Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 01:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a.exe
-
Size
453KB
-
MD5
58ff3c78deb7507550c8cc33a2bab2ea
-
SHA1
b415980c795b02e126d7df4787cf6e5fea182549
-
SHA256
43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a
-
SHA512
2854cc10ef2b0f05e9de90f89e291d73b472f92ebe8381a1110097c313ebc8b7eac34da3d1ce0ea584a4347e8cab099190898bb6b279bd88432cd1369b35c97b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/748-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2376-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3888-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-903-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-978-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3516-998-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3300 5nnbhb.exe 1684 rllxlfr.exe 4864 llfllrr.exe 2412 hbtnht.exe 1028 pvpjd.exe 2116 fllxlfx.exe 2420 dvjpd.exe 4444 9nttnn.exe 2304 7pjdv.exe 3604 nhnhnh.exe 2868 fxfffxx.exe 2136 hnnhtt.exe 1132 pddpj.exe 4192 fxffxrr.exe 4964 bhhtnh.exe 1568 jdvpj.exe 4768 fllfffr.exe 4128 lllfffx.exe 2244 tntntn.exe 1676 ttbthn.exe 4388 llrrxff.exe 2580 tttnhh.exe 1076 rffxrfx.exe 1348 3rxrflf.exe 2376 pvvpd.exe 2708 nbbtnh.exe 3600 lrxrlff.exe 2672 1hhbnb.exe 1648 vvpjv.exe 3440 btbbnn.exe 4848 7pvjd.exe 4880 frrrlff.exe 1088 jjjdj.exe 2076 vjpjd.exe 4828 xllxlxl.exe 1312 jpvjd.exe 2844 rrflxxr.exe 4504 tbhtnn.exe 4312 1hhbhb.exe 3844 pjjvp.exe 2480 lxxxrlf.exe 4596 rrlxrrf.exe 1732 vjjdv.exe 2428 lfrfxrl.exe 4520 bnnbtb.exe 1464 bhnbtn.exe 4084 9jvdj.exe 1532 xllxlfx.exe 4088 nhbtnh.exe 2264 jdvpd.exe 3056 7rrfxxr.exe 2816 lffxrrl.exe 2724 thnhhb.exe 3916 vjjvp.exe 1940 fxxlxxr.exe 2052 hntnbb.exe 2964 hhhbhh.exe 4884 dpppj.exe 1672 fxfxlfr.exe 2184 nhbthn.exe 2136 vvdvj.exe 4688 dvvpj.exe 4156 fxfrfxr.exe 4996 ntnthh.exe -
resource yara_rule behavioral2/memory/748-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2708-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4812-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-771-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 748 wrote to memory of 3300 748 43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a.exe 82 PID 748 wrote to memory of 3300 748 43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a.exe 82 PID 748 wrote to memory of 3300 748 43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a.exe 82 PID 3300 wrote to memory of 1684 3300 5nnbhb.exe 83 PID 3300 wrote to memory of 1684 3300 5nnbhb.exe 83 PID 3300 wrote to memory of 1684 3300 5nnbhb.exe 83 PID 1684 wrote to memory of 4864 1684 rllxlfr.exe 84 PID 1684 wrote to memory of 4864 1684 rllxlfr.exe 84 PID 1684 wrote to memory of 4864 1684 rllxlfr.exe 84 PID 4864 wrote to memory of 2412 4864 llfllrr.exe 85 PID 4864 wrote to memory of 2412 4864 llfllrr.exe 85 PID 4864 wrote to memory of 2412 4864 llfllrr.exe 85 PID 2412 wrote to memory of 1028 2412 hbtnht.exe 86 PID 2412 wrote to memory of 1028 2412 hbtnht.exe 86 PID 2412 wrote to memory of 1028 2412 hbtnht.exe 86 PID 1028 wrote to memory of 2116 1028 pvpjd.exe 87 PID 1028 wrote to memory of 2116 1028 pvpjd.exe 87 PID 1028 wrote to memory of 2116 1028 pvpjd.exe 87 PID 2116 