Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 01:46
Behavioral task
behavioral1 (the Windows 7 task; the platform, signature and process detail below comes from the Windows 10 task, behavioral2, whose artifacts are prefixed behavioral2/)
Sample
750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5.exe
Resource
win7-20240708-en
windows7-x64
7 signatures triggered
120 seconds of analysis time
General
-
Target
750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5.exe
-
Size
332KB
-
MD5
e11cd07de57c4fad1a33b26e6963586c
-
SHA1
8fb5dc6c0e90ba0aca2efd61a605f1533e961b50
-
SHA256
750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5
-
SHA512
024377bfd910583aa873f93e642525120a818ab684e4f6eb3b2cae4fa75031c2bdba03213aa49facbf784e54798189093a2fd86340dece43da75c3a256ec921e
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeK:R4wFHoSHYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs (every hit is the same 0x0000000000400000-0x0000000000427000 image region in a different dropped process, which is consistent with each stage re-dropping a copy of one payload rather than distinct stages)
resource yara_rule behavioral2/memory/4576-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3840-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3944-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2420-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2412-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1468-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2796-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1864-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3824-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3052-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2756-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2348-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-485-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-642-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-711-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1920-766-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs are recycled during the 120 s run: 320, 4288, 1120, 2420, 3720, 3456, 992, 4504 and 3984 each appear for two different dropped executables, so a PID alone does not identify a process; pair it with the process name and tree depth, and note that memory-dump IoCs such as 4288-73 and 4288-276 refer to different processes)
pid Process 3840 7flxfxl.exe 320 dppdp.exe 2764 rrrxlrr.exe 3316 thbthb.exe 2312 xxfxlxf.exe 1804 hbhbnb.exe 3944 7fxlrlf.exe 1496 htbnht.exe 1532 5hhnbn.exe 3608 lxrrfxl.exe 3060 jddvj.exe 2396 pjjvj.exe 5072 thbhtn.exe 4288 9tnbnb.exe 4872 jpjvd.exe 1120 1pjpd.exe 2420 3xrfrfr.exe 1308 rflxllf.exe 3720 1nhtbt.exe 3484 ppdpj.exe 2412 1frfxlf.exe 4440 xllfxxf.exe 216 tththb.exe 4056 1ddvv.exe 1468 htbnbt.exe 4764 dpdpv.exe 3456 9lxxfxl.exe 2340 bnbnbt.exe 3140 jvpdj.exe 2004 djjvj.exe 1816 nbthhb.exe 3592 nnbtbh.exe 2136 7fxrfrf.exe 4144 bnhthb.exe 1492 nnntbt.exe 2176 vdjvj.exe 2300 9llfrll.exe 4532 tbhbtt.exe 1820 hbhtbh.exe 992 pjdpd.exe 2332 lllflxl.exe 2796 lllxrlx.exe 3992 9tnhbn.exe 4504 hnnhtn.exe 3984 pddpv.exe 4776 rrrlxxr.exe 3912 hnbbtt.exe 3300 hnhbhn.exe 3756 jvppj.exe 1516 xlfrrlr.exe 4936 xflrlll.exe 1864 hhhbhb.exe 4648 jvdpj.exe 3360 jvvjv.exe 2712 llfxllf.exe 4536 nbhbhh.exe 2032 hhhbnh.exe 4316 ppjvj.exe 4328 7vvdj.exe 540 frrflfx.exe 4832 9thhnn.exe 320 vjpjd.exe 1324 dppdj.exe 2128 fxxrllx.exe -
