Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 03:52
Static task
static1
Behavioral task
behavioral1
Sample
c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exe
Resource
win7-20240903-en
General
-
Target
c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exe
-
Size
453KB
-
MD5
cc4d46815384798476dfe3a17633726f
-
SHA1
da32d8c42958b8c85cc8f98d8b67743c21ac1caa
-
SHA256
c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b
-
SHA512
c8b147afac53acba404e8b00fd1c3a12881e65cbd8f4938b054878429598a7c5631efc758c98dd159728b63dbfd6ed45acd575fd2084324e350206fd08cc4b87
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4012-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/684-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2236-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-1036-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4956-1292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
xllxlxr.exehbntbh.exevjpjd.exerllfxrr.exe1ntntb.exe7bhnbb.exethnttt.exeflxlrff.exehthbtt.exehnthht.exepjjdd.exenbnhbh.exe9pvpd.exelfllfff.exe9fllfff.exe7nttbb.exexxxrrrl.exebtbhnt.exedjppv.exetbnbtn.exexrrfxrf.exenbbnbt.exerxfrlfr.exefxfrlfx.exehtnbtn.exerxffrxx.exetnntnb.exelrxffxx.exevppjv.exerxrrfrl.exebthbtt.exeffrlxxf.exehtbhht.exepdjdd.exe9lxrlfx.exethhhbb.exedvdvv.exelrlfrrf.exennbttn.exe1lrlrrx.exethnbtt.exejvdpd.exerfxlfrl.exehttnhb.exenbbnht.exeppjvd.exexflflfx.exettbtnn.exeflrllff.exefxxrllr.exe3hbbnn.exepvvpj.exe3xrfxrl.exe1llfrlf.exehbnhbh.exevjvjp.exexfffxxl.exebbnnhh.exevpppp.exe3jvpj.exelrrlffr.exetbhbnn.exebtnnbb.exejdjdv.exepid Process 3028 xllxlxr.exe 2232 hbntbh.exe 4504 vjpjd.exe 3516 rllfxrr.exe 4420 1ntntb.exe 432 7bhnbb.exe 1896 thnttt.exe 1944 flxlrff.exe 1232 hthbtt.exe 1072 hnthht.exe 4404 pjjdd.exe 2164 nbnhbh.exe 1592 9pvpd.exe 3836 lfllfff.exe 1248 9fllfff.exe 1416 7nttbb.exe 5024 xxxrrrl.exe 3636 btbhnt.exe 4584 djppv.exe 5032 tbnbtn.exe 2240 xrrfxrf.exe 3424 nbbnbt.exe 1092 rxfrlfr.exe 208 fxfrlfx.exe 4804 htnbtn.exe 4892 rxffrxx.exe 2872 tnntnb.exe 2628 lrxffxx.exe 444 vppjv.exe 3524 rxrrfrl.exe 684 bthbtt.exe 3976 ffrlxxf.exe 3872 htbhht.exe 3536 pdjdd.exe 224 9lxrlfx.exe 1500 thhhbb.exe 2784 dvdvv.exe 3040 lrlfrrf.exe 2316 nnbttn.exe 4444 1lrlrrx.exe 1784 thnbtt.exe 3452 jvdpd.exe 3896 rfxlfrl.exe 2232 httnhb.exe 540 nbbnht.exe 3164 ppjvd.exe 1936 xflflfx.exe 552 ttbtnn.exe 4112 flrllff.exe 2592 fxxrllr.exe 432 3hbbnn.exe 4832 pvvpj.exe 3712 3xrfxrl.exe 2572 1llfrlf.exe 2284 hbnhbh.exe 1312 vjvjp.exe 1864 xfffxxl.exe 3700 bbnnhh.exe 2344 vpppp.exe 4344 3jvpj.exe 4072 lrrlffr.exe 2332 tbhbnn.exe 5068 btnnbb.exe 5024 jdjdv.exe -
Processes:
resource yara_rule behavioral2/memory/4012-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/684-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4316-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-811-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
