Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-11-2024 11:37
Behavioral task
behavioral1
Sample
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe
Resource
win7-20240903-en
General
-
Target
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe
-
Size
86KB
-
MD5
299858b8db7ae1ab751673b4953185ac
-
SHA1
8630935ba7c234df2fbd6c458e16e25973cd2ad7
-
SHA256
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd
-
SHA512
d5fc972c2907dae8265aea95887d0747350a2f9367d6169043c8871aa671bf181e4aa3b2998a3b4ad7e311ac0961612c027df0a5cb1c9374dd3b5dfb8e3c4d8d
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADSNVQfKPgqA22GU:9hOmTsF93UYfwC6GIoutyaVszyKd+XYg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (memory-dump hits are keyed as `behavioral2/memory/<pid>-<ordinal>-<range>`; PIDs are reused during this run — e.g. 324 is the original sample and later dvjdv.exe and 1tthbb.exe — so match dumps on the full `pid-ordinal` key rather than on PID alone)
Processes:
resource yara_rule behavioral2/memory/324-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4160-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2660-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1892-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/792-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/528-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1612-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3176-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4180-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1208-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1992-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1756-508-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-539-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-624-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-659-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-680-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/700-783-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-856-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-896-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1752-906-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
nhbtnh.exe3bnhtt.exepvppj.exexxrlxrl.exelfxrfff.exettnhbt.exetttnbt.exe3pvjv.exedvvpj.exelflxlfx.exefflfxxr.exebttnbh.exettnbnh.exedpdvj.exejjjvp.exerlrflfx.exe1rlfrff.exe3nhthb.exenhbtbb.exe5ddvp.exedddjp.exeppvvp.exe9ffrffr.exe3xlrflx.exebbnhtn.exehnbtbt.exevjdpd.exejdpdj.exexrrxllf.exerxlxlrl.exelxxrlfx.exe9bhtnh.exepjjdj.exevjjdp.exejjvpp.exexrrrlll.exe1hbthh.exenhnhbt.exe7vdvj.exepvdvp.exefffxllf.exefxrlffx.exebtnnbt.exenhbbtt.exevppjv.exedjvjd.exe1rlfrrl.exerlrllxl.exebbbbth.exe9hbhbh.exedvjdv.exerxrfxrf.exelffrlrf.exe3tnhbb.exeddvpd.exejvjvj.exe9xfrrlx.exe5lfxrrl.exetttttn.exejpdjd.exelflfxxr.exetnbtnt.exenhbbtn.exeddvjj.exepid Process 3836 nhbtnh.exe 3176 3bnhtt.exe 3600 pvppj.exe 224 xxrlxrl.exe 1612 lfxrfff.exe 2472 ttnhbt.exe 3528 tttnbt.exe 4520 3pvjv.exe 4484 dvvpj.exe 528 lflxlfx.exe 2284 fflfxxr.exe 792 bttnbh.exe 5032 ttnbnh.exe 540 dpdvj.exe 1892 jjjvp.exe 2060 rlrflfx.exe 3092 1rlfrff.exe 2660 3nhthb.exe 2564 nhbtbb.exe 1476 5ddvp.exe 732 dddjp.exe 4316 ppvvp.exe 972 9ffrffr.exe 1948 3xlrflx.exe 1304 bbnhtn.exe 1952 hnbtbt.exe 5040 vjdpd.exe 3660 jdpdj.exe 4432 xrrxllf.exe 1424 rxlxlrl.exe 2076 lxxrlfx.exe 3516 9bhtnh.exe 4580 pjjdj.exe 4160 vjjdp.exe 4592 jjvpp.exe 4600 xrrrlll.exe 3688 1hbthh.exe 4180 nhnhbt.exe 5108 7vdvj.exe 4880 pvdvp.exe 4452 fffxllf.exe 2420 fxrlffx.exe 3824 btnnbt.exe 2904 nhbbtt.exe 2960 vppjv.exe 4944 djvjd.exe 1192 1rlfrrl.exe 4868 rlrllxl.exe 4336 bbbbth.exe 2056 9hbhbh.exe 324 dvjdv.exe 3988 rxrfxrf.exe 1208 lffrlrf.exe 3488 3tnhbb.exe 2628 ddvpd.exe 3968 jvjvj.exe 1728 9xfrrlx.exe 5048 5lfxrrl.exe 3536 tttttn.exe 4424 jpdjd.exe 4564 lflfxxr.exe 3980 tnbtnt.exe 8 nhbbtn.exe 5076 ddvjj.exe -
