Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2024, 19:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480.exe
-
Size
456KB
-
MD5
58bd07b7e29e7df66a44acc8e3fc0578
-
SHA1
550997c935ab7bd6dc41619be911e74899ef6f24
-
SHA256
0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480
-
SHA512
3edd0bd4655c4a605c6e2b5a983507c66882dd714d2943a00701fb9ebbfe0a97695ca5a20d48b8d10a0b0e4a9da68f4b216fe5774b3538f1220ccb5fef518a03
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2568-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2212-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/948-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-1241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5052-1408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2500 jdpdj.exe 4220 3llrflx.exe 3584 bhhbbh.exe 3236 jjjdv.exe 4704 1pddv.exe 3804 7lrlllx.exe 2544 tttnnn.exe 3572 3pvpv.exe 2356 jjjpd.exe 3608 7llxlll.exe 1096 nnbtnn.exe 1708 htbhtt.exe 5076 7djdj.exe 1912 3tnbtt.exe 2384 nhhbhh.exe 3184 7fxlxlx.exe 4408 pvjpp.exe 4912 xxlfrxx.exe 3524 fllllfr.exe 1980 vddpj.exe 952 ffrxfrf.exe 2820 nttbth.exe 1468 xrfrlxl.exe 3056 7xxlfxl.exe 668 hbtnbb.exe 900 vddpd.exe 2160 ppvjv.exe 2212 7ffrlfl.exe 2064 vvpdp.exe 2136 pvpvv.exe 2952 lrrfxrf.exe 3268 rrfrlfx.exe 3816 5ntnnb.exe 4596 dpdvd.exe 1820 lxfrrxl.exe 2908 1jpdp.exe 4844 jpdpd.exe 3528 3rlxxrl.exe 1040 nnhtht.exe 4724 tntntn.exe 2648 fffxlfx.exe 3176 1bthtn.exe 5028 vjppv.exe 4436 xllxfxr.exe 744 nttbbt.exe 3144 hththb.exe 3360 1jdpv.exe 2920 vvjjv.exe 2860 lfxllff.exe 2188 tbhbnh.exe 4348 bththb.exe 2208 jvdvv.exe 2740 rfxlxlf.exe 2152 tnnthb.exe 3316 bnthbh.exe 2312 pdjvp.exe 2104 fllfllx.exe 3740 bnnbnh.exe 3804 9pjvj.exe 4696 1ppdp.exe 4292 rfxrfxr.exe 3784 hnbnbt.exe 4132 9jdpv.exe 1580 1xxlrlf.exe -
resource yara_rule behavioral2/memory/2568-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2064-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1128-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-781-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbtb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tththb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2568 wrote to memory of 2500 2568 0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480.exe 82 PID 2568 wrote to memory of 2500 2568 0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480.exe 82 PID 2568 wrote to memory of 2500 2568 0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480.exe 82 PID 2500 wrote to memory of 4220 2500 jdpdj.exe 83 PID 2500 wrote to memory of 4220 2500 jdpdj.exe 83 PID 2500 wrote to memory of 4220 2500 jdpdj.exe 83 PID 4220 wrote to memory of 3584 4220 3llrflx.exe 84 PID 4220 wrote to memory of 3584 4220 3llrflx.exe 84 PID 4220 wrote to memory of 3584 4220 3llrflx.exe 84 PID 3584 wrote to memory of 3236 3584 bhhbbh.exe 85 PID 3584 wrote to memory of 3236 3584 bhhbbh.exe 85 PID 3584 wrote to memory of 3236 3584 bhhbbh.exe 85 PID 3236 wrote to memory of 4704 3236 jjjdv.exe 86 PID 3236 wrote to memory of 4704 3236 jjjdv.exe 86 PID 3236 wrote to memory of 4704 3236 jjjdv.exe 86 PID 4704 wrote to memory of 3804 4704 1pddv.exe 87 PID 4704 wrote to memory of 3804 4704 1pddv.exe 87 PID 4704 wrote to memory