Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 11:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284dN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284dN.exe
-
Size
454KB
-
MD5
151c15a739ef0ab44161b0e07d51a2b0
-
SHA1
0952993bdbe1fe3065913097f0ece4025441c0d7
-
SHA256
e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284d
-
SHA512
99c2faffa84e381ce134ff03d8fb0183000fd53cc693e2ddc5f2ed46b38df3508742b368f6aec6144d842ba659855f46a2eb74ca94830617631d92ec1e31ae17
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeK:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3416-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4312-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3708-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-846-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-928-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-1056-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1720 nbbnht.exe 208 vpvvv.exe 2380 xxxlfxl.exe 1632 e48204.exe 432 7nbhnb.exe 1860 42060.exe 1512 pvvjd.exe 4752 1hnhbt.exe 4900 xxlxlfx.exe 4156 htbttn.exe 3468 lflflfl.exe 664 o024264.exe 5116 9pppj.exe 3324 htbthb.exe 3272 pjvjd.exe 4904 22884.exe 2432 u842600.exe 5032 jvpdp.exe 1460 ddjdd.exe 3440 64488.exe 984 1pvpj.exe 4740 62608.exe 3544 k06842.exe 4916 5hnbnn.exe 2448 dpjvp.exe 3992 9jjdd.exe 4384 w46000.exe 2624 88042.exe 3940 nnnhhh.exe 1628 20426.exe 3936 bbttnn.exe 4760 ttnhtt.exe 3968 3hbtnn.exe 3744 0822008.exe 3708 288260.exe 5000 4208264.exe 4020 04844.exe 4684 nbtnhb.exe 3340 vjjvj.exe 1548 htnbnh.exe 4392 bnhbnh.exe 2348 9xrlfxr.exe 4360 806044.exe 3464 w28446.exe 3472 6006622.exe 208 jvvvd.exe 2636 bhhhhn.exe 4436 s0604.exe 1028 0664260.exe 460 9nbntn.exe 432 bttnhb.exe 1968 0048820.exe 3588 8648044.exe 3336 2408480.exe 1948 dpjvp.exe 2904 2020888.exe 4064 s8420.exe 3468 pjjvd.exe 1140 jppdp.exe 2696 0020264.exe 4844 7fxlfxr.exe 1156 484642.exe 3260 5fxlxrl.exe 3272 nnhhbb.exe -
resource yara_rule behavioral2/memory/1720-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4312-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3940-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-766-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c686042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w46000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0860826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
bbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2206286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0860606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6260204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q22604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u422266.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3416 wrote to memory of 1720 3416 e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284dN.exe 85 PID 3416 wrote to memory of 1720 3416 e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284dN.exe 85 PID 3416 wrote to memory of 1720 3416 e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284dN.exe 85 PID 1720 wrote to memory of 208 1720 nbbnht.exe 131 PID 1720 wrote to memory of 208 1720 nbbnht.exe 131 PID 1720 wrote to memory of 208 1720 nbbnht.exe 131 PID 208 wrote to memory of 2380 208 vpvvv.exe 87 PID 208 wrote to memory of 2380 208 vpvvv.exe 87 PID 208 wrote to memory of 2380 208 vpvvv.exe 87 