Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
20-01-2025 08:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900.exe
-
Size
455KB
-
MD5
61dce5939c45622c9995ff8a063968dd
-
SHA1
c4e0bb4253ea8ede87d9ffa3bd2583ec8811d48e
-
SHA256
acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900
-
SHA512
ed81ae810e4f00147e705d1a33e06a432fb6352d1ec3431a99faef6213879d04b1d933f9a2fd2d35ff04aff7d474d30b7b6310d27a0c3aaaf4ac3f78f125fb89
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbew:q7Tc2NYHUrAwfMp3CDw
Malware Config
Signatures
-
Blackmoon family — the family attribution rests on the `family_blackmoon` YARA hits on process memory listed below; no configuration was extracted (the Malware Config section above is empty), so there is no C2 or campaign data to pivot on from this report alone.
-
Detect Blackmoon payload 64 IoCs — every hit below is the 0x00400000–0x0042A000 image region of one of the dropped processes, i.e. the main module as it sits in memory after loading; the same regions are also matched by the `upx` YARA rule in the unlabelled list that follows the dropped-EXE list, so expect the rule to fire on memory dumps rather than on the 455 KB packed file on disk (verify with a static scan before relying on it for file-based detection).
resource yara_rule behavioral2/memory/5020-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3492-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/900-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-1005-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-1021-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-1753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1596-1928-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — this list is truncated at 64 entries; the Processes tree below shows the chain continuing to depth 122 within the 150 s run. Each link is written to the volume root with a short name composed of the letters b/d/f/h/j/l/n/p/r/t/v/x, sometimes prefixed with a single odd digit, and then spawns the next link. Note that PIDs are reused within the trace (e.g. 2108 appears for both fffxlll.exe and llrlllf.exe, 3464 for ppjvp.exe and later dvvjv.exe), so correlate on PID plus image name, not PID alone.
pid Process 4056 tnnhnn.exe 3928 1rlllrf.exe 2608 nbhttb.exe 4376 rxfrxrx.exe 1676 vvdjj.exe 2108 fffxlll.exe 3576 hbhbtt.exe 4428 jpddj.exe 1840 djvvv.exe 2372 btbhhb.exe 3464 ppjvp.exe 2064 llffrrr.exe 4112 bntnhh.exe 948 ddjjd.exe 4924 xxxlfxl.exe 4344 nhnbnh.exe 632 1jdpv.exe 4500 hbbtth.exe 4300 1bhnth.exe 5008 jjjdp.exe 408 ttbbtt.exe 2628 nhttnb.exe 2364 xlllflf.exe 2392 pjppj.exe 3076 9flfxxf.exe 5068 vvddv.exe 2708 9rxlllf.exe 3492 hhhnbt.exe 3632 7vpdp.exe 4688 btbtbt.exe 3524 7vjdv.exe 348 3tbtbb.exe 3596 vdvpv.exe 4456 frrfrlr.exe 1668 hhbthb.exe 4148 htthtn.exe 2936 vddvj.exe 976 ffxxrxr.exe 4448 nnhtnb.exe 4732 jjjdp.exe 3652 jpppp.exe 4592 xlxrfxr.exe 3132 htthtn.exe 464 3hhtnh.exe 3264 dvvdp.exe 2672 xrrlfxr.exe 1512 pdjjd.exe 1972 rfxrfxr.exe 4588 5lfrlfx.exe 624 nhhtbt.exe 3160 xllflrl.exe 1680 lflxrll.exe 4972 ttnbhn.exe 4932 pdjdj.exe 2112 lfxrfxl.exe 4840 5hhbtt.exe 4280 ddjjp.exe 916 frxrlfx.exe 2108 llrlllf.exe 3560 nbnbtn.exe 4584 1pvpj.exe 1616 lffrlff.exe 2500 tttnbb.exe 4444 vvjdj.exe -
resource yara_rule behavioral2/memory/5020-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5068-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/228-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-762-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. In this trace the check is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; many entries are attributed to "Process not Found", which presumably means the short-lived dropped process had already exited before the sandbox could attribute the event — confirm against the raw event log before drawing conclusions about which links in the chain perform the check.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each entry pairs a parent with the child it spawns in the Processes tree (5020 → 4056 tnnhnn.exe, 4056 → 3928 1rlllrf.exe, and so on) and is reported three times per pair. That pattern is consistent with the writes a parent performs into a freshly created child rather than injection into an unrelated process, but confirm the target addresses in the raw API log before treating it as benign.
