Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe
-
Size
454KB
-
MD5
5a4c339e50b726872c6ad1500982877a
-
SHA1
ce61bb9657ee9642239eea4a85ec85963bedcbd6
-
SHA256
926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf
-
SHA512
01d3ce3416d602122e9661a13315a9c2f400d76ed71262e09222f2d1cbc4c14205e1f7ac52f4f58931bb3275bfdf60f894675e6c56a82e3c0b583f70089114ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/868-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1756-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2852-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-1206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-1525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 532 pppjj.exe 900 84660.exe 5092 bbnhtn.exe 5052 3fxrlfx.exe 852 1nbnbt.exe 3696 c464260.exe 2364 o480448.exe 3388 08264.exe 4412 22206.exe 3920 jdvdv.exe 3608 bhnhth.exe 1332 vddpj.exe 1988 44420.exe 3048 0886444.exe 2656 284848.exe 4864 frrrflf.exe 1252 g6246.exe 3492 dpvpj.exe 2216 nhtnhh.exe 2140 4842226.exe 2328 628224.exe 4136 46866.exe 4680 4248446.exe 5084 tttttt.exe 4556 4844444.exe 3668 pjpjd.exe 3436 bnbnhh.exe 4884 rlffxxr.exe 3496 640444.exe 1568 5lxrllf.exe 2276 i466662.exe 1084 484822.exe 424 btnhbb.exe 3392 622206.exe 1896 pjvvv.exe 4572 044660.exe 2332 lxrlffx.exe 1276 vvddv.exe 3724 s2620.exe 2852 a2482.exe 4928 tbnhtb.exe 2004 6064882.exe 2116 hnttnh.exe 1744 pjvpp.exe 1628 jvpvp.exe 3044 60004.exe 4568 hbnhbt.exe 3976 u084226.exe 4164 rlxllxr.exe 5056 hhnttt.exe 1756 pvdvv.exe 4508 xflfxrf.exe 2196 xlrllll.exe 3212 688242.exe 3144 pvdvp.exe 3580 vjvpj.exe 4376 8404866.exe 1924 hbthbb.exe 3248 06426.exe 1248 1rrrlff.exe 1100 82882.exe 2432 fxxlffl.exe 3968 dddvv.exe 4536 262044.exe -
resource yara_rule behavioral2/memory/868-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-201-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1568-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-451-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3204-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-1206-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q66848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8624488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8882660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20006.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 868 wrote to memory of 532 868 926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe 83 PID 868 wrote to memory of 532 868 926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe 83 PID 868 wrote to memory of 532 868 926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe 83 PID 532 wrote to memory of 900 532 pppjj.exe 84 PID 532 wrote to memory of 900 532 pppjj.exe 84 PID 532 wrote to memory of 900 532 pppjj.exe 84 PID 900 wrote to memory of 5092 900 84660.exe 85 PID 900 wrote to memory of 5092 900 84660.exe 85 PID 900 wrote to memory of 5092 900 84660.exe 85 PID 5092 wrote to memory of 5052 5092 bbnhtn.exe 86 PID 5092 wrote to memory of 5052 5092 bbnhtn.exe 86 PID 5092 wrote to memory of 5052 5092 bbnhtn.exe 86 PID 5052 wrote to memory of 852 5052 3fxrlfx.exe 87 PID 5052 wrote to memory of 852 5052 3fxrlfx.exe 87 PID 5052 wrote to memory of 852 5052 3fxrlfx.exe 87 PID 852 wrote