Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe
-
Size
454KB
-
MD5
3e30647e9c2965c84324601a062a7fbd
-
SHA1
b6f24d9722d86d643c40ad76f8ab42f57d6dd639
-
SHA256
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653
-
SHA512
ac3acd9128748f61ce4a13b075f0e9ef7d44c1a6995f750f48524f89078d49f378051992e6c29053eed659ff03e06817a6bd9b3d3e33465f6feb41a99f7efda4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3608-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3580-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2876-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-1432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-1792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-1916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3580 5ppjd.exe 3384 46686.exe 2736 2848226.exe 1432 2460400.exe 1880 20640.exe 4640 e40826.exe 2328 btnhhn.exe 548 6428282.exe 2196 bhnhbb.exe 644 jddvj.exe 2256 00642.exe 1384 bnnhbt.exe 3616 frlfxrf.exe 4600 ddvpj.exe 4056 fffrffx.exe 1292 bhhbnh.exe 3408 4808444.exe 1524 64040.exe 3912 846448.exe 780 4444820.exe 1528 llxlfxr.exe 2772 6404826.exe 868 vpjvp.exe 4360 7lfxllf.exe 4632 20082.exe 968 xrrllxr.exe 1700 htbbnt.exe 1480 dvdvv.exe 2216 bnnbtn.exe 3004 22048.exe 4784 w62604.exe 2420 thbnhb.exe 4556 ddjdd.exe 1984 7dvjd.exe 4408 084882.exe 2728 4864826.exe 1448 1ttnbt.exe 4916 48824.exe 3232 08826.exe 5052 24486.exe 976 fllxrrx.exe 1188 8228226.exe 4584 9lxrfrf.exe 764 nhhntt.exe 4304 40082.exe 2168 2060606.exe 3588 jpvjv.exe 3580 420446.exe 2668 884204.exe 4176 200882.exe 4224 8664820.exe 400 440826.exe 2384 68864.exe 1880 6048260.exe 1352 i020060.exe 4420 0482048.exe 4904 2004220.exe 4332 5thhtt.exe 5008 pjvjj.exe 2196 vjjdp.exe 372 002026.exe 1944 08820.exe 3960 ddjdp.exe 1816 i226042.exe -
resource yara_rule behavioral2/memory/3608-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-220-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5052-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3728-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2882046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrxrf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3608 wrote to memory of 3580 3608 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 83 PID 3608 wrote to memory of 3580 3608 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 83 PID 3608 wrote to memory of 3580 3608 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 83 PID 3580 wrote to memory of 3384 3580 5ppjd.exe 84 PID 3580 wrote to memory of 3384 3580 5ppjd.exe 84 PID 3580 wrote to memory of 3384 3580 5ppjd.exe 84 PID 3384 wrote to memory of 2736 3384 46686.exe 85 PID 3384 wrote to memory of 2736 3384 46686.exe 85 PID 3384 wrote to memory of 2736 3384 46686.exe 85 PID 2736 wrote to memory of 1432 2736 2848226.exe 86 PID 2736 wrote to memory of 1432 2736 2848226.exe 86 PID 2736 wrote to memory of 1432 2736 2848226.exe 86 PID 1432 wrote to memory of 1880 1432 2460400.exe 136 PID 1432 wrote to memory of 1880 1432 2460400.exe 136 PID 1432 wrote to memory of 1880 1432 2460400.exe 136 PID 1880 wrote to memory of 4640 1880 20640.exe 88 PID 1880 wrote to memory of 4640 1880 20640.exe 88 PID 1880 wrote to memory of 4640 1880 