Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
18-12-2024 22:55
Behavioral task
behavioral1 (note: this task entry lists a Windows 7 resource, but every IoC reported below is tagged behavioral2 and the Analysis header names the Windows 10 image; the task metadata and the signature evidence on this page do not refer to the same run)
Sample
a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
General
-
Target
a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe
-
Size
3.7MB
-
MD5
4062f74bf62046004298ebcb3629f2d4
-
SHA1
9f7d9c6ee3f7881ba821fb7e2ab44004cc73afe8
-
SHA256
a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5
-
SHA512
a580ea4e5491135652c054ae252638b57636fea294bd2406d5a7920a5274caeb3c03cc38ab21f29b9fa33e6469e1ae70add16a1c3abf6d7079f7922e3a4f9058
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98+:U6XLq/qPPslzKx/dJg1ErmNd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (every hit is a memory match on the same 0x0000000000400000-0x0000000000427000 image range in successive processes of the chain; the same region is also matched by the upx rule further down, so the match is against the packed in-memory image and the unpacked payload is not shown here)
resource yara_rule behavioral2/memory/384-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1764-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2848-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2892-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2548-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-580-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-620-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-733-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/384-821-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-1258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-1674-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-1840-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family (no IoCs or configuration supporting this classification are listed on this page; treat it as unconfirmed until the matching rule or extracted config is reviewed)
-
Executes dropped EXE 64 IoCs (three signatures on this page report exactly 64 IoCs while the process tree below shows more than 120 dropped executables, so 64 is most likely a listing cap rather than the total count)
pid Process 336 nnhhbt.exe 4828 rfxxxfl.exe 1764 hbntbb.exe 404 llfflfr.exe 116 1hbtnh.exe 3416 1bnnbh.exe 2248 frrlffx.exe 3808 xffxrlx.exe 4704 btbtbt.exe 3668 vdppj.exe 3904 3nhbnn.exe 1056 ttttnt.exe 640 ffffflr.exe 4396 jjjjj.exe 2932 pvjjv.exe 4712 xxllrxl.exe 3652 lxfffff.exe 3524 llfxllf.exe 4868 xrxxllf.exe 3092 vdddd.exe 3336 ntnhnt.exe 1484 7lxrlll.exe 3584 3btnhh.exe 5116 5pvjv.exe 4628 llffrrr.exe 1264 xlllfxr.exe 3916 ffrfxfx.exe 64 nhtnbt.exe 2848 xrffxrl.exe 4832 xflllfx.exe 2892 3hhbtt.exe 632 nhnbtb.exe 1372 dvdvp.exe 4524 3djdd.exe 440 ddddj.exe 4056 dpvpj.exe 4072 flrxrxx.exe 3908 3pjdv.exe 336 ffrllrx.exe 1844 7fffxxr.exe 4788 dppdd.exe 2852 3vppp.exe 2840 dvvjd.exe 4824 lxrlfxr.exe 4600 3jddj.exe 4760 3vjvv.exe 548 lrxrlfl.exe 396 1dvjd.exe 2288 lfllllf.exe 4592 frffxff.exe 4808 vjvpj.exe 3076 dppjd.exe 3496 dvddd.exe 1028 pdjdp.exe 1848 1pjdj.exe 3988 7vvpj.exe 5100 dvvpp.exe 4176 pdppp.exe 2124 7nttbh.exe 3620 tnnhhh.exe 3652 hntnbt.exe 3524 1ffxrlx.exe 1596 ffrrlxx.exe 3016 rfrllxx.exe -
