Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 09:45
Behavioral task
behavioral1
Sample
e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exe
Resource
win7-20241010-en
General
-
Target
e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exe
-
Size
81KB
-
MD5
d53da58204c8b5a79a7095497f705bd5
-
SHA1
3bfc90e1ca4f7f68bfd70b7448c8b790e64d2895
-
SHA256
e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7
-
SHA512
77a35d37a47a65b583980c98fd59cabdb88c5ab3650a42e57c9da42f478dfeaa6bb35d3de9624660b4bd4774700d602e0ac9646f88c6b50c44984f56d137e032
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w1rCJtzx8/p7kepA:xhOmTsF93UYfwC6GIout03LzGF6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/2364-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/324-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3180-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4956-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2072-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1140-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3008-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2128-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4240-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/860-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3260-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/428-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2052-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3640-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1620-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-536-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-577-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-674-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-831-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-925-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-1694-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-2104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
xlfxllx.exehtbbbb.exejvjvj.exelfflxrl.exehbhtnh.exehttnbt.exe7jppd.exeddvjv.exe1xlxxfr.exedvpvd.exeffxrfxr.exexlxlfxl.exehtbtnh.exedjdpj.exelxxlfxr.exenthntt.exevjjpp.exelxxrlll.exehbhbtn.exejdpjv.exe7lfxlrl.exehhnhnn.exejdjjv.exelffxrlf.exeflxrlll.exe7bnhtt.exevpvpj.exevjpjd.exerllffrr.exebtnbbt.exe5bnhbb.exepdppd.exexlfllff.exerxfrlfx.exejpppp.exexlfrxrl.exexxrlrrl.exebtttbb.exe3ntnbb.exefllfrxl.exerxlfxff.exetbtnnn.exeppjdv.exellrrllf.exerlxrrlf.exebnttnb.exedpvpj.exepvppp.exelrrlrlx.exexrxfrxl.exe1htbnn.exevpppv.exedpddp.exe3jdvd.exexrxxlrr.exe1lrlfff.exe5btbbb.exebbbttt.exevjppd.exepppjv.exelffxrrl.exehnttnn.exenhbhbb.exepvjvj.exepid Process 5084 xlfxllx.exe 4884 htbbbb.exe 2612 jvjvj.exe 4036 lfflxrl.exe 324 hbhtnh.exe 1596 httnbt.exe 3180 7jppd.exe 836 ddvjv.exe 1600 1xlxxfr.exe 32 dvpvd.exe 3676 ffxrfxr.exe 3744 xlxlfxl.exe 4168 htbtnh.exe 4048 djdpj.exe 3556 lxxlfxr.exe 4296 nthntt.exe 4768 vjjpp.exe 4644 lxxrlll.exe 1584 hbhbtn.exe 4376 jdpjv.exe 216 7lfxlrl.exe 2984 hhnhnn.exe 3248 jdjjv.exe 4956 lffxrlf.exe 3996 flxrlll.exe 2072 7bnhtt.exe 4372 vpvpj.exe 724 vjpjd.exe 1140 rllffrr.exe 3008 btnbbt.exe 2128 5bnhbb.exe 5044 pdppd.exe 5036 xlfllff.exe 3220 rxfrlfx.exe 1936 jpppp.exe 2096 xlfrxrl.exe 1516 xxrlrrl.exe 2052 btttbb.exe 1672 3ntnbb.exe 4072 fllfrxl.exe 2068 rxlfxff.exe 4264 tbtnnn.exe 4240 ppjdv.exe 5052 llrrllf.exe 3964 rlxrrlf.exe 3692 bnttnb.exe 2428 dpvpj.exe 4200 pvppp.exe 4660 lrrlrlx.exe 3116 xrxfrxl.exe 3568 1htbnn.exe 372 vpppv.exe 4684 dpddp.exe 1144 3jdvd.exe 3016 xrxxlrr.exe 2552 1lrlfff.exe 4104 5btbbb.exe 1284 bbbttt.exe 1436 vjppd.exe 3644 pppjv.exe 4168 lffxrrl.exe 4040 hnttnn.exe 1020 nhbhbb.exe 1700 pvjvj.exe -
