Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02.exe
-
Size
453KB
-
MD5
be6d21306bce457b6fb08e9a9273c574
-
SHA1
b79a7d731fab6f78e9aa5b8998aa871577cb0cf3
-
SHA256
b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02
-
SHA512
137c5e69479116d0e5cdcde80c7cec0a29d1959249d6dc79d984ed5157e60ea202918b1d355e63d92a58b6225ea563b53deace090d84d6deed4a928c4f9f31d0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4060-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4972-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4112-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/504-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-1200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-1317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-1324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 408 644882.exe 2152 dpppv.exe 1556 88482.exe 688 a4224.exe 3468 3flfxrl.exe 1968 ddjvv.exe 4776 68882.exe 1292 20264.exe 2312 vdvvp.exe 4676 xrxrrlr.exe 964 c844884.exe 1616 dvjvd.exe 2280 200048.exe 2912 thnbtt.exe 3180 hthnbn.exe 4216 0682604.exe 632 3bbthh.exe 1744 660826.exe 2824 llxrlff.exe 5116 2004822.exe 3760 tnbtnn.exe 3676 02482.exe 2620 frlrrff.exe 4844 9frlllf.exe 2212 bnhbth.exe 2200 446048.exe 4128 jjjpj.exe 2064 pddvp.exe 4972 042806.exe 1680 pdjpp.exe 3136 dvpdp.exe 1524 44064.exe 1732 lllfffx.exe 3496 64084.exe 3892 206044.exe 3836 4082282.exe 940 6248666.exe 4568 q80048.exe 4392 8488440.exe 4556 4468244.exe 4468 nthhbb.exe 5048 s6648.exe 2716 frxrrrl.exe 1768 046082.exe 4056 vdjdd.exe 2372 264848.exe 4968 028060.exe 4364 288060.exe 3748 5lfxffx.exe 1316 fflxrlx.exe 1040 04086.exe 2284 06620.exe 4688 llrffxr.exe 3812 rrlffxf.exe 688 44604.exe 4268 8006224.exe 2116 06046.exe 5004 bnnhbt.exe 904 9flfffl.exe 1528 bthbhh.exe 3292 rrfxrlf.exe 2864 1ttnhb.exe 4532 thtnbb.exe 2572 42802.exe -
resource yara_rule behavioral2/memory/4060-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3496-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/504-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2824-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-762-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0442004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0822082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8882604.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u204488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i062660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8408600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u402062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfffx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4060 wrote to memory of 408 4060 b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02.exe 83 PID 4060 wrote to memory of 408 4060 b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02.exe 83 PID 4060 wrote to memory of 408 4060 b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02.exe 83 PID 408 wrote to memory of 2152 408 644882.exe 84 PID 408 wrote to memory of 2152 408 644882.exe 84 PID 408 wrote to memory of 2152 408 644882.exe 84 PID 2152 wrote to memory of 1556 2152 dpppv.exe 85 PID 2152 wrote to memory of 1556 2152 dpppv.exe 85 PID 2152 wrote to memory of 1556 2152 dpppv.exe 85 PID 1556 wrote to memory of 688 1556 88482.exe 86 PID 1556 wrote to memory of 688 