Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 04:20
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe
-
Size
453KB
-
MD5
33ba11f8f56212499259848b6df9881e
-
SHA1
bbd0e672f626ade8e933d06097bde31becac5f45
-
SHA256
cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46
-
SHA512
74af959675c9e9189a9e595280881120a86c72d4815bf3b86f9d232f3bdd662b032c42f9d5a304a0354f3629f54ef0993242403c7a57dd288de11f1cf81fb47a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3780-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4012-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2848-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-1034-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-1243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-1824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2920 864606.exe 3144 dpppj.exe 2488 nnnnhh.exe 5060 4680662.exe 1784 06860.exe 2432 428884.exe 4124 nbbthb.exe 3100 thbnbt.exe 4024 c622042.exe 4188 dpjdp.exe 2396 ddvvp.exe 4924 0622048.exe 1672 rrrxlfr.exe 1164 pdjdv.exe 3852 q00426.exe 1724 m4640.exe 5092 4260826.exe 2412 5xlxxff.exe 5012 268488.exe 3624 pdjdp.exe 4692 jpjvj.exe 3668 hbhbhh.exe 4872 u024048.exe 1624 jvpdp.exe 2608 040062.exe 2788 44200.exe 1144 lxlxrlx.exe 4012 24600.exe 996 0060444.exe 3444 lfxrlrr.exe 3116 286824.exe 2704 7djpv.exe 3512 2048446.exe 716 htbbhn.exe 3484 vdjjj.exe 4104 60422.exe 4580 xffflxx.exe 2200 68060.exe 2148 2404482.exe 4244 thhbbt.exe 3084 0242008.exe 4332 826646.exe 2972 llfxrfx.exe 3780 40040.exe 4752 262626.exe 880 86042.exe 2556 6884882.exe 4052 1ttnbt.exe 2576 484448.exe 1108 m2488.exe 2560 66266.exe 2584 7jjjp.exe 4532 w02266.exe 4588 tnhnnh.exe 2180 022064.exe 3312 fxflflf.exe 4492 btntbn.exe 4200 1nhtnh.exe 5040 nbhnbt.exe 400 pdvjd.exe 2536 8286042.exe 2396 082626.exe 816 086420.exe 1172 lxlfrlf.exe -
resource yara_rule behavioral2/memory/3780-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3116-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-436-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1304-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-944-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6486420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4260822.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w46482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3780 wrote to memory of 2920 3780 cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe 85 PID 3780 wrote to memory of 2920 3780 cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe 85 PID 3780 wrote to memory of 2920 3780 cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe 85 PID 2920 wrote to memory of 3144 2920 864606.exe 86 PID 2920 wrote to memory of 3144 2920 864606.exe 86 PID 2920 wrote to memory of 3144 2920 864606.exe 86 PID 3144 wrote to memory of 2488 3144 dpppj.exe 87 PID 3144 wrote to memory of 2488 3144 dpppj.exe 87 PID 3144 wrote to memory of 2488 3144 dpppj.exe 87 PID 2488 wrote to memory of 5060 2488 nnnnhh.exe 88 PID 2488 wrote to memory of 5060 2488 nnnnhh.exe 88 PID 2488 wrote to memory of 5060 2488 nnnnhh.exe 88 PID 5060 wrote to memory of 1784 5060 4680662.exe 89 PID 5060 wrote to memory of 1784 5060 4680662.exe 89 PID 5060 wrote to memory of 1784 5060 4680662.exe 89 PID 