Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 17:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe
-
Size
454KB
-
MD5
26371a8788e8a4f1dd2519e383f133d0
-
SHA1
a248ef00da06210f3d8f3bd06f0768f59440c78d
-
SHA256
26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668a
-
SHA512
4a2ed3a1fe9c6245db17a1e0f19da685833ccd8b4cdb72beadbd4800c5375cf85c5ce17f51a186a54781f75fed0d7d9a2f46d58859e301e063605aa128762916
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/1904-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-88-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2920-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-108-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1728-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-241-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1788-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2332-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-564-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2772-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-716-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2348-800-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2332-816-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2348-823-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2788-862-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1696-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-1020-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1916-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-1031-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1904-1102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2504 rrrffrf.exe 2808 420066.exe 2756 6860662.exe 2720 7hhnnt.exe 568 jdjpp.exe 2556 c084062.exe 2632 428886.exe 2364 0866220.exe 1724 a8666.exe 2920 jjdjp.exe 1276 vpdjj.exe 1728 vvjpd.exe 2376 4688440.exe 1244 rlrlrlr.exe 1624 lflrxxx.exe 1316 028226.exe 1296 frxrxrr.exe 2160 thtbhb.exe 1308 nhhhnn.exe 1640 nhtnbh.exe 616 rxfxrrr.exe 1916 nhbtnh.exe 964 86064.exe 564 e80688.exe 1532 nhtbhn.exe 1252 rlflllx.exe 1656 rrffrxl.exe 1788 686622.exe 2332 nthbtt.exe 1852 8206262.exe 1996 82068.exe 2272 btnhtt.exe 1592 20606.exe 2824 i428668.exe 2768 dppjd.exe 2756 jvjjp.exe 2676 048204.exe 568 q60082.exe 2572 vjpjd.exe 2636 64802.exe 2632 3xllrrx.exe 2764 642244.exe 2832 1xllxxf.exe 3036 nhhhtt.exe 3028 rlxfllr.exe 3048 bntntt.exe 1060 rflfffl.exe 1716 864400.exe 480 4288484.exe 684 4866224.exe 1636 fflrxxl.exe 2620 3nhnbt.exe 1848 rlxllxx.exe 1152 vpdjp.exe 2188 fxrxfrx.exe 2968 86864.exe 2060 hbbbnt.exe 2292 046682.exe 852 486804.exe 712 086828.exe 1708 2062240.exe 964 480246.exe 940 64222.exe 2420 bnhbhh.exe -
resource yara_rule behavioral1/memory/1904-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-252-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2332-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-685-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/444-727-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/852-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-843-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1696-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-1020-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1916-1021-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-1102-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2408288.