Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
-
Size
454KB
-
MD5
cb4056c9e5c23957acee0948c044000b
-
SHA1
959b04a402d162153895bc73e01f1d831eb81ed6
-
SHA256
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce
-
SHA512
35bab2530a68303252e7522750f930f2e48e3f828ebd20203db939b55dcd3bd3cfc0b9cc3fa2557a88fc95f2a639c2223b466910f182b3b021522df7c5faddeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/552-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4748-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/340-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3944-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4592-1526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1624 ppjvp.exe 3392 lrrlfxl.exe 3208 nnhbtb.exe 3936 tbnbbh.exe 3480 jvddj.exe 5044 flrfrlx.exe 3624 thnbtn.exe 4736 xxxllff.exe 2132 jvdvv.exe 768 hbhhht.exe 3516 pdvpd.exe 3252 rxfxllx.exe 4204 jvvvd.exe 2716 jdvdj.exe 2596 rxrlfxx.exe 1128 dvvdv.exe 1428 frrrfxr.exe 2860 nnhbtt.exe 2460 lfxlfxr.exe 4020 ttnhtn.exe 4492 nttnbt.exe 2464 5tnbth.exe 3756 pvpdp.exe 208 xrrfxrl.exe 1536 vjdpd.exe 1488 ttbnnn.exe 4748 xlrfrrf.exe 4888 hhnbhb.exe 2196 jppdv.exe 4436 nhtntn.exe 1640 3jjdv.exe 1596 htnbtt.exe 3676 5hnhhh.exe 1196 1ffrfxl.exe 4420 7hbthb.exe 1616 djpjv.exe 2480 rxxlxrr.exe 2648 9llfxrl.exe 3264 nbbttt.exe 3968 pjdpp.exe 632 frrfrlf.exe 1136 tthtnt.exe 1248 hbhbbt.exe 3248 pdjdp.exe 2536 xrxrlfr.exe 5100 hnbbtn.exe 340 pddvj.exe 4592 dpjvj.exe 1804 frrlxlf.exe 468 1nthbb.exe 3392 pdvjv.exe 2080 lxxlxxl.exe 1144 1btnbb.exe 3452 pdvvj.exe 3608 1xxxrxr.exe 4916 tbbthb.exe 2052 9ppjv.exe 4444 xrxrllx.exe 3624 rrxfxfl.exe 2920 7hhtnn.exe 4168 jpvdd.exe 216 3xxrlfx.exe 3880 lrrlffx.exe 628 hbhhnh.exe -
resource yara_rule behavioral2/memory/552-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4748-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/340-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4580-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-726-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 552 wrote to memory of 1624 552 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 82 PID 552 wrote to memory of 1624 552 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 82 PID 552 wrote to memory of 1624 552 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 82 PID 1624 wrote to memory of 3392 1624 ppjvp.exe 83 PID 1624 wrote to memory of 3392 1624 ppjvp.exe 83 PID 1624 wrote to memory of 3392 1624 ppjvp.exe 83 PID 3392 wrote to memory of 3208 3392 lrrlfxl.exe 84 PID 3392 wrote to memory of 3208 3392 lrrlfxl.exe 84 PID 3392 wrote to memory of 3208 3392 lrrlfxl.exe 84 PID 3208 wrote to memory of 3936 3208 nnhbtb.exe 85 PID 3208 wrote to memory of 3936 3208 nnhbtb.exe 85 PID 3208 wrote to memory of 3936 3208 nnhbtb.exe 85 PID 3936 wrote to memory of 3480 3936 tbnbbh.exe 86 PID 3936 wrote to memory of 3480 3936 tbnbbh.exe 86 PID 3936 wrote to memory of 3480 3936 tbnbbh.exe 86 PID 3480 wrote to memory of 5044 3480 jvddj.exe 87 PID 3480 wrote to memory of 5044 3480 jvddj.exe 87 PID 3480 wrote to memory of 5044 3480 jvddj.exe 87 PID 5044 wrote to memory of 3624 