PID 2380 wrote to memory of 1632 2380 xxxlfxl.exe 88 PID 2380 wrote to memory of 1632 2380 xxxlfxl.exe 88 PID 2380 wrote to memory of 1632 2380 xxxlfxl.exe 88 PID 1632 wrote to memory of 432 1632 e48204.exe 136 PID 1632 wrote to memory of 432 1632 e48204.exe 136 PID 1632 wrote to memory of 432 1632 e48204.exe 136 PID 432 wrote to memory of 1860 432 7nbhnb.exe 90 PID 432 wrote to memory of 1860 432 7nbhnb.exe 90 PID 432 wrote to memory of 1860 432 7nbhnb.exe 90 PID 1860 wrote to memory of 1512 1860 42060.exe 91 PID 1860 wrote to memory of 1512 1860 42060.exe 91 PID 1860 wrote to memory of 1512 1860 42060.exe 91 PID 1512 wrote to memory of 4752 1512 pvvjd.exe 92 PID 1512 wrote to memory of 4752 1512 pvvjd.exe 92 PID 1512 wrote to memory of 4752 1512 pvvjd.exe 92 PID 4752 wrote to memory of 4900 4752 1hnhbt.exe 93 PID 4752 wrote to memory of 4900 4752 1hnhbt.exe 93 PID 4752 wrote to memory of 4900 4752 1hnhbt.exe 93 PID 4900 wrote to memory of 4156 4900 xxlxlfx.exe 94 PID 4900 wrote to memory of 4156 4900 xxlxlfx.exe 94 PID 4900 wrote to memory of 4156 4900 xxlxlfx.exe 94 PID 4156 wrote to memory of 3468 4156 htbttn.exe 143 PID 4156 wrote to memory of 3468 4156 htbttn.exe 143 PID 4156 wrote to memory of 3468 4156 htbttn.exe 143 PID 3468 wrote to memory of 664 3468 lflflfl.exe 96 PID 3468 wrote to memory of 
664 3468 lflflfl.exe 96 PID 3468 wrote to memory of 664 3468 lflflfl.exe 96 PID 664 wrote to memory of 5116 664 o024264.exe 97 PID 664 wrote to memory of 5116 664 o024264.exe 97 PID 664 wrote to memory of 5116 664 o024264.exe 97 PID 5116 wrote to memory of 3324 5116 9pppj.exe 98 PID 5116 wrote to memory of 3324 5116 9pppj.exe 98 PID 5116 wrote to memory of 3324 5116 9pppj.exe 98 PID 3324 wrote to memory of 3272 3324 htbthb.exe 99 PID 3324 wrote to memory of 3272 3324 htbthb.exe 99 PID 3324 wrote to memory of 3272 3324 htbthb.exe 99 PID 3272 wrote to memory of 4904 3272 pjvjd.exe 100 PID 3272 wrote to memory of 4904 3272 pjvjd.exe 100 PID 3272 wrote to memory of 4904 3272 pjvjd.exe 100 PID 4904 wrote to memory of 2432 4904 22884.exe 101 PID 4904 wrote to memory of 2432 4904 22884.exe 101 PID 4904 wrote to memory of 2432 4904 22884.exe 101 PID 2432 wrote to memory of 5032 2432 u842600.exe 102 PID 2432 wrote to memory of 5032 2432 u842600.exe 102 PID 2432 wrote to memory of 5032 2432 u842600.exe 102 PID 5032 wrote to memory of 1460 5032 jvpdp.exe 103 PID 5032 wrote to memory of 1460 5032 jvpdp.exe 103 PID 5032 wrote to memory of 1460 5032 jvpdp.exe 103 PID 1460 wrote to memory of 3440 1460 ddjdd.exe 104 PID 1460 wrote to memory of 3440 1460 ddjdd.exe 104 PID 1460 wrote to memory of 3440 1460 ddjdd.exe 104 PID 3440 wrote to memory of 984 3440 64488.exe 105 PID 3440 wrote to memory of 984 3440 64488.exe 105 PID 3440 wrote to memory of 984 3440 64488.exe 105 PID 984 wrote to memory of 4740 984 1pvpj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284dN.exe"C:\Users\Admin\AppData\Local\Temp\e142dcd5f51f185d5875042fcdeb5390c1d72daedbb9692dd91ec99c5e9c284dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\nbbnht.exec:\nbbnht.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\vpvvv.exec:\vpvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\xxxlfxl.exec:\xxxlfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\e48204.exec:\e48204.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\7nbhnb.exec:\7nbhnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\42060.exec:\42060.