Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:54
Behavioral task
behavioral1
Sample
ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7N.exe
-
Size
334KB
-
MD5
b48dd837641aea91a4fa55810cd93f10
-
SHA1
fcb6ef2aae7577c2981db4940a7f210a52ef5098
-
SHA256
ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7
-
SHA512
0440c775bfd220944c934f278aff31ba1f132f5b24cd1ddc2d89e24eb34fb7037509f18af31f0af5856138d235bf5fb5bc7f700674eb49a06d22d721c0efdb74
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRB:R4wFHoSHYHUrAwfMp3CDRB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3680-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/100-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2388-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2152-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1464-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3448-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4752-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4380-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3868-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4228-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3776-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/612-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4920-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-487-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3408-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4012-702-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2508-777-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-794-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-845-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-1003-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3236-1094-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 100 nhnnnb.exe 1840 xflffff.exe 5008 tthbhn.exe 2388 vdppj.exe 2712 lfxxrxr.exe 4548 llffllr.exe 4600 hhtnnn.exe 3840 9llfxxr.exe 3344 thtnnh.exe 2152 vvpvp.exe 1512 jddjd.exe 2436 jpdjp.exe 5096 xxlfxxl.exe 3064 1pvpj.exe 5040 lxxxrrf.exe 2372 bthbhh.exe 2704 3vvvp.exe 2516 bhnnhn.exe 3236 rrlffrr.exe 2376 httttt.exe 2424 jdjdv.exe 4040 btnnnn.exe 1464 fxlxxrf.exe 924 9rllfll.exe 4424 tnbbbb.exe 2828 dpdvv.exe 3448 xlrrlll.exe 392 thnntt.exe 1952 fxfxxxx.exe 2444 htnntt.exe 4696 jvjdv.exe 2720 1nnhbt.exe 116 9lrlrrx.exe 3700 9tttnn.exe 4752 pjjdd.exe 4364 fxrlrlr.exe 4984 hhhnhh.exe 3556 pvvvp.exe 4760 lxffxxx.exe 4940 tntntn.exe 1684 1ddvj.exe 2652 djjdv.exe 4248 rlxrrrl.exe 4380 5nhbtt.exe 3420 hthtnn.exe 3228 vjvpp.exe 4716 xxrrrll.exe 3704 hthbtt.exe 4580 hhbhbt.exe 4796 vjppj.exe 432 lfflfrr.exe 2072 rlrllll.exe 4528 tnbtht.exe 1216 pppdd.exe 4516 3jvpv.exe 1008 3rffxll.exe 1228 9tbnnn.exe 5036 ppdjv.exe 3620 lllrlfl.exe 4960 3ttnhh.exe 100 vppjj.exe 4340 dpvpp.exe 3112 xfrllll.exe 4256 9bbttt.exe -
resource yara_rule behavioral2/memory/3680-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cad-3.dat upx behavioral2/memory/3680-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/100-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-9.dat upx behavioral2/memory/1840-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-11.dat upx behavioral2/memory/5008-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-19.dat upx behavioral2/memory/2388-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-25.dat