224.exe86⤵PID:2532
-
\??\c:\pjvdp.exec:\pjvdp.exe87⤵PID:2688
-
\??\c:\0862402.exec:\0862402.exe88⤵PID:2944
-
\??\c:\w68462.exec:\w68462.exe89⤵PID:2692
-
\??\c:\hbhnnt.exec:\hbhnnt.exe90⤵PID:2756
-
\??\c:\4862880.exec:\4862880.exe91⤵PID:2676
-
\??\c:\rrfrlxr.exec:\rrfrlxr.exe92⤵PID:2584
-
\??\c:\pjdpd.exec:\pjdpd.exe93⤵PID:2612
-
\??\c:\606660.exec:\606660.exe94⤵PID:3020
-
\??\c:\26462.exec:\26462.exe95⤵PID:2732
-
\??\c:\048862.exec:\048862.exe96⤵PID:1732
-
\??\c:\fffrlxr.exec:\fffrlxr.exe97⤵PID:1792
-
\??\c:\e22862.exec:\e22862.exe98⤵PID:1988
-
\??\c:\1tntnt.exec:\1tntnt.exe99⤵PID:1744
-
\??\c:\7jvvv.exec:\7jvvv.exe100⤵PID:1264
-
\??\c:\xffflrf.exec:\xffflrf.exe101⤵PID:1940
-
\??\c:\2040880.exec:\2040880.exe102⤵PID:2868
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe103⤵PID:2548
-
\??\c:\4824280.exec:\4824280.exe104⤵PID:2432
-
\??\c:\ppvjp.exec:\ppvjp.exe105⤵PID:2156
-
\??\c:\04220.exec:\04220.exe106⤵
- System Location Discovery: System Language Discovery
PID:2904 -
\??\c:\7nnnbh.exec:\7nnnbh.exe107⤵PID:796
-
\??\c:\nbbnbb.exec:\nbbnbb.exe108⤵PID:280
-
\??\c:\ffxflrf.exec:\ffxflrf.exe109⤵PID:956
-
\??\c:\fxllrxl.exec:\fxllrxl.exe110⤵PID:1772
-
\??\c:\s2008.exec:\s2008.exe111⤵PID:1624
-
\??\c:\m0408.exec:\m0408.exe112⤵
- System Location Discovery: System Language Discovery
PID:2168 -
\??\c:\bbthnt.exec:\bbthnt.exe113⤵PID:1552
-
\??\c:\226246.exec:\226246.exe114⤵PID:1564
-
\??\c:\8828066.exec:\8828066.exe115⤵PID:2436
-
\??\c:\486222.exec:\486222.exe116⤵PID:2292
-
\??\c:\ttnbnt.exec:\ttnbnt.exe117⤵PID:1516
-
\??\c:\264466.exec:\264466.exe118⤵
- System Location Discovery: System Language Discovery
PID:352 -
\??\c:\086622.exec:\086622.exe119⤵PID:2424
-
\??\c:\nntbnn.exec:\nntbnn.exe120⤵PID:2332
-
\??\c:\9llfxfr.exec:\9llfxfr.exe121⤵PID:2024
-
\??\c:\nbtnbb.exec:\nbtnbb.exe122⤵
- System Location Discovery: System Language Discovery
PID:2512