Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe
-
Size
454KB
-
MD5
538f1a1627e2e404679d394911cc605a
-
SHA1
5b95f9a85b78128dd96a90b9193dab5dbf58ee51
-
SHA256
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755
-
SHA512
e0b0c461a6667db735d66dbcb701caa09bff71acc147adb1059434fefc6aa68b6b3aaa4e8e6e37cf909e14255276e6096038d083a6e5e74aa725fa005bc12bac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1J:q7Tc2NYHUrAwfMp3CD1J
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1092-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4344-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1620-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-1051-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-1283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-1329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4572 7nhbtn.exe 4104 xlxllff.exe 1232 xllfrlf.exe 2512 nbthbn.exe 2240 dppdv.exe 3040 7htthh.exe 4188 dppdp.exe 3852 nbthbt.exe 4660 xrfrrrl.exe 3108 hnthbn.exe 3024 7vppv.exe 4364 dpvjd.exe 2532 pppdv.exe 3152 9nthhb.exe 2924 7pjpj.exe 3228 frrxxrx.exe 3536 bnnbtn.exe 4420 frllrrx.exe 4888 lxxxlrr.exe 3684 vpvpd.exe 1524 ffxlffx.exe 2380 9jvjv.exe 4336 xxlxrrl.exe 1148 ppdvj.exe 3712 dvvjd.exe 5056 vvvpd.exe 3244 ntbthb.exe 2204 1bnhtt.exe 1680 5rxxrxr.exe 2668 tnttbb.exe 4344 3jjjd.exe 4412 lxfxllf.exe 1492 jppjd.exe 1016 dddvp.exe 2696 5nbtnn.exe 3188 5dpjd.exe 3504 xrfllff.exe 1096 bnnhtt.exe 4916 pdjjd.exe 1640 jppdp.exe 2520 fllfrlf.exe 5088 bnnhtt.exe 2448 tbbnhb.exe 1116 5jdvp.exe 724 fxrlfrl.exe 2292 pjjdd.exe 704 rllffrx.exe 3640 lfrlrlx.exe 5068 tnnnbn.exe 4896 dppjd.exe 4392 xrlfrlf.exe 3964 thnhtn.exe 4572 dddpd.exe 4648 xffxrll.exe 4596 1nthnh.exe 1232 btthbb.exe 2512 pdjvj.exe 2052 lrxlrfr.exe 1976 tnhhbt.exe 3968 tnttnn.exe 1452 9vpjd.exe 2460 3frlxxx.exe 2700 3llxlfx.exe 3920 htnnhh.exe -
resource yara_rule behavioral2/memory/1092-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4412-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-470-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4592-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-933-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-929-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1092 wrote to memory of 4572 1092 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 83 PID 1092 wrote to memory of 4572 1092 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 83 PID 1092 wrote to memory of 4572 1092 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 83 PID 4572 wrote to memory of 4104 4572 7nhbtn.exe 84 PID 4572 wrote to memory of 4104 4572 7nhbtn.exe 84 PID 4572 wrote to memory of 4104 4572 7nhbtn.exe 84 PID 4104 wrote to memory of 1232 4104 xlxllff.exe 85 PID 4104 wrote to memory of 1232 4104 xlxllff.exe 85 PID 4104 wrote to memory of 1232 4104 xlxllff.exe 85 PID 1232 wrote to memory of 2512 1232 xllfrlf.exe 86 PID 1232 wrote to memory of 2512 1232 xllfrlf.exe 86 PID 1232 wrote to memory of 2512 1232 xllfrlf.exe 86 PID 2512 wrote to memory of 2240 2512 nbthbn.exe 87 PID 2512 wrote to memory of 2240 2512 nbthbn.exe 87 PID 2512 wrote to memory of 2240 2512 nbthbn.exe 87 PID 2240 wrote to memory of 3040 2240 dppdv.exe 88 PID 