wrote to memory of 2420 2116 fllxlfx.exe 88 PID 2116 wrote to memory of 2420 2116 fllxlfx.exe 88 PID 2116 wrote to memory of 2420 2116 fllxlfx.exe 88 PID 2420 wrote to memory of 4444 2420 dvjpd.exe 89 PID 2420 wrote to memory of 4444 2420 dvjpd.exe 89 PID 2420 wrote to memory of 4444 2420 dvjpd.exe 89 PID 4444 wrote to memory of 2304 4444 9nttnn.exe 90 PID 4444 wrote to memory of 2304 4444 9nttnn.exe 90 PID 4444 wrote to memory of 2304 4444 9nttnn.exe 90 PID 2304 wrote to memory of 3604 2304 7pjdv.exe 91 PID 2304 wrote to memory of 3604 2304 7pjdv.exe 91 PID 2304 wrote to memory of 3604 2304 7pjdv.exe 91 PID 3604 wrote to memory of 2868 3604 nhnhnh.exe 92 PID 3604 wrote to memory of 2868 3604 nhnhnh.exe 92 PID 3604 wrote to memory of 2868 3604 nhnhnh.exe 92 PID 2868 wrote to memory of 2136 2868 fxfffxx.exe 93 PID 2868 wrote to memory 
of 2136 2868 fxfffxx.exe 93 PID 2868 wrote to memory of 2136 2868 fxfffxx.exe 93 PID 2136 wrote to memory of 1132 2136 hnnhtt.exe 94 PID 2136 wrote to memory of 1132 2136 hnnhtt.exe 94 PID 2136 wrote to memory of 1132 2136 hnnhtt.exe 94 PID 1132 wrote to memory of 4192 1132 pddpj.exe 95 PID 1132 wrote to memory of 4192 1132 pddpj.exe 95 PID 1132 wrote to memory of 4192 1132 pddpj.exe 95 PID 4192 wrote to memory of 4964 4192 fxffxrr.exe 96 PID 4192 wrote to memory of 4964 4192 fxffxrr.exe 96 PID 4192 wrote to memory of 4964 4192 fxffxrr.exe 96 PID 4964 wrote to memory of 1568 4964 bhhtnh.exe 97 PID 4964 wrote to memory of 1568 4964 bhhtnh.exe 97 PID 4964 wrote to memory of 1568 4964 bhhtnh.exe 97 PID 1568 wrote to memory of 4768 1568 jdvpj.exe 98 PID 1568 wrote to memory of 4768 1568 jdvpj.exe 98 PID 1568 wrote to memory of 4768 1568 jdvpj.exe 98 PID 4768 wrote to memory of 4128 4768 fllfffr.exe 99 PID 4768 wrote to memory of 4128 4768 fllfffr.exe 99 PID 4768 wrote to memory of 4128 4768 fllfffr.exe 99 PID 4128 wrote to memory of 2244 4128 lllfffx.exe 100 PID 4128 wrote to memory of 2244 4128 lllfffx.exe 100 PID 4128 wrote to memory of 2244 4128 lllfffx.exe 100 PID 2244 wrote to memory of 1676 2244 tntntn.exe 101 PID 2244 wrote to memory of 1676 2244 tntntn.exe 101 PID 2244 wrote to memory of 1676 2244 tntntn.exe 101 PID 1676 wrote to memory of 4388 1676 ttbthn.exe 102 PID 1676 wrote to memory of 4388 1676 ttbthn.exe 102 PID 1676 wrote to memory of 4388 1676 ttbthn.exe 102 PID 4388 wrote to memory of 2580 4388 llrrxff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a.exe"C:\Users\Admin\AppData\Local\Temp\43c18956538f3fd47aa064c9a4264ad06ca906b8b61cfb30c9aec99e26b3472a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\5nnbhb.exec:\5nnbhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\rllxlfr.exec:\rllxlfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\llfllrr.exec:\llfllrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\hbtnht.exec:\hbtnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\pvpjd.exec:\pvpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\fllxlfx.exec:\fllxlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\dvjpd.exec:\dvjpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\9nttnn.exec:\9nttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\7pjdv.exec:\7pjