Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 00:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe
-
Size
456KB
-
MD5
abc45e7e40bded452877935ebac8a4f0
-
SHA1
777244ab61d2fcb45f499325cc8e615aafe55560
-
SHA256
86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15
-
SHA512
bbda582bbaff8c3fa546bebaff30223bc84b8539104c40b53bd91fd31f346c04c6f89048c4e991aa9eee9a19dd03d8766b6a775b5b52aa301d15e18cd87138c4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl:q7Tc2NYHUrAwfMp3CDRl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2588-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4156-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4060-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-1151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-1158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3836 dpvpp.exe 3164 5rffxfr.exe 4660 nhtntt.exe 508 1ttnnn.exe 1984 3jvpv.exe 4216 nhbbtb.exe 3620 7hhhbb.exe 3508 3hbthb.exe 2656 vdpjv.exe 2816 xffxxlf.exe 2512 7nnbtt.exe 2788 hbtnbt.exe 3472 pjvjp.exe 2064 xllrrrl.exe 640 bhbhnb.exe 836 vdjdv.exe 4368 pdjdd.exe 880 rlfxrll.exe 1916 bbbtnn.exe 3544 flrrfff.exe 4228 rrxrllf.exe 3436 7pjjd.exe 1948 lrxrfxr.exe 4780 xrfxxxx.exe 2760 hhhnht.exe 4388 vjjdv.exe 4828 vppdv.exe 4176 lllffxx.exe 3208 bbtnnh.exe 4224 vjjdv.exe 4800 1pvpj.exe 4156 3lfxrfx.exe 3812 flxfrlr.exe 4676 5hbthb.exe 1288 pddvp.exe 1640 dpvpd.exe 4608 lxffffl.exe 4072 1hhhbh.exe 4684 dvddv.exe 1848 djpjd.exe 4348 fxllfxr.exe 1128 7bbbtt.exe 3924 bhtnbn.exe 3460 1dvvp.exe 1576 5nhbtt.exe 2228 vpppj.exe 620 xrxrrrr.exe 2336 jdvpj.exe 4220 jjpjv.exe 2080 lfrffxf.exe 4996 jvvvp.exe 3980 dpvpj.exe 4496 vddvv.exe 4144 1xfxrrr.exe 4312 xxlfxxr.exe 4216 nthhhh.exe 1884 pjjdp.exe 3620 xfllxxr.exe 552 1tbhbh.exe 3608 btbthh.exe 2816 3lfxlrl.exe 2512 rxxrllf.exe 4944 dddjp.exe 4872 vvvpd.exe -
resource yara_rule behavioral2/memory/2588-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4156-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-316-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1892-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-609-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 3836 2588 86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe 82 PID 2588 wrote to memory of 3836 2588 86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe 82 PID 2588 wrote to memory of 3836 2588 86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe 82 PID 3836 wrote to memory of 3164 3836 dpvpp.exe 83 PID 3836 wrote to memory of 3164 3836 dpvpp.exe 83 PID 3836 wrote to memory of 3164 3836 dpvpp.exe 83 PID 3164 wrote to memory of 4660 3164 5rffxfr.exe 84 PID 3164 wrote to memory of 4660 3164 5rffxfr.exe 84 PID 3164 wrote to memory of 4660 3164 5rffxfr.exe 84 PID 4660 wrote to memory of 508 4660 nhtntt.exe 85 PID 4660 wrote to memory of 508 4660 nhtntt.exe 85 PID 4660 wrote to memory of 508 4660 nhtntt.exe 85 PID 508 wrote to memory of 1984 508 1ttnnn.exe 86 PID 508 wrote to memory of 1984 508 1ttnnn.exe 86 PID 508 wrote to memory of 1984 508 1ttnnn.exe 86 PID 1984 wrote to memory of 4216 1984 3jvpv.exe 87 PID 1984 wrote to memory of 4216 1984 3jvpv.exe 87 PID 1984 wrote to memory of 4216 