Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/11/2024, 00:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe
-
Size
452KB
-
MD5
55aafb79b029db8c12cd5d5663eae23e
-
SHA1
b2b7064d25177f4aad984dcf457916d233171548
-
SHA256
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb
-
SHA512
a7250f7106df55a40a4c43d33c420f29f9d47215d0068d2a2aa1363341747f80bc8d8fc2b679f05d1dbd9ccae071dce9a79cad28bcd74e054e635c9bc3d1a526
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4944-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2904-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2000-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-1129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3436-1425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2600 vddjj.exe 5056 djjjv.exe 1020 xlrfxff.exe 3828 flflllr.exe 2552 thbbnt.exe 4000 vjjpp.exe 2736 hhhhnt.exe 4308 dpdjd.exe 4168 jppjv.exe 3992 nbhhbn.exe 4928 lxfxfff.exe 3332 tbbbtn.exe 2664 jjppp.exe 1000 pjdvd.exe 4372 rfxlrxf.exe 1804 flfrlff.exe 1972 jpvvv.exe 5016 5btnnn.exe 3136 9jvdj.exe 2900 lxrfrlf.exe 220 bbtthn.exe 3164 vvvdd.exe 5092 djvdd.exe 1368 xlfffrx.exe 1524 pjjvp.exe 1132 fxlffll.exe 4520 bnbhtt.exe 1552 jjvvp.exe 2904 bthtbn.exe 2944 1dvjj.exe 1540 llrrxxx.exe 3364 hbttnt.exe 3180 vvdjp.exe 4400 bttbbh.exe 1044 hbtttb.exe 4788 7fllfrr.exe 3928 tntttt.exe 552 3ffllrx.exe 1716 1nntth.exe 4756 lxrllfx.exe 4688 rlfxrlf.exe 2580 llxflrr.exe 4064 nbnntb.exe 632 vpjjj.exe 2060 flxxffl.exe 1164 tttttt.exe 4456 5jpdd.exe 1944 lrrfxrx.exe 4368 hbbbnn.exe 2816 pvjdd.exe 3512 dpdvv.exe 3736 7xfrrlf.exe 2216 ntnhbt.exe 2720 9jpjj.exe 4472 llrrrrx.exe 3828 1bhhhn.exe 3628 hbnntb.exe 1136 dppjp.exe 4132 xflflrx.exe 4212 thbthh.exe 2324 pjjdv.exe 2716 ddjdd.exe 3332 llfxxfl.exe 4868 ttbbtn.exe -
resource yara_rule behavioral2/memory/4944-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-175-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2944-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1692-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4944 wrote to memory of 2600 4944 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 82 PID 4944 wrote to memory of 2600 4944 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 82 PID 4944 wrote to memory of 2600 4944 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 82 PID 2600 wrote to memory of 5056 2600 vddjj.exe 83 PID 2600 wrote to memory of 5056 2600 vddjj.exe 83 PID 2600 wrote to memory of 5056 2600 vddjj.exe 83 PID 5056 wrote to memory of 1020 5056 djjjv.exe 84 PID 5056 wrote to memory of 1020 5056 djjjv.exe 84 PID 5056 wrote to memory of 1020 5056 djjjv.exe 84 PID 1020 wrote to memory of 3828 1020 xlrfxff.exe 85 PID 1020 wrote to memory of 3828 1020 xlrfxff.exe 85 PID 1020 wrote to memory of 3828 1020 xlrfxff.exe 85 PID 3828 wrote to memory of 2552 3828 flflllr.exe 86 PID 3828 wrote to memory of 2552 3828 flflllr.exe 86 PID 3828 wrote to memory of 2552 3828 flflllr.exe 86 PID 2552 wrote to memory of 4000 2552 thbbnt.exe 87 PID 2552 wrote to memory of 4000 2552 thbbnt.exe 87 PID 2552 wrote to memory of 4000 2552 thbbnt.exe 87 PID 4000 wrote to memory of 2736 4000 vjjpp.exe 88 PID 