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\nhnhnh.exec:\nhnhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\fxfffxx.exec:\fxfffxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\hnnhtt.exec:\hnnhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\pddpj.exec:\pddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\fxffxrr.exec:\fxffxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\bhhtnh.exec:\bhhtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\jdvpj.exec:\jdvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\fllfffr.exec:\fllfffr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\lllfffx.exec:\lllfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\tntntn.exec:\tntntn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\ttbthn.exec:\ttbthn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\llrrxff.exec:\llrrxff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\tttnhh.exec:\tttnhh.exe23⤵
- Executes dropped EXE
PID:2580 -
\??\c:\rffxrfx.exec:\rffxrfx.exe24⤵
- Executes dropped EXE
PID:1076 -
\??\c:\3rxrflf.exec:\3rxrflf.exe25⤵
- Executes dropped EXE
PID:1348 -
\??\c:\pvvpd.exec:\pvvpd.exe26⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nbbtnh.exec:\nbbtnh.exe27⤵
- Executes dropped EXE
PID:2708 -
\??\c:\lrxrlff.exec:\lrxrlff.exe28⤵
- Executes dropped EXE
PID:3600 -
\??\c:\1hhbnb.exec:\1hhbnb.exe29⤵
- Executes dropped EXE
PID:2672 -
\??\c:\vvpjv.exec:\vvpjv.exe30⤵
- Executes dropped EXE
PID:1648 -
\??\c:\btbbnn.exec:\btbbnn.exe31⤵
- Executes dropped EXE
PID:3440 -
\??\c:\7pvjd.exec:\7pvjd.exe32⤵
- Executes dropped EXE
PID:4848 -
\??\c:\frrrlff.exec:\frrrlff.exe33⤵
- Executes dropped EXE
PID:4880 -
\??\c:\jjjdj.exec:\jjjdj.exe34⤵
- Executes dropped EXE
PID:1088 -
\??\c:\vjpjd.exec:\vjpjd.exe35⤵
- Executes dropped EXE
PID:2076 -
\??\c:\xllxlxl.exec:\xllxlxl.exe36⤵
- Executes dropped EXE
PID:4828 -
\??\c:\jpvjd.exec:\jpvjd.exe37⤵
- Executes dropped EXE
PID:1312 -
\??\c:\rrflxxr.exec:\rrflxxr.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\tbhtnn.exec:\tbhtnn.exe39⤵
- Executes dropped EXE
PID:4504 -
\??\c:\1hhbhb.exec:\1hhbhb.exe40⤵
- Executes dropped EXE
PID:4312 -
\??\c:\pjjvp.exec:\pjjvp.exe41⤵
- Executes dropped EXE
PID:3844 -
\??\c:\lxxxrlf.exec:\lxxxrlf.exe42⤵
- Executes dropped EXE
PID:2480 -
\??\c:\rrlxrrf.exec:\rrlxrrf.exe43⤵
- Executes dropped EXE
PID:4596 -
\??\c:\tnnbnh.exec:\tnnbnh.exe44⤵PID:5020
-
\??\c:\vjjdv.exec:\vjjdv.exe45⤵
- Executes dropped EXE
PID:1732 -
\??\c:\lfrfxrl.exec:\lfrfxrl.exe46⤵
- Executes dropped EXE
PID:2428 -
\??\c:\bnnbtb.exec:\bnnbtb.exe47⤵
- Executes dropped EXE
PID:4520 -
\??\c:\bhnbtn.exec:\bhnbtn.exe48⤵
- Executes dropped EXE
PID:1464 -
\??\c:\9jvdj.exec:\9jvdj.exe49⤵
- Executes dropped EXE
PID:4084 -
\??\c:\xllxlfx.exec:\xllxlfx.exe50⤵
- Executes dropped EXE
PID:1532 -
\??\c:\nhbtnh.exec:\nhbtnh.exe51⤵
- Executes dropped EXE
PID:4088 -
\??\c:\jdvpd.exec:\jdvpd.exe52⤵
- Executes dropped EXE
PID:2264 -
\??\c:\7rrfxxr.exec:\7rrfxxr.exe53⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lffxrrl.exec:\lffxrrl.exe54⤵
- Executes dropped EXE
PID:2816 -
\??\c:\thnhhb.exec:\thnhhb.exe55⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vjjvp.exec:\vjjvp.exe56⤵
- Executes dropped EXE
