Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
-
Size
454KB
-
MD5
cb4056c9e5c23957acee0948c044000b
-
SHA1
959b04a402d162153895bc73e01f1d831eb81ed6
-
SHA256
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce
-
SHA512
35bab2530a68303252e7522750f930f2e48e3f828ebd20203db939b55dcd3bd3cfc0b9cc3fa2557a88fc95f2a639c2223b466910f182b3b021522df7c5faddeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1320-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/248-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3280-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/544-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-1001-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-1045-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2600 lllfrlx.exe 1088 5lffllx.exe 1884 dvpjj.exe 2608 nnnhbb.exe 3760 rlxrllr.exe 1044 bntnbt.exe 732 jvvpd.exe 3284 pddpv.exe 1140 vjjdv.exe 2248 lllxrlx.exe 1588 xlrrlll.exe 4160 hnnhbb.exe 4888 jvvvp.exe 248 5ttnhn.exe 4612 jdpdd.exe 5064 bnbnht.exe 3200 bntnbh.exe 3572 rrrlxxf.exe 2404 nhnbnh.exe 2792 ppdvv.exe 2964 bnntth.exe 2192 xrxlfxr.exe 3280 1ffrlfr.exe 4268 frxrxll.exe 4892 rfllfxf.exe 2080 lfrfxxx.exe 3296 5fxxfxf.exe 2632 lrxlffx.exe 3708 djpjd.exe 3840 nbbbtt.exe 660 ppdpj.exe 3616 7tbnnn.exe 1928 3jdpj.exe 4080 thbnhb.exe 4444 dvvpj.exe 2352 xffxrlf.exe 900 nbbbtn.exe 1636 btbthh.exe 1528 7vdjd.exe 2100 rffrxrf.exe 4360 fllfxfx.exe 3772 3nnhbt.exe 1664 pvvpv.exe 4092 rflfxrl.exe 3944 xlrlfrf.exe 3060 bhhbnn.exe 5096 ppvjd.exe 1520 xrxrfxx.exe 1076 thnhtn.exe 4304 1nbhbn.exe 4716 pdjvj.exe 1940 xrlxllf.exe 2600 1nhbhh.exe 1144 9dpdj.exe 2812 fxxrfff.exe 4552 flrfrrf.exe 1064 ntbtbt.exe 2608 pdpjv.exe 2800 rrfxllf.exe 4524 btbbbb.exe 4324 tbhbnh.exe 1276 ddjdp.exe 3964 lflllff.exe 4800 rllrlxr.exe -
resource yara_rule behavioral2/memory/1320-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/248-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2080-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4924-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-838-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-961-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-1159-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1320 wrote to memory of 2600 1320 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 82 PID 1320 wrote to memory of 2600 1320 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 82 PID 1320 wrote to memory of 2600 1320 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 82 PID 2600 wrote to memory of 1088 2600 lllfrlx.exe 83 PID 2600 wrote to memory of 1088 2600 lllfrlx.exe 83 PID 2600 wrote to memory of 1088 2600 lllfrlx.exe 83 PID 1088 wrote to memory of 1884 1088 5lffllx.exe 84 PID 1088 wrote to memory of 1884 1088 5lffllx.exe 84 PID 1088 wrote to memory of 1884 1088 5lffllx.exe 84 PID 1884 wrote to memory of 2608 1884 dvpjj.exe 85 PID 1884 wrote to memory of 2608 1884 dvpjj.exe 85 PID 1884 wrote to memory of 2608 1884 dvpjj.exe 85 PID 2608 wrote to memory of 3760 2608 nnnhbb.exe 86 PID 2608 wrote to memory of 3760 2608 nnnhbb.exe 86 PID 2608 wrote to memory of 3760 2608 nnnhbb.exe 86 PID 3760 wrote to memory of 1044 3760 