Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:41
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52.exe
-
Size
454KB
-
MD5
06c7390f3026daa03ab01ba70e5c8f3d
-
SHA1
3a6bd31fdbe0e0eba24d484ee42cd38f74963afc
-
SHA256
86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52
-
SHA512
b35ef62bbbcac67dc380b44b3c4b08db1a9ba8efe4ffea1f4de787f2a6540fd96ee4fc32e7f5d201f840b777a7e5ee0300ffb06250065773136281ee5b8c3701
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeDn:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4832-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/264-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4052-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-962-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-1038-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-1433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-1473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4528-1583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs are reused within this run — e.g. 4836, 3960, 3676 and 4768 each appear below for two different dropped executables — so correlate the memory-dump IoCs above with a process by PID plus dump index/time, not by PID alone)
pid Process 4836 rfxlfxx.exe 1052 thnhtn.exe 2124 pvpjp.exe 2372 800662.exe 3992 7jjvj.exe 2012 hththb.exe 3960 s0064.exe 3676 1nhhbn.exe 3972 vjddv.exe 4768 nnbtnh.exe 4224 68848.exe 3432 lrrxlfx.exe 5080 1jjvp.exe 2336 pvdvd.exe 2180 40862.exe 2584 26220.exe 2812 hbhtnh.exe 3360 nntnnh.exe 2796 dpjvj.exe 3148 rxfxrll.exe 2660 0400444.exe 4332 484440.exe 3928 88486.exe 5064 3lrxlll.exe 764 88802.exe 2400 0666048.exe 2928 640482.exe 1700 xllffxx.exe 2460 o020000.exe 264 6262862.exe 3652 8406040.exe 1424 vdpjv.exe 3372 bhnnnn.exe 2712 8482008.exe 1036 xlxrrll.exe 3640 9hbbtb.exe 3524 nhhbtb.exe 3064 jdjdp.exe 1764 i004204.exe 4600 m0082.exe 1876 ntbnht.exe 4592 64804.exe 2844 thtthn.exe 2284 8888682.exe 2156 xxfxrlf.exe 3008 vdppj.exe 4836 vvpjv.exe 4888 8888804.exe 3164 66028.exe 2816 djddd.exe 220 tbbthb.exe 3940 5jjdj.exe 2392 dvvjd.exe 4620 200826.exe 4208 u882608.exe 3960 pjpdp.exe 3676 frxlfxx.exe 4896 1vpvp.exe 2244 486422.exe 4768 c682486.exe 3332 6004484.exe 3984 484862.exe 3988 64640.exe 2524 tbhbth.exe -
resource yara_rule behavioral2/memory/4832-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1424-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-398-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5048-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-962-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-998-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4028822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8888682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 402644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2286486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q82660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k24048.