5044 flrfrlx.exe 88 PID 5044 wrote to memory of 3624 5044 flrfrlx.exe 88 PID 5044 wrote to memory of 3624 5044 flrfrlx.exe 88 PID 3624 wrote to memory of 4736 3624 thnbtn.exe 89 PID 3624 wrote to memory of 4736 3624 thnbtn.exe 89 PID 3624 wrote to memory of 4736 3624 thnbtn.exe 89 PID 4736 wrote to memory of 2132 4736 xxxllff.exe 90 PID 4736 wrote to memory of 2132 4736 xxxllff.exe 90 PID 4736 wrote to memory of 2132 4736 xxxllff.exe 90 PID 2132 wrote to memory of 768 2132 jvdvv.exe 91 PID 2132 wrote to memory of 768 2132 jvdvv.exe 91 PID 2132 wrote to memory of 768 2132 jvdvv.exe 91 PID 768 wrote to memory of 3516 768 hbhhht.exe 92 PID 768 wrote to memory of 3516 768 hbhhht.exe 92 PID 768 wrote to memory of 3516 768 hbhhht.exe 92 PID 3516 wrote to memory of 3252 3516 pdvpd.exe 93 PID 3516 wrote to memory of 3252 
3516 pdvpd.exe 93 PID 3516 wrote to memory of 3252 3516 pdvpd.exe 93 PID 3252 wrote to memory of 4204 3252 rxfxllx.exe 94 PID 3252 wrote to memory of 4204 3252 rxfxllx.exe 94 PID 3252 wrote to memory of 4204 3252 rxfxllx.exe 94 PID 4204 wrote to memory of 2716 4204 jvvvd.exe 95 PID 4204 wrote to memory of 2716 4204 jvvvd.exe 95 PID 4204 wrote to memory of 2716 4204 jvvvd.exe 95 PID 2716 wrote to memory of 2596 2716 jdvdj.exe 96 PID 2716 wrote to memory of 2596 2716 jdvdj.exe 96 PID 2716 wrote to memory of 2596 2716 jdvdj.exe 96 PID 2596 wrote to memory of 1128 2596 rxrlfxx.exe 97 PID 2596 wrote to memory of 1128 2596 rxrlfxx.exe 97 PID 2596 wrote to memory of 1128 2596 rxrlfxx.exe 97 PID 1128 wrote to memory of 1428 1128 dvvdv.exe 98 PID 1128 wrote to memory of 1428 1128 dvvdv.exe 98 PID 1128 wrote to memory of 1428 1128 dvvdv.exe 98 PID 1428 wrote to memory of 2860 1428 frrrfxr.exe 99 PID 1428 wrote to memory of 2860 1428 frrrfxr.exe 99 PID 1428 wrote to memory of 2860 1428 frrrfxr.exe 99 PID 2860 wrote to memory of 2460 2860 nnhbtt.exe 100 PID 2860 wrote to memory of 2460 2860 nnhbtt.exe 100 PID 2860 wrote to memory of 2460 2860 nnhbtt.exe 100 PID 2460 wrote to memory of 4020 2460 lfxlfxr.exe 101 PID 2460 wrote to memory of 4020 2460 lfxlfxr.exe 101 PID 2460 wrote to memory of 4020 2460 lfxlfxr.exe 101 PID 4020 wrote to memory of 4492 4020 ttnhtn.exe 102 PID 4020 wrote to memory of 4492 4020 ttnhtn.exe 102 PID 4020 wrote to memory of 4492 4020 ttnhtn.exe 102 PID 4492 wrote to memory of 2464 4492 nttnbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\ppjvp.exec:\ppjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\lrrlfxl.exec:\lrrlfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\nnhbtb.exec:\nnhbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\tbnbbh.exec:\tbnbbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\jvddj.exec:\jvddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\flrfrlx.exec:\flrfrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\thnbtn.exec:\thnbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\xxxllff.exec:\xxxllff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\jvdvv.exec:\jvdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\hbhhht.exec:\hbhhht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\pdvpd.exec:\pdvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\rxfxllx.exec:\rxfxllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\jvvvd.exec:\jvvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\jdvdj.exec:\jdvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\rxrlfxx.exec:\rxrlfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\dvvdv.exec:\dvvdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\frrrfxr.exec:\frrrfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\nnhbtt.exec:\nnhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\ttnhtn.exec:\ttnhtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\nttnbt.exec:\nttnbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\5tnbth.exec:\5tnbth.exe23⤵
- Executes dropped EXE
PID:2464 -
\??\c:\pvpdp.exec:\pvpdp.exe24⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe25⤵
- Executes dropped EXE
PID:208 -
\??\c:\vjdpd.exec:\vjdpd.exe26⤵
- Executes dropped EXE
PID:1536 -
\??\c:\ttbnnn.exec:\ttbnnn.exe27⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xlrfrrf.exec:\xlrfrrf.exe28⤵
- Executes dropped EXE
PID:4748 -
\??\c:\hhnbhb.exec:\hhnbhb.exe29⤵
- Executes dropped EXE
PID:4888 -
\??\c:\jppdv.exec:\jppdv.exe30⤵
- Executes dropped EXE
PID:2196 -
\??\c:\nhtntn.exec:\nhtntn.exe31⤵
- Executes dropped EXE
PID:4436 -
\??\c:\3jjdv.exec:\3jjdv.exe32⤵
- Executes dropped EXE
PID:1640 -
\??\c:\htnbtt.exec:\htnbtt.exe33⤵
- Executes dropped EXE
PID:1596 -
\??\c:\5hnhhh.exec:\5hnhhh.exe34⤵
- Executes dropped EXE
PID:3676 -
\??\c:\1ffrfxl.exec:\1ffrfxl.exe35⤵
- Executes dropped EXE
PID:1196 -
\??\c:\7hbthb.exec:\7hbthb.exe36⤵
- Executes dropped EXE
PID:4420 -
\??\c:\djpjv.exec:\djpjv.exe37⤵
- Executes dropped EXE
PID:1616 -
\??\c:\rxxlxrr.exec:\rxxlxrr.exe38⤵
- Executes dropped EXE
PID:2480 -
\??\c:\9llfxrl.exec:\9llfxrl.exe39⤵
- Executes dropped EXE
PID:2648 -
\??\c:\nbbttt.exec:\nbbttt.exe40⤵
- Executes dropped EXE
PID:3264 -
\??\c:\pjdpp.exec:\pjdpp.exe41⤵
- Executes dropped EXE
PID:3968 -
\??\c:\frrfrlf.exec:\frrfrlf.exe42⤵
- Executes dropped EXE
PID:632 -
\??\c:\tthtnt.exec:\tthtnt.exe43⤵
- Executes dropped EXE
PID:1136 -
\??\c:\hbhbbt.exec:\hbhbbt.exe44⤵
- Executes dropped EXE
PID:1248 -
\??\c:\pdjdp.exec:\pdjdp.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3248 -
\??\c:\xrxrlfr.exec:\xrxrlfr.exe46⤵
- Executes dropped EXE
PID:2536 -
\??\c:\hnbbtn.exec:\hnbbtn.exe47⤵
- Executes dropped EXE
PID:5100 -
\??\c:\pddvj.exec:\pddvj.exe48⤵
- Executes dropped EXE
PID:340 -
\??\c:\dpjvj.exec:\dpjvj.exe49⤵
- Executes dropped EXE
PID:4592 -
\??\c:\frrlxlf.exec:\frrlxlf.exe50⤵
- Executes dropped EXE
PID:1804 -
\??\c:\1nthbb.exec:\1nthbb.exe51⤵
- Executes dropped EXE
PID:468 -
\??\c:\pdvjv.exec:\pdvjv.exe52⤵
- Executes dropped EXE
PID:3392 -
\??\c:\lxxlxxl.exec:\lxxlxxl.exe53⤵
- Executes dropped EXE
PID:2080 -
\??\c:\1btnbb.exec:\1btnbb.exe54⤵
- Executes dropped EXE
PID:1144 -
\??\c:\pdvvj.exec:\pdvvj.exe55⤵
- Executes dropped EXE
PID:3452 -
\??\c:\1xxxrxr.exec:\1xxxrxr.exe56⤵
- Executes dropped EXE
PID:3608 -
\??\c:\tbbthb.exec:\tbbthb.exe57⤵
- Executes dropped EXE
PID:4916 -
\??\c:\9ppjv.exec:\9ppjv.exe58⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xrxrllx.exec:\xrxrllx.exe59⤵
