Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16-12-2024 01:05
Behavioral task
behavioral1
Sample
f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576N.exe
-
Size
3.7MB
-
MD5
2264fd608f92fe3d4cbc2a0bd62a8ed0
-
SHA1
3d91956f1745ce2042a509e7fe38be8807ccd0d9
-
SHA256
f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576
-
SHA512
cae5a52602a9f73e8495dc4dccac0abc1fdee4fb1737bfb2d85348c5d7984ecd6bdeed408fbcdee012b4f03614954f6ca314a2b6060313e7cc01ad6e6f25b09f
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF985:U6XLq/qPPslzKx/dJg1ErmNI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/736-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1468-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/548-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3896-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1760-519-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-535-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-628-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-638-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-675-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-865-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-908-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2712-1164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2776 268820.exe 3808 2640228.exe 4880 084448.exe 1880 820000.exe 3616 446600.exe 116 ntbtnb.exe 3172 3rlfxrl.exe 2816 60604.exe 3652 bnttnn.exe 4260 6248220.exe 2156 hnhbtn.exe 2440 0426444.exe 1644 e68882.exe 3968 1frlfxr.exe 4108 flrxllx.exe 2136 nnbnhb.exe 2920 lrlfxrf.exe 868 3lffxxr.exe 1172 vjjdv.exe 780 28860.exe 1536 djvpp.exe 1468 nnnnhb.exe 2116 bnhbbt.exe 3240 bthbhb.exe 412 lrffxrl.exe 4780 pjdvp.exe 2164 88226.exe 4752 xlrlxrf.exe 2188 xxfxfrl.exe 2712 pjvdv.exe 4860 6408260.exe 1720 pvjjp.exe 4480 thnnnh.exe 2700 k86048.exe 1088 046006.exe 3980 nnhbtn.exe 4168 6000044.exe 1360 vjpjd.exe 2904 5fllffx.exe 4576 nbhbbt.exe 3280 84064.exe 4584 02428.exe 2004 pppvj.exe 5112 hthhbb.exe 4300 4886604.exe 4728 48402.exe 4544 nhnnbt.exe 2860 tnnhbh.exe 2772 jppjd.exe 4664 002666.exe 4476 ntttnh.exe 2864 ttnhbt.exe 2720 46262.exe 1504 pvvpj.exe 1968 nttttt.exe 2648 rlrrxrl.exe 232 2062666.exe 2748 djjjv.exe 1160 bbnnnn.exe 1448 jvddv.exe 2540 260482.exe 548 jdvvv.exe 3424 btbthn.exe 4936 jdvpd.exe -
resource yara_rule behavioral2/memory/736-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/736-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b53-3.dat upx behavioral2/files/0x000a000000023b57-8.dat upx behavioral2/memory/2776-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b54-12.dat upx behavioral2/memory/4880-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3808-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b59-22.dat upx behavioral2/memory/1880-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5a-27.dat upx behavioral2/memory/3616-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5b-33.dat upx behavioral2/memory/116-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5c-39.dat upx behavioral2/memory/116-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3172-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5d-46.dat upx behavioral2/files/0x000a000000023b5e-51.dat upx behavioral2/memory/2816-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b5f-57.dat upx behavioral2/memory/4260-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b60-63.dat upx behavioral2/files/0x000a000000023b61-69.dat upx behavioral2/memory/2156-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b62-75.dat upx behavioral2/memory/2440-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e72a-80.dat upx behavioral2/memory/1644-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b64-86.dat upx 
