Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 09:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe
-
Size
454KB
-
MD5
5bdb15a4f914b7ce8d6859308024c80f
-
SHA1
34dffca373535f5cb4c97a085eb0feadfe343e64
-
SHA256
fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9
-
SHA512
67f76913a83e0b45d397acd3adaa23950236cb9e8aee178cb794e996f75861f0e47199788805dfcfd09821ed60b2f2db4a48f809f855a65e22df74b9b7c458d3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4552-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1160-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1840-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-1290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-1489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4940-1917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4188 866204.exe 3860 20262.exe 2232 i208822.exe 5112 1frlfff.exe 1948 hbtnhb.exe 324 228260.exe 2008 65djdj.exe 3460 0288884.exe 2428 rlfffrx.exe 3532 htbbtn.exe 2244 84682.exe 1276 bhtttb.exe 1780 866000.exe 2716 202222.exe 5076 bbhhhh.exe 2632 bbnbhn.exe 3728 fxrrrrr.exe 2728 680888.exe 1416 jdpjj.exe 4952 0400448.exe 3120 486606.exe 1400 nthtnn.exe 1160 nnnhbb.exe 976 0446626.exe 1576 44488.exe 3260 pjppp.exe 3712 htbbbh.exe 4696 rllfxxr.exe 3620 262288.exe 2524 u026002.exe 4824 vjdvp.exe 3716 vppjj.exe 628 084828.exe 4740 44082.exe 1596 ttnnbb.exe 4520 082660.exe 1988 46882.exe 3472 820462.exe 4852 g4060.exe 3096 3nhtnn.exe 1436 w44826.exe 1804 jpdvp.exe 32 48026.exe 244 fflxfxf.exe 3100 8266282.exe 1356 866422.exe 2604 bhnntt.exe 4272 28664.exe 756 086460.exe 4552 e88422.exe 1888 804282.exe 2212 288226.exe 3496 c402608.exe 3752 8026004.exe 4452 i848260.exe 2448 vppdv.exe 4428 60820.exe 1136 bntnhh.exe 4748 0404044.exe 1928 xllfrll.exe 1892 bnnhbb.exe 1132 htbtnb.exe 4488 0640282.exe 2700 rllfrlf.exe -
resource yara_rule behavioral2/memory/4552-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-132-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1160-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-318-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3968-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-747-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4088808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6460044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
lrfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8066600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6066688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 4188 4552 fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe 83 PID 4552 wrote to memory of 4188 4552 fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe 83 PID 4552 wrote to memory of 4188 4552 fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe 83 PID 4188 wrote to memory of 3860 4188 866204.exe 84 PID 4188 wrote to memory of 3860 4188 866204.exe 84 PID 4188 wrote to memory of 3860 4188 866204.exe 84 PID 3860 wrote to memory of 2232 3860 20262.exe 85 PID 3860 wrote to memory of 2232 3860 20262.exe 85 PID 3860 wrote to memory of 2232 3860 20262.exe 85 PID 2232 wrote to memory of 5112 2232 i208822.exe 86 PID 2232 wrote to memory of 5112 2232 i208822.exe 86 PID 2232 wrote to memory of 5112 2232 i208822.exe 86 PID 5112 wrote to memory of 1948 5112 