resource yara_rule behavioral2/memory/384-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0032000000023b77-3.dat upx behavioral2/memory/384-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-9.dat upx behavioral2/memory/336-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-13.dat upx behavioral2/memory/4828-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1764-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b78-23.dat upx behavioral2/memory/404-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-28.dat upx behavioral2/memory/116-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-35.dat upx behavioral2/memory/3416-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-40.dat upx behavioral2/memory/3416-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-46.dat upx behavioral2/memory/3808-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2248-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-53.dat upx behavioral2/files/0x000a000000023b83-57.dat upx behavioral2/memory/4704-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-64.dat upx behavioral2/files/0x000a000000023b85-70.dat upx behavioral2/memory/3904-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-76.dat upx behavioral2/files/0x000a000000023b87-80.dat upx behavioral2/memory/640-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e747-86.dat upx behavioral2/memory/4396-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-92.dat upx 
behavioral2/memory/4712-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-98.dat upx behavioral2/files/0x000a000000023b8b-103.dat upx behavioral2/memory/3652-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-112.dat upx behavioral2/memory/3524-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-116.dat upx behavioral2/memory/3092-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-123.dat upx behavioral2/files/0x000a000000023b90-128.dat upx behavioral2/memory/3336-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-133.dat upx behavioral2/files/0x000a000000023b92-139.dat upx behavioral2/files/0x000a000000023b93-143.dat upx behavioral2/files/0x000a000000023b94-150.dat upx behavioral2/memory/4628-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-155.dat upx behavioral2/memory/3916-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-160.dat upx behavioral2/files/0x000a000000023b98-164.dat upx behavioral2/files/0x000a000000023b99-169.dat upx behavioral2/memory/2848-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-174.dat upx behavioral2/files/0x000a000000023b9b-180.dat upx behavioral2/memory/2892-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1372-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/440-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4072-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3908-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4788-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4600-230-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/548-236-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/396-240-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTP 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location. Here the IoC is each dropped executable opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language; reading this key is also common in benign software, so weight it as supporting evidence rather than a standalone indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
hnbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxrlr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes only to the child it has just spawned, three writes per child, forming a strictly linear chain; no writes into pre-existing or unrelated processes are listed, so this is process-chain setup rather than injection into a foreign process as far as this page shows)
