Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe
-
Size
453KB
-
MD5
a1116d6bfa61125560eaff75ac26caa0
-
SHA1
f0cb409e123ad4c8d2942881d2b88dfaac46e842
-
SHA256
29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918f
-
SHA512
3cbc69b08a451cdeae09bf71cdd989516036c9822419b7cd930d3d1dd5916e9102a501f97fb86b96405b25b931f7dfb1073b8019ea49fe3865ff04c55767cea3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2728-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4640-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5072-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-1060-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-1121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-1173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4144-1673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1264 xxrlxlx.exe 1564 hnbhtb.exe 1988 jjvvv.exe 2268 jvvdd.exe 1388 fflllff.exe 4724 hbbttt.exe 3172 nhtttb.exe 4964 pvddj.exe 3344 xlrlfxr.exe 1460 btbtnh.exe 1552 hhtbtb.exe 4548 9vvjd.exe 4688 lfxfllx.exe 5112 bhnhbb.exe 2784 7nttbh.exe 1656 jvjjp.exe 1212 rlfxrxx.exe 2668 nthnhn.exe 3940 bhtnnn.exe 2824 pjdvd.exe 1168 xflfffx.exe 4376 tnhhtn.exe 2396 hnbtnn.exe 1076 ddvjj.exe 4768 xlxllrl.exe 2536 frxrrff.exe 4916 tnhbtn.exe 1004 jvjdv.exe 3596 3lrllrr.exe 4072 5rxrlrl.exe 4928 hbnhnn.exe 4200 pddvp.exe 3476 1fllfrl.exe 4640 bthhbt.exe 2520 1nhbtt.exe 3480 vpvpd.exe 760 rflflff.exe 1416 xxxfxxr.exe 3184 bthnnb.exe 3176 dvjjj.exe 1348 rlfrllx.exe 2448 xfrllfx.exe 1984 hbbtnn.exe 2376 ppddp.exe 2820 vpvvv.exe 3388 fxffxxx.exe 1492 1ntnbb.exe 1844 nbhbtb.exe 3440 pdddp.exe 2132 3rfrxxl.exe 4692 lffxrrf.exe 1544 1tbtbb.exe 4040 jvddv.exe 5108 vjpdd.exe 1968 rlxrlfr.exe 4444 hnnnhh.exe 4424 vdjvp.exe 1284 vvddv.exe 4508 frxrrlf.exe 4308 tnbntt.exe 4232 ppvvp.exe 2268 djpjd.exe 2200 fxrlxxx.exe 4192 nntbbn.exe -
resource yara_rule behavioral2/memory/2728-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4928-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2760-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-904-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-953-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3httht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2728 wrote to memory of 1264 2728 29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe 82 PID 2728 wrote to memory of 1264 2728 29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe 82 PID 2728 wrote to memory of 1264 2728 29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe 82 PID 1264 wrote to memory of 1564 1264 xxrlxlx.exe 83 PID 1264 wrote to memory of 1564 1264 xxrlxlx.exe 83 PID 1264 wrote to memory of 1564 1264 xxrlxlx.exe 83 PID 1564 wrote to memory of 1988 1564 hnbhtb.exe 84 PID 1564 wrote to memory of 1988 1564 hnbhtb.exe 84 PID 1564 wrote to memory of 1988 1564 hnbhtb.exe 84 PID 1988 wrote to memory of 2268 1988 jjvvv.exe 143 PID 1988 wrote to memory of 2268 1988 jjvvv.exe 143 PID 1988 wrote to memory of 2268 1988 jjvvv.exe 143 PID 2268 wrote to memory of 1388 2268 jvvdd.exe 86 PID 2268 wrote to memory of 1388 2268 jvvdd.exe 86 PID 2268 wrote to memory of 1388 2268 jvvdd.exe 86 PID 1388 wrote to memory of 4724 1388 