1frlfff.exe 87 PID 5112 wrote to memory of 1948 5112 1frlfff.exe 87 PID 5112 wrote to memory of 1948 5112 1frlfff.exe 87 PID 1948 wrote to memory of 324 1948 hbtnhb.exe 88 PID 1948 wrote to memory of 324 1948 hbtnhb.exe 88 PID 1948 wrote to memory of 324 1948 hbtnhb.exe 88 PID 324 wrote to memory of 2008 324 228260.exe 89 PID 324 wrote to memory of 2008 324 228260.exe 89 PID 324 wrote to memory of 2008 324 228260.exe 89 PID 2008 wrote to memory of 3460 2008 65djdj.exe 90 PID 2008 wrote to memory of 3460 2008 65djdj.exe 90 PID 2008 wrote to memory of 3460 2008 65djdj.exe 90 PID 3460 wrote to memory of 2428 3460 0288884.exe 91 PID 3460 wrote to memory of 2428 3460 0288884.exe 91 PID 3460 wrote to memory of 2428 3460 0288884.exe 91 PID 2428 wrote to memory of 3532 2428 rlfffrx.exe 92 PID 2428 wrote to memory of 3532 2428 rlfffrx.exe 92 PID 2428 wrote to memory of 3532 2428 rlfffrx.exe 92 PID 3532 wrote to memory of 2244 3532 htbbtn.exe 93 PID 3532 wrote to memory of 2244 3532 htbbtn.exe 93 PID 3532 wrote to memory of 2244 3532 htbbtn.exe 93 PID 2244 wrote to memory of 1276 2244 84682.exe 94 PID 2244 wrote to 
memory of 1276 2244 84682.exe 94 PID 2244 wrote to memory of 1276 2244 84682.exe 94 PID 1276 wrote to memory of 1780 1276 bhtttb.exe 95 PID 1276 wrote to memory of 1780 1276 bhtttb.exe 95 PID 1276 wrote to memory of 1780 1276 bhtttb.exe 95 PID 1780 wrote to memory of 2716 1780 866000.exe 96 PID 1780 wrote to memory of 2716 1780 866000.exe 96 PID 1780 wrote to memory of 2716 1780 866000.exe 96 PID 2716 wrote to memory of 5076 2716 202222.exe 97 PID 2716 wrote to memory of 5076 2716 202222.exe 97 PID 2716 wrote to memory of 5076 2716 202222.exe 97 PID 5076 wrote to memory of 2632 5076 bbhhhh.exe 98 PID 5076 wrote to memory of 2632 5076 bbhhhh.exe 98 PID 5076 wrote to memory of 2632 5076 bbhhhh.exe 98 PID 2632 wrote to memory of 3728 2632 bbnbhn.exe 99 PID 2632 wrote to memory of 3728 2632 bbnbhn.exe 99 PID 2632 wrote to memory of 3728 2632 bbnbhn.exe 99 PID 3728 wrote to memory of 2728 3728 fxrrrrr.exe 100 PID 3728 wrote to memory of 2728 3728 fxrrrrr.exe 100 PID 3728 wrote to memory of 2728 3728 fxrrrrr.exe 100 PID 2728 wrote to memory of 1416 2728 680888.exe 101 PID 2728 wrote to memory of 1416 2728 680888.exe 101 PID 2728 wrote to memory of 1416 2728 680888.exe 101 PID 1416 wrote to memory of 4952 1416 jdpjj.exe 102 PID 1416 wrote to memory of 4952 1416 jdpjj.exe 102 PID 1416 wrote to memory of 4952 1416 jdpjj.exe 102 PID 4952 wrote to memory of 3120 4952 0400448.exe 103 PID 4952 wrote to memory of 3120 4952 0400448.exe 103 PID 4952 wrote to memory of 3120 4952 0400448.exe 103 PID 3120 wrote to memory of 1400 3120 486606.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe"C:\Users\Admin\AppData\Local\Temp\fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\866204.exec:\866204.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\20262.exec:\20262.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\i208822.exec:\i208822.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\1frlfff.exec:\1frlfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\hbtnhb.exec:\hbtnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\228260.exec:\228260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\65djdj.exec:\65djdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\0288884.exec:\0288884.