Processes:
resource yara_rule behavioral2/memory/2364-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b25-3.dat upx behavioral2/memory/2364-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-10.dat upx behavioral2/files/0x000a000000023b89-11.dat upx behavioral2/memory/4884-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5084-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-20.dat upx behavioral2/memory/2612-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-26.dat upx behavioral2/memory/4036-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-32.dat upx behavioral2/memory/1596-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/324-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-39.dat upx behavioral2/memory/1596-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-45.dat upx behavioral2/memory/3180-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-51.dat upx behavioral2/memory/836-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-57.dat upx behavioral2/memory/1600-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-63.dat upx behavioral2/memory/32-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3676-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b92-71.dat upx behavioral2/files/0x000b000000023b93-75.dat upx behavioral2/memory/3744-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b94-82.dat upx behavioral2/memory/4168-83-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b9c-89.dat upx behavioral2/memory/4048-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023ba3-93.dat upx behavioral2/memory/3556-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4296-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bac-101.dat upx behavioral2/files/0x0009000000023bb1-105.dat upx behavioral2/files/0x0009000000023bb2-110.dat upx behavioral2/memory/4644-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb3-116.dat upx behavioral2/files/0x000e000000023bb7-121.dat upx behavioral2/memory/4376-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb9-127.dat upx behavioral2/memory/216-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbc-133.dat upx behavioral2/memory/2984-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbd-139.dat upx behavioral2/files/0x000b000000023b85-144.dat upx behavioral2/memory/4956-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbe-151.dat upx behavioral2/files/0x0008000000023bbf-155.dat upx behavioral2/memory/2072-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bee-161.dat upx behavioral2/memory/4372-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf0-167.dat upx behavioral2/memory/724-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf1-174.dat upx behavioral2/memory/1140-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3008-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf2-182.dat upx behavioral2/memory/2128-184-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0008000000023bf3-187.dat upx behavioral2/memory/5036-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3220-199-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
Processes:
