Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 20:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe
-
Size
453KB
-
MD5
56323addaaeb8269821b75e373f2bb90
-
SHA1
1b94c54762a065dcf8415dc37cf8f4aec847e886
-
SHA256
cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7fae
-
SHA512
9367ab394fb39fb79b2ba882e5f4b7fd4f321aa870c0dc6afa1a9ceb5fa5ffa09b69e6d63199836379db380f514cc422facddaee966518256a1afedef8489c32
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3352-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1536-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/372-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-1151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4888-1706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2464 jppdp.exe 4476 rffxxrr.exe 1640 7hbnhb.exe 4560 xlxlxlx.exe 2740 3hbtnh.exe 3840 1vvvp.exe 3468 xrrlfxf.exe 1836 nntnht.exe 1048 5rfrrll.exe 1448 bhhhhh.exe 3428 dvjdv.exe 5056 tnnhbb.exe 1728 vvpdv.exe 1536 xxfrfxl.exe 1556 7tbnbh.exe 2052 xrxfrlx.exe 4508 1nnbbt.exe 1576 dvjdj.exe 2924 jddvd.exe 5024 fffxlrl.exe 4784 9nbnbt.exe 4672 dpdjd.exe 4488 fllxrlx.exe 452 vjjvj.exe 2704 7frfrxf.exe 552 rxfxxfl.exe 1896 pdvjj.exe 2356 vjpjj.exe 3408 nhtbtt.exe 4656 vjvpj.exe 4076 3xrrfxr.exe 1132 nhtbbn.exe 2612 5bbnnh.exe 116 pvvjd.exe 2460 lrxrllf.exe 2820 bnhnbt.exe 2216 dppjv.exe 4160 9xrfxlf.exe 2188 bnhnnt.exe 3184 tnthnb.exe 4960 pjpjj.exe 4648 btbthb.exe 4480 1flfxxr.exe 1256 bnnnhb.exe 1352 jdjvj.exe 516 lfxrlxr.exe 644 9xrlxxr.exe 3404 7rlrfxr.exe 4888 7ddvj.exe 1020 rfxrfrf.exe 1072 xffrfxl.exe 2804 jvdvp.exe 1608 vvddp.exe 1560 5fxlfxl.exe 3808 7llxrrr.exe 4628 nntbbn.exe 1048 ffrfxlx.exe 2468 lffrfxl.exe 404 5bhbnb.exe 3552 5ddvp.exe 2884 xxxrxrx.exe 464 tnthnh.exe 3204 jpdvp.exe 836 3xlllrr.exe -
resource yara_rule behavioral2/memory/3352-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-94-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1536-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4856-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-625-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3352 wrote to memory of 2464 3352 cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe 82 PID 3352 wrote to memory of 2464 3352 cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe 82 PID 3352 wrote to memory of 2464 3352 cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe 82 PID 2464 wrote to memory of 4476 2464 jppdp.exe 83 PID 2464 wrote to memory of 4476 2464 jppdp.exe 83 PID 2464 wrote to memory of 4476 2464 jppdp.exe 83 PID 4476 wrote to memory of 1640 4476 rffxxrr.exe 84 PID 4476 wrote to memory of 1640 4476 rffxxrr.exe 84 PID 4476 wrote to memory of 1640 4476 rffxxrr.exe 84 PID 1640 wrote to memory of 4560 1640 7hbnhb.exe 85 PID 1640 wrote to memory of 4560 1640 7hbnhb.exe 85 PID 1640 wrote to memory of 4560 1640 7hbnhb.exe 85 PID 4560 wrote to memory of 2740 4560 xlxlxlx.exe 86 PID 4560 wrote to memory of 2740 4560 xlxlxlx.exe 86 PID 4560 wrote to memory of 2740 4560 xlxlxlx.exe 86 PID 2740 wrote to memory of 3840 2740 3hbtnh.exe 87 PID 2740 wrote to memory of 3840 2740 3hbtnh.exe 87 PID 2740 wrote to memory of 3840 2740 3hbtnh.exe 87 PID 3840 wrote to memory of 3468 3840 1vvvp.exe 88 PID 