Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe
-
Size
456KB
-
MD5
a03453537332aac2cf2583f7d3231a76
-
SHA1
2f704022dd4c0e3080e8fcd801644de660540697
-
SHA256
26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71
-
SHA512
b9123e847b2e62dd76dca9fb0bd9a38491eb8e4cc4af4af21fd206ae89947e0f4d07cf221c75e612e5e85c1c4dc1e22d654ed42c238c23abedc6cd6fc2163c2e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRs:q7Tc2NYHUrAwfMp3CDRs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/2684-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2840-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4908-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-1477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2300 nhhnnt.exe 4064 dddvv.exe 5080 pddjp.exe 4028 ppjjd.exe 1028 xfffxrl.exe 3376 hthbbb.exe 4452 httthh.exe 1296 xflfffl.exe 4456 hnttnn.exe 4928 nhhbbn.exe 932 3tthhn.exe 4936 tbhbbb.exe 2932 rffffxx.exe 100 nbnhbb.exe 856 nhthth.exe 212 jjjdd.exe 3656 vpvpp.exe 5000 dpvvd.exe 1792 1rllxxr.exe 2928 9hnhbb.exe 2840 rxlfxrx.exe 640 hnthbb.exe 2164 3dvpj.exe 1484 7xfxrrr.exe 1460 5hbtnn.exe 1668 thbnbt.exe 924 vjppj.exe 3088 fxxlfxl.exe 3604 jjjdv.exe 2828 vpppj.exe 516 1tnhbn.exe 1896 jvdpd.exe 2220 jpdvv.exe 3992 bbbbtb.exe 3676 rxlfxff.exe 2488 nnthtb.exe 4800 3dpjv.exe 1704 7btthn.exe 2172 1tnnnn.exe 1916 nnhbnt.exe 4684 htthbt.exe 4788 pdppj.exe 740 xrffffx.exe 3704 nhttnn.exe 4884 ppvpd.exe 4736 rxrrxxl.exe 3136 9nbthb.exe 1352 ddvpj.exe 2316 xrrfxrl.exe 4592 bhbthn.exe 4412 jdjdd.exe 5100 dvvvj.exe 1584 5fxrlrf.exe 4040 hbhbbt.exe 4796 jppjd.exe 3076 7jjvp.exe 4080 flrlfff.exe 4948 tbhbtn.exe 3000 ddvpj.exe 1624 hthtnh.exe 4272 jpvjd.exe 2944 xlfrfrl.exe 872 ffxrfxr.exe 948 5hbbtb.exe -
resource yara_rule behavioral2/memory/2684-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-136-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2840-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1460-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-694-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 2300 2684 26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe 82 PID 2684 wrote to memory of 2300 2684 26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe 82 PID 2684 wrote to memory of 2300 2684 26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe 82 PID 2300 wrote to memory of 4064 2300 nhhnnt.exe 83 PID 2300 wrote to memory of 4064 2300 nhhnnt.exe 83 PID 2300 wrote to memory of 4064 2300 nhhnnt.exe 83 PID 4064 wrote to memory of 5080 4064 dddvv.exe 84 PID 4064 wrote to memory of 5080 4064 dddvv.exe 84 PID 4064 wrote to memory of 5080 4064 dddvv.exe 84 PID 5080 wrote to memory of 4028 5080 pddjp.exe 85 PID 5080 wrote to memory of 4028 5080 pddjp.exe 85 PID 5080 wrote to memory of 4028 5080 pddjp.exe 85 PID 4028 wrote to memory of 1028 4028 ppjjd.exe 86 PID 4028 wrote to memory of 1028 4028 ppjjd.exe 86 PID 4028 wrote to memory of 1028 4028 ppjjd.exe 86 PID 1028 wrote to memory of 3376 1028 xfffxrl.exe 87 PID 1028 wrote to memory of 3376 1028 xfffxrl.exe 87 PID 1028 wrote to memory of 3376 1028 xfffxrl.exe 87 PID 3376 wrote to memory of 4452 3376 hthbbb.exe 88 PID 3376 