Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27/12/2024, 23:42
Behavioral task
behavioral1
Sample
8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe
-
Size
346KB
-
MD5
a37dedc7860c4cceedefa649775cfe67
-
SHA1
33631b12e89181de4a7bfa827dfdbfa0124661d8
-
SHA256
8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c
-
SHA512
a37a58f097efae5be84398f4346ffb716c0d2f5a913d8b1fefbb8f587311e154e1b896f285914784256ae0d10ed6d6206837115d26630ebb5ae79f80c079c74f
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAk:R4wFHoS3WXZshJX2VGdk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4768-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1784-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3132-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2892-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1368-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/752-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1304-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-462-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-708-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1628 ppjdv.exe 1572 3vpjd.exe 1196 fflrlfr.exe 3516 lfxrrll.exe 4464 nhttbb.exe 1380 dpjdj.exe 2448 vpdvv.exe 3472 btnnhh.exe 1216 pvddv.exe 1540 1hhhhh.exe 4572 jdpjj.exe 1496 dvpjd.exe 1144 1lfffff.exe 4800 1fxrllf.exe 4072 bnthbt.exe 4492 rffrrlr.exe 3276 bbnhnn.exe 4204 ddvdd.exe 4928 htbtbb.exe 4544 pdvpp.exe 1784 7xxrlfx.exe 2896 3hnhhh.exe 4884 dvppj.exe 3132 9jvpp.exe 3728 rllxlff.exe 4472 bthbnn.exe 4060 7xrlxrl.exe 1992 vjjjv.exe 4480 lfxrlfx.exe 2484 ddjvp.exe 4892 ntnhtt.exe 3188 fxlffxx.exe 1900 tthbhb.exe 1192 vvvpd.exe 4568 1nbnbb.exe 776 dpddj.exe 3528 rfrffxr.exe 2544 xlxfxrr.exe 4584 nhhtbb.exe 388 3jpdp.exe 244 vjppj.exe 4788 9fffxxl.exe 2400 1nnbnn.exe 3336 bhnhtt.exe 4052 3pdpj.exe 2204 3rlxllx.exe 228 httthb.exe 4408 thhbnn.exe 2184 3pvjp.exe 1068 fxxlfrx.exe 1628 tbhbtn.exe 4592 1thtnh.exe 8 1dvpd.exe 336 llrrffx.exe 3688 nbthnh.exe 3676 jdpjj.exe 5116 vdjpj.exe 3376 xrfxlxf.exe 1864 hbhhnn.exe 5052 bnttnt.exe 1040 lfrxlrr.exe 1116 5nbtbh.exe 540 tnhbnh.exe 1216 7ddvp.exe -
resource yara_rule behavioral2/memory/4768-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b27-3.dat upx behavioral2/memory/4768-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1628-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-12.dat upx behavioral2/memory/1572-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1572-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b7a-9.dat upx behavioral2/files/0x000a000000023b80-19.dat upx behavioral2/memory/1196-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-23.dat upx behavioral2/memory/3516-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-29.dat upx behavioral2/memory/4464-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-34.dat upx behavioral2/memory/1380-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-39.dat upx behavioral2/memory/2448-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-44.dat upx behavioral2/memory/3472-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-50.dat upx behavioral2/memory/1216-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1540-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-55.dat