4000 wrote to memory of 2736 4000 vjjpp.exe 88 PID 4000 wrote to memory of 2736 4000 vjjpp.exe 88 PID 2736 wrote to memory of 4308 2736 hhhhnt.exe 89 PID 2736 wrote to memory of 4308 2736 hhhhnt.exe 89 PID 2736 wrote to memory of 4308 2736 hhhhnt.exe 89 PID 4308 wrote to memory of 4168 4308 dpdjd.exe 90 PID 4308 wrote to memory of 4168 4308 dpdjd.exe 90 PID 4308 wrote to memory of 4168 4308 dpdjd.exe 90 PID 4168 wrote to memory of 3992 4168 jppjv.exe 91 PID 4168 wrote to memory of 3992 4168 jppjv.exe 91 PID 4168 wrote to memory of 3992 4168 jppjv.exe 91 PID 3992 wrote to memory of 4928 3992 nbhhbn.exe 92 PID 3992 wrote to memory of 4928 3992 nbhhbn.exe 92 PID 3992 wrote to memory of 4928 3992 nbhhbn.exe 92 PID 4928 wrote to memory of 3332 4928 lxfxfff.exe 93 PID 4928 wrote to memory of 
3332 4928 lxfxfff.exe 93 PID 4928 wrote to memory of 3332 4928 lxfxfff.exe 93 PID 3332 wrote to memory of 2664 3332 tbbbtn.exe 94 PID 3332 wrote to memory of 2664 3332 tbbbtn.exe 94 PID 3332 wrote to memory of 2664 3332 tbbbtn.exe 94 PID 2664 wrote to memory of 1000 2664 jjppp.exe 95 PID 2664 wrote to memory of 1000 2664 jjppp.exe 95 PID 2664 wrote to memory of 1000 2664 jjppp.exe 95 PID 1000 wrote to memory of 4372 1000 pjdvd.exe 96 PID 1000 wrote to memory of 4372 1000 pjdvd.exe 96 PID 1000 wrote to memory of 4372 1000 pjdvd.exe 96 PID 4372 wrote to memory of 1804 4372 rfxlrxf.exe 97 PID 4372 wrote to memory of 1804 4372 rfxlrxf.exe 97 PID 4372 wrote to memory of 1804 4372 rfxlrxf.exe 97 PID 1804 wrote to memory of 1972 1804 flfrlff.exe 98 PID 1804 wrote to memory of 1972 1804 flfrlff.exe 98 PID 1804 wrote to memory of 1972 1804 flfrlff.exe 98 PID 1972 wrote to memory of 5016 1972 jpvvv.exe 99 PID 1972 wrote to memory of 5016 1972 jpvvv.exe 99 PID 1972 wrote to memory of 5016 1972 jpvvv.exe 99 PID 5016 wrote to memory of 3136 5016 5btnnn.exe 100 PID 5016 wrote to memory of 3136 5016 5btnnn.exe 100 PID 5016 wrote to memory of 3136 5016 5btnnn.exe 100 PID 3136 wrote to memory of 2900 3136 9jvdj.exe 101 PID 3136 wrote to memory of 2900 3136 9jvdj.exe 101 PID 3136 wrote to memory of 2900 3136 9jvdj.exe 101 PID 2900 wrote to memory of 220 2900 lxrfrlf.exe 102 PID 2900 wrote to memory of 220 2900 lxrfrlf.exe 102 PID 2900 wrote to memory of 220 2900 lxrfrlf.exe 102 PID 220 wrote to memory of 3164 220 bbtthn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe"C:\Users\Admin\AppData\Local\Temp\7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\vddjj.exec:\vddjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\djjjv.exec:\djjjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\xlrfxff.exec:\xlrfxff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\flflllr.exec:\flflllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\thbbnt.exec:\thbbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\vjjpp.exec:\vjjpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\hhhhnt.exec:\hhhhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\dpdjd.exec:\dpdjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\jppjv.exec:\jppjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\nbhhbn.exec:\nbhhbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