Processes:
resource yara_rule behavioral2/memory/324-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3836-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/324-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b30-5.dat upx behavioral2/files/0x000d000000023b85-13.dat upx behavioral2/files/0x000a000000023b8e-18.dat upx behavioral2/files/0x000a000000023b90-30.dat upx behavioral2/memory/224-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2472-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-48.dat upx behavioral2/files/0x000a000000023b95-59.dat upx behavioral2/files/0x000a000000023b96-65.dat upx behavioral2/memory/2284-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-85.dat upx behavioral2/files/0x000a000000023b9b-94.dat upx behavioral2/files/0x000a000000023b9c-100.dat upx behavioral2/files/0x000a000000023b9e-111.dat upx behavioral2/files/0x000a000000023ba0-122.dat upx behavioral2/files/0x000a000000023ba1-128.dat upx behavioral2/files/0x000a000000023ba3-139.dat upx behavioral2/files/0x000a000000023ba4-142.dat upx behavioral2/files/0x000a000000023ba7-160.dat upx behavioral2/files/0x000a000000023ba6-155.dat upx behavioral2/memory/4432-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bab-182.dat upx behavioral2/memory/2076-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4160-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023baa-176.dat upx behavioral2/files/0x000b000000023ba9-170.dat upx behavioral2/files/0x000a000000023ba8-165.dat upx behavioral2/files/0x000a000000023ba5-150.dat upx behavioral2/memory/1948-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4592-196-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/972-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba2-133.dat upx behavioral2/memory/732-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1476-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9f-116.dat upx behavioral2/memory/2660-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-105.dat upx behavioral2/memory/2060-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1892-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/540-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-82.dat upx behavioral2/files/0x000a000000023b98-77.dat upx behavioral2/memory/792-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-70.dat upx behavioral2/memory/4600-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/528-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-54.dat upx behavioral2/memory/4520-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3528-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-42.dat upx behavioral2/files/0x000a000000023b91-36.dat upx behavioral2/memory/1612-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-24.dat upx behavioral2/memory/3600-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3176-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3836-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4180-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3688-204-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5108-212-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4452-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4880-216-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location; here this is observed as repeated opens of the `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` key by the dropped executables listed below.