description pid Process procid_target PID 384 wrote to memory of 336 384 a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe 83 PID 384 wrote to memory of 336 384 a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe 83 PID 384 wrote to memory of 336 384 a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe 83 PID 336 wrote to memory of 4828 336 nnhhbt.exe 84 PID 336 wrote to memory of 4828 336 nnhhbt.exe 84 PID 336 wrote to memory of 4828 336 nnhhbt.exe 84 PID 4828 wrote to memory of 1764 4828 rfxxxfl.exe 85 PID 4828 wrote to memory of 1764 4828 rfxxxfl.exe 85 PID 4828 wrote to memory of 1764 4828 rfxxxfl.exe 85 PID 1764 wrote to memory of 404 1764 hbntbb.exe 86 PID 1764 wrote to memory of 404 1764 hbntbb.exe 86 PID 1764 wrote to memory of 404 1764 hbntbb.exe 86 PID 404 wrote to memory of 116 404 llfflfr.exe 87 PID 404 wrote to memory of 116 404 llfflfr.exe 87 PID 404 wrote to memory of 116 404 llfflfr.exe 87 PID 116 wrote to memory of 3416 116 1hbtnh.exe 88 PID 116 wrote to memory of 3416 116 1hbtnh.exe 88 PID 116 wrote to memory of 3416 116 1hbtnh.exe 88 PID 3416 wrote to memory of 2248 3416 1bnnbh.exe 89 PID 3416 wrote to memory of 2248 3416 1bnnbh.exe 89 PID 3416 wrote to memory of 2248 3416 1bnnbh.exe 89 PID 2248 wrote to memory of 3808 2248 frrlffx.exe 90 PID 2248 wrote to memory of 3808 2248 frrlffx.exe 90 PID 2248 wrote to memory of 3808 2248 frrlffx.exe 90 PID 3808 wrote to memory of 4704 3808 xffxrlx.exe 91 PID 3808 wrote to memory of 4704 3808 xffxrlx.exe 91 PID 3808 wrote to memory of 4704 3808 xffxrlx.exe 91 PID 4704 wrote to memory of 3668 4704 btbtbt.exe 92 PID 4704 wrote to memory of 3668 4704 btbtbt.exe 92 PID 4704 wrote to memory of 3668 4704 btbtbt.exe 92 PID 3668 wrote to memory of 3904 3668 vdppj.exe 93 PID 3668 wrote to memory of 3904 3668 vdppj.exe 93 PID 3668 wrote to memory of 3904 3668 vdppj.exe 93 PID 3904 wrote to memory of 1056 3904 3nhbnn.exe 94 PID 3904 wrote to memory of 1056 3904 
3nhbnn.exe 94 PID 3904 wrote to memory of 1056 3904 3nhbnn.exe 94 PID 1056 wrote to memory of 640 1056 ttttnt.exe 95 PID 1056 wrote to memory of 640 1056 ttttnt.exe 95 PID 1056 wrote to memory of 640 1056 ttttnt.exe 95 PID 640 wrote to memory of 4396 640 ffffflr.exe 96 PID 640 wrote to memory of 4396 640 ffffflr.exe 96 PID 640 wrote to memory of 4396 640 ffffflr.exe 96 PID 4396 wrote to memory of 2932 4396 jjjjj.exe 97 PID 4396 wrote to memory of 2932 4396 jjjjj.exe 97 PID 4396 wrote to memory of 2932 4396 jjjjj.exe 97 PID 2932 wrote to memory of 4712 2932 pvjjv.exe 98 PID 2932 wrote to memory of 4712 2932 pvjjv.exe 98 PID 2932 wrote to memory of 4712 2932 pvjjv.exe 98 PID 4712 wrote to memory of 3652 4712 xxllrxl.exe 99 PID 4712 wrote to memory of 3652 4712 xxllrxl.exe 99 PID 4712 wrote to memory of 3652 4712 xxllrxl.exe 99 PID 3652 wrote to memory of 3524 3652 lxfffff.exe 100 PID 3652 wrote to memory of 3524 3652 lxfffff.exe 100 PID 3652 wrote to memory of 3524 3652 lxfffff.exe 100 PID 3524 wrote to memory of 4868 3524 llfxllf.exe 101 PID 3524 wrote to memory of 4868 3524 llfxllf.exe 101 PID 3524 wrote to memory of 4868 3524 llfxllf.exe 101 PID 4868 wrote to memory of 3092 4868 xrxxllf.exe 102 PID 4868 wrote to memory of 3092 4868 xrxxllf.exe 102 PID 4868 wrote to memory of 3092 4868 xrxxllf.exe 102 PID 3092 wrote to memory of 3336 3092 vdddd.exe 103 PID 3092 wrote to memory of 3336 3092 vdddd.exe 103 PID 3092 wrote to memory of 3336 3092 vdddd.exe 103 PID 3336 wrote to memory of 1484 3336 ntnhnt.exe 104
Processes (every dropped stage is written to the root of C:\ under a short name built from a small character set — b, d, f, h, j, l, n, p, r, t, v, x and a leading digit — which is a usable hunting pattern; PIDs are reused across the chain, e.g. 336 at stages 2, 40 and 89 and 3652/3524 at stages 18-19 and 62-63, so correlate on parent/child relationships and file paths rather than on PID alone)
-
