Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25/11/2024, 23:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe
Resource
win7-20240903-en (this is the behavioral1 task; the signature detail and process tree further down are labelled behavioral2 and belong to the win10v2004-20241007-en resource listed under Analysis, not to this task)
7 signatures
150 seconds
General
-
Target
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe
-
Size
452KB
-
MD5
55aafb79b029db8c12cd5d5663eae23e
-
SHA1
b2b7064d25177f4aad984dcf457916d233171548
-
SHA256
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb
-
SHA512
a7250f7106df55a40a4c43d33c420f29f9d47215d0068d2a2aa1363341747f80bc8d8fc2b679f05d1dbd9ccae071dce9a79cad28bcd74e054e635c9bc3d1a526
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2124-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4928-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2236-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-974-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-1053-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-1057-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3120-1389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1584 pppdj.exe 4756 rfxxflf.exe 1032 bnthhh.exe 4064 pvvpj.exe 3448 rrffxfl.exe 2364 xfffxxx.exe 228 htbbnb.exe 3812 dpvpj.exe 4312 rlrlfrl.exe 4320 9flffff.exe 1724 hbhhhh.exe 1564 bbbtnn.exe 860 3vppj.exe 1372 rfffffr.exe 1076 thtntn.exe 2704 vjppv.exe 3196 fxxfllx.exe 4368 frxxlfx.exe 3960 bbbttt.exe 2492 pddjd.exe 2816 frxxxlf.exe 4464 9nhtbn.exe 4592 1hnbhb.exe 3540 dpppp.exe 216 1flfffx.exe 540 fxfllfl.exe 3620 thntnn.exe 4928 jjppp.exe 4232 xlrrllf.exe 1244 hbhnnh.exe 4836 1vpdv.exe 4152 frllxlr.exe 1028 lflrffx.exe 4436 tthhhh.exe 4536 7dvdp.exe 1664 lxlfxxr.exe 1144 xlxfxll.exe 1800 hnnnnn.exe 4704 jjjjd.exe 1716 rffxrrl.exe 4980 rlxxxrl.exe 2220 nhhbtb.exe 3628 5pvpp.exe 4460 5lxllxl.exe 2120 ntbthn.exe 3212 hntthn.exe 2600 jvjjd.exe 1756 xxxxrll.exe 2884 nnbbhh.exe 1340 ntttnn.exe 2920 5jddv.exe 788 rxlrffl.exe 4380 hnhnhh.exe 1876 tbnntb.exe 1308 dpjjp.exe 212 xfrlfxr.exe 1572 bbhhhn.exe 4996 hbhhbb.exe 3416 pppjj.exe 3372 5ffxrrl.exe 2364 nbbttt.exe 464 3tbttb.exe 4312 vjjdv.exe 1580 xrxrllf.exe -
resource yara_rule behavioral2/memory/2124-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2264-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-452-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4512-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-710-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language); on its own this key read is also performed by many benign programs, so treat it as a weak indicator unless it co-occurs with the other behaviours on this page.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 1584 2124 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 83 PID 2124 wrote to memory of 1584 2124 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 83 PID 2124 wrote to memory of 1584 2124 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 83 PID 1584 wrote to memory of 4756 1584 pppdj.exe 84 PID 1584 wrote to memory of 4756 1584 pppdj.exe 84 PID 1584 wrote to memory of 4756 1584 pppdj.exe 84 PID 4756 wrote to memory of 1032 4756 rfxxflf.exe 85 PID 4756 wrote to memory of 1032 4756 rfxxflf.exe 85 PID 4756 wrote to memory of 1032 4756 rfxxflf.exe 85 