1784 wrote to memory of 2432 1784 06860.exe 90 PID 1784 wrote to memory of 2432 1784 06860.exe 90 PID 1784 wrote to memory of 2432 1784 06860.exe 90 PID 2432 wrote to memory of 4124 2432 428884.exe 91 PID 2432 wrote to memory of 4124 2432 428884.exe 91 PID 2432 wrote to memory of 4124 2432 428884.exe 91 PID 4124 wrote to memory of 3100 4124 nbbthb.exe 92 PID 4124 wrote to memory of 3100 4124 nbbthb.exe 92 PID 4124 wrote to memory of 3100 4124 nbbthb.exe 92 PID 3100 wrote to memory of 4024 3100 thbnbt.exe 93 PID 3100 wrote to memory of 4024 3100 thbnbt.exe 93 PID 3100 wrote to memory of 4024 3100 thbnbt.exe 93 PID 4024 wrote to memory of 4188 4024 c622042.exe 94 PID 4024 wrote to memory of 4188 4024 c622042.exe 94 PID 4024 wrote to memory of 4188 4024 c622042.exe 94 PID 4188 wrote to memory of 2396 4188 dpjdp.exe 95 PID 4188 wrote to memory of 2396 4188 dpjdp.exe 95 PID 4188 wrote to memory of 2396 4188 dpjdp.exe 95 PID 2396 wrote to memory of 4924 2396 ddvvp.exe 96 PID 2396 wrote to 
memory of 4924 2396 ddvvp.exe 96 PID 2396 wrote to memory of 4924 2396 ddvvp.exe 96 PID 4924 wrote to memory of 1672 4924 0622048.exe 97 PID 4924 wrote to memory of 1672 4924 0622048.exe 97 PID 4924 wrote to memory of 1672 4924 0622048.exe 97 PID 1672 wrote to memory of 1164 1672 rrrxlfr.exe 98 PID 1672 wrote to memory of 1164 1672 rrrxlfr.exe 98 PID 1672 wrote to memory of 1164 1672 rrrxlfr.exe 98 PID 1164 wrote to memory of 3852 1164 pdjdv.exe 99 PID 1164 wrote to memory of 3852 1164 pdjdv.exe 99 PID 1164 wrote to memory of 3852 1164 pdjdv.exe 99 PID 3852 wrote to memory of 1724 3852 q00426.exe 100 PID 3852 wrote to memory of 1724 3852 q00426.exe 100 PID 3852 wrote to memory of 1724 3852 q00426.exe 100 PID 1724 wrote to memory of 5092 1724 m4640.exe 101 PID 1724 wrote to memory of 5092 1724 m4640.exe 101 PID 1724 wrote to memory of 5092 1724 m4640.exe 101 PID 5092 wrote to memory of 2412 5092 4260826.exe 102 PID 5092 wrote to memory of 2412 5092 4260826.exe 102 PID 5092 wrote to memory of 2412 5092 4260826.exe 102 PID 2412 wrote to memory of 5012 2412 5xlxxff.exe 103 PID 2412 wrote to memory of 5012 2412 5xlxxff.exe 103 PID 2412 wrote to memory of 5012 2412 5xlxxff.exe 103 PID 5012 wrote to memory of 3624 5012 268488.exe 104 PID 5012 wrote to memory of 3624 5012 268488.exe 104 PID 5012 wrote to memory of 3624 5012 268488.exe 104 PID 3624 wrote to memory of 4692 3624 pdjdp.exe 105 PID 3624 wrote to memory of 4692 3624 pdjdp.exe 105 PID 3624 wrote to memory of 4692 3624 pdjdp.exe 105 PID 4692 wrote to memory of 3668 4692 jpjvj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe"C:\Users\Admin\AppData\Local\Temp\cf01e9d4b2a24c37546e7c2ecd70d6495e1676913b4c4abd38256b9974685d46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\864606.exec:\864606.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\dpppj.exec:\dpppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\nnnnhh.exec:\nnnnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\4680662.exec:\4680662.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\06860.exec:\06860.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\428884.exec:\428884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\nbbthb.exec:\nbbthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\thbnbt.exec:\thbnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\c622042.exec:\c622042.