PID:3916 -
\??\c:\fxxlxxr.exec:\fxxlxxr.exe57⤵
- Executes dropped EXE
PID:1940 -
\??\c:\hntnbb.exec:\hntnbb.exe58⤵
- Executes dropped EXE
PID:2052 -
\??\c:\hhhbhh.exec:\hhhbhh.exe59⤵
- Executes dropped EXE
PID:2964 -
\??\c:\dpppj.exec:\dpppj.exe60⤵
- Executes dropped EXE
PID:4884 -
\??\c:\fxfxlfr.exec:\fxfxlfr.exe61⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nhbthn.exec:\nhbthn.exe62⤵
- Executes dropped EXE
PID:2184 -
\??\c:\vvdvj.exec:\vvdvj.exe63⤵
- Executes dropped EXE
PID:2136 -
\??\c:\dvvpj.exec:\dvvpj.exe64⤵
- Executes dropped EXE
PID:4688 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe65⤵
- Executes dropped EXE
PID:4156 -
\??\c:\ntnthh.exec:\ntnthh.exe66⤵
- Executes dropped EXE
PID:4996 -
\??\c:\ddjdv.exec:\ddjdv.exe67⤵PID:2060
-
\??\c:\vdjdj.exec:\vdjdj.exe68⤵PID:2952
-
\??\c:\3llfxrl.exec:\3llfxrl.exe69⤵PID:3088
-
\??\c:\nbbtnh.exec:\nbbtnh.exe70⤵PID:1972
-
\??\c:\vpvpj.exec:\vpvpj.exe71⤵PID:784
-
\??\c:\jpdpp.exec:\jpdpp.exe72⤵PID:1552
-
\??\c:\rlxrxrr.exec:\rlxrxrr.exe73⤵PID:2156
-
\??\c:\1thnnh.exec:\1thnnh.exe74⤵PID:4700
-
\??\c:\xflfxxr.exec:\xflfxxr.exe75⤵PID:3888
-
\??\c:\lflrlxl.exec:\lflrlxl.exe76⤵PID:1056
-
\??\c:\thnbbn.exec:\thnbbn.exe77⤵PID:3588
-
\??\c:\3dvpj.exec:\3dvpj.exe78⤵PID:4820
-
\??\c:\dpjdp.exec:\dpjdp.exe79⤵PID:2288
-
\??\c:\3rrffrr.exec:\3rrffrr.exe80⤵PID:464
-
\??\c:\hhbnbn.exec:\hhbnbn.exe81⤵PID:4116
-
\??\c:\dvpdp.exec:\dvpdp.exe82⤵PID:2276
-
\??\c:\lflxlfl.exec:\lflxlfl.exe83⤵PID:4980
-
\??\c:\7nnbnn.exec:\7nnbnn.exe84⤵PID:4812
-
\??\c:\3bbttn.exec:\3bbttn.exe85⤵PID:2672
-
\??\c:\jjpjv.exec:\jjpjv.exe86⤵PID:392
-
\??\c:\pvvpj.exec:\pvvpj.exe87⤵PID:1708
-
\??\c:\1fxlxrl.exec:\1fxlxrl.exe88⤵PID:4448
-
\??\c:\3tthtn.exec:\3tthtn.exe89⤵PID:3576
-
\??\c:\ddppp.exec:\ddppp.exe90⤵PID:3964
-
\??\c:\pdjdd.exec:\pdjdd.exe91⤵PID:5024
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe92⤵PID:1476
-
\??\c:\htbntn.exec:\htbntn.exe93⤵PID:3920
-
\??\c:\hnntnb.exec:\hnntnb.exe94⤵PID:4436
-
\??\c:\jppjv.exec:\jppjv.exe95⤵PID:1992
-
\??\c:\xrlflfx.exec:\xrlflfx.exe96⤵PID:2112
-
\??\c:\5bbnbb.exec:\5bbnbb.exe97⤵PID:2984
-
\??\c:\bhnbtn.exec:\bhnbtn.exe98⤵PID:2772
-
\??\c:\pdvjv.exec:\pdvjv.exe99⤵PID:4212
-
\??\c:\5xxlfll.exec:\5xxlfll.exe100⤵PID:3120
-
\??\c:\ntbnbt.exec:\ntbnbt.exe101⤵PID:5044
-
\??\c:\pddvj.exec:\pddvj.exe102⤵PID:4764
-
\??\c:\7dvjv.exec:\7dvjv.exe103⤵PID:4264
-
\??\c:\rllxrlx.exec:\rllxrlx.exe104⤵PID:4408
-
\??\c:\rflffxf.exec:\rflffxf.exe105⤵PID:2876
-
\??\c:\nbnhbt.exec:\nbnhbt.exe106⤵PID:2428
-
\??\c:\jjjdv.exec:\jjjdv.exe107⤵PID:2840
-
\??\c:\9jjvp.exec:\9jjvp.exe108⤵PID:4084
-
\??\c:\rllxrlx.exec:\rllxrlx.exe109⤵PID:5032
-
\??\c:\hhttnh.exec:\hhttnh.exe110⤵PID:3056
-
\??\c:\3pjdp.exec:\3pjdp.exe111⤵PID:4068
-
\??\c:\xflxrlf.exec:\xflxrlf.exe112⤵PID:4444
-
\??\c:\rlrfrlx.exec:\rlrfrlx.exe113⤵PID:3916
-
\??\c:\tnnhtn.exec:\tnnhtn.exe114⤵PID:3688
-
\??\c:\dvvvj.exec:\dvvvj.exe115⤵PID:4584
-
\??\c:\rfffrrl.exec:\rfffrrl.exe116⤵PID:4608
-
\??\c:\bbtnnn.exec:\bbtnnn.exe117⤵PID:2224
-
\??\c:\pdjvj.exec:\pdjvj.exe118⤵PID:1672
-
\??\c:\vpjvp.exec:\vpjvp.exe119⤵PID:2184
-
\??\c:\fflffxx.exec:\fflffxx.exe120⤵PID:2824
-
\??\c:\nbhbbt.exec:\nbhbbt.exe121⤵PID:2828
-
\??\c:\dppjv.exec:\dppjv.exe122⤵PID:1816