PID 1032 wrote to memory of 4064 1032 bnthhh.exe 86 PID 1032 wrote to memory of 4064 1032 bnthhh.exe 86 PID 1032 wrote to memory of 4064 1032 bnthhh.exe 86 PID 4064 wrote to memory of 3448 4064 pvvpj.exe 87 PID 4064 wrote to memory of 3448 4064 pvvpj.exe 87 PID 4064 wrote to memory of 3448 4064 pvvpj.exe 87 PID 3448 wrote to memory of 2364 3448 rrffxfl.exe 88 PID 3448 wrote to memory of 2364 3448 rrffxfl.exe 88 PID 3448 wrote to memory of 2364 3448 rrffxfl.exe 88 PID 2364 wrote to memory of 228 2364 xfffxxx.exe 89 PID 2364 wrote to memory of 228 2364 xfffxxx.exe 89 PID 2364 wrote to memory of 228 2364 xfffxxx.exe 89 PID 228 wrote to memory of 3812 228 htbbnb.exe 90 PID 228 wrote to memory of 3812 228 htbbnb.exe 90 PID 228 wrote to memory of 3812 228 htbbnb.exe 90 PID 3812 wrote to memory of 4312 3812 dpvpj.exe 91 PID 3812 wrote to memory of 4312 3812 dpvpj.exe 91 PID 3812 wrote to memory of 4312 3812 dpvpj.exe 91 PID 4312 wrote to memory of 4320 4312 rlrlfrl.exe 92 PID 4312 wrote to memory of 4320 4312 rlrlfrl.exe 92 PID 4312 wrote to memory of 4320 4312 rlrlfrl.exe 92 PID 4320 wrote to memory of 1724 4320 9flffff.exe 93 PID 4320 wrote to memory of 1724 4320 9flffff.exe 93 PID 4320 wrote to memory of 1724 4320 9flffff.exe 93 PID 1724 wrote to memory of 1564 1724 hbhhhh.exe 94 PID 1724 wrote to 
memory of 1564 1724 hbhhhh.exe 94 PID 1724 wrote to memory of 1564 1724 hbhhhh.exe 94 PID 1564 wrote to memory of 860 1564 bbbtnn.exe 150 PID 1564 wrote to memory of 860 1564 bbbtnn.exe 150 PID 1564 wrote to memory of 860 1564 bbbtnn.exe 150 PID 860 wrote to memory of 1372 860 3vppj.exe 96 PID 860 wrote to memory of 1372 860 3vppj.exe 96 PID 860 wrote to memory of 1372 860 3vppj.exe 96 PID 1372 wrote to memory of 1076 1372 rfffffr.exe 97 PID 1372 wrote to memory of 1076 1372 rfffffr.exe 97 PID 1372 wrote to memory of 1076 1372 rfffffr.exe 97 PID 1076 wrote to memory of 2704 1076 thtntn.exe 98 PID 1076 wrote to memory of 2704 1076 thtntn.exe 98 PID 1076 wrote to memory of 2704 1076 thtntn.exe 98 PID 2704 wrote to memory of 3196 2704 vjppv.exe 99 PID 2704 wrote to memory of 3196 2704 vjppv.exe 99 PID 2704 wrote to memory of 3196 2704 vjppv.exe 99 PID 3196 wrote to memory of 4368 3196 fxxfllx.exe 100 PID 3196 wrote to memory of 4368 3196 fxxfllx.exe 100 PID 3196 wrote to memory of 4368 3196 fxxfllx.exe 100 PID 4368 wrote to memory of 3960 4368 frxxlfx.exe 101 PID 4368 wrote to memory of 3960 4368 frxxlfx.exe 101 PID 4368 wrote to memory of 3960 4368 frxxlfx.exe 101 PID 3960 wrote to memory of 2492 3960 bbbttt.exe 102 PID 3960 wrote to memory of 2492 3960 bbbttt.exe 102 PID 3960 wrote to memory of 2492 3960 bbbttt.exe 102 PID 2492 wrote to memory of 2816 2492 pddjd.exe 103 PID 2492 wrote to memory of 2816 2492 pddjd.exe 103 PID 2492 wrote to memory of 2816 2492 pddjd.exe 103 PID 2816 wrote to memory of 4464 2816 frxxxlf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe"C:\Users\Admin\AppData\Local\Temp\7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\pppdj.exec:\pppdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\rfxxflf.exec:\rfxxflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\bnthhh.exec:\bnthhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\pvvpj.exec:\pvvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\rrffxfl.exec:\rrffxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\xfffxxx.exec:\xfffxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\htbbnb.exec:\htbbnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\dpvpj.exec:\dpvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\rlrlfrl.exec:\rlrlfrl.