Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 08:59
Behavioral task
behavioral1
Sample
b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36N.exe
-
Size
91KB
-
MD5
9049dc803102e6a4b77ba58815186d50
-
SHA1
6d9f182ecf75c75ca9a84c091b120d5a99b04d95
-
SHA256
b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36
-
SHA512
9f8ac765460fc41d728337cd57090f91febbb31c0eaffca1d962519774fb8e5c3e94d8bfa9bb78d540d8751b33f57b0d97cf876b8d150fca225932b1dd80e820
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8HglWxR9Yii9J01qCxNiL:chOmTsF93UYfwC6GIout3xR9nx0L
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4768-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2548-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3764-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2908-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5020-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4220-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4160-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/264-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2276-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1568-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2240-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3096-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-522-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-563-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-622-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3180-626-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-636-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-661-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-689-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-765-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-1079-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-1537-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3428-1618-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 400 bnnhbb.exe 2852 2460448.exe 3596 024822.exe 2136 vpjdv.exe 2548 hhnhtt.exe 3260 48044.exe 4940 4284006.exe 1336 6048226.exe 5116 pjpvv.exe 1384 880044.exe 3764 606060.exe 3100 88820.exe 3488 66248.exe 2908 fxllffx.exe 32 602044.exe 5100 rlxxrrr.exe 4144 028822.exe 3892 5hnnnh.exe 2632 xlrrlrl.exe 2160 4004826.exe 2620 824444.exe 4444 5vddd.exe 2380 xrxlllr.exe 1232 ntnhbb.exe 3316 662646.exe 5020 422644.exe 1056 3flfrxr.exe 1576 rfxrfxl.exe 3676 flxrlll.exe 4260 0848226.exe 1768 2246006.exe 2460 k28660.exe 4024 0228822.exe 4172 66884.exe 4220 jdpjj.exe 724 frfxxxf.exe 4160 62448.exe 4948 xflfrrr.exe 4796 046802.exe 3712 24442.exe 3368 40600.exe 4352 46664.exe 4540 844822.exe 3968 3hhtnt.exe 2080 6004844.exe 2936 jdvvj.exe 4496 3flfrrl.exe 4312 vvjjj.exe 3320 3jjjd.exe 2444 tttnhh.exe 2076 406604.exe 264 fflrfxr.exe 4680 06866.exe 1336 402604.exe 1700 nhhtnh.exe 3628 0626260.exe 3752 22444.exe 3764 64266.exe 1064 60424.exe 412 4400448.exe 1252 rxrrlfx.exe 2276 hbhbhb.exe 3728 48886.exe 3604 06222.exe -