behavioral2/memory/3968-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4108-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b66-93.dat upx behavioral2/files/0x000a000000023b67-98.dat upx behavioral2/memory/2136-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b68-105.dat upx behavioral2/memory/2920-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/868-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b69-110.dat upx behavioral2/files/0x000a000000023b6a-115.dat upx behavioral2/memory/1172-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6b-122.dat upx behavioral2/memory/780-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6d-129.dat upx behavioral2/memory/1536-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1468-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6e-136.dat upx behavioral2/memory/2116-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-140.dat upx behavioral2/files/0x000a000000023b70-146.dat upx behavioral2/files/0x000a000000023b71-150.dat upx behavioral2/files/0x000a000000023b72-155.dat upx behavioral2/files/0x000a000000023b74-160.dat upx behavioral2/memory/2164-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b75-166.dat upx behavioral2/files/0x000a000000023b76-172.dat upx behavioral2/memory/2712-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-177.dat upx behavioral2/files/0x000a000000023b78-182.dat upx behavioral2/memory/1720-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4480-192-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2700-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1088-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3980-201-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0022666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6882226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0466220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o040400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6806268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6888260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntttn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 060660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8642604.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 736 wrote to memory of 2776 736 f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576N.exe 82 PID 736 wrote to memory of 2776 736 f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576N.exe 82 PID 736 wrote to memory of 2776 736 f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576N.exe 82 PID 2776 wrote to memory of 3808 2776 268820.exe 83 PID 2776 wrote to memory of 3808 2776 268820.exe 83 PID 2776 wrote to memory of 3808 2776 268820.exe 83 PID 3808 wrote to memory of 4880 3808 2640228.exe 84 PID 3808 wrote to memory of 4880 3808 2640228.exe 84 PID 3808 wrote to memory of 4880 3808 2640228.exe 84 PID 4880 wrote to memory of 1880 4880 084448.exe 85 PID 4880 wrote to memory of 1880 4880 084448.exe 85 PID 4880 wrote to memory of 1880 4880 084448.exe 85 PID 