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\9flffff.exec:\9flffff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\hbhhhh.exec:\hbhhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\bbbtnn.exec:\bbbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\3vppj.exec:\3vppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\rfffffr.exec:\rfffffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\thtntn.exec:\thtntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\vjppv.exec:\vjppv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\fxxfllx.exec:\fxxfllx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\frxxlfx.exec:\frxxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\bbbttt.exec:\bbbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\pddjd.exec:\pddjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\frxxxlf.exec:\frxxxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\9nhtbn.exec:\9nhtbn.exe23⤵
- Executes dropped EXE
PID:4464 -
\??\c:\1hnbhb.exec:\1hnbhb.exe24⤵
- Executes dropped EXE
PID:4592 -
\??\c:\dpppp.exec:\dpppp.exe25⤵
- Executes dropped EXE
PID:3540 -
\??\c:\1flfffx.exec:\1flfffx.exe26⤵
- Executes dropped EXE
PID:216 -
\??\c:\fxfllfl.exec:\fxfllfl.exe27⤵
- Executes dropped EXE
PID:540 -
\??\c:\thntnn.exec:\thntnn.exe28⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jjppp.exec:\jjppp.exe29⤵
- Executes dropped EXE
PID:4928 -
\??\c:\xlrrllf.exec:\xlrrllf.exe30⤵
- Executes dropped EXE
PID:4232 -
\??\c:\hbhnnh.exec:\hbhnnh.exe31⤵
- Executes dropped EXE
PID:1244 -
\??\c:\1vpdv.exec:\1vpdv.exe32⤵
- Executes dropped EXE
PID:4836 -
\??\c:\frllxlr.exec:\frllxlr.exe33⤵
- Executes dropped EXE
PID:4152 -
\??\c:\lflrffx.exec:\lflrffx.exe34⤵
- Executes dropped EXE
PID:1028 -
\??\c:\tthhhh.exec:\tthhhh.exe35⤵
- Executes dropped EXE
PID:4436 -
\??\c:\7dvdp.exec:\7dvdp.exe36⤵
- Executes dropped EXE
PID:4536 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe37⤵
- Executes dropped EXE
PID:1664 -
\??\c:\xlxfxll.exec:\xlxfxll.exe38⤵
- Executes dropped EXE
PID:1144 -
\??\c:\hnnnnn.exec:\hnnnnn.exe39⤵
- Executes dropped EXE
PID:1800 -
\??\c:\jjjjd.exec:\jjjjd.exe40⤵
- Executes dropped EXE
PID:4704 -
\??\c:\rffxrrl.exec:\rffxrrl.exe41⤵
- Executes dropped EXE
PID:1716 -
\??\c:\rlxxxrl.exec:\rlxxxrl.exe42⤵
- Executes dropped EXE
PID:4980 -
\??\c:\nhhbtb.exec:\nhhbtb.exe43⤵
- Executes dropped EXE
PID:2220 -
\??\c:\5pvpp.exec:\5pvpp.exe44⤵
- Executes dropped EXE
PID:3628 -
\??\c:\5lxllxl.exec:\5lxllxl.exe45⤵
- Executes dropped EXE
PID:4460 -
\??\c:\ntbthn.exec:\ntbthn.exe46⤵
- Executes dropped EXE
PID:2120 -
\??\c:\hntthn.exec:\hntthn.exe47⤵
- Executes dropped EXE
PID:3212 -
\??\c:\jvjjd.exec:\jvjjd.exe48⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xxxxrll.exec:\xxxxrll.exe49⤵
- Executes dropped EXE
PID:1756 -
\??\c:\nnbbhh.exec:\nnbbhh.exe50⤵
- Executes dropped EXE
PID:2884 -
\??\c:\ntttnn.exec:\ntttnn.exe51⤵
- Executes dropped EXE
PID:1340 -
\??\c:\5jddv.exec:\5jddv.exe52⤵
- Executes dropped EXE
PID:2920 -
\??\c:\rxlrffl.exec:\rxlrffl.exe53⤵
- Executes dropped EXE
PID:788 -
\??\c:\hnhnhh.exec:\hnhnhh.exe54⤵
- Executes dropped EXE