upx behavioral2/memory/4572-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-61.dat upx behavioral2/files/0x000a000000023b89-65.dat upx behavioral2/memory/1144-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1496-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1144-71-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b8a-70.dat upx behavioral2/files/0x000b000000023b7b-75.dat upx behavioral2/memory/4800-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4072-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-81.dat upx behavioral2/files/0x000a000000023b8d-85.dat upx behavioral2/files/0x000a000000023b8e-91.dat upx behavioral2/memory/4204-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-95.dat upx behavioral2/files/0x000a000000023b90-100.dat upx behavioral2/memory/4928-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-105.dat upx behavioral2/memory/1784-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4544-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4492-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-111.dat upx behavioral2/files/0x000a000000023b93-115.dat upx behavioral2/files/0x000a000000023b94-118.dat upx behavioral2/files/0x000a000000023b95-121.dat upx behavioral2/memory/3132-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-127.dat upx behavioral2/memory/4472-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-132.dat upx behavioral2/files/0x000a000000023b98-136.dat upx behavioral2/files/0x000a000000023b99-141.dat upx behavioral2/memory/1992-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9a-146.dat upx behavioral2/memory/4480-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9b-151.dat upx behavioral2/memory/2484-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9c-155.dat upx behavioral2/memory/3188-159-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1900-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4568-167-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4768 wrote to memory of 1628 4768 8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe 82 PID 4768 wrote to memory of 1628 4768 8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe 82 PID 4768 wrote to memory of 1628 4768 8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe 82 PID 1628 wrote to memory of 1572 1628 ppjdv.exe 83 PID 1628 wrote to memory of 1572 1628 ppjdv.exe 83 PID 1628 wrote to memory of 1572 1628 ppjdv.exe 83 PID 1572 wrote to memory of 1196 1572 3vpjd.exe 84 PID 1572 wrote to memory of 1196 1572 3vpjd.exe 84 PID 1572 wrote to memory of 1196 1572 3vpjd.exe 84 PID 1196 wrote to memory of 3516 1196 fflrlfr.exe 85 PID 1196 wrote to memory of 3516 1196 fflrlfr.exe 85 PID 1196 wrote to memory of 3516 1196 fflrlfr.exe 85 PID 3516 wrote to memory of 4464 3516 lfxrrll.exe 86 PID 3516 wrote to memory of 4464 3516 lfxrrll.exe 86 PID 3516 wrote to memory of 4464 3516 lfxrrll.exe 86 PID 4464 wrote to memory of 1380 4464 nhttbb.exe 87 PID 4464 wrote to memory of 1380 4464 nhttbb.exe 87 PID 4464 wrote to memory of 1380 4464 nhttbb.exe 87 PID 1380 wrote to memory of 2448 1380 dpjdj.exe 88 PID 1380 wrote to memory of 2448 