Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 01:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1.exe
-
Size
454KB
-
MD5
34e136b6e0a5194c2fbf75b4190e2428
-
SHA1
11984032f83f3422e253591378fd5bf3a4d8c9ae
-
SHA256
7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1
-
SHA512
eddbb0bfbd3e847893e5e1b851f1a7c5e6d51a0ed2e01e29c8f4f8fcbb572ab2a33db1c4f474910e055e97836cc7aa34973b413451890f24f405fc95e33184a6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTS:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4080-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4152-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/988-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-1152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-1183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-1586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/464-1786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5096 ffxxxxr.exe 4340 vdpjj.exe 4232 dvdvv.exe 4124 rfllfxx.exe 756 hthhbb.exe 1728 vpvpv.exe 2796 fxxxrrl.exe 1016 rflxrxr.exe 3040 5nttnb.exe 3432 fffxrll.exe 1224 lfrlrrx.exe 4788 jdjdd.exe 2948 bbbbtn.exe 916 hbbnnb.exe 4012 vvdvv.exe 2828 3rrxrxr.exe 3860 pjjjj.exe 4996 rrfxxff.exe 3372 3hhbbb.exe 3660 xlxrllf.exe 1588 hnthhb.exe 1900 dpvvp.exe 4436 fxfxrrl.exe 3376 9llfxxr.exe 3772 7bhthh.exe 5028 jjjdv.exe 2728 fxllxfl.exe 4152 xlrxfxl.exe 1012 pdvdv.exe 1528 hhbbbb.exe 3420 vpdvd.exe 4344 rfffxxr.exe 4440 1httbh.exe 4640 jdvpv.exe 8 frrlffr.exe 4660 jjvpd.exe 4360 9fxrllf.exe 2020 nbtnnn.exe 3032 xxrfllx.exe 624 5ffxxxx.exe 4860 hbhhhn.exe 2284 1rrlffx.exe 3888 hthhhn.exe 4456 7vdvp.exe 4876 lxlfxxr.exe 1996 3ntthb.exe 1680 pjvvd.exe 2964 rlrlfrl.exe 2936 tnbthb.exe 4620 jvvjd.exe 3084 rxfxrlr.exe 3924 tbtnbt.exe 3844 dpvjj.exe 4240 dpvpj.exe 2796 xlrfrrr.exe 1016 5hhtnh.exe 2152 pjjvp.exe 628 xrrlxrl.exe 2356 xrfxrll.exe 1224 nhhtnh.exe 1700 pjjdp.exe 3428 fxfrlrl.exe 4288 1ttnhb.exe 2908 5vjdd.exe -
resource yara_rule behavioral2/memory/4080-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4640-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1776-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-1152-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4080 wrote to memory of 5096 4080 7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1.exe 82 PID 4080 wrote to memory of 5096 4080 7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1.exe 82 PID 4080 wrote to memory of 5096 4080 7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1.exe 82 PID 5096 wrote to memory of 4340 5096 ffxxxxr.exe 83 PID 5096 wrote to memory of 4340 5096 ffxxxxr.exe 83 PID 5096 wrote to memory of 4340 5096 ffxxxxr.exe 83 PID 4340 wrote to memory of 4232 4340 vdpjj.exe 84 PID 4340 wrote to memory of 4232 4340 vdpjj.exe 84 PID 4340 wrote to memory of 4232 4340 vdpjj.exe 84 PID 4232 wrote to memory of 4124 4232 dvdvv.exe 85 PID 4232 wrote to memory of 4124 4232 dvdvv.exe 85 PID 4232 wrote to memory of 4124 4232 dvdvv.exe 85 PID 4124 wrote to memory of 756 4124 rfllfxx.exe 86 PID 4124 wrote to memory of 756 4124 rfllfxx.exe 86 PID 4124 wrote to memory of 756 4124 rfllfxx.exe 86 PID 756 wrote to memory of 1728 756 hthhbb.exe 87 PID 756 wrote to memory