Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3.exe
-
Size
454KB
-
MD5
402565796f96c59c175eadf18a9fc0f7
-
SHA1
a1c2138440280e3b2b9175adfb0fe828f63fb7ed
-
SHA256
067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3
-
SHA512
c2110e9d319d9e9ef4383782d5f09ab8f719fae9b38b5459a4dcd48a045f2e9bb5f7fd8c7c6b0d2dc0f4114c969e04d323832646bfcaaf3ac2b44ea1c90cf405
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet8:q7Tc2NYHUrAwfMp3CDt8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1448-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3684-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2612-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3036 xlrxxll.exe 3896 btbnth.exe 4456 bhbhnt.exe 1120 xlfrfrf.exe 432 vddpd.exe 3300 jpjjp.exe 4368 lxlrfxr.exe 3056 bththb.exe 3432 rflfrlx.exe 776 thntth.exe 3052 htnbtn.exe 2684 ffrlxrl.exe 4432 rxlxfxr.exe 4716 rrxlxrf.exe 4972 bhhthh.exe 5112 7thbnb.exe 5116 1dvjv.exe 3104 bnhthb.exe 2760 pppdv.exe 3676 9jvpd.exe 1828 hnhbnh.exe 3684 dvjjv.exe 2184 ffxrllx.exe 1776 pddvj.exe 2384 fllrfxl.exe 860 rlxrrlf.exe 1900 ttthnt.exe 3596 dvjvp.exe 2840 tnhtbt.exe 2312 xlrlrxf.exe 5040 nbtnbt.exe 4996 3rrxlfx.exe 5008 xxlfrlf.exe 972 htthtb.exe 4824 jvvpj.exe 3472 1llxxll.exe 3124 7tthbt.exe 3752 5pjvv.exe 116 lffrrll.exe 5000 ntnnhn.exe 3692 btnhth.exe 3416 1djpd.exe 3640 bnnbbt.exe 4484 pvdpd.exe 4336 lrlxflx.exe 4780 htntnb.exe 4608 hthhhh.exe 3896 5vdjd.exe 4456 llrrfxl.exe 2208 nhnbbt.exe 4968 1jdpp.exe 1264 pdvjv.exe 932 5xfxxfr.exe 4216 nbthtn.exe 4200 pddpv.exe 1692 jjjvd.exe 1644 xfxflfr.exe 4420 7xrfxrl.exe 764 bnthtn.exe 776 jjvdp.exe 1408 9rfrfxl.exe 5100 tnhtnh.exe 3088 nnhtht.exe 2788 jdppj.exe -
resource yara_rule behavioral2/memory/1448-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/860-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2824-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-773-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1448 wrote to memory of 3036 1448 067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3.exe 82 PID 1448 wrote to memory of 3036 1448 067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3.exe 82 PID 1448 wrote to memory of 3036 1448 067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3.exe 82 PID 3036 wrote to memory of 3896 3036 xlrxxll.exe 83 PID 3036 wrote to memory of 3896 3036 xlrxxll.exe 83 PID 3036 wrote to memory of 3896 3036 xlrxxll.exe 83 PID 3896 wrote to memory of 4456 3896 btbnth.exe 84 PID 3896 wrote to memory of 4456 3896 btbnth.exe 84 PID 3896 wrote to memory of 4456 3896 btbnth.exe 84 PID 4456 wrote to memory of 1120 4456 bhbhnt.exe 85 PID 4456 wrote to memory of 1120 4456 bhbhnt.exe 85 PID 4456 wrote to memory of 1120 4456 bhbhnt.exe 85 PID 1120 wrote to memory of 432 1120 xlfrfrf.exe 86 PID 1120 wrote to memory of 432 1120 xlfrfrf.exe 86 PID 1120 wrote to memory of 432 1120 xlfrfrf.exe 86 PID 432 wrote to memory of 3300 432 vddpd.exe 87 PID 432 wrote to memory of 3300 432 vddpd.exe 87 PID 432 wrote to memory of 3300 432 vddpd.exe 87 PID 3300 wrote to memory of 4368 3300 jpjjp.exe 88 PID 3300 wrote to memory of 4368 3300 jpjjp.exe 88 PID 3300 wrote to memory of 4368 3300 