1880 wrote to memory of 3616 1880 820000.exe 86 PID 1880 wrote to memory of 3616 1880 820000.exe 86 PID 1880 wrote to memory of 3616 1880 820000.exe 86 PID 3616 wrote to memory of 116 3616 446600.exe 87 PID 3616 wrote to memory of 116 3616 446600.exe 87 PID 3616 wrote to memory of 116 3616 446600.exe 87 PID 116 wrote to memory of 3172 116 ntbtnb.exe 88 PID 116 wrote to memory of 3172 116 ntbtnb.exe 88 PID 116 wrote to memory of 3172 116 ntbtnb.exe 88 PID 3172 wrote to memory of 2816 3172 3rlfxrl.exe 89 PID 3172 wrote to memory of 2816 3172 3rlfxrl.exe 89 PID 3172 wrote to memory of 2816 3172 3rlfxrl.exe 89 PID 2816 wrote to memory of 3652 2816 60604.exe 90 PID 2816 wrote to memory of 3652 2816 60604.exe 90 PID 2816 wrote to memory of 3652 2816 60604.exe 90 PID 3652 wrote to memory of 4260 3652 bnttnn.exe 91 PID 3652 wrote to memory of 4260 3652 bnttnn.exe 91 PID 3652 wrote to memory of 4260 3652 bnttnn.exe 91 PID 4260 wrote to memory of 2156 4260 6248220.exe 92 PID 4260 wrote to memory of 2156 4260 6248220.exe 92 PID 4260 wrote to memory of 2156 4260 6248220.exe 92 PID 2156 wrote to memory of 2440 2156 hnhbtn.exe 93 PID 2156 wrote to memory 
of 2440 2156 hnhbtn.exe 93 PID 2156 wrote to memory of 2440 2156 hnhbtn.exe 93 PID 2440 wrote to memory of 1644 2440 0426444.exe 94 PID 2440 wrote to memory of 1644 2440 0426444.exe 94 PID 2440 wrote to memory of 1644 2440 0426444.exe 94 PID 1644 wrote to memory of 3968 1644 e68882.exe 95 PID 1644 wrote to memory of 3968 1644 e68882.exe 95 PID 1644 wrote to memory of 3968 1644 e68882.exe 95 PID 3968 wrote to memory of 4108 3968 1frlfxr.exe 96 PID 3968 wrote to memory of 4108 3968 1frlfxr.exe 96 PID 3968 wrote to memory of 4108 3968 1frlfxr.exe 96 PID 4108 wrote to memory of 2136 4108 flrxllx.exe 97 PID 4108 wrote to memory of 2136 4108 flrxllx.exe 97 PID 4108 wrote to memory of 2136 4108 flrxllx.exe 97 PID 2136 wrote to memory of 2920 2136 nnbnhb.exe 98 PID 2136 wrote to memory of 2920 2136 nnbnhb.exe 98 PID 2136 wrote to memory of 2920 2136 nnbnhb.exe 98 PID 2920 wrote to memory of 868 2920 lrlfxrf.exe 99 PID 2920 wrote to memory of 868 2920 lrlfxrf.exe 99 PID 2920 wrote to memory of 868 2920 lrlfxrf.exe 99 PID 868 wrote to memory of 1172 868 3lffxxr.exe 102 PID 868 wrote to memory of 1172 868 3lffxxr.exe 102 PID 868 wrote to memory of 1172 868 3lffxxr.exe 102 PID 1172 wrote to memory of 780 1172 vjjdv.exe 103 PID 1172 wrote to memory of 780 1172 vjjdv.exe 103 PID 1172 wrote to memory of 780 1172 vjjdv.exe 103 PID 780 wrote to memory of 1536 780 28860.exe 104 PID 780 wrote to memory of 1536 780 28860.exe 104 PID 780 wrote to memory of 1536 780 28860.exe 104 PID 1536 wrote to memory of 1468 1536 djvpp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576N.exe"C:\Users\Admin\AppData\Local\Temp\f46733db81b7cace690a167c4ebb78221e99772de1631fddacccf59595ffb576N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\268820.exec:\268820.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\2640228.exec:\2640228.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\084448.exec:\084448.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\820000.exec:\820000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\446600.exec:\446600.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\ntbtnb.exec:\ntbtnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\3rlfxrl.exec:\3rlfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\60604.exec:\60604.