of 1728 756 hthhbb.exe 87 PID 756 wrote to memory of 1728 756 hthhbb.exe 87 PID 1728 wrote to memory of 2796 1728 vpvpv.exe 88 PID 1728 wrote to memory of 2796 1728 vpvpv.exe 88 PID 1728 wrote to memory of 2796 1728 vpvpv.exe 88 PID 2796 wrote to memory of 1016 2796 fxxxrrl.exe 89 PID 2796 wrote to memory of 1016 2796 fxxxrrl.exe 89 PID 2796 wrote to memory of 1016 2796 fxxxrrl.exe 89 PID 1016 wrote to memory of 3040 1016 rflxrxr.exe 90 PID 1016 wrote to memory of 3040 1016 rflxrxr.exe 90 PID 1016 wrote to memory of 3040 1016 rflxrxr.exe 90 PID 3040 wrote to memory of 3432 3040 5nttnb.exe 91 PID 3040 wrote to memory of 3432 3040 5nttnb.exe 91 PID 3040 wrote to memory of 3432 3040 5nttnb.exe 91 PID 3432 wrote to memory of 1224 3432 fffxrll.exe 92 PID 3432 wrote to memory of 1224 3432 fffxrll.exe 92 PID 3432 wrote to memory of 1224 3432 fffxrll.exe 92 PID 1224 wrote to memory of 4788 1224 lfrlrrx.exe 93 PID 1224 wrote to 
memory of 4788 1224 lfrlrrx.exe 93 PID 1224 wrote to memory of 4788 1224 lfrlrrx.exe 93 PID 4788 wrote to memory of 2948 4788 jdjdd.exe 94 PID 4788 wrote to memory of 2948 4788 jdjdd.exe 94 PID 4788 wrote to memory of 2948 4788 jdjdd.exe 94 PID 2948 wrote to memory of 916 2948 bbbbtn.exe 95 PID 2948 wrote to memory of 916 2948 bbbbtn.exe 95 PID 2948 wrote to memory of 916 2948 bbbbtn.exe 95 PID 916 wrote to memory of 4012 916 hbbnnb.exe 96 PID 916 wrote to memory of 4012 916 hbbnnb.exe 96 PID 916 wrote to memory of 4012 916 hbbnnb.exe 96 PID 4012 wrote to memory of 2828 4012 vvdvv.exe 97 PID 4012 wrote to memory of 2828 4012 vvdvv.exe 97 PID 4012 wrote to memory of 2828 4012 vvdvv.exe 97 PID 2828 wrote to memory of 3860 2828 3rrxrxr.exe 98 PID 2828 wrote to memory of 3860 2828 3rrxrxr.exe 98 PID 2828 wrote to memory of 3860 2828 3rrxrxr.exe 98 PID 3860 wrote to memory of 4996 3860 pjjjj.exe 99 PID 3860 wrote to memory of 4996 3860 pjjjj.exe 99 PID 3860 wrote to memory of 4996 3860 pjjjj.exe 99 PID 4996 wrote to memory of 3372 4996 rrfxxff.exe 100 PID 4996 wrote to memory of 3372 4996 rrfxxff.exe 100 PID 4996 wrote to memory of 3372 4996 rrfxxff.exe 100 PID 3372 wrote to memory of 3660 3372 3hhbbb.exe 101 PID 3372 wrote to memory of 3660 3372 3hhbbb.exe 101 PID 3372 wrote to memory of 3660 3372 3hhbbb.exe 101 PID 3660 wrote to memory of 1588 3660 xlxrllf.exe 102 PID 3660 wrote to memory of 1588 3660 xlxrllf.exe 102 PID 3660 wrote to memory of 1588 3660 xlxrllf.exe 102 PID 1588 wrote to memory of 1900 1588 hnthhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1.exe"C:\Users\Admin\AppData\Local\Temp\7ce5f9993366d7c4204750fac9dea2cea74a68ac19c76b628964a08b31cdc3f1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\ffxxxxr.exec:\ffxxxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\vdpjj.exec:\vdpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\dvdvv.exec:\dvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\rfllfxx.exec:\rfllfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\hthhbb.exec:\hthhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\vpvpv.exec:\vpvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rflxrxr.exec:\rflxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\5nttnb.exec:\5nttnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