jpjjp.exe 88 PID 4368 wrote to memory of 3056 4368 lxlrfxr.exe 89 PID 4368 wrote to memory of 3056 4368 lxlrfxr.exe 89 PID 4368 wrote to memory of 3056 4368 lxlrfxr.exe 89 PID 3056 wrote to memory of 3432 3056 bththb.exe 90 PID 3056 wrote to memory of 3432 3056 bththb.exe 90 PID 3056 wrote to memory of 3432 3056 bththb.exe 90 PID 3432 wrote to memory of 776 3432 rflfrlx.exe 91 PID 3432 wrote to memory of 776 3432 rflfrlx.exe 91 PID 3432 wrote to memory of 776 3432 rflfrlx.exe 91 PID 776 wrote to memory of 3052 776 thntth.exe 92 PID 776 wrote to memory of 3052 776 thntth.exe 92 PID 776 wrote to memory of 3052 776 thntth.exe 92 PID 3052 wrote to memory of 2684 3052 htnbtn.exe 93 PID 3052 wrote to memory of 
2684 3052 htnbtn.exe 93 PID 3052 wrote to memory of 2684 3052 htnbtn.exe 93 PID 2684 wrote to memory of 4432 2684 ffrlxrl.exe 94 PID 2684 wrote to memory of 4432 2684 ffrlxrl.exe 94 PID 2684 wrote to memory of 4432 2684 ffrlxrl.exe 94 PID 4432 wrote to memory of 4716 4432 rxlxfxr.exe 95 PID 4432 wrote to memory of 4716 4432 rxlxfxr.exe 95 PID 4432 wrote to memory of 4716 4432 rxlxfxr.exe 95 PID 4716 wrote to memory of 4972 4716 rrxlxrf.exe 96 PID 4716 wrote to memory of 4972 4716 rrxlxrf.exe 96 PID 4716 wrote to memory of 4972 4716 rrxlxrf.exe 96 PID 4972 wrote to memory of 5112 4972 bhhthh.exe 97 PID 4972 wrote to memory of 5112 4972 bhhthh.exe 97 PID 4972 wrote to memory of 5112 4972 bhhthh.exe 97 PID 5112 wrote to memory of 5116 5112 7thbnb.exe 98 PID 5112 wrote to memory of 5116 5112 7thbnb.exe 98 PID 5112 wrote to memory of 5116 5112 7thbnb.exe 98 PID 5116 wrote to memory of 3104 5116 1dvjv.exe 99 PID 5116 wrote to memory of 3104 5116 1dvjv.exe 99 PID 5116 wrote to memory of 3104 5116 1dvjv.exe 99 PID 3104 wrote to memory of 2760 3104 bnhthb.exe 100 PID 3104 wrote to memory of 2760 3104 bnhthb.exe 100 PID 3104 wrote to memory of 2760 3104 bnhthb.exe 100 PID 2760 wrote to memory of 3676 2760 pppdv.exe 101 PID 2760 wrote to memory of 3676 2760 pppdv.exe 101 PID 2760 wrote to memory of 3676 2760 pppdv.exe 101 PID 3676 wrote to memory of 1828 3676 9jvpd.exe 102 PID 3676 wrote to memory of 1828 3676 9jvpd.exe 102 PID 3676 wrote to memory of 1828 3676 9jvpd.exe 102 PID 1828 wrote to memory of 3684 1828 hnhbnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3.exe"C:\Users\Admin\AppData\Local\Temp\067489b9d62e3c85fb962c7089877993b031a6c54b2fef6459a89af56f68c1e3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\xlrxxll.exec:\xlrxxll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\btbnth.exec:\btbnth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\bhbhnt.exec:\bhbhnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\xlfrfrf.exec:\xlfrfrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\vddpd.exec:\vddpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\jpjjp.exec:\jpjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\lxlrfxr.exec:\lxlrfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\bththb.exec:\bththb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\rflfrlx.exec:\rflfrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\thntth.exec:\thntth.