Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe
-
Size
456KB
-
MD5
61bee24192605ddde54ac752eed43eb6
-
SHA1
49cddfb4e2cc7fe3b8a2f0c375425cb31eed6dc2
-
SHA256
86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3
-
SHA512
20948cd5bfdd8437d93d87c997e583c8eafa81bb31c7cbb1b5c9059358fb5d8473d8350e4d2e777e6345a6b6d107fb6e697ba25bb18c5c8c34a4d22625c9cdc4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRR:q7Tc2NYHUrAwfMp3CDRR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3868-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4584-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3460-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-1025-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-1376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2284 fllfxrf.exe 4564 4000444.exe 5064 dppjd.exe 2140 468604.exe 3600 jdjdv.exe 4484 22666.exe 432 i682222.exe 2864 0422022.exe 3168 02444.exe 4048 bhhtnh.exe 4944 68448.exe 4824 hhhbhh.exe 1856 a8426.exe 2616 ffxrfxr.exe 3796 640860.exe 3940 864264.exe 1368 lfxfxrx.exe 1044 1vpdp.exe 3656 4288484.exe 4372 llllxlx.exe 3780 6466864.exe 4236 84086.exe 4836 htbtht.exe 4960 ttbhnh.exe 4308 24484.exe 4448 0068864.exe 1064 rffrfxl.exe 4584 20622.exe 968 jvddp.exe 1000 nnbhth.exe 3388 808660.exe 1804 42644.exe 3428 c004248.exe 2984 8622204.exe 4700 frfrlxr.exe 2476 g4464.exe 2336 08442.exe 2664 bnnnnh.exe 4508 thhbtt.exe 1712 00642.exe 1852 jjdpp.exe 752 ntnbth.exe 4880 44828.exe 3100 4824208.exe 2832 862448.exe 4444 bnnthb.exe 4704 vppvj.exe 1048 bnhhth.exe 872 bhthnh.exe 1948 5vpjv.exe 3092 hbttbb.exe 5064 044868.exe 3884 080482.exe 4540 006040.exe 4256 nntntn.exe 4024 062626.exe 3136 282200.exe 3096 vdjdv.exe 988 5lfxxxx.exe 4488 6066004.exe 1548 bnttnn.exe 4220 40222.exe 3584 4844822.exe 3444 284822.exe -
resource yara_rule behavioral2/memory/3868-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4584-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5112-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-856-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6020864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8442042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8842482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0244882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2826.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4842608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3868 wrote to memory of 2284 3868 86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe 83 PID 3868 wrote to memory of 2284 3868 86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe 83 PID 3868 wrote to memory of 2284 3868 86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe 83 PID 2284 wrote to memory of 4564 2284 fllfxrf.exe 84 PID 2284 wrote to memory of 4564 2284 fllfxrf.exe 84 PID 2284 wrote to memory of 4564 2284 fllfxrf.exe 84 PID 4564 wrote to memory of 5064 4564 4000444.exe 85 PID 4564 wrote to memory of 5064 4564 4000444.exe 85 PID 4564 wrote to memory of 5064 4564 4000444.exe 85 PID 5064 wrote to memory of 2140 5064 dppjd.exe 86 PID 5064 wrote to memory of 2140 5064 dppjd.exe 86 PID 5064 wrote to memory of 2140 5064 dppjd.exe 86 PID 2140 wrote to memory of 3600 2140 468604.exe 87 PID 2140 wrote to memory of 3600 2140 468604.exe 