Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 00:46
Behavioral task
behavioral1
Sample
83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f.exe
-
Size
254KB
-
MD5
fc060d217850a4df874b74629b60b0b8
-
SHA1
b18be5a044eae2aa6f25936952473d0a67ad7bfd
-
SHA256
83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f
-
SHA512
749a2c23aaf5c29cd2546558652c5895667ef18080328473522f476dc9b42a43e4ed292b2afd509449a00e0024d476146dee3a8547c3d6d95fe946a38e99427d
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOaKHpolTjZXvEQo9dfBP/f:y4wFHoS3eFaKHpKT9XvEhdfBP/f
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3836-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1488-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2924-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/548-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1072-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2456-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/752-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/556-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/860-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3096-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3412-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/996-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/832-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-565-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/324-611-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-615-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-697-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-725-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-763-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-883-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-893-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-1237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4864-1280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1488 llfxflx.exe 1880 ppjvj.exe 1392 3xxxrrf.exe 2860 ppvjj.exe 3448 flrxrrl.exe 3488 hnnhbn.exe 1248 pddvd.exe 4800 hhnbnh.exe 8 jpjdv.exe 4600 flxlfxr.exe 3084 vvjjj.exe 3608 5xrfrxr.exe 1372 hthnnn.exe 4204 lffxrrf.exe 3952 hhhhbb.exe 3436 rlxrrlx.exe 908 bttnnh.exe 2132 dvdvd.exe 5072 5flffff.exe 1628 lrrfxrf.exe 2296 btnnhb.exe 2684 7pppd.exe 2924 lrfxrxx.exe 548 nnnhtt.exe 3500 1bbnhh.exe 4928 5ffxrll.exe 4264 thbttn.exe 4284 dpvjj.exe 880 xlxrrrr.exe 1072 nhhbbt.exe 1636 vpvpp.exe 4340 jdjjp.exe 4448 lffxxxx.exe 4632 hnnhbt.exe 1832 dvpjd.exe 2456 jpppd.exe 2180 fllffxx.exe 1396 bnhbtn.exe 752 jjdvp.exe 2220 9btnbb.exe 3404 hbhbth.exe 1992 fxfxlfr.exe 712 nbnntt.exe 4856 httttt.exe 1884 vvvpp.exe 3128 rfllllr.exe 680 thhhbb.exe 1088 jddvp.exe 2204 rflfflf.exe 2976 3htthh.exe 388 dvvpp.exe 3836 lrrxrrl.exe 1584 fxxxrxr.exe 1572 1bhbhh.exe 3604 dvpjv.exe 1360 lxlfxrr.exe 2860 lrfxfff.exe 2164 tbbnbh.exe 4940 jddvj.exe 4864 rffrllf.exe 556 fxrfxrx.exe 1964 hbnnhh.exe 4312 dpvpd.exe 4408 fffrlrr.exe -