2240 wrote to memory of 3040 2240 dppdv.exe 88 PID 2240 wrote to memory of 3040 2240 dppdv.exe 88 PID 3040 wrote to memory of 4188 3040 7htthh.exe 89 PID 3040 wrote to memory of 4188 3040 7htthh.exe 89 PID 3040 wrote to memory of 4188 3040 7htthh.exe 89 PID 4188 wrote to memory of 3852 4188 dppdp.exe 90 PID 4188 wrote to memory of 3852 4188 dppdp.exe 90 PID 4188 wrote to memory of 3852 4188 dppdp.exe 90 PID 3852 wrote to memory of 4660 3852 nbthbt.exe 91 PID 3852 wrote to memory of 4660 3852 nbthbt.exe 91 PID 3852 wrote to memory of 4660 3852 nbthbt.exe 91 PID 4660 wrote to memory of 3108 4660 xrfrrrl.exe 92 PID 4660 wrote to memory of 3108 4660 xrfrrrl.exe 92 PID 4660 wrote to memory of 3108 4660 xrfrrrl.exe 92 PID 3108 wrote to memory of 3024 3108 hnthbn.exe 93 PID 3108 wrote to memory of 3024 3108 hnthbn.exe 93 PID 3108 wrote to memory of 3024 3108 hnthbn.exe 93 PID 3024 wrote to memory of 4364 3024 7vppv.exe 94 PID 3024 wrote to 
memory of 4364 3024 7vppv.exe 94 PID 3024 wrote to memory of 4364 3024 7vppv.exe 94 PID 4364 wrote to memory of 2532 4364 dpvjd.exe 95 PID 4364 wrote to memory of 2532 4364 dpvjd.exe 95 PID 4364 wrote to memory of 2532 4364 dpvjd.exe 95 PID 2532 wrote to memory of 3152 2532 pppdv.exe 96 PID 2532 wrote to memory of 3152 2532 pppdv.exe 96 PID 2532 wrote to memory of 3152 2532 pppdv.exe 96 PID 3152 wrote to memory of 2924 3152 9nthhb.exe 97 PID 3152 wrote to memory of 2924 3152 9nthhb.exe 97 PID 3152 wrote to memory of 2924 3152 9nthhb.exe 97 PID 2924 wrote to memory of 3228 2924 7pjpj.exe 98 PID 2924 wrote to memory of 3228 2924 7pjpj.exe 98 PID 2924 wrote to memory of 3228 2924 7pjpj.exe 98 PID 3228 wrote to memory of 3536 3228 frrxxrx.exe 99 PID 3228 wrote to memory of 3536 3228 frrxxrx.exe 99 PID 3228 wrote to memory of 3536 3228 frrxxrx.exe 99 PID 3536 wrote to memory of 4420 3536 bnnbtn.exe 100 PID 3536 wrote to memory of 4420 3536 bnnbtn.exe 100 PID 3536 wrote to memory of 4420 3536 bnnbtn.exe 100 PID 4420 wrote to memory of 4888 4420 frllrrx.exe 101 PID 4420 wrote to memory of 4888 4420 frllrrx.exe 101 PID 4420 wrote to memory of 4888 4420 frllrrx.exe 101 PID 4888 wrote to memory of 3684 4888 lxxxlrr.exe 102 PID 4888 wrote to memory of 3684 4888 lxxxlrr.exe 102 PID 4888 wrote to memory of 3684 4888 lxxxlrr.exe 102 PID 3684 wrote to memory of 1524 3684 vpvpd.exe 103 PID 3684 wrote to memory of 1524 3684 vpvpd.exe 103 PID 3684 wrote to memory of 1524 3684 vpvpd.exe 103 PID 1524 wrote to memory of 2380 1524 ffxlffx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe"C:\Users\Admin\AppData\Local\Temp\e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\7nhbtn.exec:\7nhbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\xlxllff.exec:\xlxllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\xllfrlf.exec:\xllfrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\nbthbn.exec:\nbthbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\dppdv.exec:\dppdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\7htthh.exec:\7htthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\dppdp.exec:\dppdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\nbthbt.exec:\nbthbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\xrfrrrl.exec:\xrfrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\hnthbn.exec:\hnthbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\7vppv.exec:\7vppv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\dpvjd.exec:\dpvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\pppdv.exec:\pppdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\9nthhb.exec:\9nthhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\7pjpj.exec:\7pjpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\frrxxrx.exec:\frrxxrx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\bnnbtn.exec:\bnnbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\frllrrx.exec:\frllrrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\lxxxlrr.exec:\lxxxlrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\vpvpd.exec:\vpvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\ffxlffx.exec:\ffxlffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\9jvjv.exec:\9jvjv.exe23⤵
- Executes dropped EXE
PID:2380 -
\??\c:\xxlxrrl.exec:\xxlxrrl.exe24⤵
- Executes dropped EXE
PID:4336 -
\??\c:\ppdvj.exec:\ppdvj.exe25⤵
- Executes dropped EXE
PID:1148 -
\??\c:\dvvjd.exec:\dvvjd.exe26⤵
- Executes dropped EXE
PID:3712 -
\??\c:\vvvpd.exec:\vvvpd.exe27⤵
- Executes dropped EXE
PID:5056 -
\??\c:\ntbthb.exec:\ntbthb.exe28⤵
- Executes dropped EXE
PID:3244 -
\??\c:\1bnhtt.exec:\1bnhtt.exe29⤵
- Executes dropped EXE
PID:2204 -
\??\c:\5rxxrxr.exec:\5rxxrxr.exe30⤵
- Executes dropped EXE
PID:1680 -
\??\c:\tnttbb.exec:\tnttbb.exe31⤵
- Executes dropped EXE
PID:2668 -
\??\c:\3jjjd.exec:\3jjjd.exe32⤵
- Executes dropped EXE
PID:4344 -
\??\c:\lxfxllf.exec:\lxfxllf.exe33⤵
- Executes dropped EXE
PID:4412 -
\??\c:\jppjd.exec:\jppjd.exe34⤵
- Executes dropped EXE
PID:1492 -
\??\c:\dddvp.exec:\dddvp.exe35⤵
- Executes dropped EXE
PID:1016 -
\??\c:\5nbtnn.exec:\5nbtnn.exe36⤵
- Executes dropped EXE
PID:2696 -
\??\c:\5dpjd.exec:\5dpjd.exe37⤵
- Executes dropped EXE
PID:3188 -
\??\c:\xrfllff.exec:\xrfllff.exe38⤵
- Executes dropped EXE
PID:3504 -
\??\c:\bnnhtt.exec:\bnnhtt.exe39⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pdjjd.exec:\pdjjd.exe40⤵
- Executes dropped EXE
PID:4916 -
\??\c:\jppdp.exec:\jppdp.exe41⤵
- Executes dropped EXE
PID:1640 -
\??\c:\fllfrlf.exec:\fllfrlf.exe42⤵
- Executes dropped EXE
PID:2520 -
\??\c:\bnnhtt.exec:\bnnhtt.exe43⤵
- Executes dropped EXE
PID:5088 -
\??\c:\tbbnhb.exec:\tbbnhb.exe44⤵
- Executes dropped EXE
PID:2448 -
\??\c:\5jdvp.exec:\5jdvp.exe45⤵
- Executes dropped EXE
PID:1116 -
\??\c:\fxrlfrl.exec:\fxrlfrl.exe46⤵
- Executes dropped EXE
PID:724 -
\??\c:\pjjdd.exec:\pjjdd.exe47⤵
- Executes dropped EXE
PID:2292 -
\??\c:\rllffrx.exec:\rllffrx.exe48⤵
- Executes dropped EXE
PID:704 -
\??\c:\lfrlrlx.exec:\lfrlrlx.exe49⤵
- Executes dropped EXE
PID:3640 -
\??\c:\tnnnbn.exec:\tnnnbn.exe50⤵
- Executes dropped EXE
PID:5068 -
\??\c:\dppjd.exec:\dppjd.exe51⤵
- Executes dropped EXE
PID:4896 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe52⤵
- Executes dropped EXE
PID:4392 -
\??\c:\thnhtn.exec:\thnhtn.exe53⤵
- Executes dropped EXE
PID:3964 -
\??\c:\dddpd.exec:\dddpd.exe54⤵
- Executes dropped EXE
PID:4572 -
\??\c:\xffxrll.exec:\xffxrll.exe55⤵
- Executes dropped EXE
PID:4648 -
\??\c:\1nthnh.exec:\1nthnh.exe56⤵