lflfxrr.exe5rxlfxr.exebnnnnh.exenbhhbb.exexfffxxl.exevvvpd.exevjppd.exejjppd.exenbbnht.exevpjvj.exe1vppj.exefxxrlrl.exethnbtt.exe9nbntn.exe9lrlfff.exe7hhtbt.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exexllxlxr.exehbntbh.exevjpjd.exerllfxrr.exe1ntntb.exe7bhnbb.exethnttt.exeflxlrff.exehthbtt.exehnthht.exepjjdd.exenbnhbh.exe9pvpd.exelfllfff.exe9fllfff.exe7nttbb.exexxxrrrl.exebtbhnt.exedjppv.exetbnbtn.exexrrfxrf.exedescription pid Process procid_target PID 4012 wrote to memory of 3028 4012 c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exe 83 PID 4012 wrote to memory of 3028 4012 c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exe 83 PID 4012 wrote to memory of 3028 4012 c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exe 83 PID 3028 wrote to memory of 2232 3028 xllxlxr.exe 84 PID 3028 wrote to memory of 2232 3028 xllxlxr.exe 84 PID 3028 wrote to memory of 2232 3028 xllxlxr.exe 84 PID 2232 wrote to memory of 4504 2232 hbntbh.exe 85 PID 2232 wrote to memory of 4504 2232 hbntbh.exe 85 PID 2232 wrote to memory of 4504 2232 hbntbh.exe 85 PID 4504 wrote to memory of 3516 4504 vjpjd.exe 86 PID 4504 wrote to memory of 3516 4504 vjpjd.exe 86 PID 4504 wrote to memory of 3516 4504 vjpjd.exe 86 PID 3516 wrote to memory of 4420 3516 rllfxrr.exe 87 PID 3516 wrote to memory of 4420 3516 rllfxrr.exe 87 PID 3516 wrote to memory of 4420 3516 rllfxrr.exe 87 PID 4420 wrote to memory of 432 4420 1ntntb.exe 88 PID 4420 wrote to memory of 432 4420 1ntntb.exe 88 PID 4420 wrote to memory of 432 4420 1ntntb.exe 88 PID 432 wrote to memory of 1896 432 7bhnbb.exe 89 PID 432 wrote to memory of 1896 432 7bhnbb.exe 89 PID 432 wrote to memory of 1896 432 7bhnbb.exe 89 PID 1896 wrote to memory of 1944 1896 thnttt.exe 90 PID 1896 wrote to memory of 1944 1896 thnttt.exe 90 PID 1896 wrote to memory of 1944 1896 thnttt.exe 90 PID 1944 wrote to memory of 1232 1944 flxlrff.exe 91 PID 1944 wrote to memory of 1232 1944 flxlrff.exe 91 PID 1944 wrote to memory of 1232 1944 flxlrff.exe 91 PID 1232 wrote to memory of 1072 1232 hthbtt.exe 92 PID 1232 wrote to memory of 1072 1232 hthbtt.exe 92 
PID 1232 wrote to memory of 1072 1232 hthbtt.exe 92 PID 1072 wrote to memory of 4404 1072 hnthht.exe 93 PID 1072 wrote to memory of 4404 1072 hnthht.exe 93 PID 1072 wrote to memory of 4404 1072 hnthht.exe 93 PID 4404 wrote to memory of 2164 4404 pjjdd.exe 94 PID 4404 wrote to memory of 2164 4404 pjjdd.exe 94 PID 4404 wrote to memory of 2164 4404 pjjdd.exe 94 PID 2164 wrote to memory of 1592 2164 nbnhbh.exe 95 PID 2164 wrote to memory of 1592 2164 nbnhbh.exe 95 PID 2164 wrote to memory of 1592 2164 nbnhbh.exe 95 PID 1592 wrote to memory of 3836 1592 9pvpd.exe 96 PID 1592 wrote to memory of 3836 1592 9pvpd.exe 