\fffxrll.exec:\fffxrll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\jdjdd.exec:\jdjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\bbbbtn.exec:\bbbbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\hbbnnb.exec:\hbbnnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\vvdvv.exec:\vvdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\3rrxrxr.exec:\3rrxrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\pjjjj.exec:\pjjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\rrfxxff.exec:\rrfxxff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\3hhbbb.exec:\3hhbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\xlxrllf.exec:\xlxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\hnthhb.exec:\hnthhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\dpvvp.exec:\dpvvp.exe23⤵
- Executes dropped EXE
PID:1900 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe24⤵
- Executes dropped EXE
PID:4436 -
\??\c:\9llfxxr.exec:\9llfxxr.exe25⤵
- Executes dropped EXE
PID:3376 -
\??\c:\7bhthh.exec:\7bhthh.exe26⤵
- Executes dropped EXE
PID:3772 -
\??\c:\jjjdv.exec:\jjjdv.exe27⤵
- Executes dropped EXE
PID:5028 -
\??\c:\fxllxfl.exec:\fxllxfl.exe28⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xlrxfxl.exec:\xlrxfxl.exe29⤵
- Executes dropped EXE
PID:4152 -
\??\c:\pdvdv.exec:\pdvdv.exe30⤵
- Executes dropped EXE
PID:1012 -
\??\c:\hhbbbb.exec:\hhbbbb.exe31⤵
- Executes dropped EXE
PID:1528 -
\??\c:\vpdvd.exec:\vpdvd.exe32⤵
- Executes dropped EXE
PID:3420 -
\??\c:\rfffxxr.exec:\rfffxxr.exe33⤵
- Executes dropped EXE
PID:4344 -
\??\c:\1httbh.exec:\1httbh.exe34⤵
- Executes dropped EXE
PID:4440 -
\??\c:\jdvpv.exec:\jdvpv.exe35⤵
- Executes dropped EXE
PID:4640 -
\??\c:\frrlffr.exec:\frrlffr.exe36⤵
- Executes dropped EXE
PID:8 -
\??\c:\jjvpd.exec:\jjvpd.exe37⤵
- Executes dropped EXE
PID:4660 -
\??\c:\9fxrllf.exec:\9fxrllf.exe38⤵
- Executes dropped EXE
PID:4360 -
\??\c:\nbtnnn.exec:\nbtnnn.exe39⤵
- Executes dropped EXE
PID:2020 -
\??\c:\xxrfllx.exec:\xxrfllx.exe40⤵
- Executes dropped EXE
PID:3032 -
\??\c:\5ffxxxx.exec:\5ffxxxx.exe41⤵
- Executes dropped EXE
PID:624 -
\??\c:\hbhhhn.exec:\hbhhhn.exe42⤵
- Executes dropped EXE
PID:4860 -
\??\c:\1rrlffx.exec:\1rrlffx.exe43⤵
- Executes dropped EXE
PID:2284 -
\??\c:\hthhhn.exec:\hthhhn.exe44⤵
- Executes dropped EXE
PID:3888 -
\??\c:\7vdvp.exec:\7vdvp.exe45⤵
- Executes dropped EXE
PID:4456 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe46⤵
- Executes dropped EXE
PID:4876 -
\??\c:\3ntthb.exec:\3ntthb.exe47⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pjvvd.exec:\pjvvd.exe48⤵
- Executes dropped EXE
PID:1680 -
\??\c:\rlrlfrl.exec:\rlrlfrl.exe49⤵
- Executes dropped EXE
PID:2964 -
\??\c:\tnbthb.exec:\tnbthb.exe50⤵
- Executes dropped EXE
PID:2936 -
\??\c:\jvvjd.exec:\jvvjd.exe51⤵
- Executes dropped EXE
PID:4620 -
\??\c:\rxfxrlr.exec:\rxfxrlr.exe52⤵
- Executes dropped EXE
PID:3084 -
\??\c:\tbtnbt.exec:\tbtnbt.exe53⤵
- Executes dropped EXE
PID:3924 -
\??\c:\dpvjj.exec:\dpvjj.exe54⤵
- Executes dropped EXE
PID:3844 -
\??\c:\dpvpj.exec:\dpvpj.exe55⤵
- Executes dropped EXE
PID:4240 -
\??\c:\xlrfrrr.exec:\xlrfrrr.exe56⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5hhtnh.exec:\5hhtnh.exe57⤵