wrote to memory of 4452 3376 hthbbb.exe 88 PID 3376 wrote to memory of 4452 3376 hthbbb.exe 88 PID 4452 wrote to memory of 1296 4452 httthh.exe 89 PID 4452 wrote to memory of 1296 4452 httthh.exe 89 PID 4452 wrote to memory of 1296 4452 httthh.exe 89 PID 1296 wrote to memory of 4456 1296 xflfffl.exe 90 PID 1296 wrote to memory of 4456 1296 xflfffl.exe 90 PID 1296 wrote to memory of 4456 1296 xflfffl.exe 90 PID 4456 wrote to memory of 4928 4456 hnttnn.exe 91 PID 4456 wrote to memory of 4928 4456 hnttnn.exe 91 PID 4456 wrote to memory of 4928 4456 hnttnn.exe 91 PID 4928 wrote to memory of 932 4928 nhhbbn.exe 92 PID 4928 wrote to memory of 932 4928 nhhbbn.exe 92 PID 4928 wrote to memory of 932 4928 nhhbbn.exe 92 PID 932 wrote to memory of 4936 932 3tthhn.exe 93 PID 932 wrote to memory of 
4936 932 3tthhn.exe 93 PID 932 wrote to memory of 4936 932 3tthhn.exe 93 PID 4936 wrote to memory of 2932 4936 tbhbbb.exe 94 PID 4936 wrote to memory of 2932 4936 tbhbbb.exe 94 PID 4936 wrote to memory of 2932 4936 tbhbbb.exe 94 PID 2932 wrote to memory of 100 2932 rffffxx.exe 95 PID 2932 wrote to memory of 100 2932 rffffxx.exe 95 PID 2932 wrote to memory of 100 2932 rffffxx.exe 95 PID 100 wrote to memory of 856 100 nbnhbb.exe 96 PID 100 wrote to memory of 856 100 nbnhbb.exe 96 PID 100 wrote to memory of 856 100 nbnhbb.exe 96 PID 856 wrote to memory of 212 856 nhthth.exe 97 PID 856 wrote to memory of 212 856 nhthth.exe 97 PID 856 wrote to memory of 212 856 nhthth.exe 97 PID 212 wrote to memory of 3656 212 jjjdd.exe 98 PID 212 wrote to memory of 3656 212 jjjdd.exe 98 PID 212 wrote to memory of 3656 212 jjjdd.exe 98 PID 3656 wrote to memory of 5000 3656 vpvpp.exe 99 PID 3656 wrote to memory of 5000 3656 vpvpp.exe 99 PID 3656 wrote to memory of 5000 3656 vpvpp.exe 99 PID 5000 wrote to memory of 1792 5000 dpvvd.exe 100 PID 5000 wrote to memory of 1792 5000 dpvvd.exe 100 PID 5000 wrote to memory of 1792 5000 dpvvd.exe 100 PID 1792 wrote to memory of 2928 1792 1rllxxr.exe 101 PID 1792 wrote to memory of 2928 1792 1rllxxr.exe 101 PID 1792 wrote to memory of 2928 1792 1rllxxr.exe 101 PID 2928 wrote to memory of 2840 2928 9hnhbb.exe 102 PID 2928 wrote to memory of 2840 2928 9hnhbb.exe 102 PID 2928 wrote to memory of 2840 2928 9hnhbb.exe 102 PID 2840 wrote to memory of 640 2840 rxlfxrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe"C:\Users\Admin\AppData\Local\Temp\26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\nhhnnt.exec:\nhhnnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\dddvv.exec:\dddvv.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\pddjp.exec:\pddjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\ppjjd.exec:\ppjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\xfffxrl.exec:\xfffxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\hthbbb.exec:\hthbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\httthh.exec:\httthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\xflfffl.exec:\xflfffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\hnttnn.exec:\hnttnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\nhhbbn.exec:\nhhbbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