\lxfxfff.exec:\lxfxfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\tbbbtn.exec:\tbbbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\jjppp.exec:\jjppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\pjdvd.exec:\pjdvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\rfxlrxf.exec:\rfxlrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\flfrlff.exec:\flfrlff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\jpvvv.exec:\jpvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\5btnnn.exec:\5btnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\9jvdj.exec:\9jvdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\lxrfrlf.exec:\lxrfrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\bbtthn.exec:\bbtthn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\vvvdd.exec:\vvvdd.exe23⤵
- Executes dropped EXE
PID:3164 -
\??\c:\djvdd.exec:\djvdd.exe24⤵
- Executes dropped EXE
PID:5092 -
\??\c:\xlfffrx.exec:\xlfffrx.exe25⤵
- Executes dropped EXE
PID:1368 -
\??\c:\pjjvp.exec:\pjjvp.exe26⤵
- Executes dropped EXE
PID:1524 -
\??\c:\fxlffll.exec:\fxlffll.exe27⤵
- Executes dropped EXE
PID:1132 -
\??\c:\bnbhtt.exec:\bnbhtt.exe28⤵
- Executes dropped EXE
PID:4520 -
\??\c:\jjvvp.exec:\jjvvp.exe29⤵
- Executes dropped EXE
PID:1552 -
\??\c:\bthtbn.exec:\bthtbn.exe30⤵
- Executes dropped EXE
PID:2904 -
\??\c:\1dvjj.exec:\1dvjj.exe31⤵
- Executes dropped EXE
PID:2944 -
\??\c:\llrrxxx.exec:\llrrxxx.exe32⤵
- Executes dropped EXE
PID:1540 -
\??\c:\hbttnt.exec:\hbttnt.exe33⤵
- Executes dropped EXE
PID:3364 -
\??\c:\vvdjp.exec:\vvdjp.exe34⤵
- Executes dropped EXE
PID:3180 -
\??\c:\bttbbh.exec:\bttbbh.exe35⤵
- Executes dropped EXE
PID:4400 -
\??\c:\hbtttb.exec:\hbtttb.exe36⤵
- Executes dropped EXE
PID:1044 -
\??\c:\7fllfrr.exec:\7fllfrr.exe37⤵
- Executes dropped EXE
PID:4788 -
\??\c:\tntttt.exec:\tntttt.exe38⤵
- Executes dropped EXE
PID:3928 -
\??\c:\3ffllrx.exec:\3ffllrx.exe39⤵
- Executes dropped EXE
PID:552 -
\??\c:\1nntth.exec:\1nntth.exe40⤵
- Executes dropped EXE
PID:1716 -
\??\c:\lxrllfx.exec:\lxrllfx.exe41⤵
- Executes dropped EXE
PID:4756 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe42⤵
- Executes dropped EXE
PID:4688 -
\??\c:\llxflrr.exec:\llxflrr.exe43⤵
- Executes dropped EXE
PID:2580 -
\??\c:\nbnntb.exec:\nbnntb.exe44⤵
- Executes dropped EXE
PID:4064 -
\??\c:\vpjjj.exec:\vpjjj.exe45⤵
- Executes dropped EXE
PID:632 -
\??\c:\flxxffl.exec:\flxxffl.exe46⤵
- Executes dropped EXE
PID:2060 -
\??\c:\tttttt.exec:\tttttt.exe47⤵
- Executes dropped EXE
PID:1164 -
\??\c:\5jpdd.exec:\5jpdd.exe48⤵
- Executes dropped EXE
PID:4456 -
\??\c:\lrrfxrx.exec:\lrrfxrx.exe49⤵
- Executes dropped EXE
PID:1944 -
\??\c:\hbbbnn.exec:\hbbbnn.exe50⤵
- Executes dropped EXE
PID:4368 -
\??\c:\pvjdd.exec:\pvjdd.exe51⤵
- Executes dropped EXE
PID:2816 -
\??\c:\dpdvv.exec:\dpdvv.exe52⤵
- Executes dropped EXE
PID:3512 -
\??\c:\7xfrrlf.exec:\7xfrrlf.exe53⤵
- Executes dropped EXE
PID:3736 -
\??\c:\ntnhbt.exec:\ntnhbt.exe54⤵
- Executes dropped EXE
PID:2216 -
\??\c:\9jpjj.exec:\9jpjj.exe55⤵
- Executes dropped EXE
PID:2720 -
\??\c:\llrrrrx.exec:\llrrrrx.exe56⤵
- Executes dropped EXE
PID:4472 -
\??\c:\1bhhhn.exec:\1bhhhn.exe57⤵
- Executes dropped EXE