1380 dpjdj.exe 88 PID 1380 wrote to memory of 2448 1380 dpjdj.exe 88 PID 2448 wrote to memory of 3472 2448 vpdvv.exe 89 PID 2448 wrote to memory of 3472 2448 vpdvv.exe 89 PID 2448 wrote to memory of 3472 2448 vpdvv.exe 89 PID 3472 wrote to memory of 1216 3472 btnnhh.exe 90 PID 3472 wrote to memory of 1216 3472 btnnhh.exe 90 PID 3472 wrote to memory of 1216 3472 btnnhh.exe 90 PID 1216 wrote to memory of 1540 1216 pvddv.exe 91 PID 1216 wrote to memory of 1540 1216 pvddv.exe 91 PID 1216 wrote to memory of 1540 1216 pvddv.exe 91 PID 1540 wrote to memory of 4572 1540 1hhhhh.exe 92 PID 1540 wrote to memory of 4572 1540 1hhhhh.exe 92 PID 1540 wrote to memory of 4572 1540 1hhhhh.exe 92 PID 4572 wrote to memory of 1496 4572 jdpjj.exe 93 PID 4572 wrote to memory of 
1496 4572 jdpjj.exe 93 PID 4572 wrote to memory of 1496 4572 jdpjj.exe 93 PID 1496 wrote to memory of 1144 1496 dvpjd.exe 94 PID 1496 wrote to memory of 1144 1496 dvpjd.exe 94 PID 1496 wrote to memory of 1144 1496 dvpjd.exe 94 PID 1144 wrote to memory of 4800 1144 1lfffff.exe 95 PID 1144 wrote to memory of 4800 1144 1lfffff.exe 95 PID 1144 wrote to memory of 4800 1144 1lfffff.exe 95 PID 4800 wrote to memory of 4072 4800 1fxrllf.exe 96 PID 4800 wrote to memory of 4072 4800 1fxrllf.exe 96 PID 4800 wrote to memory of 4072 4800 1fxrllf.exe 96 PID 4072 wrote to memory of 4492 4072 bnthbt.exe 97 PID 4072 wrote to memory of 4492 4072 bnthbt.exe 97 PID 4072 wrote to memory of 4492 4072 bnthbt.exe 97 PID 4492 wrote to memory of 3276 4492 rffrrlr.exe 98 PID 4492 wrote to memory of 3276 4492 rffrrlr.exe 98 PID 4492 wrote to memory of 3276 4492 rffrrlr.exe 98 PID 3276 wrote to memory of 4204 3276 bbnhnn.exe 99 PID 3276 wrote to memory of 4204 3276 bbnhnn.exe 99 PID 3276 wrote to memory of 4204 3276 bbnhnn.exe 99 PID 4204 wrote to memory of 4928 4204 ddvdd.exe 100 PID 4204 wrote to memory of 4928 4204 ddvdd.exe 100 PID 4204 wrote to memory of 4928 4204 ddvdd.exe 100 PID 4928 wrote to memory of 4544 4928 htbtbb.exe 101 PID 4928 wrote to memory of 4544 4928 htbtbb.exe 101 PID 4928 wrote to memory of 4544 4928 htbtbb.exe 101 PID 4544 wrote to memory of 1784 4544 pdvpp.exe 102 PID 4544 wrote to memory of 1784 4544 pdvpp.exe 102 PID 4544 wrote to memory of 1784 4544 pdvpp.exe 102 PID 1784 wrote to memory of 2896 1784 7xxrlfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe"C:\Users\Admin\AppData\Local\Temp\8392ac88015a21050bf9209bcd0bd76711cbaf760632feda57801b323603524c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\ppjdv.exec:\ppjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\3vpjd.exec:\3vpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\fflrlfr.exec:\fflrlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\lfxrrll.exec:\lfxrrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\nhttbb.exec:\nhttbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\dpjdj.exec:\dpjdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\vpdvv.exec:\vpdvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\btnnhh.exec:\btnnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\pvddv.exec:\pvddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\1hhhhh.exec:\1hhhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