Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
06-12-2024 08:54
Behavioral task
behavioral1
Sample
a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3N.exe
-
Size
3.7MB
-
MD5
dcdf374c742ee28f5c69f7cfcb5dfc00
-
SHA1
3bac11ce2e9d3dcb66acd4e13f402e5a1b78e12e
-
SHA256
a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3
-
SHA512
8d07773a3c7c76e228f2a0ca460fd069b4e0ef343e91905ec151e96e97c46963ee7f4572d4369fdf62602d684315dd9b582600f3344077b20c1eb17f79021bf3
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98Z:U6XLq/qPPslzKx/dJg1ErmNy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1224-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2412-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3828-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4244-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/772-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2884-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/948-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4244-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/916-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4920-508-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-577-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-584-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-633-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-700-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-731-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-973-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-1046-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-1074-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-1171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-1196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2412-1317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 4008 xlrxxrx.exe 3608 ntnnnb.exe 2316 bhhnnt.exe 2448 tbnhbh.exe 4804 tbnnhh.exe 2724 3htttb.exe 4864 hhtnhb.exe 2116 vvdvv.exe 3400 dpvpp.exe 3208 3dpjv.exe 2976 rrxxrxr.exe 3420 rrllfll.exe 3904 flllffl.exe 2912 pjjvv.exe 4424 thhbtt.exe 2280 3hnnnn.exe 4992 9thtnt.exe 3472 xrlfxrl.exe 4092 ffrxxxf.exe 312 5rlfffx.exe 2056 rllrrrr.exe 1448 xxffffl.exe 3688 tbntth.exe 2412 hhhnbh.exe 972 ntntht.exe 3828 xxrxxfl.exe 4088 9xrxlrl.exe 4080 rfxfrrx.exe 4244 rffffll.exe 3224 thhhnt.exe 2392 rxfxxrr.exe 4980 tntnbt.exe 2560 hnnntb.exe 440 bhhnnt.exe 4668 bbthhn.exe 4612 hnttnn.exe 3876 tntttb.exe 4660 hbnnnn.exe 3660 rfxffxx.exe 2124 1thhhn.exe 4492 5xffxfx.exe 3948 lrxrffr.exe 2496 7rrlffx.exe 3236 thhnnt.exe 2012 1rffxff.exe 3040 9rxrrxx.exe 772 nhnnnn.exe 2316 hhnhbb.exe 2664 nhhbtn.exe 1216 xrxxrxx.exe 2448 5flfxxr.exe 5060 xfrrxxf.exe 4048 llxrxfl.exe 536 1lxxxxx.exe 4960 fffxrxl.exe 212 rxxllxx.exe 116 lxllflf.exe 2068 ddjdd.exe 2920 vjdjj.exe 5052 1djdp.exe 2944 jjpdv.exe 388 jdddd.exe 1536 ddddv.exe 3528 tttbbh.exe -
resource yara_rule behavioral2/memory/1224-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bb1-3.dat upx behavioral2/memory/1224-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-9.dat upx behavioral2/memory/3608-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4008-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-14.dat upx behavioral2/memory/2316-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-23.dat upx behavioral2/memory/2448-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-29.dat upx