resource yara_rule behavioral2/memory/3836-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c9a-3.dat upx behavioral2/memory/1488-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3836-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-14.dat upx behavioral2/files/0x0008000000023c9e-13.dat upx behavioral2/memory/1880-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1488-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-23.dat upx behavioral2/memory/1392-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2860-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-27.dat upx behavioral2/files/0x0007000000023ca6-32.dat upx behavioral2/memory/3448-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-38.dat upx behavioral2/memory/3488-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-43.dat upx behavioral2/memory/1248-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-52.dat upx behavioral2/memory/4800-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-56.dat upx behavioral2/memory/4600-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/8-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-62.dat upx behavioral2/memory/4600-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-68.dat upx behavioral2/memory/3084-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-74.dat upx behavioral2/memory/3608-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-82.dat upx 
behavioral2/memory/1372-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4204-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-88.dat upx behavioral2/memory/3952-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-94.dat upx behavioral2/files/0x0007000000023cb1-98.dat upx behavioral2/memory/3436-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-105.dat upx behavioral2/files/0x0007000000023cb3-110.dat upx behavioral2/files/0x0007000000023cb4-115.dat upx behavioral2/memory/5072-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-122.dat upx behavioral2/memory/1628-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-126.dat upx behavioral2/memory/2296-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-132.dat upx behavioral2/files/0x0007000000023cb8-137.dat upx behavioral2/memory/2924-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-143.dat upx behavioral2/memory/548-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3500-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-151.dat upx behavioral2/files/0x0007000000023cbb-156.dat upx behavioral2/files/0x0007000000023cbc-161.dat upx behavioral2/files/0x0007000000023cbd-166.dat upx behavioral2/files/0x0007000000023cbe-169.dat upx behavioral2/files/0x0007000000023cbf-175.dat upx behavioral2/files/0x0007000000023cc0-181.dat upx behavioral2/memory/1072-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4448-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-194-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1832-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2456-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/752-212-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3836 wrote to memory of 1488 3836 83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f.exe 83 PID 3836 wrote to memory of 1488 3836 83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f.exe 83 PID 3836 wrote to memory of 1488 3836 83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f.exe 83 PID 1488 wrote to memory of 1880 1488 llfxflx.exe 84 PID 1488 wrote to memory of 1880 1488 llfxflx.exe 84 PID 1488 wrote to memory of 1880 1488 llfxflx.exe 84 PID 1880 wrote to memory of 1392 1880 ppjvj.exe 85 PID 1880 wrote to memory of 1392 1880 ppjvj.exe 85 PID 1880 wrote to memory of 1392 1880 ppjvj.exe 85 PID 1392 