- Executes dropped EXE
PID:1016 -
\??\c:\pjjvp.exec:\pjjvp.exe58⤵
- Executes dropped EXE
PID:2152 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe59⤵
- Executes dropped EXE
PID:628 -
\??\c:\xrfxrll.exec:\xrfxrll.exe60⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nhhtnh.exec:\nhhtnh.exe61⤵
- Executes dropped EXE
PID:1224 -
\??\c:\pjjdp.exec:\pjjdp.exe62⤵
- Executes dropped EXE
PID:1700 -
\??\c:\fxfrlrl.exec:\fxfrlrl.exe63⤵
- Executes dropped EXE
PID:3428 -
\??\c:\1ttnhb.exec:\1ttnhb.exe64⤵
- Executes dropped EXE
PID:4288 -
\??\c:\5vjdd.exec:\5vjdd.exe65⤵
- Executes dropped EXE
PID:2908 -
\??\c:\9rlfxxx.exec:\9rlfxxx.exe66⤵PID:4548
-
\??\c:\hbnnhh.exec:\hbnnhh.exe67⤵PID:3008
-
\??\c:\jjjdv.exec:\jjjdv.exe68⤵PID:4012
-
\??\c:\dpjjp.exec:\dpjjp.exe69⤵PID:3972
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe70⤵PID:3028
-
\??\c:\5tthtt.exec:\5tthtt.exe71⤵PID:3632
-
\??\c:\dvdvp.exec:\dvdvp.exe72⤵PID:1168
-
\??\c:\rffxlfx.exec:\rffxlfx.exe73⤵PID:988
-
\??\c:\nbbnbt.exec:\nbbnbt.exe74⤵PID:956
-
\??\c:\jdvpp.exec:\jdvpp.exe75⤵PID:5056
-
\??\c:\frxrrrr.exec:\frxrrrr.exe76⤵PID:2648
-
\??\c:\nhhbtt.exec:\nhhbtt.exe77⤵PID:4736
-
\??\c:\pjvpd.exec:\pjvpd.exe78⤵PID:4380
-
\??\c:\jdjdj.exec:\jdjdj.exe79⤵PID:1492
-
\??\c:\lflxxxr.exec:\lflxxxr.exe80⤵PID:696
-
\??\c:\bntnhb.exec:\bntnhb.exe81⤵PID:4508
-
\??\c:\vvddp.exec:\vvddp.exe82⤵PID:2400
-
\??\c:\1pjdv.exec:\1pjdv.exe83⤵PID:3528
-
\??\c:\3rlrflf.exec:\3rlrflf.exe84⤵PID:1160
-
\??\c:\thhtnh.exec:\thhtnh.exe85⤵PID:4816
-
\??\c:\nhnhbt.exec:\nhnhbt.exe86⤵PID:2276
-
\??\c:\vvvvv.exec:\vvvvv.exe87⤵PID:960
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe88⤵PID:1620
-
\??\c:\nhtnhh.exec:\nhtnhh.exe89⤵PID:2368
-
\??\c:\pjdpv.exec:\pjdpv.exe90⤵PID:4428
-
\??\c:\3ppjp.exec:\3ppjp.exe91⤵PID:3440
-
\??\c:\1rfxffr.exec:\1rfxffr.exe92⤵
- System Location Discovery: System Language Discovery
PID:2940 -
\??\c:\1hhbtt.exec:\1hhbtt.exe93⤵PID:536
-
\??\c:\pddvp.exec:\pddvp.exe94⤵PID:3848
-
\??\c:\fxrlrrf.exec:\fxrlrrf.exe95⤵PID:1776
-
\??\c:\nnhbtn.exec:\nnhbtn.exe96⤵PID:4560
-
\??\c:\tntnhb.exec:\tntnhb.exe97⤵PID:2792
-
\??\c:\dpvpj.exec:\dpvpj.exe98⤵PID:3728
-
\??\c:\xxxrllf.exec:\xxxrllf.exe99⤵PID:1204
-
\??\c:\3htttt.exec:\3htttt.exe100⤵PID:1556
-
\??\c:\ddddv.exec:\ddddv.exe101⤵PID:2284
-
\??\c:\ffrlfxx.exec:\ffrlfxx.exe102⤵PID:3888
-
\??\c:\tttnhb.exec:\tttnhb.exe103⤵PID:940
-
\??\c:\ntnnnn.exec:\ntnnnn.exe104⤵PID:2980
-
\??\c:\9pppj.exec:\9pppj.exe105⤵PID:1072
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe106⤵PID:1532
-
\??\c:\tttnhh.exec:\tttnhh.exe107⤵PID:220
-
\??\c:\jvpjd.exec:\jvpjd.exe108⤵PID:772
-
\??\c:\9vdpv.exec:\9vdpv.exe109⤵PID:2588
-
\??\c:\9fxrlfx.exec:\9fxrlfx.exe110⤵PID:4232
-
\??\c:\hbtntt.exec:\hbtntt.exe111⤵PID:4124
-
\??\c:\jjpjd.exec:\jjpjd.exe112⤵PID:1856
-
\??\c:\1ffxxlf.exec:\1ffxxlf.exe113⤵PID:3084
-
\??\c:\bhhbnn.exec:\bhhbnn.exe114⤵PID:388
-
\??\c:\pdvjd.exec:\pdvjd.exe115⤵PID:3088
-
\??\c:\pddpj.exec:\pddpj.exe116⤵PID:2032
-
\??\c:\lffxrlf.exec:\lffxrlf.exe117⤵PID:4536
-
\??\c:\9bttnt.exec:\9bttnt.exe118⤵PID:2796
-
\??\c:\dddpv.exec:\dddpv.exe119⤵PID:1016
-
\??\c:\lrrlxrf.exec:\lrrlxrf.exe120⤵PID:2152
-
\??\c:\9ttnnn.exec:\9ttnnn.exe121⤵PID:1920
-
\??\c:\jdvjv.exec:\jdvjv.exe122⤵PID:1404