Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-12-2024 01:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03N.exe
-
Size
453KB
-
MD5
ce508bfd001b2ddc018c3bd0edaa4d20
-
SHA1
f63cd4b198e924ab8a96ffa1af17ea75dfc70ef0
-
SHA256
cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03
-
SHA512
a9eac797636efa78a7e5afb3cd9587823f0ddcd17b7a8a2d499a45705c9cd7ad8ea9744abb9a101c0e00fc0a6b34d4706c7fd4660376ad70e6f2d9394c3ab90f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2764-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3852-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/608-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3160-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-1267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-1452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4632-1636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2404 pjddd.exe 2276 jjppp.exe 3348 7lfxfff.exe 4820 fxllrrf.exe 3368 vvjjj.exe 1116 bbbbtn.exe 1576 pjppj.exe 2364 jvddd.exe 2268 pjpjd.exe 4556 tttnnb.exe 4620 hbnhhb.exe 4320 rlfxrxf.exe 3504 frfrlrr.exe 4516 jdppp.exe 1928 tbbtnn.exe 5104 vpvvp.exe 4052 rxllfll.exe 4436 hbhhhh.exe 2724 lxffflf.exe 2524 hhbtnn.exe 4624 tnnnhb.exe 8 pvdjd.exe 2640 lxlllrr.exe 4044 bnbttt.exe 4800 xxfxfxf.exe 1852 jvdvp.exe 3168 pvjjp.exe 3852 lrxxrrx.exe 2068 jjdvp.exe 772 7pppd.exe 5004 7bhhhh.exe 3952 5jpjd.exe 4484 dpvjd.exe 4120 3rxrlll.exe 1736 hnnhtt.exe 4796 vpjdd.exe 3260 rflllll.exe 3144 5llrxfx.exe 2244 jdpdv.exe 1044 rlrxxfr.exe 4124 bbhhnn.exe 3840 nhhhhh.exe 4476 ddjjj.exe 364 fflxrll.exe 228 nbnttt.exe 2016 jdjjd.exe 3508 xrlrflx.exe 4464 nnnttb.exe 4048 djppv.exe 2764 hhbbhn.exe 2576 hbhbbb.exe 3196 jjvvv.exe 4852 xxrxlrr.exe 1008 bthnbh.exe 608 thnnth.exe 4288 rrxlfll.exe 1052 ttbbtb.exe 1116 bhthbh.exe 2484 dvddv.exe 1396 frrrlll.exe 2364 nhnhbb.exe 2280 pjdvv.exe 4208 9lrlxff.exe 2356 tnhhhn.exe -
resource yara_rule behavioral2/memory/2404-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1852-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/608-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3128-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-803-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
flxxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9hhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2764 wrote to memory of 2404 2764 cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03N.exe 83 PID 2764 wrote to memory of 2404 2764 cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03N.exe 83 PID 2764 wrote to memory of 2404 2764 cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03N.exe 83 PID 2404 wrote to memory of 2276 2404 pjddd.exe 84 PID 2404 wrote to memory of 2276 2404 pjddd.exe 84 PID 2404 wrote to memory of 2276 2404 pjddd.exe 84 PID 2276 wrote to memory of 3348 2276 jjppp.exe 85 PID 2276 wrote to memory of 3348 2276 jjppp.exe 85 PID 2276 wrote to memory of 3348 2276 jjppp.exe 85 PID 3348 wrote to memory of 4820 3348 7lfxfff.exe 86 PID 3348 wrote to memory of 4820 3348 7lfxfff.exe 86 PID 3348 wrote to memory of 4820 3348 7lfxfff.exe 86 PID 4820 wrote to memory of 3368 4820 fxllrrf.exe 87 PID 4820 wrote to memory of 3368 4820 fxllrrf.exe 87 PID 4820 wrote to memory of 