C:\Users\Admin\AppData\Local\Temp\a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe"C:\Users\Admin\AppData\Local\Temp\a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\nnhhbt.exec:\nnhhbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\rfxxxfl.exec:\rfxxxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\hbntbb.exec:\hbntbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\llfflfr.exec:\llfflfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\1hbtnh.exec:\1hbtnh.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\1bnnbh.exec:\1bnnbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\frrlffx.exec:\frrlffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\xffxrlx.exec:\xffxrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\btbtbt.exec:\btbtbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\vdppj.exec:\vdppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\3nhbnn.exec:\3nhbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\ttttnt.exec:\ttttnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\ffffflr.exec:\ffffflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\jjjjj.exec:\jjjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\pvjjv.exec:\pvjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\xxllrxl.exec:\xxllrxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\lxfffff.exec:\lxfffff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\llfxllf.exec:\llfxllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\xrxxllf.exec:\xrxxllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\vdddd.exec:\vdddd.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\ntnhnt.exec:\ntnhnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\7lxrlll.exec:\7lxrlll.exe23⤵
- Executes dropped EXE
PID:1484 -
\??\c:\3btnhh.exec:\3btnhh.exe24⤵
- Executes dropped EXE
PID:3584 -
\??\c:\5pvjv.exec:\5pvjv.exe25⤵
- Executes dropped EXE
PID:5116 -
\??\c:\llffrrr.exec:\llffrrr.exe26⤵
- Executes dropped EXE
PID:4628 -
\??\c:\xlllfxr.exec:\xlllfxr.exe27⤵
- Executes dropped EXE
PID:1264 -
\??\c:\ffrfxfx.exec:\ffrfxfx.exe28⤵
- Executes dropped EXE
PID:3916 -
\??\c:\nhtnbt.exec:\nhtnbt.exe29⤵
- Executes dropped EXE
PID:64 -
\??\c:\xrffxrl.exec:\xrffxrl.exe30⤵
- Executes dropped EXE
PID:2848 -
\??\c:\xflllfx.exec:\xflllfx.exe31⤵
- Executes dropped EXE
PID:4832 -
\??\c:\3hhbtt.exec:\3hhbtt.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
\??\c:\nhnbtb.exec:\nhnbtb.exe33⤵
- Executes dropped EXE
PID:632 -
\??\c:\dvdvp.exec:\dvdvp.exe34⤵
- Executes dropped EXE
PID:1372 -
\??\c:\3djdd.exec:\3djdd.exe35⤵
- Executes dropped EXE
PID:4524 -
\??\c:\ddddj.exec:\ddddj.exe36⤵
- Executes dropped EXE
PID:440 -
\??\c:\dpvpj.exec:\dpvpj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4056 -
\??\c:\flrxrxx.exec:\flrxrxx.exe38⤵
- Executes dropped EXE
PID:4072 -
\??\c:\3pjdv.exec:\3pjdv.exe39⤵
- Executes dropped EXE
PID:3908 -
\??\c:\ffrllrx.exec:\ffrllrx.exe40⤵
- Executes dropped EXE
PID:336 -
\??\c:\7fffxxr.exec:\7fffxxr.exe41⤵
- Executes dropped EXE
PID:1844 -
\??\c:\dppdd.exec:\dppdd.exe42⤵
- Executes dropped EXE
PID:4788 -
\??\c:\3vppp.exec:\3vppp.exe43⤵
- Executes dropped EXE
PID:2852 -
\??\c:\dvvjd.exec:\dvvjd.exe44⤵
- Executes dropped EXE
PID:2840 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe45⤵
- Executes dropped EXE
PID:4824 -
\??\c:\3jddj.exec:\3jddj.exe46⤵
- Executes dropped EXE
PID:4600 -
\??\c:\3vjvv.exec:\3vjvv.exe47⤵
- Executes dropped EXE
PID:4760 -
\??\c:\lrxrlfl.exec:\lrxrlfl.exe48⤵
- Executes dropped EXE
PID:548 -
\??\c:\1dvjd.exec:\1dvjd.exe49⤵
- Executes dropped EXE
PID:396 -
\??\c:\lfllllf.exec:\lfllllf.exe50⤵
- Executes dropped EXE
PID:2288 -
\??\c:\frffxff.exec:\frffxff.exe51⤵
- Executes dropped EXE
PID:4592 -
\??\c:\vjvpj.exec:\vjvpj.exe52⤵