to memory of 3696 852 1nbnbt.exe 88 PID 852 wrote to memory of 3696 852 1nbnbt.exe 88 PID 852 wrote to memory of 3696 852 1nbnbt.exe 88 PID 3696 wrote to memory of 2364 3696 c464260.exe 89 PID 3696 wrote to memory of 2364 3696 c464260.exe 89 PID 3696 wrote to memory of 2364 3696 c464260.exe 89 PID 2364 wrote to memory of 3388 2364 o480448.exe 147 PID 2364 wrote to memory of 3388 2364 o480448.exe 147 PID 2364 wrote to memory of 3388 2364 o480448.exe 147 PID 3388 wrote to memory of 4412 3388 08264.exe 91 PID 3388 wrote to memory of 4412 3388 08264.exe 91 PID 3388 wrote to memory of 4412 3388 08264.exe 91 PID 4412 wrote to memory of 3920 4412 22206.exe 92 PID 4412 wrote to memory of 3920 4412 22206.exe 92 PID 4412 wrote to memory of 3920 4412 22206.exe 92 PID 3920 wrote to memory of 3608 3920 jdvdv.exe 93 PID 3920 wrote to memory of 3608 3920 jdvdv.exe 93 PID 3920 wrote to memory of 3608 3920 jdvdv.exe 93 PID 3608 wrote to memory of 1332 3608 bhnhth.exe 94 PID 3608 wrote to memory of 1332 3608 bhnhth.exe 94 PID 
3608 wrote to memory of 1332 3608 bhnhth.exe 94 PID 1332 wrote to memory of 1988 1332 vddpj.exe 95 PID 1332 wrote to memory of 1988 1332 vddpj.exe 95 PID 1332 wrote to memory of 1988 1332 vddpj.exe 95 PID 1988 wrote to memory of 3048 1988 44420.exe 96 PID 1988 wrote to memory of 3048 1988 44420.exe 96 PID 1988 wrote to memory of 3048 1988 44420.exe 96 PID 3048 wrote to memory of 2656 3048 0886444.exe 97 PID 3048 wrote to memory of 2656 3048 0886444.exe 97 PID 3048 wrote to memory of 2656 3048 0886444.exe 97 PID 2656 wrote to memory of 4864 2656 284848.exe 98 PID 2656 wrote to memory of 4864 2656 284848.exe 98 PID 2656 wrote to memory of 4864 2656 284848.exe 98 PID 4864 wrote to memory of 1252 4864 frrrflf.exe 99 PID 4864 wrote to memory of 1252 4864 frrrflf.exe 99 PID 4864 wrote to memory of 1252 4864 frrrflf.exe 99 PID 1252 wrote to memory of 3492 1252 g6246.exe 100 PID 1252 wrote to memory of 3492 1252 g6246.exe 100 PID 1252 wrote to memory of 3492 1252 g6246.exe 100 PID 3492 wrote to memory of 2216 3492 dpvpj.exe 101 PID 3492 wrote to memory of 2216 3492 dpvpj.exe 101 PID 3492 wrote to memory of 2216 3492 dpvpj.exe 101 PID 2216 wrote to memory of 2140 2216 nhtnhh.exe 102 PID 2216 wrote to memory of 2140 2216 nhtnhh.exe 102 PID 2216 wrote to memory of 2140 2216 nhtnhh.exe 102 PID 2140 wrote to memory of 2328 2140 4842226.exe 103 PID 2140 wrote to memory of 2328 2140 4842226.exe 103 PID 2140 wrote to memory of 2328 2140 4842226.exe 103 PID 2328 wrote to memory of 4136 2328 628224.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe"C:\Users\Admin\AppData\Local\Temp\926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\pppjj.exec:\pppjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\84660.exec:\84660.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\bbnhtn.exec:\bbnhtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\3fxrlfx.exec:\3fxrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\1nbnbt.exec:\1nbnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\c464260.exec:\c464260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\o480448.exec:\o480448.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\08264.exec:\08264.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\22206.exec:\22206.