PID:3828 -
\??\c:\hbnntb.exec:\hbnntb.exe58⤵
- Executes dropped EXE
PID:3628 -
\??\c:\dppjp.exec:\dppjp.exe59⤵
- Executes dropped EXE
PID:1136 -
\??\c:\xflflrx.exec:\xflflrx.exe60⤵
- Executes dropped EXE
PID:4132 -
\??\c:\thbthh.exec:\thbthh.exe61⤵
- Executes dropped EXE
PID:4212 -
\??\c:\pjjdv.exec:\pjjdv.exe62⤵
- Executes dropped EXE
PID:2324 -
\??\c:\ddjdd.exec:\ddjdd.exe63⤵
- Executes dropped EXE
PID:2716 -
\??\c:\llfxxfl.exec:\llfxxfl.exe64⤵
- Executes dropped EXE
PID:3332 -
\??\c:\ttbbtn.exec:\ttbbtn.exe65⤵
- Executes dropped EXE
PID:4868 -
\??\c:\ppjjd.exec:\ppjjd.exe66⤵PID:4996
-
\??\c:\btbbbt.exec:\btbbbt.exe67⤵PID:4372
-
\??\c:\vjvvv.exec:\vjvvv.exe68⤵PID:2160
-
\??\c:\xflfrxf.exec:\xflfrxf.exe69⤵PID:4728
-
\??\c:\bhnnhn.exec:\bhnnhn.exe70⤵PID:1428
-
\??\c:\jpvpp.exec:\jpvpp.exe71⤵PID:3112
-
\??\c:\xffrfll.exec:\xffrfll.exe72⤵PID:4844
-
\??\c:\flrfflr.exec:\flrfflr.exe73⤵PID:3892
-
\??\c:\jjjdj.exec:\jjjdj.exe74⤵PID:3296
-
\??\c:\xrrlxrr.exec:\xrrlxrr.exe75⤵PID:2000
-
\??\c:\hnbbnt.exec:\hnbbnt.exe76⤵PID:3400
-
\??\c:\httthb.exec:\httthb.exe77⤵PID:5072
-
\??\c:\vjdvj.exec:\vjdvj.exe78⤵PID:3484
-
\??\c:\rrrxxrx.exec:\rrrxxrx.exe79⤵PID:4012
-
\??\c:\nnhtnn.exec:\nnhtnn.exe80⤵PID:3668
-
\??\c:\pdjdp.exec:\pdjdp.exe81⤵PID:4396
-
\??\c:\ddvvv.exec:\ddvvv.exe82⤵PID:3396
-
\??\c:\lffflfx.exec:\lffflfx.exe83⤵PID:3280
-
\??\c:\nbbbbh.exec:\nbbbbh.exe84⤵PID:2412
-
\??\c:\vdpvj.exec:\vdpvj.exe85⤵PID:956
-
\??\c:\tnnhbt.exec:\tnnhbt.exe86⤵PID:2312
-
\??\c:\jjppj.exec:\jjppj.exe87⤵PID:1532
-
\??\c:\dpddj.exec:\dpddj.exe88⤵PID:1692
-
\??\c:\ttbtbb.exec:\ttbtbb.exe89⤵PID:1528
-
\??\c:\nbnbnh.exec:\nbnbnh.exe90⤵PID:1448
-
\??\c:\9jppd.exec:\9jppd.exe91⤵PID:1464
-
\??\c:\xrrrfrx.exec:\xrrrfrx.exe92⤵PID:1124
-
\??\c:\nhnnhn.exec:\nhnnhn.exe93⤵PID:2348
-
\??\c:\djvdj.exec:\djvdj.exe94⤵PID:696
-
\??\c:\lfrrrxx.exec:\lfrrrxx.exe95⤵PID:440
-
\??\c:\hnhbth.exec:\hnhbth.exe96⤵PID:3476
-
\??\c:\jdjjj.exec:\jdjjj.exe97⤵PID:2864
-
\??\c:\flrllrl.exec:\flrllrl.exe98⤵PID:2572
-
\??\c:\bthbtb.exec:\bthbtb.exe99⤵PID:4268
-
\??\c:\vdjjd.exec:\vdjjd.exe100⤵PID:648
-
\??\c:\fxxffxr.exec:\fxxffxr.exe101⤵PID:3024
-
\??\c:\7ttttt.exec:\7ttttt.exe102⤵PID:1832
-
\??\c:\pvjpv.exec:\pvjpv.exe103⤵PID:1172
-
\??\c:\flxllrl.exec:\flxllrl.exe104⤵PID:1792
-
\??\c:\nthhbb.exec:\nthhbb.exe105⤵
- System Location Discovery: System Language Discovery
PID:2624 -
\??\c:\pvppv.exec:\pvppv.exe106⤵PID:5036
-
\??\c:\rlrlffx.exec:\rlrlffx.exe107⤵
- System Location Discovery: System Language Discovery
PID:2920 -
\??\c:\bttnnh.exec:\bttnnh.exe108⤵PID:2604
-
\??\c:\jjjjj.exec:\jjjjj.exe109⤵PID:4020
-
\??\c:\lxlrrff.exec:\lxlrrff.exe110⤵PID:3696
-
\??\c:\1htttb.exec:\1htttb.exe111⤵PID:4260
-
\??\c:\djvvp.exec:\djvvp.exe112⤵PID:4852
-
\??\c:\rfrfxrf.exec:\rfrfxrf.exe113⤵PID:1020
-
\??\c:\thtbhb.exec:\thtbhb.exe114⤵PID:1560
-
\??\c:\djvvd.exec:\djvvd.exe115⤵PID:2064
-
\??\c:\lllllll.exec:\lllllll.exe116⤵PID:3628
-
\??\c:\bhnnhn.exec:\bhnnhn.exe117⤵PID:4888
-
\??\c:\jvjdv.exec:\jvjdv.exe118⤵PID:4052
-
\??\c:\1xfrxxx.exec:\1xfrxxx.exe119⤵PID:4344
-
\??\c:\5nbhhn.exec:\5nbhhn.exe120⤵PID:1688
-
\??\c:\dpddp.exec:\dpddp.exe121⤵PID:2936
-
\??\c:\vvjjp.exec:\vvjjp.exe122⤵PID:1468