Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
03-12-2024 03:08
Behavioral task
behavioral1
Sample
f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
General
-
Target
f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe
-
Size
3.7MB
-
MD5
34135706b0fd40c5a0715fd3c49a2696
-
SHA1
c244aac51c1a31efaa2820d1c7307df1b9cc3e1c
-
SHA256
f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8
-
SHA512
08efbd0451af5ca4efce3b275d2e8ce388c1c2e2e57ec7532b708fc36e08d3f4e15b31b1ca5dcf7615208c60ff50e9f5f04fe36c3455d437d5bb2c323f8d29eb
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98f:U6XLq/qPPslzKx/dJg1ErmNi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2668-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/376-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1920-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3804-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3180-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1536-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3752-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1536-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/852-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3572-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-547-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-587-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/312-633-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-646-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-653-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3180-672-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-760-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-896-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-996-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-1105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-1259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2968-1299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 376 nnttnn.exe 4336 2282604.exe 3344 04660.exe 1920 808446.exe 4872 62006.exe 3804 nnbtnn.exe 2784 ntbtnn.exe 4888 42608.exe 3180 5hnnnh.exe 3264 48204.exe 3532 00226.exe 4864 000602.exe 1540 024826.exe 4452 46242.exe 1016 nbtbtn.exe 4140 462260.exe 2428 846048.exe 1924 4028282.exe 4968 666024.exe 1668 6282604.exe 4552 vdpjv.exe 2840 2860040.exe 2960 02826.exe 2520 04228.exe 1536 842822.exe 2192 hnthtn.exe 4168 jpjjd.exe 3056 26822.exe 2340 620048.exe 1760 8800606.exe 3636 pjjjj.exe 4644 9dpjv.exe 1156 0248226.exe 2632 dvpvp.exe 1480 rlllfff.exe 4360 xllxfxr.exe 3604 80048.exe 2336 frfxxxf.exe 4364 bnbbhh.exe 3368 dvvjd.exe 1756 pdjdd.exe 1008 42822.exe 4748 dpdpp.exe 4660 httnnh.exe 4256 lxxxfxx.exe 3540 2860600.exe 4160 2088828.exe 232 c682644.exe 4468 8268048.exe 4472 jjjdd.exe 2476 o882200.exe 4868 8426048.exe 4280 bbttnh.exe 4192 8066048.exe 3564 flxrlfx.exe 5024 dvppj.exe 5096 8242482.exe 4376 hnnhbb.exe 1220 tbbbth.exe 3340 ttbttt.exe 1884 1fxrxff.exe 1824 dvvpj.exe 60 2848288.exe 3612 hhnnbh.exe -
resource yara_rule behavioral2/memory/2668-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c7a-3.dat upx behavioral2/memory/2668-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-9.dat upx behavioral2/memory/376-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c7b-13.dat upx behavioral2/memory/3344-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-23.dat upx behavioral2/memory/1920-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4872-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c80-29.dat upx