Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2024 10:24

Behavioral task: behavioral1
Sample: 7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe
Resource: win7-20240903-en

General
- Target: 7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe
- Size: 3.7MB
- MD5: 6b042ecf7c29ad15534621096520cab6
- SHA1: a0e7ae80322f62f7fb7c13daf17fa7f4bf2fa401
- SHA256: 7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799
- SHA512: b63817abac66a103cdc10149b2ff62a63a8ec86325e8d2b19936fa375292156a5899298e857cbd4dd4b811ee81ce70383087c26a31b222b51d6cb230fe25cc02
- SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98o:U6XLq/qPPslzKx/dJg1ErmNl
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (50 IoCs): yara_rule family_blackmoon matched in the memory regions of the dropped processes (match list omitted)
- Njrat family
- Executes dropped EXE (64 IoCs): the dropped executables and their PIDs are listed in the process chain below
- UPX: yara_rule upx matched on the sample's memory, on the dropped .dat files and on the memory regions of the dropped processes (match list omitted)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Every IoC here is a dropped executable opening the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each process in the chain below writes into the memory of the child it spawns: PID 2724 (the sample) wrote to memory of PID 2768 (nhbnnt.exe), which wrote to PID 2848 (7xlrxrf.exe), and so on down the chain.
Processes
Layout: [depth in the process tree] image path, command line, PID, signatures flagged on that process. Each entry is a child of the entry above it.

[1] C:\Users\Admin\AppData\Local\Temp\7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe   cmd: "C:\Users\Admin\AppData\Local\Temp\7971881855b6c6c2ac99fc9ac82def577ee578345d4f24e043e9415661bbc799.exe"   PID: 2724   Suspicious use of WriteProcessMemory
[2] \??\c:\nhbnnt.exe   cmd: c:\nhbnnt.exe   PID: 2768   Executes dropped EXE; Suspicious use of WriteProcessMemory
[3] \??\c:\7xlrxrf.exe   cmd: c:\7xlrxrf.exe   PID: 2848   Executes dropped EXE; Suspicious use of WriteProcessMemory
[4] \??\c:\ffxfrlx.exe   cmd: c:\ffxfrlx.exe   PID: 2556   Executes dropped EXE; Suspicious use of WriteProcessMemory
[5] \??\c:\nbhhbn.exe   cmd: c:\nbhhbn.exe   PID: 2740   Executes dropped EXE; Suspicious use of WriteProcessMemory
[6] \??\c:\nhbhht.exe   cmd: c:\nhbhht.exe   PID: 2604   Executes dropped EXE; Suspicious use of WriteProcessMemory
[7] \??\c:\9tnbbn.exe   cmd: c:\9tnbbn.exe   PID: 264   Executes dropped EXE; Suspicious use of WriteProcessMemory
[8] \??\c:\vvjpd.exe   cmd: c:\vvjpd.exe   PID: 1432   Executes dropped EXE; Suspicious use of WriteProcessMemory
[9] \??\c:\jvjpv.exe   cmd: c:\jvjpv.exe   PID: 2108   Executes dropped EXE; Suspicious use of WriteProcessMemory