resource yara_rule behavioral2/memory/4576-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c05-3.dat upx behavioral2/memory/4576-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9d-8.dat upx behavioral2/memory/3840-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-11.dat upx behavioral2/memory/320-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-19.dat upx behavioral2/memory/2764-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3316-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-24.dat upx behavioral2/memory/3316-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-29.dat upx behavioral2/memory/2312-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-34.dat upx behavioral2/memory/1804-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-39.dat upx behavioral2/memory/3944-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1496-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-44.dat upx behavioral2/files/0x0007000000023ca6-49.dat upx behavioral2/memory/1532-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-54.dat upx behavioral2/memory/3608-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-59.dat upx behavioral2/memory/3060-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-66.dat upx behavioral2/memory/2396-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-75.dat upx behavioral2/memory/4288-73-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cac-80.dat upx behavioral2/memory/4872-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1120-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-86.dat upx behavioral2/memory/2420-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1120-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-92.dat upx behavioral2/files/0x0007000000023caf-96.dat upx behavioral2/memory/3720-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5072-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-70.dat upx behavioral2/files/0x0007000000023cb0-100.dat upx behavioral2/memory/3484-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-105.dat upx behavioral2/memory/2412-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-111.dat upx behavioral2/files/0x0007000000023cb3-114.dat upx behavioral2/files/0x0007000000023cb4-118.dat upx behavioral2/files/0x0007000000023cb5-122.dat upx behavioral2/memory/1468-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-126.dat upx behavioral2/memory/4764-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3456-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-132.dat upx behavioral2/files/0x0007000000023cb8-137.dat upx behavioral2/files/0x0007000000023cb9-141.dat upx behavioral2/memory/3140-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-147.dat upx behavioral2/memory/2004-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-151.dat upx behavioral2/memory/2004-153-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cbc-156.dat upx behavioral2/memory/3592-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2136-163-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Every IoC here is a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; the entries attributed to "Process not Found" could not be tied to a named process by the sandbox (the dropped stages are short-lived), so per-process attribution in this list is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each parent-to-child pair is logged three times; the trailing number in each entry is the sandbox's internal procid_target, not an OS PID)