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0800606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2066046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1904 wrote to memory of 2504 1904 26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe 31 PID 1904 wrote to memory of 2504 1904 26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe 31 PID 1904 wrote to memory of 2504 1904 26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe 31 PID 1904 wrote to memory of 2504 1904 26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe 31 PID 2504 wrote to memory of 2808 2504 rrrffrf.exe 32 PID 2504 wrote to memory of 2808 2504 rrrffrf.exe 32 PID 2504 wrote to memory of 2808 2504 rrrffrf.exe 32 PID 2504 wrote to memory of 2808 2504 rrrffrf.exe 32 PID 2808 wrote to memory of 2756 2808 420066.exe 33 PID 2808 wrote to memory of 2756 2808 420066.exe 33 PID 2808 wrote to memory of 2756 2808 420066.exe 33 PID 2808 wrote to memory of 2756 2808 420066.exe 33 PID 2756 wrote to memory of 2720 2756 6860662.exe 34 PID 2756 wrote to memory of 2720 2756 6860662.exe 34 PID 2756 wrote to memory of 2720 2756 6860662.exe 34 PID 2756 wrote to memory of 2720 2756 6860662.exe 34 PID 2720 wrote to memory of 568 2720 7hhnnt.exe 35 PID 2720 wrote to memory of 568 2720 7hhnnt.exe 35 PID 2720 wrote to memory of 568 2720 7hhnnt.exe 35 PID 2720 wrote to memory of 568 2720 7hhnnt.exe 35 PID 568 wrote to memory of 2556 568 jdjpp.exe 36 PID 568 wrote to memory of 2556 568 jdjpp.exe 36 PID 568 wrote to memory of 2556 568 jdjpp.exe 36 PID 568 wrote to memory of 2556 568 jdjpp.exe 36 PID 2556 wrote to memory of 2632 2556 c084062.exe 37 PID 2556 wrote to memory of 2632 2556 c084062.exe 37 PID 2556 wrote to memory of 2632 2556 c084062.exe 37 PID 2556 wrote to memory of 2632 2556 c084062.exe 37 PID 2632 wrote to memory of 2364 2632 428886.exe 38 PID 2632 wrote to memory of 2364 2632 428886.exe 38 PID 2632 wrote to memory of 2364 2632 428886.exe 38 PID 2632 wrote to memory of 2364 2632 428886.exe 38 PID 2364 wrote to memory of 1724 2364 0866220.exe 39 PID 2364 
wrote to memory of 1724 2364 0866220.exe 39 PID 2364 wrote to memory of 1724 2364 0866220.exe 39 PID 2364 wrote to memory of 1724 2364 0866220.exe 39 PID 1724 wrote to memory of 2920 1724 a8666.exe 40 PID 1724 wrote to memory of 2920 1724 a8666.exe 40 PID 1724 wrote to memory of 2920 1724 a8666.exe 40 PID 1724 wrote to memory of 2920 1724 a8666.exe 40 PID 2920 wrote to memory of 1276 2920 jjdjp.exe 41 PID 2920 wrote to memory of 1276 2920 jjdjp.exe 41 PID 2920 wrote to memory of 1276 2920 jjdjp.exe 41 PID 2920 wrote to memory of 1276 2920 jjdjp.exe 41 PID 1276 wrote to memory of 1728 1276 vpdjj.exe 42 PID 1276 wrote to memory of 1728 1276 vpdjj.exe 42 PID 1276 wrote to memory of 1728 1276 vpdjj.exe 42 PID 1276 wrote to memory of 1728 1276 vpdjj.exe 42 PID 1728 wrote to memory of 2376 1728 vvjpd.exe 43 PID 1728 wrote to memory of 2376 1728 vvjpd.exe 43 PID 1728 wrote to memory of 2376 1728 vvjpd.exe 43 PID 1728 wrote to memory of 2376 1728 vvjpd.exe 43 PID 2376 wrote to memory of 1244 2376 4688440.exe 44 PID 2376 wrote to memory of 1244 2376 4688440.exe 44 PID 2376 wrote to memory of 1244 2376 4688440.exe 44 PID 2376 wrote to memory of 1244 2376 4688440.exe 44 PID 1244 wrote to memory of 1624 1244 rlrlrlr.exe 45 PID 1244 wrote to memory of 1624 1244 rlrlrlr.exe 45 PID 1244 wrote to memory of 1624 1244 rlrlrlr.exe 45 PID 1244 wrote to memory of 1624 1244 rlrlrlr.exe 45 PID 1624 wrote to memory of 1316 1624 lflrxxx.exe 46 PID 1624 wrote to memory of 1316 1624 lflrxxx.exe 46 PID 1624 wrote to memory of 1316 1624 lflrxxx.exe 46 PID 1624 wrote to memory of 1316 1624 lflrxxx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe"C:\Users\Admin\AppData\Local\Temp\26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\rrrffrf.exec:\rrrffrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\420066.exec:\420066.