Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 11:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37eN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37eN.exe
-
Size
453KB
-
MD5
1401a9b75c79f40df7d54ba8d44cc210
-
SHA1
abfa4f0218aee55d66b5eaf5916a034befeea20b
-
SHA256
26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37e
-
SHA512
5ee25e7d40a31446a7045bb54434c0271443ac10e7065cb111cccd3826ad9452bdd1d86a609f93fe5b49869d11c343eca3446eb12a03c0e8ee1358467cf131c6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1924-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3460-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2384-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1416-1465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1924 088604.exe 4672 02088.exe 3452 860866.exe 3996 42608.exe 1636 tbnbnh.exe 2708 pppdp.exe 2436 dpddv.exe 2108 0448826.exe 1060 068260.exe 2880 ppvpj.exe 1496 pvpdj.exe 2916 jjppj.exe 3056 vpvvj.exe 4968 4060480.exe 1372 22820.exe 1084 8006000.exe 2616 pjdvp.exe 2552 3rlfffx.exe 2828 ntbtnn.exe 4168 2282606.exe 2548 84266.exe 1244 nhhhth.exe 3460 6208226.exe 976 80068.exe 4660 dpdpp.exe 1652 jppjv.exe 3836 2800000.exe 2944 btthbb.exe 2748 rrlxlxl.exe 4356 860864.exe 2092 4482044.exe 4400 bnhthh.exe 4680 m8420.exe 1572 000860.exe 2668 lfxxlxx.exe 4636 82264.exe 1680 0888608.exe 2248 422648.exe 2768 426642.exe 1964 pvvjp.exe 1592 66688.exe 2620 02622.exe 1448 jvpdv.exe 4524 6624208.exe 2152 ntbtth.exe 224 20080.exe 716 bnhbnh.exe 2104 bhbntn.exe 3876 hnhbnb.exe 4696 bthtbt.exe 1384 2226820.exe 4732 hbthth.exe 452 682060.exe 3452 tttntn.exe 3996 2060820.exe 2568 0060448.exe 3524 hbbbtn.exe 4336 42084.exe 4892 xrlfxxx.exe 3060 xlfrfxl.exe 532 k24426.exe 5016 26264.exe 4392 2008482.exe 2764 lflfxxf.exe -
resource yara_rule behavioral2/memory/1924-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-136-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3460-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1312-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-734-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6464488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662884.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2028046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4648888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1236 wrote to memory of 1924 1236 26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37eN.exe 85 PID 1236 wrote to memory of 1924 1236 26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37eN.exe 85 PID 1236 wrote to memory of 1924 1236 26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37eN.exe 85 PID 1924 wrote to memory of 4672 1924 088604.exe 86 PID 1924 wrote to memory of 4672 1924 088604.exe 86 PID 1924 wrote to memory of 4672 1924 088604.exe 86 PID 4672 wrote to memory of 3452 4672 02088.exe 87 PID 4672 wrote to memory of 3452 4672 02088.exe 87 PID 4672 wrote to memory of 3452 4672 02088.exe 87 PID 3452 wrote to memory of 3996 3452 860866.exe 88 PID 3452 wrote to memory of 3996 3452 860866.exe 88 PID 3452 wrote to memory of 3996 3452 860866.exe 88 PID 3996 wrote to memory of 1636 3996 42608.exe 89 PID 3996 wrote to memory of 1636 3996 42608.exe 89 PID 3996 wrote to memory of 1636 