description pid Process procid_target PID 4576 wrote to memory of 3840 4576 750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5.exe 82 PID 4576 wrote to memory of 3840 4576 750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5.exe 82 PID 4576 wrote to memory of 3840 4576 750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5.exe 82 PID 3840 wrote to memory of 320 3840 7flxfxl.exe 83 PID 3840 wrote to memory of 320 3840 7flxfxl.exe 83 PID 3840 wrote to memory of 320 3840 7flxfxl.exe 83 PID 320 wrote to memory of 2764 320 dppdp.exe 84 PID 320 wrote to memory of 2764 320 dppdp.exe 84 PID 320 wrote to memory of 2764 320 dppdp.exe 84 PID 2764 wrote to memory of 3316 2764 rrrxlrr.exe 85 PID 2764 wrote to memory of 3316 2764 rrrxlrr.exe 85 PID 2764 wrote to memory of 3316 2764 rrrxlrr.exe 85 PID 3316 wrote to memory of 2312 3316 thbthb.exe 86 PID 3316 wrote to memory of 2312 3316 thbthb.exe 86 PID 3316 wrote to memory of 2312 3316 thbthb.exe 86 PID 2312 wrote to memory of 1804 2312 xxfxlxf.exe 87 PID 2312 wrote to memory of 1804 2312 xxfxlxf.exe 87 PID 2312 wrote to memory of 1804 2312 xxfxlxf.exe 87 PID 1804 wrote to memory of 3944 1804 hbhbnb.exe 88 PID 1804 wrote to memory of 3944 1804 hbhbnb.exe 88 PID 1804 wrote to memory of 3944 1804 hbhbnb.exe 88 PID 3944 wrote to memory of 1496 3944 7fxlrlf.exe 89 PID 3944 wrote to memory of 1496 3944 7fxlrlf.exe 89 PID 3944 wrote to memory of 1496 3944 7fxlrlf.exe 89 PID 1496 wrote to memory of 1532 1496 htbnht.exe 90 PID 1496 wrote to memory of 1532 1496 htbnht.exe 90 PID 1496 wrote to memory of 1532 1496 htbnht.exe 90 PID 1532 wrote to memory of 3608 1532 5hhnbn.exe 91 PID 1532 wrote to memory of 3608 1532 5hhnbn.exe 91 PID 1532 wrote to memory of 3608 1532 5hhnbn.exe 91 PID 3608 wrote to memory of 3060 3608 lxrrfxl.exe 92 PID 3608 wrote to memory of 3060 3608 lxrrfxl.exe 92 PID 3608 wrote to memory of 3060 3608 lxrrfxl.exe 92 PID 3060 wrote to memory of 2396 3060 jddvj.exe 93 PID 3060 wrote to 
memory of 2396 3060 jddvj.exe 93 PID 3060 wrote to memory of 2396 3060 jddvj.exe 93 PID 2396 wrote to memory of 5072 2396 pjjvj.exe 94 PID 2396 wrote to memory of 5072 2396 pjjvj.exe 94 PID 2396 wrote to memory of 5072 2396 pjjvj.exe 94 PID 5072 wrote to memory of 4288 5072 thbhtn.exe 95 PID 5072 wrote to memory of 4288 5072 thbhtn.exe 95 PID 5072 wrote to memory of 4288 5072 thbhtn.exe 95 PID 4288 wrote to memory of 4872 4288 9tnbnb.exe 96 PID 4288 wrote to memory of 4872 4288 9tnbnb.exe 96 PID 4288 wrote to memory of 4872 4288 9tnbnb.exe 96 PID 4872 wrote to memory of 1120 4872 jpjvd.exe 97 PID 4872 wrote to memory of 1120 4872 jpjvd.exe 97 PID 4872 wrote to memory of 1120 4872 jpjvd.exe 97 PID 1120 wrote to memory of 2420 1120 1pjpd.exe 98 PID 1120 wrote to memory of 2420 1120 1pjpd.exe 98 PID 1120 wrote to memory of 2420 1120 1pjpd.exe 98 PID 2420 wrote to memory of 1308 2420 3xrfrfr.exe 99 PID 2420 wrote to memory of 1308 2420 3xrfrfr.exe 99 PID 2420 wrote to memory of 1308 2420 3xrfrfr.exe 99 PID 1308 wrote to memory of 3720 1308 rflxllf.exe 100 PID 1308 wrote to memory of 3720 1308 rflxllf.exe 100 PID 1308 wrote to memory of 3720 1308 rflxllf.exe 100 PID 3720 wrote to memory of 3484 3720 1nhtbt.exe 101 PID 3720 wrote to memory of 3484 3720 1nhtbt.exe 101 PID 3720 wrote to memory of 3484 3720 1nhtbt.exe 101 PID 3484 wrote to memory of 2412 3484 ppdpj.exe 102 PID 3484 wrote to memory of 2412 3484 ppdpj.exe 102 PID 3484 wrote to memory of 2412 3484 ppdpj.exe 102 PID 2412 wrote to memory of 4440 2412 1frfxlf.exe 103
Processes (each stage drops the next executable into the root of c:\ under a short name built from the letters b/d/f/h/j/l/n/p/r/t/v/x with an optional leading digit, then launches it; the chain reaches depth 122 within the 120 s window, and the depth number precedes the ⤵ marker on each line)
-