description pid Process procid_target PID 5020 wrote to memory of 4056 5020 acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900.exe 82 PID 5020 wrote to memory of 4056 5020 acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900.exe 82 PID 5020 wrote to memory of 4056 5020 acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900.exe 82 PID 4056 wrote to memory of 3928 4056 tnnhnn.exe 83 PID 4056 wrote to memory of 3928 4056 tnnhnn.exe 83 PID 4056 wrote to memory of 3928 4056 tnnhnn.exe 83 PID 3928 wrote to memory of 2608 3928 1rlllrf.exe 84 PID 3928 wrote to memory of 2608 3928 1rlllrf.exe 84 PID 3928 wrote to memory of 2608 3928 1rlllrf.exe 84 PID 2608 wrote to memory of 4376 2608 nbhttb.exe 85 PID 2608 wrote to memory of 4376 2608 nbhttb.exe 85 PID 2608 wrote to memory of 4376 2608 nbhttb.exe 85 PID 4376 wrote to memory of 1676 4376 rxfrxrx.exe 86 PID 4376 wrote to memory of 1676 4376 rxfrxrx.exe 86 PID 4376 wrote to memory of 1676 4376 rxfrxrx.exe 86 PID 1676 wrote to memory of 2108 1676 vvdjj.exe 87 PID 1676 wrote to memory of 2108 1676 vvdjj.exe 87 PID 1676 wrote to memory of 2108 1676 vvdjj.exe 87 PID 2108 wrote to memory of 3576 2108 fffxlll.exe 88 PID 2108 wrote to memory of 3576 2108 fffxlll.exe 88 PID 2108 wrote to memory of 3576 2108 fffxlll.exe 88 PID 3576 wrote to memory of 4428 3576 hbhbtt.exe 89 PID 3576 wrote to memory of 4428 3576 hbhbtt.exe 89 PID 3576 wrote to memory of 4428 3576 hbhbtt.exe 89 PID 4428 wrote to memory of 1840 4428 jpddj.exe 90 PID 4428 wrote to memory of 1840 4428 jpddj.exe 90 PID 4428 wrote to memory of 1840 4428 jpddj.exe 90 PID 1840 wrote to memory of 2372 1840 djvvv.exe 91 PID 1840 wrote to memory of 2372 1840 djvvv.exe 91 PID 1840 wrote to memory of 2372 1840 djvvv.exe 91 PID 2372 wrote to memory of 3464 2372 btbhhb.exe 92 PID 2372 wrote to memory of 3464 2372 btbhhb.exe 92 PID 2372 wrote to memory of 3464 2372 btbhhb.exe 92 PID 3464 wrote to memory of 2064 3464 ppjvp.exe 93 PID 3464 wrote to 
memory of 2064 3464 ppjvp.exe 93 PID 3464 wrote to memory of 2064 3464 ppjvp.exe 93 PID 2064 wrote to memory of 4112 2064 llffrrr.exe 94 PID 2064 wrote to memory of 4112 2064 llffrrr.exe 94 PID 2064 wrote to memory of 4112 2064 llffrrr.exe 94 PID 4112 wrote to memory of 948 4112 bntnhh.exe 95 PID 4112 wrote to memory of 948 4112 bntnhh.exe 95 PID 4112 wrote to memory of 948 4112 bntnhh.exe 95 PID 948 wrote to memory of 4924 948 ddjjd.exe 96 PID 948 wrote to memory of 4924 948 ddjjd.exe 96 PID 948 wrote to memory of 4924 948 ddjjd.exe 96 PID 4924 wrote to memory of 4344 4924 xxxlfxl.exe 97 PID 4924 wrote to memory of 4344 4924 xxxlfxl.exe 97 PID 4924 wrote to memory of 4344 4924 xxxlfxl.exe 97 PID 4344 wrote to memory of 632 4344 nhnbnh.exe 98 PID 4344 wrote to memory of 632 4344 