3368 4820 fxllrrf.exe 87 PID 3368 wrote to memory of 1116 3368 vvjjj.exe 88 PID 3368 wrote to memory of 1116 3368 vvjjj.exe 88 PID 3368 wrote to memory of 1116 3368 vvjjj.exe 88 PID 1116 wrote to memory of 1576 1116 bbbbtn.exe 89 PID 1116 wrote to memory of 1576 1116 bbbbtn.exe 89 PID 1116 wrote to memory of 1576 1116 bbbbtn.exe 89 PID 1576 wrote to memory of 2364 1576 pjppj.exe 90 PID 1576 wrote to memory of 2364 1576 pjppj.exe 90 PID 1576 wrote to memory of 2364 1576 pjppj.exe 90 PID 2364 wrote to memory of 2268 2364 jvddd.exe 91 PID 2364 wrote to memory of 2268 2364 jvddd.exe 91 PID 2364 wrote to memory of 2268 2364 jvddd.exe 91 PID 2268 wrote to memory of 4556 2268 pjpjd.exe 92 PID 2268 wrote to memory of 4556 2268 pjpjd.exe 92 PID 2268 wrote to memory of 4556 2268 pjpjd.exe 92 PID 4556 wrote to memory of 4620 4556 tttnnb.exe 93 PID 4556 wrote to memory of 4620 4556 tttnnb.exe 93 PID 4556 wrote to memory of 4620 4556 tttnnb.exe 93 PID 4620 wrote to memory of 4320 4620 hbnhhb.exe 94 PID 4620 wrote to memory of 
4320 4620 hbnhhb.exe 94 PID 4620 wrote to memory of 4320 4620 hbnhhb.exe 94 PID 4320 wrote to memory of 3504 4320 rlfxrxf.exe 95 PID 4320 wrote to memory of 3504 4320 rlfxrxf.exe 95 PID 4320 wrote to memory of 3504 4320 rlfxrxf.exe 95 PID 3504 wrote to memory of 4516 3504 frfrlrr.exe 96 PID 3504 wrote to memory of 4516 3504 frfrlrr.exe 96 PID 3504 wrote to memory of 4516 3504 frfrlrr.exe 96 PID 4516 wrote to memory of 1928 4516 jdppp.exe 97 PID 4516 wrote to memory of 1928 4516 jdppp.exe 97 PID 4516 wrote to memory of 1928 4516 jdppp.exe 97 PID 1928 wrote to memory of 5104 1928 tbbtnn.exe 98 PID 1928 wrote to memory of 5104 1928 tbbtnn.exe 98 PID 1928 wrote to memory of 5104 1928 tbbtnn.exe 98 PID 5104 wrote to memory of 4052 5104 vpvvp.exe 99 PID 5104 wrote to memory of 4052 5104 vpvvp.exe 99 PID 5104 wrote to memory of 4052 5104 vpvvp.exe 99 PID 4052 wrote to memory of 4436 4052 rxllfll.exe 100 PID 4052 wrote to memory of 4436 4052 rxllfll.exe 100 PID 4052 wrote to memory of 4436 4052 rxllfll.exe 100 PID 4436 wrote to memory of 2724 4436 hbhhhh.exe 101 PID 4436 wrote to memory of 2724 4436 hbhhhh.exe 101 PID 4436 wrote to memory of 2724 4436 hbhhhh.exe 101 PID 2724 wrote to memory of 2524 2724 lxffflf.exe 102 PID 2724 wrote to memory of 2524 2724 lxffflf.exe 102 PID 2724 wrote to memory of 2524 2724 lxffflf.exe 102 PID 2524 wrote to memory of 4624 2524 hhbtnn.exe 103 PID 2524 wrote to memory of 4624 2524 hhbtnn.exe 103 PID 2524 wrote to memory of 4624 2524 hhbtnn.exe 103 PID 4624 wrote to memory of 8 4624 tnnnhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03N.exe"C:\Users\Admin\AppData\Local\Temp\cd80ed8aa170da06981d5007e3ebf3f22820bf610b32d8bc0e78cda4aa0d3e03N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\pjddd.exec:\pjddd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\jjppp.exec:\jjppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\7lfxfff.exec:\7lfxfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\fxllrrf.exec:\fxllrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\vvjjj.exec:\vvjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\bbbbtn.exec:\bbbbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\pjppj.exec:\pjppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