Processes:
vvppd.exebtbntb.exenbbthb.exedvddp.exe7dvpp.exedjvdd.exeflfrfrf.exeththbb.exexrllffx.exebhhbnn.exexrrlllf.exepjpvv.exelxxrrrl.exenbbbbb.exexrrlrxx.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlrxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exenhbtnh.exe3bnhtt.exepvppj.exexxrlxrl.exelfxrfff.exettnhbt.exetttnbt.exe3pvjv.exedvvpj.exelflxlfx.exefflfxxr.exebttnbh.exettnbnh.exedpdvj.exejjjvp.exerlrflfx.exe1rlfrff.exe3nhthb.exenhbtbb.exe5ddvp.exedddjp.exedescription pid Process procid_target PID 324 wrote to memory of 3836 324 e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe 82 PID 324 wrote to memory of 3836 324 e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe 82 PID 324 wrote to memory of 3836 324 e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe 82 PID 3836 wrote to memory of 3176 3836 nhbtnh.exe 83 PID 3836 wrote to memory of 3176 3836 nhbtnh.exe 83 PID 3836 wrote to memory of 3176 3836 nhbtnh.exe 83 PID 3176 wrote to memory of 3600 3176 3bnhtt.exe 84 PID 3176 wrote to memory of 3600 3176 3bnhtt.exe 84 PID 3176 wrote to memory of 3600 3176 3bnhtt.exe 84 PID 3600 wrote to memory of 224 3600 pvppj.exe 85 PID 3600 wrote to memory of 224 3600 pvppj.exe 85 PID 3600 wrote to memory of 224 3600 pvppj.exe 85 PID 224 wrote to memory of 1612 224 xxrlxrl.exe 86 PID 224 wrote to memory of 1612 224 xxrlxrl.exe 86 PID 224 wrote to memory of 1612 224 xxrlxrl.exe 86 PID 1612 wrote to memory of 2472 1612 lfxrfff.exe 87 PID 1612 wrote to memory of 2472 1612 lfxrfff.exe 87 PID 1612 wrote to memory of 2472 1612 lfxrfff.exe 87 PID 2472 wrote to memory of 3528 2472 ttnhbt.exe 88 PID 2472 wrote to memory of 3528 2472 ttnhbt.exe 88 PID 2472 wrote to memory of 3528 2472 ttnhbt.exe 88 PID 3528 wrote to memory of 4520 3528 tttnbt.exe 89 PID 3528 wrote to memory of 4520 3528 tttnbt.exe 89 PID 3528 wrote to memory of 4520 3528 tttnbt.exe 89 PID 4520 wrote to memory of 4484 4520 3pvjv.exe 90 PID 4520 wrote to memory of 4484 4520 3pvjv.exe 90 PID 4520 wrote to memory of 4484 4520 3pvjv.exe 90 PID 4484 wrote to memory of 528 4484 dvvpj.exe 91 PID 4484 wrote to memory of 528 4484 dvvpj.exe 91 PID 4484 wrote to 
memory of 528 4484 dvvpj.exe 91 PID 528 wrote to memory of 2284 528 lflxlfx.exe 92 PID 528 wrote to memory of 2284 528 lflxlfx.exe 92 PID 528 wrote to memory of 2284 528 lflxlfx.exe 92 PID 2284 wrote to memory of 792 2284 fflfxxr.exe 93 PID 2284 wrote to memory of 792 2284 fflfxxr.exe 93 PID 2284 wrote to memory of 792 2284 fflfxxr.exe 93 PID 792 wrote to memory of 5032 792 bttnbh.exe 94 PID 792 wrote to memory of 5032 792 bttnbh.exe 94 PID 792 wrote to memory of 5032 792 bttnbh.exe 94 PID 5032 wrote to memory of 540 5032 ttnbnh.exe 95 PID 5032 wrote to memory of 540 5032 ttnbnh.exe 95 PID 5032 