20640.exe 88 PID 4640 wrote to memory of 2328 4640 e40826.exe 89 PID 4640 wrote to memory of 2328 4640 e40826.exe 89 PID 4640 wrote to memory of 2328 4640 e40826.exe 89 PID 2328 wrote to memory of 548 2328 btnhhn.exe 90 PID 2328 wrote to memory of 548 2328 btnhhn.exe 90 PID 2328 wrote to memory of 548 2328 btnhhn.exe 90 PID 548 wrote to memory of 2196 548 6428282.exe 142 PID 548 wrote to memory of 2196 548 6428282.exe 142 PID 548 wrote to memory of 2196 548 6428282.exe 142 PID 2196 wrote to memory of 644 2196 bhnhbb.exe 92 PID 2196 wrote to memory of 644 2196 bhnhbb.exe 92 PID 2196 wrote to memory of 644 2196 bhnhbb.exe 92 PID 644 wrote to memory of 2256 644 jddvj.exe 93 PID 644 wrote to memory of 2256 644 jddvj.exe 93 PID 644 wrote to memory of 2256 644 jddvj.exe 93 PID 2256 wrote to memory of 1384 2256 00642.exe 94 PID 2256 wrote to memory of 1384 
2256 00642.exe 94 PID 2256 wrote to memory of 1384 2256 00642.exe 94 PID 1384 wrote to memory of 3616 1384 bnnhbt.exe 95 PID 1384 wrote to memory of 3616 1384 bnnhbt.exe 95 PID 1384 wrote to memory of 3616 1384 bnnhbt.exe 95 PID 3616 wrote to memory of 4600 3616 frlfxrf.exe 96 PID 3616 wrote to memory of 4600 3616 frlfxrf.exe 96 PID 3616 wrote to memory of 4600 3616 frlfxrf.exe 96 PID 4600 wrote to memory of 4056 4600 ddvpj.exe 97 PID 4600 wrote to memory of 4056 4600 ddvpj.exe 97 PID 4600 wrote to memory of 4056 4600 ddvpj.exe 97 PID 4056 wrote to memory of 1292 4056 fffrffx.exe 98 PID 4056 wrote to memory of 1292 4056 fffrffx.exe 98 PID 4056 wrote to memory of 1292 4056 fffrffx.exe 98 PID 1292 wrote to memory of 3408 1292 bhhbnh.exe 99 PID 1292 wrote to memory of 3408 1292 bhhbnh.exe 99 PID 1292 wrote to memory of 3408 1292 bhhbnh.exe 99 PID 3408 wrote to memory of 1524 3408 4808444.exe 100 PID 3408 wrote to memory of 1524 3408 4808444.exe 100 PID 3408 wrote to memory of 1524 3408 4808444.exe 100 PID 1524 wrote to memory of 3912 1524 64040.exe 101 PID 1524 wrote to memory of 3912 1524 64040.exe 101 PID 1524 wrote to memory of 3912 1524 64040.exe 101 PID 3912 wrote to memory of 780 3912 846448.exe 102 PID 3912 wrote to memory of 780 3912 846448.exe 102 PID 3912 wrote to memory of 780 3912 846448.exe 102 PID 780 wrote to memory of 1528 780 4444820.exe 103 PID 780 wrote to memory of 1528 780 4444820.exe 103 PID 780 wrote to memory of 1528 780 4444820.exe 103 PID 1528 wrote to memory of 2772 1528 llxlfxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe"C:\Users\Admin\AppData\Local\Temp\fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\5ppjd.exec:\5ppjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\46686.exec:\46686.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\2848226.exec:\2848226.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\2460400.exec:\2460400.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\20640.exec:\20640.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\e40826.exec:\e40826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\btnhhn.exec:\btnhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\6428282.exec:\6428282.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\bhnhbb.exec:\bhnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\jddvj.exec:\jddvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\00642.exec:\00642.