Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe
-
Size
454KB
-
MD5
26371a8788e8a4f1dd2519e383f133d0
-
SHA1
a248ef00da06210f3d8f3bd06f0768f59440c78d
-
SHA256
26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668a
-
SHA512
4a2ed3a1fe9c6245db17a1e0f19da685833ccd8b4cdb72beadbd4800c5375cf85c5ce17f51a186a54781f75fed0d7d9a2f46d58859e301e063605aa128762916
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2544-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1340-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3164-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 860 bhnnhn.exe 3320 ppjvp.exe 5012 dddpj.exe 5112 62860.exe 3168 jpdjj.exe 2224 rlrfxrx.exe 2600 2862826.exe 4760 4082488.exe 1416 hnhhht.exe 624 64620.exe 2196 6200044.exe 1600 fxfxrll.exe 1392 222048.exe 3184 820066.exe 536 240600.exe 4680 08482.exe 220 8220004.exe 1656 pjjdd.exe 1940 rxrlffx.exe 2484 240482.exe 2604 6022828.exe 4792 bhnhbt.exe 4832 26044.exe 3568 820066.exe 1436 0644888.exe 1340 2820406.exe 4812 dpvvp.exe 1256 006048.exe 712 rlffflx.exe 3912 nhhnhn.exe 4408 rlrlrrr.exe 4764 4826004.exe 4432 1jjdd.exe 3424 2004260.exe 4588 vjpjd.exe 1716 0400826.exe 3896 04886.exe 2408 60600.exe 1424 c248604.exe 4860 2882042.exe 812 2066064.exe 3456 u220864.exe 2344 q06864.exe 3620 jppdd.exe 1076 84008.exe 1504 206042.exe 2488 nbhhbb.exe 1592 860484.exe 1520 hnthbb.exe 3168 60606.exe 2164 rfrflff.exe 3148 jvjjd.exe 2424 8020882.exe 464 bnttnb.exe 764 o882008.exe 1756 266048.exe 1416 s4042.exe 1924 4286408.exe 3696 60482.exe 2664 8682262.exe 4172 frlfxxr.exe 1500 jvvpp.exe 2832 thhtht.exe 4800 20064.exe -
resource yara_rule behavioral2/memory/2544-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/712-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3940-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-755-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6286042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8222000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2004444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4260826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 860 2544 26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe 83 PID 2544 wrote to memory of 860 2544 26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe 83 PID 2544 wrote to memory of 860 2544 26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe 83 PID 860 wrote to memory of 3320 860 bhnnhn.exe 84 PID 860 wrote to memory of 3320 860 bhnnhn.exe 84 PID 860 wrote to memory of 3320 860 bhnnhn.exe 84 PID 3320 wrote to memory of 5012 3320 ppjvp.exe 85 PID 3320 wrote to memory of 5012 3320 ppjvp.exe 85 PID 3320 wrote to memory of 5012 3320 ppjvp.exe 85 PID 5012 wrote to memory of 5112 5012 dddpj.exe 86 PID 5012 wrote to memory of 5112 5012 dddpj.exe 86 PID 5012 wrote to memory of 5112 5012 dddpj.exe 86 PID 5112 wrote to memory of 3168 5112 62860.exe 87 PID 5112 wrote to memory of 3168 5112 62860.exe 87 PID 5112 wrote to memory of 3168 5112 62860.exe 87 PID 3168 wrote to memory of 2224 3168 jpdjj.exe 88 PID 3168 wrote to memory of 2224 3168 jpdjj.exe 88 PID 3168 wrote to memory of 2224 3168 jpdjj.exe 88 PID 2224 wrote to memory of 2600 2224 rlrfxrx.exe 