rlxrllr.exe 87 PID 3760 wrote to memory of 1044 3760 rlxrllr.exe 87 PID 3760 wrote to memory of 1044 3760 rlxrllr.exe 87 PID 1044 wrote to memory of 732 1044 bntnbt.exe 88 PID 1044 wrote to memory of 732 1044 bntnbt.exe 88 PID 1044 wrote to memory of 732 1044 bntnbt.exe 88 PID 732 wrote to memory of 3284 732 jvvpd.exe 89 PID 732 wrote to memory of 3284 732 jvvpd.exe 89 PID 732 wrote to memory of 3284 732 jvvpd.exe 89 PID 3284 wrote to memory of 1140 3284 pddpv.exe 90 PID 3284 wrote to memory of 1140 3284 pddpv.exe 90 PID 3284 wrote to memory of 1140 3284 pddpv.exe 90 PID 1140 wrote to memory of 2248 1140 vjjdv.exe 91 PID 1140 wrote to memory of 2248 1140 vjjdv.exe 91 PID 1140 wrote to memory of 2248 1140 vjjdv.exe 91 PID 2248 wrote to memory of 1588 2248 lllxrlx.exe 92 PID 2248 wrote to memory of 1588 2248 lllxrlx.exe 92 PID 2248 wrote to memory of 1588 2248 lllxrlx.exe 92 PID 1588 wrote to memory of 4160 1588 xlrrlll.exe 93 PID 1588 wrote to memory of 
4160 1588 xlrrlll.exe 93 PID 1588 wrote to memory of 4160 1588 xlrrlll.exe 93 PID 4160 wrote to memory of 4888 4160 hnnhbb.exe 94 PID 4160 wrote to memory of 4888 4160 hnnhbb.exe 94 PID 4160 wrote to memory of 4888 4160 hnnhbb.exe 94 PID 4888 wrote to memory of 248 4888 jvvvp.exe 95 PID 4888 wrote to memory of 248 4888 jvvvp.exe 95 PID 4888 wrote to memory of 248 4888 jvvvp.exe 95 PID 248 wrote to memory of 4612 248 5ttnhn.exe 96 PID 248 wrote to memory of 4612 248 5ttnhn.exe 96 PID 248 wrote to memory of 4612 248 5ttnhn.exe 96 PID 4612 wrote to memory of 5064 4612 jdpdd.exe 97 PID 4612 wrote to memory of 5064 4612 jdpdd.exe 97 PID 4612 wrote to memory of 5064 4612 jdpdd.exe 97 PID 5064 wrote to memory of 3200 5064 bnbnht.exe 98 PID 5064 wrote to memory of 3200 5064 bnbnht.exe 98 PID 5064 wrote to memory of 3200 5064 bnbnht.exe 98 PID 3200 wrote to memory of 3572 3200 bntnbh.exe 99 PID 3200 wrote to memory of 3572 3200 bntnbh.exe 99 PID 3200 wrote to memory of 3572 3200 bntnbh.exe 99 PID 3572 wrote to memory of 2404 3572 rrrlxxf.exe 100 PID 3572 wrote to memory of 2404 3572 rrrlxxf.exe 100 PID 3572 wrote to memory of 2404 3572 rrrlxxf.exe 100 PID 2404 wrote to memory of 2792 2404 nhnbnh.exe 101 PID 2404 wrote to memory of 2792 2404 nhnbnh.exe 101 PID 2404 wrote to memory of 2792 2404 nhnbnh.exe 101 PID 2792 wrote to memory of 2964 2792 ppdvv.exe 102 PID 2792 wrote to memory of 2964 2792 ppdvv.exe 102 PID 2792 wrote to memory of 2964 2792 ppdvv.exe 102 PID 2964 wrote to memory of 2192 2964 bnntth.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\lllfrlx.exec:\lllfrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\5lffllx.exec:\5lffllx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\dvpjj.exec:\dvpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\nnnhbb.exec:\nnnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\rlxrllr.exec:\rlxrllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\bntnbt.exec:\bntnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\jvvpd.exec:\jvvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\pddpv.exec:\pddpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\vjjdv.exec:\vjjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\lllxrlx.exec:\lllxrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\xlrrlll.exec:\xlrrlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\hnnhbb.exec:\hnnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\jvvvp.exec:\jvvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\5ttnhn.exec:\5ttnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:248 -