behavioral2/memory/4804-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-34.dat upx behavioral2/memory/2724-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-41.dat upx behavioral2/memory/4864-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-47.dat upx behavioral2/memory/2116-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-53.dat upx behavioral2/files/0x0007000000023ca3-58.dat upx behavioral2/memory/3208-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3400-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-64.dat upx behavioral2/files/0x0007000000023ca5-70.dat upx behavioral2/memory/3420-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2976-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-77.dat upx behavioral2/memory/3904-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-84.dat upx behavioral2/files/0x0007000000023ca8-87.dat upx 
behavioral2/memory/4424-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-93.dat upx behavioral2/files/0x0007000000023caa-98.dat upx behavioral2/memory/2280-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-104.dat upx behavioral2/files/0x0007000000023cac-109.dat upx behavioral2/memory/4092-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-117.dat upx behavioral2/files/0x000300000001e754-121.dat upx behavioral2/files/0x0007000000023caf-125.dat upx behavioral2/memory/1448-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2056-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-132.dat upx behavioral2/files/0x0007000000023cb2-137.dat upx behavioral2/memory/2412-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-143.dat upx behavioral2/files/0x0007000000023cb4-149.dat upx behavioral2/files/0x0007000000023cb5-153.dat upx behavioral2/memory/3828-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-159.dat upx behavioral2/memory/4088-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-165.dat upx behavioral2/memory/4080-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-171.dat upx behavioral2/memory/4244-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-176.dat upx behavioral2/files/0x0007000000023cbb-181.dat upx behavioral2/memory/2392-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/440-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4668-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4612-202-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3876-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4660-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3948-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbhn.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbtnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1224 wrote to memory of 4008 1224 a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3N.exe 83 PID 1224 wrote to memory of 4008 1224 a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3N.exe 83 PID 1224 wrote to memory of 4008 1224 a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3N.exe 83 PID 4008 wrote to memory of 3608 4008 xlrxxrx.exe 84 PID 4008 wrote to memory of 3608 4008 xlrxxrx.exe 84 PID 4008 wrote to memory of 3608 4008 xlrxxrx.exe 84 PID 3608 wrote to memory of 2316 3608 ntnnnb.exe 85 PID 3608 wrote to memory of 2316 3608 ntnnnb.exe 85 PID 3608 wrote to memory of 2316 3608 ntnnnb.exe 85 PID 2316 wrote to memory of 2448 2316 bhhnnt.exe 86 PID 2316 wrote to memory of 2448 2316 bhhnnt.exe 86 PID 2316 