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\bnttnn.exec:\bnttnn.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\6248220.exec:\6248220.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\hnhbtn.exec:\hnhbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\0426444.exec:\0426444.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\e68882.exec:\e68882.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\1frlfxr.exec:\1frlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\flrxllx.exec:\flrxllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\nnbnhb.exec:\nnbnhb.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\lrlfxrf.exec:\lrlfxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\3lffxxr.exec:\3lffxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\vjjdv.exec:\vjjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\28860.exec:\28860.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\djvpp.exec:\djvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\nnnnhb.exec:\nnnnhb.exe23⤵
- Executes dropped EXE
PID:1468 -
\??\c:\bnhbbt.exec:\bnhbbt.exe24⤵
- Executes dropped EXE
PID:2116 -
\??\c:\bthbhb.exec:\bthbhb.exe25⤵
- Executes dropped EXE
PID:3240 -
\??\c:\lrffxrl.exec:\lrffxrl.exe26⤵
- Executes dropped EXE
PID:412 -
\??\c:\pjdvp.exec:\pjdvp.exe27⤵
- Executes dropped EXE
PID:4780 -
\??\c:\88226.exec:\88226.exe28⤵
- Executes dropped EXE
PID:2164 -
\??\c:\xlrlxrf.exec:\xlrlxrf.exe29⤵
- Executes dropped EXE
PID:4752 -
\??\c:\xxfxfrl.exec:\xxfxfrl.exe30⤵
- Executes dropped EXE
PID:2188 -
\??\c:\pjvdv.exec:\pjvdv.exe31⤵
- Executes dropped EXE
PID:2712 -
\??\c:\6408260.exec:\6408260.exe32⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pvjjp.exec:\pvjjp.exe33⤵
- Executes dropped EXE
PID:1720 -
\??\c:\thnnnh.exec:\thnnnh.exe34⤵
- Executes dropped EXE
PID:4480 -
\??\c:\k86048.exec:\k86048.exe35⤵
- Executes dropped EXE
PID:2700 -
\??\c:\046006.exec:\046006.exe36⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nnhbtn.exec:\nnhbtn.exe37⤵
- Executes dropped EXE
PID:3980 -
\??\c:\6000044.exec:\6000044.exe38⤵
- Executes dropped EXE
PID:4168 -
\??\c:\vjpjd.exec:\vjpjd.exe39⤵
- Executes dropped EXE
PID:1360 -
\??\c:\5fllffx.exec:\5fllffx.exe40⤵
- Executes dropped EXE
PID:2904 -
\??\c:\nbhbbt.exec:\nbhbbt.exe41⤵
- Executes dropped EXE
PID:4576 -
\??\c:\84064.exec:\84064.exe42⤵
- Executes dropped EXE
PID:3280 -
\??\c:\02428.exec:\02428.exe43⤵
- Executes dropped EXE
PID:4584 -
\??\c:\pppvj.exec:\pppvj.exe44⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hthhbb.exec:\hthhbb.exe45⤵
- Executes dropped EXE
PID:5112 -
\??\c:\4886604.exec:\4886604.exe46⤵
- Executes dropped EXE
PID:4300 -
\??\c:\48402.exec:\48402.exe47⤵
- Executes dropped EXE
PID:4728 -
\??\c:\nhnnbt.exec:\nhnnbt.exe48⤵
- Executes dropped EXE
PID:4544 -
\??\c:\tnnhbh.exec:\tnnhbh.exe49⤵
- Executes dropped EXE
PID:2860 -
\??\c:\jppjd.exec:\jppjd.exe50⤵
- Executes dropped EXE
PID:2772 -
\??\c:\002666.exec:\002666.exe51⤵
- Executes dropped EXE
PID:4664 -
\??\c:\ntttnh.exec:\ntttnh.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\ttnhbt.exec:\ttnhbt.exe53⤵
- Executes dropped EXE
PID:2864 -
\??\c:\46262.exec:\46262.exe54⤵
- Executes dropped EXE
PID:2720 -
\??\c:\pvvpj.exec:\pvvpj.exe55⤵
- Executes dropped EXE
PID:1504 -
\??\c:\nttttt.exec:\nttttt.exe56⤵
- Executes dropped EXE
PID:1968 -
\??\c:\rlrrxrl.exec:\rlrrxrl.exe57⤵