3840 wrote to memory of 3468 3840 1vvvp.exe 88 PID 3840 wrote to memory of 3468 3840 1vvvp.exe 88 PID 3468 wrote to memory of 1836 3468 xrrlfxf.exe 89 PID 3468 wrote to memory of 1836 3468 xrrlfxf.exe 89 PID 3468 wrote to memory of 1836 3468 xrrlfxf.exe 89 PID 1836 wrote to memory of 1048 1836 nntnht.exe 90 PID 1836 wrote to memory of 1048 1836 nntnht.exe 90 PID 1836 wrote to memory of 1048 1836 nntnht.exe 90 PID 1048 wrote to memory of 1448 1048 5rfrrll.exe 91 PID 1048 wrote to memory of 1448 1048 5rfrrll.exe 91 PID 1048 wrote to memory of 1448 1048 5rfrrll.exe 91 PID 1448 wrote to memory of 3428 1448 bhhhhh.exe 92 PID 1448 wrote to memory of 3428 1448 bhhhhh.exe 92 PID 1448 wrote to memory of 3428 1448 bhhhhh.exe 92 PID 3428 wrote to memory of 5056 3428 dvjdv.exe 93 PID 3428 
wrote to memory of 5056 3428 dvjdv.exe 93 PID 3428 wrote to memory of 5056 3428 dvjdv.exe 93 PID 5056 wrote to memory of 1728 5056 tnnhbb.exe 94 PID 5056 wrote to memory of 1728 5056 tnnhbb.exe 94 PID 5056 wrote to memory of 1728 5056 tnnhbb.exe 94 PID 1728 wrote to memory of 1536 1728 vvpdv.exe 95 PID 1728 wrote to memory of 1536 1728 vvpdv.exe 95 PID 1728 wrote to memory of 1536 1728 vvpdv.exe 95 PID 1536 wrote to memory of 1556 1536 xxfrfxl.exe 96 PID 1536 wrote to memory of 1556 1536 xxfrfxl.exe 96 PID 1536 wrote to memory of 1556 1536 xxfrfxl.exe 96 PID 1556 wrote to memory of 2052 1556 7tbnbh.exe 97 PID 1556 wrote to memory of 2052 1556 7tbnbh.exe 97 PID 1556 wrote to memory of 2052 1556 7tbnbh.exe 97 PID 2052 wrote to memory of 4508 2052 xrxfrlx.exe 98 PID 2052 wrote to memory of 4508 2052 xrxfrlx.exe 98 PID 2052 wrote to memory of 4508 2052 xrxfrlx.exe 98 PID 4508 wrote to memory of 1576 4508 1nnbbt.exe 99 PID 4508 wrote to memory of 1576 4508 1nnbbt.exe 99 PID 4508 wrote to memory of 1576 4508 1nnbbt.exe 99 PID 1576 wrote to memory of 2924 1576 dvjdj.exe 100 PID 1576 wrote to memory of 2924 1576 dvjdj.exe 100 PID 1576 wrote to memory of 2924 1576 dvjdj.exe 100 PID 2924 wrote to memory of 5024 2924 jddvd.exe 101 PID 2924 wrote to memory of 5024 2924 jddvd.exe 101 PID 2924 wrote to memory of 5024 2924 jddvd.exe 101 PID 5024 wrote to memory of 4784 5024 fffxlrl.exe 102 PID 5024 wrote to memory of 4784 5024 fffxlrl.exe 102 PID 5024 wrote to memory of 4784 5024 fffxlrl.exe 102 PID 4784 wrote to memory of 4672 4784 9nbnbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe"C:\Users\Admin\AppData\Local\Temp\cabadb97edb48e5fc4094fc82793ddd8b7c13e5575fd073fcc8c0d3fb3ae7faeN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\jppdp.exec:\jppdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\rffxxrr.exec:\rffxxrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\7hbnhb.exec:\7hbnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\xlxlxlx.exec:\xlxlxlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\3hbtnh.exec:\3hbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\1vvvp.exec:\1vvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\xrrlfxf.exec:\xrrlfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\nntnht.exec:\nntnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\5rfrrll.exec:\5rfrrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\bhhhhh.exec:\bhhhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