C:\Users\Admin\AppData\Local\Temp\750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5.exe — command line: "C:\Users\Admin\AppData\Local\Temp\750322caf9645bfaa4ff59a32ba273d3376a0bdd4ab29294de438d758d7a81c5.exe" — depth 1 ⤵
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\7flxfxl.exec:\7flxfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\dppdp.exec:\dppdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\rrrxlrr.exec:\rrrxlrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\thbthb.exec:\thbthb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\xxfxlxf.exec:\xxfxlxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\hbhbnb.exec:\hbhbnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\7fxlrlf.exec:\7fxlrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\htbnht.exec:\htbnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\5hhnbn.exec:\5hhnbn.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\lxrrfxl.exec:\lxrrfxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\jddvj.exec:\jddvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\pjjvj.exec:\pjjvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\thbhtn.exec:\thbhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\9tnbnb.exec:\9tnbnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\jpjvd.exec:\jpjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\1pjpd.exec:\1pjpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\3xrfrfr.exec:\3xrfrfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\rflxllf.exec:\rflxllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\1nhtbt.exec:\1nhtbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\ppdpj.exec:\ppdpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\1frfxlf.exec:\1frfxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\xllfxxf.exec:\xllfxxf.exe23⤵
- Executes dropped EXE
PID:4440 -
\??\c:\tththb.exec:\tththb.exe24⤵
- Executes dropped EXE
PID:216 -
\??\c:\1ddvv.exec:\1ddvv.exe25⤵
- Executes dropped EXE
PID:4056 -
\??\c:\htbnbt.exec:\htbnbt.exe26⤵
- Executes dropped EXE
PID:1468 -
\??\c:\dpdpv.exec:\dpdpv.exe27⤵
- Executes dropped EXE
PID:4764 -
\??\c:\9lxxfxl.exec:\9lxxfxl.exe28⤵
- Executes dropped EXE
PID:3456 -
\??\c:\bnbnbt.exec:\bnbnbt.exe29⤵
- Executes dropped EXE
PID:2340 -
\??\c:\jvpdj.exec:\jvpdj.exe30⤵
- Executes dropped EXE
PID:3140 -
\??\c:\djjvj.exec:\djjvj.exe31⤵
- Executes dropped EXE
PID:2004 -
\??\c:\nbthhb.exec:\nbthhb.exe32⤵
- Executes dropped EXE
PID:1816 -
\??\c:\nnbtbh.exec:\nnbtbh.exe33⤵
- Executes dropped EXE
PID:3592 -
\??\c:\7fxrfrf.exec:\7fxrfrf.exe34⤵
- Executes dropped EXE
PID:2136 -
\??\c:\bnhthb.exec:\bnhthb.exe35⤵
- Executes dropped EXE
PID:4144 -
\??\c:\nnntbt.exec:\nnntbt.exe36⤵
- Executes dropped EXE
PID:1492 -
\??\c:\vdjvj.exec:\vdjvj.exe37⤵
- Executes dropped EXE
PID:2176 -
\??\c:\9llfrll.exec:\9llfrll.exe38⤵
- Executes dropped EXE
PID:2300 -
\??\c:\tbhbtt.exec:\tbhbtt.exe39⤵
- Executes dropped EXE
PID:4532 -
\??\c:\hbhtbh.exec:\hbhtbh.exe40⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pjdpd.exec:\pjdpd.exe41⤵
- Executes dropped EXE
PID:992 -
\??\c:\lllflxl.exec:\lllflxl.exe42⤵
- Executes dropped EXE
PID:2332 -
\??\c:\lllxrlx.exec:\lllxrlx.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
\??\c:\9tnhbn.exec:\9tnhbn.exe44⤵
- Executes dropped EXE
PID:3992 -
\??\c:\hnnhtn.exec:\hnnhtn.exe45⤵
- Executes dropped EXE
PID:4504 -
\??\c:\pddpv.exec:\pddpv.exe46⤵
- Executes dropped EXE
PID:3984 -
\??\c:\rrrlxxr.exec:\rrrlxxr.exe47⤵
- Executes dropped EXE
PID:4776 -
\??\c:\hnbbtt.exec:\hnbbtt.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912 -
\??\c:\hnhbhn.exec:\hnhbhn.exe49⤵
- Executes dropped EXE
PID:3300 -