89 PID 2224 wrote to memory of 2600 2224 rlrfxrx.exe 89 PID 2224 wrote to memory of 2600 2224 rlrfxrx.exe 89 PID 2600 wrote to memory of 4760 2600 2862826.exe 90 PID 2600 wrote to memory of 4760 2600 2862826.exe 90 PID 2600 wrote to memory of 4760 2600 2862826.exe 90 PID 4760 wrote to memory of 1416 4760 4082488.exe 91 PID 4760 wrote to memory of 1416 4760 4082488.exe 91 PID 4760 wrote to memory of 1416 4760 4082488.exe 91 PID 1416 wrote to memory of 624 1416 hnhhht.exe 92 PID 1416 wrote to memory of 624 1416 hnhhht.exe 92 PID 1416 wrote to memory of 624 1416 hnhhht.exe 92 PID 624 wrote to memory of 2196 624 64620.exe 93 PID 624 wrote to memory of 2196 624 64620.exe 93 PID 624 wrote to memory of 2196 624 64620.exe 93 PID 2196 wrote to memory of 1600 2196 6200044.exe 94 PID 2196 wrote to memory of 1600 2196 
6200044.exe 94 PID 2196 wrote to memory of 1600 2196 6200044.exe 94 PID 1600 wrote to memory of 1392 1600 fxfxrll.exe 95 PID 1600 wrote to memory of 1392 1600 fxfxrll.exe 95 PID 1600 wrote to memory of 1392 1600 fxfxrll.exe 95 PID 1392 wrote to memory of 3184 1392 222048.exe 96 PID 1392 wrote to memory of 3184 1392 222048.exe 96 PID 1392 wrote to memory of 3184 1392 222048.exe 96 PID 3184 wrote to memory of 536 3184 820066.exe 97 PID 3184 wrote to memory of 536 3184 820066.exe 97 PID 3184 wrote to memory of 536 3184 820066.exe 97 PID 536 wrote to memory of 4680 536 240600.exe 98 PID 536 wrote to memory of 4680 536 240600.exe 98 PID 536 wrote to memory of 4680 536 240600.exe 98 PID 4680 wrote to memory of 220 4680 08482.exe 99 PID 4680 wrote to memory of 220 4680 08482.exe 99 PID 4680 wrote to memory of 220 4680 08482.exe 99 PID 220 wrote to memory of 1656 220 8220004.exe 100 PID 220 wrote to memory of 1656 220 8220004.exe 100 PID 220 wrote to memory of 1656 220 8220004.exe 100 PID 1656 wrote to memory of 1940 1656 pjjdd.exe 101 PID 1656 wrote to memory of 1940 1656 pjjdd.exe 101 PID 1656 wrote to memory of 1940 1656 pjjdd.exe 101 PID 1940 wrote to memory of 2484 1940 rxrlffx.exe 102 PID 1940 wrote to memory of 2484 1940 rxrlffx.exe 102 PID 1940 wrote to memory of 2484 1940 rxrlffx.exe 102 PID 2484 wrote to memory of 2604 2484 240482.exe 103 PID 2484 wrote to memory of 2604 2484 240482.exe 103 PID 2484 wrote to memory of 2604 2484 240482.exe 103 PID 2604 wrote to memory of 4792 2604 6022828.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe"C:\Users\Admin\AppData\Local\Temp\26136e5d8efa420af8a7f9c7364013bc2c559a5f83943dc1f7aa4477408b668aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\bhnnhn.exec:\bhnnhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\ppjvp.exec:\ppjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\dddpj.exec:\dddpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\62860.exec:\62860.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\jpdjj.exec:\jpdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\rlrfxrx.exec:\rlrfxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\2862826.exec:\2862826.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\4082488.exec:\4082488.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\hnhhht.exec:\hnhhht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\64620.exec:\64620.