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\dpjdp.exec:\dpjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\ddvvp.exec:\ddvvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\0622048.exec:\0622048.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\rrrxlfr.exec:\rrrxlfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\pdjdv.exec:\pdjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\q00426.exec:\q00426.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\m4640.exec:\m4640.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\4260826.exec:\4260826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\5xlxxff.exec:\5xlxxff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\268488.exec:\268488.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\pdjdp.exec:\pdjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\jpjvj.exec:\jpjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\hbhbhh.exec:\hbhbhh.exe23⤵
- Executes dropped EXE
PID:3668 -
\??\c:\u024048.exec:\u024048.exe24⤵
- Executes dropped EXE
PID:4872 -
\??\c:\jvpdp.exec:\jvpdp.exe25⤵
- Executes dropped EXE
PID:1624 -
\??\c:\040062.exec:\040062.exe26⤵
- Executes dropped EXE
PID:2608 -
\??\c:\44200.exec:\44200.exe27⤵
- Executes dropped EXE
PID:2788 -
\??\c:\lxlxrlx.exec:\lxlxrlx.exe28⤵
- Executes dropped EXE
PID:1144 -
\??\c:\24600.exec:\24600.exe29⤵
- Executes dropped EXE
PID:4012 -
\??\c:\0060444.exec:\0060444.exe30⤵
- Executes dropped EXE
PID:996 -
\??\c:\lfxrlrr.exec:\lfxrlrr.exe31⤵
- Executes dropped EXE
PID:3444 -
\??\c:\286824.exec:\286824.exe32⤵
- Executes dropped EXE
PID:3116 -
\??\c:\7djpv.exec:\7djpv.exe33⤵
- Executes dropped EXE
PID:2704 -
\??\c:\2048446.exec:\2048446.exe34⤵
- Executes dropped EXE
PID:3512 -
\??\c:\htbbhn.exec:\htbbhn.exe35⤵
- Executes dropped EXE
PID:716 -
\??\c:\vdjjj.exec:\vdjjj.exe36⤵
- Executes dropped EXE
PID:3484 -
\??\c:\60422.exec:\60422.exe37⤵
- Executes dropped EXE
PID:4104 -
\??\c:\xffflxx.exec:\xffflxx.exe38⤵
- Executes dropped EXE
PID:4580 -
\??\c:\68060.exec:\68060.exe39⤵
- Executes dropped EXE
PID:2200 -
\??\c:\2404482.exec:\2404482.exe40⤵
- Executes dropped EXE
PID:2148 -
\??\c:\thhbbt.exec:\thhbbt.exe41⤵
- Executes dropped EXE
PID:4244 -
\??\c:\0242008.exec:\0242008.exe42⤵
- Executes dropped EXE
PID:3084 -
\??\c:\826646.exec:\826646.exe43⤵
- Executes dropped EXE
PID:4332 -
\??\c:\llfxrfx.exec:\llfxrfx.exe44⤵
- Executes dropped EXE
PID:2972 -
\??\c:\40040.exec:\40040.exe45⤵
- Executes dropped EXE
PID:3780 -
\??\c:\262626.exec:\262626.exe46⤵
- Executes dropped EXE
PID:4752 -
\??\c:\86042.exec:\86042.exe47⤵
- Executes dropped EXE
PID:880 -
\??\c:\6884882.exec:\6884882.exe48⤵
- Executes dropped EXE
PID:2556 -
\??\c:\1ttnbt.exec:\1ttnbt.exe49⤵
- Executes dropped EXE
PID:4052 -
\??\c:\484448.exec:\484448.exe50⤵
- Executes dropped EXE
PID:2576 -
\??\c:\m2488.exec:\m2488.exe51⤵
- Executes dropped EXE
PID:1108 -
\??\c:\66266.exec:\66266.exe52⤵
- Executes dropped EXE
PID:2560 -
\??\c:\7jjjp.exec:\7jjjp.exe53⤵
- Executes dropped EXE
PID:2584 -
\??\c:\w02266.exec:\w02266.exe54⤵
- Executes dropped EXE
PID:4532 -
\??\c:\tnhnnh.exec:\tnhnnh.exe55⤵
- Executes dropped EXE
PID:4588 -