fflllff.exe 87 PID 1388 wrote to memory of 4724 1388 fflllff.exe 87 PID 1388 wrote to memory of 4724 1388 fflllff.exe 87 PID 4724 wrote to memory of 3172 4724 hbbttt.exe 88 PID 4724 wrote to memory of 3172 4724 hbbttt.exe 88 PID 4724 wrote to memory of 3172 4724 hbbttt.exe 88 PID 3172 wrote to memory of 4964 3172 nhtttb.exe 89 PID 3172 wrote to memory of 4964 3172 nhtttb.exe 89 PID 3172 wrote to memory of 4964 3172 nhtttb.exe 89 PID 4964 wrote to memory of 3344 4964 pvddj.exe 90 PID 4964 wrote to memory of 3344 4964 pvddj.exe 90 PID 4964 wrote to memory of 3344 4964 pvddj.exe 90 PID 3344 wrote to memory of 1460 3344 xlrlfxr.exe 91 PID 3344 wrote to memory of 1460 3344 xlrlfxr.exe 91 PID 3344 wrote to memory of 1460 3344 xlrlfxr.exe 91 PID 1460 wrote to memory of 1552 1460 btbtnh.exe 92 PID 1460 wrote to memory of 1552 1460 btbtnh.exe 92 PID 1460 wrote to memory of 1552 1460 btbtnh.exe 92 PID 1552 wrote to memory of 4548 1552 hhtbtb.exe 93 PID 1552 
wrote to memory of 4548 1552 hhtbtb.exe 93 PID 1552 wrote to memory of 4548 1552 hhtbtb.exe 93 PID 4548 wrote to memory of 4688 4548 9vvjd.exe 94 PID 4548 wrote to memory of 4688 4548 9vvjd.exe 94 PID 4548 wrote to memory of 4688 4548 9vvjd.exe 94 PID 4688 wrote to memory of 5112 4688 lfxfllx.exe 95 PID 4688 wrote to memory of 5112 4688 lfxfllx.exe 95 PID 4688 wrote to memory of 5112 4688 lfxfllx.exe 95 PID 5112 wrote to memory of 2784 5112 bhnhbb.exe 96 PID 5112 wrote to memory of 2784 5112 bhnhbb.exe 96 PID 5112 wrote to memory of 2784 5112 bhnhbb.exe 96 PID 2784 wrote to memory of 1656 2784 7nttbh.exe 97 PID 2784 wrote to memory of 1656 2784 7nttbh.exe 97 PID 2784 wrote to memory of 1656 2784 7nttbh.exe 97 PID 1656 wrote to memory of 1212 1656 jvjjp.exe 156 PID 1656 wrote to memory of 1212 1656 jvjjp.exe 156 PID 1656 wrote to memory of 1212 1656 jvjjp.exe 156 PID 1212 wrote to memory of 2668 1212 rlfxrxx.exe 157 PID 1212 wrote to memory of 2668 1212 rlfxrxx.exe 157 PID 1212 wrote to memory of 2668 1212 rlfxrxx.exe 157 PID 2668 wrote to memory of 3940 2668 nthnhn.exe 100 PID 2668 wrote to memory of 3940 2668 nthnhn.exe 100 PID 2668 wrote to memory of 3940 2668 nthnhn.exe 100 PID 3940 wrote to memory of 2824 3940 bhtnnn.exe 101 PID 3940 wrote to memory of 2824 3940 bhtnnn.exe 101 PID 3940 wrote to memory of 2824 3940 bhtnnn.exe 101 PID 2824 wrote to memory of 1168 2824 pjdvd.exe 160 PID 2824 wrote to memory of 1168 2824 pjdvd.exe 160 PID 2824 wrote to memory of 1168 2824 pjdvd.exe 160 PID 1168 wrote to memory of 4376 1168 xflfffx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe"C:\Users\Admin\AppData\Local\Temp\29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\xxrlxlx.exec:\xxrlxlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\hnbhtb.exec:\hnbhtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\jjvvv.exec:\jjvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\jvvdd.exec:\jvvdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\fflllff.exec:\fflllff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\hbbttt.exec:\hbbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\nhtttb.exec:\nhtttb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\pvddj.exec:\pvddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\btbtnh.exec:\btbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\hhtbtb.exec:\hhtbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\9vvjd.exec:\9vvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\lfxfllx.exec:\lfxfllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\bhnhbb.exec:\bhnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\7nttbh.exec:\7nttbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\jvjjp.exec:\jvjjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\rlfxrxx.exec:\rlfxrxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\nthnhn.exec:\nthnhn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\bhtnnn.exec:\bhtnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\pjdvd.exec:\pjdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\xflfffx.exec:\xflfffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\tnhhtn.exec:\tnhhtn.exe23⤵
- Executes dropped EXE
PID:4376 -
\??\c:\hnbtnn.exec:\hnbtnn.exe24⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ddvjj.exec:\ddvjj.exe25⤵
- Executes dropped EXE
PID:1076 -
\??\c:\xlxllrl.exec:\xlxllrl.exe26⤵
- Executes dropped EXE
PID:4768 -
\??\c:\frxrrff.exec:\frxrrff.exe27⤵
- Executes dropped EXE
PID:2536 -
\??\c:\tnhbtn.exec:\tnhbtn.exe28⤵
- Executes dropped EXE
PID:4916 -
\??\c:\jvjdv.exec:\jvjdv.exe29⤵
- Executes dropped EXE
PID:1004 -
\??\c:\3lrllrr.exec:\3lrllrr.exe30⤵
- Executes dropped EXE
PID:3596 -
\??\c:\5rxrlrl.exec:\5rxrlrl.exe31⤵
- Executes dropped EXE
PID:4072 -
\??\c:\hbnhnn.exec:\hbnhnn.exe32⤵
- Executes dropped EXE
PID:4928 -
\??\c:\pddvp.exec:\pddvp.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4200 -
\??\c:\1fllfrl.exec:\1fllfrl.exe34⤵
- Executes dropped EXE
PID:3476 -
\??\c:\bthhbt.exec:\bthhbt.exe35⤵
- Executes dropped EXE
PID:4640 -
\??\c:\1nhbtt.exec:\1nhbtt.exe36⤵
- Executes dropped EXE
PID:2520 -
\??\c:\vpvpd.exec:\vpvpd.exe37⤵
- Executes dropped EXE
PID:3480 -
\??\c:\rflflff.exec:\rflflff.exe38⤵
- Executes dropped EXE
PID:760 -
\??\c:\xxxfxxr.exec:\xxxfxxr.exe39⤵
- Executes dropped EXE
PID:1416 -
\??\c:\bthnnb.exec:\bthnnb.exe40⤵
- Executes dropped EXE
PID:3184 -
\??\c:\dvjjj.exec:\dvjjj.exe41⤵
- Executes dropped EXE
PID:3176 -
\??\c:\rlfrllx.exec:\rlfrllx.exe42⤵
- Executes dropped EXE
PID:1348 -
\??\c:\xfrllfx.exec:\xfrllfx.exe43⤵
- Executes dropped EXE
PID:2448 -
\??\c:\hbbtnn.exec:\hbbtnn.exe44⤵
- Executes dropped EXE
PID:1984 -
\??\c:\ppddp.exec:\ppddp.exe45⤵
- Executes dropped EXE
PID:2376 -
\??\c:\vpvvv.exec:\vpvvv.exe46⤵
- Executes dropped EXE
PID:2820 -
\??\c:\fxffxxx.exec:\fxffxxx.exe47⤵
- Executes dropped EXE
PID:3388 -
\??\c:\1ntnbb.exec:\1ntnbb.exe48⤵
- Executes dropped EXE
PID:1492 -
\??\c:\nbhbtb.exec:\nbhbtb.exe49⤵
- Executes dropped EXE
PID:1844 -
\??\c:\pdddp.exec:\pdddp.exe50⤵
- Executes dropped EXE
PID:3440 -
\??\c:\3rfrxxl.exec:\3rfrxxl.exe51⤵
- Executes dropped EXE
PID:2132 -
\??\c:\lffxrrf.exec:\lffxrrf.exe52⤵
- Executes dropped EXE
PID:4692 -
\??\c:\1tbtbb.exec:\1tbtbb.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544 -
\??\c:\jvddv.exec:\jvddv.exe54⤵
- Executes dropped EXE
PID:4040 -
\??\c:\vjpdd.exec:\vjpdd.exe55⤵
- Executes dropped EXE
PID:5108 -