wrote to memory of 540 5032 ttnbnh.exe 95 PID 540 wrote to memory of 1892 540 dpdvj.exe 96 PID 540 wrote to memory of 1892 540 dpdvj.exe 96 PID 540 wrote to memory of 1892 540 dpdvj.exe 96 PID 1892 wrote to memory of 2060 1892 jjjvp.exe 97 PID 1892 wrote to memory of 2060 1892 jjjvp.exe 97 PID 1892 wrote to memory of 2060 1892 jjjvp.exe 97 PID 2060 wrote to memory of 3092 2060 rlrflfx.exe 98 PID 2060 wrote to memory of 3092 2060 rlrflfx.exe 98 PID 2060 wrote to memory of 3092 2060 rlrflfx.exe 98 PID 3092 wrote to memory of 2660 3092 1rlfrff.exe 99 PID 3092 wrote to memory of 2660 3092 1rlfrff.exe 99 PID 3092 wrote to memory of 2660 3092 1rlfrff.exe 99 PID 2660 wrote to memory of 2564 2660 3nhthb.exe 100 PID 2660 wrote to memory of 2564 2660 3nhthb.exe 100 PID 2660 wrote to memory of 2564 2660 3nhthb.exe 100 PID 2564 wrote to memory of 1476 2564 nhbtbb.exe 101 PID 2564 wrote to memory of 1476 2564 nhbtbb.exe 101 PID 2564 wrote to memory of 1476 2564 nhbtbb.exe 101 PID 1476 wrote to memory of 732 1476 5ddvp.exe 102 PID 1476 wrote to memory of 732 1476 5ddvp.exe 102 PID 1476 wrote to memory of 732 1476 5ddvp.exe 102 PID 732 wrote to memory of 4316 732 dddjp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\nhbtnh.exec:\nhbtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\3bnhtt.exec:\3bnhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\pvppj.exec:\pvppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\xxrlxrl.exec:\xxrlxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\lfxrfff.exec:\lfxrfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\ttnhbt.exec:\ttnhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\tttnbt.exec:\tttnbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\3pvjv.exec:\3pvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\dvvpj.exec:\dvvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\lflxlfx.exec:\lflxlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\fflfxxr.exec:\fflfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\bttnbh.exec:\bttnbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\ttnbnh.exec:\ttnbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\dpdvj.exec:\dpdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\jjjvp.exec:\jjjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\rlrflfx.exec:\rlrflfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\1rlfrff.exec:\1rlfrff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\3nhthb.exec:\3nhthb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\nhbtbb.exec:\nhbtbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\5ddvp.exec:\5ddvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\dddjp.exec:\dddjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\ppvvp.exec:\ppvvp.exe23⤵