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0248826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4832 wrote to memory of 4836 4832 86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52.exe 85 PID 4832 wrote to memory of 4836 4832 86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52.exe 85 PID 4832 wrote to memory of 4836 4832 86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52.exe 85 PID 4836 wrote to memory of 1052 4836 rfxlfxx.exe 86 PID 4836 wrote to memory of 1052 4836 rfxlfxx.exe 86 PID 4836 wrote to memory of 1052 4836 rfxlfxx.exe 86 PID 1052 wrote to memory of 2124 1052 thnhtn.exe 87 PID 1052 wrote to memory of 2124 1052 thnhtn.exe 87 PID 1052 wrote to memory of 2124 1052 thnhtn.exe 87 PID 2124 wrote to memory of 2372 2124 pvpjp.exe 88 PID 2124 wrote to memory of 2372 2124 pvpjp.exe 88 PID 2124 wrote to memory of 2372 2124 pvpjp.exe 88 PID 2372 wrote to memory of 3992 2372 800662.exe 89 PID 2372 wrote to memory of 3992 2372 800662.exe 89 PID 2372 wrote to memory of 3992 2372 800662.exe 89 PID 3992 wrote to memory of 2012 3992 7jjvj.exe 90 PID 3992 wrote to memory of 2012 3992 7jjvj.exe 90 PID 3992 wrote to memory of 2012 3992 7jjvj.exe 90 PID 2012 wrote to memory of 3960 2012 hththb.exe 91 PID 2012 wrote to memory of 3960 2012 hththb.exe 91 PID 2012 wrote to memory of 3960 2012 hththb.exe 91 PID 3960 wrote to memory of 3676 3960 s0064.exe 92 PID 3960 wrote to memory of 3676 3960 s0064.exe 92 PID 3960 wrote to memory of 3676 3960 s0064.exe 92 PID 3676 wrote to memory of 3972 3676 1nhhbn.exe 93 PID 3676 wrote to memory of 3972 3676 1nhhbn.exe 93 PID 3676 wrote to memory of 3972 3676 1nhhbn.exe 93 PID 3972 wrote to memory of 4768 3972 vjddv.exe 94 PID 3972 wrote to memory of 4768 3972 vjddv.exe 94 PID 3972 wrote to memory of 4768 3972 vjddv.exe 94 PID 4768 wrote to memory of 4224 4768 nnbtnh.exe 95 PID 4768 wrote to memory of 4224 4768 nnbtnh.exe 95 PID 4768 wrote to memory of 4224 4768 nnbtnh.exe 95 PID 4224 wrote to memory of 3432 4224 68848.exe 96 PID 4224 wrote to memory of 
3432 4224 68848.exe 96 PID 4224 wrote to memory of 3432 4224 68848.exe 96 PID 3432 wrote to memory of 5080 3432 lrrxlfx.exe 97 PID 3432 wrote to memory of 5080 3432 lrrxlfx.exe 97 PID 3432 wrote to memory of 5080 3432 lrrxlfx.exe 97 PID 5080 wrote to memory of 2336 5080 1jjvp.exe 98 PID 5080 wrote to memory of 2336 5080 1jjvp.exe 98 PID 5080 wrote to memory of 2336 5080 1jjvp.exe 98 PID 2336 wrote to memory of 2180 2336 pvdvd.exe 99 PID 2336 wrote to memory of 2180 2336 pvdvd.exe 99 PID 2336 wrote to memory of 2180 2336 pvdvd.exe 99 PID 2180 wrote to memory of 2584 2180 40862.exe 100 PID 2180 wrote to memory of 2584 2180 40862.exe 100 PID 2180 wrote to memory of 2584 2180 40862.exe 100 PID 2584 wrote to memory of 2812 2584 26220.exe 101 PID 2584 wrote to memory of 2812 2584 26220.exe 101 PID 2584 wrote to memory of 2812 2584 26220.exe 101 PID 2812 wrote to memory of 3360 2812 hbhtnh.exe 102 PID 2812 wrote to memory of 3360 2812 hbhtnh.exe 102 PID 2812 wrote to memory of 3360 2812 hbhtnh.exe 102 PID 3360 wrote to memory of 2796 3360 nntnnh.exe 103 PID 3360 wrote to memory of 2796 3360 nntnnh.exe 103 PID 3360 wrote to memory of 2796 3360 nntnnh.exe 103 PID 2796 wrote to memory of 3148 2796 dpjvj.exe 104 PID 2796 wrote to memory of 3148 2796 dpjvj.exe 104 PID 2796 wrote to memory of 3148 2796 dpjvj.exe 104 PID 3148 wrote to memory of 2660 3148 rxfxrll.exe 105 PID 3148 wrote to memory of 2660 3148 rxfxrll.exe 105 PID 3148 wrote to memory of 2660 3148 rxfxrll.exe 105 PID 2660 wrote to memory of 4332 2660 0400444.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52.exe"C:\Users\Admin\AppData\Local\Temp\86b251aa2804f7828b14035ad3141368d058a54c36481b0404180349208eca52.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\rfxlfxx.exec:\rfxlfxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\thnhtn.exec:\thnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\pvpjp.exec:\pvpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\800662.exec:\800662.