1984 3jvpv.exe 87 PID 4216 wrote to memory of 3620 4216 nhbbtb.exe 88 PID 4216 wrote to memory of 3620 4216 nhbbtb.exe 88 PID 4216 wrote to memory of 3620 4216 nhbbtb.exe 88 PID 3620 wrote to memory of 3508 3620 7hhhbb.exe 89 PID 3620 wrote to memory of 3508 3620 7hhhbb.exe 89 PID 3620 wrote to memory of 3508 3620 7hhhbb.exe 89 PID 3508 wrote to memory of 2656 3508 3hbthb.exe 90 PID 3508 wrote to memory of 2656 3508 3hbthb.exe 90 PID 3508 wrote to memory of 2656 3508 3hbthb.exe 90 PID 2656 wrote to memory of 2816 2656 vdpjv.exe 91 PID 2656 wrote to memory of 2816 2656 vdpjv.exe 91 PID 2656 wrote to memory of 2816 2656 vdpjv.exe 91 PID 2816 wrote to memory of 2512 2816 xffxxlf.exe 92 PID 2816 wrote to memory of 2512 2816 xffxxlf.exe 92 PID 2816 wrote to memory of 2512 2816 xffxxlf.exe 92 PID 2512 wrote to memory of 2788 2512 7nnbtt.exe 93 PID 2512 wrote to memory of 
2788 2512 7nnbtt.exe 93 PID 2512 wrote to memory of 2788 2512 7nnbtt.exe 93 PID 2788 wrote to memory of 3472 2788 hbtnbt.exe 94 PID 2788 wrote to memory of 3472 2788 hbtnbt.exe 94 PID 2788 wrote to memory of 3472 2788 hbtnbt.exe 94 PID 3472 wrote to memory of 2064 3472 pjvjp.exe 95 PID 3472 wrote to memory of 2064 3472 pjvjp.exe 95 PID 3472 wrote to memory of 2064 3472 pjvjp.exe 95 PID 2064 wrote to memory of 640 2064 xllrrrl.exe 96 PID 2064 wrote to memory of 640 2064 xllrrrl.exe 96 PID 2064 wrote to memory of 640 2064 xllrrrl.exe 96 PID 640 wrote to memory of 836 640 bhbhnb.exe 97 PID 640 wrote to memory of 836 640 bhbhnb.exe 97 PID 640 wrote to memory of 836 640 bhbhnb.exe 97 PID 836 wrote to memory of 4368 836 vdjdv.exe 98 PID 836 wrote to memory of 4368 836 vdjdv.exe 98 PID 836 wrote to memory of 4368 836 vdjdv.exe 98 PID 4368 wrote to memory of 880 4368 pdjdd.exe 99 PID 4368 wrote to memory of 880 4368 pdjdd.exe 99 PID 4368 wrote to memory of 880 4368 pdjdd.exe 99 PID 880 wrote to memory of 1916 880 rlfxrll.exe 100 PID 880 wrote to memory of 1916 880 rlfxrll.exe 100 PID 880 wrote to memory of 1916 880 rlfxrll.exe 100 PID 1916 wrote to memory of 3544 1916 bbbtnn.exe 101 PID 1916 wrote to memory of 3544 1916 bbbtnn.exe 101 PID 1916 wrote to memory of 3544 1916 bbbtnn.exe 101 PID 3544 wrote to memory of 4228 3544 flrrfff.exe 102 PID 3544 wrote to memory of 4228 3544 flrrfff.exe 102 PID 3544 wrote to memory of 4228 3544 flrrfff.exe 102 PID 4228 wrote to memory of 3436 4228 rrxrllf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe"C:\Users\Admin\AppData\Local\Temp\86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\dpvpp.exec:\dpvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\5rffxfr.exec:\5rffxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\nhtntt.exec:\nhtntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\1ttnnn.exec:\1ttnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\3jvpv.exec:\3jvpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\nhbbtb.exec:\nhbbtb.