96 PID 1592 wrote to memory of 3836 1592 9pvpd.exe 96 PID 3836 wrote to memory of 1248 3836 lfllfff.exe 97 PID 3836 wrote to memory of 1248 3836 lfllfff.exe 97 PID 3836 wrote to memory of 1248 3836 lfllfff.exe 97 PID 1248 wrote to memory of 1416 1248 9fllfff.exe 98 PID 1248 wrote to memory of 1416 1248 9fllfff.exe 98 PID 1248 wrote to memory of 1416 1248 9fllfff.exe 98 PID 1416 wrote to memory of 5024 1416 7nttbb.exe 99 PID 1416 wrote to memory of 5024 1416 7nttbb.exe 99 PID 1416 wrote to memory of 5024 1416 7nttbb.exe 99 PID 5024 wrote to memory of 3636 5024 xxxrrrl.exe 100 PID 5024 wrote to memory of 3636 5024 xxxrrrl.exe 100 PID 5024 wrote to memory of 3636 5024 xxxrrrl.exe 100 PID 3636 wrote to memory of 4584 3636 btbhnt.exe 101 PID 3636 wrote to memory of 4584 3636 btbhnt.exe 101 PID 3636 wrote to memory of 4584 3636 btbhnt.exe 101 PID 4584 wrote to memory of 5032 4584 djppv.exe 102 PID 4584 wrote to memory of 5032 4584 djppv.exe 102 PID 4584 wrote to memory of 5032 4584 djppv.exe 102 PID 5032 wrote to memory of 2240 5032 tbnbtn.exe 103 PID 5032 wrote to memory of 2240 5032 tbnbtn.exe 103 PID 5032 wrote to memory of 2240 5032 tbnbtn.exe 103 PID 2240 wrote to memory of 3424 2240 xrrfxrf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exe"C:\Users\Admin\AppData\Local\Temp\c05f68db062e5fac78518762a9456b52f5f99365faaf51aee7f722587d1b539b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\xllxlxr.exec:\xllxlxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\hbntbh.exec:\hbntbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\vjpjd.exec:\vjpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\rllfxrr.exec:\rllfxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\1ntntb.exec:\1ntntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\7bhnbb.exec:\7bhnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\thnttt.exec:\thnttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\flxlrff.exec:\flxlrff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\hthbtt.exec:\hthbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\hnthht.exec:\hnthht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\pjjdd.exec:\pjjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\nbnhbh.exec:\nbnhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\9pvpd.exec:\9pvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\lfllfff.exec:\lfllfff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\9fllfff.exec:\9fllfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\7nttbb.exec:\7nttbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\btbhnt.exec:\btbhnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\djppv.exec:\djppv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\tbnbtn.exec:\tbnbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\xrrfxrf.exec:\xrrfxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\nbbnbt.exec:\nbbnbt.exe23⤵
