Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 04:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe
-
Size
453KB
-
MD5
33ba11f8f56212499259848b6df9881e
-
SHA1
bbd0e672f626ade8e933d06097bde31becac5f45
-
SHA256
cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46
-
SHA512
74af959675c9e9189a9e595280881120a86c72d4815bf3b86f9d232f3bdd662b032c42f9d5a304a0354f3629f54ef0993242403c7a57dd288de11f1cf81fb47a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2176-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-45-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/652-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-65-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-84-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1752-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1104-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1680-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1680-228-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-241-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1768-250-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2480-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/652-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-372-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2916-386-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2808-408-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/3012-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-508-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2484-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-671-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1928-693-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1968-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-910-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2440-960-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2204-1029-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-1322-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2532 nhbbnn.exe 3028 4800224.exe 2600 604088.exe 2332 llxxfxf.exe 652 pjddp.exe 2948 8266222.exe 2960 9jjdj.exe 2848 rxlllxf.exe 1752 42822.exe 2700 5rxrffl.exe 2756 nhtthb.exe 2344 7bnntn.exe 2352 6462226.exe 1164 206400.exe 2120 rfxxrrf.exe 1720 e00282.exe 2980 04062.exe 2872 0866268.exe 2248 vpvvv.exe 2448 08066.exe 1868 i428484.exe 1100 26406.exe 1808 5vdvv.exe 1104 4200006.exe 1680 2600640.exe 2036 1rllllx.exe 1768 tnbhtt.exe 1820 lxrrrlr.exe 2480 9vjjp.exe 2132 084000.exe 1116 c802846.exe 316 2460662.exe 576 a0624.exe 1596 1jddp.exe 2476 fxfflff.exe 1996 7bhbhb.exe 2356 20828.exe 2376 24606.exe 2536 7nbbhh.exe 2332 20828.exe 652 thtnnt.exe 2920 nbnttn.exe 2916 bhntbn.exe 2804 6462840.exe 2712 20628.exe 2856 o024002.exe 2692 xrxfllx.exe 2944 rflrxxl.exe 2808 64284.exe 1788 468844.exe 820 5hnntt.exe 2148 0866240.exe 1292 602844.exe 2120 480026.exe 1452 1vdvd.exe 1684 9xlrxrx.exe 2272 482284.exe 3012 7dvvv.exe 2212 u084668.exe 1048 5dvvj.exe 1144 1ppdd.exe 2088 5xlllfl.exe 1688 64280.exe 1872 9bnhhh.exe -
resource yara_rule behavioral1/memory/2176-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/652-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/652-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-218-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1680-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/652-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2916-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-671-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1968-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-974-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-1029-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1700-1063-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-1101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-1121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-1189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2856-1208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-1279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-1292-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4206268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fflrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2176 