behavioral2/memory/4336-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-35.dat upx behavioral2/memory/4872-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-41.dat upx behavioral2/memory/3804-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4888-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c85-53.dat upx behavioral2/memory/3180-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c84-47.dat upx behavioral2/files/0x0007000000023c86-58.dat upx behavioral2/files/0x0007000000023c87-63.dat upx behavioral2/memory/3264-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c88-69.dat upx behavioral2/memory/4864-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3532-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-78.dat upx behavioral2/files/0x0007000000023c8a-81.dat upx behavioral2/memory/1540-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4452-89-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c8b-87.dat upx behavioral2/files/0x0007000000023c8c-93.dat upx behavioral2/memory/1016-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-99.dat upx behavioral2/memory/4140-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-105.dat upx behavioral2/memory/1924-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2428-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-113.dat upx behavioral2/memory/4968-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-118.dat upx behavioral2/memory/1668-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-125.dat upx behavioral2/memory/4552-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-130.dat upx behavioral2/files/0x0007000000023c93-135.dat upx behavioral2/files/0x0007000000023c94-140.dat upx behavioral2/files/0x0007000000023c95-145.dat upx behavioral2/files/0x0007000000023c96-153.dat upx behavioral2/memory/1536-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-156.dat upx behavioral2/memory/2192-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-162.dat upx behavioral2/memory/3056-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2340-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-175.dat upx behavioral2/files/0x0007000000023c99-168.dat upx behavioral2/files/0x0007000000023c9b-179.dat upx behavioral2/files/0x0007000000023c9c-184.dat upx behavioral2/memory/4644-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1480-197-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4364-212-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3368-216-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1008-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k22282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4004860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q66026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c682644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k66042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8204226.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 404864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u626088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k00426.