1556 88482.exe 86 PID 1556 wrote to memory of 688 1556 88482.exe 86 PID 688 wrote to memory of 3468 688 a4224.exe 87 PID 688 wrote to memory of 3468 688 a4224.exe 87 PID 688 wrote to memory of 3468 688 a4224.exe 87 PID 3468 wrote to memory of 1968 3468 3flfxrl.exe 88 PID 3468 wrote to memory of 1968 3468 3flfxrl.exe 88 PID 3468 wrote to memory of 1968 3468 3flfxrl.exe 88 PID 1968 wrote to memory of 4776 1968 ddjvv.exe 89 PID 1968 wrote to memory of 4776 1968 ddjvv.exe 89 PID 1968 wrote to memory of 4776 1968 ddjvv.exe 89 PID 4776 wrote to memory of 1292 4776 68882.exe 90 PID 4776 wrote to memory of 1292 4776 68882.exe 90 PID 4776 wrote to memory of 1292 4776 68882.exe 90 PID 1292 wrote to memory of 2312 1292 20264.exe 91 PID 1292 wrote to memory of 2312 1292 20264.exe 91 PID 1292 wrote to memory of 2312 1292 20264.exe 91 PID 2312 wrote to memory of 4676 2312 vdvvp.exe 92 PID 2312 wrote to memory of 4676 2312 vdvvp.exe 92 PID 2312 wrote to memory of 4676 2312 vdvvp.exe 92 PID 4676 wrote to memory of 964 4676 xrxrrlr.exe 93 PID 4676 wrote to memory of 964 4676 xrxrrlr.exe 93 PID 4676 wrote to memory of 964 4676 xrxrrlr.exe 93 PID 964 wrote to memory of 1616 964 c844884.exe 94 PID 964 wrote to memory of 1616 964 c844884.exe 94 PID 
964 wrote to memory of 1616 964 c844884.exe 94 PID 1616 wrote to memory of 2280 1616 dvjvd.exe 95 PID 1616 wrote to memory of 2280 1616 dvjvd.exe 95 PID 1616 wrote to memory of 2280 1616 dvjvd.exe 95 PID 2280 wrote to memory of 2912 2280 200048.exe 96 PID 2280 wrote to memory of 2912 2280 200048.exe 96 PID 2280 wrote to memory of 2912 2280 200048.exe 96 PID 2912 wrote to memory of 3180 2912 thnbtt.exe 97 PID 2912 wrote to memory of 3180 2912 thnbtt.exe 97 PID 2912 wrote to memory of 3180 2912 thnbtt.exe 97 PID 3180 wrote to memory of 4216 3180 hthnbn.exe 98 PID 3180 wrote to memory of 4216 3180 hthnbn.exe 98 PID 3180 wrote to memory of 4216 3180 hthnbn.exe 98 PID 4216 wrote to memory of 632 4216 0682604.exe 99 PID 4216 wrote to memory of 632 4216 0682604.exe 99 PID 4216 wrote to memory of 632 4216 0682604.exe 99 PID 632 wrote to memory of 1744 632 3bbthh.exe 100 PID 632 wrote to memory of 1744 632 3bbthh.exe 100 PID 632 wrote to memory of 1744 632 3bbthh.exe 100 PID 1744 wrote to memory of 2824 1744 660826.exe 101 PID 1744 wrote to memory of 2824 1744 660826.exe 101 PID 1744 wrote to memory of 2824 1744 660826.exe 101 PID 2824 wrote to memory of 5116 2824 llxrlff.exe 102 PID 2824 wrote to memory of 5116 2824 llxrlff.exe 102 PID 2824 wrote to memory of 5116 2824 llxrlff.exe 102 PID 5116 wrote to memory of 3760 5116 2004822.exe 103 PID 5116 wrote to memory of 3760 5116 2004822.exe 103 PID 5116 wrote to memory of 3760 5116 2004822.exe 103 PID 3760 wrote to memory of 3676 3760 tnbtnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02.exe"C:\Users\Admin\AppData\Local\Temp\b206faa46c733e1c7f3079bc8de8824989dd5fb264bf543853db0a8453d9ec02.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\644882.exec:\644882.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\dpppv.exec:\dpppv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\88482.exec:\88482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\a4224.exec:\a4224.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\3flfxrl.exec:\3flfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\ddjvv.exec:\ddjvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\68882.exec:\68882.