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\pvvjd.exec:\pvvjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\1hnhbt.exec:\1hnhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\xxlxlfx.exec:\xxlxlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\htbttn.exec:\htbttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\lflflfl.exec:\lflflfl.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\o024264.exec:\o024264.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\9pppj.exec:\9pppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\htbthb.exec:\htbthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\pjvjd.exec:\pjvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\22884.exec:\22884.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\u842600.exec:\u842600.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\jvpdp.exec:\jvpdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\ddjdd.exec:\ddjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\64488.exec:\64488.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\1pvpj.exec:\1pvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\62608.exec:\62608.exe23⤵
- Executes dropped EXE
PID:4740 -
\??\c:\k06842.exec:\k06842.exe24⤵
- Executes dropped EXE
PID:3544 -
\??\c:\5hnbnn.exec:\5hnbnn.exe25⤵
- Executes dropped EXE
PID:4916 -
\??\c:\dpjvp.exec:\dpjvp.exe26⤵
- Executes dropped EXE
PID:2448 -
\??\c:\9jjdd.exec:\9jjdd.exe27⤵
- Executes dropped EXE
PID:3992 -
\??\c:\w46000.exec:\w46000.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4384 -
\??\c:\88042.exec:\88042.exe29⤵
- Executes dropped EXE
PID:2624 -
\??\c:\nnnhhh.exec:\nnnhhh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3940 -
\??\c:\20426.exec:\20426.exe31⤵
- Executes dropped EXE
PID:1628 -
\??\c:\bbttnn.exec:\bbttnn.exe32⤵
- Executes dropped EXE
PID:3936 -
\??\c:\ttnhtt.exec:\ttnhtt.exe33⤵
- Executes dropped EXE
PID:4760 -
\??\c:\3hbtnn.exec:\3hbtnn.exe34⤵
- Executes dropped EXE
PID:3968 -
\??\c:\0822008.exec:\0822008.exe35⤵
- Executes dropped EXE
PID:3744 -
\??\c:\288260.exec:\288260.exe36⤵
- Executes dropped EXE
PID:3708 -
\??\c:\4208264.exec:\4208264.exe37⤵
- Executes dropped EXE
PID:5000 -
\??\c:\04844.exec:\04844.exe38⤵
- Executes dropped EXE
PID:4020 -
\??\c:\nbtnhb.exec:\nbtnhb.exe39⤵
- Executes dropped EXE
PID:4684 -
\??\c:\vjjvj.exec:\vjjvj.exe40⤵
- Executes dropped EXE
PID:3340 -
\??\c:\htnbnh.exec:\htnbnh.exe41⤵
- Executes dropped EXE
PID:1548 -
\??\c:\bnhbnh.exec:\bnhbnh.exe42⤵
- Executes dropped EXE
PID:4392 -
\??\c:\9xrlfxr.exec:\9xrlfxr.exe43⤵
- Executes dropped EXE
PID:2348 -
\??\c:\806044.exec:\806044.exe44⤵
- Executes dropped EXE
PID:4360 -
\??\c:\vdpvd.exec:\vdpvd.exe45⤵PID:636
-
\??\c:\w28446.exec:\w28446.exe46⤵
- Executes dropped EXE
PID:3464 -
\??\c:\6006622.exec:\6006622.exe47⤵
- Executes dropped EXE
PID:3472 -
\??\c:\jvvvd.exec:\jvvvd.exe48⤵
- Executes dropped EXE
PID:208 -
\??\c:\bhhhhn.exec:\bhhhhn.exe49⤵
- Executes dropped EXE
PID:2636 -
\??\c:\s0604.exec:\s0604.exe50⤵
- Executes dropped EXE
PID:4436 -
\??\c:\0664260.exec:\0664260.exe51⤵
- Executes dropped EXE
PID:1028 -
\??\c:\9nbntn.exec:\9nbntn.exe52⤵
- Executes dropped EXE
PID:460 -
\??\c:\bttnhb.exec:\bttnhb.exe53⤵
- Executes dropped EXE
PID:432 -
\??\c:\0048820.exec:\0048820.exe54⤵
- Executes dropped EXE
PID:1968 -