upx behavioral2/memory/2712-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-30.dat upx behavioral2/files/0x0007000000023cb6-33.dat upx behavioral2/memory/4548-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-38.dat upx behavioral2/memory/4600-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-44.dat upx behavioral2/memory/3344-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-49.dat upx behavioral2/memory/2152-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-53.dat upx behavioral2/files/0x0007000000023cbb-57.dat upx behavioral2/memory/2436-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1512-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5096-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-64.dat upx behavioral2/files/0x0007000000023cbe-68.dat upx behavioral2/files/0x0007000000023cbf-73.dat upx behavioral2/files/0x0008000000023cae-78.dat upx behavioral2/files/0x0007000000023cc0-82.dat upx 
behavioral2/memory/2372-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5040-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-86.dat upx behavioral2/memory/2704-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2516-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-92.dat upx behavioral2/memory/3236-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-97.dat upx behavioral2/files/0x0007000000023cc4-101.dat upx behavioral2/files/0x0007000000023cc5-106.dat upx behavioral2/memory/2424-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4040-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-111.dat upx behavioral2/memory/1464-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-115.dat upx behavioral2/files/0x0007000000023cc8-120.dat upx behavioral2/files/0x0007000000023cc9-124.dat upx behavioral2/memory/2828-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-128.dat upx behavioral2/files/0x0007000000023ccb-134.dat upx behavioral2/memory/3448-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/392-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-139.dat upx behavioral2/files/0x0007000000023ccd-143.dat upx behavioral2/files/0x0007000000023cce-147.dat upx behavioral2/files/0x0007000000023ccf-152.dat upx behavioral2/memory/4696-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/116-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3700-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4752-164-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4364-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4984-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3556-173-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3680 wrote to memory of 100 3680 ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7N.exe 82 PID 3680 wrote to memory of 100 3680 ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7N.exe 82 PID 3680 wrote to memory of 100 3680 ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7N.exe 82 PID 100 wrote to memory of 1840 100 nhnnnb.exe 83 PID 100 wrote to memory of 1840 100 nhnnnb.exe 83 PID 100 wrote to memory of 1840 100 nhnnnb.exe 83 PID 1840 wrote to memory of 5008 1840 xflffff.exe 84 PID 1840 wrote to memory of 5008 1840 xflffff.exe 84 PID 1840 wrote to memory of 5008 1840 xflffff.exe 84 PID 5008 wrote to memory of 2388 5008 tthbhn.exe 85 PID 5008 wrote to memory of 2388 5008 tthbhn.exe 85 PID 5008 wrote to