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\20264.exec:\20264.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\vdvvp.exec:\vdvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\c844884.exec:\c844884.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\dvjvd.exec:\dvjvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\200048.exec:\200048.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\thnbtt.exec:\thnbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\hthnbn.exec:\hthnbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\0682604.exec:\0682604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\3bbthh.exec:\3bbthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\660826.exec:\660826.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\llxrlff.exec:\llxrlff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\2004822.exec:\2004822.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\tnbtnn.exec:\tnbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\02482.exec:\02482.exe23⤵
- Executes dropped EXE
PID:3676 -
\??\c:\frlrrff.exec:\frlrrff.exe24⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9frlllf.exec:\9frlllf.exe25⤵
- Executes dropped EXE
PID:4844 -
\??\c:\bnhbth.exec:\bnhbth.exe26⤵
- Executes dropped EXE
PID:2212 -
\??\c:\446048.exec:\446048.exe27⤵
- Executes dropped EXE
PID:2200 -
\??\c:\jjjpj.exec:\jjjpj.exe28⤵
- Executes dropped EXE
PID:4128 -
\??\c:\pddvp.exec:\pddvp.exe29⤵
- Executes dropped EXE
PID:2064 -
\??\c:\042806.exec:\042806.exe30⤵
- Executes dropped EXE
PID:4972 -
\??\c:\pdjpp.exec:\pdjpp.exe31⤵
- Executes dropped EXE
PID:1680 -
\??\c:\dvpdp.exec:\dvpdp.exe32⤵
- Executes dropped EXE
PID:3136 -
\??\c:\44064.exec:\44064.exe33⤵
- Executes dropped EXE
PID:1524 -
\??\c:\lllfffx.exec:\lllfffx.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
\??\c:\64084.exec:\64084.exe35⤵
- Executes dropped EXE
PID:3496 -
\??\c:\206044.exec:\206044.exe36⤵
- Executes dropped EXE
PID:3892 -
\??\c:\4082282.exec:\4082282.exe37⤵
- Executes dropped EXE
PID:3836 -
\??\c:\6248666.exec:\6248666.exe38⤵
- Executes dropped EXE
PID:940 -
\??\c:\q80048.exec:\q80048.exe39⤵
- Executes dropped EXE
PID:4568 -
\??\c:\8488440.exec:\8488440.exe40⤵
- Executes dropped EXE
PID:4392 -
\??\c:\4468244.exec:\4468244.exe41⤵
- Executes dropped EXE
PID:4556 -
\??\c:\nthhbb.exec:\nthhbb.exe42⤵
- Executes dropped EXE
PID:4468 -
\??\c:\s6648.exec:\s6648.exe43⤵
- Executes dropped EXE
PID:5048 -
\??\c:\frxrrrl.exec:\frxrrrl.exe44⤵
- Executes dropped EXE
PID:2716 -
\??\c:\046082.exec:\046082.exe45⤵
- Executes dropped EXE
PID:1768 -
\??\c:\vdjdd.exec:\vdjdd.exe46⤵
- Executes dropped EXE
PID:4056 -
\??\c:\264848.exec:\264848.exe47⤵
- Executes dropped EXE
PID:2372 -
\??\c:\028060.exec:\028060.exe48⤵
- Executes dropped EXE
PID:4968 -
\??\c:\288060.exec:\288060.exe49⤵
- Executes dropped EXE
PID:4364 -
\??\c:\5lfxffx.exec:\5lfxffx.exe50⤵
- Executes dropped EXE
PID:3748 -
\??\c:\fflxrlx.exec:\fflxrlx.exe51⤵
- Executes dropped EXE
PID:1316 -
\??\c:\04086.exec:\04086.exe52⤵
- Executes dropped EXE
PID:1040 -
\??\c:\06620.exec:\06620.exe53⤵
- Executes dropped EXE
PID:2284 -
\??\c:\llrffxr.exec:\llrffxr.exe54⤵
- Executes dropped EXE
PID:4688 -
\??\c:\rrlffxf.exec:\rrlffxf.exe55⤵
- Executes dropped EXE