\??\c:\8648044.exec:\8648044.exe55⤵
- Executes dropped EXE
PID:3588 -
\??\c:\2408480.exec:\2408480.exe56⤵
- Executes dropped EXE
PID:3336 -
\??\c:\dpjvp.exec:\dpjvp.exe57⤵
- Executes dropped EXE
PID:1948 -
\??\c:\2020888.exec:\2020888.exe58⤵
- Executes dropped EXE
PID:2904 -
\??\c:\s8420.exec:\s8420.exe59⤵
- Executes dropped EXE
PID:4064 -
\??\c:\pjjvd.exec:\pjjvd.exe60⤵
- Executes dropped EXE
PID:3468 -
\??\c:\jppdp.exec:\jppdp.exe61⤵
- Executes dropped EXE
PID:1140 -
\??\c:\0020264.exec:\0020264.exe62⤵
- Executes dropped EXE
PID:2696 -
\??\c:\7fxlfxr.exec:\7fxlfxr.exe63⤵
- Executes dropped EXE
PID:4844 -
\??\c:\484642.exec:\484642.exe64⤵
- Executes dropped EXE
PID:1156 -
\??\c:\5fxlxrl.exec:\5fxlxrl.exe65⤵
- Executes dropped EXE
PID:3260 -
\??\c:\nnhhbb.exec:\nnhhbb.exe66⤵
- Executes dropped EXE
PID:3272 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe67⤵PID:5104
-
\??\c:\s4604.exec:\s4604.exe68⤵PID:752
-
\??\c:\0620486.exec:\0620486.exe69⤵PID:1936
-
\??\c:\djpdp.exec:\djpdp.exe70⤵PID:1920
-
\??\c:\2620444.exec:\2620444.exe71⤵PID:3476
-
\??\c:\flfxrfx.exec:\flfxrfx.exe72⤵PID:2188
-
\??\c:\4220644.exec:\4220644.exe73⤵PID:1312
-
\??\c:\068222.exec:\068222.exe74⤵PID:1452
-
\??\c:\lffxlll.exec:\lffxlll.exe75⤵PID:3988
-
\??\c:\802604.exec:\802604.exe76⤵PID:4504
-
\??\c:\s2448.exec:\s2448.exe77⤵PID:976
-
\??\c:\82640.exec:\82640.exe78⤵PID:1480
-
\??\c:\a8864.exec:\a8864.exe79⤵PID:4288
-
\??\c:\ppvpd.exec:\ppvpd.exe80⤵PID:4812
-
\??\c:\ttbtnt.exec:\ttbtnt.exe81⤵PID:4680
-
\??\c:\g6608.exec:\g6608.exe82⤵PID:3164
-
\??\c:\0404822.exec:\0404822.exe83⤵PID:3704
-
\??\c:\w40422.exec:\w40422.exe84⤵PID:3488
-
\??\c:\648482.exec:\648482.exe85⤵PID:1628
-
\??\c:\vpdpv.exec:\vpdpv.exe86⤵PID:3936
-
\??\c:\thntht.exec:\thntht.exe87⤵PID:1928
-
\??\c:\2288668.exec:\2288668.exe88⤵PID:1352
-
\??\c:\nhhhbb.exec:\nhhhbb.exe89⤵PID:2840
-
\??\c:\pvdvj.exec:\pvdvj.exe90⤵PID:3292
-
\??\c:\7ntnbh.exec:\7ntnbh.exe91⤵PID:1400
-
\??\c:\btttnn.exec:\btttnn.exe92⤵
- System Location Discovery: System Language Discovery
PID:4012 -
\??\c:\jvvvp.exec:\jvvvp.exe93⤵PID:4020
-
\??\c:\3ddvj.exec:\3ddvj.exe94⤵PID:4712
-
\??\c:\488222.exec:\488222.exe95⤵PID:5072
-
\??\c:\k62000.exec:\k62000.exe96⤵PID:2736
-
\??\c:\00600.exec:\00600.exe97⤵PID:4824
-
\??\c:\4666044.exec:\4666044.exe98⤵PID:4392
-
\??\c:\w80448.exec:\w80448.exe99⤵PID:4312
-
\??\c:\244824.exec:\244824.exe100⤵PID:4924
-
\??\c:\hhbttt.exec:\hhbttt.exe101⤵PID:636
-
\??\c:\3flffxf.exec:\3flffxf.exe102⤵PID:3464
-
\??\c:\hbhbtt.exec:\hbhbtt.exe103⤵PID:1456
-
\??\c:\lrxrxxr.exec:\lrxrxxr.exe104⤵PID:1960
-
\??\c:\frfflrl.exec:\frfflrl.exe105⤵PID:4004
-
\??\c:\64466.exec:\64466.exe106⤵PID:4888
-
\??\c:\4460668.exec:\4460668.exe107⤵PID:4052
-
\??\c:\486622.exec:\486622.exe108⤵PID:820
-
\??\c:\xfffrxl.exec:\xfffrxl.exe109⤵PID:1336
-
\??\c:\ppvvj.exec:\ppvvj.exe110⤵PID:432
-
\??\c:\206208.exec:\206208.exe111⤵PID:2960
-
\??\c:\rllfxxf.exec:\rllfxxf.exe112⤵PID:740
-
\??\c:\bttthh.exec:\bttthh.exe113⤵PID:2856
-
\??\c:\0600448.exec:\0600448.exe114⤵PID:4036
-
\??\c:\tntttt.exec:\tntttt.exe115⤵PID:1356
-
\??\c:\u288884.exec:\u288884.exe116⤵PID:3696
-
\??\c:\6408664.exec:\6408664.exe117⤵PID:548
-
\??\c:\c844888.exec:\c844888.exe118⤵PID:2136
-
\??\c:\480044.exec:\480044.exe119⤵PID:2604
-
\??\c:\5djdv.exec:\5djdv.exe120⤵PID:504
-
\??\c:\7hbhhh.exec:\7hbhhh.exe121⤵PID:3036
-
\??\c:\m2448.exec:\m2448.exe122⤵PID:1156