- Executes dropped EXE
PID:3424 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe24⤵
- Executes dropped EXE
PID:1092 -
\??\c:\fxfrlfx.exec:\fxfrlfx.exe25⤵
- Executes dropped EXE
PID:208 -
\??\c:\htnbtn.exec:\htnbtn.exe26⤵
- Executes dropped EXE
PID:4804 -
\??\c:\rxffrxx.exec:\rxffrxx.exe27⤵
- Executes dropped EXE
PID:4892 -
\??\c:\tnntnb.exec:\tnntnb.exe28⤵
- Executes dropped EXE
PID:2872 -
\??\c:\lrxffxx.exec:\lrxffxx.exe29⤵
- Executes dropped EXE
PID:2628 -
\??\c:\vppjv.exec:\vppjv.exe30⤵
- Executes dropped EXE
PID:444 -
\??\c:\rxrrfrl.exec:\rxrrfrl.exe31⤵
- Executes dropped EXE
PID:3524 -
\??\c:\bthbtt.exec:\bthbtt.exe32⤵
- Executes dropped EXE
PID:684 -
\??\c:\ffrlxxf.exec:\ffrlxxf.exe33⤵
- Executes dropped EXE
PID:3976 -
\??\c:\htbhht.exec:\htbhht.exe34⤵
- Executes dropped EXE
PID:3872 -
\??\c:\pdjdd.exec:\pdjdd.exe35⤵
- Executes dropped EXE
PID:3536 -
\??\c:\9lxrlfx.exec:\9lxrlfx.exe36⤵
- Executes dropped EXE
PID:224 -
\??\c:\thhhbb.exec:\thhhbb.exe37⤵
- Executes dropped EXE
PID:1500 -
\??\c:\dvdvv.exec:\dvdvv.exe38⤵
- Executes dropped EXE
PID:2784 -
\??\c:\lrlfrrf.exec:\lrlfrrf.exe39⤵
- Executes dropped EXE
PID:3040 -
\??\c:\nnbttn.exec:\nnbttn.exe40⤵
- Executes dropped EXE
PID:2316 -
\??\c:\1lrlrrx.exec:\1lrlrrx.exe41⤵
- Executes dropped EXE
PID:4444 -
\??\c:\thnbtt.exec:\thnbtt.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
\??\c:\jvdpd.exec:\jvdpd.exe43⤵
- Executes dropped EXE
PID:3452 -
\??\c:\rfxlfrl.exec:\rfxlfrl.exe44⤵
- Executes dropped EXE
PID:3896 -
\??\c:\httnhb.exec:\httnhb.exe45⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nbbnht.exec:\nbbnht.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
\??\c:\ppjvd.exec:\ppjvd.exe47⤵
- Executes dropped EXE
PID:3164 -
\??\c:\xflflfx.exec:\xflflfx.exe48⤵
- Executes dropped EXE
PID:1936 -
\??\c:\ttbtnn.exec:\ttbtnn.exe49⤵
- Executes dropped EXE
PID:552 -
\??\c:\flrllff.exec:\flrllff.exe50⤵
- Executes dropped EXE
PID:4112 -
\??\c:\fxxrllr.exec:\fxxrllr.exe51⤵
- Executes dropped EXE
PID:2592 -
\??\c:\3hbbnn.exec:\3hbbnn.exe52⤵
- Executes dropped EXE
PID:432 -
\??\c:\pvvpj.exec:\pvvpj.exe53⤵
- Executes dropped EXE
PID:4832 -
\??\c:\3xrfxrl.exec:\3xrfxrl.exe54⤵
- Executes dropped EXE
PID:3712 -
\??\c:\1llfrlf.exec:\1llfrlf.exe55⤵
- Executes dropped EXE
PID:2572 -
\??\c:\hbnhbh.exec:\hbnhbh.exe56⤵
- Executes dropped EXE
PID:2284 -
\??\c:\vjvjp.exec:\vjvjp.exe57⤵
- Executes dropped EXE
PID:1312 -
\??\c:\xfffxxl.exec:\xfffxxl.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
\??\c:\bbnnhh.exec:\bbnnhh.exe59⤵
- Executes dropped EXE
PID:3700 -
\??\c:\vpppp.exec:\vpppp.exe60⤵
- Executes dropped EXE
PID:2344 -
\??\c:\3jvpj.exec:\3jvpj.exe61⤵
- Executes dropped EXE
PID:4344 -
\??\c:\lrrlffr.exec:\lrrlffr.exe62⤵