nhnbnh.exe 98 PID 4344 wrote to memory of 632 4344 nhnbnh.exe 98 PID 632 wrote to memory of 4500 632 1jdpv.exe 99 PID 632 wrote to memory of 4500 632 1jdpv.exe 99 PID 632 wrote to memory of 4500 632 1jdpv.exe 99 PID 4500 wrote to memory of 4300 4500 hbbtth.exe 100 PID 4500 wrote to memory of 4300 4500 hbbtth.exe 100 PID 4500 wrote to memory of 4300 4500 hbbtth.exe 100 PID 4300 wrote to memory of 5008 4300 1bhnth.exe 101 PID 4300 wrote to memory of 5008 4300 1bhnth.exe 101 PID 4300 wrote to memory of 5008 4300 1bhnth.exe 101 PID 5008 wrote to memory of 408 5008 jjjdp.exe 102 PID 5008 wrote to memory of 408 5008 jjjdp.exe 102 PID 5008 wrote to memory of 408 5008 jjjdp.exe 102 PID 408 wrote to memory of 2628 408 ttbbtt.exe 103
Processes — each entry gives the NT image path (`\??\c:\...`), the command line, the depth in the process tree (the number before ⤵), the signatures attributed to that process, and its PID; in the extract below the three fields are run together without separators.
-
C:\Users\Admin\AppData\Local\Temp\acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900.exe "C:\Users\Admin\AppData\Local\Temp\acbea3b6008d38e56c2eb82050c57d9b7109503f66b58696475fa97190270900.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\tnnhnn.exe c:\tnnhnn.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\1rlllrf.exec:\1rlllrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\nbhttb.exec:\nbhttb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\rxfrxrx.exec:\rxfrxrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\vvdjj.exec:\vvdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\fffxlll.exec:\fffxlll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\hbhbtt.exec:\hbhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\jpddj.exec:\jpddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\djvvv.exec:\djvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\btbhhb.exec:\btbhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\ppjvp.exec:\ppjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\llffrrr.exec:\llffrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\bntnhh.exec:\bntnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\ddjjd.exec:\ddjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\xxxlfxl.exec:\xxxlfxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\nhnbnh.exec:\nhnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\1jdpv.exec:\1jdpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\hbbtth.exec:\hbbtth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\1bhnth.exec:\1bhnth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\jjjdp.exec:\jjjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\ttbbtt.exec:\ttbbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\nhttnb.exec:\nhttnb.exe23⤵