87 PID 2140 wrote to memory of 3600 2140 468604.exe 87 PID 3600 wrote to memory of 4484 3600 jdjdv.exe 88 PID 3600 wrote to memory of 4484 3600 jdjdv.exe 88 PID 3600 wrote to memory of 4484 3600 jdjdv.exe 88 PID 4484 wrote to memory of 432 4484 22666.exe 89 PID 4484 wrote to memory of 432 4484 22666.exe 89 PID 4484 wrote to memory of 432 4484 22666.exe 89 PID 432 wrote to memory of 2864 432 i682222.exe 90 PID 432 wrote to memory of 2864 432 i682222.exe 90 PID 432 wrote to memory of 2864 432 i682222.exe 90 PID 2864 wrote to memory of 3168 2864 0422022.exe 91 PID 2864 wrote to memory of 3168 2864 0422022.exe 91 PID 2864 wrote to memory of 3168 2864 0422022.exe 91 PID 3168 wrote to memory of 4048 3168 02444.exe 92 PID 3168 wrote to memory of 4048 3168 02444.exe 92 PID 3168 wrote to memory of 4048 3168 02444.exe 92 PID 4048 wrote to memory of 4944 4048 bhhtnh.exe 93 PID 4048 wrote to memory of 4944 4048 bhhtnh.exe 93 PID 4048 wrote to memory of 4944 4048 bhhtnh.exe 93 PID 4944 wrote to memory of 4824 4944 68448.exe 94 PID 4944 wrote to memory of 
4824 4944 68448.exe 94 PID 4944 wrote to memory of 4824 4944 68448.exe 94 PID 4824 wrote to memory of 1856 4824 hhhbhh.exe 95 PID 4824 wrote to memory of 1856 4824 hhhbhh.exe 95 PID 4824 wrote to memory of 1856 4824 hhhbhh.exe 95 PID 1856 wrote to memory of 2616 1856 a8426.exe 96 PID 1856 wrote to memory of 2616 1856 a8426.exe 96 PID 1856 wrote to memory of 2616 1856 a8426.exe 96 PID 2616 wrote to memory of 3796 2616 ffxrfxr.exe 97 PID 2616 wrote to memory of 3796 2616 ffxrfxr.exe 97 PID 2616 wrote to memory of 3796 2616 ffxrfxr.exe 97 PID 3796 wrote to memory of 3940 3796 640860.exe 98 PID 3796 wrote to memory of 3940 3796 640860.exe 98 PID 3796 wrote to memory of 3940 3796 640860.exe 98 PID 3940 wrote to memory of 1368 3940 864264.exe 99 PID 3940 wrote to memory of 1368 3940 864264.exe 99 PID 3940 wrote to memory of 1368 3940 864264.exe 99 PID 1368 wrote to memory of 1044 1368 lfxfxrx.exe 100 PID 1368 wrote to memory of 1044 1368 lfxfxrx.exe 100 PID 1368 wrote to memory of 1044 1368 lfxfxrx.exe 100 PID 1044 wrote to memory of 3656 1044 1vpdp.exe 101 PID 1044 wrote to memory of 3656 1044 1vpdp.exe 101 PID 1044 wrote to memory of 3656 1044 1vpdp.exe 101 PID 3656 wrote to memory of 4372 3656 4288484.exe 102 PID 3656 wrote to memory of 4372 3656 4288484.exe 102 PID 3656 wrote to memory of 4372 3656 4288484.exe 102 PID 4372 wrote to memory of 3780 4372 llllxlx.exe 103 PID 4372 wrote to memory of 3780 4372 llllxlx.exe 103 PID 4372 wrote to memory of 3780 4372 llllxlx.exe 103 PID 3780 wrote to memory of 4236 3780 6466864.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe"C:\Users\Admin\AppData\Local\Temp\86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\fllfxrf.exec:\fllfxrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\4000444.exec:\4000444.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\dppjd.exec:\dppjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\468604.exec:\468604.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\jdjdv.exec:\jdjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\22666.exec:\22666.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\i682222.exec:\i682222.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\0422022.exec:\0422022.