Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 00:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe
-
Size
456KB
-
MD5
abc45e7e40bded452877935ebac8a4f0
-
SHA1
777244ab61d2fcb45f499325cc8e615aafe55560
-
SHA256
86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15
-
SHA512
bbda582bbaff8c3fa546bebaff30223bc84b8539104c40b53bd91fd31f346c04c6f89048c4e991aa9eee9a19dd03d8766b6a775b5b52aa301d15e18cd87138c4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl:q7Tc2NYHUrAwfMp3CDRl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1660-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/820-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5032-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-1196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3780 jjvjd.exe 1640 5xrlflf.exe 3040 pjpdd.exe 3456 vvpjv.exe 2900 9rxllfx.exe 1636 jdjvp.exe 4940 rxrlffx.exe 2240 xxflfrr.exe 3580 nnbtnh.exe 4848 vpvpp.exe 372 lxfxxrr.exe 5108 1nnhhh.exe 4604 xxxxffl.exe 1512 nbnhbb.exe 3476 3ppvp.exe 3360 nbhbnn.exe 4464 1vdvp.exe 812 rrfrllx.exe 4268 7ntnhn.exe 772 bntnhb.exe 4660 xrrllll.exe 632 rxfrlfx.exe 4624 rxflxxx.exe 3836 rlfrfff.exe 820 hbnhhh.exe 2124 xxfxfxr.exe 2984 lffxxxr.exe 3512 bnhtnn.exe 216 lflffff.exe 2252 7pvpj.exe 4900 xlxrflf.exe 2688 vdjdv.exe 3552 lrxrlfx.exe 3912 vjpdv.exe 944 flrlfxx.exe 3644 bntnhh.exe 5028 9vpjv.exe 1776 lflfxrr.exe 5036 llrllfx.exe 4592 nbhhbh.exe 3948 ddvjp.exe 1164 lrlxlrl.exe 4636 hhbttn.exe 1296 bnthbb.exe 408 5dvjv.exe 3524 rrrfrlx.exe 3752 thhbnh.exe 4184 thbnbt.exe 1328 1ppdp.exe 1616 9lrlllr.exe 4440 3hhbbb.exe 4560 dvpjp.exe 1148 3ppdp.exe 1844 9rxrrrf.exe 4612 3hhbtn.exe 1708 7ddvj.exe 1132 9vpjd.exe 3500 bbhttt.exe 2420 vddvj.exe 640 xlrlxxr.exe 916 hbnbtb.exe 1636 djjdp.exe 4024 5jpdd.exe 1076 7fxlrlf.exe -
resource yara_rule behavioral2/memory/1660-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/820-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2976-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-705-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1660 wrote to memory of 3780 1660 86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe 82 PID 1660 wrote to memory of 3780 1660 86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe 82 PID 1660 wrote to memory of 3780 1660 86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe 82 PID 3780 wrote to memory of 1640 3780 jjvjd.exe 83 PID 3780 wrote to memory of 1640 3780 jjvjd.exe 83 PID 3780 wrote to memory of 1640 3780 jjvjd.exe 83 PID 1640 wrote to memory of 3040 1640 5xrlflf.exe 84 PID 1640 wrote to memory of 3040 1640 5xrlflf.exe 84 PID 1640 wrote to memory of 3040 1640 5xrlflf.exe 84 PID 3040 wrote to memory of 3456 3040 pjpdd.exe 85 PID 3040 wrote to memory of 3456 3040 pjpdd.exe 85 PID 3040 wrote to memory of 3456 3040 pjpdd.exe 85 PID 3456 wrote to memory of 2900 3456 vvpjv.exe 86 PID 3456 wrote to memory of 2900 3456 vvpjv.exe 86 PID 3456 wrote to memory of 2900 3456 vvpjv.exe 86 PID 2900 wrote to memory of 1636 2900 9rxllfx.exe 87 PID 2900 wrote to memory of 1636 2900 9rxllfx.exe 87 PID 2900 wrote to memory of 1636 2900 9rxllfx.exe 87 PID 1636 wrote to memory