- Executes dropped EXE
PID:2628 -
\??\c:\xlllflf.exec:\xlllflf.exe24⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pjppj.exec:\pjppj.exe25⤵
- Executes dropped EXE
PID:2392 -
\??\c:\9flfxxf.exec:\9flfxxf.exe26⤵
- Executes dropped EXE
PID:3076 -
\??\c:\vvddv.exec:\vvddv.exe27⤵
- Executes dropped EXE
PID:5068 -
\??\c:\9rxlllf.exec:\9rxlllf.exe28⤵
- Executes dropped EXE
PID:2708 -
\??\c:\hhhnbt.exec:\hhhnbt.exe29⤵
- Executes dropped EXE
PID:3492 -
\??\c:\7vpdp.exec:\7vpdp.exe30⤵
- Executes dropped EXE
PID:3632 -
\??\c:\btbtbt.exec:\btbtbt.exe31⤵
- Executes dropped EXE
PID:4688 -
\??\c:\7vjdv.exec:\7vjdv.exe32⤵
- Executes dropped EXE
PID:3524 -
\??\c:\3tbtbb.exec:\3tbtbb.exe33⤵
- Executes dropped EXE
PID:348 -
\??\c:\vdvpv.exec:\vdvpv.exe34⤵
- Executes dropped EXE
PID:3596 -
\??\c:\frrfrlr.exec:\frrfrlr.exe35⤵
- Executes dropped EXE
PID:4456 -
\??\c:\hhbthb.exec:\hhbthb.exe36⤵
- Executes dropped EXE
PID:1668 -
\??\c:\htthtn.exec:\htthtn.exe37⤵
- Executes dropped EXE
PID:4148 -
\??\c:\vddvj.exec:\vddvj.exe38⤵
- Executes dropped EXE
PID:2936 -
\??\c:\ffxxrxr.exec:\ffxxrxr.exe39⤵
- Executes dropped EXE
PID:976 -
\??\c:\nnhtnb.exec:\nnhtnb.exe40⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jjjdp.exec:\jjjdp.exe41⤵
- Executes dropped EXE
PID:4732 -
\??\c:\jpppp.exec:\jpppp.exe42⤵
- Executes dropped EXE
PID:3652 -
\??\c:\xlxrfxr.exec:\xlxrfxr.exe43⤵
- Executes dropped EXE
PID:4592 -
\??\c:\htthtn.exec:\htthtn.exe44⤵
- Executes dropped EXE
PID:3132 -
\??\c:\3hhtnh.exec:\3hhtnh.exe45⤵
- Executes dropped EXE
PID:464 -
\??\c:\dvvdp.exec:\dvvdp.exe46⤵
- Executes dropped EXE
PID:3264 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pdjjd.exec:\pdjjd.exe48⤵
- Executes dropped EXE
PID:1512 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe49⤵
- Executes dropped EXE
PID:1972 -
\??\c:\5lfrlfx.exec:\5lfrlfx.exe50⤵
- Executes dropped EXE
PID:4588 -
\??\c:\nhhtbt.exec:\nhhtbt.exe51⤵
- Executes dropped EXE
PID:624 -
\??\c:\jddpd.exec:\jddpd.exe52⤵PID:1636
-
\??\c:\xllflrl.exec:\xllflrl.exe53⤵
- Executes dropped EXE
PID:3160 -
\??\c:\lflxrll.exec:\lflxrll.exe54⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ttnbhn.exec:\ttnbhn.exe55⤵
- Executes dropped EXE
PID:4972 -
\??\c:\pdjdj.exec:\pdjdj.exe56⤵
- Executes dropped EXE
PID:4932 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe57⤵
- Executes dropped EXE
PID:2112 -
\??\c:\5hhbtt.exec:\5hhbtt.exe58⤵
- Executes dropped EXE
PID:4840 -
\??\c:\ddjjp.exec:\ddjjp.exe59⤵
- Executes dropped EXE
PID:4280 -
\??\c:\frxrlfx.exec:\frxrlfx.exe60⤵
- Executes dropped EXE
PID:916 -
\??\c:\llrlllf.exec:\llrlllf.exe61⤵
- Executes dropped EXE
PID:2108 -
\??\c:\nbnbtn.exec:\nbnbtn.exe62⤵
- Executes dropped EXE
PID:3560 -
\??\c:\1pvpj.exec:\1pvpj.exe63⤵
- Executes dropped EXE