3996 42608.exe 89 PID 1636 wrote to memory of 2708 1636 tbnbnh.exe 90 PID 1636 wrote to memory of 2708 1636 tbnbnh.exe 90 PID 1636 wrote to memory of 2708 1636 tbnbnh.exe 90 PID 2708 wrote to memory of 2436 2708 pppdp.exe 91 PID 2708 wrote to memory of 2436 2708 pppdp.exe 91 PID 2708 wrote to memory of 2436 2708 pppdp.exe 91 PID 2436 wrote to memory of 2108 2436 dpddv.exe 92 PID 2436 wrote to memory of 2108 2436 dpddv.exe 92 PID 2436 wrote to memory of 2108 2436 dpddv.exe 92 PID 2108 wrote to memory of 1060 2108 0448826.exe 93 PID 2108 wrote to memory of 1060 2108 0448826.exe 93 PID 2108 wrote to memory of 1060 2108 0448826.exe 93 PID 1060 wrote to memory of 2880 1060 068260.exe 94 PID 1060 wrote to memory of 2880 1060 068260.exe 94 PID 1060 wrote to memory of 2880 1060 068260.exe 94 PID 2880 wrote to memory of 1496 2880 ppvpj.exe 95 PID 2880 wrote to memory of 1496 2880 ppvpj.exe 95 PID 2880 wrote to memory of 1496 2880 ppvpj.exe 95 PID 1496 wrote to memory of 2916 1496 pvpdj.exe 96 PID 1496 wrote to memory of 
2916 1496 pvpdj.exe 96 PID 1496 wrote to memory of 2916 1496 pvpdj.exe 96 PID 2916 wrote to memory of 3056 2916 jjppj.exe 97 PID 2916 wrote to memory of 3056 2916 jjppj.exe 97 PID 2916 wrote to memory of 3056 2916 jjppj.exe 97 PID 3056 wrote to memory of 4968 3056 vpvvj.exe 98 PID 3056 wrote to memory of 4968 3056 vpvvj.exe 98 PID 3056 wrote to memory of 4968 3056 vpvvj.exe 98 PID 4968 wrote to memory of 1372 4968 4060480.exe 99 PID 4968 wrote to memory of 1372 4968 4060480.exe 99 PID 4968 wrote to memory of 1372 4968 4060480.exe 99 PID 1372 wrote to memory of 1084 1372 22820.exe 100 PID 1372 wrote to memory of 1084 1372 22820.exe 100 PID 1372 wrote to memory of 1084 1372 22820.exe 100 PID 1084 wrote to memory of 2616 1084 8006000.exe 101 PID 1084 wrote to memory of 2616 1084 8006000.exe 101 PID 1084 wrote to memory of 2616 1084 8006000.exe 101 PID 2616 wrote to memory of 2552 2616 pjdvp.exe 102 PID 2616 wrote to memory of 2552 2616 pjdvp.exe 102 PID 2616 wrote to memory of 2552 2616 pjdvp.exe 102 PID 2552 wrote to memory of 2828 2552 3rlfffx.exe 103 PID 2552 wrote to memory of 2828 2552 3rlfffx.exe 103 PID 2552 wrote to memory of 2828 2552 3rlfffx.exe 103 PID 2828 wrote to memory of 4168 2828 ntbtnn.exe 104 PID 2828 wrote to memory of 4168 2828 ntbtnn.exe 104 PID 2828 wrote to memory of 4168 2828 ntbtnn.exe 104 PID 4168 wrote to memory of 2548 4168 2282606.exe 105 PID 4168 wrote to memory of 2548 4168 2282606.exe 105 PID 4168 wrote to memory of 2548 4168 2282606.exe 105 PID 2548 wrote to memory of 1244 2548 84266.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37eN.exe"C:\Users\Admin\AppData\Local\Temp\26b7115b9451daed5dd2e3cbfb6f9a14baed6698545be3af2ef42a7a067fb37eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\088604.exec:\088604.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\02088.exec:\02088.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\860866.exec:\860866.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\42608.exec:\42608.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\tbnbnh.exec:\tbnbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\pppdp.exec:\pppdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\dpddv.exec:\dpddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\0448826.exec:\0448826.