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\htnbtn.exec:\htnbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\ffrlxrl.exec:\ffrlxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\rxlxfxr.exec:\rxlxfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\rrxlxrf.exec:\rrxlxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\bhhthh.exec:\bhhthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\7thbnb.exec:\7thbnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\1dvjv.exec:\1dvjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\bnhthb.exec:\bnhthb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\pppdv.exec:\pppdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\9jvpd.exec:\9jvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\hnhbnh.exec:\hnhbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\dvjjv.exec:\dvjjv.exe23⤵
- Executes dropped EXE
PID:3684 -
\??\c:\ffxrllx.exec:\ffxrllx.exe24⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pddvj.exec:\pddvj.exe25⤵
- Executes dropped EXE
PID:1776 -
\??\c:\fllrfxl.exec:\fllrfxl.exe26⤵
- Executes dropped EXE
PID:2384 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe27⤵
- Executes dropped EXE
PID:860 -
\??\c:\ttthnt.exec:\ttthnt.exe28⤵
- Executes dropped EXE
PID:1900 -
\??\c:\dvjvp.exec:\dvjvp.exe29⤵
- Executes dropped EXE
PID:3596 -
\??\c:\tnhtbt.exec:\tnhtbt.exe30⤵
- Executes dropped EXE
PID:2840 -
\??\c:\xlrlrxf.exec:\xlrlrxf.exe31⤵
- Executes dropped EXE
PID:2312 -
\??\c:\nbtnbt.exec:\nbtnbt.exe32⤵
- Executes dropped EXE
PID:5040 -
\??\c:\3rrxlfx.exec:\3rrxlfx.exe33⤵
- Executes dropped EXE
PID:4996 -
\??\c:\xxlfrlf.exec:\xxlfrlf.exe34⤵
- Executes dropped EXE
PID:5008 -
\??\c:\htthtb.exec:\htthtb.exe35⤵
- Executes dropped EXE
PID:972 -
\??\c:\jvvpj.exec:\jvvpj.exe36⤵
- Executes dropped EXE
PID:4824 -
\??\c:\1llxxll.exec:\1llxxll.exe37⤵
- Executes dropped EXE
PID:3472 -
\??\c:\7tthbt.exec:\7tthbt.exe38⤵
- Executes dropped EXE
PID:3124 -
\??\c:\5pjvv.exec:\5pjvv.exe39⤵
- Executes dropped EXE
PID:3752 -
\??\c:\lffrrll.exec:\lffrrll.exe40⤵
- Executes dropped EXE
PID:116 -
\??\c:\ntnnhn.exec:\ntnnhn.exe41⤵
- Executes dropped EXE
PID:5000 -
\??\c:\btnhth.exec:\btnhth.exe42⤵
- Executes dropped EXE
PID:3692 -
\??\c:\1djpd.exec:\1djpd.exe43⤵
- Executes dropped EXE
PID:3416 -
\??\c:\bnnbbt.exec:\bnnbbt.exe44⤵
- Executes dropped EXE
PID:3640 -
\??\c:\pvdpd.exec:\pvdpd.exe45⤵
- Executes dropped EXE
PID:4484 -
\??\c:\lrlxflx.exec:\lrlxflx.exe46⤵
- Executes dropped EXE
PID:4336 -
\??\c:\htntnb.exec:\htntnb.exe47⤵
- Executes dropped EXE
PID:4780 -
\??\c:\hthhhh.exec:\hthhhh.exe48⤵
- Executes dropped EXE
PID:4608 -
\??\c:\5vdjd.exec:\5vdjd.exe49⤵
- Executes dropped EXE
PID:3896 -
\??\c:\llrrfxl.exec:\llrrfxl.exe50⤵
- Executes dropped EXE
PID:4456 -
\??\c:\nhnbbt.exec:\nhnbbt.exe51⤵
- Executes dropped EXE
PID:2208 -
\??\c:\1jdpp.exec:\1jdpp.exe52⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pdvjv.exec:\pdvjv.exe53⤵
- Executes dropped EXE
PID:1264 -
\??\c:\5xfxxfr.exec:\5xfxxfr.exe54⤵
- Executes dropped EXE
PID:932 -
\??\c:\nbthtn.exec:\nbthtn.exe55⤵
- Executes dropped EXE
PID:4216 -
\??\c:\pddpv.exec:\pddpv.exe56⤵
- Executes dropped EXE
PID:4200 -