- Executes dropped EXE
PID:4072 -
\??\c:\tbhbnn.exec:\tbhbnn.exe63⤵
- Executes dropped EXE
PID:2332 -
\??\c:\btnnbb.exec:\btnnbb.exe64⤵
- Executes dropped EXE
PID:5068 -
\??\c:\jdjdv.exec:\jdjdv.exe65⤵
- Executes dropped EXE
PID:5024 -
\??\c:\rxlllll.exec:\rxlllll.exe66⤵PID:3636
-
\??\c:\rxlfffx.exec:\rxlfffx.exe67⤵PID:3012
-
\??\c:\nhnnnn.exec:\nhnnnn.exe68⤵PID:2740
-
\??\c:\dpvvv.exec:\dpvvv.exe69⤵PID:3496
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe70⤵PID:2240
-
\??\c:\bnthtb.exec:\bnthtb.exe71⤵PID:3424
-
\??\c:\tttnhh.exec:\tttnhh.exe72⤵PID:3696
-
\??\c:\3djdd.exec:\3djdd.exe73⤵PID:1620
-
\??\c:\5xlfxll.exec:\5xlfxll.exe74⤵PID:736
-
\??\c:\rrrrrxl.exec:\rrrrrxl.exe75⤵PID:4804
-
\??\c:\nhbtnt.exec:\nhbtnt.exe76⤵PID:2428
-
\??\c:\ddvpp.exec:\ddvpp.exe77⤵PID:3056
-
\??\c:\rxrlllf.exec:\rxrlllf.exe78⤵PID:2308
-
\??\c:\9nnnhh.exec:\9nnnhh.exe79⤵PID:2236
-
\??\c:\3ppjd.exec:\3ppjd.exe80⤵PID:1228
-
\??\c:\xxfxffr.exec:\xxfxffr.exe81⤵PID:4668
-
\??\c:\tnnhhb.exec:\tnnhhb.exe82⤵PID:4612
-
\??\c:\bhbtht.exec:\bhbtht.exe83⤵PID:4316
-
\??\c:\ddjpp.exec:\ddjpp.exe84⤵PID:4644
-
\??\c:\llfxrxr.exec:\llfxrxr.exe85⤵PID:3212
-
\??\c:\fxlxxxf.exec:\fxlxxxf.exe86⤵PID:4952
-
\??\c:\hbhbtn.exec:\hbhbtn.exe87⤵PID:4152
-
\??\c:\vpjdv.exec:\vpjdv.exe88⤵PID:3392
-
\??\c:\djddj.exec:\djddj.exe89⤵PID:1660
-
\??\c:\xxfxrxr.exec:\xxfxrxr.exe90⤵PID:4672
-
\??\c:\nttnhh.exec:\nttnhh.exe91⤵PID:2296
-
\??\c:\tbhnth.exec:\tbhnth.exe92⤵PID:3164
-
\??\c:\jdpjj.exec:\jdpjj.exe93⤵PID:1936
-
\??\c:\rlxlxxr.exec:\rlxlxxr.exe94⤵PID:4420
-
\??\c:\rlffllr.exec:\rlffllr.exe95⤵PID:4312
-
\??\c:\nnhhhh.exec:\nnhhhh.exe96⤵PID:1420
-
\??\c:\dvpjd.exec:\dvpjd.exe97⤵PID:2520
-
\??\c:\xrfxxxr.exec:\xrfxxxr.exe98⤵PID:1828
-
\??\c:\7nttnh.exec:\7nttnh.exe99⤵PID:3540
-
\??\c:\htbtnn.exec:\htbtnn.exe100⤵PID:4104
-
\??\c:\jpjdp.exec:\jpjdp.exe101⤵PID:4404
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe102⤵PID:2900
-
\??\c:\httthh.exec:\httthh.exe103⤵PID:2672
-
\??\c:\vjvdd.exec:\vjvdd.exe104⤵PID:3700
-
\??\c:\jvdvj.exec:\jvdvj.exe105⤵PID:2344
-
\??\c:\9fflfll.exec:\9fflfll.exe106⤵PID:4344
-
\??\c:\bhnbht.exec:\bhnbht.exe107⤵PID:2624
-
\??\c:\jdddv.exec:\jdddv.exe108⤵PID:3264
-
\??\c:\1lrlffx.exec:\1lrlffx.exe109⤵PID:4148
-
\??\c:\rrffxxx.exec:\rrffxxx.exe110⤵PID:5068
-
\??\c:\nnbbtb.exec:\nnbbtb.exe111⤵PID:4860
-
\??\c:\vjpjj.exec:\vjpjj.exe112⤵PID:3216
-
\??\c:\lfrllll.exec:\lfrllll.exe113⤵PID:4912
-
\??\c:\rlxxflr.exec:\rlxxflr.exe114⤵PID:3012
-
\??\c:\htbbtt.exec:\htbbtt.exe115⤵PID:3308
-
\??\c:\1nnhbb.exec:\1nnhbb.exe116⤵PID:4704
-
\??\c:\jpvvv.exec:\jpvvv.exe117⤵PID:4456
-
\??\c:\rfxrrrx.exec:\rfxrrrx.exe118⤵PID:4172
-
\??\c:\7hhhbb.exec:\7hhhbb.exe119⤵PID:2276
-
\??\c:\dvjdd.exec:\dvjdd.exe120⤵PID:1900
-
\??\c:\vpppv.exec:\vpppv.exe121⤵PID:4532
-
\??\c:\rlrlfff.exec:\rlrlfff.exe122⤵PID:1620