\jdpjj.exec:\jdpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\dvpjd.exec:\dvpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\1lfffff.exec:\1lfffff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\1fxrllf.exec:\1fxrllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\bnthbt.exec:\bnthbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\rffrrlr.exec:\rffrrlr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\bbnhnn.exec:\bbnhnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\ddvdd.exec:\ddvdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\htbtbb.exec:\htbtbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\pdvpp.exec:\pdvpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\7xxrlfx.exec:\7xxrlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\3hnhhh.exec:\3hnhhh.exe23⤵
- Executes dropped EXE
PID:2896 -
\??\c:\dvppj.exec:\dvppj.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4884 -
\??\c:\9jvpp.exec:\9jvpp.exe25⤵
- Executes dropped EXE
PID:3132 -
\??\c:\rllxlff.exec:\rllxlff.exe26⤵
- Executes dropped EXE
PID:3728 -
\??\c:\bthbnn.exec:\bthbnn.exe27⤵
- Executes dropped EXE
PID:4472 -
\??\c:\7xrlxrl.exec:\7xrlxrl.exe28⤵
- Executes dropped EXE
PID:4060 -
\??\c:\vjjjv.exec:\vjjjv.exe29⤵
- Executes dropped EXE
PID:1992 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe30⤵
- Executes dropped EXE
PID:4480 -
\??\c:\ddjvp.exec:\ddjvp.exe31⤵
- Executes dropped EXE
PID:2484 -
\??\c:\ntnhtt.exec:\ntnhtt.exe32⤵
- Executes dropped EXE
PID:4892 -
\??\c:\fxlffxx.exec:\fxlffxx.exe33⤵
- Executes dropped EXE
PID:3188 -
\??\c:\tthbhb.exec:\tthbhb.exe34⤵
- Executes dropped EXE
PID:1900 -
\??\c:\vvvpd.exec:\vvvpd.exe35⤵
- Executes dropped EXE
PID:1192 -
\??\c:\1nbnbb.exec:\1nbnbb.exe36⤵
- Executes dropped EXE
PID:4568 -
\??\c:\dpddj.exec:\dpddj.exe37⤵
- Executes dropped EXE
PID:776 -
\??\c:\rfrffxr.exec:\rfrffxr.exe38⤵
- Executes dropped EXE
PID:3528 -
\??\c:\xlxfxrr.exec:\xlxfxrr.exe39⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nhhtbb.exec:\nhhtbb.exe40⤵
- Executes dropped EXE
PID:4584 -
\??\c:\3jpdp.exec:\3jpdp.exe41⤵
- Executes dropped EXE
PID:388 -
\??\c:\vjppj.exec:\vjppj.exe42⤵
- Executes dropped EXE
PID:244 -
\??\c:\9fffxxl.exec:\9fffxxl.exe43⤵
- Executes dropped EXE
PID:4788 -
\??\c:\1nnbnn.exec:\1nnbnn.exe44⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bhnhtt.exec:\bhnhtt.exe45⤵
- Executes dropped EXE
PID:3336 -
\??\c:\3pdpj.exec:\3pdpj.exe46⤵
- Executes dropped EXE
PID:4052 -
\??\c:\3rlxllx.exec:\3rlxllx.exe47⤵
- Executes dropped EXE
PID:2204 -
\??\c:\httthb.exec:\httthb.exe48⤵
- Executes dropped EXE
PID:228 -
\??\c:\thhbnn.exec:\thhbnn.exe49⤵
- Executes dropped EXE
PID:4408 -
\??\c:\3pvjp.exec:\3pvjp.exe50⤵
- Executes dropped EXE
PID:2184 -
\??\c:\fxxlfrx.exec:\fxxlfrx.exe51⤵
- Executes dropped EXE
PID:1068 -
\??\c:\tbhbtn.exec:\tbhbtn.exe52⤵
- Executes dropped EXE
PID:1628 -
\??\c:\1thtnh.exec:\1thtnh.exe53⤵
- Executes dropped EXE
PID:4592 -
\??\c:\1dvpd.exec:\1dvpd.exe54⤵
- Executes dropped EXE
PID:8 -
\??\c:\llrrffx.exec:\llrrffx.exe55⤵
- Executes dropped EXE
PID:336 -
\??\c:\nbthnh.exec:\nbthnh.exe56⤵
- Executes dropped EXE
PID:3688 -
\??\c:\jdpjj.exec:\jdpjj.exe57⤵