\??\c:\jvppj.exec:\jvppj.exe50⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xlfrrlr.exec:\xlfrrlr.exe51⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xflrlll.exec:\xflrlll.exe52⤵
- Executes dropped EXE
PID:4936 -
\??\c:\hhhbhb.exec:\hhhbhb.exe53⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jvdpj.exec:\jvdpj.exe54⤵
- Executes dropped EXE
PID:4648 -
\??\c:\jvvjv.exec:\jvvjv.exe55⤵
- Executes dropped EXE
PID:3360 -
\??\c:\llfxllf.exec:\llfxllf.exe56⤵
- Executes dropped EXE
PID:2712 -
\??\c:\nbhbhh.exec:\nbhbhh.exe57⤵
- Executes dropped EXE
PID:4536 -
\??\c:\hhhbnh.exec:\hhhbnh.exe58⤵
- Executes dropped EXE
PID:2032 -
\??\c:\ppjvj.exec:\ppjvj.exe59⤵
- Executes dropped EXE
PID:4316 -
\??\c:\7vvdj.exec:\7vvdj.exe60⤵
- Executes dropped EXE
PID:4328 -
\??\c:\frrflfx.exec:\frrflfx.exe61⤵
- Executes dropped EXE
PID:540 -
\??\c:\9thhnn.exec:\9thhnn.exe62⤵
- Executes dropped EXE
PID:4832 -
\??\c:\vjpjd.exec:\vjpjd.exe63⤵
- Executes dropped EXE
PID:320 -
\??\c:\dppdj.exec:\dppdj.exe64⤵
- Executes dropped EXE
PID:1324 -
\??\c:\fxxrllx.exec:\fxxrllx.exe65⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nhnhnn.exec:\nhnhnn.exe66⤵PID:628
-
\??\c:\3ddpj.exec:\3ddpj.exe67⤵PID:3784
-
\??\c:\vpjvj.exec:\vpjvj.exe68⤵PID:3120
-
\??\c:\rfxrxrf.exec:\rfxrxrf.exe69⤵PID:3740
-
\??\c:\5xrlrlf.exec:\5xrlrlf.exe70⤵PID:4292
-
\??\c:\bthhhb.exec:\bthhhb.exe71⤵PID:316
-
\??\c:\jvjvj.exec:\jvjvj.exe72⤵PID:3572
-
\??\c:\3rfrxxx.exec:\3rfrxxx.exe73⤵PID:3824
-
\??\c:\bhhhbt.exec:\bhhhbt.exe74⤵PID:2956
-
\??\c:\hhhthb.exec:\hhhthb.exe75⤵PID:4708
-
\??\c:\pjddp.exec:\pjddp.exe76⤵PID:3636
-
\??\c:\lffxlll.exec:\lffxlll.exe77⤵PID:3052
-
\??\c:\5xlrrrl.exec:\5xlrrrl.exe78⤵PID:644
-
\??\c:\nhhbhh.exec:\nhhbhh.exe79⤵PID:5076
-
\??\c:\pvpdv.exec:\pvpdv.exe80⤵PID:1528
-
\??\c:\rlxlrlr.exec:\rlxlrlr.exe81⤵PID:3092
-
\??\c:\hhhhbb.exec:\hhhhbb.exe82⤵PID:4288
-
\??\c:\bnhthh.exec:\bnhthh.exe83⤵PID:2756
-
\??\c:\jjjvd.exec:\jjjvd.exe84⤵PID:1120
-
\??\c:\3fllxxr.exec:\3fllxxr.exe85⤵PID:2420
-
\??\c:\1thhhb.exec:\1thhhb.exe86⤵PID:1676
-
\??\c:\thhtnh.exec:\thhtnh.exe87⤵PID:3184
-
\??\c:\9vppd.exec:\9vppd.exe88⤵PID:2600
-
\??\c:\flfrflf.exec:\flfrflf.exe89⤵PID:3720
-
\??\c:\bnhbtn.exec:\bnhbtn.exe90⤵PID:1108
-
\??\c:\thbnbt.exec:\thbnbt.exe91⤵PID:4800
-
\??\c:\vvdvj.exec:\vvdvj.exe92⤵PID:1932
-
\??\c:\9jjdp.exec:\9jjdp.exe93⤵PID:4356
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe94⤵PID:4372
-
\??\c:\9hntnn.exec:\9hntnn.exe95⤵PID:952
-
\??\c:\5bhhbh.exec:\5bhhbh.exe96⤵PID:2820
-
\??\c:\dpddp.exec:\dpddp.exe97⤵PID:4072
-
\??\c:\vpdjj.exec:\vpdjj.exe98⤵PID:3792
-
\??\c:\fxxxfrx.exec:\fxxxfrx.exe99⤵PID:2068
-
\??\c:\7hbtnn.exec:\7hbtnn.exe100⤵PID:3368
-
\??\c:\dvjjp.exec:\dvjjp.exe101⤵PID:3456
-
\??\c:\lrlflfr.exec:\lrlflfr.exe102⤵PID:668
-
\??\c:\9ffxrrl.exec:\9ffxrrl.exe103⤵PID:3276
-
\??\c:\btbttb.exec:\btbttb.exe104⤵PID:4468
-
\??\c:\pjvpd.exec:\pjvpd.exe105⤵PID:4136
-
\??\c:\5dvpd.exec:\5dvpd.exe106⤵PID:4456
-
\??\c:\3llxflx.exec:\3llxflx.exe107⤵PID:2348
-
\??\c:\xxffrlx.exec:\xxffrlx.exe108⤵PID:2456
-
\??\c:\tbtnhh.exec:\tbtnhh.exe109⤵PID:1220
-
\??\c:\vvddj.exec:\vvddj.exe110⤵PID:1416
-
\??\c:\ddpjv.exec:\ddpjv.exe111⤵PID:1620
-
\??\c:\fffrlfr.exec:\fffrlfr.exe112⤵PID:3440
-
\??\c:\bbnhbh.exec:\bbnhbh.exe113⤵PID:4596
-
\??\c:\vpdvj.exec:\vpdvj.exe114⤵PID:860
-
\??\c:\pdvpd.exec:\pdvpd.exe115⤵PID:4952
-
\??\c:\lfrlxxx.exec:\lfrlxxx.exe116⤵PID:4604
-
\??\c:\rlfxlfl.exec:\rlfxlfl.exe117⤵PID:992
-
\??\c:\bbthbt.exec:\bbthbt.exe118⤵PID:4924
-
\??\c:\dvddp.exec:\dvddp.exe119⤵PID:1656
-
\??\c:\jdpjd.exec:\jdpjd.exe120⤵PID:1080
-
\??\c:\9lrxfxx.exec:\9lrxfxx.exe121⤵PID:4504
-
\??\c:\thhhth.exec:\thhhth.exe122⤵PID:3984