PID:4584 -
\??\c:\lffrlff.exec:\lffrlff.exe64⤵
- Executes dropped EXE
PID:1616 -
\??\c:\tttnbb.exec:\tttnbb.exe65⤵
- Executes dropped EXE
PID:2500 -
\??\c:\vvjdj.exec:\vvjdj.exe66⤵
- Executes dropped EXE
PID:4444 -
\??\c:\9rfflfl.exec:\9rfflfl.exe67⤵PID:2260
-
\??\c:\ththbb.exec:\ththbb.exe68⤵
- System Location Discovery: System Language Discovery
PID:3172 -
\??\c:\tbbthh.exec:\tbbthh.exe69⤵PID:3700
-
\??\c:\dvvjv.exec:\dvvjv.exe70⤵PID:3464
-
\??\c:\9llfxfx.exec:\9llfxfx.exe71⤵PID:3656
-
\??\c:\htthtn.exec:\htthtn.exe72⤵PID:900
-
\??\c:\jdjdj.exec:\jdjdj.exe73⤵PID:228
-
\??\c:\llxxrrl.exec:\llxxrrl.exe74⤵PID:4924
-
\??\c:\9nbbtn.exec:\9nbbtn.exe75⤵PID:2184
-
\??\c:\7pvjd.exec:\7pvjd.exe76⤵PID:632
-
\??\c:\5lfxrrl.exec:\5lfxrrl.exe77⤵PID:1776
-
\??\c:\lxlrrrr.exec:\lxlrrrr.exe78⤵PID:4060
-
\??\c:\ddpjv.exec:\ddpjv.exe79⤵PID:4124
-
\??\c:\xxrflfr.exec:\xxrflfr.exe80⤵PID:1244
-
\??\c:\lxxllxl.exec:\lxxllxl.exe81⤵PID:3476
-
\??\c:\3tbnnn.exec:\3tbnnn.exe82⤵PID:1864
-
\??\c:\vpvdv.exec:\vpvdv.exe83⤵PID:1464
-
\??\c:\3fffflf.exec:\3fffflf.exe84⤵PID:2860
-
\??\c:\rlxflll.exec:\rlxflll.exe85⤵PID:428
-
\??\c:\hntnbt.exec:\hntnbt.exe86⤵PID:824
-
\??\c:\hththh.exec:\hththh.exe87⤵PID:3428
-
\??\c:\5jppj.exec:\5jppj.exe88⤵PID:2948
-
\??\c:\lfxrxxr.exec:\lfxrxxr.exe89⤵PID:1124
-
\??\c:\bbbhtt.exec:\bbbhtt.exe90⤵PID:2744
-
\??\c:\vpvjd.exec:\vpvjd.exe91⤵PID:2204
-
\??\c:\9lxrlrl.exec:\9lxrlrl.exe92⤵PID:5104
-
\??\c:\xflxrlx.exec:\xflxrlx.exe93⤵PID:3492
-
\??\c:\bnthbt.exec:\bnthbt.exe94⤵PID:3632
-
\??\c:\jpvjv.exec:\jpvjv.exe95⤵PID:3520
-
\??\c:\7xxlxrf.exec:\7xxlxrf.exe96⤵PID:3840
-
\??\c:\hnbhhb.exec:\hnbhhb.exe97⤵PID:2328
-
\??\c:\vvvdj.exec:\vvvdj.exe98⤵PID:3676
-
\??\c:\frrrrll.exec:\frrrrll.exe99⤵PID:3888
-
\??\c:\fffxlfr.exec:\fffxlfr.exe100⤵PID:4456
-
\??\c:\htthbt.exec:\htthbt.exe101⤵PID:4572
-
\??\c:\dppdd.exec:\dppdd.exe102⤵PID:4384
-
\??\c:\3xlxlfr.exec:\3xlxlfr.exe103⤵PID:1808
-
\??\c:\xllxrlx.exec:\xllxrlx.exe104⤵PID:2532
-
\??\c:\hbtbnh.exec:\hbtbnh.exe105⤵PID:3124
-
\??\c:\dvddd.exec:\dvddd.exe106⤵PID:2440
-
\??\c:\frfrflf.exec:\frfrflf.exe107⤵PID:2940
-
\??\c:\xlfrllf.exec:\xlfrllf.exe108⤵PID:3652
-
\??\c:\bnnnbt.exec:\bnnnbt.exe109⤵PID:4592
-
\??\c:\ddjvp.exec:\ddjvp.exe110⤵PID:3132
-
\??\c:\pvpdv.exec:\pvpdv.exe111⤵PID:1232
-
\??\c:\xrrlrff.exec:\xrrlrff.exe112⤵PID:1492
-
\??\c:\nbnhbb.exec:\nbnhbb.exe113⤵PID:4356
-
\??\c:\dvdvp.exec:\dvdvp.exe114⤵PID:3440
-
\??\c:\flrlxxr.exec:\flrlxxr.exe115⤵PID:3344
-
\??\c:\nhhhnn.exec:\nhhhnn.exe116⤵PID:2208
-
\??\c:\nhhttn.exec:\nhhttn.exe117⤵PID:4420
-
\??\c:\vpdpp.exec:\vpdpp.exe118⤵PID:1212
-
\??\c:\frrxxrr.exec:\frrxxrr.exe119⤵PID:2072
-
\??\c:\tnhbhh.exec:\tnhbhh.exe120⤵PID:4380
-
\??\c:\nnnhtn.exec:\nnnhtn.exe121⤵PID:8
-
\??\c:\7pjvj.exec:\7pjvj.exe122⤵PID:3580