\??\c:\jdpdd.exec:\jdpdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\bnbnht.exec:\bnbnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\bntnbh.exec:\bntnbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\rrrlxxf.exec:\rrrlxxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\nhnbnh.exec:\nhnbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\ppdvv.exec:\ppdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\bnntth.exec:\bnntth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe23⤵
- Executes dropped EXE
PID:2192 -
\??\c:\1ffrlfr.exec:\1ffrlfr.exe24⤵
- Executes dropped EXE
PID:3280 -
\??\c:\frxrxll.exec:\frxrxll.exe25⤵
- Executes dropped EXE
PID:4268 -
\??\c:\rfllfxf.exec:\rfllfxf.exe26⤵
- Executes dropped EXE
PID:4892 -
\??\c:\lfrfxxx.exec:\lfrfxxx.exe27⤵
- Executes dropped EXE
PID:2080 -
\??\c:\5fxxfxf.exec:\5fxxfxf.exe28⤵
- Executes dropped EXE
PID:3296 -
\??\c:\lrxlffx.exec:\lrxlffx.exe29⤵
- Executes dropped EXE
PID:2632 -
\??\c:\djpjd.exec:\djpjd.exe30⤵
- Executes dropped EXE
PID:3708 -
\??\c:\nbbbtt.exec:\nbbbtt.exe31⤵
- Executes dropped EXE
PID:3840 -
\??\c:\ppdpj.exec:\ppdpj.exe32⤵
- Executes dropped EXE
PID:660 -
\??\c:\7tbnnn.exec:\7tbnnn.exe33⤵
- Executes dropped EXE
PID:3616 -
\??\c:\3jdpj.exec:\3jdpj.exe34⤵
- Executes dropped EXE
PID:1928 -
\??\c:\thbnhb.exec:\thbnhb.exe35⤵
- Executes dropped EXE
PID:4080 -
\??\c:\dvvpj.exec:\dvvpj.exe36⤵
- Executes dropped EXE
PID:4444 -
\??\c:\xffxrlf.exec:\xffxrlf.exe37⤵
- Executes dropped EXE
PID:2352 -
\??\c:\nbbbtn.exec:\nbbbtn.exe38⤵
- Executes dropped EXE
PID:900 -
\??\c:\btbthh.exec:\btbthh.exe39⤵
- Executes dropped EXE
PID:1636 -
\??\c:\7vdjd.exec:\7vdjd.exe40⤵
- Executes dropped EXE
PID:1528 -
\??\c:\rffrxrf.exec:\rffrxrf.exe41⤵
- Executes dropped EXE
PID:2100 -
\??\c:\fllfxfx.exec:\fllfxfx.exe42⤵
- Executes dropped EXE
PID:4360 -
\??\c:\3nnhbt.exec:\3nnhbt.exe43⤵
- Executes dropped EXE
PID:3772 -
\??\c:\pvvpv.exec:\pvvpv.exe44⤵
- Executes dropped EXE
PID:1664 -
\??\c:\rflfxrl.exec:\rflfxrl.exe45⤵
- Executes dropped EXE
PID:4092 -
\??\c:\xlrlfrf.exec:\xlrlfrf.exe46⤵
- Executes dropped EXE
PID:3944 -
\??\c:\bhhbnn.exec:\bhhbnn.exe47⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ppvjd.exec:\ppvjd.exe48⤵
- Executes dropped EXE
PID:5096 -
\??\c:\xrxrfxx.exec:\xrxrfxx.exe49⤵
- Executes dropped EXE
PID:1520 -
\??\c:\thnhtn.exec:\thnhtn.exe50⤵
- Executes dropped EXE
PID:1076 -
\??\c:\1nbhbn.exec:\1nbhbn.exe51⤵
- Executes dropped EXE
PID:4304 -
\??\c:\pdjvj.exec:\pdjvj.exe52⤵
- Executes dropped EXE
PID:4716 -
\??\c:\xrlxllf.exec:\xrlxllf.exe53⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1nhbhh.exec:\1nhbhh.exe54⤵
- Executes dropped EXE
PID:2600 -
\??\c:\9dpdj.exec:\9dpdj.exe55⤵
- Executes dropped EXE
PID:1144 -
\??\c:\fxxrfff.exec:\fxxrfff.exe56⤵
- Executes dropped EXE
PID:2812 -