resource yara_rule behavioral2/memory/4768-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b32-3.dat upx behavioral2/memory/4768-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8f-9.dat upx behavioral2/memory/2852-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-17.dat upx behavioral2/memory/400-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3596-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-21.dat upx behavioral2/files/0x000a000000023b95-27.dat upx behavioral2/memory/2548-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-35.dat upx behavioral2/memory/3260-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-41.dat upx behavioral2/memory/2136-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-45.dat upx behavioral2/memory/4940-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1336-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-53.dat upx behavioral2/files/0x000a000000023b9a-57.dat upx behavioral2/memory/5116-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-63.dat upx behavioral2/memory/1384-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-69.dat upx behavioral2/memory/3764-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3100-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9e-75.dat upx behavioral2/files/0x000a000000023b9f-81.dat upx behavioral2/memory/3488-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2908-87-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000b000000023ba0-88.dat upx behavioral2/files/0x000b000000023ba1-92.dat upx behavioral2/memory/32-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba2-98.dat upx behavioral2/memory/4144-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baa-103.dat upx behavioral2/files/0x000e000000023bb1-109.dat upx behavioral2/memory/3892-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bba-115.dat upx behavioral2/files/0x0009000000023bbf-120.dat upx behavioral2/memory/2620-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc0-127.dat upx behavioral2/files/0x000b000000023b90-131.dat upx behavioral2/memory/4444-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc1-137.dat upx behavioral2/files/0x000e000000023bc5-142.dat upx behavioral2/files/0x0008000000023bca-147.dat upx behavioral2/files/0x0008000000023bcb-152.dat upx behavioral2/memory/1056-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5020-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bcc-160.dat upx behavioral2/files/0x0008000000023bcd-166.dat upx behavioral2/memory/1576-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3676-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfc-172.dat upx behavioral2/memory/4260-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfd-178.dat upx behavioral2/memory/1768-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfe-183.dat upx behavioral2/memory/2460-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4220-199-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4160-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4796-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4352-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2288888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8648884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c400448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2062266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4768 wrote to memory of 400 4768 b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36N.exe 83 PID 4768 wrote to memory of 400 4768 b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36N.exe 83 PID 4768 wrote to memory of 400 4768 b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36N.exe 83 PID 400 wrote to memory of 2852 400 bnnhbb.exe 84 PID 400 wrote to memory of 2852 400 bnnhbb.exe 84 PID 400 wrote to memory of 2852 400 