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\02444.exec:\02444.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\bhhtnh.exec:\bhhtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\68448.exec:\68448.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\hhhbhh.exec:\hhhbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\a8426.exec:\a8426.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\ffxrfxr.exec:\ffxrfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\640860.exec:\640860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\864264.exec:\864264.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\lfxfxrx.exec:\lfxfxrx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\1vpdp.exec:\1vpdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\4288484.exec:\4288484.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\llllxlx.exec:\llllxlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\6466864.exec:\6466864.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\84086.exec:\84086.exe23⤵
- Executes dropped EXE
PID:4236 -
\??\c:\htbtht.exec:\htbtht.exe24⤵
- Executes dropped EXE
PID:4836 -
\??\c:\ttbhnh.exec:\ttbhnh.exe25⤵
- Executes dropped EXE
PID:4960 -
\??\c:\24484.exec:\24484.exe26⤵
- Executes dropped EXE
PID:4308 -
\??\c:\0068864.exec:\0068864.exe27⤵
- Executes dropped EXE
PID:4448 -
\??\c:\rffrfxl.exec:\rffrfxl.exe28⤵
- Executes dropped EXE
PID:1064 -
\??\c:\20622.exec:\20622.exe29⤵
- Executes dropped EXE
PID:4584 -
\??\c:\jvddp.exec:\jvddp.exe30⤵
- Executes dropped EXE
PID:968 -
\??\c:\nnbhth.exec:\nnbhth.exe31⤵
- Executes dropped EXE
PID:1000 -
\??\c:\808660.exec:\808660.exe32⤵
- Executes dropped EXE
PID:3388 -
\??\c:\42644.exec:\42644.exe33⤵
- Executes dropped EXE
PID:1804 -
\??\c:\c004248.exec:\c004248.exe34⤵
- Executes dropped EXE
PID:3428 -
\??\c:\8622204.exec:\8622204.exe35⤵
- Executes dropped EXE
PID:2984 -
\??\c:\frfrlxr.exec:\frfrlxr.exe36⤵
- Executes dropped EXE
PID:4700 -
\??\c:\g4464.exec:\g4464.exe37⤵
- Executes dropped EXE
PID:2476 -
\??\c:\08442.exec:\08442.exe38⤵
- Executes dropped EXE
PID:2336 -
\??\c:\bnnnnh.exec:\bnnnnh.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\thhbtt.exec:\thhbtt.exe40⤵
- Executes dropped EXE
PID:4508 -
\??\c:\00642.exec:\00642.exe41⤵
- Executes dropped EXE
PID:1712 -
\??\c:\jjdpp.exec:\jjdpp.exe42⤵
- Executes dropped EXE
PID:1852 -
\??\c:\ntnbth.exec:\ntnbth.exe43⤵
- Executes dropped EXE
PID:752 -
\??\c:\44828.exec:\44828.exe44⤵
- Executes dropped EXE
PID:4880 -
\??\c:\4824208.exec:\4824208.exe45⤵
- Executes dropped EXE
PID:3100 -
\??\c:\862448.exec:\862448.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\bnnthb.exec:\bnnthb.exe47⤵
- Executes dropped EXE
PID:4444 -
\??\c:\vppvj.exec:\vppvj.exe48⤵
- Executes dropped EXE
PID:4704 -
\??\c:\bnhhth.exec:\bnhhth.exe49⤵
- Executes dropped EXE
PID:1048 -
\??\c:\bhthnh.exec:\bhthnh.exe50⤵
- Executes dropped EXE
PID:872 -
\??\c:\5vpjv.exec:\5vpjv.exe51⤵
- Executes dropped EXE
PID:1948 -
\??\c:\hbttbb.exec:\hbttbb.exe52⤵
- Executes dropped EXE
PID:3092 -
\??\c:\044868.exec:\044868.exe53⤵
- Executes dropped EXE
PID:5064 -
\??\c:\080482.exec:\080482.exe54⤵
- Executes dropped EXE
PID:3884 -
\??\c:\006040.exec:\006040.exe55⤵
- Executes dropped EXE
PID:4540 -
\??\c:\nntntn.exec:\nntntn.exe56⤵
- Executes dropped EXE