memory of 2388 5008 tthbhn.exe 85 PID 2388 wrote to memory of 2712 2388 vdppj.exe 86 PID 2388 wrote to memory of 2712 2388 vdppj.exe 86 PID 2388 wrote to memory of 2712 2388 vdppj.exe 86 PID 2712 wrote to memory of 4548 2712 lfxxrxr.exe 87 PID 2712 wrote to memory of 4548 2712 lfxxrxr.exe 87 PID 2712 wrote to memory of 4548 2712 lfxxrxr.exe 87 PID 4548 wrote to memory of 4600 4548 llffllr.exe 88 PID 4548 wrote to memory of 4600 4548 llffllr.exe 88 PID 4548 wrote to memory of 4600 4548 llffllr.exe 88 PID 4600 wrote to memory of 3840 4600 hhtnnn.exe 89 PID 4600 wrote to memory of 3840 4600 hhtnnn.exe 89 PID 4600 wrote to memory of 3840 4600 hhtnnn.exe 89 PID 3840 wrote to memory of 3344 3840 9llfxxr.exe 90 PID 3840 wrote to memory of 3344 3840 9llfxxr.exe 90 PID 3840 wrote to memory of 3344 3840 9llfxxr.exe 90 PID 3344 wrote to memory of 2152 3344 thtnnh.exe 91 PID 3344 wrote to memory of 2152 3344 thtnnh.exe 91 PID 3344 wrote to memory of 2152 3344 thtnnh.exe 91 PID 2152 wrote to memory of 1512 2152 vvpvp.exe 92 PID 2152 wrote to memory of 1512 2152 vvpvp.exe 92 PID 2152 wrote to memory of 1512 2152 vvpvp.exe 92 PID 1512 wrote to memory of 2436 1512 jddjd.exe 93 PID 1512 wrote to 
memory of 2436 1512 jddjd.exe 93 PID 1512 wrote to memory of 2436 1512 jddjd.exe 93 PID 2436 wrote to memory of 5096 2436 jpdjp.exe 94 PID 2436 wrote to memory of 5096 2436 jpdjp.exe 94 PID 2436 wrote to memory of 5096 2436 jpdjp.exe 94 PID 5096 wrote to memory of 3064 5096 xxlfxxl.exe 95 PID 5096 wrote to memory of 3064 5096 xxlfxxl.exe 95 PID 5096 wrote to memory of 3064 5096 xxlfxxl.exe 95 PID 3064 wrote to memory of 5040 3064 1pvpj.exe 96 PID 3064 wrote to memory of 5040 3064 1pvpj.exe 96 PID 3064 wrote to memory of 5040 3064 1pvpj.exe 96 PID 5040 wrote to memory of 2372 5040 lxxxrrf.exe 97 PID 5040 wrote to memory of 2372 5040 lxxxrrf.exe 97 PID 5040 wrote to memory of 2372 5040 lxxxrrf.exe 97 PID 2372 wrote to memory of 2704 2372 bthbhh.exe 98 PID 2372 wrote to memory of 2704 2372 bthbhh.exe 98 PID 2372 wrote to memory of 2704 2372 bthbhh.exe 98 PID 2704 wrote to memory of 2516 2704 3vvvp.exe 99 PID 2704 wrote to memory of 2516 2704 3vvvp.exe 99 PID 2704 wrote to memory of 2516 2704 3vvvp.exe 99 PID 2516 wrote to memory of 3236 2516 bhnnhn.exe 100 PID 2516 wrote to memory of 3236 2516 bhnnhn.exe 100 PID 2516 wrote to memory of 3236 2516 bhnnhn.exe 100 PID 3236 wrote to memory of 2376 3236 rrlffrr.exe 101 PID 3236 wrote to memory of 2376 3236 rrlffrr.exe 101 PID 3236 wrote to memory of 2376 3236 rrlffrr.exe 101 PID 2376 wrote to memory of 2424 2376 httttt.exe 102 PID 2376 wrote to memory of 2424 2376 httttt.exe 102 PID 2376 wrote to memory of 2424 2376 httttt.exe 102 PID 2424 wrote to memory of 4040 2424 jdjdv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7N.exe"C:\Users\Admin\AppData\Local\Temp\ab4ecf8acd4d392dcf8ad638e6edc436d320dddd512f29ce1ef2993fcd8e6ad7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\nhnnnb.exec:\nhnnnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\xflffff.exec:\xflffff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\tthbhn.exec:\tthbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\vdppj.exec:\vdppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\llffllr.exec:\llffllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\hhtnnn.exec:\hhtnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