Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 02:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f.exe
-
Size
454KB
-
MD5
b04f96217665277605e62a671869befe
-
SHA1
1e0693f1998cc079e15b6e1d04c41bb745854455
-
SHA256
babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f
-
SHA512
624e437313d216e2ffe9535dfa2b66efc75d7019acdd577d5bccaf475de87199617a0ea5f15458b7604aa27618b07e0b9d8f7f70b931adf35e04fd6fcc6d80a0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/2524-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1704-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4796-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-1111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-1936-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4912 80248.exe 1888 68208.exe 3860 ppjvd.exe 1996 nnnbnh.exe 2688 flxxlrf.exe 444 g4486.exe 4572 1pdpv.exe 2076 006486.exe 4584 fxrfxlf.exe 1708 ddvpv.exe 2640 7bthnh.exe 3256 9lfrfxf.exe 4636 xfffrfx.exe 3404 8020286.exe 2064 84468.exe 1980 c408822.exe 5004 fllxlfr.exe 1484 3frflfr.exe 4140 rllrfrf.exe 1444 60842.exe 1660 5djpd.exe 1056 lffxfrr.exe 1704 dvjvd.exe 1628 6868888.exe 4004 hbnbnb.exe 3384 lxrfrlx.exe 2324 pdppp.exe 3508 jjpdj.exe 4664 jpdvj.exe 4212 6220448.exe 3832 08442.exe 996 a0866.exe 3472 86822.exe 5060 rxfxrrl.exe 4112 68860.exe 5000 40266.exe 4696 4844404.exe 1772 808020.exe 4924 42440.exe 3476 5nnhtt.exe 1828 pjpjj.exe 4316 224048.exe 4328 i242660.exe 4904 20044.exe 3952 5tbtnn.exe 1672 u800000.exe 2404 08482.exe 2296 04426.exe 2424 26240.exe 4408 4226600.exe 1388 pddvd.exe 2252 jjppd.exe 4572 402044.exe 4836 jpvjd.exe 4248 tbhbbt.exe 1516 86866.exe 3788 jdjdj.exe 1708 9dvpj.exe 2184 220486.exe 1332 42048.exe 4416 jppjd.exe 3124 4008660.exe 2732 4026048.exe 4052 82642.exe -
resource yara_rule behavioral2/memory/2524-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4212-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1492-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-1111-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2064040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068440.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w06860.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 4912 2524 babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f.exe 83 PID 2524 wrote to memory of 4912 2524 babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f.exe 83 PID 2524 wrote to memory of 4912 2524 babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f.exe 83 PID 4912 wrote to memory of 1888 4912 80248.exe 84 PID 4912 wrote to memory of 1888 4912 80248.exe 84 PID 4912 wrote to memory of 1888 4912 80248.exe 84 PID 1888 wrote to memory of 3860 1888 68208.exe 85 PID 1888 wrote to memory of 3860 1888 68208.exe 85 PID 1888 wrote to memory of 3860 1888 68208.exe 85 PID 3860 wrote to memory of 1996 3860 ppjvd.exe 86 PID 3860 wrote to memory of 1996 3860 ppjvd.exe 86 PID 3860 wrote to memory of 1996 3860 ppjvd.exe 86 PID 1996 wrote to memory of 2688 1996 nnnbnh.exe 87 PID 1996 wrote to memory of 2688 1996 nnnbnh.exe 87 PID 1996 wrote to memory of 2688 1996 nnnbnh.exe 87 PID 2688 wrote to memory of 444 2688 flxxlrf.exe 88 PID 2688 wrote to memory of 444 2688 flxxlrf.exe 88 PID 2688 wrote to memory