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\6200044.exec:\6200044.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\fxfxrll.exec:\fxfxrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\222048.exec:\222048.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\820066.exec:\820066.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\240600.exec:\240600.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\08482.exec:\08482.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\8220004.exec:\8220004.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\pjjdd.exec:\pjjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\rxrlffx.exec:\rxrlffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\240482.exec:\240482.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\6022828.exec:\6022828.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\bhnhbt.exec:\bhnhbt.exe23⤵
- Executes dropped EXE
PID:4792 -
\??\c:\26044.exec:\26044.exe24⤵
- Executes dropped EXE
PID:4832 -
\??\c:\820066.exec:\820066.exe25⤵
- Executes dropped EXE
PID:3568 -
\??\c:\0644888.exec:\0644888.exe26⤵
- Executes dropped EXE
PID:1436 -
\??\c:\2820406.exec:\2820406.exe27⤵
- Executes dropped EXE
PID:1340 -
\??\c:\dpvvp.exec:\dpvvp.exe28⤵
- Executes dropped EXE
PID:4812 -
\??\c:\006048.exec:\006048.exe29⤵
- Executes dropped EXE
PID:1256 -
\??\c:\rlffflx.exec:\rlffflx.exe30⤵
- Executes dropped EXE
PID:712 -
\??\c:\nhhnhn.exec:\nhhnhn.exe31⤵
- Executes dropped EXE
PID:3912 -
\??\c:\rlrlrrr.exec:\rlrlrrr.exe32⤵
- Executes dropped EXE
PID:4408 -
\??\c:\4826004.exec:\4826004.exe33⤵
- Executes dropped EXE
PID:4764 -
\??\c:\1jjdd.exec:\1jjdd.exe34⤵
- Executes dropped EXE
PID:4432 -
\??\c:\2004260.exec:\2004260.exe35⤵
- Executes dropped EXE
PID:3424 -
\??\c:\vjpjd.exec:\vjpjd.exe36⤵
- Executes dropped EXE
PID:4588 -
\??\c:\0400826.exec:\0400826.exe37⤵
- Executes dropped EXE
PID:1716 -
\??\c:\04886.exec:\04886.exe38⤵
- Executes dropped EXE
PID:3896 -
\??\c:\60600.exec:\60600.exe39⤵
- Executes dropped EXE
PID:2408 -
\??\c:\c248604.exec:\c248604.exe40⤵
- Executes dropped EXE
PID:1424 -
\??\c:\4248860.exec:\4248860.exe41⤵PID:2848
-
\??\c:\2882042.exec:\2882042.exe42⤵
- Executes dropped EXE
PID:4860 -
\??\c:\2066064.exec:\2066064.exe43⤵
- Executes dropped EXE
PID:812 -
\??\c:\u220864.exec:\u220864.exe44⤵
- Executes dropped EXE
PID:3456 -
\??\c:\q06864.exec:\q06864.exe45⤵
- Executes dropped EXE
PID:2344 -
\??\c:\jppdd.exec:\jppdd.exe46⤵
- Executes dropped EXE
PID:3620 -
\??\c:\84008.exec:\84008.exe47⤵
- Executes dropped EXE
PID:1076 -
\??\c:\206042.exec:\206042.exe48⤵
- Executes dropped EXE
PID:1504 -
\??\c:\nbhhbb.exec:\nbhhbb.exe49⤵
- Executes dropped EXE
PID:2488 -
\??\c:\860484.exec:\860484.exe50⤵
- Executes dropped EXE
PID:1592 -
\??\c:\hnthbb.exec:\hnthbb.exe51⤵
- Executes dropped EXE
PID:1520 -
\??\c:\60606.exec:\60606.exe52⤵
- Executes dropped EXE
PID:3168 -
\??\c:\rfrflff.exec:\rfrflff.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\jvjjd.exec:\jvjjd.exe54⤵
- Executes dropped EXE
PID:3148 -
\??\c:\8020882.exec:\8020882.exe55⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bnttnb.exec:\bnttnb.exe56⤵
- Executes dropped EXE
PID:464 -