of 3804 4704 1pddv.exe 87 PID 3804 wrote to memory of 2544 3804 7lrlllx.exe 88 PID 3804 wrote to memory of 2544 3804 7lrlllx.exe 88 PID 3804 wrote to memory of 2544 3804 7lrlllx.exe 88 PID 2544 wrote to memory of 3572 2544 tttnnn.exe 89 PID 2544 wrote to memory of 3572 2544 tttnnn.exe 89 PID 2544 wrote to memory of 3572 2544 tttnnn.exe 89 PID 3572 wrote to memory of 2356 3572 3pvpv.exe 90 PID 3572 wrote to memory of 2356 3572 3pvpv.exe 90 PID 3572 wrote to memory of 2356 3572 3pvpv.exe 90 PID 2356 wrote to memory of 3608 2356 jjjpd.exe 91 PID 2356 wrote to memory of 3608 2356 jjjpd.exe 91 PID 2356 wrote to memory of 3608 2356 jjjpd.exe 91 PID 3608 wrote to memory of 1096 3608 7llxlll.exe 92 PID 3608 wrote to memory of 1096 3608 7llxlll.exe 92 PID 3608 wrote to memory of 1096 3608 7llxlll.exe 92 PID 1096 wrote to memory of 1708 1096 nnbtnn.exe 93 PID 1096 wrote to memory 
of 1708 1096 nnbtnn.exe 93 PID 1096 wrote to memory of 1708 1096 nnbtnn.exe 93 PID 1708 wrote to memory of 5076 1708 htbhtt.exe 94 PID 1708 wrote to memory of 5076 1708 htbhtt.exe 94 PID 1708 wrote to memory of 5076 1708 htbhtt.exe 94 PID 5076 wrote to memory of 1912 5076 7djdj.exe 95 PID 5076 wrote to memory of 1912 5076 7djdj.exe 95 PID 5076 wrote to memory of 1912 5076 7djdj.exe 95 PID 1912 wrote to memory of 2384 1912 3tnbtt.exe 96 PID 1912 wrote to memory of 2384 1912 3tnbtt.exe 96 PID 1912 wrote to memory of 2384 1912 3tnbtt.exe 96 PID 2384 wrote to memory of 3184 2384 nhhbhh.exe 97 PID 2384 wrote to memory of 3184 2384 nhhbhh.exe 97 PID 2384 wrote to memory of 3184 2384 nhhbhh.exe 97 PID 3184 wrote to memory of 4408 3184 7fxlxlx.exe 98 PID 3184 wrote to memory of 4408 3184 7fxlxlx.exe 98 PID 3184 wrote to memory of 4408 3184 7fxlxlx.exe 98 PID 4408 wrote to memory of 4912 4408 pvjpp.exe 99 PID 4408 wrote to memory of 4912 4408 pvjpp.exe 99 PID 4408 wrote to memory of 4912 4408 pvjpp.exe 99 PID 4912 wrote to memory of 3524 4912 xxlfrxx.exe 100 PID 4912 wrote to memory of 3524 4912 xxlfrxx.exe 100 PID 4912 wrote to memory of 3524 4912 xxlfrxx.exe 100 PID 3524 wrote to memory of 1980 3524 fllllfr.exe 101 PID 3524 wrote to memory of 1980 3524 fllllfr.exe 101 PID 3524 wrote to memory of 1980 3524 fllllfr.exe 101 PID 1980 wrote to memory of 952 1980 vddpj.exe 102 PID 1980 wrote to memory of 952 1980 vddpj.exe 102 PID 1980 wrote to memory of 952 1980 vddpj.exe 102 PID 952 wrote to memory of 2820 952 ffrxfrf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480.exe"C:\Users\Admin\AppData\Local\Temp\0d3ba9e1ad7322fb3a56366fb050f6f4c388b756a54885273b81b449f4910480.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\jdpdj.exec:\jdpdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\3llrflx.exec:\3llrflx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\bhhbbh.exec:\bhhbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\jjjdv.exec:\jjjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\1pddv.exec:\1pddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\7lrlllx.exec:\7lrlllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\tttnnn.exec:\tttnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\3pvpv.exec:\3pvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\jjjpd.exec:\jjjpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\7llxlll.exec:\7llxlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\nnbtnn.exec:\nnbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\htbhtt.exec:\htbhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\7djdj.exec:\7djdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\3tnbtt.exec:\3tnbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\nhhbhh.exec:\nhhbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\7fxlxlx.exec:\7fxlxlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\pvjpp.exec:\pvjpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\xxlfrxx.exec:\xxlfrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\fllllfr.exec:\fllllfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\vddpj.exec:\vddpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\ffrxfrf.exec:\ffrxfrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\nttbth.exec:\nttbth.exe23⤵
- Executes dropped EXE
PID:2820 -
\??\c:\xrfrlxl.exec:\xrfrlxl.exe24⤵
- Executes dropped EXE
PID:1468 -
\??\c:\7xxlfxl.exec:\7xxlfxl.exe25⤵
- Executes dropped EXE
PID:3056 -
\??\c:\hbtnbb.exec:\hbtnbb.exe26⤵
- Executes dropped EXE
PID:668 -
\??\c:\vddpd.exec:\vddpd.exe27⤵
- Executes dropped EXE
PID:900 -
\??\c:\ppvjv.exec:\ppvjv.exe28⤵
- Executes dropped EXE
PID:2160 -
\??\c:\7ffrlfl.exec:\7ffrlfl.exe29⤵
- Executes dropped EXE
PID:2212 -
\??\c:\vvpdp.exec:\vvpdp.exe30⤵
- Executes dropped EXE
PID:2064 -
\??\c:\pvpvv.exec:\pvpvv.exe31⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lrrfxrf.exec:\lrrfxrf.exe32⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rrfrlfx.exec:\rrfrlfx.exe33⤵
- Executes dropped EXE
PID:3268 -
\??\c:\5ntnnb.exec:\5ntnnb.exe34⤵
- Executes dropped EXE
PID:3816 -
\??\c:\dpdvd.exec:\dpdvd.exe35⤵
- Executes dropped EXE
PID:4596 -
\??\c:\lxfrrxl.exec:\lxfrrxl.exe36⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1jpdp.exec:\1jpdp.exe37⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jpdpd.exec:\jpdpd.exe38⤵
- Executes dropped EXE
PID:4844 -
\??\c:\3rlxxrl.exec:\3rlxxrl.exe39⤵
- Executes dropped EXE
PID:3528 -
\??\c:\nnhtht.exec:\nnhtht.exe40⤵
- Executes dropped EXE
PID:1040 -
\??\c:\tntntn.exec:\tntntn.exe41⤵
- Executes dropped EXE
PID:4724 -
\??\c:\fffxlfx.exec:\fffxlfx.exe42⤵
- Executes dropped EXE
PID:2648 -
\??\c:\1bthtn.exec:\1bthtn.exe43⤵
- Executes dropped EXE
PID:3176 -
\??\c:\vjppv.exec:\vjppv.exe44⤵
- Executes dropped EXE
PID:5028 -
\??\c:\xllxfxr.exec:\xllxfxr.exe45⤵
- Executes dropped EXE
PID:4436 -
\??\c:\nttbbt.exec:\nttbbt.exe46⤵
- Executes dropped EXE
PID:744 -
\??\c:\hththb.exec:\hththb.exe47⤵
- Executes dropped EXE
PID:3144 -
\??\c:\1jdpv.exec:\1jdpv.exe48⤵
- Executes dropped EXE
PID:3360 -
\??\c:\vvjjv.exec:\vvjjv.exe49⤵
- Executes dropped EXE
PID:2920 -
\??\c:\lfxllff.exec:\lfxllff.exe50⤵
- Executes dropped EXE
PID:2860 -
\??\c:\tbhbnh.exec:\tbhbnh.exe51⤵
- Executes dropped EXE
PID:2188 -
\??\c:\bththb.exec:\bththb.exe52⤵
- Executes dropped EXE
PID:4348 -
\??\c:\jvdvv.exec:\jvdvv.exe53⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rfxlxlf.exec:\rfxlxlf.exe54⤵
- Executes dropped EXE
PID:2740 -
\??\c:\tnnthb.exec:\tnnthb.exe55⤵
- Executes dropped EXE
PID:2152 -
\??\c:\bnthbh.exec:\bnthbh.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3316 -