wrote to memory of 2532 2176 cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe 30 PID 2176 wrote to memory of 2532 2176 cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe 30 PID 2176 wrote to memory of 2532 2176 cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe 30 PID 2176 wrote to memory of 2532 2176 cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe 30 PID 2532 wrote to memory of 3028 2532 nhbbnn.exe 31 PID 2532 wrote to memory of 3028 2532 nhbbnn.exe 31 PID 2532 wrote to memory of 3028 2532 nhbbnn.exe 31 PID 2532 wrote to memory of 3028 2532 nhbbnn.exe 31 PID 3028 wrote to memory of 2600 3028 4800224.exe 32 PID 3028 wrote to memory of 2600 3028 4800224.exe 32 PID 3028 wrote to memory of 2600 3028 4800224.exe 32 PID 3028 wrote to memory of 2600 3028 4800224.exe 32 PID 2600 wrote to memory of 2332 2600 604088.exe 33 PID 2600 wrote to memory of 2332 2600 604088.exe 33 PID 2600 wrote to memory of 2332 2600 604088.exe 33 PID 2600 wrote to memory of 2332 2600 604088.exe 33 PID 2332 wrote to memory of 652 2332 llxxfxf.exe 34 PID 2332 wrote to memory of 652 2332 llxxfxf.exe 34 PID 2332 wrote to memory of 652 2332 llxxfxf.exe 34 PID 2332 wrote to memory of 652 2332 llxxfxf.exe 34 PID 652 wrote to memory of 2948 652 pjddp.exe 35 PID 652 wrote to memory of 2948 652 pjddp.exe 35 PID 652 wrote to memory of 2948 652 pjddp.exe 35 PID 652 wrote to memory of 2948 652 pjddp.exe 35 PID 2948 wrote to memory of 2960 2948 8266222.exe 36 PID 2948 wrote to memory of 2960 2948 8266222.exe 36 PID 2948 wrote to memory of 2960 2948 8266222.exe 36 PID 2948 wrote to memory of 2960 2948 8266222.exe 36 PID 2960 wrote to memory of 2848 2960 9jjdj.exe 37 PID 2960 wrote to memory of 2848 2960 9jjdj.exe 37 PID 2960 wrote to memory of 2848 2960 9jjdj.exe 37 PID 2960 wrote to memory of 2848 2960 9jjdj.exe 37 PID 2848 wrote to memory of 1752 2848 rxlllxf.exe 38 PID 2848 wrote to 
memory of 1752 2848 rxlllxf.exe 38 PID 2848 wrote to memory of 1752 2848 rxlllxf.exe 38 PID 2848 wrote to memory of 1752 2848 rxlllxf.exe 38 PID 1752 wrote to memory of 2700 1752 42822.exe 39 PID 1752 wrote to memory of 2700 1752 42822.exe 39 PID 1752 wrote to memory of 2700 1752 42822.exe 39 PID 1752 wrote to memory of 2700 1752 42822.exe 39 PID 2700 wrote to memory of 2756 2700 5rxrffl.exe 40 PID 2700 wrote to memory of 2756 2700 5rxrffl.exe 40 PID 2700 wrote to memory of 2756 2700 5rxrffl.exe 40 PID 2700 wrote to memory of 2756 2700 5rxrffl.exe 40 PID 2756 wrote to memory of 2344 2756 nhtthb.exe 41 PID 2756 wrote to memory of 2344 2756 nhtthb.exe 41 PID 2756 wrote to memory of 2344 2756 nhtthb.exe 41 PID 2756 wrote to memory of 2344 2756 nhtthb.exe 41 PID 2344 wrote to memory of 2352 2344 7bnntn.exe 42 PID 2344 wrote to memory of 2352 2344 7bnntn.exe 42 PID 2344 wrote to memory of 2352 2344 7bnntn.exe 42 PID 2344 wrote to memory of 2352 2344 7bnntn.exe 42 PID 2352 wrote to memory of 1164 2352 6462226.exe 43 PID 2352 wrote to memory of 1164 2352 6462226.exe 43 PID 2352 wrote to memory of 1164 2352 6462226.exe 43 PID 2352 wrote to memory of 1164 2352 6462226.exe 43 PID 1164 wrote to memory of 2120 1164 206400.exe 44 PID 1164 wrote to memory of 2120 1164 206400.exe 44 PID 1164 wrote to memory of 2120 1164 206400.exe 44 PID 1164 wrote to memory of 2120 1164 206400.exe 44 PID 2120 wrote to memory of 1720 2120 rfxxrrf.exe 45 PID 2120 wrote to memory of 1720 2120 rfxxrrf.exe 45 PID 2120 wrote to memory of 1720 2120 rfxxrrf.exe 45 PID 2120 wrote to memory of 1720 2120 rfxxrrf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe"C:\Users\Admin\AppData\Local\Temp\cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\nhbbnn.exec:\nhbbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\4800224.exec:\4800224.