of 4940 1636 jdjvp.exe 88 PID 1636 wrote to memory of 4940 1636 jdjvp.exe 88 PID 1636 wrote to memory of 4940 1636 jdjvp.exe 88 PID 4940 wrote to memory of 2240 4940 rxrlffx.exe 89 PID 4940 wrote to memory of 2240 4940 rxrlffx.exe 89 PID 4940 wrote to memory of 2240 4940 rxrlffx.exe 89 PID 2240 wrote to memory of 3580 2240 xxflfrr.exe 90 PID 2240 wrote to memory of 3580 2240 xxflfrr.exe 90 PID 2240 wrote to memory of 3580 2240 xxflfrr.exe 90 PID 3580 wrote to memory of 4848 3580 nnbtnh.exe 91 PID 3580 wrote to memory of 4848 3580 nnbtnh.exe 91 PID 3580 wrote to memory of 4848 3580 nnbtnh.exe 91 PID 4848 wrote to memory of 372 4848 vpvpp.exe 92 PID 4848 wrote to memory of 372 4848 vpvpp.exe 92 PID 4848 wrote to memory of 372 4848 vpvpp.exe 92 PID 372 wrote to memory of 5108 372 lxfxxrr.exe 93 PID 372 wrote to memory of 
5108 372 lxfxxrr.exe 93 PID 372 wrote to memory of 5108 372 lxfxxrr.exe 93 PID 5108 wrote to memory of 4604 5108 1nnhhh.exe 94 PID 5108 wrote to memory of 4604 5108 1nnhhh.exe 94 PID 5108 wrote to memory of 4604 5108 1nnhhh.exe 94 PID 4604 wrote to memory of 1512 4604 xxxxffl.exe 95 PID 4604 wrote to memory of 1512 4604 xxxxffl.exe 95 PID 4604 wrote to memory of 1512 4604 xxxxffl.exe 95 PID 1512 wrote to memory of 3476 1512 nbnhbb.exe 96 PID 1512 wrote to memory of 3476 1512 nbnhbb.exe 96 PID 1512 wrote to memory of 3476 1512 nbnhbb.exe 96 PID 3476 wrote to memory of 3360 3476 3ppvp.exe 97 PID 3476 wrote to memory of 3360 3476 3ppvp.exe 97 PID 3476 wrote to memory of 3360 3476 3ppvp.exe 97 PID 3360 wrote to memory of 4464 3360 nbhbnn.exe 98 PID 3360 wrote to memory of 4464 3360 nbhbnn.exe 98 PID 3360 wrote to memory of 4464 3360 nbhbnn.exe 98 PID 4464 wrote to memory of 812 4464 1vdvp.exe 99 PID 4464 wrote to memory of 812 4464 1vdvp.exe 99 PID 4464 wrote to memory of 812 4464 1vdvp.exe 99 PID 812 wrote to memory of 4268 812 rrfrllx.exe 100 PID 812 wrote to memory of 4268 812 rrfrllx.exe 100 PID 812 wrote to memory of 4268 812 rrfrllx.exe 100 PID 4268 wrote to memory of 772 4268 7ntnhn.exe 101 PID 4268 wrote to memory of 772 4268 7ntnhn.exe 101 PID 4268 wrote to memory of 772 4268 7ntnhn.exe 101 PID 772 wrote to memory of 4660 772 bntnhb.exe 102 PID 772 wrote to memory of 4660 772 bntnhb.exe 102 PID 772 wrote to memory of 4660 772 bntnhb.exe 102 PID 4660 wrote to memory of 632 4660 xrrllll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe"C:\Users\Admin\AppData\Local\Temp\86b75aa205cc9a8b086dc79d9d76f08260fbec4daceaf8245f274f46c6545a15.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\jjvjd.exec:\jjvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\5xrlflf.exec:\5xrlflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\pjpdd.exec:\pjpdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\vvpjv.exec:\vvpjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\9rxllfx.exec:\9rxllfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\jdjvp.exec:\jdjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\rxrlffx.exec:\rxrlffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\xxflfrr.exec:\xxflfrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\nnbtnh.exec:\nnbtnh.