- Executes dropped EXE
PID:2648 -
\??\c:\2062666.exec:\2062666.exe58⤵
- Executes dropped EXE
PID:232 -
\??\c:\djjjv.exec:\djjjv.exe59⤵
- Executes dropped EXE
PID:2748 -
\??\c:\bbnnnn.exec:\bbnnnn.exe60⤵
- Executes dropped EXE
PID:1160 -
\??\c:\jvddv.exec:\jvddv.exe61⤵
- Executes dropped EXE
PID:1448 -
\??\c:\260482.exec:\260482.exe62⤵
- Executes dropped EXE
PID:2540 -
\??\c:\jdvvv.exec:\jdvvv.exe63⤵
- Executes dropped EXE
PID:548 -
\??\c:\btbthn.exec:\btbthn.exe64⤵
- Executes dropped EXE
PID:3424 -
\??\c:\jdvpd.exec:\jdvpd.exe65⤵
- Executes dropped EXE
PID:4936 -
\??\c:\nhbtnn.exec:\nhbtnn.exe66⤵PID:3436
-
\??\c:\22088.exec:\22088.exe67⤵PID:4916
-
\??\c:\646482.exec:\646482.exe68⤵PID:4416
-
\??\c:\o022884.exec:\o022884.exe69⤵PID:540
-
\??\c:\rxrlfff.exec:\rxrlfff.exe70⤵PID:3228
-
\??\c:\vpjdv.exec:\vpjdv.exe71⤵PID:2148
-
\??\c:\484826.exec:\484826.exe72⤵PID:4320
-
\??\c:\0060048.exec:\0060048.exe73⤵
- System Location Discovery: System Language Discovery
PID:1508 -
\??\c:\ntbttn.exec:\ntbttn.exe74⤵PID:3896
-
\??\c:\6028888.exec:\6028888.exe75⤵PID:2092
-
\??\c:\8066004.exec:\8066004.exe76⤵PID:2188
-
\??\c:\nhhbbb.exec:\nhhbbb.exe77⤵PID:3636
-
\??\c:\8240006.exec:\8240006.exe78⤵PID:2712
-
\??\c:\xrfxxxx.exec:\xrfxxxx.exe79⤵PID:1760
-
\??\c:\a0882.exec:\a0882.exe80⤵PID:688
-
\??\c:\bhnhbb.exec:\bhnhbb.exe81⤵PID:3284
-
\??\c:\rrxrxrl.exec:\rrxrxrl.exe82⤵PID:3312
-
\??\c:\6444084.exec:\6444084.exe83⤵PID:5028
-
\??\c:\vdvpv.exec:\vdvpv.exe84⤵PID:4172
-
\??\c:\84284.exec:\84284.exe85⤵PID:1012
-
\??\c:\c620482.exec:\c620482.exe86⤵PID:3096
-
\??\c:\htbtnn.exec:\htbtnn.exe87⤵PID:116
-
\??\c:\408822.exec:\408822.exe88⤵PID:1460
-
\??\c:\5vjjd.exec:\5vjjd.exe89⤵
- System Location Discovery: System Language Discovery
PID:4240 -
\??\c:\rllrffr.exec:\rllrffr.exe90⤵
- System Location Discovery: System Language Discovery
PID:2816 -
\??\c:\c264826.exec:\c264826.exe91⤵PID:220
-
\??\c:\k06488.exec:\k06488.exe92⤵PID:2356
-
\??\c:\428866.exec:\428866.exe93⤵PID:4432
-
\??\c:\44688.exec:\44688.exe94⤵PID:3536
-
\??\c:\nbhbbh.exec:\nbhbbh.exe95⤵PID:1840
-
\??\c:\xxrxfxx.exec:\xxrxfxx.exe96⤵
- System Location Discovery: System Language Discovery
PID:1792 -
\??\c:\840482.exec:\840482.exe97⤵PID:516
-
\??\c:\086844.exec:\086844.exe98⤵PID:2156
-
\??\c:\rlxxlll.exec:\rlxxlll.exe99⤵PID:3540
-
\??\c:\q80088.exec:\q80088.exe100⤵PID:3544
-
\??\c:\428448.exec:\428448.exe101⤵PID:3348
-
\??\c:\68006.exec:\68006.exe102⤵PID:3500
-
\??\c:\vjvpp.exec:\vjvpp.exe103⤵PID:1068
-
\??\c:\pdpvp.exec:\pdpvp.exe104⤵PID:3944
-
\??\c:\llllxxx.exec:\llllxxx.exe105⤵PID:3968
-
\??\c:\pvjdv.exec:\pvjdv.exe106⤵PID:4852
-
\??\c:\pjpjd.exec:\pjpjd.exe107⤵PID:3376
-
\??\c:\fxlxfff.exec:\fxlxfff.exe108⤵PID:232
-
\??\c:\bbtnnh.exec:\bbtnnh.exe109⤵PID:4112
-
\??\c:\844820.exec:\844820.exe110⤵
- System Location Discovery: System Language Discovery
PID:3964 -
\??\c:\062266.exec:\062266.exe111⤵PID:4488
-
\??\c:\4288882.exec:\4288882.exe112⤵PID:2452
-
\??\c:\484448.exec:\484448.exe113⤵PID:5068
-
\??\c:\nbhbtn.exec:\nbhbtn.exe114⤵PID:3288
-
\??\c:\462660.exec:\462660.exe115⤵PID:1920
-
\??\c:\200448.exec:\200448.exe116⤵PID:1364
-
\??\c:\406044.exec:\406044.exe117⤵PID:2436
-
\??\c:\ppjpd.exec:\ppjpd.exe118⤵PID:2812
-
\??\c:\fflxffl.exec:\fflxffl.exe119⤵PID:2664
-
\??\c:\408800.exec:\408800.exe120⤵PID:1540
-
\??\c:\xfxrrrl.exec:\xfxrrrl.exe121⤵PID:536
-
\??\c:\pdpjd.exec:\pdpjd.exe122⤵PID:4336