[10] \??\c:\jddpd.exe   cmd: c:\jddpd.exe   PID: 2628   Executes dropped EXE; Suspicious use of WriteProcessMemory
[11] \??\c:\fffflxl.exe   cmd: c:\fffflxl.exe   PID: 2060   Executes dropped EXE; Suspicious use of WriteProcessMemory
[12] \??\c:\ffrlxlr.exe   cmd: c:\ffrlxlr.exe   PID: 1852   Executes dropped EXE; Suspicious use of WriteProcessMemory
[13] \??\c:\bhttht.exe   cmd: c:\bhttht.exe   PID: 2876   Executes dropped EXE; Suspicious use of WriteProcessMemory
[14] \??\c:\9nhnnh.exe   cmd: c:\9nhnnh.exe   PID: 2824   Executes dropped EXE; Suspicious use of WriteProcessMemory
[15] \??\c:\lrrfrxf.exe   cmd: c:\lrrfrxf.exe   PID: 3036   Executes dropped EXE; Suspicious use of WriteProcessMemory
[16] \??\c:\pddpv.exe   cmd: c:\pddpv.exe   PID: 2436   Executes dropped EXE; Suspicious use of WriteProcessMemory
[17] \??\c:\vdpjp.exe   cmd: c:\vdpjp.exe   PID: 2028   Executes dropped EXE; System Location Discovery: System Language Discovery
[18] \??\c:\5pjpd.exe   cmd: c:\5pjpd.exe   PID: 2296   Executes dropped EXE
[19] \??\c:\ddvdp.exe   cmd: c:\ddvdp.exe   PID: 2708   Executes dropped EXE
[20] \??\c:\bthhbn.exe   cmd: c:\bthhbn.exe   PID: 2512   Executes dropped EXE
[21] \??\c:\jjvdv.exe   cmd: c:\jjvdv.exe   PID: 468   Executes dropped EXE
[22] \??\c:\jddvp.exe   cmd: c:\jddvp.exe   PID: 1544   Executes dropped EXE
[23] \??\c:\7jpvj.exe   cmd: c:\7jpvj.exe   PID: 1900   Executes dropped EXE; System Location Discovery: System Language Discovery
[24] \??\c:\jjpdp.exe   cmd: c:\jjpdp.exe   PID: 2164   Executes dropped EXE
[25] \??\c:\fxlrxlx.exe   cmd: c:\fxlrxlx.exe   PID: 1692   Executes dropped EXE
[26] \??\c:\3dpjv.exe   cmd: c:\3dpjv.exe   PID: 688   Executes dropped EXE
[27] \??\c:\jddpd.exe   cmd: c:\jddpd.exe   PID: 1468   Executes dropped EXE
[28] \??\c:\flxfllf.exe   cmd: c:\flxfllf.exe   PID: 1660   Executes dropped EXE
[29] \??\c:\thhbbt.exe   cmd: c:\thhbbt.exe   PID: 2320   Executes dropped EXE
[30] \??\c:\bnttnb.exe   cmd: c:\bnttnb.exe   PID: 272   Executes dropped EXE
[31] \??\c:\pvpjd.exe   cmd: c:\pvpjd.exe   PID: 1240   Executes dropped EXE
[32] \??\c:\ttnnhn.exe   cmd: c:\ttnnhn.exe   PID: 2336   Executes dropped EXE
[33] \??\c:\fxfflxr.exe   cmd: c:\fxfflxr.exe   PID: 2636   Executes dropped EXE
[34] \??\c:\1flxrrx.exe   cmd: c:\1flxrrx.exe   PID: 1528   Executes dropped EXE
[35] \??\c:\jvdvd.exe   cmd: c:\jvdvd.exe   PID: 2724   Executes dropped EXE
[36] \??\c:\jdppj.exe   cmd: c:\jdppj.exe   PID: 2780   Executes dropped EXE; System Location Discovery: System Language Discovery
[37] \??\c:\nhbtnt.exe   cmd: c:\nhbtnt.exe   PID: 2964   Executes dropped EXE
[38] \??\c:\tnbbtn.exe   cmd: c:\tnbbtn.exe   PID: 2240   Executes dropped EXE
[39] \??\c:\fllxxlr.exe   cmd: c:\fllxxlr.exe   PID: 2644   Executes dropped EXE