- Executes dropped EXE
PID:4808 -
\??\c:\dppjd.exec:\dppjd.exe53⤵
- Executes dropped EXE
PID:3076 -
\??\c:\dvddd.exec:\dvddd.exe54⤵
- Executes dropped EXE
PID:3496 -
\??\c:\pdjdp.exec:\pdjdp.exe55⤵
- Executes dropped EXE
PID:1028 -
\??\c:\1pjdj.exec:\1pjdj.exe56⤵
- Executes dropped EXE
PID:1848 -
\??\c:\7vvpj.exec:\7vvpj.exe57⤵
- Executes dropped EXE
PID:3988 -
\??\c:\dvvpp.exec:\dvvpp.exe58⤵
- Executes dropped EXE
PID:5100 -
\??\c:\pdppp.exec:\pdppp.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4176 -
\??\c:\7nttbh.exec:\7nttbh.exe60⤵
- Executes dropped EXE
PID:2124 -
\??\c:\tnnhhh.exec:\tnnhhh.exe61⤵
- Executes dropped EXE
PID:3620 -
\??\c:\hntnbt.exec:\hntnbt.exe62⤵
- Executes dropped EXE
PID:3652 -
\??\c:\1ffxrlx.exec:\1ffxrlx.exe63⤵
- Executes dropped EXE
PID:3524 -
\??\c:\ffrrlxx.exec:\ffrrlxx.exe64⤵
- Executes dropped EXE
PID:1596 -
\??\c:\rfrllxx.exec:\rfrllxx.exe65⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ffrlllr.exec:\ffrlllr.exe66⤵PID:4916
-
\??\c:\xlfrrrr.exec:\xlfrrrr.exe67⤵PID:4772
-
\??\c:\fxrrlxr.exec:\fxrrlxr.exe68⤵PID:892
-
\??\c:\rlflxxr.exec:\rlflxxr.exe69⤵PID:712
-
\??\c:\xfflfff.exec:\xfflfff.exe70⤵PID:2984
-
\??\c:\ffxxxfx.exec:\ffxxxfx.exe71⤵PID:1804
-
\??\c:\5rfffff.exec:\5rfffff.exe72⤵PID:2648
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe73⤵PID:3932
-
\??\c:\llffffl.exec:\llffffl.exe74⤵PID:212
-
\??\c:\rrxxlll.exec:\rrxxlll.exe75⤵PID:4520
-
\??\c:\dvdvj.exec:\dvdvj.exe76⤵PID:3688
-
\??\c:\9pvvv.exec:\9pvvv.exe77⤵PID:2780
-
\??\c:\jdjdj.exec:\jdjdj.exe78⤵PID:2548
-
\??\c:\pjpjv.exec:\pjpjv.exe79⤵PID:5056
-
\??\c:\jpjdj.exec:\jpjdj.exe80⤵PID:4240
-
\??\c:\jjjjv.exec:\jjjjv.exe81⤵PID:4716
-
\??\c:\nbnttt.exec:\nbnttt.exe82⤵PID:3756
-
\??\c:\9bnhnn.exec:\9bnhnn.exe83⤵PID:2372
-
\??\c:\thnhtn.exec:\thnhtn.exe84⤵
- System Location Discovery: System Language Discovery
PID:4440 -
\??\c:\tbhbbt.exec:\tbhbbt.exe85⤵PID:3928
-
\??\c:\3flfxrl.exec:\3flfxrl.exe86⤵PID:4840
-
\??\c:\xffffxx.exec:\xffffxx.exe87⤵PID:1968
-
\??\c:\7xrlfll.exec:\7xrlfll.exe88⤵PID:3848
-
\??\c:\rllrlrl.exec:\rllrlrl.exe89⤵PID:336
-
\??\c:\rflxrlf.exec:\rflxrlf.exe90⤵PID:3592
-
\??\c:\rlrfrll.exec:\rlrfrll.exe91⤵PID:4788
-
\??\c:\xfxxflr.exec:\xfxxflr.exe92⤵PID:2852
-
\??\c:\rxxrrlr.exec:\rxxrrlr.exe93⤵PID:2268
-
\??\c:\lffxxxx.exec:\lffxxxx.exe94⤵PID:1544
-
\??\c:\rfxxlxl.exec:\rfxxlxl.exe95⤵PID:5104
-
\??\c:\rlrrrrf.exec:\rlrrrrf.exe96⤵PID:2020
-
\??\c:\ddjvp.exec:\ddjvp.exe97⤵PID:4260
-
\??\c:\pjpdd.exec:\pjpdd.exe98⤵PID:3960
-
\??\c:\vvdjp.exec:\vvdjp.exe99⤵PID:1624
-
\??\c:\3ppjv.exec:\3ppjv.exe100⤵PID:4340
-
\??\c:\ppvvp.exec:\ppvvp.exe101⤵PID:1912
-
\??\c:\9dvdv.exec:\9dvdv.exe102⤵PID:1728
-
\??\c:\1hbhtt.exec:\1hbhtt.exe103⤵PID:3228
-
\??\c:\1tnnbb.exec:\1tnnbb.exe104⤵PID:764
-
\??\c:\bbtnnh.exec:\bbtnnh.exe105⤵PID:3396
-
\??\c:\ttttnn.exec:\ttttnn.exe106⤵PID:2964
-
\??\c:\ttbtnn.exec:\ttbtnn.exe107⤵PID:2388
-
\??\c:\hbtnhh.exec:\hbtnhh.exe108⤵PID:624
-
\??\c:\xfxlflx.exec:\xfxlflx.exe109⤵PID:2672
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe110⤵PID:1736
-
\??\c:\xffxrrl.exec:\xffxrrl.exe111⤵PID:3676
-
\??\c:\xlxxrfl.exec:\xlxxrfl.exe112⤵PID:1660
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe113⤵PID:4624
-
\??\c:\3rrfxfx.exec:\3rrfxfx.exe114⤵
- System Location Discovery: System Language Discovery
PID:3016 -
\??\c:\xlrfxxx.exec:\xlrfxxx.exe115⤵PID:4916
-
\??\c:\vvjdd.exec:\vvjdd.exe116⤵
- System Location Discovery: System Language Discovery
PID:4264 -
\??\c:\jddpj.exec:\jddpj.exe117⤵PID:3916
-
\??\c:\9jvpj.exec:\9jvpj.exe118⤵PID:1808
-
\??\c:\vpdvp.exec:\vpdvp.exe119⤵PID:2032
-
\??\c:\jdjjj.exec:\jdjjj.exe120⤵PID:4400
-
\??\c:\ppvpj.exec:\ppvpj.exe121⤵PID:2648
-
\??\c:\3tthbt.exec:\3tthbt.exe122⤵PID:1640