\3tthhn.exec:\3tthhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\tbhbbb.exec:\tbhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\rffffxx.exec:\rffffxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\nbnhbb.exec:\nbnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\nhthth.exec:\nhthth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\jjjdd.exec:\jjjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\vpvpp.exec:\vpvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\dpvvd.exec:\dpvvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\1rllxxr.exec:\1rllxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\9hnhbb.exec:\9hnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\rxlfxrx.exec:\rxlfxrx.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\hnthbb.exec:\hnthbb.exe23⤵
- Executes dropped EXE
PID:640 -
\??\c:\3dvpj.exec:\3dvpj.exe24⤵
- Executes dropped EXE
PID:2164 -
\??\c:\7xfxrrr.exec:\7xfxrrr.exe25⤵
- Executes dropped EXE
PID:1484 -
\??\c:\5hbtnn.exec:\5hbtnn.exe26⤵
- Executes dropped EXE
PID:1460 -
\??\c:\thbnbt.exec:\thbnbt.exe27⤵
- Executes dropped EXE
PID:1668 -
\??\c:\vjppj.exec:\vjppj.exe28⤵
- Executes dropped EXE
PID:924 -
\??\c:\fxxlfxl.exec:\fxxlfxl.exe29⤵
- Executes dropped EXE
PID:3088 -
\??\c:\jjjdv.exec:\jjjdv.exe30⤵
- Executes dropped EXE
PID:3604 -
\??\c:\vpppj.exec:\vpppj.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828 -
\??\c:\1tnhbn.exec:\1tnhbn.exe32⤵
- Executes dropped EXE
PID:516 -
\??\c:\jvdpd.exec:\jvdpd.exe33⤵
- Executes dropped EXE
PID:1896 -
\??\c:\jpdvv.exec:\jpdvv.exe34⤵
- Executes dropped EXE
PID:2220 -
\??\c:\bbbbtb.exec:\bbbbtb.exe35⤵
- Executes dropped EXE
PID:3992 -
\??\c:\rxlfxff.exec:\rxlfxff.exe36⤵
- Executes dropped EXE
PID:3676 -
\??\c:\nnthtb.exec:\nnthtb.exe37⤵
- Executes dropped EXE
PID:2488 -
\??\c:\3dpjv.exec:\3dpjv.exe38⤵
- Executes dropped EXE
PID:4800 -
\??\c:\7btthn.exec:\7btthn.exe39⤵
- Executes dropped EXE
PID:1704 -
\??\c:\1tnnnn.exec:\1tnnnn.exe40⤵
- Executes dropped EXE
PID:2172 -
\??\c:\nnhbnt.exec:\nnhbnt.exe41⤵
- Executes dropped EXE
PID:1916 -
\??\c:\htthbt.exec:\htthbt.exe42⤵
- Executes dropped EXE
PID:4684 -
\??\c:\pdppj.exec:\pdppj.exe43⤵
- Executes dropped EXE
PID:4788 -
\??\c:\xrffffx.exec:\xrffffx.exe44⤵
- Executes dropped EXE
PID:740 -
\??\c:\nhttnn.exec:\nhttnn.exe45⤵
- Executes dropped EXE
PID:3704 -
\??\c:\ppvpd.exec:\ppvpd.exe46⤵
- Executes dropped EXE
PID:4884 -
\??\c:\rxrrxxl.exec:\rxrrxxl.exe47⤵
- Executes dropped EXE
PID:4736 -
\??\c:\9nbthb.exec:\9nbthb.exe48⤵
- Executes dropped EXE
PID:3136 -
\??\c:\ddvpj.exec:\ddvpj.exe49⤵
- Executes dropped EXE
PID:1352 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe50⤵
- Executes dropped EXE
PID:2316 -
\??\c:\bhbthn.exec:\bhbthn.exe51⤵
- Executes dropped EXE
PID:4592 -
\??\c:\jdjdd.exec:\jdjdd.exe52⤵
- Executes dropped EXE
PID:4412 -
\??\c:\dvvvj.exec:\dvvvj.exe53⤵
- Executes dropped EXE
PID:5100 -
\??\c:\5fxrlrf.exec:\5fxrlrf.exe54⤵
- Executes dropped EXE
PID:1584 -
\??\c:\hbhbbt.exec:\hbhbbt.exe55⤵
- Executes dropped EXE
PID:4040 -
\??\c:\jppjd.exec:\jppjd.exe56⤵
- Executes dropped EXE
PID:4796 -
\??\c:\7jjvp.exec:\7jjvp.exe57⤵