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\6860662.exec:\6860662.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\7hhnnt.exec:\7hhnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\jdjpp.exec:\jdjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\c084062.exec:\c084062.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\428886.exec:\428886.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\0866220.exec:\0866220.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\a8666.exec:\a8666.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\jjdjp.exec:\jjdjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\vpdjj.exec:\vpdjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\vvjpd.exec:\vvjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\4688440.exec:\4688440.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\lflrxxx.exec:\lflrxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\028226.exec:\028226.exe17⤵
- Executes dropped EXE
PID:1316 -
\??\c:\frxrxrr.exec:\frxrxrr.exe18⤵
- Executes dropped EXE
PID:1296 -
\??\c:\thtbhb.exec:\thtbhb.exe19⤵
- Executes dropped EXE
PID:2160 -
\??\c:\nhhhnn.exec:\nhhhnn.exe20⤵
- Executes dropped EXE
PID:1308 -
\??\c:\nhtnbh.exec:\nhtnbh.exe21⤵
- Executes dropped EXE
PID:1640 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe22⤵
- Executes dropped EXE
PID:616 -
\??\c:\nhbtnh.exec:\nhbtnh.exe23⤵
- Executes dropped EXE
PID:1916 -
\??\c:\86064.exec:\86064.exe24⤵
- Executes dropped EXE
PID:964 -
\??\c:\e80688.exec:\e80688.exe25⤵
- Executes dropped EXE
PID:564 -
\??\c:\nhtbhn.exec:\nhtbhn.exe26⤵
- Executes dropped EXE
PID:1532 -
\??\c:\rlflllx.exec:\rlflllx.exe27⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rrffrxl.exec:\rrffrxl.exe28⤵
- Executes dropped EXE
PID:1656 -
\??\c:\686622.exec:\686622.exe29⤵
- Executes dropped EXE
PID:1788 -
\??\c:\nthbtt.exec:\nthbtt.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\8206262.exec:\8206262.exe31⤵
- Executes dropped EXE
PID:1852 -
\??\c:\82068.exec:\82068.exe32⤵
- Executes dropped EXE
PID:1996 -
\??\c:\btnhtt.exec:\btnhtt.exe33⤵
- Executes dropped EXE
PID:2272 -
\??\c:\20606.exec:\20606.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\i428668.exec:\i428668.exe35⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dppjd.exec:\dppjd.exe36⤵
- Executes dropped EXE
PID:2768 -
\??\c:\jvjjp.exec:\jvjjp.exe37⤵
- Executes dropped EXE
PID:2756 -
\??\c:\048204.exec:\048204.exe38⤵
- Executes dropped EXE
PID:2676 -
\??\c:\q60082.exec:\q60082.exe39⤵
- Executes dropped EXE
PID:568 -
\??\c:\vjpjd.exec:\vjpjd.exe40⤵
- Executes dropped EXE
PID:2572 -
\??\c:\64802.exec:\64802.exe41⤵
- Executes dropped EXE
PID:2636 -
\??\c:\3xllrrx.exec:\3xllrrx.exe42⤵
- Executes dropped EXE
PID:2632 -
\??\c:\642244.exec:\642244.exe43⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1xllxxf.exec:\1xllxxf.exe44⤵
- Executes dropped EXE
PID:2832 -
\??\c:\nhhhtt.exec:\nhhhtt.exe45⤵
- Executes dropped EXE
PID:3036 -
\??\c:\rlxfllr.exec:\rlxfllr.exe46⤵
- Executes dropped EXE
PID:3028 -
\??\c:\bntntt.exec:\bntntt.exe47⤵
- Executes dropped EXE
PID:3048 -
\??\c:\rflfffl.exec:\rflfffl.exe48⤵
- Executes dropped EXE
PID:1060 -
\??\c:\864400.exec:\864400.exe49⤵
- Executes dropped EXE
PID:1716 -
\??\c:\4288484.exec:\4288484.exe50⤵
- Executes dropped EXE
PID:480 -
\??\c:\4866224.exec:\4866224.exe51⤵
- Executes dropped EXE
PID:684 -
\??\c:\fflrxxl.exec:\fflrxxl.exe52⤵