\dvjdv.exec:\dvjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\tnnhbb.exec:\tnnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\vvpdv.exec:\vvpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\xxfrfxl.exec:\xxfrfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\7tbnbh.exec:\7tbnbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\xrxfrlx.exec:\xrxfrlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\1nnbbt.exec:\1nnbbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\dvjdj.exec:\dvjdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\jddvd.exec:\jddvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\fffxlrl.exec:\fffxlrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\9nbnbt.exec:\9nbnbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\dpdjd.exec:\dpdjd.exe23⤵
- Executes dropped EXE
PID:4672 -
\??\c:\fllxrlx.exec:\fllxrlx.exe24⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vjjvj.exec:\vjjvj.exe25⤵
- Executes dropped EXE
PID:452 -
\??\c:\7frfrxf.exec:\7frfrxf.exe26⤵
- Executes dropped EXE
PID:2704 -
\??\c:\rxfxxfl.exec:\rxfxxfl.exe27⤵
- Executes dropped EXE
PID:552 -
\??\c:\pdvjj.exec:\pdvjj.exe28⤵
- Executes dropped EXE
PID:1896 -
\??\c:\vjpjj.exec:\vjpjj.exe29⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nhtbtt.exec:\nhtbtt.exe30⤵
- Executes dropped EXE
PID:3408 -
\??\c:\vjvpj.exec:\vjvpj.exe31⤵
- Executes dropped EXE
PID:4656 -
\??\c:\3xrrfxr.exec:\3xrrfxr.exe32⤵
- Executes dropped EXE
PID:4076 -
\??\c:\nhtbbn.exec:\nhtbbn.exe33⤵
- Executes dropped EXE
PID:1132 -
\??\c:\5bbnnh.exec:\5bbnnh.exe34⤵
- Executes dropped EXE
PID:2612 -
\??\c:\pvvjd.exec:\pvvjd.exe35⤵
- Executes dropped EXE
PID:116 -
\??\c:\lrxrllf.exec:\lrxrllf.exe36⤵
- Executes dropped EXE
PID:2460 -
\??\c:\bnhnbt.exec:\bnhnbt.exe37⤵
- Executes dropped EXE
PID:2820 -
\??\c:\dppjv.exec:\dppjv.exe38⤵
- Executes dropped EXE
PID:2216 -
\??\c:\9xrfxlf.exec:\9xrfxlf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4160 -
\??\c:\bnhnnt.exec:\bnhnnt.exe40⤵
- Executes dropped EXE
PID:2188 -
\??\c:\tnthnb.exec:\tnthnb.exe41⤵
- Executes dropped EXE
PID:3184 -
\??\c:\pjpjj.exec:\pjpjj.exe42⤵
- Executes dropped EXE
PID:4960 -
\??\c:\btbthb.exec:\btbthb.exe43⤵
- Executes dropped EXE
PID:4648 -
\??\c:\1flfxxr.exec:\1flfxxr.exe44⤵
- Executes dropped EXE
PID:4480 -
\??\c:\bnnnhb.exec:\bnnnhb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1256 -
\??\c:\jdjvj.exec:\jdjvj.exe46⤵
- Executes dropped EXE
PID:1352 -
\??\c:\lfxrlxr.exec:\lfxrlxr.exe47⤵
- Executes dropped EXE
PID:516 -
\??\c:\9xrlxxr.exec:\9xrlxxr.exe48⤵
- Executes dropped EXE
PID:644 -
\??\c:\7rlrfxr.exec:\7rlrfxr.exe49⤵
- Executes dropped EXE
PID:3404 -
\??\c:\7ddvj.exec:\7ddvj.exe50⤵
- Executes dropped EXE
PID:4888 -
\??\c:\rfxrfrf.exec:\rfxrfrf.exe51⤵
- Executes dropped EXE
PID:1020 -
\??\c:\xffrfxl.exec:\xffrfxl.exe52⤵
- Executes dropped EXE
PID:1072 -
\??\c:\jvdvp.exec:\jvdvp.exe53⤵
- Executes dropped EXE
PID:2804 -
\??\c:\vvddp.exec:\vvddp.exe54⤵
- Executes dropped EXE
PID:1608 -
\??\c:\5fxlfxl.exec:\5fxlfxl.exe55⤵
- Executes dropped EXE
PID:1560 -
\??\c:\7llxrrr.exec:\7llxrrr.exe56⤵
- Executes dropped EXE
PID:3808 -
\??\c:\nntbbn.exec:\nntbbn.exe57⤵
- Executes dropped EXE
PID:4628 -