wrote to memory of 2448 2316 bhhnnt.exe 86 PID 2448 wrote to memory of 4804 2448 tbnhbh.exe 87 PID 2448 wrote to memory of 4804 2448 tbnhbh.exe 87 PID 2448 wrote to memory of 4804 2448 tbnhbh.exe 87 PID 4804 wrote to memory of 2724 4804 tbnnhh.exe 88 PID 4804 wrote to memory of 2724 4804 tbnnhh.exe 88 PID 4804 wrote to memory of 2724 4804 tbnnhh.exe 88 PID 2724 wrote to memory of 4864 2724 3htttb.exe 89 PID 2724 wrote to memory of 4864 2724 3htttb.exe 89 PID 2724 wrote to memory of 4864 2724 3htttb.exe 89 PID 4864 wrote to memory of 2116 4864 hhtnhb.exe 90 PID 4864 wrote to memory of 2116 4864 hhtnhb.exe 90 PID 4864 wrote to memory of 2116 4864 hhtnhb.exe 90 PID 2116 wrote to memory of 3400 2116 vvdvv.exe 91 PID 2116 wrote to memory of 3400 2116 vvdvv.exe 91 PID 2116 wrote to memory of 3400 2116 vvdvv.exe 91 PID 3400 wrote to memory of 3208 3400 dpvpp.exe 92 PID 3400 wrote to memory of 3208 3400 dpvpp.exe 92 PID 3400 wrote to memory of 3208 3400 dpvpp.exe 92 PID 3208 wrote to memory of 2976 3208 3dpjv.exe 93 PID 3208 wrote to memory of 2976 3208 3dpjv.exe 93 PID 3208 wrote to memory of 2976 3208 3dpjv.exe 93 PID 2976 wrote to memory of 3420 2976 rrxxrxr.exe 94 PID 2976 wrote to 
memory of 3420 2976 rrxxrxr.exe 94 PID 2976 wrote to memory of 3420 2976 rrxxrxr.exe 94 PID 3420 wrote to memory of 3904 3420 rrllfll.exe 95 PID 3420 wrote to memory of 3904 3420 rrllfll.exe 95 PID 3420 wrote to memory of 3904 3420 rrllfll.exe 95 PID 3904 wrote to memory of 2912 3904 flllffl.exe 96 PID 3904 wrote to memory of 2912 3904 flllffl.exe 96 PID 3904 wrote to memory of 2912 3904 flllffl.exe 96 PID 2912 wrote to memory of 4424 2912 pjjvv.exe 97 PID 2912 wrote to memory of 4424 2912 pjjvv.exe 97 PID 2912 wrote to memory of 4424 2912 pjjvv.exe 97 PID 4424 wrote to memory of 2280 4424 thhbtt.exe 98 PID 4424 wrote to memory of 2280 4424 thhbtt.exe 98 PID 4424 wrote to memory of 2280 4424 thhbtt.exe 98 PID 2280 wrote to memory of 4992 2280 3hnnnn.exe 99 PID 2280 wrote to memory of 4992 2280 3hnnnn.exe 99 PID 2280 wrote to memory of 4992 2280 3hnnnn.exe 99 PID 4992 wrote to memory of 3472 4992 9thtnt.exe 100 PID 4992 wrote to memory of 3472 4992 9thtnt.exe 100 PID 4992 wrote to memory of 3472 4992 9thtnt.exe 100 PID 3472 wrote to memory of 4092 3472 xrlfxrl.exe 101 PID 3472 wrote to memory of 4092 3472 xrlfxrl.exe 101 PID 3472 wrote to memory of 4092 3472 xrlfxrl.exe 101 PID 4092 wrote to memory of 312 4092 ffrxxxf.exe 102 PID 4092 wrote to memory of 312 4092 ffrxxxf.exe 102 PID 4092 wrote to memory of 312 4092 ffrxxxf.exe 102 PID 312 wrote to memory of 2056 312 5rlfffx.exe 103 PID 312 wrote to memory of 2056 312 5rlfffx.exe 103 PID 312 wrote to memory of 2056 312 5rlfffx.exe 103 PID 2056 wrote to memory of 1448 2056 rllrrrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3N.exe"C:\Users\Admin\AppData\Local\Temp\a75bab9050b09c902d27634f7805665e465e2ac5164d79fcabe1394df02f66d3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\xlrxxrx.exec:\xlrxxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\ntnnnb.exec:\ntnnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\bhhnnt.exec:\bhhnnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\tbnhbh.exec:\tbnhbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\tbnnhh.exec:\tbnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\3htttb.exec:\3htttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\hhtnhb.exec:\hhtnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\vvdvv.exec:\vvdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\dpvpp.exec:\dpvpp.