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8468864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6460482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 376 2668 f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe 82 PID 2668 wrote to memory of 376 2668 f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe 82 PID 2668 wrote to memory of 376 2668 f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe 82 PID 376 wrote to memory of 4336 376 nnttnn.exe 83 PID 376 wrote to memory of 4336 376 nnttnn.exe 83 PID 376 wrote to memory of 4336 376 nnttnn.exe 83 PID 4336 wrote to memory of 3344 4336 2282604.exe 84 PID 4336 wrote to memory of 3344 4336 2282604.exe 84 PID 4336 wrote to memory of 3344 4336 2282604.exe 84 PID 3344 wrote to memory of 1920 3344 04660.exe 85 PID 3344 wrote to memory of 1920 3344 04660.exe 85 PID 3344 wrote to memory of 1920 3344 04660.exe 85 PID 1920 wrote to memory of 4872 1920 808446.exe 86 PID 1920 wrote to memory of 4872 1920 808446.exe 86 PID 1920 wrote to memory of 4872 1920 808446.exe 86 PID 4872 wrote to memory of 3804 4872 62006.exe 87 PID 4872 wrote to memory of 3804 4872 62006.exe 87 PID 4872 wrote to memory of 3804 4872 62006.exe 87 PID 3804 wrote to memory of 2784 3804 nnbtnn.exe 88 PID 3804 wrote to memory of 2784 3804 nnbtnn.exe 88 PID 3804 wrote to memory of 2784 3804 nnbtnn.exe 88 PID 2784 wrote to memory of 4888 2784 ntbtnn.exe 89 PID 2784 wrote to memory of 4888 2784 ntbtnn.exe 89 PID 2784 wrote to memory of 4888 2784 ntbtnn.exe 89 PID 4888 wrote to memory of 3180 4888 42608.exe 90 PID 4888 wrote to memory of 3180 4888 42608.exe 90 PID 4888 wrote to memory of 3180 4888 42608.exe 90 PID 3180 wrote to memory of 3264 3180 5hnnnh.exe 91 PID 3180 wrote to memory of 3264 3180 5hnnnh.exe 91 PID 3180 wrote to memory of 3264 3180 5hnnnh.exe 91 PID 3264 wrote to memory of 3532 3264 48204.exe 92 PID 3264 wrote to memory of 3532 3264 48204.exe 92 PID 3264 wrote to memory of 3532 3264 48204.exe 92 PID 3532 wrote to memory of 4864 3532 00226.exe 93 PID 3532 wrote to memory of 4864 3532 
00226.exe 93 PID 3532 wrote to memory of 4864 3532 00226.exe 93 PID 4864 wrote to memory of 1540 4864 000602.exe 94 PID 4864 wrote to memory of 1540 4864 000602.exe 94 PID 4864 wrote to memory of 1540 4864 000602.exe 94 PID 1540 wrote to memory of 4452 1540 024826.exe 95 PID 1540 wrote to memory of 4452 1540 024826.exe 95 PID 1540 wrote to memory of 4452 1540 024826.exe 95 PID 4452 wrote to memory of 1016 4452 46242.exe 96 PID 4452 wrote to memory of 1016 4452 46242.exe 96 PID 4452 wrote to memory of 1016 4452 46242.exe 96 PID 1016 wrote to memory of 4140 1016 nbtbtn.exe 97 PID 1016 wrote to memory of 4140 1016 nbtbtn.exe 97 PID 1016 wrote to memory of 4140 1016 nbtbtn.exe 97 PID 4140 wrote to memory of 2428 4140 462260.exe 98 PID 4140 wrote to memory of 2428 4140 462260.exe 98 PID 4140 wrote to memory of 2428 4140 462260.exe 98 PID 2428 wrote to memory of 1924 2428 846048.exe 99 PID 2428 wrote to memory of 1924 2428 846048.exe 99 PID 2428 wrote to memory of 1924 2428 846048.exe 99 PID 1924 wrote to memory of 4968 1924 4028282.exe 100 PID 1924 wrote to memory of 4968 1924 4028282.exe 100 PID 1924 wrote to memory of 4968 1924 4028282.exe 100 PID 4968 wrote to memory of 1668 4968 666024.exe 101 PID 4968 wrote to memory of 1668 4968 666024.exe 101 PID 4968 wrote to memory of 1668 4968 666024.exe 101 PID 1668 wrote to memory of 4552 1668 6282604.exe 102 PID 1668 wrote to memory of 4552 1668 6282604.exe 102 PID 1668 wrote to memory of 4552 1668 6282604.exe 102 PID 4552 wrote to memory of 2840 4552 vdpjv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe"C:\Users\Admin\AppData\Local\Temp\f636ab53df10cdfede3c0ae861a359913be52b76471e76d242d334f7daed7ac8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\nnttnn.exec:\nnttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\2282604.exec:\2282604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\04660.exec:\04660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\808446.exec:\808446.