\9llfxxr.exec:\9llfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\thtnnh.exec:\thtnnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\vvpvp.exec:\vvpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\jddjd.exec:\jddjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\jpdjp.exec:\jpdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\xxlfxxl.exec:\xxlfxxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\1pvpj.exec:\1pvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\lxxxrrf.exec:\lxxxrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\bthbhh.exec:\bthbhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\3vvvp.exec:\3vvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\bhnnhn.exec:\bhnnhn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\rrlffrr.exec:\rrlffrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\httttt.exec:\httttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\jdjdv.exec:\jdjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\btnnnn.exec:\btnnnn.exe23⤵
- Executes dropped EXE
PID:4040 -
\??\c:\fxlxxrf.exec:\fxlxxrf.exe24⤵
- Executes dropped EXE
PID:1464 -
\??\c:\9rllfll.exec:\9rllfll.exe25⤵
- Executes dropped EXE
PID:924 -
\??\c:\tnbbbb.exec:\tnbbbb.exe26⤵
- Executes dropped EXE
PID:4424 -
\??\c:\dpdvv.exec:\dpdvv.exe27⤵
- Executes dropped EXE
PID:2828 -
\??\c:\xlrrlll.exec:\xlrrlll.exe28⤵
- Executes dropped EXE
PID:3448 -
\??\c:\thnntt.exec:\thnntt.exe29⤵
- Executes dropped EXE
PID:392 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe30⤵
- Executes dropped EXE
PID:1952 -
\??\c:\htnntt.exec:\htnntt.exe31⤵
- Executes dropped EXE
PID:2444 -
\??\c:\jvjdv.exec:\jvjdv.exe32⤵
- Executes dropped EXE
PID:4696 -
\??\c:\1nnhbt.exec:\1nnhbt.exe33⤵
- Executes dropped EXE
PID:2720 -
\??\c:\9lrlrrx.exec:\9lrlrrx.exe34⤵
- Executes dropped EXE
PID:116 -
\??\c:\9tttnn.exec:\9tttnn.exe35⤵
- Executes dropped EXE
PID:3700 -
\??\c:\pjjdd.exec:\pjjdd.exe36⤵
- Executes dropped EXE
PID:4752 -
\??\c:\fxrlrlr.exec:\fxrlrlr.exe37⤵
- Executes dropped EXE
PID:4364 -
\??\c:\hhhnhh.exec:\hhhnhh.exe38⤵
- Executes dropped EXE
PID:4984 -
\??\c:\pvvvp.exec:\pvvvp.exe39⤵
- Executes dropped EXE
PID:3556 -
\??\c:\lxffxxx.exec:\lxffxxx.exe40⤵
- Executes dropped EXE
PID:4760 -
\??\c:\tntntn.exec:\tntntn.exe41⤵
- Executes dropped EXE
PID:4940 -
\??\c:\1ddvj.exec:\1ddvj.exe42⤵
- Executes dropped EXE
PID:1684 -
\??\c:\djjdv.exec:\djjdv.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rlxrrrl.exec:\rlxrrrl.exe44⤵
- Executes dropped EXE
PID:4248 -
\??\c:\5nhbtt.exec:\5nhbtt.exe45⤵
- Executes dropped EXE
PID:4380 -
\??\c:\hthtnn.exec:\hthtnn.exe46⤵
- Executes dropped EXE
PID:3420 -
\??\c:\vjvpp.exec:\vjvpp.exe47⤵
- Executes dropped EXE
PID:3228 -
\??\c:\xxrrrll.exec:\xxrrrll.exe48⤵
- Executes dropped EXE
PID:4716 -
\??\c:\hthbtt.exec:\hthbtt.exe49⤵
- Executes dropped EXE
PID:3704 -
\??\c:\hhbhbt.exec:\hhbhbt.exe50⤵
- Executes dropped EXE
PID:4580 -
\??\c:\vjppj.exec:\vjppj.exe51⤵
- Executes dropped EXE
PID:4796 -
\??\c:\lfflfrr.exec:\lfflfrr.exe52⤵
- Executes dropped EXE
PID:432 -
\??\c:\rlrllll.exec:\rlrllll.exe53⤵
- Executes dropped EXE
PID:2072 -
\??\c:\tnbtht.exec:\tnbtht.exe54⤵
- Executes dropped EXE
PID:4528 -
\??\c:\pppdd.exec:\pppdd.exe55⤵
- Executes dropped EXE
PID:1216 -
\??\c:\3jvpv.exec:\3jvpv.exe56⤵
- Executes dropped EXE
PID:4516 -