- Executes dropped EXE
PID:1636 -
\??\c:\3nhnbt.exec:\3nhnbt.exe53⤵
- Executes dropped EXE
PID:2620 -
\??\c:\rlxllxx.exec:\rlxllxx.exe54⤵
- Executes dropped EXE
PID:1848 -
\??\c:\vpdjp.exec:\vpdjp.exe55⤵
- Executes dropped EXE
PID:1152 -
\??\c:\fxrxfrx.exec:\fxrxfrx.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\86864.exec:\86864.exe57⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hbbbnt.exec:\hbbbnt.exe58⤵
- Executes dropped EXE
PID:2060 -
\??\c:\046682.exec:\046682.exe59⤵
- Executes dropped EXE
PID:2292 -
\??\c:\486804.exec:\486804.exe60⤵
- Executes dropped EXE
PID:852 -
\??\c:\086828.exec:\086828.exe61⤵
- Executes dropped EXE
PID:712 -
\??\c:\2062240.exec:\2062240.exe62⤵
- Executes dropped EXE
PID:1708 -
\??\c:\480246.exec:\480246.exe63⤵
- Executes dropped EXE
PID:964 -
\??\c:\64222.exec:\64222.exe64⤵
- Executes dropped EXE
PID:940 -
\??\c:\bnhbhh.exec:\bnhbhh.exe65⤵
- Executes dropped EXE
PID:2420 -
\??\c:\9dpvd.exec:\9dpvd.exe66⤵PID:2316
-
\??\c:\xxffrxf.exec:\xxffrxf.exe67⤵PID:1292
-
\??\c:\fxxrrrx.exec:\fxxrrrx.exe68⤵PID:1500
-
\??\c:\60062.exec:\60062.exe69⤵PID:2080
-
\??\c:\bnbtbb.exec:\bnbtbb.exe70⤵PID:3068
-
\??\c:\26400.exec:\26400.exe71⤵PID:1844
-
\??\c:\0400662.exec:\0400662.exe72⤵PID:2456
-
\??\c:\c022260.exec:\c022260.exe73⤵PID:2144
-
\??\c:\424466.exec:\424466.exe74⤵PID:2344
-
\??\c:\7fxfrlx.exec:\7fxfrlx.exe75⤵PID:1584
-
\??\c:\thttbt.exec:\thttbt.exe76⤵
- System Location Discovery: System Language Discovery
PID:2688 -
\??\c:\860466.exec:\860466.exe77⤵PID:2712
-
\??\c:\bthntt.exec:\bthntt.exe78⤵PID:2564
-
\??\c:\262284.exec:\262284.exe79⤵PID:2592
-
\??\c:\2066046.exec:\2066046.exe80⤵
- System Location Discovery: System Language Discovery
PID:2772 -
\??\c:\8240880.exec:\8240880.exe81⤵PID:2728
-
\??\c:\4244044.exec:\4244044.exe82⤵PID:2560
-
\??\c:\48246.exec:\48246.exe83⤵PID:3040
-
\??\c:\g8822.exec:\g8822.exe84⤵PID:1424
-
\??\c:\dpdpj.exec:\dpdpj.exe85⤵PID:1760
-
\??\c:\9hnnht.exec:\9hnnht.exe86⤵PID:1876
-
\??\c:\00280.exec:\00280.exe87⤵PID:2884
-
\??\c:\0800666.exec:\0800666.exe88⤵PID:2928
-
\??\c:\nbhhnn.exec:\nbhhnn.exe89⤵PID:2356
-
\??\c:\48224.exec:\48224.exe90⤵PID:2596
-
\??\c:\c644602.exec:\c644602.exe91⤵PID:588
-
\??\c:\bttttt.exec:\bttttt.exe92⤵PID:2360
-
\??\c:\rxrxrlf.exec:\rxrxrlf.exe93⤵PID:2376
-
\??\c:\hbnhnt.exec:\hbnhnt.exe94⤵PID:2856
-
\??\c:\5ddvv.exec:\5ddvv.exe95⤵PID:1320
-
\??\c:\7xlxxxx.exec:\7xlxxxx.exe96⤵PID:1840
-
\??\c:\02446.exec:\02446.exe97⤵PID:372
-
\??\c:\7lrxrrr.exec:\7lrxrrr.exe98⤵PID:2408
-
\??\c:\nbnthn.exec:\nbnthn.exe99⤵PID:2092
-
\??\c:\pvpvp.exec:\pvpvp.exe100⤵PID:444
-
\??\c:\q20622.exec:\q20622.exe101⤵PID:2060
-
\??\c:\jdpvj.exec:\jdpvj.exe102⤵PID:1364
-
\??\c:\426682.exec:\426682.exe103⤵PID:852
-
\??\c:\4826880.exec:\4826880.exe104⤵PID:1056
-
\??\c:\3bnntn.exec:\3bnntn.exe105⤵PID:1708
-
\??\c:\e08868.exec:\e08868.exe106⤵PID:1340
-
\??\c:\xrxlllx.exec:\xrxlllx.exe107⤵PID:1984
-
\??\c:\ddpvj.exec:\ddpvj.exe108⤵PID:1712
-
\??\c:\82400.exec:\82400.exe109⤵PID:1632
-
\??\c:\dvdvd.exec:\dvdvd.exe110⤵PID:2280
-
\??\c:\8202440.exec:\8202440.exe111⤵PID:2348
-
\??\c:\608428.exec:\608428.exe112⤵PID:2204
-
\??\c:\462660.exec:\462660.exe113⤵PID:2332
-
\??\c:\ttnbbt.exec:\ttnbbt.exe114⤵PID:2212
-
\??\c:\04402.exec:\04402.exe115⤵PID:2144
-
\??\c:\6002624.exec:\6002624.exe116⤵PID:2468
-
\??\c:\3vppp.exec:\3vppp.exe117⤵PID:2788
-
\??\c:\46066.exec:\46066.exe118⤵PID:2688
-
\??\c:\xlrllll.exec:\xlrllll.exe119⤵PID:2264
-
\??\c:\4206808.exec:\4206808.exe120⤵PID:2760
-
\??\c:\bntnnh.exec:\bntnnh.exe121⤵PID:2148
-
\??\c:\9pjpp.exec:\9pjpp.exe122⤵PID:2608