\??\c:\o882008.exec:\o882008.exe57⤵
- Executes dropped EXE
PID:764 -
\??\c:\266048.exec:\266048.exe58⤵
- Executes dropped EXE
PID:1756 -
\??\c:\s4042.exec:\s4042.exe59⤵
- Executes dropped EXE
PID:1416 -
\??\c:\4286408.exec:\4286408.exe60⤵
- Executes dropped EXE
PID:1924 -
\??\c:\60482.exec:\60482.exe61⤵
- Executes dropped EXE
PID:3696 -
\??\c:\8682262.exec:\8682262.exe62⤵
- Executes dropped EXE
PID:2664 -
\??\c:\frlfxxr.exec:\frlfxxr.exe63⤵
- Executes dropped EXE
PID:4172 -
\??\c:\jvvpp.exec:\jvvpp.exe64⤵
- Executes dropped EXE
PID:1500 -
\??\c:\thhtht.exec:\thhtht.exe65⤵
- Executes dropped EXE
PID:2832 -
\??\c:\20064.exec:\20064.exe66⤵
- Executes dropped EXE
PID:4800 -
\??\c:\c842048.exec:\c842048.exe67⤵PID:1920
-
\??\c:\djddv.exec:\djddv.exe68⤵PID:4808
-
\??\c:\vvdjd.exec:\vvdjd.exe69⤵PID:3164
-
\??\c:\o626448.exec:\o626448.exe70⤵PID:3864
-
\??\c:\7nttnt.exec:\7nttnt.exe71⤵PID:3120
-
\??\c:\rflrrrr.exec:\rflrrrr.exe72⤵PID:1588
-
\??\c:\828266.exec:\828266.exe73⤵PID:5052
-
\??\c:\2808226.exec:\2808226.exe74⤵PID:1940
-
\??\c:\662266.exec:\662266.exe75⤵PID:552
-
\??\c:\3hnhnt.exec:\3hnhnt.exe76⤵PID:4788
-
\??\c:\44642.exec:\44642.exe77⤵PID:4868
-
\??\c:\hntnhb.exec:\hntnhb.exe78⤵PID:2236
-
\??\c:\6022604.exec:\6022604.exe79⤵PID:2228
-
\??\c:\66860.exec:\66860.exe80⤵PID:3816
-
\??\c:\806268.exec:\806268.exe81⤵PID:3376
-
\??\c:\flxrffr.exec:\flxrffr.exe82⤵PID:460
-
\??\c:\62482.exec:\62482.exe83⤵PID:3940
-
\??\c:\rxxrrfx.exec:\rxxrrfx.exe84⤵PID:2148
-
\??\c:\jpvvp.exec:\jpvvp.exe85⤵PID:4076
-
\??\c:\206488.exec:\206488.exe86⤵PID:2316
-
\??\c:\i442048.exec:\i442048.exe87⤵PID:2716
-
\??\c:\fxffllr.exec:\fxffllr.exe88⤵PID:3136
-
\??\c:\662828.exec:\662828.exe89⤵PID:5044
-
\??\c:\4626004.exec:\4626004.exe90⤵PID:904
-
\??\c:\btnhtt.exec:\btnhtt.exe91⤵PID:4964
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe92⤵PID:436
-
\??\c:\64820.exec:\64820.exe93⤵PID:3124
-
\??\c:\7tnbtn.exec:\7tnbtn.exe94⤵PID:672
-
\??\c:\206482.exec:\206482.exe95⤵PID:3780
-
\??\c:\06266.exec:\06266.exe96⤵PID:2208
-
\??\c:\xffxxxr.exec:\xffxxxr.exe97⤵PID:2612
-
\??\c:\m4222.exec:\m4222.exe98⤵PID:4032
-
\??\c:\2068828.exec:\2068828.exe99⤵PID:2396
-
\??\c:\o004882.exec:\o004882.exe100⤵PID:3172
-
\??\c:\2642260.exec:\2642260.exe101⤵PID:3456
-
\??\c:\08882.exec:\08882.exe102⤵PID:1568
-
\??\c:\08482.exec:\08482.exe103⤵PID:4852
-
\??\c:\64204.exec:\64204.exe104⤵PID:2488
-
\??\c:\thtnnt.exec:\thtnnt.exe105⤵PID:224
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe106⤵PID:1496
-
\??\c:\9ffxlxr.exec:\9ffxlxr.exe107⤵PID:1172
-
\??\c:\q86444.exec:\q86444.exe108⤵PID:5020
-
\??\c:\06828.exec:\06828.exe109⤵PID:2600
-
\??\c:\5hhhbt.exec:\5hhhbt.exe110⤵PID:3972
-
\??\c:\842048.exec:\842048.exe111⤵PID:1084
-
\??\c:\rxrfrlx.exec:\rxrfrlx.exe112⤵PID:4708
-
\??\c:\pdjjd.exec:\pdjjd.exe113⤵PID:1964
-
\??\c:\028222.exec:\028222.exe114⤵PID:4112
-
\??\c:\288824.exec:\288824.exe115⤵PID:4880
-
\??\c:\3bbnhb.exec:\3bbnhb.exe116⤵PID:2196
-
\??\c:\nhnhnt.exec:\nhnhnt.exe117⤵PID:3488
-
\??\c:\dvpjd.exec:\dvpjd.exe118⤵PID:4740
-
\??\c:\86866.exec:\86866.exe119⤵PID:1600
-
\??\c:\djjdv.exec:\djjdv.exe120⤵PID:4604
-
\??\c:\g8466.exec:\g8466.exe121⤵PID:2416
-
\??\c:\0262064.exec:\0262064.exe122⤵PID:1920
-