bhttnn.exebbbtnt.exe5htthh.exetnhhbb.exedvdvp.exehbbbtn.exevvddp.exerxfflrx.exelfxrfff.exerlrxrxl.exe1nbtnb.exehbnhbb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5htthh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exexlfxllx.exehtbbbb.exejvjvj.exelfflxrl.exehbhtnh.exehttnbt.exe7jppd.exeddvjv.exe1xlxxfr.exedvpvd.exeffxrfxr.exexlxlfxl.exehtbtnh.exedjdpj.exelxxlfxr.exenthntt.exevjjpp.exelxxrlll.exehbhbtn.exejdpjv.exe7lfxlrl.exedescription pid Process procid_target PID 2364 wrote to memory of 5084 2364 e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exe 83 PID 2364 wrote to memory of 5084 2364 e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exe 83 PID 2364 wrote to memory of 5084 2364 e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exe 83 PID 5084 wrote to memory of 4884 5084 xlfxllx.exe 84 PID 5084 wrote to memory of 4884 5084 xlfxllx.exe 84 PID 5084 wrote to memory of 4884 5084 xlfxllx.exe 84 PID 4884 wrote to memory of 2612 4884 htbbbb.exe 85 PID 4884 wrote to memory of 2612 4884 htbbbb.exe 85 PID 4884 wrote to memory of 2612 4884 htbbbb.exe 85 PID 2612 wrote to memory of 4036 2612 jvjvj.exe 86 PID 2612 wrote to memory of 4036 2612 jvjvj.exe 86 PID 2612 wrote to memory of 4036 2612 jvjvj.exe 86 PID 4036 wrote to memory of 324 4036 lfflxrl.exe 87 PID 4036 wrote to memory of 324 4036 lfflxrl.exe 87 PID 4036 wrote to memory of 324 4036 lfflxrl.exe 87 PID 324 wrote to memory of 1596 324 hbhtnh.exe 88 PID 324 wrote to memory of 1596 324 hbhtnh.exe 88 PID 324 wrote to memory of 1596 324 hbhtnh.exe 88 PID 1596 wrote to memory of 3180 1596 httnbt.exe 89 PID 1596 wrote to memory of 3180 1596 httnbt.exe 89 PID 1596 wrote to memory of 3180 1596 httnbt.exe 89 PID 3180 wrote to memory of 836 3180 7jppd.exe 90 PID 3180 wrote to memory of 836 3180 7jppd.exe 90 PID 3180 wrote to memory of 836 3180 7jppd.exe 90 PID 836 wrote to memory of 1600 836 ddvjv.exe 91 PID 836 wrote to memory of 1600 836 ddvjv.exe 91 PID 836 wrote to memory of 1600 836 ddvjv.exe 91 PID 1600 wrote to memory of 32 1600 1xlxxfr.exe 92 PID 1600 wrote to memory of 32 1600 1xlxxfr.exe 92 PID 1600 wrote to 
memory of 32 1600 1xlxxfr.exe 92 PID 32 wrote to memory of 3676 32 dvpvd.exe 93 PID 32 wrote to memory of 3676 32 dvpvd.exe 93 PID 32 wrote to memory of 3676 32 dvpvd.exe 93 PID 3676 wrote to memory of 3744 3676 ffxrfxr.exe 94 PID 3676 wrote to memory of 3744 3676 ffxrfxr.exe 94 PID 3676 wrote to memory of 3744 3676 ffxrfxr.exe 94 PID 3744 wrote to memory of 4168 3744 xlxlfxl.exe 95 PID 3744 wrote to memory of 4168 3744 xlxlfxl.exe 95 PID 3744 wrote to memory of 4168 3744 xlxlfxl.exe 95 PID 4168 wrote to memory of 4048 4168 htbtnh.exe 96 PID 4168 wrote to memory of 4048 4168 htbtnh.exe 96 PID 4168 wrote to memory of 4048 4168 htbtnh.exe 96 PID 4048 wrote to memory of 3556 4048 djdpj.exe 97 PID 4048 wrote to memory of 3556 4048 djdpj.exe 97 PID 4048 wrote to memory of 3556 4048 djdpj.exe 97 PID 3556 wrote to memory of 4296 3556 lxxlfxr.exe 98 PID 3556 wrote to memory of 4296 3556 lxxlfxr.exe 98 PID 3556 wrote to memory of 4296 3556 lxxlfxr.exe 98 PID 4296 wrote to memory of 4768 4296 nthntt.exe 99 PID 4296 wrote to memory of 4768 4296 nthntt.exe 99 PID 4296 wrote to memory of 4768 4296 nthntt.exe 99 PID 4768 wrote to memory of 4644 4768 vjjpp.exe 100 PID 4768 wrote to memory of 4644 4768 vjjpp.exe 100 PID 4768 wrote to memory of 4644 4768 vjjpp.exe 100 PID 4644 wrote to memory of 1584 4644 lxxrlll.exe 101 PID 4644 wrote to memory of 1584 4644 lxxrlll.exe 101 PID 4644 wrote to memory of 1584 4644 lxxrlll.exe 101 PID 1584 wrote to memory of 4376 1584 hbhbtn.exe 102 PID 1584 wrote to memory of 4376 1584 hbhbtn.exe 102 PID 1584 wrote to memory of 4376 1584 hbhbtn.exe 102 PID 4376 wrote to memory of 216 4376 jdpjv.exe 103 PID 4376 wrote to memory of 216 4376 jdpjv.exe 103 PID 4376 wrote to memory of 216 4376 jdpjv.exe 103 PID 216 wrote to memory of 2984 216 7lfxlrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exe"C:\Users\Admin\AppData\Local\Temp\e2918f34222ace0e9b2a193999aca99bfba8fc1d2b4c12dad2963f7e460f73d7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\xlfxllx.exec:\xlfxllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\htbbbb.exec:\htbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\jvjvj.exec:\jvjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\lfflxrl.exec:\lfflxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\hbhtnh.exec:\hbhtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\httnbt.exec:\httnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\7jppd.exec:\7jppd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\ddvjv.exec:\ddvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\1xlxxfr.exec:\1xlxxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\dvpvd.exec:\dvpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\ffxrfxr.exec:\ffxrfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\xlxlfxl.exec:\xlxlfxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\htbtnh.exec:\htbtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\djdpj.exec:\djdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\nthntt.exec:\nthntt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\vjjpp.exec:\vjjpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\lxxrlll.exec:\lxxrlll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\hbhbtn.exec:\hbhbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\jdpjv.exec:\jdpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\7lfxlrl.exec:\7lfxlrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\hhnhnn.exec:\hhnhnn.exe23⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jdjjv.exec:\jdjjv.exe24⤵
- Executes dropped EXE
PID:3248 -
\??\c:\lffxrlf.exec:\lffxrlf.exe25⤵
- Executes dropped EXE
PID:4956 -
\??\c:\flxrlll.exec:\flxrlll.exe26⤵
- Executes dropped EXE
PID:3996 -
\??\c:\7bnhtt.exec:\7bnhtt.exe27⤵
- Executes dropped EXE
PID:2072 -
\??\c:\vpvpj.exec:\vpvpj.exe28⤵
- Executes dropped EXE
PID:4372 -
\??\c:\vjpjd.exec:\vjpjd.exe29⤵
- Executes dropped EXE
PID:724 -
\??\c:\rllffrr.exec:\rllffrr.exe30⤵
- Executes dropped EXE
PID:1140 -
\??\c:\btnbbt.exec:\btnbbt.exe31⤵
- Executes dropped EXE
PID:3008 -
\??\c:\5bnhbb.exec:\5bnhbb.exe32⤵
- Executes dropped EXE
PID:2128 -
\??\c:\pdppd.exec:\pdppd.exe33⤵
- Executes dropped EXE
PID:5044 -
\??\c:\xlfllff.exec:\xlfllff.exe34⤵
- Executes dropped EXE
PID:5036 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe35⤵
- Executes dropped EXE
PID:3220 -
\??\c:\jpppp.exec:\jpppp.exe36⤵
- Executes dropped EXE
PID:1936 -
\??\c:\xlfrxrl.exec:\xlfrxrl.exe37⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xxrlrrl.exec:\xxrlrrl.exe38⤵
- Executes dropped EXE
PID:1516 -
\??\c:\btttbb.exec:\btttbb.exe39⤵
- Executes dropped EXE
PID:2052 -
\??\c:\3ntnbb.exec:\3ntnbb.exe40⤵
- Executes dropped EXE
PID:1672 -
\??\c:\fllfrxl.exec:\fllfrxl.exe41⤵
- Executes dropped EXE
PID:4072 -
\??\c:\rxlfxff.exec:\rxlfxff.exe42⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tbtnnn.exec:\tbtnnn.exe43⤵
- Executes dropped EXE
PID:4264 -
\??\c:\ppjdv.exec:\ppjdv.exe44⤵
- Executes dropped EXE
PID:4240 -
\??\c:\llrrllf.exec:\llrrllf.exe45⤵
- Executes dropped EXE
PID:5052 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe46⤵
- Executes dropped EXE
PID:3964 -
\??\c:\bnttnb.exec:\bnttnb.exe47⤵
- Executes dropped EXE
PID:3692 -
\??\c:\dpvpj.exec:\dpvpj.exe48⤵
- Executes dropped EXE
PID:2428 -
\??\c:\pvppp.exec:\pvppp.exe49⤵
- Executes dropped EXE
PID:4200 -
\??\c:\lrrlrlx.exec:\lrrlrlx.exe50⤵
- Executes dropped EXE
PID:4660 -
\??\c:\xrxfrxl.exec:\xrxfrxl.exe51⤵
- Executes dropped EXE
PID:3116 -
\??\c:\1htbnn.exec:\1htbnn.exe52⤵