of 444 2688 flxxlrf.exe 88 PID 444 wrote to memory of 4572 444 g4486.exe 89 PID 444 wrote to memory of 4572 444 g4486.exe 89 PID 444 wrote to memory of 4572 444 g4486.exe 89 PID 4572 wrote to memory of 2076 4572 1pdpv.exe 90 PID 4572 wrote to memory of 2076 4572 1pdpv.exe 90 PID 4572 wrote to memory of 2076 4572 1pdpv.exe 90 PID 2076 wrote to memory of 4584 2076 006486.exe 91 PID 2076 wrote to memory of 4584 2076 006486.exe 91 PID 2076 wrote to memory of 4584 2076 006486.exe 91 PID 4584 wrote to memory of 1708 4584 fxrfxlf.exe 92 PID 4584 wrote to memory of 1708 4584 fxrfxlf.exe 92 PID 4584 wrote to memory of 1708 4584 fxrfxlf.exe 92 PID 1708 wrote to memory of 2640 1708 ddvpv.exe 93 PID 1708 wrote to memory of 2640 1708 ddvpv.exe 93 PID 1708 wrote to memory of 2640 1708 ddvpv.exe 93 PID 2640 wrote to memory of 3256 2640 7bthnh.exe 94 PID 2640 wrote to memory of 3256 2640 
7bthnh.exe 94 PID 2640 wrote to memory of 3256 2640 7bthnh.exe 94 PID 3256 wrote to memory of 4636 3256 9lfrfxf.exe 95 PID 3256 wrote to memory of 4636 3256 9lfrfxf.exe 95 PID 3256 wrote to memory of 4636 3256 9lfrfxf.exe 95 PID 4636 wrote to memory of 3404 4636 xfffrfx.exe 96 PID 4636 wrote to memory of 3404 4636 xfffrfx.exe 96 PID 4636 wrote to memory of 3404 4636 xfffrfx.exe 96 PID 3404 wrote to memory of 2064 3404 8020286.exe 97 PID 3404 wrote to memory of 2064 3404 8020286.exe 97 PID 3404 wrote to memory of 2064 3404 8020286.exe 97 PID 2064 wrote to memory of 1980 2064 84468.exe 98 PID 2064 wrote to memory of 1980 2064 84468.exe 98 PID 2064 wrote to memory of 1980 2064 84468.exe 98 PID 1980 wrote to memory of 5004 1980 c408822.exe 99 PID 1980 wrote to memory of 5004 1980 c408822.exe 99 PID 1980 wrote to memory of 5004 1980 c408822.exe 99 PID 5004 wrote to memory of 1484 5004 fllxlfr.exe 100 PID 5004 wrote to memory of 1484 5004 fllxlfr.exe 100 PID 5004 wrote to memory of 1484 5004 fllxlfr.exe 100 PID 1484 wrote to memory of 4140 1484 3frflfr.exe 101 PID 1484 wrote to memory of 4140 1484 3frflfr.exe 101 PID 1484 wrote to memory of 4140 1484 3frflfr.exe 101 PID 4140 wrote to memory of 1444 4140 rllrfrf.exe 102 PID 4140 wrote to memory of 1444 4140 rllrfrf.exe 102 PID 4140 wrote to memory of 1444 4140 rllrfrf.exe 102 PID 1444 wrote to memory of 1660 1444 60842.exe 103 PID 1444 wrote to memory of 1660 1444 60842.exe 103 PID 1444 wrote to memory of 1660 1444 60842.exe 103 PID 1660 wrote to memory of 1056 1660 5djpd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f.exe"C:\Users\Admin\AppData\Local\Temp\babdfe61f16d62282606d2ea63bdbd4e4993c88c9f7e236bf57adef6c8270c6f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\80248.exec:\80248.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\68208.exec:\68208.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\ppjvd.exec:\ppjvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\nnnbnh.exec:\nnnbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\flxxlrf.exec:\flxxlrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\g4486.exec:\g4486.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\1pdpv.exec:\1pdpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\006486.exec:\006486.