[40] \??\c:\frrxlxf.exe   cmd: c:\frrxlxf.exe   PID: 2572   Executes dropped EXE
[41] \??\c:\ddvdp.exe   cmd: c:\ddvdp.exe   PID: 2252   Executes dropped EXE
[42] \??\c:\pdjdj.exe   cmd: c:\pdjdj.exe   PID: 1588   Executes dropped EXE
[43] \??\c:\1bttht.exe   cmd: c:\1bttht.exe   PID: 2808   Executes dropped EXE
[44] \??\c:\bthhtt.exe   cmd: c:\bthhtt.exe   PID: 2700   Executes dropped EXE
[45] \??\c:\1lxfxlx.exe   cmd: c:\1lxfxlx.exe   PID: 2152   Executes dropped EXE
[46] \??\c:\1pjvp.exe   cmd: c:\1pjvp.exe   PID: 2368   Executes dropped EXE
[47] \??\c:\5vpjp.exe   cmd: c:\5vpjp.exe   PID: 2144   Executes dropped EXE
[48] \??\c:\ppjjp.exe   cmd: c:\ppjjp.exe   PID: 1600   Executes dropped EXE
[49] \??\c:\vddjv.exe   cmd: c:\vddjv.exe   PID: 2516   Executes dropped EXE
[50] \??\c:\bhhbbn.exe   cmd: c:\bhhbbn.exe   PID: 1852   Executes dropped EXE
[51] \??\c:\tnnbth.exe   cmd: c:\tnnbth.exe   PID: 2620   Executes dropped EXE
[52] \??\c:\bttttt.exe   cmd: c:\bttttt.exe   PID: 2864   Executes dropped EXE
[53] \??\c:\hbhbnt.exe   cmd: c:\hbhbnt.exe   PID: 3044   Executes dropped EXE
[54] \??\c:\1hbbth.exe   cmd: c:\1hbbth.exe   PID: 3036   Executes dropped EXE
[55] \??\c:\9nntnb.exe   cmd: c:\9nntnb.exe   PID: 1564   Executes dropped EXE
[56] \??\c:\5rrxrlf.exe   cmd: c:\5rrxrlf.exe   PID: 2092   Executes dropped EXE
[57] \??\c:\5rrxflr.exe   cmd: c:\5rrxflr.exe   PID: 2292   Executes dropped EXE
[58] \??\c:\3jjvj.exe   cmd: c:\3jjvj.exe   PID: 2428   Executes dropped EXE; System Location Discovery: System Language Discovery
[59] \??\c:\llxxrfx.exe   cmd: c:\llxxrfx.exe   PID: 2376   Executes dropped EXE
[60] \??\c:\ppjvv.exe   cmd: c:\ppjvv.exe   PID: 2708   Executes dropped EXE
[61] \??\c:\pddvv.exe   cmd: c:\pddvv.exe   PID: 840   Executes dropped EXE
[62] \??\c:\3pjvp.exe   cmd: c:\3pjvp.exe   PID: 1228   Executes dropped EXE
[63] \??\c:\1nbbnb.exe   cmd: c:\1nbbnb.exe   PID: 1972   Executes dropped EXE; System Location Discovery: System Language Discovery
[64] \??\c:\bbhnnt.exe   cmd: c:\bbhnnt.exe   PID: 1112   Executes dropped EXE
[65] \??\c:\fxxlfxf.exe   cmd: c:\fxxlfxf.exe   PID: 2356   Executes dropped EXE
[66] \??\c:\frrlxlx.exe   cmd: c:\frrlxlx.exe   PID: 704
[67] \??\c:\5jdjv.exe   cmd: c:\5jdjv.exe   PID: 1316
[68] \??\c:\djddv.exe   cmd: c:\djddv.exe   PID: 1944
[69] \??\c:\pddjj.exe   cmd: c:\pddjj.exe   PID: 2208
[70] \??\c:\vvpvj.exe   cmd: c:\vvpvj.exe   PID: 108
[71] \??\c:\5hbnbn.exe   cmd: c:\5hbnbn.exe   PID: 1904
[72] \??\c:\thttbt.exe   cmd: c:\thttbt.exe   PID: 1956   System Location Discovery: System Language Discovery
[73] \??\c:\nhbntn.exe   cmd: c:\nhbntn.exe   PID: 2012
[74] \??\c:\fffrlxx.exe   cmd: c:\fffrlxx.exe   PID: 2464
[75] \??\c:\dpjjp.exe   cmd: c:\dpjjp.exe   PID: 1988
[76] \??\c:\jdpjd.exe   cmd: c:\jdpjd.exe   PID: 1004