- Executes dropped EXE
PID:3676 -
\??\c:\vdjpj.exec:\vdjpj.exe58⤵
- Executes dropped EXE
PID:5116 -
\??\c:\xrfxlxf.exec:\xrfxlxf.exe59⤵
- Executes dropped EXE
PID:3376 -
\??\c:\hbhhnn.exec:\hbhhnn.exe60⤵
- Executes dropped EXE
PID:1864 -
\??\c:\bnttnt.exec:\bnttnt.exe61⤵
- Executes dropped EXE
PID:5052 -
\??\c:\lfrxlrr.exec:\lfrxlrr.exe62⤵
- Executes dropped EXE
PID:1040 -
\??\c:\5nbtbh.exec:\5nbtbh.exe63⤵
- Executes dropped EXE
PID:1116 -
\??\c:\tnhbnh.exec:\tnhbnh.exe64⤵
- Executes dropped EXE
PID:540 -
\??\c:\7ddvp.exec:\7ddvp.exe65⤵
- Executes dropped EXE
PID:1216 -
\??\c:\rlxlfxf.exec:\rlxlfxf.exe66⤵PID:1540
-
\??\c:\nhnhnn.exec:\nhnhnn.exe67⤵PID:2924
-
\??\c:\jpvjv.exec:\jpvjv.exe68⤵PID:1496
-
\??\c:\3jjdp.exec:\3jjdp.exe69⤵PID:4156
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe70⤵PID:4032
-
\??\c:\hhhbtt.exec:\hhhbtt.exe71⤵PID:1144
-
\??\c:\5vvvp.exec:\5vvvp.exe72⤵PID:4632
-
\??\c:\djppd.exec:\djppd.exe73⤵PID:1656
-
\??\c:\xrfxxlf.exec:\xrfxxlf.exe74⤵PID:4980
-
\??\c:\hththb.exec:\hththb.exe75⤵PID:632
-
\??\c:\vpjdp.exec:\vpjdp.exe76⤵PID:3068
-
\??\c:\1ffxllx.exec:\1ffxllx.exe77⤵PID:3276
-
\??\c:\lflxrlx.exec:\lflxrlx.exe78⤵PID:3080
-
\??\c:\bhhtnh.exec:\bhhtnh.exe79⤵PID:2892
-
\??\c:\pjpdv.exec:\pjpdv.exe80⤵PID:4500
-
\??\c:\7pdvv.exec:\7pdvv.exe81⤵PID:4128
-
\??\c:\lflfxxr.exec:\lflfxxr.exe82⤵PID:3252
-
\??\c:\bbbhhb.exec:\bbbhhb.exe83⤵PID:4792
-
\??\c:\9dvpd.exec:\9dvpd.exe84⤵PID:2372
-
\??\c:\xllffxr.exec:\xllffxr.exe85⤵PID:1368
-
\??\c:\bnthbt.exec:\bnthbt.exe86⤵PID:4884
-
\??\c:\btbtnn.exec:\btbtnn.exe87⤵PID:3132
-
\??\c:\5pjpj.exec:\5pjpj.exe88⤵PID:2876
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe89⤵PID:2988
-
\??\c:\lffxlfr.exec:\lffxlfr.exe90⤵PID:3512
-
\??\c:\hnbhht.exec:\hnbhht.exe91⤵PID:3404
-
\??\c:\dppdv.exec:\dppdv.exe92⤵PID:5004
-
\??\c:\rxfxrll.exec:\rxfxrll.exe93⤵PID:2408
-
\??\c:\3xfxllf.exec:\3xfxllf.exe94⤵PID:752
-
\??\c:\httnhb.exec:\httnhb.exe95⤵PID:1780
-
\??\c:\dvdvj.exec:\dvdvj.exe96⤵PID:2444
-
\??\c:\llxrlfl.exec:\llxrlfl.exe97⤵PID:4652
-
\??\c:\7llfrlf.exec:\7llfrlf.exe98⤵PID:1816
-
\??\c:\hhbnbt.exec:\hhbnbt.exe99⤵PID:3188
-
\??\c:\3vdpp.exec:\3vdpp.exe100⤵PID:4108
-
\??\c:\dpvjj.exec:\dpvjj.exe101⤵PID:2468
-
\??\c:\5ffrfxl.exec:\5ffrfxl.exe102⤵PID:3264
-
\??\c:\nbnntn.exec:\nbnntn.exe103⤵PID:3584
-
\??\c:\pjppp.exec:\pjppp.exe104⤵PID:4568
-
\??\c:\lxllxxr.exec:\lxllxxr.exe105⤵PID:4616
-
\??\c:\7fxlrlx.exec:\7fxlrlx.exe106⤵PID:4824
-
\??\c:\tnnbnh.exec:\tnnbnh.exe107⤵PID:3712
-
\??\c:\3tnhbb.exec:\3tnhbb.exe108⤵PID:4004
-
\??\c:\jdvjd.exec:\jdvjd.exe109⤵PID:100
-
\??\c:\9dpdv.exec:\9dpdv.exe110⤵PID:4656
-
\??\c:\xflxrll.exec:\xflxrll.exe111⤵PID:4068
-
\??\c:\3bbttn.exec:\3bbttn.exe112⤵PID:2580
-
\??\c:\vvpjp.exec:\vvpjp.exe113⤵PID:4152
-
\??\c:\vjdpp.exec:\vjdpp.exe114⤵PID:3496
-
\??\c:\rfllffx.exec:\rfllffx.exe115⤵PID:744
-
\??\c:\htbtnb.exec:\htbtnb.exe116⤵PID:232
-
\??\c:\9ththb.exec:\9ththb.exe117⤵PID:4556
-
\??\c:\jdvdp.exec:\jdvdp.exe118⤵PID:2392
-
\??\c:\vjvpv.exec:\vjvpv.exe119⤵
- System Location Discovery: System Language Discovery
PID:4528 -
\??\c:\fflflfx.exec:\fflflfx.exe120⤵PID:4876
-
\??\c:\bhnbnh.exec:\bhnbnh.exe121⤵PID:4028
-
\??\c:\3nhbnn.exec:\3nhbnn.exe122⤵PID:1520