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\fxrfxlf.exec:\fxrfxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\ddvpv.exec:\ddvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\7bthnh.exec:\7bthnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\9lfrfxf.exec:\9lfrfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\xfffrfx.exec:\xfffrfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\8020286.exec:\8020286.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\84468.exec:\84468.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\c408822.exec:\c408822.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\fllxlfr.exec:\fllxlfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\3frflfr.exec:\3frflfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\rllrfrf.exec:\rllrfrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\60842.exec:\60842.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\5djpd.exec:\5djpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\lffxfrr.exec:\lffxfrr.exe23⤵
- Executes dropped EXE
PID:1056 -
\??\c:\dvjvd.exec:\dvjvd.exe24⤵
- Executes dropped EXE
PID:1704 -
\??\c:\6868888.exec:\6868888.exe25⤵
- Executes dropped EXE
PID:1628 -
\??\c:\hbnbnb.exec:\hbnbnb.exe26⤵
- Executes dropped EXE
PID:4004 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe27⤵
- Executes dropped EXE
PID:3384 -
\??\c:\pdppp.exec:\pdppp.exe28⤵
- Executes dropped EXE
PID:2324 -
\??\c:\jjpdj.exec:\jjpdj.exe29⤵
- Executes dropped EXE
PID:3508 -
\??\c:\jpdvj.exec:\jpdvj.exe30⤵
- Executes dropped EXE
PID:4664 -
\??\c:\6220448.exec:\6220448.exe31⤵
- Executes dropped EXE
PID:4212 -
\??\c:\08442.exec:\08442.exe32⤵
- Executes dropped EXE
PID:3832 -
\??\c:\a0866.exec:\a0866.exe33⤵
- Executes dropped EXE
PID:996 -
\??\c:\86822.exec:\86822.exe34⤵
- Executes dropped EXE
PID:3472 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe35⤵
- Executes dropped EXE
PID:5060 -
\??\c:\68860.exec:\68860.exe36⤵
- Executes dropped EXE
PID:4112 -
\??\c:\40266.exec:\40266.exe37⤵
- Executes dropped EXE
PID:5000 -
\??\c:\4844404.exec:\4844404.exe38⤵
- Executes dropped EXE
PID:4696 -
\??\c:\808020.exec:\808020.exe39⤵
- Executes dropped EXE
PID:1772 -
\??\c:\42440.exec:\42440.exe40⤵
- Executes dropped EXE
PID:4924 -
\??\c:\5nnhtt.exec:\5nnhtt.exe41⤵
- Executes dropped EXE
PID:3476 -
\??\c:\pjpjj.exec:\pjpjj.exe42⤵
- Executes dropped EXE
PID:1828 -
\??\c:\224048.exec:\224048.exe43⤵
- Executes dropped EXE
PID:4316 -
\??\c:\i242660.exec:\i242660.exe44⤵
- Executes dropped EXE
PID:4328 -
\??\c:\20044.exec:\20044.exe45⤵
- Executes dropped EXE
PID:4904 -
\??\c:\5tbtnn.exec:\5tbtnn.exe46⤵
- Executes dropped EXE
PID:3952 -
\??\c:\u800000.exec:\u800000.exe47⤵
- Executes dropped EXE
PID:1672 -
\??\c:\08482.exec:\08482.exe48⤵
- Executes dropped EXE
PID:2404 -
\??\c:\04426.exec:\04426.exe49⤵
- Executes dropped EXE
PID:2296 -
\??\c:\26240.exec:\26240.exe50⤵
- Executes dropped EXE
PID:2424 -
\??\c:\4226600.exec:\4226600.exe51⤵
- Executes dropped EXE
PID:4408 -
\??\c:\pddvd.exec:\pddvd.exe52⤵
- Executes dropped EXE
PID:1388 -
\??\c:\jjppd.exec:\jjppd.exe53⤵
- Executes dropped EXE
PID:2252 -
\??\c:\402044.exec:\402044.exe54⤵
- Executes dropped EXE
PID:4572 -
\??\c:\jpvjd.exec:\jpvjd.exe55⤵
- Executes dropped EXE
PID:4836 -
\??\c:\tbhbbt.exec:\tbhbbt.exe56⤵
- Executes dropped EXE
PID:4248 -
\??\c:\86866.exec:\86866.exe57⤵