[77] \??\c:\jjddp.exe   cmd: c:\jjddp.exe   PID: 3024
[78] \??\c:\tbbtbt.exe   cmd: c:\tbbtbt.exe   PID: 1532
[79] \??\c:\nnthhn.exe   cmd: c:\nnthhn.exe   PID: 2720
[80] \??\c:\tnnhtn.exe   cmd: c:\tnnhtn.exe   PID: 2980
[81] \??\c:\btbttn.exe   cmd: c:\btbttn.exe   PID: 2836
[82] \??\c:\hnhntn.exe   cmd: c:\hnhntn.exe   PID: 2796
[83] \??\c:\bbtntn.exe   cmd: c:\bbtntn.exe   PID: 1680
[84] \??\c:\xflrlfx.exe   cmd: c:\xflrlfx.exe   PID: 2596
[85] \??\c:\lrfrlrf.exe   cmd: c:\lrfrlrf.exe   PID: 2560
[86] \??\c:\lfxlffr.exe   cmd: c:\lfxlffr.exe   PID: 3068
[87] \??\c:\xrxlrlr.exe   cmd: c:\xrxlrlr.exe   PID: 2212
[88] \??\c:\9pjpj.exe   cmd: c:\9pjpj.exe   PID: 624
[89] \??\c:\jjdpd.exe   cmd: c:\jjdpd.exe   PID: 328
[90] \??\c:\hhtnbn.exe   cmd: c:\hhtnbn.exe   PID: 3056
[91] \??\c:\nhnbbt.exe   cmd: c:\nhnbbt.exe   PID: 2568
[92] \??\c:\hnbnhh.exe   cmd: c:\hnbnhh.exe   PID: 2884   System Location Discovery: System Language Discovery
[93] \??\c:\lllxrxr.exe   cmd: c:\lllxrxr.exe   PID: 1248
[94] \??\c:\pjpvj.exe   cmd: c:\pjpvj.exe   PID: 2600
[95] \??\c:\5dvvd.exe   cmd: c:\5dvvd.exe   PID: 2908
[96] \??\c:\3bhbbt.exe   cmd: c:\3bhbbt.exe   PID: 1852
[97] \??\c:\bbbnnh.exe   cmd: c:\bbbnnh.exe   PID: 2748
[98] \??\c:\rxlflll.exe   cmd: c:\rxlflll.exe   PID: 2936
[99] \??\c:\ttttbn.exe   cmd: c:\ttttbn.exe   PID: 1192
[100] \??\c:\xxlrxfl.exe   cmd: c:\xxlrxfl.exe   PID: 1760
[101] \??\c:\llfxlxx.exe   cmd: c:\llfxlxx.exe   PID: 1452
[102] \??\c:\xfrlllx.exe   cmd: c:\xfrlllx.exe   PID: 2984
[103] \??\c:\7lfrllr.exe   cmd: c:\7lfrllr.exe   PID: 2296
[104] \??\c:\1jdvd.exe   cmd: c:\1jdvd.exe   PID: 2488
[105] \??\c:\vvvdv.exe   cmd: c:\vvvdv.exe   PID: 2392
[106] \??\c:\vdjjv.exe   cmd: c:\vdjjv.exe   PID: 716
[107] \??\c:\ddvdv.exe   cmd: c:\ddvdv.exe   PID: 1608   System Location Discovery: System Language Discovery
[108] \??\c:\3bthht.exe   cmd: c:\3bthht.exe   PID: 1800
[109] \??\c:\fxxlflx.exe   cmd: c:\fxxlflx.exe   PID: 2204   System Location Discovery: System Language Discovery
[110] \??\c:\7flfxrf.exe   cmd: c:\7flfxrf.exe   PID: 2364
[111] \??\c:\3vdjj.exe   cmd: c:\3vdjj.exe   PID: 1164
[112] \??\c:\nhbbhn.exe   cmd: c:\nhbbhn.exe   PID: 948
[113] \??\c:\3nthth.exe   cmd: c:\3nthth.exe   PID: 1296
[114] \??\c:\bbhhht.exe   cmd: c:\bbhhht.exe   PID: 1288
[115] \??\c:\1xrfxfx.exe   cmd: c:\1xrfxfx.exe   PID: 1196   System Location Discovery: System Language Discovery
[116] \??\c:\9dpdv.exe   cmd: c:\9dpdv.exe   PID: 888
[117] \??\c:\dddvj.exe   cmd: c:\dddvj.exe   PID: 2360
[118] \??\c:\jdjdj.exe   cmd: c:\jdjdj.exe   PID: 568
[119] \??\c:\bbnbnb.exe   cmd: c:\bbnbnb.exe   PID: 2268
[120] \??\c:\tnnbbn.exe   cmd: c:\tnnbbn.exe   PID: 2244
[121] \??\c:\5rlrrll.exe   cmd: c:\5rlrrll.exe   PID: 1688
[122] \??\c:\xrllrlr.exe   cmd: c:\xrllrlr.exe   PID: 1540