\??\c:\022064.exec:\022064.exe56⤵
- Executes dropped EXE
PID:2180 -
\??\c:\fxflflf.exec:\fxflflf.exe57⤵
- Executes dropped EXE
PID:3312 -
\??\c:\btntbn.exec:\btntbn.exe58⤵
- Executes dropped EXE
PID:4492 -
\??\c:\1nhtnh.exec:\1nhtnh.exe59⤵
- Executes dropped EXE
PID:4200 -
\??\c:\nbhnbt.exec:\nbhnbt.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5040 -
\??\c:\pdvjd.exec:\pdvjd.exe61⤵
- Executes dropped EXE
PID:400 -
\??\c:\8286042.exec:\8286042.exe62⤵
- Executes dropped EXE
PID:2536 -
\??\c:\082626.exec:\082626.exe63⤵
- Executes dropped EXE
PID:2396 -
\??\c:\086420.exec:\086420.exe64⤵
- Executes dropped EXE
PID:816 -
\??\c:\lxlfrlf.exec:\lxlfrlf.exe65⤵
- Executes dropped EXE
PID:1172 -
\??\c:\w84248.exec:\w84248.exe66⤵PID:4784
-
\??\c:\fxfxrll.exec:\fxfxrll.exe67⤵PID:1164
-
\??\c:\5lrfxrf.exec:\5lrfxrf.exe68⤵PID:512
-
\??\c:\660420.exec:\660420.exe69⤵PID:4700
-
\??\c:\fxlllfx.exec:\fxlllfx.exe70⤵PID:1724
-
\??\c:\u886486.exec:\u886486.exe71⤵PID:636
-
\??\c:\fxrffxr.exec:\fxrffxr.exe72⤵PID:3160
-
\??\c:\u826048.exec:\u826048.exe73⤵PID:2412
-
\??\c:\bnthtn.exec:\bnthtn.exe74⤵PID:5108
-
\??\c:\7hbnbb.exec:\7hbnbb.exe75⤵PID:4100
-
\??\c:\ppvvj.exec:\ppvvj.exe76⤵PID:1096
-
\??\c:\jpdpj.exec:\jpdpj.exe77⤵PID:4692
-
\??\c:\02608.exec:\02608.exe78⤵PID:3576
-
\??\c:\8024024.exec:\8024024.exe79⤵PID:3120
-
\??\c:\082642.exec:\082642.exe80⤵PID:4536
-
\??\c:\282604.exec:\282604.exe81⤵PID:4500
-
\??\c:\5pdpd.exec:\5pdpd.exe82⤵PID:1428
-
\??\c:\62648.exec:\62648.exe83⤵PID:3044
-
\??\c:\bnhbtn.exec:\bnhbtn.exe84⤵PID:2788
-
\??\c:\o404220.exec:\o404220.exe85⤵PID:3448
-
\??\c:\44082.exec:\44082.exe86⤵PID:3216
-
\??\c:\nnnhbh.exec:\nnnhbh.exe87⤵PID:1280
-
\??\c:\4842620.exec:\4842620.exe88⤵PID:3240
-
\??\c:\6484220.exec:\6484220.exe89⤵PID:4712
-
\??\c:\26684.exec:\26684.exe90⤵PID:3364
-
\??\c:\066086.exec:\066086.exe91⤵PID:3280
-
\??\c:\vjpjj.exec:\vjpjj.exe92⤵PID:3492
-
\??\c:\2086846.exec:\2086846.exe93⤵PID:792
-
\??\c:\08826.exec:\08826.exe94⤵PID:4112
-
\??\c:\rlfxlrl.exec:\rlfxlrl.exe95⤵PID:3484
-
\??\c:\06822.exec:\06822.exe96⤵PID:4104
-
\??\c:\0420602.exec:\0420602.exe97⤵PID:1320
-
\??\c:\s8826.exec:\s8826.exe98⤵PID:1924
-
\??\c:\flrllll.exec:\flrllll.exe99⤵PID:3136
-
\??\c:\66042.exec:\66042.exe100⤵PID:4472
-
\??\c:\044860.exec:\044860.exe101⤵PID:4636
-
\??\c:\tnhnbb.exec:\tnhnbb.exe102⤵PID:4324
-
\??\c:\vjjvj.exec:\vjjvj.exe103⤵PID:2848
-
\??\c:\btthtn.exec:\btthtn.exe104⤵PID:216
-
\??\c:\e48822.exec:\e48822.exe105⤵PID:1052
-
\??\c:\4228460.exec:\4228460.exe106⤵PID:3416
-
\??\c:\9ddpd.exec:\9ddpd.exe107⤵PID:2376
-
\??\c:\fxlfxrf.exec:\fxlfxrf.exe108⤵PID:348
-
\??\c:\7bnnhn.exec:\7bnnhn.exe109⤵PID:4164
-
\??\c:\nhnbnn.exec:\nhnbnn.exe110⤵PID:524
-
\??\c:\460864.exec:\460864.exe111⤵PID:1304
-
\??\c:\dvvpv.exec:\dvvpv.exe112⤵PID:2548
-
\??\c:\pdjvv.exec:\pdjvv.exe113⤵PID:1784
-
\??\c:\0066888.exec:\0066888.exe114⤵PID:4720
-
\??\c:\jvpjv.exec:\jvpjv.exe115⤵PID:2432
-
\??\c:\djjpd.exec:\djjpd.exe116⤵PID:740
-
\??\c:\dvvjj.exec:\dvvjj.exe117⤵PID:2276
-
\??\c:\u048266.exec:\u048266.exe118⤵PID:2088
-
\??\c:\5nhnhb.exec:\5nhnhb.exe119⤵PID:756
-
\??\c:\s4086.exec:\s4086.exe120⤵PID:4200
-
\??\c:\q40044.exec:\q40044.exe121⤵
- System Location Discovery: System Language Discovery
PID:4512 -
\??\c:\a8486.exec:\a8486.exe122⤵PID:3156