\jvddd.exec:\jvddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\pjpjd.exec:\pjpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\tttnnb.exec:\tttnnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\hbnhhb.exec:\hbnhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\rlfxrxf.exec:\rlfxrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\frfrlrr.exec:\frfrlrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\jdppp.exec:\jdppp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\tbbtnn.exec:\tbbtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\vpvvp.exec:\vpvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\rxllfll.exec:\rxllfll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\hbhhhh.exec:\hbhhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\lxffflf.exec:\lxffflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\hhbtnn.exec:\hhbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\tnnnhb.exec:\tnnnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\pvdjd.exec:\pvdjd.exe23⤵
- Executes dropped EXE
PID:8 -
\??\c:\lxlllrr.exec:\lxlllrr.exe24⤵
- Executes dropped EXE
PID:2640 -
\??\c:\bnbttt.exec:\bnbttt.exe25⤵
- Executes dropped EXE
PID:4044 -
\??\c:\xxfxfxf.exec:\xxfxfxf.exe26⤵
- Executes dropped EXE
PID:4800 -
\??\c:\jvdvp.exec:\jvdvp.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852 -
\??\c:\pvjjp.exec:\pvjjp.exe28⤵
- Executes dropped EXE
PID:3168 -
\??\c:\lrxxrrx.exec:\lrxxrrx.exe29⤵
- Executes dropped EXE
PID:3852 -
\??\c:\jjdvp.exec:\jjdvp.exe30⤵
- Executes dropped EXE
PID:2068 -
\??\c:\7pppd.exec:\7pppd.exe31⤵
- Executes dropped EXE
PID:772 -
\??\c:\7bhhhh.exec:\7bhhhh.exe32⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5jpjd.exec:\5jpjd.exe33⤵
- Executes dropped EXE
PID:3952 -
\??\c:\dpvjd.exec:\dpvjd.exe34⤵
- Executes dropped EXE
PID:4484 -
\??\c:\3rxrlll.exec:\3rxrlll.exe35⤵
- Executes dropped EXE
PID:4120 -
\??\c:\hnnhtt.exec:\hnnhtt.exe36⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vpjdd.exec:\vpjdd.exe37⤵
- Executes dropped EXE
PID:4796 -
\??\c:\rflllll.exec:\rflllll.exe38⤵
- Executes dropped EXE
PID:3260 -
\??\c:\5llrxfx.exec:\5llrxfx.exe39⤵
- Executes dropped EXE
PID:3144 -
\??\c:\jdpdv.exec:\jdpdv.exe40⤵
- Executes dropped EXE
PID:2244 -
\??\c:\rlrxxfr.exec:\rlrxxfr.exe41⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bbhhnn.exec:\bbhhnn.exe42⤵
- Executes dropped EXE
PID:4124 -
\??\c:\nhhhhh.exec:\nhhhhh.exe43⤵
- Executes dropped EXE
PID:3840 -
\??\c:\ddjjj.exec:\ddjjj.exe44⤵
- Executes dropped EXE
PID:4476 -
\??\c:\fflxrll.exec:\fflxrll.exe45⤵
- Executes dropped EXE
PID:364 -
\??\c:\nbnttt.exec:\nbnttt.exe46⤵
- Executes dropped EXE
PID:228 -
\??\c:\jdjjd.exec:\jdjjd.exe47⤵
- Executes dropped EXE
PID:2016 -
\??\c:\xrlrflx.exec:\xrlrflx.exe48⤵
- Executes dropped EXE
PID:3508 -
\??\c:\nnnttb.exec:\nnnttb.exe49⤵
- Executes dropped EXE
PID:4464 -
\??\c:\djppv.exec:\djppv.exe50⤵
- Executes dropped EXE
PID:4048 -
\??\c:\hhbbhn.exec:\hhbbhn.exe51⤵
- Executes dropped EXE
PID:2764 -
\??\c:\hbhbbb.exec:\hbhbbb.exe52⤵
- Executes dropped EXE
PID:2576 -
\??\c:\jjvvv.exec:\jjvvv.exe53⤵
- Executes dropped EXE
PID:3196 -
\??\c:\xxrxlrr.exec:\xxrxlrr.exe54⤵
- Executes dropped EXE
PID:4852 -
\??\c:\bthnbh.exec:\bthnbh.exe55⤵