wrote to memory of 2860 1392 3xxxrrf.exe 86 PID 1392 wrote to memory of 2860 1392 3xxxrrf.exe 86 PID 1392 wrote to memory of 2860 1392 3xxxrrf.exe 86 PID 2860 wrote to memory of 3448 2860 ppvjj.exe 87 PID 2860 wrote to memory of 3448 2860 ppvjj.exe 87 PID 2860 wrote to memory of 3448 2860 ppvjj.exe 87 PID 3448 wrote to memory of 3488 3448 flrxrrl.exe 88 PID 3448 wrote to memory of 3488 3448 flrxrrl.exe 88 PID 3448 wrote to memory of 3488 3448 flrxrrl.exe 88 PID 3488 wrote to memory of 1248 3488 hnnhbn.exe 89 PID 3488 wrote to memory of 1248 3488 hnnhbn.exe 89 PID 3488 wrote to memory of 1248 3488 hnnhbn.exe 89 PID 1248 wrote to memory of 4800 1248 pddvd.exe 90 PID 1248 wrote to memory of 4800 1248 pddvd.exe 90 PID 1248 wrote to memory of 4800 1248 pddvd.exe 90 PID 4800 wrote to memory of 8 4800 hhnbnh.exe 91 PID 4800 wrote to memory of 8 4800 hhnbnh.exe 91 PID 4800 wrote to memory of 8 4800 hhnbnh.exe 91 PID 8 wrote to memory of 4600 8 jpjdv.exe 92 PID 8 wrote to memory of 4600 8 jpjdv.exe 92 PID 8 wrote to memory of 4600 8 jpjdv.exe 92 PID 4600 wrote to memory of 3084 4600 flxlfxr.exe 93 PID 4600 wrote to memory of 3084 4600 flxlfxr.exe 93 PID 4600 wrote to memory of 3084 4600 flxlfxr.exe 93 PID 3084 wrote to memory of 3608 3084 vvjjj.exe 94 PID 3084 wrote to memory of 3608 3084 vvjjj.exe 
94 PID 3084 wrote to memory of 3608 3084 vvjjj.exe 94 PID 3608 wrote to memory of 1372 3608 5xrfrxr.exe 95 PID 3608 wrote to memory of 1372 3608 5xrfrxr.exe 95 PID 3608 wrote to memory of 1372 3608 5xrfrxr.exe 95 PID 1372 wrote to memory of 4204 1372 hthnnn.exe 96 PID 1372 wrote to memory of 4204 1372 hthnnn.exe 96 PID 1372 wrote to memory of 4204 1372 hthnnn.exe 96 PID 4204 wrote to memory of 3952 4204 lffxrrf.exe 97 PID 4204 wrote to memory of 3952 4204 lffxrrf.exe 97 PID 4204 wrote to memory of 3952 4204 lffxrrf.exe 97 PID 3952 wrote to memory of 3436 3952 hhhhbb.exe 98 PID 3952 wrote to memory of 3436 3952 hhhhbb.exe 98 PID 3952 wrote to memory of 3436 3952 hhhhbb.exe 98 PID 3436 wrote to memory of 908 3436 rlxrrlx.exe 99 PID 3436 wrote to memory of 908 3436 rlxrrlx.exe 99 PID 3436 wrote to memory of 908 3436 rlxrrlx.exe 99 PID 908 wrote to memory of 2132 908 bttnnh.exe 100 PID 908 wrote to memory of 2132 908 bttnnh.exe 100 PID 908 wrote to memory of 2132 908 bttnnh.exe 100 PID 2132 wrote to memory of 5072 2132 dvdvd.exe 101 PID 2132 wrote to memory of 5072 2132 dvdvd.exe 101 PID 2132 wrote to memory of 5072 2132 dvdvd.exe 101 PID 5072 wrote to memory of 1628 5072 5flffff.exe 102 PID 5072 wrote to memory of 1628 5072 5flffff.exe 102 PID 5072 wrote to memory of 1628 5072 5flffff.exe 102 PID 1628 wrote to memory of 2296 1628 lrrfxrf.exe 103 PID 1628 wrote to memory of 2296 1628 lrrfxrf.exe 103 PID 1628 wrote to memory of 2296 1628 lrrfxrf.exe 103 PID 2296 wrote to memory of 2684 2296 btnnhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f.exe"C:\Users\Admin\AppData\Local\Temp\83b891b92deb2ce659083bdf939a47004344c6bd3973fc40777681711c22054f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\llfxflx.exec:\llfxflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\ppjvj.exec:\ppjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\3xxxrrf.exec:\3xxxrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\ppvjj.exec:\ppvjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\flrxrrl.exec:\flrxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\hnnhbn.exec:\hnnhbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\pddvd.exec:\pddvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\hhnbnh.exec:\hhnbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\jpjdv.exec:\jpjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\flxlfxr.exec:\flxlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\vvjjj.exec:\vvjjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\5xrfrxr.exec:\5xrfrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\hthnnn.exec:\hthnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\lffxrrf.exec:\lffxrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\hhhhbb.exec:\hhhhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\rlxrrlx.exec:\rlxrrlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\bttnnh.exec:\bttnnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
\??\c:\dvdvd.exec:\dvdvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\5flffff.exec:\5flffff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\lrrfxrf.exec:\lrrfxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\btnnhb.exec:\btnnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\7pppd.exec:\7pppd.exe23⤵
- Executes dropped EXE
PID:2684 -
\??\c:\lrfxrxx.exec:\lrfxrxx.exe24⤵
- Executes dropped EXE
PID:2924 -
\??\c:\nnnhtt.exec:\nnnhtt.exe25⤵
- Executes dropped EXE
PID:548 -
\??\c:\1bbnhh.exec:\1bbnhh.exe26⤵
- Executes dropped EXE
PID:3500 -
\??\c:\5ffxrll.exec:\5ffxrll.exe27⤵
- Executes dropped EXE
PID:4928 -
\??\c:\thbttn.exec:\thbttn.exe28⤵
- Executes dropped EXE
PID:4264 -
\??\c:\dpvjj.exec:\dpvjj.exe29⤵
- Executes dropped EXE
PID:4284 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe30⤵
- Executes dropped EXE
PID:880 -
\??\c:\nhhbbt.exec:\nhhbbt.exe31⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vpvpp.exec:\vpvpp.exe32⤵
- Executes dropped EXE
PID:1636 -
\??\c:\jdjjp.exec:\jdjjp.exe33⤵
- Executes dropped EXE
PID:4340 -
\??\c:\lffxxxx.exec:\lffxxxx.exe34⤵
- Executes dropped EXE
PID:4448 -
\??\c:\hnnhbt.exec:\hnnhbt.exe35⤵
- Executes dropped EXE
PID:4632 -
\??\c:\dvpjd.exec:\dvpjd.exe36⤵
- Executes dropped EXE
PID:1832 -
\??\c:\jpppd.exec:\jpppd.exe37⤵
- Executes dropped EXE
PID:2456 -
\??\c:\fllffxx.exec:\fllffxx.exe38⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bnhbtn.exec:\bnhbtn.exe39⤵
- Executes dropped EXE
PID:1396 -
\??\c:\jjdvp.exec:\jjdvp.exe40⤵
- Executes dropped EXE
PID:752 -
\??\c:\9btnbb.exec:\9btnbb.exe41⤵
- Executes dropped EXE
PID:2220 -
\??\c:\hbhbth.exec:\hbhbth.exe42⤵
- Executes dropped EXE
PID:3404 -
\??\c:\fxfxlfr.exec:\fxfxlfr.exe43⤵
- Executes dropped EXE
PID:1992 -
\??\c:\nbnntt.exec:\nbnntt.exe44⤵
- Executes dropped EXE
PID:712 -
\??\c:\httttt.exec:\httttt.exe45⤵
- Executes dropped EXE
PID:4856 -
\??\c:\vvvpp.exec:\vvvpp.exe46⤵
- Executes dropped EXE
PID:1884 -
\??\c:\rfllllr.exec:\rfllllr.exe47⤵
- Executes dropped EXE
PID:3128 -
\??\c:\thhhbb.exec:\thhhbb.exe48⤵
- Executes dropped EXE
PID:680 -
\??\c:\jddvp.exec:\jddvp.exe49⤵
- Executes dropped EXE
PID:1088 -
\??\c:\rflfflf.exec:\rflfflf.exe50⤵
- Executes dropped EXE
PID:2204 -
\??\c:\3htthh.exec:\3htthh.exe51⤵
- Executes dropped EXE
PID:2976 -
\??\c:\dvvpp.exec:\dvvpp.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:388 -
\??\c:\lrrxrrl.exec:\lrrxrrl.exe53⤵
- Executes dropped EXE