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\7hhhbb.exec:\7hhhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\3hbthb.exec:\3hbthb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\vdpjv.exec:\vdpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\xffxxlf.exec:\xffxxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\7nnbtt.exec:\7nnbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\hbtnbt.exec:\hbtnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\pjvjp.exec:\pjvjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\xllrrrl.exec:\xllrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\bhbhnb.exec:\bhbhnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\vdjdv.exec:\vdjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\pdjdd.exec:\pdjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\rlfxrll.exec:\rlfxrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\bbbtnn.exec:\bbbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\flrrfff.exec:\flrrfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\rrxrllf.exec:\rrxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\7pjjd.exec:\7pjjd.exe23⤵
- Executes dropped EXE
PID:3436 -
\??\c:\lrxrfxr.exec:\lrxrfxr.exe24⤵
- Executes dropped EXE
PID:1948 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe25⤵
- Executes dropped EXE
PID:4780 -
\??\c:\hhhnht.exec:\hhhnht.exe26⤵
- Executes dropped EXE
PID:2760 -
\??\c:\vjjdv.exec:\vjjdv.exe27⤵
- Executes dropped EXE
PID:4388 -
\??\c:\vppdv.exec:\vppdv.exe28⤵
- Executes dropped EXE
PID:4828 -
\??\c:\lllffxx.exec:\lllffxx.exe29⤵
- Executes dropped EXE
PID:4176 -
\??\c:\bbtnnh.exec:\bbtnnh.exe30⤵
- Executes dropped EXE
PID:3208 -
\??\c:\vjjdv.exec:\vjjdv.exe31⤵
- Executes dropped EXE
PID:4224 -
\??\c:\1pvpj.exec:\1pvpj.exe32⤵
- Executes dropped EXE
PID:4800 -
\??\c:\3lfxrfx.exec:\3lfxrfx.exe33⤵
- Executes dropped EXE
PID:4156 -
\??\c:\flxfrlr.exec:\flxfrlr.exe34⤵
- Executes dropped EXE
PID:3812 -
\??\c:\5hbthb.exec:\5hbthb.exe35⤵
- Executes dropped EXE
PID:4676 -
\??\c:\pddvp.exec:\pddvp.exe36⤵
- Executes dropped EXE
PID:1288 -
\??\c:\dpvpd.exec:\dpvpd.exe37⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lxffffl.exec:\lxffffl.exe38⤵
- Executes dropped EXE
PID:4608 -
\??\c:\1hhhbh.exec:\1hhhbh.exe39⤵
- Executes dropped EXE
PID:4072 -
\??\c:\dvddv.exec:\dvddv.exe40⤵
- Executes dropped EXE
PID:4684 -
\??\c:\djpjd.exec:\djpjd.exe41⤵
- Executes dropped EXE
PID:1848 -
\??\c:\fxllfxr.exec:\fxllfxr.exe42⤵
- Executes dropped EXE
PID:4348 -
\??\c:\7bbbtt.exec:\7bbbtt.exe43⤵
- Executes dropped EXE
PID:1128 -
\??\c:\bhtnbn.exec:\bhtnbn.exe44⤵
- Executes dropped EXE
PID:3924 -
\??\c:\1dvvp.exec:\1dvvp.exe45⤵
- Executes dropped EXE
PID:3460 -
\??\c:\5nhbtt.exec:\5nhbtt.exe46⤵
- Executes dropped EXE
PID:1576 -
\??\c:\vpppj.exec:\vpppj.exe47⤵
- Executes dropped EXE
PID:2228 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe48⤵
- Executes dropped EXE
PID:620 -
\??\c:\nnbnbt.exec:\nnbnbt.exe49⤵PID:4980
-
\??\c:\jdvpj.exec:\jdvpj.exe50⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jjpjv.exec:\jjpjv.exe51⤵
- Executes dropped EXE
PID:4220 -
\??\c:\lfrffxf.exec:\lfrffxf.exe52⤵
- Executes dropped EXE
PID:2080 -
\??\c:\jvvvp.exec:\jvvvp.exe53⤵
- Executes dropped EXE
PID:4996 -
\??\c:\dpvpj.exec:\dpvpj.exe54⤵
- Executes dropped EXE
PID:3980 -
\??\c:\vddvv.exec:\vddvv.exe55⤵
- Executes dropped EXE
PID:4496 -
\??\c:\1xfxrrr.exec:\1xfxrrr.exe56⤵
- Executes dropped EXE
PID:4144 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe57⤵