\??\c:\flrfrrf.exec:\flrfrrf.exe57⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ntbtbt.exec:\ntbtbt.exe58⤵
- Executes dropped EXE
PID:1064 -
\??\c:\pdpjv.exec:\pdpjv.exe59⤵
- Executes dropped EXE
PID:2608 -
\??\c:\rrfxllf.exec:\rrfxllf.exe60⤵
- Executes dropped EXE
PID:2800 -
\??\c:\btbbbb.exec:\btbbbb.exe61⤵
- Executes dropped EXE
PID:4524 -
\??\c:\tbhbnh.exec:\tbhbnh.exe62⤵
- Executes dropped EXE
PID:4324 -
\??\c:\ddjdp.exec:\ddjdp.exe63⤵
- Executes dropped EXE
PID:1276 -
\??\c:\lflllff.exec:\lflllff.exe64⤵
- Executes dropped EXE
PID:3964 -
\??\c:\rllrlxr.exec:\rllrlxr.exe65⤵
- Executes dropped EXE
PID:4800 -
\??\c:\nbhtnh.exec:\nbhtnh.exe66⤵PID:980
-
\??\c:\pjdvd.exec:\pjdvd.exe67⤵PID:408
-
\??\c:\frfrffx.exec:\frfrffx.exe68⤵PID:8
-
\??\c:\tnnnhh.exec:\tnnnhh.exe69⤵PID:4952
-
\??\c:\vjjdv.exec:\vjjdv.exe70⤵PID:2972
-
\??\c:\rrffffl.exec:\rrffffl.exe71⤵PID:564
-
\??\c:\bthbhh.exec:\bthbhh.exe72⤵PID:544
-
\??\c:\dvdvj.exec:\dvdvj.exe73⤵PID:3500
-
\??\c:\fxfrllf.exec:\fxfrllf.exe74⤵PID:4964
-
\??\c:\bnnhbt.exec:\bnnhbt.exe75⤵PID:4948
-
\??\c:\5nnbtt.exec:\5nnbtt.exe76⤵PID:4060
-
\??\c:\djpdv.exec:\djpdv.exe77⤵PID:2656
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe78⤵PID:4428
-
\??\c:\1hthhb.exec:\1hthhb.exe79⤵PID:3872
-
\??\c:\jvvvp.exec:\jvvvp.exe80⤵PID:4820
-
\??\c:\5pjdj.exec:\5pjdj.exe81⤵PID:352
-
\??\c:\xrrlxrr.exec:\xrrlxrr.exe82⤵PID:3360
-
\??\c:\hnhbbt.exec:\hnhbbt.exe83⤵PID:532
-
\??\c:\bnnthb.exec:\bnnthb.exe84⤵PID:3620
-
\??\c:\dpdvj.exec:\dpdvj.exe85⤵PID:3196
-
\??\c:\9rxrffx.exec:\9rxrffx.exe86⤵PID:2552
-
\??\c:\bntnnh.exec:\bntnnh.exe87⤵PID:2560
-
\??\c:\7ppdv.exec:\7ppdv.exe88⤵PID:2664
-
\??\c:\vjvvv.exec:\vjvvv.exe89⤵PID:4892
-
\??\c:\3rrllrx.exec:\3rrllrx.exe90⤵PID:2420
-
\??\c:\9hbtnt.exec:\9hbtnt.exe91⤵PID:5036
-
\??\c:\pvdvp.exec:\pvdvp.exe92⤵PID:4224
-
\??\c:\vjdpj.exec:\vjdpj.exe93⤵PID:2632
-
\??\c:\1llxxrx.exec:\1llxxrx.exe94⤵PID:3788
-
\??\c:\tnbtnh.exec:\tnbtnh.exe95⤵PID:4920
-
\??\c:\nhhbtb.exec:\nhhbtb.exe96⤵PID:4924
-
\??\c:\3vpdp.exec:\3vpdp.exe97⤵PID:4368
-
\??\c:\jddpj.exec:\jddpj.exe98⤵PID:4516
-
\??\c:\lffrlfx.exec:\lffrlfx.exe99⤵PID:2568
-
\??\c:\7bhthh.exec:\7bhthh.exe100⤵PID:4080
-
\??\c:\dvvjd.exec:\dvvjd.exe101⤵PID:4788
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe102⤵PID:2352
-
\??\c:\xrlxrlf.exec:\xrlxrlf.exe103⤵PID:1904
-
\??\c:\bbbhbn.exec:\bbbhbn.exe104⤵PID:2768
-
\??\c:\djjdj.exec:\djjdj.exe105⤵PID:1708
-
\??\c:\9rrlfrl.exec:\9rrlfrl.exe106⤵PID:5056
-
\??\c:\htbtnh.exec:\htbtnh.exe107⤵PID:2144
-
\??\c:\pjddj.exec:\pjddj.exe108⤵PID:3832
-
\??\c:\ppdpv.exec:\ppdpv.exe109⤵PID:2148
-
\??\c:\lllfxxr.exec:\lllfxxr.exe110⤵PID:3672
-
\??\c:\nhbttn.exec:\nhbttn.exe111⤵PID:1524
-
\??\c:\dvjvv.exec:\dvjvv.exe112⤵PID:4488
-
\??\c:\lrxlxlx.exec:\lrxlxlx.exe113⤵PID:5080
-
\??\c:\nttnbt.exec:\nttnbt.exe114⤵PID:5044
-
\??\c:\5nhbtn.exec:\5nhbtn.exe115⤵PID:4328
-
\??\c:\vvvjv.exec:\vvvjv.exe116⤵PID:4320
-
\??\c:\1lrrfxf.exec:\1lrrfxf.exe117⤵PID:3776
-
\??\c:\xrrxrrr.exec:\xrrxrrr.exe118⤵PID:4716
-
\??\c:\ntbbnn.exec:\ntbbnn.exe119⤵PID:1316
-
\??\c:\9vvjv.exec:\9vvjv.exe120⤵PID:2364
-
\??\c:\rrrrffx.exec:\rrrrffx.exe121⤵PID:1144
-
\??\c:\rlrllfl.exec:\rlrllfl.exe122⤵PID:2812
-