- Executes dropped EXE
PID:1516 -
\??\c:\jdjdj.exec:\jdjdj.exe58⤵
- Executes dropped EXE
PID:3788 -
\??\c:\9dvpj.exec:\9dvpj.exe59⤵
- Executes dropped EXE
PID:1708 -
\??\c:\220486.exec:\220486.exe60⤵
- Executes dropped EXE
PID:2184 -
\??\c:\42048.exec:\42048.exe61⤵
- Executes dropped EXE
PID:1332 -
\??\c:\jppjd.exec:\jppjd.exe62⤵
- Executes dropped EXE
PID:4416 -
\??\c:\4008660.exec:\4008660.exe63⤵
- Executes dropped EXE
PID:3124 -
\??\c:\4026048.exec:\4026048.exe64⤵
- Executes dropped EXE
PID:2732 -
\??\c:\82642.exec:\82642.exe65⤵
- Executes dropped EXE
PID:4052 -
\??\c:\0800006.exec:\0800006.exe66⤵PID:1436
-
\??\c:\xxllxrl.exec:\xxllxrl.exe67⤵PID:4528
-
\??\c:\00608.exec:\00608.exe68⤵PID:2280
-
\??\c:\bbbntn.exec:\bbbntn.exe69⤵PID:3152
-
\??\c:\c280488.exec:\c280488.exe70⤵PID:4804
-
\??\c:\c626600.exec:\c626600.exe71⤵PID:2164
-
\??\c:\rxffffr.exec:\rxffffr.exe72⤵PID:3916
-
\??\c:\lxxrffx.exec:\lxxrffx.exe73⤵PID:1444
-
\??\c:\thhbtn.exec:\thhbtn.exe74⤵PID:3984
-
\??\c:\20422.exec:\20422.exe75⤵PID:4864
-
\??\c:\1xrlllf.exec:\1xrlllf.exe76⤵PID:3588
-
\??\c:\jddvp.exec:\jddvp.exe77⤵PID:4952
-
\??\c:\flrlffx.exec:\flrlffx.exe78⤵PID:2720
-
\??\c:\bbhhhh.exec:\bbhhhh.exe79⤵PID:2512
-
\??\c:\6448660.exec:\6448660.exe80⤵PID:4812
-
\??\c:\tnnbtt.exec:\tnnbtt.exe81⤵PID:2456
-
\??\c:\5hhbnb.exec:\5hhbnb.exe82⤵PID:1088
-
\??\c:\jjpvd.exec:\jjpvd.exe83⤵PID:4768
-
\??\c:\2066848.exec:\2066848.exe84⤵PID:3488
-
\??\c:\5xrllll.exec:\5xrllll.exe85⤵PID:4908
-
\??\c:\08808.exec:\08808.exe86⤵PID:4796
-
\??\c:\rlxlxrf.exec:\rlxlxrf.exe87⤵PID:3116
-
\??\c:\rffxxrl.exec:\rffxxrl.exe88⤵PID:5024
-
\??\c:\a2882.exec:\a2882.exe89⤵PID:3472
-
\??\c:\6288080.exec:\6288080.exe90⤵PID:4520
-
\??\c:\e22082.exec:\e22082.exe91⤵PID:4112
-
\??\c:\7bhbtt.exec:\7bhbtt.exe92⤵PID:2528
-
\??\c:\htbttt.exec:\htbttt.exe93⤵PID:1492
-
\??\c:\xrlxfxx.exec:\xrlxfxx.exe94⤵PID:3484
-
\??\c:\9dddv.exec:\9dddv.exe95⤵PID:1644
-
\??\c:\084844.exec:\084844.exe96⤵PID:3148
-
\??\c:\26240.exec:\26240.exe97⤵PID:3668
-
\??\c:\7hnhbn.exec:\7hnhbn.exe98⤵PID:4496
-
\??\c:\3xfrfxr.exec:\3xfrfxr.exe99⤵PID:4232
-
\??\c:\bhhhtn.exec:\bhhhtn.exe100⤵PID:3708
-
\??\c:\228482.exec:\228482.exe101⤵PID:448
-
\??\c:\fxxrllf.exec:\fxxrllf.exe102⤵PID:1888
-
\??\c:\6844882.exec:\6844882.exe103⤵PID:4840
-
\??\c:\pvvpd.exec:\pvvpd.exe104⤵PID:3216
-
\??\c:\3flxllx.exec:\3flxllx.exe105⤵PID:2156
-
\??\c:\ntbtnh.exec:\ntbtnh.exe106⤵PID:3680
-
\??\c:\4460266.exec:\4460266.exe107⤵PID:3752
-
\??\c:\xrfxfff.exec:\xrfxfff.exe108⤵PID:1004
-
\??\c:\rxfxllf.exec:\rxfxllf.exe109⤵PID:4388
-
\??\c:\84448.exec:\84448.exe110⤵PID:2252
-
\??\c:\0886482.exec:\0886482.exe111⤵PID:2944
-
\??\c:\9rxrfxc.exec:\9rxrfxc.exe112⤵PID:1768
-
\??\c:\2844822.exec:\2844822.exe113⤵PID:4836
-
\??\c:\fxfxxrr.exec:\fxfxxrr.exe114⤵
- System Location Discovery: System Language Discovery
PID:228 -
\??\c:\008600.exec:\008600.exe115⤵PID:1872
-
\??\c:\224888.exec:\224888.exe116⤵PID:4920
-
\??\c:\6460048.exec:\6460048.exe117⤵PID:3592
-
\??\c:\204420.exec:\204420.exe118⤵PID:2820
-
\??\c:\4486086.exec:\4486086.exe119⤵PID:508
-
\??\c:\02642.exec:\02642.exe120⤵
- System Location Discovery: System Language Discovery
PID:4928 -
\??\c:\88868.exec:\88868.exe121⤵PID:2144
-
\??\c:\4026000.exec:\4026000.exe122⤵PID:3256