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\068260.exec:\068260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\ppvpj.exec:\ppvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\pvpdj.exec:\pvpdj.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\jjppj.exec:\jjppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\vpvvj.exec:\vpvvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\4060480.exec:\4060480.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\22820.exec:\22820.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\8006000.exec:\8006000.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\pjdvp.exec:\pjdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\3rlfffx.exec:\3rlfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\ntbtnn.exec:\ntbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\2282606.exec:\2282606.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\84266.exec:\84266.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\nhhhth.exec:\nhhhth.exe23⤵
- Executes dropped EXE
PID:1244 -
\??\c:\6208226.exec:\6208226.exe24⤵
- Executes dropped EXE
PID:3460 -
\??\c:\80068.exec:\80068.exe25⤵
- Executes dropped EXE
PID:976 -
\??\c:\dpdpp.exec:\dpdpp.exe26⤵
- Executes dropped EXE
PID:4660 -
\??\c:\jppjv.exec:\jppjv.exe27⤵
- Executes dropped EXE
PID:1652 -
\??\c:\2800000.exec:\2800000.exe28⤵
- Executes dropped EXE
PID:3836 -
\??\c:\btthbb.exec:\btthbb.exe29⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rrlxlxl.exec:\rrlxlxl.exe30⤵
- Executes dropped EXE
PID:2748 -
\??\c:\860864.exec:\860864.exe31⤵
- Executes dropped EXE
PID:4356 -
\??\c:\4482044.exec:\4482044.exe32⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bnhthh.exec:\bnhthh.exe33⤵
- Executes dropped EXE
PID:4400 -
\??\c:\m8420.exec:\m8420.exe34⤵
- Executes dropped EXE
PID:4680 -
\??\c:\000860.exec:\000860.exe35⤵
- Executes dropped EXE
PID:1572 -
\??\c:\lfxxlxx.exec:\lfxxlxx.exe36⤵
- Executes dropped EXE
PID:2668 -
\??\c:\82264.exec:\82264.exe37⤵
- Executes dropped EXE
PID:4636 -
\??\c:\0888608.exec:\0888608.exe38⤵
- Executes dropped EXE
PID:1680 -
\??\c:\422648.exec:\422648.exe39⤵
- Executes dropped EXE
PID:2248 -
\??\c:\426642.exec:\426642.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\pvvjp.exec:\pvvjp.exe41⤵
- Executes dropped EXE
PID:1964 -
\??\c:\66688.exec:\66688.exe42⤵
- Executes dropped EXE
PID:1592 -
\??\c:\02622.exec:\02622.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\jvpdv.exec:\jvpdv.exe44⤵
- Executes dropped EXE
PID:1448 -
\??\c:\6624208.exec:\6624208.exe45⤵
- Executes dropped EXE
PID:4524 -
\??\c:\ntbtth.exec:\ntbtth.exe46⤵
- Executes dropped EXE
PID:2152 -
\??\c:\20080.exec:\20080.exe47⤵
- Executes dropped EXE
PID:224 -
\??\c:\bnhbnh.exec:\bnhbnh.exe48⤵
- Executes dropped EXE
PID:716 -
\??\c:\bhbntn.exec:\bhbntn.exe49⤵
- Executes dropped EXE
PID:2104 -
\??\c:\hnhbnb.exec:\hnhbnb.exe50⤵
- Executes dropped EXE
PID:3876 -
\??\c:\bthtbt.exec:\bthtbt.exe51⤵
- Executes dropped EXE
PID:4696 -
\??\c:\2226820.exec:\2226820.exe52⤵
- Executes dropped EXE
PID:1384 -
\??\c:\hbthth.exec:\hbthth.exe53⤵
- Executes dropped EXE
PID:4732 -
\??\c:\682060.exec:\682060.exe54⤵
- Executes dropped EXE
PID:452 -
\??\c:\tttntn.exec:\tttntn.exe55⤵