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\bnnhbt.exec:\bnnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\frlfxrf.exec:\frlfxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\ddvpj.exec:\ddvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\fffrffx.exec:\fffrffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\bhhbnh.exec:\bhhbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\4808444.exec:\4808444.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\64040.exec:\64040.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\846448.exec:\846448.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\4444820.exec:\4444820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\llxlfxr.exec:\llxlfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\6404826.exec:\6404826.exe23⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vpjvp.exec:\vpjvp.exe24⤵
- Executes dropped EXE
PID:868 -
\??\c:\7lfxllf.exec:\7lfxllf.exe25⤵
- Executes dropped EXE
PID:4360 -
\??\c:\20082.exec:\20082.exe26⤵
- Executes dropped EXE
PID:4632 -
\??\c:\xrrllxr.exec:\xrrllxr.exe27⤵
- Executes dropped EXE
PID:968 -
\??\c:\htbbnt.exec:\htbbnt.exe28⤵
- Executes dropped EXE
PID:1700 -
\??\c:\dvdvv.exec:\dvdvv.exe29⤵
- Executes dropped EXE
PID:1480 -
\??\c:\bnnbtn.exec:\bnnbtn.exe30⤵
- Executes dropped EXE
PID:2216 -
\??\c:\22048.exec:\22048.exe31⤵
- Executes dropped EXE
PID:3004 -
\??\c:\w62604.exec:\w62604.exe32⤵
- Executes dropped EXE
PID:4784 -
\??\c:\thbnhb.exec:\thbnhb.exe33⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ddjdd.exec:\ddjdd.exe34⤵
- Executes dropped EXE
PID:4556 -
\??\c:\7dvjd.exec:\7dvjd.exe35⤵
- Executes dropped EXE
PID:1984 -
\??\c:\084882.exec:\084882.exe36⤵
- Executes dropped EXE
PID:4408 -
\??\c:\4864826.exec:\4864826.exe37⤵
- Executes dropped EXE
PID:2728 -
\??\c:\1ttnbt.exec:\1ttnbt.exe38⤵
- Executes dropped EXE
PID:1448 -
\??\c:\48824.exec:\48824.exe39⤵
- Executes dropped EXE
PID:4916 -
\??\c:\08826.exec:\08826.exe40⤵
- Executes dropped EXE
PID:3232 -
\??\c:\24486.exec:\24486.exe41⤵
- Executes dropped EXE
PID:5052 -
\??\c:\fllxrrx.exec:\fllxrrx.exe42⤵
- Executes dropped EXE
PID:976 -
\??\c:\8228226.exec:\8228226.exe43⤵
- Executes dropped EXE
PID:1188 -
\??\c:\9lxrfrf.exec:\9lxrfrf.exe44⤵
- Executes dropped EXE
PID:4584 -
\??\c:\nhhntt.exec:\nhhntt.exe45⤵
- Executes dropped EXE
PID:764 -
\??\c:\40082.exec:\40082.exe46⤵
- Executes dropped EXE
PID:4304 -
\??\c:\2060606.exec:\2060606.exe47⤵
- Executes dropped EXE
PID:2168 -
\??\c:\jpvjv.exec:\jpvjv.exe48⤵
- Executes dropped EXE
PID:3588 -
\??\c:\420446.exec:\420446.exe49⤵
- Executes dropped EXE
PID:3580 -
\??\c:\884204.exec:\884204.exe50⤵
- Executes dropped EXE
PID:2668 -
\??\c:\200882.exec:\200882.exe51⤵
- Executes dropped EXE
PID:4176 -
\??\c:\8664820.exec:\8664820.exe52⤵
- Executes dropped EXE
PID:4224 -
\??\c:\440826.exec:\440826.exe53⤵
- Executes dropped EXE
PID:400 -
\??\c:\68864.exec:\68864.exe54⤵
- Executes dropped EXE
PID:2384 -
\??\c:\6048260.exec:\6048260.exe55⤵
- Executes dropped EXE
PID:1880 -
\??\c:\i020060.exec:\i020060.exe56⤵
- Executes dropped EXE
PID:1352 -
\??\c:\0482048.exec:\0482048.exe57⤵