PID:3812 -
\??\c:\44604.exec:\44604.exe56⤵
- Executes dropped EXE
PID:688 -
\??\c:\8006224.exec:\8006224.exe57⤵
- Executes dropped EXE
PID:4268 -
\??\c:\06046.exec:\06046.exe58⤵
- Executes dropped EXE
PID:2116 -
\??\c:\bnnhbt.exec:\bnnhbt.exe59⤵
- Executes dropped EXE
PID:5004 -
\??\c:\9flfffl.exec:\9flfffl.exe60⤵
- Executes dropped EXE
PID:904 -
\??\c:\bthbhh.exec:\bthbhh.exe61⤵
- Executes dropped EXE
PID:1528 -
\??\c:\rrfxrlf.exec:\rrfxrlf.exe62⤵
- Executes dropped EXE
PID:3292 -
\??\c:\1ttnhb.exec:\1ttnhb.exe63⤵
- Executes dropped EXE
PID:2864 -
\??\c:\thtnbb.exec:\thtnbb.exe64⤵
- Executes dropped EXE
PID:4532 -
\??\c:\42802.exec:\42802.exe65⤵
- Executes dropped EXE
PID:2572 -
\??\c:\rxffllf.exec:\rxffllf.exe66⤵PID:3564
-
\??\c:\048868.exec:\048868.exe67⤵PID:3580
-
\??\c:\s8820.exec:\s8820.exe68⤵
- System Location Discovery: System Language Discovery
PID:3636 -
\??\c:\c008860.exec:\c008860.exe69⤵PID:3268
-
\??\c:\dpvvp.exec:\dpvvp.exe70⤵PID:4112
-
\??\c:\082626.exec:\082626.exe71⤵PID:1144
-
\??\c:\nhnnhb.exec:\nhnnhb.exe72⤵PID:1656
-
\??\c:\tttnhh.exec:\tttnhh.exe73⤵PID:504
-
\??\c:\ppddj.exec:\ppddj.exe74⤵PID:2972
-
\??\c:\5bhtnh.exec:\5bhtnh.exe75⤵PID:4124
-
\??\c:\g0486.exec:\g0486.exe76⤵PID:2824
-
\??\c:\8660448.exec:\8660448.exe77⤵PID:4896
-
\??\c:\nbhnhh.exec:\nbhnhh.exe78⤵PID:4736
-
\??\c:\5jvdd.exec:\5jvdd.exe79⤵PID:4108
-
\??\c:\08004.exec:\08004.exe80⤵PID:1808
-
\??\c:\g4448.exec:\g4448.exe81⤵PID:1792
-
\??\c:\64026.exec:\64026.exe82⤵PID:3448
-
\??\c:\84608.exec:\84608.exe83⤵PID:1492
-
\??\c:\020862.exec:\020862.exe84⤵PID:2448
-
\??\c:\44208.exec:\44208.exe85⤵PID:616
-
\??\c:\208480.exec:\208480.exe86⤵PID:3264
-
\??\c:\066648.exec:\066648.exe87⤵PID:216
-
\??\c:\8620822.exec:\8620822.exe88⤵PID:3312
-
\??\c:\200448.exec:\200448.exe89⤵PID:4972
-
\??\c:\44486.exec:\44486.exe90⤵PID:3696
-
\??\c:\frlxlrl.exec:\frlxlrl.exe91⤵PID:712
-
\??\c:\06826.exec:\06826.exe92⤵PID:2364
-
\??\c:\s8408.exec:\s8408.exe93⤵PID:5028
-
\??\c:\9xrfxxl.exec:\9xrfxxl.exe94⤵PID:3520
-
\??\c:\s8482.exec:\s8482.exe95⤵PID:1732
-
\??\c:\dvpjp.exec:\dvpjp.exe96⤵PID:3496
-
\??\c:\1tnhnn.exec:\1tnhnn.exe97⤵PID:1232
-
\??\c:\lxxrrlf.exec:\lxxrrlf.exe98⤵PID:3836
-
\??\c:\828266.exec:\828266.exe99⤵PID:3548
-
\??\c:\m8048.exec:\m8048.exe100⤵PID:1644
-
\??\c:\pjjvj.exec:\pjjvj.exe101⤵PID:3464
-
\??\c:\6062626.exec:\6062626.exe102⤵PID:4732
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe103⤵PID:3192
-
\??\c:\282688.exec:\282688.exe104⤵PID:4468
-
\??\c:\vpjdj.exec:\vpjdj.exe105⤵PID:5048
-
\??\c:\vjvpp.exec:\vjvpp.exe106⤵PID:3320
-
\??\c:\444424.exec:\444424.exe107⤵PID:3352
-
\??\c:\000486.exec:\000486.exe108⤵PID:2904
-
\??\c:\6064826.exec:\6064826.exe109⤵PID:828
-
\??\c:\8284262.exec:\8284262.exe110⤵PID:4324
-
\??\c:\rrlxrrl.exec:\rrlxrrl.exe111⤵PID:960
-
\??\c:\0848488.exec:\0848488.exe112⤵PID:1960
-
\??\c:\28408.exec:\28408.exe113⤵PID:2472
-
\??\c:\024226.exec:\024226.exe114⤵PID:2728
-
\??\c:\vpvjd.exec:\vpvjd.exe115⤵PID:4452
-
\??\c:\ntbnhb.exec:\ntbnhb.exe116⤵PID:4940
-
\??\c:\vvdpd.exec:\vvdpd.exe117⤵PID:5008
-
\??\c:\rllxlfx.exec:\rllxlfx.exe118⤵PID:1772
-
\??\c:\8882604.exec:\8882604.exe119⤵
- System Location Discovery: System Language Discovery
PID:2276 -
\??\c:\htbbtn.exec:\htbbtn.exe120⤵PID:3020
-
\??\c:\jddpj.exec:\jddpj.exe121⤵PID:4792
-
\??\c:\460068.exec:\460068.exe122⤵PID:2004