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\vpvpp.exec:\vpvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\1nnhhh.exec:\1nnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\xxxxffl.exec:\xxxxffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\nbnhbb.exec:\nbnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\3ppvp.exec:\3ppvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\nbhbnn.exec:\nbhbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\1vdvp.exec:\1vdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\rrfrllx.exec:\rrfrllx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\7ntnhn.exec:\7ntnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\bntnhb.exec:\bntnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\xrrllll.exec:\xrrllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe23⤵
- Executes dropped EXE
PID:632 -
\??\c:\rxflxxx.exec:\rxflxxx.exe24⤵
- Executes dropped EXE
PID:4624 -
\??\c:\rlfrfff.exec:\rlfrfff.exe25⤵
- Executes dropped EXE
PID:3836 -
\??\c:\hbnhhh.exec:\hbnhhh.exe26⤵
- Executes dropped EXE
PID:820 -
\??\c:\xxfxfxr.exec:\xxfxfxr.exe27⤵
- Executes dropped EXE
PID:2124 -
\??\c:\lffxxxr.exec:\lffxxxr.exe28⤵
- Executes dropped EXE
PID:2984 -
\??\c:\bnhtnn.exec:\bnhtnn.exe29⤵
- Executes dropped EXE
PID:3512 -
\??\c:\lflffff.exec:\lflffff.exe30⤵
- Executes dropped EXE
PID:216 -
\??\c:\7pvpj.exec:\7pvpj.exe31⤵
- Executes dropped EXE
PID:2252 -
\??\c:\xlxrflf.exec:\xlxrflf.exe32⤵
- Executes dropped EXE
PID:4900 -
\??\c:\vdjdv.exec:\vdjdv.exe33⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe34⤵
- Executes dropped EXE
PID:3552 -
\??\c:\vjpdv.exec:\vjpdv.exe35⤵
- Executes dropped EXE
PID:3912 -
\??\c:\flrlfxx.exec:\flrlfxx.exe36⤵
- Executes dropped EXE
PID:944 -
\??\c:\bntnhh.exec:\bntnhh.exe37⤵
- Executes dropped EXE
PID:3644 -
\??\c:\9vpjv.exec:\9vpjv.exe38⤵
- Executes dropped EXE
PID:5028 -
\??\c:\lflfxrr.exec:\lflfxrr.exe39⤵
- Executes dropped EXE
PID:1776 -
\??\c:\llrllfx.exec:\llrllfx.exe40⤵
- Executes dropped EXE
PID:5036 -
\??\c:\nbhhbh.exec:\nbhhbh.exe41⤵
- Executes dropped EXE
PID:4592 -
\??\c:\ddvjp.exec:\ddvjp.exe42⤵
- Executes dropped EXE
PID:3948 -
\??\c:\lrlxlrl.exec:\lrlxlrl.exe43⤵
- Executes dropped EXE
PID:1164 -
\??\c:\hhbttn.exec:\hhbttn.exe44⤵
- Executes dropped EXE
PID:4636 -
\??\c:\bnthbb.exec:\bnthbb.exe45⤵
- Executes dropped EXE
PID:1296 -
\??\c:\5dvjv.exec:\5dvjv.exe46⤵
- Executes dropped EXE
PID:408 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe47⤵
- Executes dropped EXE
PID:3524 -
\??\c:\thhbnh.exec:\thhbnh.exe48⤵
- Executes dropped EXE
PID:3752 -
\??\c:\thbnbt.exec:\thbnbt.exe49⤵
- Executes dropped EXE
PID:4184 -
\??\c:\1ppdp.exec:\1ppdp.exe50⤵
- Executes dropped EXE
PID:1328 -
\??\c:\9lrlllr.exec:\9lrlllr.exe51⤵
- Executes dropped EXE
PID:1616 -
\??\c:\3hhbbb.exec:\3hhbbb.exe52⤵
- Executes dropped EXE
PID:4440 -
\??\c:\dvpjp.exec:\dvpjp.exe53⤵
- Executes dropped EXE
PID:4560 -
\??\c:\3ppdp.exec:\3ppdp.exe54⤵
- Executes dropped EXE
PID:1148 -
\??\c:\9rxrrrf.exec:\9rxrrrf.exe55⤵
- Executes dropped EXE
PID:1844 -
\??\c:\3hhbtn.exec:\3hhbtn.exe56⤵
- Executes dropped EXE
PID:4612 -
\??\c:\7ddvj.exec:\7ddvj.exe57⤵