- Executes dropped EXE
PID:4316 -
\??\c:\9ffrffr.exec:\9ffrffr.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\3xlrflx.exec:\3xlrflx.exe25⤵
- Executes dropped EXE
PID:1948 -
\??\c:\bbnhtn.exec:\bbnhtn.exe26⤵
- Executes dropped EXE
PID:1304 -
\??\c:\hnbtbt.exec:\hnbtbt.exe27⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vjdpd.exec:\vjdpd.exe28⤵
- Executes dropped EXE
PID:5040 -
\??\c:\jdpdj.exec:\jdpdj.exe29⤵
- Executes dropped EXE
PID:3660 -
\??\c:\xrrxllf.exec:\xrrxllf.exe30⤵
- Executes dropped EXE
PID:4432 -
\??\c:\rxlxlrl.exec:\rxlxlrl.exe31⤵
- Executes dropped EXE
PID:1424 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe32⤵
- Executes dropped EXE
PID:2076 -
\??\c:\9bhtnh.exec:\9bhtnh.exe33⤵
- Executes dropped EXE
PID:3516 -
\??\c:\pjjdj.exec:\pjjdj.exe34⤵
- Executes dropped EXE
PID:4580 -
\??\c:\vjjdp.exec:\vjjdp.exe35⤵
- Executes dropped EXE
PID:4160 -
\??\c:\jjvpp.exec:\jjvpp.exe36⤵
- Executes dropped EXE
PID:4592 -
\??\c:\xrrrlll.exec:\xrrrlll.exe37⤵
- Executes dropped EXE
PID:4600 -
\??\c:\1hbthh.exec:\1hbthh.exe38⤵
- Executes dropped EXE
PID:3688 -
\??\c:\nhnhbt.exec:\nhnhbt.exe39⤵
- Executes dropped EXE
PID:4180 -
\??\c:\7vdvj.exec:\7vdvj.exe40⤵
- Executes dropped EXE
PID:5108 -
\??\c:\pvdvp.exec:\pvdvp.exe41⤵
- Executes dropped EXE
PID:4880 -
\??\c:\fffxllf.exec:\fffxllf.exe42⤵
- Executes dropped EXE
PID:4452 -
\??\c:\fxrlffx.exec:\fxrlffx.exe43⤵
- Executes dropped EXE
PID:2420 -
\??\c:\btnnbt.exec:\btnnbt.exe44⤵
- Executes dropped EXE
PID:3824 -
\??\c:\nhbbtt.exec:\nhbbtt.exe45⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vppjv.exec:\vppjv.exe46⤵
- Executes dropped EXE
PID:2960 -
\??\c:\djvjd.exec:\djvjd.exe47⤵
- Executes dropped EXE
PID:4944 -
\??\c:\1rlfrrl.exec:\1rlfrrl.exe48⤵
- Executes dropped EXE
PID:1192 -
\??\c:\rlrllxl.exec:\rlrllxl.exe49⤵
- Executes dropped EXE
PID:4868 -
\??\c:\bbbbth.exec:\bbbbth.exe50⤵
- Executes dropped EXE
PID:4336 -
\??\c:\9hbhbh.exec:\9hbhbh.exe51⤵
- Executes dropped EXE
PID:2056 -
\??\c:\dvjdv.exec:\dvjdv.exe52⤵
- Executes dropped EXE
PID:324 -
\??\c:\rxrfxrf.exec:\rxrfxrf.exe53⤵
- Executes dropped EXE
PID:3988 -
\??\c:\lffrlrf.exec:\lffrlrf.exe54⤵
- Executes dropped EXE
PID:1208 -
\??\c:\3tnhbb.exec:\3tnhbb.exe55⤵
- Executes dropped EXE
PID:3488 -
\??\c:\ddvpd.exec:\ddvpd.exe56⤵
- Executes dropped EXE
PID:2628 -
\??\c:\jvjvj.exec:\jvjvj.exe57⤵
- Executes dropped EXE
PID:3968 -
\??\c:\9xfrrlx.exec:\9xfrrlx.exe58⤵
- Executes dropped EXE
PID:1728 -
\??\c:\5lfxrrl.exec:\5lfxrrl.exe59⤵
- Executes dropped EXE
PID:5048 -
\??\c:\tttttn.exec:\tttttn.exe60⤵
- Executes dropped EXE
PID:3536 -
\??\c:\jpdjd.exec:\jpdjd.exe61⤵
- Executes dropped EXE
PID:4424 -
\??\c:\lflfxxr.exec:\lflfxxr.exe62⤵
- Executes dropped EXE
PID:4564 -
\??\c:\tnbtnt.exec:\tnbtnt.exe63⤵