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\jdvdv.exec:\jdvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\bhnhth.exec:\bhnhth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\vddpj.exec:\vddpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\44420.exec:\44420.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\0886444.exec:\0886444.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\284848.exec:\284848.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\frrrflf.exec:\frrrflf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\g6246.exec:\g6246.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\dpvpj.exec:\dpvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\nhtnhh.exec:\nhtnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\4842226.exec:\4842226.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\628224.exec:\628224.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\46866.exec:\46866.exe23⤵
- Executes dropped EXE
PID:4136 -
\??\c:\4248446.exec:\4248446.exe24⤵
- Executes dropped EXE
PID:4680 -
\??\c:\tttttt.exec:\tttttt.exe25⤵
- Executes dropped EXE
PID:5084 -
\??\c:\4844444.exec:\4844444.exe26⤵
- Executes dropped EXE
PID:4556 -
\??\c:\pjpjd.exec:\pjpjd.exe27⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bnbnhh.exec:\bnbnhh.exe28⤵
- Executes dropped EXE
PID:3436 -
\??\c:\rlffxxr.exec:\rlffxxr.exe29⤵
- Executes dropped EXE
PID:4884 -
\??\c:\640444.exec:\640444.exe30⤵
- Executes dropped EXE
PID:3496 -
\??\c:\5lxrllf.exec:\5lxrllf.exe31⤵
- Executes dropped EXE
PID:1568 -
\??\c:\i466662.exec:\i466662.exe32⤵
- Executes dropped EXE
PID:2276 -
\??\c:\484822.exec:\484822.exe33⤵
- Executes dropped EXE
PID:1084 -
\??\c:\btnhbb.exec:\btnhbb.exe34⤵
- Executes dropped EXE
PID:424 -
\??\c:\622206.exec:\622206.exe35⤵
- Executes dropped EXE
PID:3392 -
\??\c:\pjvvv.exec:\pjvvv.exe36⤵
- Executes dropped EXE
PID:1896 -
\??\c:\044660.exec:\044660.exe37⤵
- Executes dropped EXE
PID:4572 -
\??\c:\lxrlffx.exec:\lxrlffx.exe38⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vvddv.exec:\vvddv.exe39⤵
- Executes dropped EXE
PID:1276 -
\??\c:\s2620.exec:\s2620.exe40⤵
- Executes dropped EXE
PID:3724 -
\??\c:\a2482.exec:\a2482.exe41⤵
- Executes dropped EXE
PID:2852 -
\??\c:\tbnhtb.exec:\tbnhtb.exe42⤵
- Executes dropped EXE
PID:4928 -
\??\c:\6064882.exec:\6064882.exe43⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hnttnh.exec:\hnttnh.exe44⤵
- Executes dropped EXE
PID:2116 -
\??\c:\pjvpp.exec:\pjvpp.exe45⤵
- Executes dropped EXE
PID:1744 -
\??\c:\jvpvp.exec:\jvpvp.exe46⤵
- Executes dropped EXE
PID:1628 -
\??\c:\60004.exec:\60004.exe47⤵
- Executes dropped EXE
PID:3044 -
\??\c:\hbnhbt.exec:\hbnhbt.exe48⤵
- Executes dropped EXE
PID:4568 -
\??\c:\u084226.exec:\u084226.exe49⤵
- Executes dropped EXE
PID:3976 -
\??\c:\rlxllxr.exec:\rlxllxr.exe50⤵
- Executes dropped EXE
PID:4164 -
\??\c:\hhnttt.exec:\hhnttt.exe51⤵
- Executes dropped EXE
PID:5056 -
\??\c:\pvdvv.exec:\pvdvv.exe52⤵
- Executes dropped EXE
PID:1756 -
\??\c:\xflfxrf.exec:\xflfxrf.exe53⤵
- Executes dropped EXE
PID:4508 -
\??\c:\xlrllll.exec:\xlrllll.exe54⤵
- Executes dropped EXE
PID:2196 -
\??\c:\688242.exec:\688242.exe55⤵
- Executes dropped EXE
PID:3212 -