- Executes dropped EXE
PID:1008 -
\??\c:\thnnth.exec:\thnnth.exe56⤵
- Executes dropped EXE
PID:608 -
\??\c:\rrxlfll.exec:\rrxlfll.exe57⤵
- Executes dropped EXE
PID:4288 -
\??\c:\ttbbtb.exec:\ttbbtb.exe58⤵
- Executes dropped EXE
PID:1052 -
\??\c:\bhthbh.exec:\bhthbh.exe59⤵
- Executes dropped EXE
PID:1116 -
\??\c:\dvddv.exec:\dvddv.exe60⤵
- Executes dropped EXE
PID:2484 -
\??\c:\frrrlll.exec:\frrrlll.exe61⤵
- Executes dropped EXE
PID:1396 -
\??\c:\nhnhbb.exec:\nhnhbb.exe62⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pjdvv.exec:\pjdvv.exe63⤵
- Executes dropped EXE
PID:2280 -
\??\c:\9lrlxff.exec:\9lrlxff.exe64⤵
- Executes dropped EXE
PID:4208 -
\??\c:\tnhhhn.exec:\tnhhhn.exe65⤵
- Executes dropped EXE
PID:2356 -
\??\c:\vdpdp.exec:\vdpdp.exe66⤵PID:2804
-
\??\c:\pjdvv.exec:\pjdvv.exe67⤵PID:4976
-
\??\c:\3xxxllr.exec:\3xxxllr.exe68⤵PID:4536
-
\??\c:\7tbhht.exec:\7tbhht.exe69⤵PID:2516
-
\??\c:\jvpjd.exec:\jvpjd.exe70⤵PID:1664
-
\??\c:\ttbhhb.exec:\ttbhhb.exe71⤵PID:2488
-
\??\c:\bhbnnn.exec:\bhbnnn.exe72⤵PID:2852
-
\??\c:\jvjjp.exec:\jvjjp.exe73⤵PID:2492
-
\??\c:\9rxxrrl.exec:\9rxxrrl.exe74⤵PID:4816
-
\??\c:\nnhtbb.exec:\nnhtbb.exe75⤵PID:4436
-
\??\c:\ntnnbh.exec:\ntnnbh.exe76⤵PID:2020
-
\??\c:\jppvp.exec:\jppvp.exe77⤵PID:4696
-
\??\c:\9rxxrrr.exec:\9rxxrrr.exe78⤵PID:4840
-
\??\c:\bhtbhh.exec:\bhtbhh.exe79⤵PID:3640
-
\??\c:\jdddv.exec:\jdddv.exe80⤵PID:3160
-
\??\c:\9rlllll.exec:\9rlllll.exe81⤵PID:4108
-
\??\c:\tbnhhb.exec:\tbnhhb.exe82⤵PID:3440
-
\??\c:\hnhbnh.exec:\hnhbnh.exe83⤵PID:3128
-
\??\c:\ppdjj.exec:\ppdjj.exe84⤵PID:760
-
\??\c:\9xlfxll.exec:\9xlfxll.exe85⤵PID:740
-
\??\c:\hbttnn.exec:\hbttnn.exe86⤵PID:216
-
\??\c:\ddpjj.exec:\ddpjj.exe87⤵PID:3060
-
\??\c:\3xrxflr.exec:\3xrxflr.exe88⤵PID:2044
-
\??\c:\1ttttb.exec:\1ttttb.exe89⤵PID:3852
-
\??\c:\pvdvd.exec:\pvdvd.exe90⤵PID:1444
-
\??\c:\jjpjj.exec:\jjpjj.exe91⤵PID:2460
-
\??\c:\rfxxrrr.exec:\rfxxrrr.exe92⤵PID:2208
-
\??\c:\9tnnnn.exec:\9tnnnn.exe93⤵PID:5004
-
\??\c:\pjvpv.exec:\pjvpv.exe94⤵PID:4488
-
\??\c:\5fxxrrr.exec:\5fxxrrr.exe95⤵PID:3520
-
\??\c:\bhnbtb.exec:\bhnbtb.exe96⤵PID:4544
-
\??\c:\vpvpp.exec:\vpvpp.exe97⤵PID:1288
-
\??\c:\frfxrlr.exec:\frfxrlr.exe98⤵PID:3872
-
\??\c:\bhnnhh.exec:\bhnnhh.exe99⤵PID:4172
-
\??\c:\jpvpp.exec:\jpvpp.exe100⤵PID:3956
-
\??\c:\lflllrr.exec:\lflllrr.exe101⤵PID:2140
-
\??\c:\7nnnhh.exec:\7nnnhh.exe102⤵PID:652
-
\??\c:\5jjdv.exec:\5jjdv.exe103⤵PID:4524
-
\??\c:\7xllrxx.exec:\7xllrxx.exe104⤵PID:4692
-
\??\c:\llxxxff.exec:\llxxxff.exe105⤵PID:1568
-
\??\c:\thbnnn.exec:\thbnnn.exe106⤵PID:2092
-
\??\c:\vpppp.exec:\vpppp.exe107⤵PID:3792
-
\??\c:\rlflrff.exec:\rlflrff.exe108⤵PID:2016
-
\??\c:\nnntnn.exec:\nnntnn.exe109⤵PID:4468
-
\??\c:\1hhntt.exec:\1hhntt.exe110⤵PID:4464
-
\??\c:\1pjjd.exec:\1pjjd.exe111⤵PID:2740
-
\??\c:\rfxfflr.exec:\rfxfflr.exe112⤵PID:2764
-
\??\c:\7hnnht.exec:\7hnnht.exe113⤵PID:3036
-
\??\c:\vvdjj.exec:\vvdjj.exe114⤵PID:720
-
\??\c:\xrlrxxx.exec:\xrlrxxx.exe115⤵PID:4852
-
\??\c:\3btbbh.exec:\3btbbh.exe116⤵PID:1008
-
\??\c:\hhntnn.exec:\hhntnn.exe117⤵PID:4188
-
\??\c:\jdppp.exec:\jdppp.exe118⤵PID:4388
-
\??\c:\hhtnhb.exec:\hhtnhb.exe119⤵PID:4848
-
\??\c:\ttbbbb.exec:\ttbbbb.exe120⤵PID:1364
-
\??\c:\jdddv.exec:\jdddv.exe121⤵PID:4520
-
\??\c:\rrffxxl.exec:\rrffxxl.exe122⤵PID:3724