- Executes dropped EXE
PID:3568 -
\??\c:\vpppv.exec:\vpppv.exe53⤵
- Executes dropped EXE
PID:372 -
\??\c:\dpddp.exec:\dpddp.exe54⤵
- Executes dropped EXE
PID:4684 -
\??\c:\3jdvd.exec:\3jdvd.exe55⤵
- Executes dropped EXE
PID:1144 -
\??\c:\xrxxlrr.exec:\xrxxlrr.exe56⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1lrlfff.exec:\1lrlfff.exe57⤵
- Executes dropped EXE
PID:2552 -
\??\c:\5btbbb.exec:\5btbbb.exe58⤵
- Executes dropped EXE
PID:4104 -
\??\c:\bbbttt.exec:\bbbttt.exe59⤵
- Executes dropped EXE
PID:1284 -
\??\c:\vjppd.exec:\vjppd.exe60⤵
- Executes dropped EXE
PID:1436 -
\??\c:\pppjv.exec:\pppjv.exe61⤵
- Executes dropped EXE
PID:3644 -
\??\c:\lffxrrl.exec:\lffxrrl.exe62⤵
- Executes dropped EXE
PID:4168 -
\??\c:\hnttnn.exec:\hnttnn.exe63⤵
- Executes dropped EXE
PID:4040 -
\??\c:\nhbhbb.exec:\nhbhbb.exe64⤵
- Executes dropped EXE
PID:1020 -
\??\c:\pvjvj.exec:\pvjvj.exe65⤵
- Executes dropped EXE
PID:1700 -
\??\c:\jpdjp.exec:\jpdjp.exe66⤵PID:4044
-
\??\c:\5fxrrrx.exec:\5fxrrrx.exe67⤵PID:4868
-
\??\c:\3tbtnt.exec:\3tbtnt.exe68⤵PID:4872
-
\??\c:\tnhhbb.exec:\tnhhbb.exe69⤵
- System Location Discovery: System Language Discovery
PID:860 -
\??\c:\3pvpj.exec:\3pvpj.exe70⤵PID:400
-
\??\c:\9pdvp.exec:\9pdvp.exe71⤵PID:2400
-
\??\c:\1xfxlll.exec:\1xfxlll.exe72⤵PID:4460
-
\??\c:\ntttnn.exec:\ntttnn.exe73⤵PID:3260
-
\??\c:\rxfflrx.exec:\rxfflrx.exe74⤵
- System Location Discovery: System Language Discovery
PID:216 -
\??\c:\rlxxlfx.exec:\rlxxlfx.exe75⤵PID:4748
-
\??\c:\htbtbb.exec:\htbtbb.exe76⤵PID:1348
-
\??\c:\jvvjv.exec:\jvvjv.exe77⤵PID:2728
-
\??\c:\djdjj.exec:\djdjj.exe78⤵PID:1152
-
\??\c:\5jjjv.exec:\5jjjv.exe79⤵PID:5092
-
\??\c:\lfxxxxf.exec:\lfxxxxf.exe80⤵PID:4304
-
\??\c:\btnnhb.exec:\btnnhb.exe81⤵PID:2320
-
\??\c:\jddvj.exec:\jddvj.exe82⤵PID:60
-
\??\c:\jvddv.exec:\jvddv.exe83⤵PID:724
-
\??\c:\llrlflf.exec:\llrlflf.exe84⤵PID:1944
-
\??\c:\tttnhh.exec:\tttnhh.exe85⤵PID:5096
-
\??\c:\bhttnn.exec:\bhttnn.exe86⤵PID:512
-
\??\c:\9djpv.exec:\9djpv.exe87⤵PID:5044
-
\??\c:\dpppj.exec:\dpppj.exe88⤵PID:3348
-
\??\c:\vvpjp.exec:\vvpjp.exe89⤵PID:4020
-
\??\c:\9ffxrrr.exec:\9ffxrrr.exe90⤵PID:1480
-
\??\c:\rlxrlxr.exec:\rlxrlxr.exe91⤵PID:4432
-
\??\c:\tnbbhh.exec:\tnbbhh.exe92⤵PID:4784
-
\??\c:\jjddp.exec:\jjddp.exe93⤵PID:1792
-
\??\c:\rxllfll.exec:\rxllfll.exe94⤵PID:428
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe95⤵PID:2052
-
\??\c:\tnhhhh.exec:\tnhhhh.exe96⤵PID:2668
-
\??\c:\jdpjd.exec:\jdpjd.exe97⤵PID:2068
-
\??\c:\9ddjd.exec:\9ddjd.exe98⤵PID:920
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe99⤵PID:4884
-
\??\c:\9hnhbb.exec:\9hnhbb.exe100⤵PID:3532
-
\??\c:\vjjdv.exec:\vjjdv.exe101⤵PID:3440
-
\??\c:\xxffffl.exec:\xxffffl.exe102⤵PID:4808
-
\??\c:\rrrlllf.exec:\rrrlllf.exe103⤵PID:2316
-
\??\c:\httttt.exec:\httttt.exe104⤵PID:4164
-
\??\c:\5ttnnn.exec:\5ttnnn.exe105⤵PID:3724
-
\??\c:\9vdvj.exec:\9vdvj.exe106⤵PID:2044
-
\??\c:\5lffrrr.exec:\5lffrrr.exe107⤵PID:3536
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe108⤵PID:836
-
\??\c:\thnnhh.exec:\thnnhh.exe109⤵PID:1084
-
\??\c:\bnnhbb.exec:\bnnhbb.exe110⤵PID:2148
-
\??\c:\7pvjd.exec:\7pvjd.exe111⤵PID:1224
-
\??\c:\lfllllr.exec:\lfllllr.exe112⤵PID:2552
-
\??\c:\hbnnnn.exec:\hbnnnn.exe113⤵PID:1180
-
\??\c:\nhnhbb.exec:\nhnhbb.exe114⤵PID:1284
-
\??\c:\3nbbtn.exec:\3nbbtn.exe115⤵PID:3888
-
\??\c:\pjjpd.exec:\pjjpd.exe116⤵PID:2636
-
\??\c:\5jdvj.exec:\5jdvj.exe117⤵PID:4048
-
\??\c:\xrxxlfl.exec:\xrxxlfl.exe118⤵PID:1664
-
\??\c:\nhnbhh.exec:\nhnbhh.exe119⤵PID:3640
-
\??\c:\nbhhhn.exec:\nbhhhn.exe120⤵PID:3716
-
\??\c:\vpddp.exec:\vpddp.exe121⤵PID:3740
-
\??\c:\5rfxrrf.exec:\5rfxrrf.exe122⤵PID:1864