- Executes dropped EXE
PID:4596 -
\??\c:\btthbb.exec:\btthbb.exe57⤵
- Executes dropped EXE
PID:1232 -
\??\c:\pdjvj.exec:\pdjvj.exe58⤵
- Executes dropped EXE
PID:2512 -
\??\c:\lrxlrfr.exec:\lrxlrfr.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\tnhhbt.exec:\tnhhbt.exe60⤵
- Executes dropped EXE
PID:1976 -
\??\c:\tnttnn.exec:\tnttnn.exe61⤵
- Executes dropped EXE
PID:3968 -
\??\c:\9vpjd.exec:\9vpjd.exe62⤵
- Executes dropped EXE
PID:1452 -
\??\c:\3frlxxx.exec:\3frlxxx.exe63⤵
- Executes dropped EXE
PID:2460 -
\??\c:\3llxlfx.exec:\3llxlfx.exe64⤵
- Executes dropped EXE
PID:2700 -
\??\c:\htnnhh.exec:\htnnhh.exe65⤵
- Executes dropped EXE
PID:3920 -
\??\c:\pjdpd.exec:\pjdpd.exe66⤵PID:1656
-
\??\c:\7rrfxrf.exec:\7rrfxrf.exe67⤵PID:1672
-
\??\c:\hnbnhb.exec:\hnbnhb.exe68⤵PID:3728
-
\??\c:\btbttn.exec:\btbttn.exe69⤵PID:2360
-
\??\c:\jvdpj.exec:\jvdpj.exe70⤵PID:4004
-
\??\c:\lxxrffr.exec:\lxxrffr.exe71⤵PID:3156
-
\??\c:\5xlxrrl.exec:\5xlxrrl.exe72⤵PID:4972
-
\??\c:\3nhbtn.exec:\3nhbtn.exe73⤵PID:3688
-
\??\c:\vvvpj.exec:\vvvpj.exe74⤵PID:3816
-
\??\c:\xlfxllf.exec:\xlfxllf.exe75⤵PID:4204
-
\??\c:\bnthbt.exec:\bnthbt.exe76⤵PID:4000
-
\??\c:\hhhbtt.exec:\hhhbtt.exe77⤵PID:8
-
\??\c:\vpvpj.exec:\vpvpj.exe78⤵PID:3044
-
\??\c:\xrxlfll.exec:\xrxlfll.exe79⤵PID:368
-
\??\c:\tbtnhh.exec:\tbtnhh.exe80⤵PID:4796
-
\??\c:\vpjjv.exec:\vpjjv.exe81⤵PID:2660
-
\??\c:\rlrlllf.exec:\rlrlllf.exe82⤵PID:3336
-
\??\c:\nhtnnn.exec:\nhtnnn.exe83⤵PID:2820
-
\??\c:\jddpj.exec:\jddpj.exe84⤵PID:3988
-
\??\c:\xrflflf.exec:\xrflflf.exe85⤵PID:1520
-
\??\c:\7tbthb.exec:\7tbthb.exe86⤵PID:1580
-
\??\c:\5bhbhh.exec:\5bhbhh.exe87⤵PID:2148
-
\??\c:\vdjjv.exec:\vdjjv.exe88⤵PID:1464
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe89⤵PID:4756
-
\??\c:\1hhbbb.exec:\1hhbbb.exe90⤵PID:3244
-
\??\c:\bnnhtn.exec:\bnnhtn.exe91⤵PID:2956
-
\??\c:\vvvpj.exec:\vvvpj.exe92⤵PID:4140
-
\??\c:\1xfxllf.exec:\1xfxllf.exe93⤵PID:5008
-
\??\c:\bnbttt.exec:\bnbttt.exe94⤵PID:3396
-
\??\c:\pddvp.exec:\pddvp.exe95⤵PID:4912
-
\??\c:\fffxrlf.exec:\fffxrlf.exe96⤵PID:3200
-
\??\c:\7rfrfxr.exec:\7rfrfxr.exe97⤵PID:2024
-
\??\c:\tnttnn.exec:\tnttnn.exe98⤵PID:3408
-
\??\c:\dvvpd.exec:\dvvpd.exe99⤵PID:952
-
\??\c:\1rxxxlf.exec:\1rxxxlf.exe100⤵PID:2404
-
\??\c:\1hnhbt.exec:\1hnhbt.exe101⤵PID:3584
-
\??\c:\djpjj.exec:\djpjj.exe102⤵PID:1136
-
\??\c:\jjjdv.exec:\jjjdv.exe103⤵PID:1500
-
\??\c:\xrxrffx.exec:\xrxrffx.exe104⤵PID:2124
-
\??\c:\3rrxlfx.exec:\3rrxlfx.exe105⤵PID:4060
-
\??\c:\hbnnbt.exec:\hbnnbt.exe106⤵PID:1620
-
\??\c:\ppvpp.exec:\ppvpp.exe107⤵PID:4432
-
\??\c:\nbbtnh.exec:\nbbtnh.exe108⤵PID:376
-
\??\c:\7bbnht.exec:\7bbnht.exe109⤵PID:2972
-
\??\c:\5vjjd.exec:\5vjjd.exe110⤵PID:4804
-
\??\c:\rlxrxrx.exec:\rlxrxrx.exe111⤵PID:2644
-
\??\c:\nbbhtt.exec:\nbbhtt.exe112⤵PID:3980
-
\??\c:\jppdp.exec:\jppdp.exe113⤵PID:4860
-
\??\c:\9xlxffr.exec:\9xlxffr.exe114⤵PID:732
-
\??\c:\lflffrl.exec:\lflffrl.exe115⤵PID:4480
-
\??\c:\bhthhh.exec:\bhthhh.exe116⤵PID:4936
-
\??\c:\pdpdv.exec:\pdpdv.exe117⤵PID:3844
-
\??\c:\fflxfrr.exec:\fflxfrr.exe118⤵PID:3948
-
\??\c:\9bbthh.exec:\9bbthh.exe119⤵PID:4252
-
\??\c:\thbbhb.exec:\thbbhb.exe120⤵PID:4568
-
\??\c:\djvjv.exec:\djvjv.exe121⤵PID:5020
-
\??\c:\flxfxff.exec:\flxfxff.exe122⤵PID:4592