PID:4256 -
\??\c:\062626.exec:\062626.exe57⤵
- Executes dropped EXE
PID:4024 -
\??\c:\282200.exec:\282200.exe58⤵
- Executes dropped EXE
PID:3136 -
\??\c:\vdjdv.exec:\vdjdv.exe59⤵
- Executes dropped EXE
PID:3096 -
\??\c:\5lfxxxx.exec:\5lfxxxx.exe60⤵
- Executes dropped EXE
PID:988 -
\??\c:\6066004.exec:\6066004.exe61⤵
- Executes dropped EXE
PID:4488 -
\??\c:\bnttnn.exec:\bnttnn.exe62⤵
- Executes dropped EXE
PID:1548 -
\??\c:\40222.exec:\40222.exe63⤵
- Executes dropped EXE
PID:4220 -
\??\c:\4844822.exec:\4844822.exe64⤵
- Executes dropped EXE
PID:3584 -
\??\c:\284822.exec:\284822.exe65⤵
- Executes dropped EXE
PID:3444 -
\??\c:\6000882.exec:\6000882.exe66⤵PID:5000
-
\??\c:\vppjj.exec:\vppjj.exe67⤵PID:3088
-
\??\c:\1nhthh.exec:\1nhthh.exe68⤵PID:4264
-
\??\c:\7lllfxx.exec:\7lllfxx.exe69⤵PID:2412
-
\??\c:\s2882.exec:\s2882.exe70⤵PID:5108
-
\??\c:\nbtttn.exec:\nbtttn.exe71⤵PID:2444
-
\??\c:\i404882.exec:\i404882.exe72⤵PID:2304
-
\??\c:\4866626.exec:\4866626.exe73⤵PID:2156
-
\??\c:\8804260.exec:\8804260.exe74⤵PID:788
-
\??\c:\xxrrxrx.exec:\xxrrxrx.exe75⤵PID:3656
-
\??\c:\dvvpp.exec:\dvvpp.exe76⤵PID:4528
-
\??\c:\3jvjd.exec:\3jvjd.exe77⤵PID:5020
-
\??\c:\0020448.exec:\0020448.exe78⤵PID:4556
-
\??\c:\4282002.exec:\4282002.exe79⤵PID:5040
-
\??\c:\thtnnt.exec:\thtnnt.exe80⤵PID:2320
-
\??\c:\nbbttt.exec:\nbbttt.exe81⤵PID:2424
-
\??\c:\tthtnn.exec:\tthtnn.exe82⤵PID:4960
-
\??\c:\s2860.exec:\s2860.exe83⤵
- System Location Discovery: System Language Discovery
PID:3460 -
\??\c:\66226.exec:\66226.exe84⤵PID:100
-
\??\c:\g0266.exec:\g0266.exe85⤵PID:4448
-
\??\c:\a8640.exec:\a8640.exe86⤵PID:4848
-
\??\c:\0208248.exec:\0208248.exe87⤵PID:768
-
\??\c:\062266.exec:\062266.exe88⤵PID:1676
-
\??\c:\nbnhtt.exec:\nbnhtt.exe89⤵PID:2808
-
\??\c:\7btnnn.exec:\7btnnn.exe90⤵PID:4976
-
\??\c:\26084.exec:\26084.exe91⤵PID:3280
-
\??\c:\c408820.exec:\c408820.exe92⤵PID:1776
-
\??\c:\7xxrlfx.exec:\7xxrlfx.exe93⤵PID:1716
-
\??\c:\9rxrxrx.exec:\9rxrxrx.exe94⤵PID:3308
-
\??\c:\2044826.exec:\2044826.exe95⤵PID:1652
-
\??\c:\rffxrrl.exec:\rffxrrl.exe96⤵PID:5112
-
\??\c:\k62282.exec:\k62282.exe97⤵PID:1860
-
\??\c:\62822.exec:\62822.exe98⤵PID:5016
-
\??\c:\xlrlllr.exec:\xlrlllr.exe99⤵PID:4560
-
\??\c:\hnnhbb.exec:\hnnhbb.exe100⤵PID:880
-
\??\c:\jjjvp.exec:\jjjvp.exe101⤵PID:2040
-
\??\c:\446088.exec:\446088.exe102⤵PID:1372
-
\??\c:\6000880.exec:\6000880.exe103⤵PID:4908
-
\??\c:\frxxlll.exec:\frxxlll.exe104⤵PID:4864
-
\??\c:\0408860.exec:\0408860.exe105⤵PID:1388
-
\??\c:\dvvpp.exec:\dvvpp.exe106⤵PID:3412
-
\??\c:\5bnnhh.exec:\5bnnhh.exe107⤵PID:2284
-
\??\c:\686488.exec:\686488.exe108⤵PID:3908
-
\??\c:\fxxrffx.exec:\fxxrffx.exe109⤵PID:2640
-
\??\c:\lflfffl.exec:\lflfffl.exe110⤵PID:1844
-
\??\c:\dvdvd.exec:\dvdvd.exe111⤵PID:3356
-
\??\c:\82000.exec:\82000.exe112⤵PID:4736
-
\??\c:\xrfxrlx.exec:\xrfxrlx.exe113⤵PID:3788
-
\??\c:\m2404.exec:\m2404.exe114⤵PID:3600
-
\??\c:\22808.exec:\22808.exe115⤵PID:2780
-
\??\c:\0882824.exec:\0882824.exe116⤵PID:2052
-
\??\c:\xflxrrr.exec:\xflxrrr.exe117⤵PID:3136
-
\??\c:\ddjdv.exec:\ddjdv.exe118⤵PID:1924
-
\??\c:\thnbtt.exec:\thnbtt.exe119⤵PID:4104
-
\??\c:\048822.exec:\048822.exe120⤵PID:4220
-
\??\c:\pjddv.exec:\pjddv.exe121⤵PID:3596
-
\??\c:\llrlfff.exec:\llrlfff.exe122⤵
- System Location Discovery: System Language Discovery
PID:2616