- Executes dropped EXE
PID:3452 -
\??\c:\2060820.exec:\2060820.exe56⤵
- Executes dropped EXE
PID:3996 -
\??\c:\0060448.exec:\0060448.exe57⤵
- Executes dropped EXE
PID:2568 -
\??\c:\hbbbtn.exec:\hbbbtn.exe58⤵
- Executes dropped EXE
PID:3524 -
\??\c:\42084.exec:\42084.exe59⤵
- Executes dropped EXE
PID:4336 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe60⤵
- Executes dropped EXE
PID:4892 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe61⤵
- Executes dropped EXE
PID:3060 -
\??\c:\k24426.exec:\k24426.exe62⤵
- Executes dropped EXE
PID:532 -
\??\c:\26264.exec:\26264.exe63⤵
- Executes dropped EXE
PID:5016 -
\??\c:\2008482.exec:\2008482.exe64⤵
- Executes dropped EXE
PID:4392 -
\??\c:\lflfxxf.exec:\lflfxxf.exe65⤵
- Executes dropped EXE
PID:2764 -
\??\c:\llrllll.exec:\llrllll.exe66⤵PID:4844
-
\??\c:\pdvvp.exec:\pdvvp.exe67⤵PID:968
-
\??\c:\606042.exec:\606042.exe68⤵PID:412
-
\??\c:\vddpv.exec:\vddpv.exe69⤵PID:3568
-
\??\c:\pdpvv.exec:\pdpvv.exe70⤵PID:1064
-
\??\c:\nbnhbb.exec:\nbnhbb.exe71⤵PID:2384
-
\??\c:\84420.exec:\84420.exe72⤵PID:3852
-
\??\c:\fllxrff.exec:\fllxrff.exe73⤵PID:1584
-
\??\c:\i804002.exec:\i804002.exe74⤵PID:752
-
\??\c:\08864.exec:\08864.exe75⤵PID:1828
-
\??\c:\84486.exec:\84486.exe76⤵PID:4436
-
\??\c:\8000264.exec:\8000264.exe77⤵PID:448
-
\??\c:\hhnnbt.exec:\hhnnbt.exe78⤵PID:1312
-
\??\c:\fllflfx.exec:\fllflfx.exe79⤵PID:3092
-
\??\c:\jdjdj.exec:\jdjdj.exe80⤵PID:2028
-
\??\c:\6480820.exec:\6480820.exe81⤵PID:4056
-
\??\c:\862604.exec:\862604.exe82⤵PID:4420
-
\??\c:\26268.exec:\26268.exe83⤵PID:4748
-
\??\c:\640848.exec:\640848.exe84⤵PID:1180
-
\??\c:\5dvvp.exec:\5dvvp.exe85⤵PID:2636
-
\??\c:\2882448.exec:\2882448.exe86⤵PID:4700
-
\??\c:\hnnbnh.exec:\hnnbnh.exe87⤵PID:904
-
\??\c:\3tnbnb.exec:\3tnbnb.exe88⤵PID:3264
-
\??\c:\6626048.exec:\6626048.exe89⤵PID:2188
-
\??\c:\vpvpv.exec:\vpvpv.exe90⤵PID:4896
-
\??\c:\hnnbhb.exec:\hnnbhb.exe91⤵PID:1524
-
\??\c:\vjjdd.exec:\vjjdd.exe92⤵PID:2280
-
\??\c:\llrfrfx.exec:\llrfrfx.exe93⤵PID:4708
-
\??\c:\6880820.exec:\6880820.exe94⤵PID:4248
-
\??\c:\hbbnbh.exec:\hbbnbh.exe95⤵PID:3364
-
\??\c:\600000.exec:\600000.exe96⤵PID:3576
-
\??\c:\tbhthb.exec:\tbhthb.exe97⤵PID:1816
-
\??\c:\htbthh.exec:\htbthh.exe98⤵PID:2668
-
\??\c:\xflfrfx.exec:\xflfrfx.exe99⤵PID:4636
-
\??\c:\jpvpj.exec:\jpvpj.exe100⤵PID:3584
-
\??\c:\08226.exec:\08226.exe101⤵PID:3228
-
\??\c:\vjdpj.exec:\vjdpj.exe102⤵PID:2768
-
\??\c:\04662.exec:\04662.exe103⤵PID:1964
-
\??\c:\868648.exec:\868648.exe104⤵PID:1592
-
\??\c:\444264.exec:\444264.exe105⤵PID:2232
-
\??\c:\ntthnh.exec:\ntthnh.exe106⤵PID:3128
-
\??\c:\66680.exec:\66680.exe107⤵PID:3224
-
\??\c:\vddvd.exec:\vddvd.exe108⤵PID:3344
-
\??\c:\htnbnh.exec:\htnbnh.exe109⤵PID:3984
-
\??\c:\49vdvpj.exec:\49vdvpj.exe110⤵PID:348
-
\??\c:\dpvpp.exec:\dpvpp.exe111⤵PID:2104
-
\??\c:\4420826.exec:\4420826.exe112⤵PID:4064
-
\??\c:\u622660.exec:\u622660.exe113⤵PID:1236
-
\??\c:\pddpj.exec:\pddpj.exe114⤵PID:436
-
\??\c:\dvvpj.exec:\dvvpj.exe115⤵PID:3928
-
\??\c:\8068024.exec:\8068024.exe116⤵PID:2164
-
\??\c:\dvvpp.exec:\dvvpp.exe117⤵PID:3480
-
\??\c:\82260.exec:\82260.exe118⤵PID:5112
-
\??\c:\9tbnbb.exec:\9tbnbb.exe119⤵PID:4204
-
\??\c:\22082.exec:\22082.exe120⤵PID:3996
-
\??\c:\llfrllr.exec:\llfrllr.exe121⤵PID:3436
-
\??\c:\884220.exec:\884220.exe122⤵PID:2872