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\7jjvj.exec:\7jjvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\hththb.exec:\hththb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\s0064.exec:\s0064.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\1nhhbn.exec:\1nhhbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\vjddv.exec:\vjddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\nnbtnh.exec:\nnbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\68848.exec:\68848.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\lrrxlfx.exec:\lrrxlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\1jjvp.exec:\1jjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\pvdvd.exec:\pvdvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\40862.exec:\40862.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\26220.exec:\26220.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\hbhtnh.exec:\hbhtnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\nntnnh.exec:\nntnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\dpjvj.exec:\dpjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rxfxrll.exec:\rxfxrll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\0400444.exec:\0400444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\484440.exec:\484440.exe23⤵
- Executes dropped EXE
PID:4332 -
\??\c:\88486.exec:\88486.exe24⤵
- Executes dropped EXE
PID:3928 -
\??\c:\3lrxlll.exec:\3lrxlll.exe25⤵
- Executes dropped EXE
PID:5064 -
\??\c:\88802.exec:\88802.exe26⤵
- Executes dropped EXE
PID:764 -
\??\c:\0666048.exec:\0666048.exe27⤵
- Executes dropped EXE
PID:2400 -
\??\c:\640482.exec:\640482.exe28⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xllffxx.exec:\xllffxx.exe29⤵
- Executes dropped EXE
PID:1700 -
\??\c:\o020000.exec:\o020000.exe30⤵
- Executes dropped EXE
PID:2460 -
\??\c:\6262862.exec:\6262862.exe31⤵
- Executes dropped EXE
PID:264 -
\??\c:\8406040.exec:\8406040.exe32⤵
- Executes dropped EXE
PID:3652 -
\??\c:\vdpjv.exec:\vdpjv.exe33⤵
- Executes dropped EXE
PID:1424 -
\??\c:\bhnnnn.exec:\bhnnnn.exe34⤵
- Executes dropped EXE
PID:3372 -
\??\c:\8482008.exec:\8482008.exe35⤵
- Executes dropped EXE
PID:2712 -
\??\c:\xlxrrll.exec:\xlxrrll.exe36⤵
- Executes dropped EXE
PID:1036 -
\??\c:\9hbbtb.exec:\9hbbtb.exe37⤵
- Executes dropped EXE
PID:3640 -
\??\c:\nhhbtb.exec:\nhhbtb.exe38⤵
- Executes dropped EXE
PID:3524 -
\??\c:\jdjdp.exec:\jdjdp.exe39⤵
- Executes dropped EXE
PID:3064 -
\??\c:\i004204.exec:\i004204.exe40⤵
- Executes dropped EXE
PID:1764 -
\??\c:\m0082.exec:\m0082.exe41⤵
- Executes dropped EXE
PID:4600 -
\??\c:\ntbnht.exec:\ntbnht.exe42⤵
- Executes dropped EXE
PID:1876 -
\??\c:\64804.exec:\64804.exe43⤵
- Executes dropped EXE
PID:4592 -
\??\c:\thtthn.exec:\thtthn.exe44⤵
- Executes dropped EXE
PID:2844 -
\??\c:\8888682.exec:\8888682.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe46⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vdppj.exec:\vdppj.exe47⤵
- Executes dropped EXE
PID:3008 -
\??\c:\vvpjv.exec:\vvpjv.exe48⤵
- Executes dropped EXE
PID:4836 -
\??\c:\8888804.exec:\8888804.exe49⤵
- Executes dropped EXE
PID:4888 -
\??\c:\66028.exec:\66028.exe50⤵
- Executes dropped EXE
PID:3164 -
\??\c:\djddd.exec:\djddd.exe51⤵
- Executes dropped EXE
PID:2816 -
\??\c:\tbbthb.exec:\tbbthb.exe52⤵
- Executes dropped EXE
PID:220 -
\??\c:\5jjdj.exec:\5jjdj.exe53⤵
- Executes dropped EXE