bnnhbb.exe 84 PID 2852 wrote to memory of 3596 2852 2460448.exe 85 PID 2852 wrote to memory of 3596 2852 2460448.exe 85 PID 2852 wrote to memory of 3596 2852 2460448.exe 85 PID 3596 wrote to memory of 2136 3596 024822.exe 86 PID 3596 wrote to memory of 2136 3596 024822.exe 86 PID 3596 wrote to memory of 2136 3596 024822.exe 86 PID 2136 wrote to memory of 2548 2136 vpjdv.exe 87 PID 2136 wrote to memory of 2548 2136 vpjdv.exe 87 PID 2136 wrote to memory of 2548 2136 vpjdv.exe 87 PID 2548 wrote to memory of 3260 2548 hhnhtt.exe 88 PID 2548 wrote to memory of 3260 2548 hhnhtt.exe 88 PID 2548 wrote to memory of 3260 2548 hhnhtt.exe 88 PID 3260 wrote to memory of 4940 3260 48044.exe 89 PID 3260 wrote to memory of 4940 3260 48044.exe 89 PID 3260 wrote to memory of 4940 3260 48044.exe 89 PID 4940 wrote to memory of 1336 4940 4284006.exe 90 PID 4940 wrote to memory of 1336 4940 4284006.exe 90 PID 4940 wrote to memory of 1336 4940 4284006.exe 90 PID 1336 wrote to memory of 5116 1336 6048226.exe 91 PID 1336 wrote to memory of 5116 1336 6048226.exe 91 PID 1336 wrote to memory of 5116 1336 6048226.exe 91 PID 5116 wrote to memory of 1384 5116 pjpvv.exe 92 PID 5116 wrote to memory of 1384 5116 pjpvv.exe 92 PID 5116 wrote to memory of 1384 5116 pjpvv.exe 92 PID 1384 wrote to memory of 3764 1384 880044.exe 93 PID 1384 wrote to memory of 3764 1384 880044.exe 93 PID 1384 wrote to memory of 3764 1384 880044.exe 93 PID 3764 wrote to memory of 3100 3764 606060.exe 94 PID 3764 wrote to memory 
of 3100 3764 606060.exe 94 PID 3764 wrote to memory of 3100 3764 606060.exe 94 PID 3100 wrote to memory of 3488 3100 88820.exe 95 PID 3100 wrote to memory of 3488 3100 88820.exe 95 PID 3100 wrote to memory of 3488 3100 88820.exe 95 PID 3488 wrote to memory of 2908 3488 66248.exe 96 PID 3488 wrote to memory of 2908 3488 66248.exe 96 PID 3488 wrote to memory of 2908 3488 66248.exe 96 PID 2908 wrote to memory of 32 2908 fxllffx.exe 97 PID 2908 wrote to memory of 32 2908 fxllffx.exe 97 PID 2908 wrote to memory of 32 2908 fxllffx.exe 97 PID 32 wrote to memory of 5100 32 602044.exe 98 PID 32 wrote to memory of 5100 32 602044.exe 98 PID 32 wrote to memory of 5100 32 602044.exe 98 PID 5100 wrote to memory of 4144 5100 rlxxrrr.exe 99 PID 5100 wrote to memory of 4144 5100 rlxxrrr.exe 99 PID 5100 wrote to memory of 4144 5100 rlxxrrr.exe 99 PID 4144 wrote to memory of 3892 4144 028822.exe 100 PID 4144 wrote to memory of 3892 4144 028822.exe 100 PID 4144 wrote to memory of 3892 4144 028822.exe 100 PID 3892 wrote to memory of 2632 3892 5hnnnh.exe 101 PID 3892 wrote to memory of 2632 3892 5hnnnh.exe 101 PID 3892 wrote to memory of 2632 3892 5hnnnh.exe 101 PID 2632 wrote to memory of 2160 2632 xlrrlrl.exe 102 PID 2632 wrote to memory of 2160 2632 xlrrlrl.exe 102 PID 2632 wrote to memory of 2160 2632 xlrrlrl.exe 102 PID 2160 wrote to memory of 2620 2160 4004826.exe 103 PID 2160 wrote to memory of 2620 2160 4004826.exe 103 PID 2160 wrote to memory of 2620 2160 4004826.exe 103 PID 2620 wrote to memory of 4444 2620 824444.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36N.exe"C:\Users\Admin\AppData\Local\Temp\b51ce26f60fa71c8c2e10bafd1c55e3b4fcbcc0138f651a85757d186b7632b36N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\bnnhbb.exec:\bnnhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\2460448.exec:\2460448.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\024822.exec:\024822.