\??\c:\jjjvd.exec:\jjjvd.exe57⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xfxflfr.exec:\xfxflfr.exe58⤵
- Executes dropped EXE
PID:1644 -
\??\c:\7xrfxrl.exec:\7xrfxrl.exe59⤵
- Executes dropped EXE
PID:4420 -
\??\c:\bnthtn.exec:\bnthtn.exe60⤵
- Executes dropped EXE
PID:764 -
\??\c:\jjvdp.exec:\jjvdp.exe61⤵
- Executes dropped EXE
PID:776 -
\??\c:\9rfrfxl.exec:\9rfrfxl.exe62⤵
- Executes dropped EXE
PID:1408 -
\??\c:\tnhtnh.exec:\tnhtnh.exe63⤵
- Executes dropped EXE
PID:5100 -
\??\c:\nnhtht.exec:\nnhtht.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088 -
\??\c:\jdppj.exec:\jdppj.exe65⤵
- Executes dropped EXE
PID:2788 -
\??\c:\frlxxfx.exec:\frlxxfx.exe66⤵PID:5080
-
\??\c:\frrlrlr.exec:\frrlrlr.exe67⤵PID:4716
-
\??\c:\hbbnhn.exec:\hbbnhn.exe68⤵PID:2556
-
\??\c:\jjdpd.exec:\jjdpd.exe69⤵PID:1764
-
\??\c:\5xxffxf.exec:\5xxffxf.exe70⤵PID:2356
-
\??\c:\3rfrfxr.exec:\3rfrfxr.exe71⤵PID:2024
-
\??\c:\7nnhhh.exec:\7nnhhh.exe72⤵PID:820
-
\??\c:\9flxxrx.exec:\9flxxrx.exe73⤵PID:2612
-
\??\c:\btthtn.exec:\btthtn.exe74⤵PID:2760
-
\??\c:\vdvjp.exec:\vdvjp.exe75⤵PID:1896
-
\??\c:\7ppdp.exec:\7ppdp.exe76⤵PID:448
-
\??\c:\9lrflfx.exec:\9lrflfx.exe77⤵PID:2976
-
\??\c:\1thtbt.exec:\1thtbt.exe78⤵PID:2064
-
\??\c:\1vjvd.exec:\1vjvd.exe79⤵
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\djddp.exec:\djddp.exe80⤵PID:1856
-
\??\c:\rrxlxlf.exec:\rrxlxlf.exe81⤵PID:1652
-
\??\c:\3bnhnh.exec:\3bnhnh.exe82⤵PID:4548
-
\??\c:\jdvpd.exec:\jdvpd.exe83⤵PID:3000
-
\??\c:\lxrfrfx.exec:\lxrfrfx.exe84⤵PID:2308
-
\??\c:\bbhtnb.exec:\bbhtnb.exe85⤵PID:316
-
\??\c:\dppdd.exec:\dppdd.exe86⤵PID:4864
-
\??\c:\vvvjd.exec:\vvvjd.exe87⤵PID:3880
-
\??\c:\rfflffr.exec:\rfflffr.exe88⤵PID:2164
-
\??\c:\1flxlfr.exec:\1flxlfr.exe89⤵PID:2036
-
\??\c:\btbnbt.exec:\btbnbt.exe90⤵PID:4876
-
\??\c:\9jvvp.exec:\9jvvp.exe91⤵PID:2824
-
\??\c:\rllxlxl.exec:\rllxlxl.exe92⤵PID:2696
-
\??\c:\5fxrffr.exec:\5fxrffr.exe93⤵PID:3392
-
\??\c:\bbntth.exec:\bbntth.exe94⤵PID:624
-
\??\c:\vvpdp.exec:\vvpdp.exe95⤵PID:620
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe96⤵PID:3032
-
\??\c:\ntthhn.exec:\ntthhn.exe97⤵PID:2084
-
\??\c:\jppvj.exec:\jppvj.exe98⤵PID:3752
-
\??\c:\5jdpv.exec:\5jdpv.exe99⤵PID:928
-
\??\c:\9xxllff.exec:\9xxllff.exe100⤵PID:4904
-
\??\c:\htbnbt.exec:\htbnbt.exe101⤵PID:3692
-
\??\c:\nnttbt.exec:\nnttbt.exe102⤵PID:1444
-
\??\c:\vvddd.exec:\vvddd.exe103⤵PID:232
-
\??\c:\1llflfr.exec:\1llflfr.exe104⤵PID:4484
-
\??\c:\ntthtn.exec:\ntthtn.exe105⤵PID:1448
-
\??\c:\bhbntn.exec:\bhbntn.exe106⤵PID:3800
-
\??\c:\jpdjv.exec:\jpdjv.exe107⤵PID:3856
-
\??\c:\3frflfx.exec:\3frflfx.exe108⤵PID:2836
-
\??\c:\1hbnbt.exec:\1hbnbt.exe109⤵PID:1140
-
\??\c:\7hhtbt.exec:\7hhtbt.exe110⤵PID:2208
-
\??\c:\pddvd.exec:\pddvd.exe111⤵PID:4968
-
\??\c:\pvvvd.exec:\pvvvd.exe112⤵PID:3300
-
\??\c:\lflxfxl.exec:\lflxfxl.exe113⤵PID:404
-
\??\c:\hbbnht.exec:\hbbnht.exe114⤵PID:5088
-
\??\c:\9vdjd.exec:\9vdjd.exe115⤵PID:4948
-
\??\c:\5pdpv.exec:\5pdpv.exe116⤵PID:428
-
\??\c:\7xrfrfr.exec:\7xrfrfr.exe117⤵PID:8
-
\??\c:\thhbnh.exec:\thhbnh.exe118⤵PID:1992
-
\??\c:\3jjvj.exec:\3jjvj.exe119⤵PID:4048
-
\??\c:\7xffrrr.exec:\7xffrrr.exe120⤵PID:3564
-
\??\c:\lllfrlf.exec:\lllfrlf.exe121⤵PID:2088
-
\??\c:\bhthtn.exec:\bhthtn.exe122⤵PID:664