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\604088.exec:\604088.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\llxxfxf.exec:\llxxfxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\pjddp.exec:\pjddp.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\8266222.exec:\8266222.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\9jjdj.exec:\9jjdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\rxlllxf.exec:\rxlllxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\42822.exec:\42822.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\5rxrffl.exec:\5rxrffl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\nhtthb.exec:\nhtthb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\7bnntn.exec:\7bnntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\6462226.exec:\6462226.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\206400.exec:\206400.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\rfxxrrf.exec:\rfxxrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\e00282.exec:\e00282.exe17⤵
- Executes dropped EXE
PID:1720 -
\??\c:\04062.exec:\04062.exe18⤵
- Executes dropped EXE
PID:2980 -
\??\c:\0866268.exec:\0866268.exe19⤵
- Executes dropped EXE
PID:2872 -
\??\c:\vpvvv.exec:\vpvvv.exe20⤵
- Executes dropped EXE
PID:2248 -
\??\c:\08066.exec:\08066.exe21⤵
- Executes dropped EXE
PID:2448 -
\??\c:\i428484.exec:\i428484.exe22⤵
- Executes dropped EXE
PID:1868 -
\??\c:\26406.exec:\26406.exe23⤵
- Executes dropped EXE
PID:1100 -
\??\c:\5vdvv.exec:\5vdvv.exe24⤵
- Executes dropped EXE
PID:1808 -
\??\c:\4200006.exec:\4200006.exe25⤵
- Executes dropped EXE
PID:1104 -
\??\c:\2600640.exec:\2600640.exe26⤵
- Executes dropped EXE
PID:1680 -
\??\c:\1rllllx.exec:\1rllllx.exe27⤵
- Executes dropped EXE
PID:2036 -
\??\c:\tnbhtt.exec:\tnbhtt.exe28⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lxrrrlr.exec:\lxrrrlr.exe29⤵
- Executes dropped EXE
PID:1820 -
\??\c:\9vjjp.exec:\9vjjp.exe30⤵
- Executes dropped EXE
PID:2480 -
\??\c:\084000.exec:\084000.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
\??\c:\c802846.exec:\c802846.exe32⤵
- Executes dropped EXE
PID:1116 -
\??\c:\2460662.exec:\2460662.exe33⤵
- Executes dropped EXE
PID:316 -
\??\c:\a0624.exec:\a0624.exe34⤵
- Executes dropped EXE
PID:576 -
\??\c:\1jddp.exec:\1jddp.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\fxfflff.exec:\fxfflff.exe36⤵
- Executes dropped EXE
PID:2476 -
\??\c:\7bhbhb.exec:\7bhbhb.exe37⤵
- Executes dropped EXE
PID:1996 -
\??\c:\20828.exec:\20828.exe38⤵
- Executes dropped EXE
PID:2356 -
\??\c:\24606.exec:\24606.exe39⤵
- Executes dropped EXE
PID:2376 -
\??\c:\7nbbhh.exec:\7nbbhh.exe40⤵
- Executes dropped EXE
PID:2536 -
\??\c:\20828.exec:\20828.exe41⤵
- Executes dropped EXE
PID:2332 -
\??\c:\thtnnt.exec:\thtnnt.exe42⤵
- Executes dropped EXE
PID:652 -
\??\c:\nbnttn.exec:\nbnttn.exe43⤵
- Executes dropped EXE
PID:2920 -
\??\c:\bhntbn.exec:\bhntbn.exe44⤵
- Executes dropped EXE
PID:2916 -
\??\c:\6462840.exec:\6462840.exe45⤵
- Executes dropped EXE
PID:2804 -
\??\c:\20628.exec:\20628.exe46⤵
- Executes dropped EXE
PID:2712 -
\??\c:\o024002.exec:\o024002.exe47⤵
- Executes dropped EXE
PID:2856 -
\??\c:\xrxfllx.exec:\xrxfllx.exe48⤵
- Executes dropped EXE
PID:2692 -