\??\c:\pdjvp.exec:\pdjvp.exe57⤵
- Executes dropped EXE
PID:2312 -
\??\c:\fllfllx.exec:\fllfllx.exe58⤵
- Executes dropped EXE
PID:2104 -
\??\c:\bnnbnh.exec:\bnnbnh.exe59⤵
- Executes dropped EXE
PID:3740 -
\??\c:\9pjvj.exec:\9pjvj.exe60⤵
- Executes dropped EXE
PID:3804 -
\??\c:\1ppdp.exec:\1ppdp.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4696 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe62⤵
- Executes dropped EXE
PID:4292 -
\??\c:\hnbnbt.exec:\hnbnbt.exe63⤵
- Executes dropped EXE
PID:3784 -
\??\c:\9jdpv.exec:\9jdpv.exe64⤵
- Executes dropped EXE
PID:4132 -
\??\c:\1xxlrlf.exec:\1xxlrlf.exe65⤵
- Executes dropped EXE
PID:1580 -
\??\c:\bnhbnh.exec:\bnhbnh.exe66⤵PID:1148
-
\??\c:\1jjvj.exec:\1jjvj.exe67⤵PID:4460
-
\??\c:\rxxlxll.exec:\rxxlxll.exe68⤵PID:2196
-
\??\c:\hnttbn.exec:\hnttbn.exe69⤵PID:5072
-
\??\c:\btnbnh.exec:\btnbnh.exe70⤵PID:3408
-
\??\c:\vpvjv.exec:\vpvjv.exe71⤵PID:1788
-
\??\c:\rlfrxll.exec:\rlfrxll.exe72⤵PID:3256
-
\??\c:\7hbhtn.exec:\7hbhtn.exe73⤵PID:4288
-
\??\c:\5ttntt.exec:\5ttntt.exe74⤵PID:948
-
\??\c:\1pdvj.exec:\1pdvj.exe75⤵PID:3644
-
\??\c:\rfxxfrf.exec:\rfxxfrf.exe76⤵PID:4076
-
\??\c:\rfrfrlr.exec:\rfrfrlr.exe77⤵PID:4308
-
\??\c:\htthbt.exec:\htthbt.exe78⤵PID:4912
-
\??\c:\dvdjv.exec:\dvdjv.exe79⤵PID:1032
-
\??\c:\3lfrxrf.exec:\3lfrxrf.exe80⤵PID:1216
-
\??\c:\hbtnbt.exec:\hbtnbt.exe81⤵PID:1932
-
\??\c:\dpvjj.exec:\dpvjj.exe82⤵PID:3792
-
\??\c:\pvvdv.exec:\pvvdv.exe83⤵PID:1128
-
\??\c:\bhhthb.exec:\bhhthb.exe84⤵PID:1672
-
\??\c:\hnnbhb.exec:\hnnbhb.exe85⤵PID:1476
-
\??\c:\jppvj.exec:\jppvj.exe86⤵PID:1964
-
\??\c:\rlrxrfx.exec:\rlrxrfx.exe87⤵PID:1400
-
\??\c:\3bhnbn.exec:\3bhnbn.exe88⤵PID:1004
-
\??\c:\thhbnh.exec:\thhbnh.exe89⤵PID:2220
-
\??\c:\9jdvj.exec:\9jdvj.exe90⤵PID:2160
-
\??\c:\frxlfxx.exec:\frxlfxx.exe91⤵PID:4468
-
\??\c:\xlxrxrl.exec:\xlxrxrl.exe92⤵PID:856
-
\??\c:\5hhthb.exec:\5hhthb.exe93⤵PID:4144
-
\??\c:\7dvpd.exec:\7dvpd.exe94⤵PID:4760
-
\??\c:\xrfrfrl.exec:\xrfrfrl.exe95⤵PID:2672
-
\??\c:\flllxfr.exec:\flllxfr.exe96⤵PID:2456
-
\??\c:\bbbnbn.exec:\bbbnbn.exe97⤵PID:1220
-
\??\c:\vddvj.exec:\vddvj.exe98⤵PID:4412
-
\??\c:\3rrfrlx.exec:\3rrfrlx.exe99⤵PID:4920
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe100⤵PID:2332
-
\??\c:\ttnhbn.exec:\ttnhbn.exe101⤵PID:2796
-
\??\c:\9dvjp.exec:\9dvjp.exe102⤵PID:3116
-
\??\c:\pdvjp.exec:\pdvjp.exe103⤵PID:4320
-
\??\c:\lxfrxrf.exec:\lxfrxrf.exe104⤵PID:1088
-
\??\c:\9nhbnh.exec:\9nhbnh.exe105⤵PID:324
-
\??\c:\dvpvj.exec:\dvpvj.exe106⤵PID:1716
-
\??\c:\fflxlfx.exec:\fflxlfx.exe107⤵PID:5068
-
\??\c:\1nhbnh.exec:\1nhbnh.exe108⤵PID:3952
-
\??\c:\thhbnn.exec:\thhbnn.exe109⤵PID:420
-
\??\c:\vjvjv.exec:\vjvjv.exe110⤵PID:3532
-
\??\c:\5xxxlfr.exec:\5xxxlfr.exe111⤵PID:4680
-
\??\c:\7tnbnh.exec:\7tnbnh.exe112⤵PID:2644
-
\??\c:\7bbtnn.exec:\7bbtnn.exe113⤵PID:3212
-
\??\c:\5vpdp.exec:\5vpdp.exe114⤵PID:3312
-
\??\c:\9xxxlfr.exec:\9xxxlfr.exe115⤵PID:4328
-
\??\c:\bntnbb.exec:\bntnbb.exe116⤵PID:2100
-
\??\c:\ttnbth.exec:\ttnbth.exe117⤵PID:4780
-
\??\c:\9vpdp.exec:\9vpdp.exe118⤵PID:3464
-
\??\c:\rxrrfxl.exec:\rxrrfxl.exe119⤵PID:320
-
\??\c:\bnnhtb.exec:\bnnhtb.exe120⤵PID:2764
-
\??\c:\3bhnth.exec:\3bhnth.exe121⤵PID:3584
-
\??\c:\jppjv.exec:\jppjv.exe122⤵PID:2224