- Executes dropped EXE
PID:3980 -
\??\c:\nhbbtn.exec:\nhbbtn.exe64⤵
- Executes dropped EXE
PID:8 -
\??\c:\ddvjj.exec:\ddvjj.exe65⤵
- Executes dropped EXE
PID:5076 -
\??\c:\lxlllfx.exec:\lxlllfx.exe66⤵PID:4856
-
\??\c:\xrflffl.exec:\xrflffl.exe67⤵PID:1188
-
\??\c:\tnttbb.exec:\tnttbb.exe68⤵PID:3616
-
\??\c:\htbtnn.exec:\htbtnn.exe69⤵PID:1884
-
\??\c:\pddvp.exec:\pddvp.exe70⤵PID:1892
-
\??\c:\dvddd.exec:\dvddd.exe71⤵PID:1992
-
\??\c:\7fxrllf.exec:\7fxrllf.exe72⤵PID:2780
-
\??\c:\tbhbhh.exec:\tbhbhh.exe73⤵PID:2060
-
\??\c:\5tbtnn.exec:\5tbtnn.exe74⤵PID:1808
-
\??\c:\vdpjd.exec:\vdpjd.exe75⤵PID:1552
-
\??\c:\jppjd.exec:\jppjd.exe76⤵PID:3732
-
\??\c:\3xfxlfx.exec:\3xfxlfx.exe77⤵PID:4444
-
\??\c:\thnnhn.exec:\thnnhn.exe78⤵PID:1476
-
\??\c:\fxrlfff.exec:\fxrlfff.exe79⤵PID:2344
-
\??\c:\ntttnh.exec:\ntttnh.exe80⤵PID:860
-
\??\c:\djppd.exec:\djppd.exe81⤵PID:536
-
\??\c:\tthhbb.exec:\tthhbb.exe82⤵PID:388
-
\??\c:\lffxrxr.exec:\lffxrxr.exe83⤵PID:1948
-
\??\c:\7nnnhn.exec:\7nnnhn.exe84⤵PID:880
-
\??\c:\ffrrrrr.exec:\ffrrrrr.exe85⤵PID:1160
-
\??\c:\djpjd.exec:\djpjd.exe86⤵PID:2024
-
\??\c:\9fflfff.exec:\9fflfff.exe87⤵PID:4900
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe88⤵PID:3940
-
\??\c:\3pdvj.exec:\3pdvj.exe89⤵PID:3144
-
\??\c:\vvjdd.exec:\vvjdd.exe90⤵PID:2796
-
\??\c:\jdjdd.exec:\jdjdd.exe91⤵PID:2608
-
\??\c:\lffxrrr.exec:\lffxrrr.exe92⤵PID:1184
-
\??\c:\xrffllx.exec:\xrffllx.exe93⤵PID:2140
-
\??\c:\btbhhb.exec:\btbhhb.exe94⤵PID:3648
-
\??\c:\nthbnt.exec:\nthbnt.exe95⤵PID:4156
-
\??\c:\jdddv.exec:\jdddv.exe96⤵PID:4584
-
\??\c:\jvdvj.exec:\jvdvj.exe97⤵PID:2424
-
\??\c:\9lllxxx.exec:\9lllxxx.exe98⤵PID:1204
-
\??\c:\3bhhhb.exec:\3bhhhb.exe99⤵PID:4528
-
\??\c:\7nnhbn.exec:\7nnhbn.exe100⤵PID:4608
-
\??\c:\vpdjj.exec:\vpdjj.exe101⤵PID:1712
-
\??\c:\xrxrxxx.exec:\xrxrxxx.exe102⤵PID:4572
-
\??\c:\hbnntt.exec:\hbnntt.exe103⤵PID:3696
-
\??\c:\hbtnnn.exec:\hbtnnn.exe104⤵PID:4452
-
\??\c:\5jddv.exec:\5jddv.exe105⤵PID:3116
-
\??\c:\ddvjv.exec:\ddvjv.exe106⤵PID:2872
-
\??\c:\5xlrlfx.exec:\5xlrlfx.exe107⤵PID:2904
-
\??\c:\hbnhnn.exec:\hbnhnn.exe108⤵PID:2960
-
\??\c:\thnhbb.exec:\thnhbb.exe109⤵PID:4944
-
\??\c:\1pddp.exec:\1pddp.exe110⤵PID:1192
-
\??\c:\3lffrrr.exec:\3lffrrr.exe111⤵PID:3052
-
\??\c:\9fxxxxx.exec:\9fxxxxx.exe112⤵PID:4980
-
\??\c:\htthnb.exec:\htthnb.exe113⤵PID:804
-
\??\c:\1tthbb.exec:\1tthbb.exe114⤵PID:324
-
\??\c:\vpjdv.exec:\vpjdv.exe115⤵PID:4708
-
\??\c:\5dpjv.exec:\5dpjv.exe116⤵PID:4884
-
\??\c:\rffxrrl.exec:\rffxrrl.exe117⤵PID:4740
-
\??\c:\lxffffx.exec:\lxffffx.exe118⤵PID:1612
-
\??\c:\nhnhbb.exec:\nhnhbb.exe119⤵PID:3620
-
\??\c:\ppjpp.exec:\ppjpp.exe120⤵PID:2472
-
\??\c:\vvppd.exec:\vvppd.exe121⤵
- System Location Discovery: System Language Discovery
PID:884 -
\??\c:\rxfxlll.exec:\rxfxlll.exe122⤵PID:652
-