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\3dpjv.exec:\3dpjv.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\rrxxrxr.exec:\rrxxrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\rrllfll.exec:\rrllfll.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\flllffl.exec:\flllffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\pjjvv.exec:\pjjvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\thhbtt.exec:\thhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\3hnnnn.exec:\3hnnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\9thtnt.exec:\9thtnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\ffrxxxf.exec:\ffrxxxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\5rlfffx.exec:\5rlfffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\rllrrrr.exec:\rllrrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\xxffffl.exec:\xxffffl.exe23⤵
- Executes dropped EXE
PID:1448 -
\??\c:\tbntth.exec:\tbntth.exe24⤵
- Executes dropped EXE
PID:3688 -
\??\c:\hhhnbh.exec:\hhhnbh.exe25⤵
- Executes dropped EXE
PID:2412 -
\??\c:\ntntht.exec:\ntntht.exe26⤵
- Executes dropped EXE
PID:972 -
\??\c:\xxrxxfl.exec:\xxrxxfl.exe27⤵
- Executes dropped EXE
PID:3828 -
\??\c:\9xrxlrl.exec:\9xrxlrl.exe28⤵
- Executes dropped EXE
PID:4088 -
\??\c:\rfxfrrx.exec:\rfxfrrx.exe29⤵
- Executes dropped EXE
PID:4080 -
\??\c:\rffffll.exec:\rffffll.exe30⤵
- Executes dropped EXE
PID:4244 -
\??\c:\thhhnt.exec:\thhhnt.exe31⤵
- Executes dropped EXE
PID:3224 -
\??\c:\rxfxxrr.exec:\rxfxxrr.exe32⤵
- Executes dropped EXE
PID:2392 -
\??\c:\tntnbt.exec:\tntnbt.exe33⤵
- Executes dropped EXE
PID:4980 -
\??\c:\hnnntb.exec:\hnnntb.exe34⤵
- Executes dropped EXE
PID:2560 -
\??\c:\bhhnnt.exec:\bhhnnt.exe35⤵
- Executes dropped EXE
PID:440 -
\??\c:\bbthhn.exec:\bbthhn.exe36⤵
- Executes dropped EXE
PID:4668 -
\??\c:\hnttnn.exec:\hnttnn.exe37⤵
- Executes dropped EXE
PID:4612 -
\??\c:\tntttb.exec:\tntttb.exe38⤵
- Executes dropped EXE
PID:3876 -
\??\c:\hbnnnn.exec:\hbnnnn.exe39⤵
- Executes dropped EXE
PID:4660 -
\??\c:\rfxffxx.exec:\rfxffxx.exe40⤵
- Executes dropped EXE
PID:3660 -
\??\c:\1thhhn.exec:\1thhhn.exe41⤵
- Executes dropped EXE
PID:2124 -
\??\c:\5xffxfx.exec:\5xffxfx.exe42⤵
- Executes dropped EXE
PID:4492 -
\??\c:\lrxrffr.exec:\lrxrffr.exe43⤵
- Executes dropped EXE
PID:3948 -
\??\c:\7rrlffx.exec:\7rrlffx.exe44⤵
- Executes dropped EXE
PID:2496 -
\??\c:\thhnnt.exec:\thhnnt.exe45⤵
- Executes dropped EXE
PID:3236 -
\??\c:\1rffxff.exec:\1rffxff.exe46⤵
- Executes dropped EXE
PID:2012 -
\??\c:\9rxrrxx.exec:\9rxrrxx.exe47⤵
- Executes dropped EXE
PID:3040 -
\??\c:\nhnnnn.exec:\nhnnnn.exe48⤵
- Executes dropped EXE
PID:772 -
\??\c:\hhnhbb.exec:\hhnhbb.exe49⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nhhbtn.exec:\nhhbtn.exe50⤵
- Executes dropped EXE
PID:2664 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe51⤵
- Executes dropped EXE
PID:1216 -
\??\c:\5flfxxr.exec:\5flfxxr.exe52⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xfrrxxf.exec:\xfrrxxf.exe53⤵
- Executes dropped EXE
PID:5060 -
\??\c:\llxrxfl.exec:\llxrxfl.exe54⤵
- Executes dropped EXE
PID:4048 -
\??\c:\1lxxxxx.exec:\1lxxxxx.exe55⤵
- Executes dropped EXE
PID:536 -
\??\c:\fffxrxl.exec:\fffxrxl.exe56⤵
- Executes dropped EXE
PID:4960 -
\??\c:\rxxllxx.exec:\rxxllxx.exe57⤵