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\vpjdv.exec:\vpjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\hhnhtt.exec:\hhnhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\48044.exec:\48044.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\4284006.exec:\4284006.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\6048226.exec:\6048226.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\pjpvv.exec:\pjpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\880044.exec:\880044.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\606060.exec:\606060.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\88820.exec:\88820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\66248.exec:\66248.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\fxllffx.exec:\fxllffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\602044.exec:\602044.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\rlxxrrr.exec:\rlxxrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\028822.exec:\028822.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\5hnnnh.exec:\5hnnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\4004826.exec:\4004826.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\824444.exec:\824444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\5vddd.exec:\5vddd.exe23⤵
- Executes dropped EXE
PID:4444 -
\??\c:\xrxlllr.exec:\xrxlllr.exe24⤵
- Executes dropped EXE
PID:2380 -
\??\c:\ntnhbb.exec:\ntnhbb.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1232 -
\??\c:\662646.exec:\662646.exe26⤵
- Executes dropped EXE
PID:3316 -
\??\c:\422644.exec:\422644.exe27⤵
- Executes dropped EXE
PID:5020 -
\??\c:\3flfrxr.exec:\3flfrxr.exe28⤵
- Executes dropped EXE
PID:1056 -
\??\c:\rfxrfxl.exec:\rfxrfxl.exe29⤵
- Executes dropped EXE
PID:1576 -
\??\c:\flxrlll.exec:\flxrlll.exe30⤵
- Executes dropped EXE
PID:3676 -
\??\c:\0848226.exec:\0848226.exe31⤵
- Executes dropped EXE
PID:4260 -
\??\c:\2246006.exec:\2246006.exe32⤵
- Executes dropped EXE
PID:1768 -
\??\c:\k28660.exec:\k28660.exe33⤵
- Executes dropped EXE
PID:2460 -
\??\c:\0228822.exec:\0228822.exe34⤵
- Executes dropped EXE
PID:4024 -
\??\c:\66884.exec:\66884.exe35⤵
- Executes dropped EXE
PID:4172 -
\??\c:\jdpjj.exec:\jdpjj.exe36⤵
- Executes dropped EXE
PID:4220 -
\??\c:\frfxxxf.exec:\frfxxxf.exe37⤵
- Executes dropped EXE
PID:724 -
\??\c:\62448.exec:\62448.exe38⤵
- Executes dropped EXE
PID:4160 -
\??\c:\xflfrrr.exec:\xflfrrr.exe39⤵
- Executes dropped EXE
PID:4948 -
\??\c:\046802.exec:\046802.exe40⤵
- Executes dropped EXE
PID:4796 -
\??\c:\24442.exec:\24442.exe41⤵
- Executes dropped EXE
PID:3712 -
\??\c:\40600.exec:\40600.exe42⤵
- Executes dropped EXE
PID:3368 -
\??\c:\46664.exec:\46664.exe43⤵
- Executes dropped EXE
PID:4352 -
\??\c:\844822.exec:\844822.exe44⤵
- Executes dropped EXE
PID:4540 -
\??\c:\3hhtnt.exec:\3hhtnt.exe45⤵
- Executes dropped EXE
PID:3968 -
\??\c:\6004844.exec:\6004844.exe46⤵
- Executes dropped EXE
PID:2080 -
\??\c:\jdvvj.exec:\jdvvj.exe47⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3flfrrl.exec:\3flfrrl.exe48⤵
- Executes dropped EXE
PID:4496 -
\??\c:\vvjjj.exec:\vvjjj.exe49⤵
- Executes dropped EXE
PID:4312 -
\??\c:\3jjjd.exec:\3jjjd.exe50⤵
- Executes dropped EXE
PID:3320 -
\??\c:\tttnhh.exec:\tttnhh.exe51⤵
- Executes dropped EXE
PID:2444 -
\??\c:\406604.exec:\406604.exe52⤵
- Executes dropped EXE
PID:2076 -
\??\c:\fflrfxr.exec:\fflrfxr.exe53⤵