- Executes dropped EXE
PID:4312 -
\??\c:\nthhhh.exec:\nthhhh.exe58⤵
- Executes dropped EXE
PID:4216 -
\??\c:\pjjdp.exec:\pjjdp.exe59⤵
- Executes dropped EXE
PID:1884 -
\??\c:\xfllxxr.exec:\xfllxxr.exe60⤵
- Executes dropped EXE
PID:3620 -
\??\c:\1tbhbh.exec:\1tbhbh.exe61⤵
- Executes dropped EXE
PID:552 -
\??\c:\btbthh.exec:\btbthh.exe62⤵
- Executes dropped EXE
PID:3608 -
\??\c:\3lfxlrl.exec:\3lfxlrl.exe63⤵
- Executes dropped EXE
PID:2816 -
\??\c:\rxxrllf.exec:\rxxrllf.exe64⤵
- Executes dropped EXE
PID:2512 -
\??\c:\dddjp.exec:\dddjp.exe65⤵
- Executes dropped EXE
PID:4944 -
\??\c:\vvvpd.exec:\vvvpd.exe66⤵
- Executes dropped EXE
PID:4872 -
\??\c:\lffxrxx.exec:\lffxrxx.exe67⤵PID:3260
-
\??\c:\7hnhhh.exec:\7hnhhh.exe68⤵PID:3536
-
\??\c:\5nnnbb.exec:\5nnnbb.exe69⤵PID:760
-
\??\c:\pjdvv.exec:\pjdvv.exe70⤵PID:2060
-
\??\c:\pddvj.exec:\pddvj.exe71⤵PID:2920
-
\??\c:\rlfxllf.exec:\rlfxllf.exe72⤵PID:3140
-
\??\c:\bbbbtt.exec:\bbbbtt.exe73⤵PID:460
-
\??\c:\vpdvd.exec:\vpdvd.exe74⤵PID:3468
-
\??\c:\ffxxlxf.exec:\ffxxlxf.exe75⤵PID:1892
-
\??\c:\9btnbb.exec:\9btnbb.exe76⤵PID:2724
-
\??\c:\bhnhbb.exec:\bhnhbb.exe77⤵PID:4152
-
\??\c:\vppjd.exec:\vppjd.exe78⤵PID:1596
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe79⤵PID:4060
-
\??\c:\hhhbbb.exec:\hhhbbb.exe80⤵PID:2964
-
\??\c:\hntntt.exec:\hntntt.exe81⤵PID:1236
-
\??\c:\ppvdv.exec:\ppvdv.exe82⤵PID:2976
-
\??\c:\rllfxxr.exec:\rllfxxr.exe83⤵PID:1880
-
\??\c:\nbbttb.exec:\nbbttb.exe84⤵PID:376
-
\??\c:\nhbttt.exec:\nhbttt.exe85⤵PID:3692
-
\??\c:\dvdvv.exec:\dvdvv.exe86⤵PID:4916
-
\??\c:\5fxrrrx.exec:\5fxrrrx.exe87⤵PID:4704
-
\??\c:\tttnnn.exec:\tttnnn.exe88⤵PID:4584
-
\??\c:\vjjdv.exec:\vjjdv.exe89⤵PID:3484
-
\??\c:\jjjvj.exec:\jjjvj.exe90⤵PID:3148
-
\??\c:\fllrlfx.exec:\fllrlfx.exe91⤵PID:2608
-
\??\c:\3nnhbb.exec:\3nnhbb.exe92⤵PID:3940
-
\??\c:\dpvpv.exec:\dpvpv.exe93⤵PID:2548
-
\??\c:\jvddp.exec:\jvddp.exe94⤵PID:3596
-
\??\c:\flxrlrr.exec:\flxrlrr.exe95⤵PID:2836
-
\??\c:\9nhbnn.exec:\9nhbnn.exe96⤵PID:4604
-
\??\c:\vppjv.exec:\vppjv.exe97⤵PID:4676
-
\??\c:\jjdvp.exec:\jjdvp.exe98⤵PID:3396
-
\??\c:\flrfrfr.exec:\flrfrfr.exe99⤵PID:2828
-
\??\c:\thhbtt.exec:\thhbtt.exe100⤵PID:3400
-
\??\c:\5jjdp.exec:\5jjdp.exe101⤵PID:2324
-
\??\c:\fxxxllf.exec:\fxxxllf.exe102⤵PID:4964
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe103⤵PID:3824
-
\??\c:\1hnhtt.exec:\1hnhtt.exe104⤵PID:2040
-
\??\c:\djpdp.exec:\djpdp.exe105⤵PID:872
-
\??\c:\lllxllf.exec:\lllxllf.exe106⤵PID:4032
-
\??\c:\hthbbt.exec:\hthbbt.exe107⤵PID:2960
-
\??\c:\vdvvj.exec:\vdvvj.exe108⤵PID:4488
-
\??\c:\rfxfrlf.exec:\rfxfrlf.exe109⤵PID:1944
-
\??\c:\3ttnhh.exec:\3ttnhh.exe110⤵PID:3052
-
\??\c:\ppdpv.exec:\ppdpv.exe111⤵PID:4380
-
\??\c:\1lfxrxx.exec:\1lfxrxx.exe112⤵PID:4304
-
\??\c:\lxxfrrr.exec:\lxxfrrr.exe113⤵PID:3184
-
\??\c:\hbnhbn.exec:\hbnhbn.exe114⤵PID:4708
-
\??\c:\pdjvp.exec:\pdjvp.exe115⤵PID:2360
-
\??\c:\flrlrrl.exec:\flrlrrl.exe116⤵PID:3988
-
\??\c:\nnntnn.exec:\nnntnn.exe117⤵PID:4996
-
\??\c:\bnnbtn.exec:\bnnbtn.exe118⤵PID:4884
-
\??\c:\pjvpj.exec:\pjvpj.exe119⤵PID:4140
-
\??\c:\xlrlfff.exec:\xlrlfff.exe120⤵PID:5084
-
\??\c:\hbhhhh.exec:\hbhhhh.exe121⤵PID:3616
-
\??\c:\tbbnbb.exec:\tbbnbb.exe122⤵PID:3604