- Executes dropped EXE
PID:212 -
\??\c:\lxllflf.exec:\lxllflf.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:116 -
\??\c:\ddjdd.exec:\ddjdd.exe59⤵
- Executes dropped EXE
PID:2068 -
\??\c:\vjdjj.exec:\vjdjj.exe60⤵
- Executes dropped EXE
PID:2920 -
\??\c:\1djdp.exec:\1djdp.exe61⤵
- Executes dropped EXE
PID:5052 -
\??\c:\jjpdv.exec:\jjpdv.exe62⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jdddd.exec:\jdddd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:388 -
\??\c:\ddddv.exec:\ddddv.exe64⤵
- Executes dropped EXE
PID:1536 -
\??\c:\tttbbh.exec:\tttbbh.exe65⤵
- Executes dropped EXE
PID:3528 -
\??\c:\1ttttt.exec:\1ttttt.exe66⤵PID:4024
-
\??\c:\7bbnhb.exec:\7bbnhb.exe67⤵PID:3396
-
\??\c:\5tthhb.exec:\5tthhb.exe68⤵PID:5012
-
\??\c:\hbhbhn.exec:\hbhbhn.exe69⤵PID:4220
-
\??\c:\llxxrxf.exec:\llxxrxf.exe70⤵PID:3472
-
\??\c:\xrfrrxl.exec:\xrfrrxl.exe71⤵
- System Location Discovery: System Language Discovery
PID:2884 -
\??\c:\nhtbnh.exec:\nhtbnh.exe72⤵PID:1944
-
\??\c:\bbnhnt.exec:\bbnhnt.exe73⤵PID:1680
-
\??\c:\nbtbtn.exec:\nbtbtn.exe74⤵
- System Location Discovery: System Language Discovery
PID:4512 -
\??\c:\7rrrrxx.exec:\7rrrrxx.exe75⤵PID:1580
-
\??\c:\xfrrxxf.exec:\xfrrxxf.exe76⤵PID:948
-
\??\c:\xxrrffr.exec:\xxrrffr.exe77⤵PID:2148
-
\??\c:\rfllffx.exec:\rfllffx.exe78⤵PID:4164
-
\??\c:\flxrflx.exec:\flxrflx.exe79⤵PID:840
-
\??\c:\7fllxff.exec:\7fllxff.exe80⤵PID:4080
-
\??\c:\lrxrrll.exec:\lrxrrll.exe81⤵PID:4244
-
\??\c:\flffxff.exec:\flffxff.exe82⤵PID:3452
-
\??\c:\flrlxrr.exec:\flrlxrr.exe83⤵PID:2816
-
\??\c:\xxxlffx.exec:\xxxlffx.exe84⤵PID:1548
-
\??\c:\1lffxxr.exec:\1lffxxr.exe85⤵PID:436
-
\??\c:\lxrrflf.exec:\lxrrflf.exe86⤵PID:2948
-
\??\c:\lllfxxx.exec:\lllfxxx.exe87⤵PID:4100
-
\??\c:\5jdvv.exec:\5jdvv.exe88⤵PID:4616
-
\??\c:\pppvp.exec:\pppvp.exe89⤵PID:4612
-
\??\c:\vpjpp.exec:\vpjpp.exe90⤵PID:5040
-
\??\c:\pjvvv.exec:\pjvvv.exe91⤵PID:916
-
\??\c:\ppvvv.exec:\ppvvv.exe92⤵PID:1352
-
\??\c:\jvjdv.exec:\jvjdv.exe93⤵PID:2124
-
\??\c:\pjpjv.exec:\pjpjv.exe94⤵PID:3036
-
\??\c:\1tbttt.exec:\1tbttt.exe95⤵
- System Location Discovery: System Language Discovery
PID:4792 -
\??\c:\5hnnbh.exec:\5hnnbh.exe96⤵PID:4988
-
\??\c:\thhbbn.exec:\thhbbn.exe97⤵PID:3236
-
\??\c:\bbbtnn.exec:\bbbtnn.exe98⤵PID:2744
-
\??\c:\hntnnn.exec:\hntnnn.exe99⤵PID:3040
-
\??\c:\nnnhhh.exec:\nnnhhh.exe100⤵PID:3944
-
\??\c:\nhbbbh.exec:\nhbbbh.exe101⤵PID:4984
-
\??\c:\httbbb.exec:\httbbb.exe102⤵PID:4832
-
\??\c:\httbbb.exec:\httbbb.exe103⤵PID:3244
-
\??\c:\llxrrrl.exec:\llxrrrl.exe104⤵PID:4972
-
\??\c:\nbnhbb.exec:\nbnhbb.exe105⤵PID:3636
-
\??\c:\xffrrll.exec:\xffrrll.exe106⤵PID:4340
-
\??\c:\fflfxff.exec:\fflfxff.exe107⤵PID:4640
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe108⤵PID:4304
-
\??\c:\vdppv.exec:\vdppv.exe109⤵PID:4716
-
\??\c:\fffxxxf.exec:\fffxxxf.exe110⤵PID:2540
-
\??\c:\3pppj.exec:\3pppj.exe111⤵PID:3420
-
\??\c:\djvpj.exec:\djvpj.exe112⤵PID:3032
-
\??\c:\pvvpp.exec:\pvvpp.exe113⤵PID:388
-
\??\c:\jjpjj.exec:\jjpjj.exe114⤵PID:3428
-
\??\c:\dpppj.exec:\dpppj.exe115⤵PID:3528
-
\??\c:\vpddv.exec:\vpddv.exe116⤵PID:4024
-
\??\c:\9bhhbh.exec:\9bhhbh.exe117⤵
- System Location Discovery: System Language Discovery
PID:3396 -
\??\c:\tthhhh.exec:\tthhhh.exe118⤵PID:464
-
\??\c:\hnnttn.exec:\hnnttn.exe119⤵PID:3904
-
\??\c:\3ntttt.exec:\3ntttt.exe120⤵PID:3472
-
\??\c:\7hntbh.exec:\7hntbh.exe121⤵PID:4720
-
\??\c:\hbhhtt.exec:\hbhhtt.exe122⤵PID:2428