- Executes dropped EXE
PID:264 -
\??\c:\06866.exec:\06866.exe54⤵
- Executes dropped EXE
PID:4680 -
\??\c:\402604.exec:\402604.exe55⤵
- Executes dropped EXE
PID:1336 -
\??\c:\nhhtnh.exec:\nhhtnh.exe56⤵
- Executes dropped EXE
PID:1700 -
\??\c:\0626260.exec:\0626260.exe57⤵
- Executes dropped EXE
PID:3628 -
\??\c:\22444.exec:\22444.exe58⤵
- Executes dropped EXE
PID:3752 -
\??\c:\64266.exec:\64266.exe59⤵
- Executes dropped EXE
PID:3764 -
\??\c:\60424.exec:\60424.exe60⤵
- Executes dropped EXE
PID:1064 -
\??\c:\4400448.exec:\4400448.exe61⤵
- Executes dropped EXE
PID:412 -
\??\c:\rxrrlfx.exec:\rxrrlfx.exe62⤵
- Executes dropped EXE
PID:1252 -
\??\c:\hbhbhb.exec:\hbhbhb.exe63⤵
- Executes dropped EXE
PID:2276 -
\??\c:\48886.exec:\48886.exe64⤵
- Executes dropped EXE
PID:3728 -
\??\c:\06222.exec:\06222.exe65⤵
- Executes dropped EXE
PID:3604 -
\??\c:\jvpjv.exec:\jvpjv.exe66⤵PID:2680
-
\??\c:\g0266.exec:\g0266.exe67⤵PID:2976
-
\??\c:\4400448.exec:\4400448.exe68⤵PID:1580
-
\??\c:\06022.exec:\06022.exe69⤵PID:4716
-
\??\c:\82820.exec:\82820.exe70⤵PID:2804
-
\??\c:\nbbbtt.exec:\nbbbtt.exe71⤵PID:5088
-
\??\c:\bnnntt.exec:\bnnntt.exe72⤵PID:1568
-
\??\c:\82440.exec:\82440.exe73⤵PID:3400
-
\??\c:\206660.exec:\206660.exe74⤵PID:3696
-
\??\c:\0844222.exec:\0844222.exe75⤵PID:1728
-
\??\c:\8848260.exec:\8848260.exe76⤵
- System Location Discovery: System Language Discovery
PID:716 -
\??\c:\a4604.exec:\a4604.exe77⤵PID:4760
-
\??\c:\24664.exec:\24664.exe78⤵PID:4576
-
\??\c:\flrlfxx.exec:\flrlfxx.exe79⤵PID:384
-
\??\c:\fllxxlr.exec:\fllxxlr.exe80⤵PID:2240
-
\??\c:\068284.exec:\068284.exe81⤵PID:2528
-
\??\c:\frrfxxr.exec:\frrfxxr.exe82⤵PID:2112
-
\??\c:\hhbtht.exec:\hhbtht.exe83⤵PID:1456
-
\??\c:\hbbtnn.exec:\hbbtnn.exe84⤵PID:4024
-
\??\c:\88048.exec:\88048.exe85⤵PID:1788
-
\??\c:\vjjdd.exec:\vjjdd.exe86⤵PID:3872
-
\??\c:\tnhbtn.exec:\tnhbtn.exe87⤵PID:2500
-
\??\c:\vvvjj.exec:\vvvjj.exe88⤵PID:3104
-
\??\c:\vdjdp.exec:\vdjdp.exe89⤵PID:3032
-
\??\c:\g8822.exec:\g8822.exe90⤵PID:5068
-
\??\c:\vdjdv.exec:\vdjdv.exe91⤵PID:116
-
\??\c:\tbtttb.exec:\tbtttb.exe92⤵PID:3712
-
\??\c:\9xrfxxr.exec:\9xrfxxr.exe93⤵PID:4864
-
\??\c:\vvvpd.exec:\vvvpd.exe94⤵PID:1552
-
\??\c:\208826.exec:\208826.exe95⤵PID:2852
-
\??\c:\4402248.exec:\4402248.exe96⤵PID:3076
-
\??\c:\nhhhbb.exec:\nhhhbb.exe97⤵PID:2568
-
\??\c:\0244888.exec:\0244888.exe98⤵PID:2364
-
\??\c:\484484.exec:\484484.exe99⤵PID:2548
-
\??\c:\jdvdv.exec:\jdvdv.exe100⤵PID:2116
-
\??\c:\40004.exec:\40004.exe101⤵PID:3320
-
\??\c:\rfxfffl.exec:\rfxfffl.exe102⤵PID:1040
-
\??\c:\84084.exec:\84084.exe103⤵PID:2756
-
\??\c:\6066000.exec:\6066000.exe104⤵PID:4824
-
\??\c:\1xrrlll.exec:\1xrrlll.exe105⤵PID:2260
-
\??\c:\vdvjv.exec:\vdvjv.exe106⤵PID:4028
-
\??\c:\84626.exec:\84626.exe107⤵PID:3332
-
\??\c:\088660.exec:\088660.exe108⤵PID:3748
-
\??\c:\e66826.exec:\e66826.exe109⤵PID:2908
-
\??\c:\0064264.exec:\0064264.exe110⤵PID:2188
-
\??\c:\tnhbnb.exec:\tnhbnb.exe111⤵PID:2268
-
\??\c:\4668428.exec:\4668428.exe112⤵PID:1512
-
\??\c:\824646.exec:\824646.exe113⤵PID:3096
-
\??\c:\1tthtb.exec:\1tthtb.exe114⤵PID:2144
-
\??\c:\644200.exec:\644200.exe115⤵PID:812
-
\??\c:\9ffxlfx.exec:\9ffxlfx.exe116⤵PID:5104
-
\??\c:\026462.exec:\026462.exe117⤵PID:2160
-
\??\c:\48488.exec:\48488.exe118⤵PID:432
-
\??\c:\vvvdj.exec:\vvvdj.exe119⤵PID:3404
-
\??\c:\68608.exec:\68608.exe120⤵PID:1168
-
\??\c:\26826.exec:\26826.exe121⤵PID:2648
-
\??\c:\644882.exec:\644882.exe122⤵PID:752