\??\c:\ffrfxlx.exec:\ffrfxlx.exe58⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lffrfxl.exec:\lffrfxl.exe59⤵
- Executes dropped EXE
PID:2468 -
\??\c:\5bhbnb.exec:\5bhbnb.exe60⤵
- Executes dropped EXE
PID:404 -
\??\c:\5ddvp.exec:\5ddvp.exe61⤵
- Executes dropped EXE
PID:3552 -
\??\c:\xxxrxrx.exec:\xxxrxrx.exe62⤵
- Executes dropped EXE
PID:2884 -
\??\c:\tnthnh.exec:\tnthnh.exe63⤵
- Executes dropped EXE
PID:464 -
\??\c:\jpdvp.exec:\jpdvp.exe64⤵
- Executes dropped EXE
PID:3204 -
\??\c:\3xlllrr.exec:\3xlllrr.exe65⤵
- Executes dropped EXE
PID:836 -
\??\c:\tnhhtt.exec:\tnhhtt.exe66⤵PID:3012
-
\??\c:\5nnhbn.exec:\5nnhbn.exe67⤵PID:4776
-
\??\c:\vjpjp.exec:\vjpjp.exe68⤵PID:4880
-
\??\c:\7rrfrlx.exec:\7rrfrlx.exe69⤵PID:4972
-
\??\c:\nbnbbt.exec:\nbnbbt.exe70⤵
- System Location Discovery: System Language Discovery
PID:2368 -
\??\c:\jdjvj.exec:\jdjvj.exe71⤵PID:2420
-
\??\c:\jvdvj.exec:\jvdvj.exe72⤵PID:2924
-
\??\c:\xrrrflx.exec:\xrrrflx.exe73⤵PID:5024
-
\??\c:\nbbttt.exec:\nbbttt.exe74⤵PID:4784
-
\??\c:\thhttn.exec:\thhttn.exe75⤵PID:3936
-
\??\c:\9vjjp.exec:\9vjjp.exe76⤵PID:1400
-
\??\c:\7llfrrf.exec:\7llfrrf.exe77⤵PID:1616
-
\??\c:\thtnnb.exec:\thtnnb.exe78⤵PID:4608
-
\??\c:\dvdpd.exec:\dvdpd.exe79⤵PID:1636
-
\??\c:\xllfrlx.exec:\xllfrlx.exe80⤵PID:1160
-
\??\c:\frfxrrl.exec:\frfxrrl.exe81⤵PID:432
-
\??\c:\hnhthh.exec:\hnhthh.exe82⤵PID:2840
-
\??\c:\pjvdd.exec:\pjvdd.exe83⤵PID:372
-
\??\c:\7lfxffr.exec:\7lfxffr.exe84⤵PID:2536
-
\??\c:\xfrlfxr.exec:\xfrlfxr.exe85⤵PID:3620
-
\??\c:\9hhnnt.exec:\9hhnnt.exe86⤵PID:3700
-
\??\c:\1jdpp.exec:\1jdpp.exe87⤵PID:4408
-
\??\c:\jdjdp.exec:\jdjdp.exe88⤵PID:1332
-
\??\c:\5flxrrl.exec:\5flxrrl.exe89⤵PID:3812
-
\??\c:\bhnnbt.exec:\bhnnbt.exe90⤵PID:3716
-
\??\c:\jdjjd.exec:\jdjjd.exe91⤵PID:2688
-
\??\c:\frlrfrf.exec:\frlrfrf.exe92⤵PID:1824
-
\??\c:\5bbbtt.exec:\5bbbtt.exe93⤵PID:4884
-
\??\c:\jpjpp.exec:\jpjpp.exe94⤵PID:1132
-
\??\c:\pvvjv.exec:\pvvjv.exe95⤵PID:4856
-
\??\c:\frlxrlx.exec:\frlxrlx.exe96⤵PID:3500
-
\??\c:\bnbhnb.exec:\bnbhnb.exe97⤵PID:4976
-
\??\c:\dppjv.exec:\dppjv.exe98⤵PID:3656
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe99⤵PID:3596
-
\??\c:\nbhtth.exec:\nbhtth.exe100⤵PID:2592
-
\??\c:\vpvpp.exec:\vpvpp.exe101⤵PID:4964
-
\??\c:\xllxrlx.exec:\xllxrlx.exe102⤵PID:4280
-
\??\c:\3rxrrrl.exec:\3rxrrrl.exe103⤵PID:3744
-
\??\c:\nhnbtn.exec:\nhnbtn.exe104⤵PID:2016
-
\??\c:\pjpjj.exec:\pjpjj.exe105⤵PID:4960
-
\??\c:\5ddvp.exec:\5ddvp.exe106⤵PID:4384
-
\??\c:\5flllll.exec:\5flllll.exe107⤵PID:2816
-
\??\c:\1tbtnn.exec:\1tbtnn.exe108⤵PID:3352
-
\??\c:\dppjp.exec:\dppjp.exe109⤵PID:4376
-
\??\c:\fflfffx.exec:\fflfffx.exe110⤵PID:3864
-
\??\c:\7ffxxrl.exec:\7ffxxrl.exe111⤵PID:4136
-
\??\c:\ppvpj.exec:\ppvpj.exe112⤵PID:4180
-
\??\c:\9xrfrrf.exec:\9xrfrrf.exe113⤵PID:1572
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe114⤵PID:3996
-
\??\c:\bnhbnh.exec:\bnhbnh.exe115⤵PID:656
-
\??\c:\pvddv.exec:\pvddv.exe116⤵PID:3240
-
\??\c:\xrfffff.exec:\xrfffff.exe117⤵PID:3432
-
\??\c:\1xrlxrl.exec:\1xrlxrl.exe118⤵PID:3468
-
\??\c:\jddvp.exec:\jddvp.exe119⤵
- System Location Discovery: System Language Discovery
PID:3412 -
\??\c:\rrxllfx.exec:\rrxllfx.exe120⤵PID:2664
-
\??\c:\rxxrfrl.exec:\rxxrfrl.exe121⤵PID:4444
-
\??\c:\thhbbb.exec:\thhbbb.exe122⤵PID:4820