Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 02:39
Behavioral task: behavioral1
Sample: 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe
Resource: win7-20240903-en (windows7-x64)
9 signatures, 120 seconds
General
Target: 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe
Size: 3.7MB
MD5: ea4ba7e109b21421ef014dfdc5704070
SHA1: 3d84fc1d28303a2ac15ab8ea6ed332314ffba027
SHA256: 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08e
SHA512: dc83c2a355e82f400a40a9816285902c466df103bea5793fccc20eec1145100fc9132db232c38ba47b695286af89fd8f8659d20cbff6a7328c7374dfa1d28844
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98V:U6XLq/qPPslzKx/dJg1ErmNE
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 44 IoCs
resource yara_rule
behavioral1/memory/2640-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2656-19-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon
behavioral1/memory/2656-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2108-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2108-34-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon
behavioral1/memory/2876-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2592-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1004-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1808-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1748-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2188-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2532-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2616-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/584-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1828-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2016-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2956-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2500-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2916-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/616-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1216-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2940-287-0x00000000002D0000-0x00000000002F7000-memory.dmp family_blackmoon
behavioral1/memory/2064-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/3060-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2064-308-0x0000000077410000-0x000000007752F000-memory.dmp family_blackmoon
behavioral1/memory/2820-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/3016-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1516-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/3020-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2288-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1840-403-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon
behavioral1/memory/2532-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1072-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2196-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1168-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1240-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1812-584-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon
behavioral1/memory/2692-604-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2692-611-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2716-631-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2816-908-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2772-916-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon
behavioral1/memory/1676-956-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon
behavioral1/memory/1992-1007-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon
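What the 44 hits above do not show at a glance is that every flagged region except one has the same size (0x27000 bytes), whether it sits at the 0x400000 image base or at 0x220000/0x1B0000-style addresses. The script below is an added example, not part of the report and not the sandbox's own tooling: it parses rows in the format of the table above, groups them by (region start, size), and flags any region whose size differs from the common one. The 22 rows embedded in it are copied from the table (the first 21 plus the pid 2064 hit at 0x77410000); the function names and the dict layout are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the "Detect Blackmoon payload" table of the report.
YARA_HITS = """
behavioral1/memory/2640-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2656-19-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon
behavioral1/memory/2656-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2108-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2108-34-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon
behavioral1/memory/2876-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2592-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1004-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1808-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1748-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2188-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2532-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2616-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/584-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1828-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2016-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2956-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2500-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2916-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/616-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1216-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2064-308-0x0000000077410000-0x000000007752F000-memory.dmp family_blackmoon
"""

# Row format: behavioral1/memory/<pid>-<dump seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\w+)"
)


def parse_hits(text):
    """Return one dict per row: pid, dump sequence number, region start, size, rule."""
    hits = []
    for pid, seq, start, end, rule in HIT_RE.findall(text):
        start, end = int(start, 16), int(end, 16)
        hits.append({"pid": int(pid), "seq": int(seq), "start": start,
                     "size": end - start, "rule": rule})
    return hits


def payload_size(hits):
    """Most common region size: the unpacked image, if the same payload is mapped everywhere."""
    return Counter(h["size"] for h in hits).most_common(1)[0][0]


def group_by_layout(hits):
    """Map (start, size) to the sorted PIDs that have a hit with that exact layout."""
    groups = defaultdict(set)
    for h in hits:
        groups[(h["start"], h["size"])].add(h["pid"])
    return {key: sorted(pids) for key, pids in groups.items()}


def outliers(hits):
    """Hits whose region size differs from the common payload size.

    These deserve a look at what is actually mapped there before being
    counted as payload instances; a family rule can also fire on a
    system module that happens to contain the same strings or code.
    """
    common = payload_size(hits)
    return [h for h in hits if h["size"] != common]


if __name__ == "__main__":
    hits = parse_hits(YARA_HITS)
    print(f"payload image size: {payload_size(hits):#x}")
    for (start, size), pids in sorted(group_by_layout(hits).items()):
        print(f"{start:#010x} +{size:#x}: {len(pids)} pid(s) {pids}")
    for h in outliers(hits):
        print(f"outlier: pid {h['pid']} dump {h['seq']} at {h['start']:#x}, size {h['size']:#x}")
```

On the rows above this reports a common size of 0x27000 for 21 of the 22 hits and exactly one outlier, pid 2064's 0x11F000-byte region at 0x77410000, which is the only hit not sized like the dropped image.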
Njrat family
Executes dropped EXE 64 IoCs
pid Process
2656 nhbbbb.exe
2812 lxxfxlx.exe
2108 vdjvp.exe
2876 xlrfrfl.exe
2592 5bnbhh.exe
1004 tnhttb.exe
1808 rllxxfr.exe
1748 hbnbnn.exe
2188 5pdjd.exe
2532 dpjjv.exe
1564 nhbhtt.exe
2316 fxllxfl.exe
2616 hthttn.exe
2868 3nhbnh.exe
584 hhnnbh.exe
1828 bthnhn.exe
576 pdppd.exe
2016 hbtbhh.exe
2920 dpdjv.exe
2232 jvjjp.exe
2956 bbbhbt.exe
1312 ttnbnt.exe
2500 jjddj.exe
568 bbnbnn.exe
2916 rxllffx.exe
1996 fffrlfr.exe
616 bbntbb.exe
2444 dpdjv.exe
1216 vjppj.exe
2940 btnnbh.exe
1016 hhtbtb.exe
548 nhbbhh.exe
2064 nnbbhn.exe
2788 tthnht.exe
2908 nbhhbt.exe
2820 7jdpd.exe
2572 jdvjv.exe
3016 7pdjd.exe
2876 3pvjd.exe
1516 pjdjp.exe
3020 5pddj.exe
2872 bbhhbt.exe
1692 1hbtnb.exe
1868 fxrfxlx.exe
2288 xrlrxfr.exe
1840 pddpd.exe
2532 ddpvd.exe
1564 jpjpv.exe
2088 5pjvj.exe
2848 hbhntt.exe
1072 7nhnhn.exe
2868 fffxflx.exe
600 pjdpv.exe
1960 djvvp.exe
2196 5vdpj.exe
1168 bnnbbn.exe
2764 tnbtnh.exe
2216 xfrrxxx.exe
2968 jdvdp.exe
1972 ddvpd.exe
1100 tttnht.exe
1376 bbtbtb.exe
960 xrflxrf.exe
2432 dvppd.exe
upx yara rule hits 64 IoCs
resource yara_rule
behavioral1/memory/2640-0-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0007000000012117-10.dat upx
behavioral1/memory/2640-9-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x00070000000193d9-20.dat upx
behavioral1/memory/2656-18-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x00060000000193df-30.dat upx
behavioral1/memory/2108-31-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0006000000019401-39.dat upx
behavioral1/files/0x00350000000193be-46.dat upx
behavioral1/memory/2876-48-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/1004-58-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/2592-57-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0006000000019403-56.dat upx
behavioral1/files/0x000600000001942f-68.dat upx
behavioral1/memory/1004-67-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0007000000019441-78.dat upx
behavioral1/memory/1808-77-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/1748-89-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x000700000001947e-86.dat upx
behavioral1/files/0x000600000001967d-98.dat upx
behavioral1/memory/2188-97-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x00050000000196be-108.dat upx
behavioral1/memory/2532-107-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x00050000000196f6-116.dat upx
behavioral1/files/0x000500000001998a-125.dat upx
behavioral1/memory/2616-126-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0005000000019c43-135.dat upx
behavioral1/memory/2616-134-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0005000000019c48-144.dat upx
behavioral1/files/0x0005000000019c4a-153.dat upx
behavioral1/memory/584-152-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0005000000019c63-160.dat upx
behavioral1/memory/1828-162-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0005000000019d2d-171.dat upx
behavioral1/memory/2016-181-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0005000000019d54-179.dat upx
behavioral1/files/0x0005000000019db5-189.dat upx
behavioral1/files/0x0005000000019dc1-197.dat upx
behavioral1/files/0x0005000000019faf-206.dat upx
behavioral1/memory/2956-205-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0005000000019fc9-215.dat upx
behavioral1/memory/2500-217-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x000500000001a078-224.dat upx
behavioral1/files/0x000500000001a08b-233.dat upx
behavioral1/memory/1996-243-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x000500000001a0b3-242.dat upx
behavioral1/memory/2916-241-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x000500000001a311-252.dat upx
behavioral1/memory/616-260-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x0005000000019d54-262.dat upx
behavioral1/files/0x000500000001a354-271.dat upx
behavioral1/files/0x000500000001a43d-280.dat upx
behavioral1/memory/1216-279-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/files/0x000500000001a43f-288.dat upx
behavioral1/files/0x000500000001a441-297.dat upx
behavioral1/memory/2064-306-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/3060-310-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/2064-308-0x0000000077410000-0x000000007752F000-memory.dmp upx
behavioral1/memory/2820-329-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/3016-350-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/1516-364-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/3020-371-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/2288-396-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/2532-410-0x0000000000400000-0x0000000000427000-memory.dmp upx
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
All 64 rows share the same description and ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The Process column, in report order:
7pdjd.exe, vvjvj.exe, fxrrlrx.exe, dpdjv.exe, pdjjd.exe, 9pjjj.exe, bbnttn.exe, nhbbtb.exe, jvjjv.exe, btbthn.exe, lxlffrr.exe, hnttnh.exe, ppjvj.exe, lflrrxr.exe, vdjvj.exe, tbtnnh.exe, llrllrr.exe, nhnbth.exe, rrxrffr.exe, jpjdp.exe, lxfflrf.exe, frlllfx.exe, xxlxxlf.exe, lfrfflx.exe,
7nttnt.exe, rlxrrll.exe, ttbnbn.exe, xrfrffr.exe, djpdp.exe, 9jvdj.exe, 1htnth.exe, xrlrrfl.exe, pjpjp.exe, fffxflx.exe, bbtbtb.exe, rrxrlrf.exe, hntbnb.exe, jjjdd.exe, dvdpd.exe, nhhbtn.exe, fflffrf.exe, hnttnn.exe, hnthth.exe, 7lfxrfl.exe, hthnth.exe, 3tthtb.exe, fflxxlf.exe, jjvpj.exe,
htntnt.exe, 9nnhbn.exe, 3frxflr.exe, 3jdpp.exe, ttbbtn.exe, 7nhnhn.exe, xxfxrrl.exe, 5lflxlf.exe, ddpdj.exe, rllxflx.exe, hnnntt.exe, 9lllxlr.exe, lrxrfrl.exe, 9ddjj.exe, 9vvvj.exe, rrlxxfx.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each of the 16 entries below appears four times in the report (64 rows in all).
PID 2640 wrote to memory of 2656  2640  42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe  30
PID 2656 wrote to memory of 2812  2656  nhbbbb.exe  31
PID 2812 wrote to memory of 2108  2812  lxxfxlx.exe  32
PID 2108 wrote to memory of 2876  2108  vdjvp.exe  33
PID 2876 wrote to memory of 2592  2876  xlrfrfl.exe  34
PID 2592 wrote to memory of 1004  2592  5bnbhh.exe  35
PID 1004 wrote to memory of 1808  1004  tnhttb.exe  36
PID 1808 wrote to memory of 1748  1808  rllxxfr.exe  37
PID 1748 wrote to memory of 2188  1748  hbnbnn.exe  38
PID 2188 wrote to memory of 2532  2188  5pdjd.exe  39
PID 2532 wrote to memory of 1564  2532  dpjjv.exe  40
PID 1564 wrote to memory of 2316  1564  nhbhtt.exe  41
PID 2316 wrote to memory of 2616  2316  fxllxfl.exe  42
PID 2616 wrote to memory of 2868  2616  hthttn.exe  43
PID 2868 wrote to memory of 584  2868  3nhbnh.exe  44
PID 584 wrote to memory of 1828  584  hhnnbh.exe  45
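Every row above records a parent writing into the child it has just spawned, and the Executes dropped EXE table lists the same PID under two different images four times (2876, 2532, 1564 and 2868), which means the earlier process had already exited and Windows recycled its PID. The script below is an added example, not part of the report and not the sandbox's own code: it parses both tables as the report prints them, collapses the repeated write events into parent-to-child edges, walks the chain from the submitted sample's PID, and lists PIDs attributed to more than one image so that a timeline built from this report is not keyed on PID alone. The Executes dropped EXE rows are copied in full; of the WriteProcessMemory rows only the first four links are embedded. The regexes and function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# "Executes dropped EXE" table copied from the report: 64 (pid, Process) pairs.
DROPPED_EXE = """2656 nhbbbb.exe 2812 lxxfxlx.exe 2108 vdjvp.exe 2876 xlrfrfl.exe 2592 5bnbhh.exe
1004 tnhttb.exe 1808 rllxxfr.exe 1748 hbnbnn.exe 2188 5pdjd.exe 2532 dpjjv.exe 1564 nhbhtt.exe
2316 fxllxfl.exe 2616 hthttn.exe 2868 3nhbnh.exe 584 hhnnbh.exe 1828 bthnhn.exe 576 pdppd.exe
2016 hbtbhh.exe 2920 dpdjv.exe 2232 jvjjp.exe 2956 bbbhbt.exe 1312 ttnbnt.exe 2500 jjddj.exe
568 bbnbnn.exe 2916 rxllffx.exe 1996 fffrlfr.exe 616 bbntbb.exe 2444 dpdjv.exe 1216 vjppj.exe
2940 btnnbh.exe 1016 hhtbtb.exe 548 nhbbhh.exe 2064 nnbbhn.exe 2788 tthnht.exe 2908 nbhhbt.exe
2820 7jdpd.exe 2572 jdvjv.exe 3016 7pdjd.exe 2876 3pvjd.exe 1516 pjdjp.exe 3020 5pddj.exe
2872 bbhhbt.exe 1692 1hbtnb.exe 1868 fxrfxlx.exe 2288 xrlrxfr.exe 1840 pddpd.exe 2532 ddpvd.exe
1564 jpjpv.exe 2088 5pjvj.exe 2848 hbhntt.exe 1072 7nhnhn.exe 2868 fffxflx.exe 600 pjdpv.exe
1960 djvvp.exe 2196 5vdpj.exe 1168 bnnbbn.exe 2764 tnbtnh.exe 2216 xfrrxxx.exe 2968 jdvdp.exe
1972 ddvpd.exe 1100 tttnht.exe 1376 bbtbtb.exe 960 xrflxrf.exe 2432 dvppd.exe"""

# First four links of the "Suspicious use of WriteProcessMemory" table, copied
# from the report; the sandbox records four write events per spawned child.
WPM_LINES = """
PID 2640 wrote to memory of 2656 2640 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe 30
PID 2640 wrote to memory of 2656 2640 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe 30
PID 2640 wrote to memory of 2656 2640 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe 30
PID 2640 wrote to memory of 2656 2640 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe 30
PID 2656 wrote to memory of 2812 2656 nhbbbb.exe 31
PID 2656 wrote to memory of 2812 2656 nhbbbb.exe 31
PID 2656 wrote to memory of 2812 2656 nhbbbb.exe 31
PID 2656 wrote to memory of 2812 2656 nhbbbb.exe 31
PID 2812 wrote to memory of 2108 2812 lxxfxlx.exe 32
PID 2812 wrote to memory of 2108 2812 lxxfxlx.exe 32
PID 2812 wrote to memory of 2108 2812 lxxfxlx.exe 32
PID 2812 wrote to memory of 2108 2812 lxxfxlx.exe 32
PID 2108 wrote to memory of 2876 2108 vdjvp.exe 33
PID 2108 wrote to memory of 2876 2108 vdjvp.exe 33
PID 2108 wrote to memory of 2876 2108 vdjvp.exe 33
PID 2108 wrote to memory of 2876 2108 vdjvp.exe 33
"""

DROP_RE = re.compile(r"(\d+) (\S+\.exe)")
# Columns: description ("PID <src> wrote to memory of <dst>"), pid, Process, procid_target
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_dropped(text):
    """(pid, image) pairs in the order the report lists them."""
    return [(int(pid), image) for pid, image in DROP_RE.findall(text)]


def reused_pids(rows):
    """PIDs the report attributes to more than one dropped image.

    A Windows PID is only handed out again after the process holding it has
    exited, so a repeated PID means two distinct processes; anything keyed on
    PID alone (a dict, a join against another table) would merge them.
    """
    images = defaultdict(list)
    for pid, image in rows:
        images[pid].append(image)
    return {pid: imgs for pid, imgs in images.items() if len(imgs) > 1}


def parse_wpm(text):
    """Count write events per (parent_pid, child_pid, parent_image) edge."""
    edges = Counter()
    for src, dst, pid, image, _target in WPM_RE.findall(text):
        if src != pid:          # description and pid column disagree: skip the row
            continue
        edges[(int(src), int(dst), image)] += 1
    return edges


def process_chain(edges, root):
    """Longest parent-to-child path starting at root, as a list of PIDs."""
    children = defaultdict(list)
    for src, dst, _image in edges:
        children[src].append(dst)
    best = [root]

    def walk(pid, path, seen):
        nonlocal best
        if len(path) > len(best):
            best = path
        for child in children.get(pid, []):
            if child not in seen:   # a recycled PID could otherwise form a cycle
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return best


if __name__ == "__main__":
    rows = parse_dropped(DROPPED_EXE)
    print(f"{len(rows)} dropped-EXE rows; reused PIDs: {reused_pids(rows)}")
    edges = parse_wpm(WPM_LINES)
    print(f"{sum(edges.values())} write events over {len(edges)} edges")
    print("chain from 2640:", " -> ".join(map(str, process_chain(edges, 2640))))
```

With the full 64 WriteProcessMemory rows pasted into WPM_LINES the chain runs from 2640 through to 1828, matching the first seventeen entries of the process tree below.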
Processes
depth⤵ path  command line  PID  [signatures]
1⤵ C:\Users\Admin\AppData\Local\Temp\42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe  "C:\Users\Admin\AppData\Local\Temp\42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe"  PID:2640  [Suspicious use of WriteProcessMemory]
2⤵ \??\c:\nhbbbb.exe  c:\nhbbbb.exe  PID:2656  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3⤵ \??\c:\lxxfxlx.exe  c:\lxxfxlx.exe  PID:2812  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4⤵ \??\c:\vdjvp.exe  c:\vdjvp.exe  PID:2108  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5⤵ \??\c:\xlrfrfl.exe  c:\xlrfrfl.exe  PID:2876  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6⤵ \??\c:\5bnbhh.exe  c:\5bnbhh.exe  PID:2592  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7⤵ \??\c:\tnhttb.exe  c:\tnhttb.exe  PID:1004  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8⤵ \??\c:\rllxxfr.exe  c:\rllxxfr.exe  PID:1808  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9⤵ \??\c:\hbnbnn.exe  c:\hbnbnn.exe  PID:1748  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10⤵ \??\c:\5pdjd.exe  c:\5pdjd.exe  PID:2188  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11⤵ \??\c:\dpjjv.exe  c:\dpjjv.exe  PID:2532  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12⤵ \??\c:\nhbhtt.exe  c:\nhbhtt.exe  PID:1564  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13⤵ \??\c:\fxllxfl.exe  c:\fxllxfl.exe  PID:2316  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14⤵ \??\c:\hthttn.exe  c:\hthttn.exe  PID:2616  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15⤵ \??\c:\3nhbnh.exe  c:\3nhbnh.exe  PID:2868  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16⤵ \??\c:\hhnnbh.exe  c:\hhnnbh.exe  PID:584  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17⤵ \??\c:\bthnhn.exe  c:\bthnhn.exe  PID:1828  [Executes dropped EXE]
18⤵ \??\c:\pdppd.exe  c:\pdppd.exe  PID:576  [Executes dropped EXE]
19⤵ \??\c:\hbtbhh.exe  c:\hbtbhh.exe  PID:2016  [Executes dropped EXE]
20⤵ \??\c:\dpdjv.exe  c:\dpdjv.exe  PID:2920  [Executes dropped EXE; System Location Discovery: System Language Discovery]
21⤵ \??\c:\jvjjp.exe  c:\jvjjp.exe  PID:2232  [Executes dropped EXE]
22⤵ \??\c:\bbbhbt.exe  c:\bbbhbt.exe  PID:2956  [Executes dropped EXE]
23⤵ \??\c:\ttnbnt.exe  c:\ttnbnt.exe  PID:1312  [Executes dropped EXE]
24⤵ \??\c:\jjddj.exe  c:\jjddj.exe  PID:2500  [Executes dropped EXE]
25⤵ \??\c:\bbnbnn.exe  c:\bbnbnn.exe  PID:568  [Executes dropped EXE]
26⤵ \??\c:\rxllffx.exe  c:\rxllffx.exe  PID:2916  [Executes dropped EXE]
27⤵ \??\c:\fffrlfr.exe  c:\fffrlfr.exe  PID:1996  [Executes dropped EXE]
28⤵ \??\c:\bbntbb.exe  c:\bbntbb.exe  PID:616  [Executes dropped EXE]
29⤵ \??\c:\dpdjv.exe  c:\dpdjv.exe  PID:2444  [Executes dropped EXE]
30⤵ \??\c:\vjppj.exe  c:\vjppj.exe  PID:1216  [Executes dropped EXE]
31⤵ \??\c:\btnnbh.exe  c:\btnnbh.exe  PID:2940  [Executes dropped EXE]
32⤵ \??\c:\hhtbtb.exe  c:\hhtbtb.exe  PID:1016  [Executes dropped EXE]
33⤵ \??\c:\nhbbhh.exe  c:\nhbbhh.exe  PID:548  [Executes dropped EXE]
34⤵ \??\c:\nnbbhn.exe  c:\nnbbhn.exe  PID:2064  [Executes dropped EXE]
35⤵ \??\c:\5vpdv.exe  c:\5vpdv.exe  PID:3060
36⤵ \??\c:\tthnht.exe  c:\tthnht.exe  PID:2788  [Executes dropped EXE]
37⤵ \??\c:\nbhhbt.exe  c:\nbhhbt.exe  PID:2908  [Executes dropped EXE]
38⤵ \??\c:\7jdpd.exe  c:\7jdpd.exe  PID:2820  [Executes dropped EXE]
39⤵ \??\c:\jdvjv.exe  c:\jdvjv.exe  PID:2572  [Executes dropped EXE]
40⤵ \??\c:\7pdjd.exe  c:\7pdjd.exe  PID:3016  [Executes dropped EXE; System Location Discovery: System Language Discovery]
41⤵ \??\c:\3pvjd.exe  c:\3pvjd.exe  PID:2876  [Executes dropped EXE]
42⤵ \??\c:\pjdjp.exe  c:\pjdjp.exe  PID:1516  [Executes dropped EXE]
43⤵ \??\c:\5pddj.exe  c:\5pddj.exe  PID:3020  [Executes dropped EXE]
44⤵ \??\c:\bbhhbt.exe  c:\bbhhbt.exe  PID:2872  [Executes dropped EXE]
45⤵ \??\c:\1hbtnb.exe  c:\1hbtnb.exe  PID:1692  [Executes dropped EXE]
46⤵ \??\c:\fxrfxlx.exe  c:\fxrfxlx.exe  PID:1868  [Executes dropped EXE]
47⤵ \??\c:\xrlrxfr.exe  c:\xrlrxfr.exe  PID:2288  [Executes dropped EXE]
48⤵ \??\c:\pddpd.exe  c:\pddpd.exe  PID:1840  [Executes dropped EXE]
49⤵ \??\c:\ddpvd.exe  c:\ddpvd.exe  PID:2532  [Executes dropped EXE]
50⤵ \??\c:\jpjpv.exe  c:\jpjpv.exe  PID:1564  [Executes dropped EXE]
51⤵ \??\c:\5pjvj.exe  c:\5pjvj.exe  PID:2088  [Executes dropped EXE]
52⤵ \??\c:\hbhntt.exe  c:\hbhntt.exe  PID:2848  [Executes dropped EXE]
53⤵ \??\c:\7nhnhn.exe  c:\7nhnhn.exe  PID:1072  [Executes dropped EXE; System Location Discovery: System Language Discovery]
54⤵ \??\c:\fffxflx.exe  c:\fffxflx.exe  PID:2868  [Executes dropped EXE; System Location Discovery: System Language Discovery]
55⤵ \??\c:\pjdpv.exe  c:\pjdpv.exe  PID:600  [Executes dropped EXE]
56⤵ \??\c:\djvvp.exe  c:\djvvp.exe  PID:1960  [Executes dropped EXE]
57⤵ \??\c:\5vdpj.exe  c:\5vdpj.exe  PID:2196  [Executes dropped EXE]
58⤵ \??\c:\bnnbbn.exe  c:\bnnbbn.exe  PID:1168  [Executes dropped EXE]
59⤵ \??\c:\tnbtnh.exe  c:\tnbtnh.exe  PID:2764  [Executes dropped EXE]
60⤵ \??\c:\xfrrxxx.exe  c:\xfrrxxx.exe  PID:2216  [Executes dropped EXE]
61⤵ \??\c:\jdvdp.exe  c:\jdvdp.exe  PID:2968  [Executes dropped EXE]
62⤵ \??\c:\ddvpd.exe  c:\ddvpd.exe  PID:1972  [Executes dropped EXE]
63⤵ \??\c:\tttnht.exe  c:\tttnht.exe  PID:1100  [Executes dropped EXE]
64⤵ \??\c:\bbtbtb.exe  c:\bbtbtb.exe  PID:1376  [Executes dropped EXE; System Location Discovery: System Language Discovery]
65⤵ \??\c:\xrflxrf.exe  c:\xrflxrf.exe  PID:960  [Executes dropped EXE]
66⤵ \??\c:\dvppd.exe  c:\dvppd.exe  PID:2432  [Executes dropped EXE]
67⤵ \??\c:\pvjpv.exe  c:\pvjpv.exe  PID:1540
68⤵ \??\c:\1dddp.exe  c:\1dddp.exe  PID:1240
69⤵ \??\c:\vvpvd.exe  c:\vvpvd.exe  PID:1728
70⤵ \??\c:\nhnnth.exe  c:\nhnnth.exe  PID:2092
71⤵ \??\c:\ttnbnb.exe  c:\ttnbnb.exe  PID:2252
72⤵ \??\c:\frxfrxf.exe  c:\frxfrxf.exe  PID:376
73⤵ \??\c:\xrfxrfl.exe  c:\xrfxrfl.exe  PID:564
74⤵ \??\c:\1vddp.exe  c:\1vddp.exe  PID:2448
75⤵ \??\c:\nhbbtb.exe  c:\nhbbtb.exe  PID:2436  [System Location Discovery: System Language Discovery]
76⤵ \??\c:\7thhnt.exe  c:\7thhnt.exe  PID:1812
77⤵ \??\c:\fxxrxfr.exe  c:\fxxrxfr.exe  PID:1444
78⤵ \??\c:\lrrlxfx.exe  c:\lrrlxfx.exe  PID:1592
79⤵ \??\c:\fffrlxr.exe  c:\fffrlxr.exe  PID:2412
80⤵ \??\c:\pvjpp.exe  c:\pvjpp.exe  PID:2692
81⤵ \??\c:\vpvdj.exe  c:\vpvdj.exe  PID:2676
82⤵ \??\c:\jjdjp.exe  c:\jjdjp.exe  PID:2812
83⤵ \??\c:\9nhtbn.exe  c:\9nhtbn.exe  PID:2568
84⤵ \??\c:\7rlrlrr.exe  c:\7rlrlrr.exe  PID:2716
85⤵ \??\c:\1rffxfl.exe  c:\1rffxfl.exe  PID:2548
86⤵ \??\c:\dpdpp.exe  c:\dpdpp.exe  PID:2876
87⤵ \??\c:\pjdpd.exe  c:\pjdpd.exe  PID:2992
88⤵ \??\c:\btntbh.exe  c:\btntbh.exe  PID:1716
89⤵ \??\c:\rrxlrrx.exe  c:\rrxlrrx.exe  PID:2584
90⤵ \??\c:\xflflrr.exe  c:\xflflrr.exe  PID:1080
91⤵ \??\c:\vvjjp.exe  c:\vvjjp.exe  PID:1748
92⤵ \??\c:\ddppj.exe  c:\ddppj.exe  PID:2240
93⤵ \??\c:\hthnth.exe  c:\hthnth.exe  PID:1872  [System Location Discovery: System Language Discovery]
94⤵ \??\c:\xrrfxfr.exe  c:\xrrfxfr.exe  PID:2028
95⤵ \??\c:\rrrxflx.exe  c:\rrrxflx.exe  PID:1308
96⤵ \??\c:\dvpdp.exe  c:\dvpdp.exe  PID:1664
97⤵ \??\c:\5hthht.exe  c:\5hthht.exe  PID:3008
98⤵ \??\c:\1bbthb.exe  c:\1bbthb.exe  PID:2852
99⤵ \??\c:\nhbbnn.exe  c:\nhbbnn.exe  PID:1372
100⤵ \??\c:\frrrxfr.exe  c:\frrrxfr.exe  PID:112
101⤵ \??\c:\xrxlxlx.exe  c:\xrxlxlx.exe  PID:2528
102⤵ \??\c:\vvjvj.exe  c:\vvjvj.exe  PID:2096
103⤵ \??\c:\pvjjp.exe  c:\pvjjp.exe  PID:2924
104⤵ \??\c:\5hntbh.exe  c:\5hntbh.exe  PID:1656
105⤵ \??\c:\nhhtbb.exe  c:\nhhtbb.exe  PID:2424
106⤵ \??\c:\9xrrlll.exe  c:\9xrrlll.exe  PID:2216
107⤵ \??\c:\3pvvj.exe  c:\3pvvj.exe  PID:2968
108⤵ \??\c:\pddjj.exe  c:\pddjj.exe  PID:944
109⤵ \??\c:\hbntbh.exe  c:\hbntbh.exe  PID:1100
110⤵ \??\c:\5frxlrl.exe  c:\5frxlrl.exe  PID:1268
111⤵ \??\c:\vpjjv.exe  c:\vpjjv.exe  PID:1644
112⤵ \??\c:\vpdvp.exe  c:\vpdvp.exe  PID:2432
113⤵ \??\c:\nnthtb.exe  c:\nnthtb.exe  PID:1980
114⤵ \??\c:\nbbbbh.exe  c:\nbbbbh.exe  PID:1792
115⤵ \??\c:\fxxxllr.exe  c:\fxxxllr.exe  PID:1728
116⤵ \??\c:\3dvdp.exe  c:\3dvdp.exe  PID:2320
117⤵ \??\c:\7dvvj.exe  c:\7dvvj.exe  PID:1756
118⤵ \??\c:\7hhtbb.exe  c:\7hhtbb.exe  PID:1940
119⤵ \??\c:\xrrrflr.exe  c:\xrrrflr.exe  PID:2340
120⤵ \??\c:\rrxxflr.exe  c:\rrxxflr.exe  PID:2124
121⤵ \??\c:\1vpvj.exe  c:\1vpvj.exe  PID:2436
122⤵ \??\c:\7bbbnt.exe  c:\7bbbnt.exe  PID:1812