\??\c:\pvdvp.exec:\pvdvp.exe56⤵
- Executes dropped EXE
PID:3144 -
\??\c:\vjvpj.exec:\vjvpj.exe57⤵
- Executes dropped EXE
PID:3580 -
\??\c:\8404866.exec:\8404866.exe58⤵
- Executes dropped EXE
PID:4376 -
\??\c:\hbthbb.exec:\hbthbb.exe59⤵
- Executes dropped EXE
PID:1924 -
\??\c:\06426.exec:\06426.exe60⤵
- Executes dropped EXE
PID:3248 -
\??\c:\1rrrlff.exec:\1rrrlff.exe61⤵
- Executes dropped EXE
PID:1248 -
\??\c:\82882.exec:\82882.exe62⤵
- Executes dropped EXE
PID:1100 -
\??\c:\fxxlffl.exec:\fxxlffl.exe63⤵
- Executes dropped EXE
PID:2432 -
\??\c:\dddvv.exec:\dddvv.exe64⤵
- Executes dropped EXE
PID:3968 -
\??\c:\262044.exec:\262044.exe65⤵
- Executes dropped EXE
PID:4536 -
\??\c:\rlrrlfx.exec:\rlrrlfx.exe66⤵PID:3388
-
\??\c:\g0600.exec:\g0600.exe67⤵PID:2184
-
\??\c:\6804882.exec:\6804882.exe68⤵PID:2036
-
\??\c:\xllfxxf.exec:\xllfxxf.exe69⤵PID:1548
-
\??\c:\xrfrxrl.exec:\xrfrxrl.exe70⤵PID:2580
-
\??\c:\vjpdd.exec:\vjpdd.exe71⤵PID:1016
-
\??\c:\42200.exec:\42200.exe72⤵PID:1128
-
\??\c:\flrlrlf.exec:\flrlrlf.exe73⤵PID:5096
-
\??\c:\q26048.exec:\q26048.exe74⤵PID:5104
-
\??\c:\vvdpj.exec:\vvdpj.exe75⤵PID:2884
-
\??\c:\hthbtt.exec:\hthbtt.exe76⤵PID:632
-
\??\c:\6040024.exec:\6040024.exe77⤵PID:4252
-
\??\c:\6220804.exec:\6220804.exe78⤵PID:3940
-
\??\c:\02822.exec:\02822.exe79⤵PID:2164
-
\??\c:\2866002.exec:\2866002.exe80⤵PID:100
-
\??\c:\1ppjp.exec:\1ppjp.exe81⤵PID:220
-
\??\c:\thnbhn.exec:\thnbhn.exe82⤵PID:1360
-
\??\c:\688222.exec:\688222.exe83⤵PID:2112
-
\??\c:\428046.exec:\428046.exe84⤵PID:744
-
\??\c:\606604.exec:\606604.exe85⤵PID:2440
-
\??\c:\1hnhhh.exec:\1hnhhh.exe86⤵PID:4648
-
\??\c:\666266.exec:\666266.exe87⤵PID:4892
-
\??\c:\620422.exec:\620422.exe88⤵PID:1448
-
\??\c:\84640.exec:\84640.exe89⤵PID:1184
-
\??\c:\bhhnhh.exec:\bhhnhh.exe90⤵PID:4808
-
\??\c:\20842.exec:\20842.exe91⤵PID:1480
-
\??\c:\3nnnhh.exec:\3nnnhh.exe92⤵PID:4652
-
\??\c:\28060.exec:\28060.exe93⤵PID:4992
-
\??\c:\68042.exec:\68042.exe94⤵PID:3724
-
\??\c:\ppvpj.exec:\ppvpj.exe95⤵PID:2852
-
\??\c:\24226.exec:\24226.exe96⤵
- System Location Discovery: System Language Discovery
PID:4284 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe97⤵PID:2444
-
\??\c:\o082228.exec:\o082228.exe98⤵PID:3952
-
\??\c:\444488.exec:\444488.exe99⤵PID:4084
-
\??\c:\868222.exec:\868222.exe100⤵PID:2904
-
\??\c:\26222.exec:\26222.exe101⤵PID:3756
-
\??\c:\9pvvd.exec:\9pvvd.exe102⤵PID:3764
-
\??\c:\262600.exec:\262600.exe103⤵PID:3876
-
\??\c:\ppvpd.exec:\ppvpd.exe104⤵PID:672
-
\??\c:\jdpjp.exec:\jdpjp.exe105⤵PID:244
-
\??\c:\44222.exec:\44222.exe106⤵PID:3188
-
\??\c:\2666004.exec:\2666004.exe107⤵PID:1828
-
\??\c:\llffrlf.exec:\llffrlf.exe108⤵PID:3124
-
\??\c:\66888.exec:\66888.exe109⤵PID:4204
-
\??\c:\u408222.exec:\u408222.exe110⤵PID:1792
-
\??\c:\pjppp.exec:\pjppp.exe111⤵PID:4176
-
\??\c:\s4644.exec:\s4644.exe112⤵PID:4616
-
\??\c:\840668.exec:\840668.exe113⤵PID:5068
-
\??\c:\jpjdd.exec:\jpjdd.exe114⤵PID:1780
-
\??\c:\280488.exec:\280488.exe115⤵PID:3204
-
\??\c:\7tttnn.exec:\7tttnn.exe116⤵PID:4944
-
\??\c:\jpddd.exec:\jpddd.exe117⤵PID:900
-
\??\c:\jdjdd.exec:\jdjdd.exe118⤵PID:3548
-
\??\c:\bbbbtt.exec:\bbbbtt.exe119⤵PID:4788
-
\??\c:\rrffllx.exec:\rrffllx.exe120⤵PID:2816
-
\??\c:\xfrlffx.exec:\xfrlffx.exe121⤵PID:3644
-
\??\c:\84600.exec:\84600.exe122⤵PID:1404