\??\c:\rflrxxl.exec:\rflrxxl.exe49⤵
- Executes dropped EXE
PID:2944 -
\??\c:\64284.exec:\64284.exe50⤵
- Executes dropped EXE
PID:2808 -
\??\c:\468844.exec:\468844.exe51⤵
- Executes dropped EXE
PID:1788 -
\??\c:\5hnntt.exec:\5hnntt.exe52⤵
- Executes dropped EXE
PID:820 -
\??\c:\0866240.exec:\0866240.exe53⤵
- Executes dropped EXE
PID:2148 -
\??\c:\602844.exec:\602844.exe54⤵
- Executes dropped EXE
PID:1292 -
\??\c:\480026.exec:\480026.exe55⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1vdvd.exec:\1vdvd.exe56⤵
- Executes dropped EXE
PID:1452 -
\??\c:\9xlrxrx.exec:\9xlrxrx.exe57⤵
- Executes dropped EXE
PID:1684 -
\??\c:\482284.exec:\482284.exe58⤵
- Executes dropped EXE
PID:2272 -
\??\c:\7dvvv.exec:\7dvvv.exe59⤵
- Executes dropped EXE
PID:3012 -
\??\c:\u084668.exec:\u084668.exe60⤵
- Executes dropped EXE
PID:2212 -
\??\c:\5dvvj.exec:\5dvvj.exe61⤵
- Executes dropped EXE
PID:1048 -
\??\c:\1ppdd.exec:\1ppdd.exe62⤵
- Executes dropped EXE
PID:1144 -
\??\c:\5xlllfl.exec:\5xlllfl.exe63⤵
- Executes dropped EXE
PID:2088 -
\??\c:\64280.exec:\64280.exe64⤵
- Executes dropped EXE
PID:1688 -
\??\c:\9bnhhh.exec:\9bnhhh.exe65⤵
- Executes dropped EXE
PID:1872 -
\??\c:\0422460.exec:\0422460.exe66⤵PID:968
-
\??\c:\lrfxlfl.exec:\lrfxlfl.exe67⤵PID:2484
-
\??\c:\4868620.exec:\4868620.exe68⤵PID:1148
-
\??\c:\pjdjv.exec:\pjdjv.exe69⤵PID:924
-
\??\c:\3xlllfl.exec:\3xlllfl.exe70⤵PID:1628
-
\??\c:\c084600.exec:\c084600.exe71⤵PID:2488
-
\??\c:\3tntbb.exec:\3tntbb.exe72⤵PID:2672
-
\??\c:\602622.exec:\602622.exe73⤵PID:564
-
\??\c:\60288.exec:\60288.exe74⤵PID:2568
-
\??\c:\e42282.exec:\e42282.exe75⤵PID:1744
-
\??\c:\64202.exec:\64202.exe76⤵PID:1072
-
\??\c:\rlxfllx.exec:\rlxfllx.exe77⤵PID:2176
-
\??\c:\rlrllll.exec:\rlrllll.exe78⤵PID:2064
-
\??\c:\tnbbnb.exec:\tnbbnb.exe79⤵PID:2596
-
\??\c:\20622.exec:\20622.exe80⤵PID:1800
-
\??\c:\6022888.exec:\6022888.exe81⤵PID:2640
-
\??\c:\hbnnnh.exec:\hbnnnh.exe82⤵PID:2884
-
\??\c:\42446.exec:\42446.exe83⤵PID:2768
-
\??\c:\82002.exec:\82002.exe84⤵PID:2780
-
\??\c:\3nbbbh.exec:\3nbbbh.exe85⤵PID:2844
-
\??\c:\868806.exec:\868806.exe86⤵PID:2936
-
\??\c:\5nbtbb.exec:\5nbtbb.exe87⤵PID:2716
-
\??\c:\bthntb.exec:\bthntb.exe88⤵PID:2724
-
\??\c:\g6442.exec:\g6442.exe89⤵PID:2708
-
\??\c:\5frlrrf.exec:\5frlrrf.exe90⤵PID:2800
-
\??\c:\424466.exec:\424466.exe91⤵PID:2692
-
\??\c:\c666666.exec:\c666666.exe92⤵PID:2688
-
\??\c:\xrfffxl.exec:\xrfffxl.exe93⤵PID:2436
-
\??\c:\pjdpv.exec:\pjdpv.exe94⤵
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\9lffffr.exec:\9lffffr.exe95⤵PID:1928
-
\??\c:\5tbtbb.exec:\5tbtbb.exe96⤵PID:2676
-
\??\c:\206062.exec:\206062.exe97⤵PID:2876
-
\??\c:\m6446.exec:\m6446.exe98⤵PID:1968
-
\??\c:\8626062.exec:\8626062.exe99⤵PID:3016
-
\??\c:\e24060.exec:\e24060.exe100⤵PID:3008
-
\??\c:\vpdpd.exec:\vpdpd.exe101⤵PID:2252
-
\??\c:\e20682.exec:\e20682.exe102⤵PID:2292
-
\??\c:\dpjpp.exec:\dpjpp.exe103⤵PID:584
-
\??\c:\9rlxfxx.exec:\9rlxfxx.exe104⤵PID:496
-
\??\c:\668848.exec:\668848.exe105⤵PID:1012
-
\??\c:\ppddd.exec:\ppddd.exe106⤵PID:1448
-
\??\c:\jpddd.exec:\jpddd.exe107⤵PID:1556
-
\??\c:\s2024.exec:\s2024.exe108⤵PID:1688
-
\??\c:\60802.exec:\60802.exe109⤵PID:1380
-
\??\c:\680066.exec:\680066.exe110⤵PID:1104
-
\??\c:\vpjvj.exec:\vpjvj.exe111⤵PID:2032
-
\??\c:\nbnnnn.exec:\nbnnnn.exe112⤵PID:1148
-
\??\c:\a6440.exec:\a6440.exe113⤵PID:2036
-
\??\c:\8666606.exec:\8666606.exe114⤵PID:1984
-
\??\c:\thbhtt.exec:\thbhtt.exe115⤵PID:1796
-
\??\c:\00482.exec:\00482.exe116⤵PID:1112
-
\??\c:\nbtthh.exec:\nbtthh.exe117⤵PID:2468
-
\??\c:\22446.exec:\22446.exe118⤵PID:2612
-
\??\c:\rlxflfl.exec:\rlxflfl.exe119⤵PID:1044
-
\??\c:\4688406.exec:\4688406.exe120⤵PID:320
-
\??\c:\6882204.exec:\6882204.exe121⤵PID:2512
-
\??\c:\5bnttb.exec:\5bnttb.exe122⤵PID:1660