PID:3940 -
\??\c:\dvvjd.exec:\dvvjd.exe54⤵
- Executes dropped EXE
PID:2392 -
\??\c:\200826.exec:\200826.exe55⤵
- Executes dropped EXE
PID:4620 -
\??\c:\u882608.exec:\u882608.exe56⤵
- Executes dropped EXE
PID:4208 -
\??\c:\pjpdp.exec:\pjpdp.exe57⤵
- Executes dropped EXE
PID:3960 -
\??\c:\frxlfxx.exec:\frxlfxx.exe58⤵
- Executes dropped EXE
PID:3676 -
\??\c:\1vpvp.exec:\1vpvp.exe59⤵
- Executes dropped EXE
PID:4896 -
\??\c:\486422.exec:\486422.exe60⤵
- Executes dropped EXE
PID:2244 -
\??\c:\c682486.exec:\c682486.exe61⤵
- Executes dropped EXE
PID:4768 -
\??\c:\6004484.exec:\6004484.exe62⤵
- Executes dropped EXE
PID:3332 -
\??\c:\484862.exec:\484862.exe63⤵
- Executes dropped EXE
PID:3984 -
\??\c:\64640.exec:\64640.exe64⤵
- Executes dropped EXE
PID:3988 -
\??\c:\tbhbth.exec:\tbhbth.exe65⤵
- Executes dropped EXE
PID:2524 -
\??\c:\4064886.exec:\4064886.exe66⤵PID:4820
-
\??\c:\hbbthh.exec:\hbbthh.exe67⤵PID:1856
-
\??\c:\1hbnhb.exec:\1hbnhb.exe68⤵PID:4944
-
\??\c:\6486482.exec:\6486482.exe69⤵PID:2584
-
\??\c:\2066228.exec:\2066228.exe70⤵PID:3512
-
\??\c:\0004204.exec:\0004204.exe71⤵PID:1696
-
\??\c:\rfrffxl.exec:\rfrffxl.exe72⤵PID:3484
-
\??\c:\2286486.exec:\2286486.exe73⤵
- System Location Discovery: System Language Discovery
PID:4584 -
\??\c:\lxxrlfr.exec:\lxxrlfr.exe74⤵PID:1388
-
\??\c:\ddjdp.exec:\ddjdp.exe75⤵PID:2660
-
\??\c:\26604.exec:\26604.exe76⤵PID:4848
-
\??\c:\s0220.exec:\s0220.exe77⤵PID:5072
-
\??\c:\88420.exec:\88420.exe78⤵PID:2772
-
\??\c:\o448608.exec:\o448608.exe79⤵PID:1648
-
\??\c:\888644.exec:\888644.exe80⤵PID:3520
-
\??\c:\o226486.exec:\o226486.exe81⤵PID:4840
-
\??\c:\jjdpd.exec:\jjdpd.exe82⤵PID:1884
-
\??\c:\vvvjv.exec:\vvvjv.exe83⤵PID:1952
-
\??\c:\668642.exec:\668642.exe84⤵PID:3416
-
\??\c:\m2242.exec:\m2242.exe85⤵PID:1000
-
\??\c:\4882222.exec:\4882222.exe86⤵PID:3744
-
\??\c:\5pdvj.exec:\5pdvj.exe87⤵PID:4388
-
\??\c:\hbthtn.exec:\hbthtn.exe88⤵PID:1904
-
\??\c:\w00804.exec:\w00804.exe89⤵PID:2864
-
\??\c:\nbbhtn.exec:\nbbhtn.exe90⤵PID:3832
-
\??\c:\bnhthh.exec:\bnhthh.exe91⤵PID:1752
-
\??\c:\fxlxrrl.exec:\fxlxrrl.exe92⤵PID:4288
-
\??\c:\86266.exec:\86266.exe93⤵PID:4052
-
\??\c:\c004664.exec:\c004664.exe94⤵PID:2196
-
\??\c:\o820820.exec:\o820820.exe95⤵PID:664
-
\??\c:\3bhbtn.exec:\3bhbtn.exe96⤵PID:3152
-
\??\c:\w26426.exec:\w26426.exe97⤵PID:5004
-
\??\c:\6842484.exec:\6842484.exe98⤵PID:3848
-
\??\c:\4286822.exec:\4286822.exe99⤵PID:4912
-
\??\c:\htnbtn.exec:\htnbtn.exe100⤵PID:5048
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe101⤵PID:4444
-
\??\c:\jvjdv.exec:\jvjdv.exe102⤵PID:4284
-
\??\c:\08268.exec:\08268.exe103⤵PID:4844
-
\??\c:\846484.exec:\846484.exe104⤵PID:3420
-
\??\c:\7hbnbt.exec:\7hbnbt.exe105⤵PID:4872
-
\??\c:\djjvj.exec:\djjvj.exe106⤵PID:2212
-
\??\c:\00646.exec:\00646.exe107⤵PID:4708
-
\??\c:\82642.exec:\82642.exe108⤵PID:2236
-
\??\c:\22642.exec:\22642.exe109⤵PID:1704
-
\??\c:\7thtnh.exec:\7thtnh.exe110⤵PID:1936
-
\??\c:\vvvpj.exec:\vvvpj.exe111⤵PID:4108
-
\??\c:\7tnhbh.exec:\7tnhbh.exe112⤵PID:5016
-
\??\c:\4402602.exec:\4402602.exe113⤵PID:4688
-
\??\c:\1ffrffl.exec:\1ffrffl.exe114⤵PID:2656
-
\??\c:\802088.exec:\802088.exe115⤵PID:2640
-
\??\c:\rlrflxr.exec:\rlrflxr.exe116⤵PID:2192
-
\??\c:\40044.exec:\40044.exe117⤵PID:4696
-
\??\c:\20446.exec:\20446.exe118⤵PID:1820
-
\??\c:\2648800.exec:\2648800.exe119⤵PID:4300
-
\??\c:\0440488.exec:\0440488.exe120⤵PID:2932
-
\??\c:\7tnhth.exec:\7tnhth.exe121⤵PID:412
-
\??\c:\dpjvj.exec:\dpjvj.exe122⤵PID:1104