\??\c:\3rffxll.exec:\3rffxll.exe57⤵
- Executes dropped EXE
PID:1008 -
\??\c:\9tbnnn.exec:\9tbnnn.exe58⤵
- Executes dropped EXE
PID:1228 -
\??\c:\ppdjv.exec:\ppdjv.exe59⤵
- Executes dropped EXE
PID:5036 -
\??\c:\rllfxxx.exec:\rllfxxx.exe60⤵PID:4436
-
\??\c:\lllrlfl.exec:\lllrlfl.exe61⤵
- Executes dropped EXE
PID:3620 -
\??\c:\3ttnhh.exec:\3ttnhh.exe62⤵
- Executes dropped EXE
PID:4960 -
\??\c:\vppjj.exec:\vppjj.exe63⤵
- Executes dropped EXE
PID:100 -
\??\c:\dpvpp.exec:\dpvpp.exe64⤵
- Executes dropped EXE
PID:4340 -
\??\c:\xfrllll.exec:\xfrllll.exe65⤵
- Executes dropped EXE
PID:3112 -
\??\c:\9bbttt.exec:\9bbttt.exe66⤵
- Executes dropped EXE
PID:4256 -
\??\c:\vddpp.exec:\vddpp.exe67⤵PID:3868
-
\??\c:\lfxrllf.exec:\lfxrllf.exe68⤵PID:1876
-
\??\c:\rlrxrrx.exec:\rlrxrrx.exe69⤵
- System Location Discovery: System Language Discovery
PID:3424 -
\??\c:\thtnnn.exec:\thtnnn.exe70⤵PID:4928
-
\??\c:\7bbbnn.exec:\7bbbnn.exe71⤵PID:4548
-
\??\c:\7jpjd.exec:\7jpjd.exe72⤵PID:4872
-
\??\c:\lxlrxxx.exec:\lxlrxxx.exe73⤵PID:1792
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe74⤵PID:4944
-
\??\c:\hbhhbn.exec:\hbhhbn.exe75⤵
- System Location Discovery: System Language Discovery
PID:3244 -
\??\c:\ddddv.exec:\ddddv.exe76⤵PID:2484
-
\??\c:\3rfxrrl.exec:\3rfxrrl.exe77⤵PID:1936
-
\??\c:\rrxfllr.exec:\rrxfllr.exe78⤵PID:1512
-
\??\c:\pdjvp.exec:\pdjvp.exe79⤵PID:4228
-
\??\c:\rxxllfx.exec:\rxxllfx.exe80⤵PID:3144
-
\??\c:\hbbtnn.exec:\hbbtnn.exe81⤵PID:5096
-
\??\c:\jpvjd.exec:\jpvjd.exe82⤵PID:3140
-
\??\c:\fxfffrl.exec:\fxfffrl.exe83⤵PID:3584
-
\??\c:\lxxxxxr.exec:\lxxxxxr.exe84⤵PID:3776
-
\??\c:\ttnnth.exec:\ttnnth.exe85⤵PID:2696
-
\??\c:\jdjpp.exec:\jdjpp.exe86⤵PID:3220
-
\??\c:\5lllrxx.exec:\5lllrxx.exe87⤵PID:3108
-
\??\c:\nnbtbb.exec:\nnbtbb.exe88⤵
- System Location Discovery: System Language Discovery
PID:1964 -
\??\c:\bhtnhh.exec:\bhtnhh.exe89⤵PID:4052
-
\??\c:\jpvjv.exec:\jpvjv.exe90⤵PID:4768
-
\??\c:\1rxxllf.exec:\1rxxllf.exe91⤵PID:1348
-
\??\c:\thtnht.exec:\thtnht.exe92⤵PID:4108
-
\??\c:\httnhb.exec:\httnhb.exe93⤵PID:2424
-
\??\c:\dpppd.exec:\dpppd.exe94⤵PID:4040
-
\??\c:\frxrllf.exec:\frxrllf.exe95⤵PID:4276
-
\??\c:\9rrlffx.exec:\9rrlffx.exe96⤵PID:3708
-
\??\c:\tnbhbb.exec:\tnbhbb.exe97⤵PID:3964
-
\??\c:\3jpdv.exec:\3jpdv.exe98⤵PID:1748
-
\??\c:\7rlfffx.exec:\7rlfffx.exe99⤵PID:1616
-
\??\c:\7lfxxxr.exec:\7lfxxxr.exe100⤵PID:2828
-
\??\c:\hbbbbn.exec:\hbbbbn.exe101⤵PID:2296
-
\??\c:\vpdpp.exec:\vpdpp.exe102⤵PID:3772
-
\??\c:\pppjd.exec:\pppjd.exe103⤵PID:2556
-
\??\c:\rrxrflx.exec:\rrxrflx.exe104⤵PID:1952
-
\??\c:\9hhbtt.exec:\9hhbtt.exe105⤵PID:1352
-
\??\c:\3pvvv.exec:\3pvvv.exe106⤵PID:4776
-
\??\c:\xfffflf.exec:\xfffflf.exe107⤵PID:4824
-
\??\c:\flxrrff.exec:\flxrrff.exe108⤵PID:744
-
\??\c:\tthbhh.exec:\tthbhh.exe109⤵PID:4480
-
\??\c:\ddvjp.exec:\ddvjp.exe110⤵PID:4820
-
\??\c:\jppjd.exec:\jppjd.exe111⤵PID:2780
-
\??\c:\lllrrll.exec:\lllrrll.exe112⤵PID:1012
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe113⤵PID:1232
-
\??\c:\vppjd.exec:\vppjd.exe114⤵PID:2204
-
\??\c:\jpvpj.exec:\jpvpj.exe115⤵PID:4896
-
\??\c:\rxrrrlf.exec:\rxrrrlf.exe116⤵PID:400
-
\??\c:\rflxfff.exec:\rflxfff.exe117⤵PID:4336
-
\??\c:\thbbtn.exec:\thbbtn.exe118⤵PID:2236
-
\??\c:\dpddj.exec:\dpddj.exe119⤵PID:2400
-
\??\c:\lffxllx.exec:\lffxllx.exe120⤵PID:1788
-
\??\c:\frlfxxx.exec:\frlfxxx.exe121⤵PID:1080
-
\??\c:\hbhbtn.exec:\hbhbtn.exe122⤵PID:3492