- Executes dropped EXE
PID:4420 -
\??\c:\2004220.exec:\2004220.exe58⤵
- Executes dropped EXE
PID:4904 -
\??\c:\5thhtt.exec:\5thhtt.exe59⤵
- Executes dropped EXE
PID:4332 -
\??\c:\pjvjj.exec:\pjvjj.exe60⤵
- Executes dropped EXE
PID:5008 -
\??\c:\vjjdp.exec:\vjjdp.exe61⤵
- Executes dropped EXE
PID:2196 -
\??\c:\002026.exec:\002026.exe62⤵
- Executes dropped EXE
PID:372 -
\??\c:\08820.exec:\08820.exe63⤵
- Executes dropped EXE
PID:1944 -
\??\c:\ddjdp.exec:\ddjdp.exe64⤵
- Executes dropped EXE
PID:3960 -
\??\c:\i226042.exec:\i226042.exe65⤵
- Executes dropped EXE
PID:1816 -
\??\c:\64426.exec:\64426.exe66⤵PID:4644
-
\??\c:\jvvpj.exec:\jvvpj.exe67⤵PID:380
-
\??\c:\9nhthb.exec:\9nhthb.exe68⤵PID:4836
-
\??\c:\884204.exec:\884204.exe69⤵PID:4780
-
\??\c:\6404448.exec:\6404448.exe70⤵PID:3196
-
\??\c:\c220448.exec:\c220448.exe71⤵PID:2476
-
\??\c:\a0286.exec:\a0286.exe72⤵PID:4872
-
\??\c:\m4484.exec:\m4484.exe73⤵PID:5084
-
\??\c:\0886600.exec:\0886600.exe74⤵PID:4900
-
\??\c:\dvppj.exec:\dvppj.exe75⤵PID:2412
-
\??\c:\bthbhh.exec:\bthbhh.exe76⤵PID:3920
-
\??\c:\7fffrlf.exec:\7fffrlf.exe77⤵PID:2876
-
\??\c:\62260.exec:\62260.exe78⤵PID:3804
-
\??\c:\5rfxrrl.exec:\5rfxrrl.exe79⤵PID:2308
-
\??\c:\q68860.exec:\q68860.exe80⤵PID:1480
-
\??\c:\xrvddjp.exec:\xrvddjp.exe81⤵PID:2216
-
\??\c:\6408442.exec:\6408442.exe82⤵PID:4788
-
\??\c:\s4420.exec:\s4420.exe83⤵PID:1084
-
\??\c:\86642.exec:\86642.exe84⤵
- System Location Discovery: System Language Discovery
PID:1560 -
\??\c:\40042.exec:\40042.exe85⤵PID:2572
-
\??\c:\ntbnht.exec:\ntbnht.exe86⤵PID:4204
-
\??\c:\o064264.exec:\o064264.exe87⤵PID:760
-
\??\c:\2426004.exec:\2426004.exe88⤵PID:428
-
\??\c:\rlxrrll.exec:\rlxrrll.exe89⤵PID:2076
-
\??\c:\4464260.exec:\4464260.exe90⤵PID:4796
-
\??\c:\288826.exec:\288826.exe91⤵PID:4284
-
\??\c:\frxrxfr.exec:\frxrxfr.exe92⤵PID:3740
-
\??\c:\2682826.exec:\2682826.exe93⤵PID:3104
-
\??\c:\dpvjd.exec:\dpvjd.exe94⤵PID:4588
-
\??\c:\pdddp.exec:\pdddp.exe95⤵PID:3060
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe96⤵PID:3572
-
\??\c:\466048.exec:\466048.exe97⤵PID:4808
-
\??\c:\i604260.exec:\i604260.exe98⤵PID:536
-
\??\c:\llrlrlf.exec:\llrlrlf.exe99⤵PID:4316
-
\??\c:\9btnhh.exec:\9btnhh.exe100⤵PID:3204
-
\??\c:\1ddpj.exec:\1ddpj.exe101⤵PID:3100
-
\??\c:\hbhbtn.exec:\hbhbtn.exe102⤵PID:4460
-
\??\c:\3hthtn.exec:\3hthtn.exe103⤵PID:3728
-
\??\c:\jpvpd.exec:\jpvpd.exe104⤵PID:1856
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe105⤵PID:4508
-
\??\c:\bttnbb.exec:\bttnbb.exe106⤵PID:4532
-
\??\c:\642228.exec:\642228.exe107⤵PID:5108
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe108⤵PID:4740
-
\??\c:\vjpdp.exec:\vjpdp.exe109⤵PID:2320
-
\??\c:\jddvp.exec:\jddvp.exe110⤵PID:1352
-
\??\c:\jjpjd.exec:\jjpjd.exe111⤵PID:1976
-
\??\c:\s6800.exec:\s6800.exe112⤵PID:1132
-
\??\c:\5hbnbt.exec:\5hbnbt.exe113⤵PID:3912
-
\??\c:\9ppdp.exec:\9ppdp.exe114⤵PID:4904
-
\??\c:\7vvpj.exec:\7vvpj.exe115⤵PID:4768
-
\??\c:\ffffflf.exec:\ffffflf.exe116⤵PID:3488
-
\??\c:\024260.exec:\024260.exe117⤵PID:4440
-
\??\c:\w22082.exec:\w22082.exe118⤵PID:1328
-
\??\c:\tnhbnt.exec:\tnhbnt.exe119⤵PID:628
-
\??\c:\s0486.exec:\s0486.exe120⤵PID:952
-
\??\c:\64042.exec:\64042.exe121⤵PID:3636
-
\??\c:\868686.exec:\868686.exe122⤵PID:3456