PID:4380 -
\??\c:\tbnntb.exec:\tbnntb.exe55⤵
- Executes dropped EXE
PID:1876 -
\??\c:\dpjjp.exec:\dpjjp.exe56⤵
- Executes dropped EXE
PID:1308 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe57⤵
- Executes dropped EXE
PID:212 -
\??\c:\bbhhhn.exec:\bbhhhn.exe58⤵
- Executes dropped EXE
PID:1572 -
\??\c:\hbhhbb.exec:\hbhhbb.exe59⤵
- Executes dropped EXE
PID:4996 -
\??\c:\pppjj.exec:\pppjj.exe60⤵
- Executes dropped EXE
PID:3416 -
\??\c:\5ffxrrl.exec:\5ffxrrl.exe61⤵
- Executes dropped EXE
PID:3372 -
\??\c:\nbbttt.exec:\nbbttt.exe62⤵
- Executes dropped EXE
PID:2364 -
\??\c:\3tbttb.exec:\3tbttb.exe63⤵
- Executes dropped EXE
PID:464 -
\??\c:\vjjdv.exec:\vjjdv.exe64⤵
- Executes dropped EXE
PID:4312 -
\??\c:\xrxrllf.exec:\xrxrllf.exe65⤵
- Executes dropped EXE
PID:1580 -
\??\c:\hnnhtb.exec:\hnnhtb.exe66⤵PID:3932
-
\??\c:\ppppj.exec:\ppppj.exe67⤵
- System Location Discovery: System Language Discovery
PID:4960 -
\??\c:\fxlllfx.exec:\fxlllfx.exe68⤵PID:3084
-
\??\c:\lffxlll.exec:\lffxlll.exe69⤵PID:860
-
\??\c:\hbbbbn.exec:\hbbbbn.exe70⤵PID:2044
-
\??\c:\dpvjd.exec:\dpvjd.exe71⤵PID:32
-
\??\c:\pdddv.exec:\pdddv.exe72⤵PID:1248
-
\??\c:\1xlrlll.exec:\1xlrlll.exe73⤵PID:4580
-
\??\c:\tnnnnb.exec:\tnnnnb.exe74⤵PID:4992
-
\??\c:\jjppv.exec:\jjppv.exe75⤵PID:1404
-
\??\c:\9fxfxxr.exec:\9fxfxxr.exe76⤵PID:2968
-
\??\c:\xxxffff.exec:\xxxffff.exe77⤵PID:1736
-
\??\c:\nhhntt.exec:\nhhntt.exe78⤵PID:2472
-
\??\c:\pjjvp.exec:\pjjvp.exe79⤵PID:2320
-
\??\c:\htnbnh.exec:\htnbnh.exe80⤵PID:2264
-
\??\c:\vdddd.exec:\vdddd.exe81⤵PID:2924
-
\??\c:\rlxxrxr.exec:\rlxxrxr.exe82⤵PID:2236
-
\??\c:\pvvpd.exec:\pvvpd.exe83⤵PID:4232
-
\??\c:\flrxxxx.exec:\flrxxxx.exe84⤵PID:2828
-
\??\c:\1bhhbh.exec:\1bhhbh.exe85⤵PID:3444
-
\??\c:\pjdjj.exec:\pjdjj.exe86⤵PID:3608
-
\??\c:\xlxxrrr.exec:\xlxxrrr.exe87⤵PID:4476
-
\??\c:\9hbtnt.exec:\9hbtnt.exe88⤵PID:2384
-
\??\c:\dpdvp.exec:\dpdvp.exe89⤵PID:1368
-
\??\c:\1lrlflf.exec:\1lrlflf.exe90⤵PID:1816
-
\??\c:\1lllffx.exec:\1lllffx.exe91⤵PID:3124
-
\??\c:\hbtnnh.exec:\hbtnnh.exe92⤵PID:1636
-
\??\c:\vdvvp.exec:\vdvvp.exe93⤵PID:1456
-
\??\c:\xlflfxl.exec:\xlflfxl.exe94⤵PID:4980
-
\??\c:\hhbntb.exec:\hhbntb.exe95⤵PID:2392
-
\??\c:\1vdvp.exec:\1vdvp.exe96⤵PID:4632
-
\??\c:\1llffff.exec:\1llffff.exe97⤵PID:1884
-
\??\c:\tntthh.exec:\tntthh.exe98⤵PID:5020
-
\??\c:\dpvpp.exec:\dpvpp.exe99⤵PID:2696
-
\??\c:\lrlxfrf.exec:\lrlxfrf.exe100⤵PID:440
-
\??\c:\bnhhhn.exec:\bnhhhn.exe101⤵PID:692
-
\??\c:\dpjvp.exec:\dpjvp.exe102⤵PID:3164
-
\??\c:\7rrlflf.exec:\7rrlflf.exe103⤵PID:1392
-
\??\c:\hnhbhn.exec:\hnhbhn.exe104⤵PID:4064
-
\??\c:\xffxrxr.exec:\xffxrxr.exe105⤵PID:3160
-
\??\c:\tntnhh.exec:\tntnhh.exe106⤵PID:228
-
\??\c:\dvdvv.exec:\dvdvv.exe107⤵PID:3416
-
\??\c:\vdjjd.exec:\vdjjd.exe108⤵PID:1824
-
\??\c:\rxlllrr.exec:\rxlllrr.exe109⤵PID:1264
-
\??\c:\ttntth.exec:\ttntth.exe110⤵PID:5068
-
\??\c:\vdjdd.exec:\vdjdd.exe111⤵PID:4256
-
\??\c:\bhbbnn.exec:\bhbbnn.exe112⤵PID:3984
-
\??\c:\dppjv.exec:\dppjv.exe113⤵PID:1464
-
\??\c:\rlxllff.exec:\rlxllff.exe114⤵PID:5116
-
\??\c:\tbnnth.exec:\tbnnth.exe115⤵PID:4764
-
\??\c:\7jvpp.exec:\7jvpp.exe116⤵PID:4512
-
\??\c:\rlllrlr.exec:\rlllrlr.exe117⤵PID:1344
-
\??\c:\bbttnn.exec:\bbttnn.exe118⤵PID:3112
-
\??\c:\vppjd.exec:\vppjd.exe119⤵PID:3564
-
\??\c:\ffrlllx.exec:\ffrlllx.exe120⤵PID:4320
-
\??\c:\bnbbtt.exec:\bnbbtt.exe121⤵PID:4368
-
\??\c:\ppppd.exec:\ppppd.exe122⤵PID:4580