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\rlfffrx.exec:\rlfffrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\htbbtn.exec:\htbbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\84682.exec:\84682.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\bhtttb.exec:\bhtttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\866000.exec:\866000.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\202222.exec:\202222.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\bbhhhh.exec:\bbhhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\bbnbhn.exec:\bbnbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\680888.exec:\680888.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\jdpjj.exec:\jdpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\0400448.exec:\0400448.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\486606.exec:\486606.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\nthtnn.exec:\nthtnn.exe23⤵
- Executes dropped EXE
PID:1400 -
\??\c:\nnnhbb.exec:\nnnhbb.exe24⤵
- Executes dropped EXE
PID:1160 -
\??\c:\0446626.exec:\0446626.exe25⤵
- Executes dropped EXE
PID:976 -
\??\c:\44488.exec:\44488.exe26⤵
- Executes dropped EXE
PID:1576 -
\??\c:\pjppp.exec:\pjppp.exe27⤵
- Executes dropped EXE
PID:3260 -
\??\c:\htbbbh.exec:\htbbbh.exe28⤵
- Executes dropped EXE
PID:3712 -
\??\c:\rllfxxr.exec:\rllfxxr.exe29⤵
- Executes dropped EXE
PID:4696 -
\??\c:\262288.exec:\262288.exe30⤵
- Executes dropped EXE
PID:3620 -
\??\c:\u026002.exec:\u026002.exe31⤵
- Executes dropped EXE
PID:2524 -
\??\c:\vjdvp.exec:\vjdvp.exe32⤵
- Executes dropped EXE
PID:4824 -
\??\c:\vppjj.exec:\vppjj.exe33⤵
- Executes dropped EXE
PID:3716 -
\??\c:\084828.exec:\084828.exe34⤵
- Executes dropped EXE
PID:628 -
\??\c:\44082.exec:\44082.exe35⤵
- Executes dropped EXE
PID:4740 -
\??\c:\ttnnbb.exec:\ttnnbb.exe36⤵
- Executes dropped EXE
PID:1596 -
\??\c:\082660.exec:\082660.exe37⤵
- Executes dropped EXE
PID:4520 -
\??\c:\46882.exec:\46882.exe38⤵
- Executes dropped EXE
PID:1988 -
\??\c:\820462.exec:\820462.exe39⤵
- Executes dropped EXE
PID:3472 -
\??\c:\g4060.exec:\g4060.exe40⤵
- Executes dropped EXE
PID:4852 -
\??\c:\3nhtnn.exec:\3nhtnn.exe41⤵
- Executes dropped EXE
PID:3096 -
\??\c:\w44826.exec:\w44826.exe42⤵
- Executes dropped EXE
PID:1436 -
\??\c:\jpdvp.exec:\jpdvp.exe43⤵
- Executes dropped EXE
PID:1804 -
\??\c:\48026.exec:\48026.exe44⤵
- Executes dropped EXE
PID:32 -
\??\c:\fflxfxf.exec:\fflxfxf.exe45⤵
- Executes dropped EXE
PID:244 -
\??\c:\8266282.exec:\8266282.exe46⤵
- Executes dropped EXE
PID:3100 -
\??\c:\866422.exec:\866422.exe47⤵
- Executes dropped EXE
PID:1356 -
\??\c:\bhnntt.exec:\bhnntt.exe48⤵
- Executes dropped EXE
PID:2604 -
\??\c:\28664.exec:\28664.exe49⤵
- Executes dropped EXE
PID:4272 -
\??\c:\086460.exec:\086460.exe50⤵
- Executes dropped EXE
PID:756 -
\??\c:\e88422.exec:\e88422.exe51⤵
- Executes dropped EXE
PID:4552 -
\??\c:\804282.exec:\804282.exe52⤵
- Executes dropped EXE
PID:1888 -
\??\c:\288226.exec:\288226.exe53⤵
- Executes dropped EXE
PID:2212 -
\??\c:\c402608.exec:\c402608.exe54⤵
- Executes dropped EXE
PID:3496 -
\??\c:\8026004.exec:\8026004.exe55⤵
- Executes dropped EXE
PID:3752 -
\??\c:\i848260.exec:\i848260.exe56⤵
- Executes dropped EXE
PID:4452 -
\??\c:\vppdv.exec:\vppdv.exe57⤵