- Executes dropped EXE
PID:3076 -
\??\c:\flrlfff.exec:\flrlfff.exe58⤵
- Executes dropped EXE
PID:4080 -
\??\c:\tbhbtn.exec:\tbhbtn.exe59⤵
- Executes dropped EXE
PID:4948 -
\??\c:\ddvpj.exec:\ddvpj.exe60⤵
- Executes dropped EXE
PID:3000 -
\??\c:\hthtnh.exec:\hthtnh.exe61⤵
- Executes dropped EXE
PID:1624 -
\??\c:\jpvjd.exec:\jpvjd.exe62⤵
- Executes dropped EXE
PID:4272 -
\??\c:\xlfrfrl.exec:\xlfrfrl.exe63⤵
- Executes dropped EXE
PID:2944 -
\??\c:\ffxrfxr.exec:\ffxrfxr.exe64⤵
- Executes dropped EXE
PID:872 -
\??\c:\5hbbtb.exec:\5hbbtb.exe65⤵
- Executes dropped EXE
PID:948 -
\??\c:\3jjjj.exec:\3jjjj.exe66⤵PID:1364
-
\??\c:\rxllxxl.exec:\rxllxxl.exe67⤵PID:832
-
\??\c:\bhhthb.exec:\bhhthb.exe68⤵PID:1392
-
\??\c:\jvvjj.exec:\jvvjj.exe69⤵PID:1480
-
\??\c:\vvdpd.exec:\vvdpd.exe70⤵PID:4956
-
\??\c:\xflfxrf.exec:\xflfxrf.exe71⤵PID:4980
-
\??\c:\bbhbbb.exec:\bbhbbb.exe72⤵PID:116
-
\??\c:\bbhbtt.exec:\bbhbtt.exe73⤵PID:2020
-
\??\c:\1pppj.exec:\1pppj.exe74⤵PID:3632
-
\??\c:\rfffrfx.exec:\rfffrfx.exe75⤵PID:4572
-
\??\c:\nthbtn.exec:\nthbtn.exe76⤵PID:1860
-
\??\c:\pddvp.exec:\pddvp.exe77⤵PID:4984
-
\??\c:\vpdpj.exec:\vpdpj.exe78⤵PID:2620
-
\??\c:\fxfffff.exec:\fxfffff.exe79⤵PID:4500
-
\??\c:\nhhbnn.exec:\nhhbnn.exe80⤵PID:1208
-
\??\c:\tnnhbb.exec:\tnnhbb.exe81⤵PID:5000
-
\??\c:\pjpjv.exec:\pjpjv.exe82⤵PID:4852
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe83⤵PID:4992
-
\??\c:\ttnhtt.exec:\ttnhtt.exe84⤵PID:2840
-
\??\c:\djpdv.exec:\djpdv.exe85⤵PID:640
-
\??\c:\frfrlfr.exec:\frfrlfr.exe86⤵PID:4908
-
\??\c:\flrlfxr.exec:\flrlfxr.exe87⤵PID:1484
-
\??\c:\hbbnhb.exec:\hbbnhb.exe88⤵PID:1460
-
\??\c:\ddjdd.exec:\ddjdd.exe89⤵PID:4744
-
\??\c:\jvdvp.exec:\jvdvp.exe90⤵PID:4520
-
\??\c:\lflxfxx.exec:\lflxfxx.exe91⤵PID:1804
-
\??\c:\htnnnh.exec:\htnnnh.exe92⤵PID:3324
-
\??\c:\dvvpd.exec:\dvvpd.exe93⤵PID:3604
-
\??\c:\dvvdv.exec:\dvvdv.exe94⤵PID:2828
-
\??\c:\bhtbnh.exec:\bhtbnh.exe95⤵PID:3084
-
\??\c:\1hnhtt.exec:\1hnhtt.exe96⤵PID:1336
-
\??\c:\dpdvj.exec:\dpdvj.exe97⤵
- System Location Discovery: System Language Discovery
PID:516 -
\??\c:\1rrrlrl.exec:\1rrrlrl.exe98⤵PID:2156
-
\??\c:\hbbtnn.exec:\hbbtnn.exe99⤵PID:4016
-
\??\c:\nnbbnn.exec:\nnbbnn.exe100⤵PID:4652
-
\??\c:\pppjv.exec:\pppjv.exe101⤵PID:1908
-
\??\c:\fxlfffl.exec:\fxlfffl.exe102⤵PID:2792
-
\??\c:\tnthht.exec:\tnthht.exe103⤵PID:1748
-
\??\c:\7ntnhh.exec:\7ntnhh.exe104⤵PID:4800
-
\??\c:\9vvjd.exec:\9vvjd.exe105⤵PID:1488
-
\??\c:\lxlfrrl.exec:\lxlfrrl.exe106⤵PID:1848
-
\??\c:\hbhnhb.exec:\hbhnhb.exe107⤵PID:3616
-
\??\c:\pjpjj.exec:\pjpjj.exe108⤵PID:3340
-
\??\c:\xxllffl.exec:\xxllffl.exe109⤵PID:4372
-
\??\c:\bhhbtt.exec:\bhhbtt.exe110⤵PID:4788
-
\??\c:\jvjpj.exec:\jvjpj.exe111⤵PID:740
-
\??\c:\lflfxrr.exec:\lflfxrr.exe112⤵PID:4484
-
\??\c:\1ffxrrr.exec:\1ffxrrr.exe113⤵PID:4792
-
\??\c:\tttttt.exec:\tttttt.exe114⤵PID:1760
-
\??\c:\vjpjd.exec:\vjpjd.exe115⤵PID:4336
-
\??\c:\fxffxxx.exec:\fxffxxx.exe116⤵PID:2592
-
\??\c:\7rxrllf.exec:\7rxrllf.exe117⤵PID:4560
-
\??\c:\bnnhbt.exec:\bnnhbt.exe118⤵PID:2300
-
\??\c:\9vpjv.exec:\9vpjv.exe119⤵PID:4412
-
\??\c:\3xrlxfx.exec:\3xrlxfx.exe120⤵PID:2268
-
\??\c:\nhbtnn.exec:\nhbtnn.exe121⤵PID:60
-
\??\c:\5jvvj.exec:\5jvvj.exe122⤵PID:1924