PID:3836 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe54⤵
- Executes dropped EXE
PID:1584 -
\??\c:\1bhbhh.exec:\1bhbhh.exe55⤵
- Executes dropped EXE
PID:1572 -
\??\c:\dvpjv.exec:\dvpjv.exe56⤵
- Executes dropped EXE
PID:3604 -
\??\c:\lxlfxrr.exec:\lxlfxrr.exe57⤵
- Executes dropped EXE
PID:1360 -
\??\c:\lrfxfff.exec:\lrfxfff.exe58⤵
- Executes dropped EXE
PID:2860 -
\??\c:\tbbnbh.exec:\tbbnbh.exe59⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jddvj.exec:\jddvj.exe60⤵
- Executes dropped EXE
PID:4940 -
\??\c:\rffrllf.exec:\rffrllf.exe61⤵
- Executes dropped EXE
PID:4864 -
\??\c:\fxrfxrx.exec:\fxrfxrx.exe62⤵
- Executes dropped EXE
PID:556 -
\??\c:\hbnnhh.exec:\hbnnhh.exe63⤵
- Executes dropped EXE
PID:1964 -
\??\c:\dpvpd.exec:\dpvpd.exe64⤵
- Executes dropped EXE
PID:4312 -
\??\c:\fffrlrr.exec:\fffrlrr.exe65⤵
- Executes dropped EXE
PID:4408 -
\??\c:\xrffxlr.exec:\xrffxlr.exe66⤵PID:1432
-
\??\c:\nhtbtn.exec:\nhtbtn.exe67⤵PID:5116
-
\??\c:\hbbtbb.exec:\hbbtbb.exe68⤵PID:2828
-
\??\c:\djvvp.exec:\djvvp.exe69⤵PID:4252
-
\??\c:\dpvpj.exec:\dpvpj.exe70⤵PID:860
-
\??\c:\frrlffr.exec:\frrlffr.exe71⤵PID:396
-
\??\c:\hbtnhb.exec:\hbtnhb.exe72⤵PID:3096
-
\??\c:\ttttnt.exec:\ttttnt.exe73⤵PID:4204
-
\??\c:\pvppj.exec:\pvppj.exe74⤵PID:3484
-
\??\c:\xxxllfx.exec:\xxxllfx.exe75⤵PID:2740
-
\??\c:\httnnn.exec:\httnnn.exe76⤵PID:4444
-
\??\c:\jpvpd.exec:\jpvpd.exe77⤵PID:3412
-
\??\c:\vvvpj.exec:\vvvpj.exe78⤵PID:2360
-
\??\c:\frlfrlf.exec:\frlfrlf.exe79⤵PID:4592
-
\??\c:\bnnhht.exec:\bnnhht.exe80⤵PID:2852
-
\??\c:\nbhtnh.exec:\nbhtnh.exe81⤵PID:3540
-
\??\c:\dpppj.exec:\dpppj.exe82⤵PID:1436
-
\??\c:\lflfffr.exec:\lflfffr.exe83⤵PID:1180
-
\??\c:\bnntnh.exec:\bnntnh.exe84⤵PID:2236
-
\??\c:\tntnbb.exec:\tntnbb.exe85⤵PID:4972
-
\??\c:\vjpjj.exec:\vjpjj.exe86⤵PID:2172
-
\??\c:\jdvpp.exec:\jdvpp.exe87⤵PID:3500
-
\??\c:\lllfrxr.exec:\lllfrxr.exe88⤵PID:996
-
\??\c:\xrrrrrl.exec:\xrrrrrl.exe89⤵PID:4520
-
\??\c:\bthhbt.exec:\bthhbt.exe90⤵PID:1676
-
\??\c:\1pvvj.exec:\1pvvj.exe91⤵PID:1428
-
\??\c:\llxxxxf.exec:\llxxxxf.exe92⤵PID:4884
-
\??\c:\lfxxrll.exec:\lfxxrll.exe93⤵PID:2984
-
\??\c:\ththbb.exec:\ththbb.exe94⤵PID:1460
-
\??\c:\pdpjj.exec:\pdpjj.exe95⤵PID:1000
-
\??\c:\pjdvv.exec:\pjdvv.exe96⤵PID:2384
-
\??\c:\3frlllr.exec:\3frlllr.exe97⤵PID:2028
-
\??\c:\3nnnnn.exec:\3nnnnn.exe98⤵PID:5052
-
\??\c:\bnhhbb.exec:\bnhhbb.exe99⤵PID:4964
-
\??\c:\pjpjp.exec:\pjpjp.exe100⤵PID:4568
-
\??\c:\lfrlllf.exec:\lfrlllf.exe101⤵PID:3216
-
\??\c:\rrrrrll.exec:\rrrrrll.exe102⤵PID:736
-
\??\c:\nbhhbb.exec:\nbhhbb.exe103⤵PID:2624
-
\??\c:\jvjjd.exec:\jvjjd.exe104⤵PID:2220
-
\??\c:\dvjdp.exec:\dvjdp.exe105⤵PID:3404
-
\??\c:\lfffxxx.exec:\lfffxxx.exe106⤵PID:1992
-
\??\c:\tnttnt.exec:\tnttnt.exe107⤵PID:712
-
\??\c:\bbbttt.exec:\bbbttt.exe108⤵PID:4856
-
\??\c:\dvvpj.exec:\dvvpj.exe109⤵PID:3208
-
\??\c:\jdvpj.exec:\jdvpj.exe110⤵PID:3128
-
\??\c:\lflfxll.exec:\lflfxll.exe111⤵PID:680
-
\??\c:\1bbbtt.exec:\1bbbtt.exe112⤵PID:3696
-
\??\c:\bnbbtt.exec:\bnbbtt.exe113⤵PID:2204
-
\??\c:\vpddv.exec:\vpddv.exe114⤵PID:4376
-
\??\c:\lfxrlll.exec:\lfxrlll.exe115⤵PID:4140
-
\??\c:\bntnnt.exec:\bntnnt.exe116⤵PID:1264
-
\??\c:\nhhhbb.exec:\nhhhbb.exe117⤵PID:1248
-
\??\c:\jjjdd.exec:\jjjdd.exe118⤵PID:1340
-
\??\c:\lllffxx.exec:\lllffxx.exe119⤵PID:464
-
\??\c:\rlrxxfx.exec:\rlrxxfx.exe120⤵PID:820
-
\??\c:\bthbtt.exec:\bthbtt.exe121⤵PID:8
-
\??\c:\pjvvp.exec:\pjvvp.exe122⤵PID:4320