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\62006.exec:\62006.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\nnbtnn.exec:\nnbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\ntbtnn.exec:\ntbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\42608.exec:\42608.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\5hnnnh.exec:\5hnnnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\48204.exec:\48204.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\00226.exec:\00226.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\000602.exec:\000602.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\024826.exec:\024826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\46242.exec:\46242.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\nbtbtn.exec:\nbtbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\462260.exec:\462260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\846048.exec:\846048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\4028282.exec:\4028282.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\666024.exec:\666024.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\6282604.exec:\6282604.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\vdpjv.exec:\vdpjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\2860040.exec:\2860040.exe23⤵
- Executes dropped EXE
PID:2840 -
\??\c:\02826.exec:\02826.exe24⤵
- Executes dropped EXE
PID:2960 -
\??\c:\04228.exec:\04228.exe25⤵
- Executes dropped EXE
PID:2520 -
\??\c:\842822.exec:\842822.exe26⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hnthtn.exec:\hnthtn.exe27⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jpjjd.exec:\jpjjd.exe28⤵
- Executes dropped EXE
PID:4168 -
\??\c:\26822.exec:\26822.exe29⤵
- Executes dropped EXE
PID:3056 -
\??\c:\620048.exec:\620048.exe30⤵
- Executes dropped EXE
PID:2340 -
\??\c:\8800606.exec:\8800606.exe31⤵
- Executes dropped EXE
PID:1760 -
\??\c:\pjjjj.exec:\pjjjj.exe32⤵
- Executes dropped EXE
PID:3636 -
\??\c:\9dpjv.exec:\9dpjv.exe33⤵
- Executes dropped EXE
PID:4644 -
\??\c:\0248226.exec:\0248226.exe34⤵
- Executes dropped EXE
PID:1156 -
\??\c:\dvpvp.exec:\dvpvp.exe35⤵
- Executes dropped EXE
PID:2632 -
\??\c:\rlllfff.exec:\rlllfff.exe36⤵
- Executes dropped EXE
PID:1480 -
\??\c:\xllxfxr.exec:\xllxfxr.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4360 -
\??\c:\80048.exec:\80048.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604 -
\??\c:\frfxxxf.exec:\frfxxxf.exe39⤵
- Executes dropped EXE
PID:2336 -
\??\c:\bnbbhh.exec:\bnbbhh.exe40⤵
- Executes dropped EXE
PID:4364 -
\??\c:\dvvjd.exec:\dvvjd.exe41⤵
- Executes dropped EXE
PID:3368 -
\??\c:\pdjdd.exec:\pdjdd.exe42⤵
- Executes dropped EXE
PID:1756 -
\??\c:\42822.exec:\42822.exe43⤵
- Executes dropped EXE
PID:1008 -
\??\c:\dpdpp.exec:\dpdpp.exe44⤵
- Executes dropped EXE
PID:4748 -
\??\c:\httnnh.exec:\httnnh.exe45⤵
- Executes dropped EXE
PID:4660 -
\??\c:\lxxxfxx.exec:\lxxxfxx.exe46⤵
- Executes dropped EXE
PID:4256 -
\??\c:\2860600.exec:\2860600.exe47⤵
- Executes dropped EXE
PID:3540 -
\??\c:\2088828.exec:\2088828.exe48⤵
- Executes dropped EXE
PID:4160 -
\??\c:\c682644.exec:\c682644.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:232 -
\??\c:\8268048.exec:\8268048.exe50⤵
- Executes dropped EXE
PID:4468 -
\??\c:\jjjdd.exec:\jjjdd.exe51⤵
- Executes dropped EXE
PID:4472 -
\??\c:\o882200.exec:\o882200.exe52⤵
- Executes dropped EXE
PID:2476 -
\??\c:\8426048.exec:\8426048.exe53⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bbttnh.exec:\bbttnh.exe54⤵