- Executes dropped EXE
PID:1708 -
\??\c:\9vpjd.exec:\9vpjd.exe58⤵
- Executes dropped EXE
PID:1132 -
\??\c:\bbhttt.exec:\bbhttt.exe59⤵
- Executes dropped EXE
PID:3500 -
\??\c:\vddvj.exec:\vddvj.exe60⤵
- Executes dropped EXE
PID:2420 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe61⤵
- Executes dropped EXE
PID:640 -
\??\c:\hbnbtb.exec:\hbnbtb.exe62⤵
- Executes dropped EXE
PID:916 -
\??\c:\djjdp.exec:\djjdp.exe63⤵
- Executes dropped EXE
PID:1636 -
\??\c:\5jpdd.exec:\5jpdd.exe64⤵
- Executes dropped EXE
PID:4024 -
\??\c:\7fxlrlf.exec:\7fxlrlf.exe65⤵
- Executes dropped EXE
PID:1076 -
\??\c:\1tnhtt.exec:\1tnhtt.exe66⤵PID:5032
-
\??\c:\jdddp.exec:\jdddp.exe67⤵PID:844
-
\??\c:\xrrlffr.exec:\xrrlffr.exe68⤵PID:3972
-
\??\c:\xxflfrf.exec:\xxflfrf.exe69⤵PID:4972
-
\??\c:\nnthbn.exec:\nnthbn.exe70⤵PID:5020
-
\??\c:\jdpdd.exec:\jdpdd.exe71⤵PID:116
-
\??\c:\dvvpd.exec:\dvvpd.exe72⤵PID:4000
-
\??\c:\xrxxrll.exec:\xrxxrll.exe73⤵PID:4476
-
\??\c:\bnnhtn.exec:\bnnhtn.exe74⤵PID:1532
-
\??\c:\vpvdp.exec:\vpvdp.exe75⤵PID:1552
-
\??\c:\fxffrfx.exec:\fxffrfx.exe76⤵PID:2976
-
\??\c:\3lxrfxl.exec:\3lxrfxl.exe77⤵PID:3684
-
\??\c:\hnhbnh.exec:\hnhbnh.exe78⤵PID:2284
-
\??\c:\7dpjv.exec:\7dpjv.exe79⤵PID:4932
-
\??\c:\pdjjd.exec:\pdjjd.exe80⤵PID:1772
-
\??\c:\xflxxxl.exec:\xflxxxl.exe81⤵PID:3832
-
\??\c:\bhhtnb.exec:\bhhtnb.exe82⤵PID:1864
-
\??\c:\pppjv.exec:\pppjv.exe83⤵PID:316
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe84⤵PID:1324
-
\??\c:\llrlffx.exec:\llrlffx.exe85⤵PID:5084
-
\??\c:\nhtntt.exec:\nhtntt.exe86⤵PID:1176
-
\??\c:\1pjvp.exec:\1pjvp.exe87⤵PID:1360
-
\??\c:\xrxlxrr.exec:\xrxlxrr.exe88⤵PID:636
-
\??\c:\lllxrrf.exec:\lllxrrf.exe89⤵PID:1376
-
\??\c:\bnnhhb.exec:\bnnhhb.exe90⤵PID:712
-
\??\c:\nhtnbb.exec:\nhtnbb.exe91⤵PID:4548
-
\??\c:\vvdvp.exec:\vvdvp.exe92⤵PID:3620
-
\??\c:\xflxrlf.exec:\xflxrlf.exe93⤵PID:3608
-
\??\c:\1ntnhh.exec:\1ntnhh.exe94⤵PID:3800
-
\??\c:\nbhhbt.exec:\nbhhbt.exe95⤵PID:3940
-
\??\c:\ppvpd.exec:\ppvpd.exe96⤵PID:3048
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe97⤵PID:3280
-
\??\c:\1bhbnb.exec:\1bhbnb.exe98⤵PID:2252
-
\??\c:\pvpjv.exec:\pvpjv.exe99⤵PID:2088
-
\??\c:\pjjvp.exec:\pjjvp.exe100⤵PID:2904
-
\??\c:\rlfrlxr.exec:\rlfrlxr.exe101⤵PID:2688
-
\??\c:\ntbnbt.exec:\ntbnbt.exe102⤵PID:2036
-
\??\c:\7jjvp.exec:\7jjvp.exe103⤵PID:1292
-
\??\c:\fxxfxxr.exec:\fxxfxxr.exe104⤵PID:1528
-
\??\c:\fllffxr.exec:\fllffxr.exe105⤵PID:676
-
\??\c:\bnnhbn.exec:\bnnhbn.exe106⤵PID:1584
-
\??\c:\jdvpj.exec:\jdvpj.exe107⤵PID:4252
-
\??\c:\3xfrfrf.exec:\3xfrfrf.exe108⤵PID:1888
-
\??\c:\7ffrfxr.exec:\7ffrfxr.exe109⤵PID:3216
-
\??\c:\bbhtnh.exec:\bbhtnh.exe110⤵PID:1548
-
\??\c:\7dpdp.exec:\7dpdp.exe111⤵PID:2448
-
\??\c:\xffrfxl.exec:\xffrfxl.exe112⤵PID:3628
-
\??\c:\7llxxxr.exec:\7llxxxr.exe113⤵PID:4144
-
\??\c:\hhnbtn.exec:\hhnbtn.exe114⤵PID:4668
-
\??\c:\pddvj.exec:\pddvj.exe115⤵PID:3944
-
\??\c:\jpdpd.exec:\jpdpd.exe116⤵PID:2364
-
\??\c:\fllflfx.exec:\fllflfx.exe117⤵PID:2760
-
\??\c:\hbntnb.exec:\hbntnb.exe118⤵PID:3272
-
\??\c:\ntbnbt.exec:\ntbnbt.exe119⤵PID:1612
-
\??\c:\1djdv.exec:\1djdv.exe120⤵PID:3980
-
\??\c:\rlrffxx.exec:\rlrffxx.exe121⤵PID:3292
-
\??\c:\lxxfrlf.exec:\lxxfrlf.exe122⤵PID:4560