- Executes dropped EXE
PID:4444 -
\??\c:\rrxfxfl.exec:\rrxfxfl.exe60⤵
- Executes dropped EXE
PID:3624 -
\??\c:\7hhtnn.exec:\7hhtnn.exe61⤵
- Executes dropped EXE
PID:2920 -
\??\c:\jpvdd.exec:\jpvdd.exe62⤵
- Executes dropped EXE
PID:4168 -
\??\c:\3xxrlfx.exec:\3xxrlfx.exe63⤵
- Executes dropped EXE
PID:216 -
\??\c:\lrrlffx.exec:\lrrlffx.exe64⤵
- Executes dropped EXE
PID:3880 -
\??\c:\hbhhnh.exec:\hbhhnh.exe65⤵
- Executes dropped EXE
PID:628 -
\??\c:\jjjdv.exec:\jjjdv.exe66⤵PID:3824
-
\??\c:\7vpdp.exec:\7vpdp.exe67⤵PID:2500
-
\??\c:\xrrlxxl.exec:\xrrlxxl.exe68⤵PID:1892
-
\??\c:\9xxrllf.exec:\9xxrllf.exe69⤵PID:916
-
\??\c:\htttnn.exec:\htttnn.exe70⤵PID:1088
-
\??\c:\ppjvj.exec:\ppjvj.exe71⤵PID:8
-
\??\c:\xlrrrrf.exec:\xlrrrrf.exe72⤵PID:3944
-
\??\c:\5ffrlfx.exec:\5ffrlfx.exe73⤵PID:2948
-
\??\c:\3hhbtn.exec:\3hhbtn.exe74⤵PID:556
-
\??\c:\dpvpd.exec:\dpvpd.exe75⤵PID:1200
-
\??\c:\rlrllll.exec:\rlrllll.exe76⤵PID:4608
-
\??\c:\xfrlfxr.exec:\xfrlfxr.exe77⤵PID:4344
-
\??\c:\jvjjd.exec:\jvjjd.exe78⤵PID:4056
-
\??\c:\jdjdv.exec:\jdjdv.exe79⤵PID:1996
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe80⤵PID:2124
-
\??\c:\tnhtnh.exec:\tnhtnh.exe81⤵PID:944
-
\??\c:\jjpdv.exec:\jjpdv.exe82⤵PID:4580
-
\??\c:\pjjdv.exec:\pjjdv.exe83⤵PID:4792
-
\??\c:\ffllfxr.exec:\ffllfxr.exe84⤵PID:2560
-
\??\c:\hnthbt.exec:\hnthbt.exe85⤵
- System Location Discovery: System Language Discovery
PID:4176 -
\??\c:\5nhbhh.exec:\5nhbhh.exe86⤵PID:2216
-
\??\c:\jvpdj.exec:\jvpdj.exe87⤵PID:4748
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe88⤵PID:3576
-
\??\c:\lxfxrll.exec:\lxfxrll.exe89⤵PID:3380
-
\??\c:\9tbnbb.exec:\9tbnbb.exe90⤵PID:452
-
\??\c:\dpvjv.exec:\dpvjv.exe91⤵PID:1796
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe92⤵PID:2432
-
\??\c:\hhnhbt.exec:\hhnhbt.exe93⤵PID:2956
-
\??\c:\vpjdp.exec:\vpjdp.exe94⤵PID:3860
-
\??\c:\jddjd.exec:\jddjd.exe95⤵PID:4092
-
\??\c:\7xfrxrl.exec:\7xfrxrl.exe96⤵PID:3348
-
\??\c:\fxxlffx.exec:\fxxlffx.exe97⤵PID:4324
-
\??\c:\nhhntn.exec:\nhhntn.exe98⤵PID:4008
-
\??\c:\7pjvd.exec:\7pjvd.exe99⤵PID:4000
-
\??\c:\pddpj.exec:\pddpj.exe100⤵PID:800
-
\??\c:\rrfrlfx.exec:\rrfrlfx.exe101⤵PID:2996
-
\??\c:\1nttnh.exec:\1nttnh.exe102⤵PID:2300
-
\??\c:\vdvjj.exec:\vdvjj.exe103⤵PID:1528
-
\??\c:\lflflfr.exec:\lflflfr.exe104⤵PID:1432
-
\??\c:\7lrlfxr.exec:\7lrlfxr.exe105⤵PID:4884
-
\??\c:\ntnhbb.exec:\ntnhbb.exe106⤵PID:2212
-
\??\c:\vpjdv.exec:\vpjdv.exe107⤵PID:2936
-
\??\c:\jdvpv.exec:\jdvpv.exe108⤵PID:1580
-
\??\c:\xrxlfxr.exec:\xrxlfxr.exe109⤵PID:4384
-
\??\c:\1tntnh.exec:\1tntnh.exe110⤵PID:2396
-
\??\c:\jdvpd.exec:\jdvpd.exe111⤵PID:3296
-
\??\c:\lffrxfr.exec:\lffrxfr.exe112⤵PID:2088
-
\??\c:\3nhbtb.exec:\3nhbtb.exe113⤵PID:2728
-
\??\c:\bbbtnb.exec:\bbbtnb.exe114⤵PID:3536
-
\??\c:\vdjvp.exec:\vdjvp.exe115⤵PID:2268
-
\??\c:\1flxflf.exec:\1flxflf.exe116⤵PID:4876
-
\??\c:\lrrrfrf.exec:\lrrrfrf.exe117⤵PID:4900
-
\??\c:\htbttn.exec:\htbttn.exe118⤵PID:3608
-
\??\c:\ddvpp.exec:\ddvpp.exe119⤵PID:3600
-
\??\c:\vvpdv.exec:\vvpdv.exe120⤵PID:2052
-
\??\c:\fllxrlx.exec:\fllxrlx.exe121⤵PID:1572
-
\??\c:\hnbbtn.exec:\hnbbtn.exe122⤵PID:3372
-