- Executes dropped EXE
PID:2448 -
\??\c:\60820.exec:\60820.exe58⤵
- Executes dropped EXE
PID:4428 -
\??\c:\bntnhh.exec:\bntnhh.exe59⤵
- Executes dropped EXE
PID:1136 -
\??\c:\0404044.exec:\0404044.exe60⤵
- Executes dropped EXE
PID:4748 -
\??\c:\xllfrll.exec:\xllfrll.exe61⤵
- Executes dropped EXE
PID:1928 -
\??\c:\bnnhbb.exec:\bnnhbb.exe62⤵
- Executes dropped EXE
PID:1892 -
\??\c:\htbtnb.exec:\htbtnb.exe63⤵
- Executes dropped EXE
PID:1132 -
\??\c:\0640282.exec:\0640282.exe64⤵
- Executes dropped EXE
PID:4488 -
\??\c:\rllfrlf.exec:\rllfrlf.exe65⤵
- Executes dropped EXE
PID:2700 -
\??\c:\00260.exec:\00260.exe66⤵PID:1840
-
\??\c:\pdvvp.exec:\pdvvp.exe67⤵PID:1780
-
\??\c:\82604.exec:\82604.exe68⤵PID:2244
-
\??\c:\djvpj.exec:\djvpj.exe69⤵PID:4908
-
\??\c:\flxrflf.exec:\flxrflf.exe70⤵PID:1284
-
\??\c:\lxxfffl.exec:\lxxfffl.exe71⤵PID:4800
-
\??\c:\rlllxfx.exec:\rlllxfx.exe72⤵
- System Location Discovery: System Language Discovery
PID:3968 -
\??\c:\s8266.exec:\s8266.exe73⤵PID:4528
-
\??\c:\2608044.exec:\2608044.exe74⤵PID:1040
-
\??\c:\64846.exec:\64846.exe75⤵PID:2728
-
\??\c:\06824.exec:\06824.exe76⤵PID:3624
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe77⤵PID:1416
-
\??\c:\228426.exec:\228426.exe78⤵PID:3044
-
\??\c:\htbbnn.exec:\htbbnn.exe79⤵PID:2152
-
\??\c:\lrllfxx.exec:\lrllfxx.exe80⤵PID:2864
-
\??\c:\2400044.exec:\2400044.exe81⤵PID:2460
-
\??\c:\jppvj.exec:\jppvj.exe82⤵PID:1160
-
\??\c:\dpppj.exec:\dpppj.exe83⤵PID:2676
-
\??\c:\68826.exec:\68826.exe84⤵PID:3604
-
\??\c:\5ttnbt.exec:\5ttnbt.exe85⤵PID:2468
-
\??\c:\rffrlfx.exec:\rffrlfx.exe86⤵PID:4904
-
\??\c:\4060448.exec:\4060448.exe87⤵PID:1064
-
\??\c:\vvdvj.exec:\vvdvj.exe88⤵PID:948
-
\??\c:\frxrllf.exec:\frxrllf.exe89⤵
- System Location Discovery: System Language Discovery
PID:3632 -
\??\c:\htbbth.exec:\htbbth.exe90⤵PID:64
-
\??\c:\048860.exec:\048860.exe91⤵PID:4244
-
\??\c:\jvjvp.exec:\jvjvp.exe92⤵PID:224
-
\??\c:\fxlrrrr.exec:\fxlrrrr.exe93⤵PID:1816
-
\??\c:\htbtnh.exec:\htbtnh.exe94⤵PID:2000
-
\??\c:\60422.exec:\60422.exe95⤵PID:628
-
\??\c:\bbnhhh.exec:\bbnhhh.exe96⤵PID:4740
-
\??\c:\66266.exec:\66266.exe97⤵PID:4400
-
\??\c:\pjjvv.exec:\pjjvv.exe98⤵PID:4916
-
\??\c:\s8046.exec:\s8046.exe99⤵PID:2956
-
\??\c:\062648.exec:\062648.exe100⤵PID:1316
-
\??\c:\462662.exec:\462662.exe101⤵PID:3168
-
\??\c:\2468444.exec:\2468444.exe102⤵PID:3788
-
\??\c:\ppvvd.exec:\ppvvd.exe103⤵PID:3024
-
\??\c:\800448.exec:\800448.exe104⤵PID:3408
-
\??\c:\s4660.exec:\s4660.exe105⤵PID:3808
-
\??\c:\2288222.exec:\2288222.exe106⤵PID:1500
-
\??\c:\hntbtn.exec:\hntbtn.exe107⤵PID:2072
-
\??\c:\nhthnn.exec:\nhthnn.exe108⤵PID:840
-
\??\c:\5jpdv.exec:\5jpdv.exe109⤵PID:4352
-
\??\c:\04042.exec:\04042.exe110⤵PID:2604
-
\??\c:\1ffrfxx.exec:\1ffrfxx.exe111⤵PID:1860
-
\??\c:\6066688.exec:\6066688.exe112⤵
- System Location Discovery: System Language Discovery
PID:456 -
\??\c:\u464048.exec:\u464048.exe113⤵PID:3052
-
\??\c:\5tthtt.exec:\5tthtt.exe114⤵PID:2924
-
\??\c:\pvpjj.exec:\pvpjj.exe115⤵PID:4756
-
\??\c:\480826.exec:\480826.exe116⤵PID:1124
-
\??\c:\lrrlxfx.exec:\lrrlxfx.exe117⤵PID:1448
-
\??\c:\20264.exec:\20264.exe118⤵PID:692
-
\??\c:\802266.exec:\802266.exe119⤵PID:3156
-
\??\c:\20268.exec:\20268.exe120⤵PID:2192
-
\??\c:\fxxrlll.exec:\fxxrlll.exe121⤵PID:4340
-
\??\c:\84048.exec:\84048.exe122⤵PID:2448