- Executes dropped EXE
PID:4280 -
\??\c:\8066048.exec:\8066048.exe55⤵
- Executes dropped EXE
PID:4192 -
\??\c:\flxrlfx.exec:\flxrlfx.exe56⤵
- Executes dropped EXE
PID:3564 -
\??\c:\dvppj.exec:\dvppj.exe57⤵
- Executes dropped EXE
PID:5024 -
\??\c:\8242482.exec:\8242482.exe58⤵
- Executes dropped EXE
PID:5096 -
\??\c:\hnnhbb.exec:\hnnhbb.exe59⤵
- Executes dropped EXE
PID:4376 -
\??\c:\tbbbth.exec:\tbbbth.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1220 -
\??\c:\ttbttt.exec:\ttbttt.exe61⤵
- Executes dropped EXE
PID:3340 -
\??\c:\1fxrxff.exec:\1fxrxff.exe62⤵
- Executes dropped EXE
PID:1884 -
\??\c:\dvvpj.exec:\dvvpj.exe63⤵
- Executes dropped EXE
PID:1824 -
\??\c:\2848288.exec:\2848288.exe64⤵
- Executes dropped EXE
PID:60 -
\??\c:\hhnnbh.exec:\hhnnbh.exe65⤵
- Executes dropped EXE
PID:3612 -
\??\c:\httnnh.exec:\httnnh.exe66⤵PID:1524
-
\??\c:\42208.exec:\42208.exe67⤵PID:4428
-
\??\c:\xxllfff.exec:\xxllfff.exe68⤵PID:216
-
\??\c:\lrxxrlf.exec:\lrxxrlf.exe69⤵PID:4580
-
\??\c:\fxrlfxl.exec:\fxrlfxl.exe70⤵
- System Location Discovery: System Language Discovery
PID:3872 -
\??\c:\66282.exec:\66282.exe71⤵PID:4772
-
\??\c:\2046048.exec:\2046048.exe72⤵PID:1540
-
\??\c:\xffxxll.exec:\xffxxll.exe73⤵PID:4444
-
\??\c:\a4200.exec:\a4200.exe74⤵PID:1080
-
\??\c:\bnbhth.exec:\bnbhth.exe75⤵PID:2944
-
\??\c:\7hbtnb.exec:\7hbtnb.exe76⤵PID:4140
-
\??\c:\862004.exec:\862004.exe77⤵
- System Location Discovery: System Language Discovery
PID:2428 -
\??\c:\468888.exec:\468888.exe78⤵PID:5000
-
\??\c:\xlxxrll.exec:\xlxxrll.exe79⤵PID:1476
-
\??\c:\e46426.exec:\e46426.exe80⤵PID:824
-
\??\c:\846044.exec:\846044.exe81⤵PID:3752
-
\??\c:\442042.exec:\442042.exe82⤵PID:4516
-
\??\c:\7btnbb.exec:\7btnbb.exe83⤵PID:1076
-
\??\c:\4288644.exec:\4288644.exe84⤵PID:3948
-
\??\c:\thhbbt.exec:\thhbbt.exe85⤵PID:4064
-
\??\c:\62226.exec:\62226.exe86⤵PID:4924
-
\??\c:\xrrlxrf.exec:\xrrlxrf.exe87⤵PID:2520
-
\??\c:\68888.exec:\68888.exe88⤵PID:4328
-
\??\c:\htthth.exec:\htthth.exe89⤵PID:1536
-
\??\c:\40260.exec:\40260.exe90⤵PID:4112
-
\??\c:\48404.exec:\48404.exe91⤵PID:4168
-
\??\c:\jdvpj.exec:\jdvpj.exe92⤵PID:3056
-
\??\c:\6488686.exec:\6488686.exe93⤵PID:1400
-
\??\c:\o828484.exec:\o828484.exe94⤵PID:2340
-
\??\c:\480408.exec:\480408.exe95⤵PID:1760
-
\??\c:\vvvdv.exec:\vvvdv.exe96⤵PID:3292
-
\??\c:\xllfxxf.exec:\xllfxxf.exe97⤵PID:4196
-
\??\c:\nhtnhb.exec:\nhtnhb.exe98⤵PID:4644
-
\??\c:\bnnhbb.exec:\bnnhbb.exe99⤵PID:1156
-
\??\c:\dppjd.exec:\dppjd.exe100⤵PID:5060
-
\??\c:\xlrlfrl.exec:\xlrlfrl.exe101⤵PID:1480
-
\??\c:\884222.exec:\884222.exe102⤵PID:4360
-
\??\c:\6824688.exec:\6824688.exe103⤵PID:3604
-
\??\c:\ddjvp.exec:\ddjvp.exe104⤵PID:2140
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe105⤵PID:4988
-
\??\c:\rlllflf.exec:\rlllflf.exe106⤵PID:3688
-
\??\c:\bbhhbb.exec:\bbhhbb.exe107⤵PID:3184
-
\??\c:\fxlfxrr.exec:\fxlfxrr.exe108⤵PID:1008
-
\??\c:\nbhbhh.exec:\nbhbhh.exe109⤵PID:1216
-
\??\c:\flflffr.exec:\flflffr.exe110⤵PID:1164
-
\??\c:\6228266.exec:\6228266.exe111⤵PID:224
-
\??\c:\84626.exec:\84626.exe112⤵PID:852
-
\??\c:\468866.exec:\468866.exe113⤵PID:4160
-
\??\c:\u860882.exec:\u860882.exe114⤵PID:4460
-
\??\c:\xxffxxx.exec:\xxffxxx.exe115⤵PID:4468
-
\??\c:\248260.exec:\248260.exe116⤵PID:768
-
\??\c:\624422.exec:\624422.exe117⤵PID:2788
-
\??\c:\pdjdv.exec:\pdjdv.exe118⤵PID:1260
-
\??\c:\1bhhhn.exec:\1bhhhn.exe119⤵PID:4348
-
\??\c:\2200482.exec:\2200482.exe120⤵PID:4280
-
\??\c:\9xflxxl.exec:\9xflxxl.exe121⤵PID:3344
-
\??\c:\046048.exec:\046048.exe122⤵PID:3564