\??\c:\rlxrlfr.exec:\rlxrlfr.exe56⤵
- Executes dropped EXE
PID:1968 -
\??\c:\hnnnhh.exec:\hnnnhh.exe57⤵
- Executes dropped EXE
PID:4444 -
\??\c:\vdjvp.exec:\vdjvp.exe58⤵
- Executes dropped EXE
PID:4424 -
\??\c:\vvddv.exec:\vvddv.exe59⤵
- Executes dropped EXE
PID:1284 -
\??\c:\frxrrlf.exec:\frxrrlf.exe60⤵
- Executes dropped EXE
PID:4508 -
\??\c:\tnbntt.exec:\tnbntt.exe61⤵
- Executes dropped EXE
PID:4308 -
\??\c:\ppvvp.exec:\ppvvp.exe62⤵
- Executes dropped EXE
PID:4232 -
\??\c:\djpjd.exec:\djpjd.exe63⤵
- Executes dropped EXE
PID:2268 -
\??\c:\fxrlxxx.exec:\fxrlxxx.exe64⤵
- Executes dropped EXE
PID:2200 -
\??\c:\nntbbn.exec:\nntbbn.exe65⤵
- Executes dropped EXE
PID:4192 -
\??\c:\jddvp.exec:\jddvp.exe66⤵PID:1064
-
\??\c:\5jppj.exec:\5jppj.exe67⤵PID:2388
-
\??\c:\9llffll.exec:\9llffll.exe68⤵PID:4080
-
\??\c:\hbbtnn.exec:\hbbtnn.exe69⤵PID:3344
-
\??\c:\bbhbbb.exec:\bbhbbb.exe70⤵PID:1692
-
\??\c:\jpdvp.exec:\jpdvp.exe71⤵PID:2260
-
\??\c:\lxrrrxx.exec:\lxrrrxx.exe72⤵PID:4968
-
\??\c:\3tbbtb.exec:\3tbbtb.exe73⤵PID:4748
-
\??\c:\pvvpj.exec:\pvvpj.exe74⤵PID:3568
-
\??\c:\lxrflff.exec:\lxrflff.exe75⤵PID:5072
-
\??\c:\3nnhbb.exec:\3nnhbb.exe76⤵PID:1212
-
\??\c:\dpdvv.exec:\dpdvv.exe77⤵PID:2668
-
\??\c:\rxfrlll.exec:\rxfrlll.exe78⤵PID:3012
-
\??\c:\tntnnn.exec:\tntnnn.exe79⤵PID:1748
-
\??\c:\vvddv.exec:\vvddv.exe80⤵PID:1168
-
\??\c:\xrrlllf.exec:\xrrlllf.exe81⤵PID:1128
-
\??\c:\dppjd.exec:\dppjd.exe82⤵PID:3208
-
\??\c:\xxrrrxf.exec:\xxrrrxf.exe83⤵PID:4744
-
\??\c:\lxlfffl.exec:\lxlfffl.exe84⤵PID:1100
-
\??\c:\hbbbnt.exec:\hbbbnt.exe85⤵PID:1308
-
\??\c:\jjvvj.exec:\jjvvj.exe86⤵PID:3896
-
\??\c:\flxrrrx.exec:\flxrrrx.exe87⤵PID:412
-
\??\c:\djjjd.exec:\djjjd.exe88⤵PID:4300
-
\??\c:\ffllfff.exec:\ffllfff.exe89⤵PID:4216
-
\??\c:\lllrxfl.exec:\lllrxfl.exe90⤵PID:764
-
\??\c:\nbhbtn.exec:\nbhbtn.exe91⤵PID:3168
-
\??\c:\pjdpj.exec:\pjdpj.exe92⤵PID:4640
-
\??\c:\1lrlllf.exec:\1lrlllf.exe93⤵PID:1624
-
\??\c:\hbtnbt.exec:\hbtnbt.exe94⤵PID:116
-
\??\c:\djjdv.exec:\djjdv.exe95⤵PID:2024
-
\??\c:\rflffrr.exec:\rflffrr.exe96⤵PID:2760
-
\??\c:\bhnnhn.exec:\bhnnhn.exe97⤵PID:1144
-
\??\c:\bntbbt.exec:\bntbbt.exe98⤵PID:3176
-
\??\c:\jdjjv.exec:\jdjjv.exe99⤵PID:4936
-
\??\c:\7lxxlxl.exec:\7lxxlxl.exe100⤵PID:400
-
\??\c:\ntntnt.exec:\ntntnt.exe101⤵PID:224
-
\??\c:\pvppd.exec:\pvppd.exe102⤵PID:2820
-
\??\c:\xxfffll.exec:\xxfffll.exe103⤵PID:1668
-
\??\c:\bbnhhn.exec:\bbnhhn.exe104⤵PID:2568
-
\??\c:\ppvvv.exec:\ppvvv.exe105⤵PID:2780
-
\??\c:\rxllllf.exec:\rxllllf.exe106⤵PID:4020
-
\??\c:\httbnb.exec:\httbnb.exe107⤵PID:4940
-
\??\c:\lfflllr.exec:\lfflllr.exe108⤵PID:4416
-
\??\c:\hhntbb.exec:\hhntbb.exe109⤵PID:3380
-
\??\c:\djvpj.exec:\djvpj.exe110⤵PID:3936
-
\??\c:\htttth.exec:\htttth.exe111⤵PID:2248
-
\??\c:\bbhhhn.exec:\bbhhhn.exe112⤵PID:3016
-
\??\c:\9bbbbh.exec:\9bbbbh.exe113⤵PID:1968
-
\??\c:\xfxxxfl.exec:\xfxxxfl.exe114⤵PID:5064
-
\??\c:\dvpjj.exec:\dvpjj.exe115⤵PID:728
-
\??\c:\xxlllll.exec:\xxlllll.exe116⤵PID:1772
-
\??\c:\vjvvv.exec:\vjvvv.exe117⤵PID:2928
-
\??\c:\1bhntb.exec:\1bhntb.exe118⤵PID:1564
-
\??\c:\jjvvv.exec:\jjvvv.exe119⤵PID:3076
-
\??\c:\rrlrlrr.exec:\rrlrlrr.exe120⤵PID:3908
-
\??\c:\dvvpp.exec:\dvvpp.exe121⤵PID:4380
-
\??\c:\xfxrxxl.exec:\xfxrxxl.exe122⤵PID:3636