Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 12:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe
-
Size
456KB
-
MD5
064a819bed9a53bf2ee7eff80c79efa0
-
SHA1
77224ff128faa864bedb73de7561ed3c3e32ea4a
-
SHA256
43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f
-
SHA512
48f4c654f51396ad6d07eae2b92fa40e12d891eaebcff08616bd057adaf84a714ab3d7d5d3495d2e12ad0ddede7789f7141273cc6f649f3e42e5ed0cbc7551ac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRo:q7Tc2NYHUrAwfMp3CDRo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/2368-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-63-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2668-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-127-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1696-133-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2092-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-147-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1156-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-176-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2184-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-242-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1824-237-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2288-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-497-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-538-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2416-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-707-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-705-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2648-727-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1936-740-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-747-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1176-792-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1324-800-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/640-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-825-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2508-859-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1968-874-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1328-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-1013-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2864-1033-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1772-1053-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2024 60624.exe 2340 3tbntb.exe 1952 pdpvd.exe 1996 4240286.exe 2224 9jdvp.exe 2792 42446.exe 2668 xxllrrx.exe 2768 042244.exe 2588 rrxfrfx.exe 2824 jdddp.exe 2592 q86400.exe 1312 60884.exe 2092 q42840.exe 1696 800482.exe 1248 64640.exe 1156 3lxxxxl.exe 2876 vjvdp.exe 2660 nhtbhn.exe 2184 4200884.exe 2904 9dvvp.exe 1016 42608.exe 2844 9frrllr.exe 1928 420028.exe 828 1hnttt.exe 1824 frxxxrx.exe 1036 pjjdd.exe 1676 680026.exe 1816 rfrlrrx.exe 2280 42444.exe 2288 9xllrlx.exe 1648 rxlrxrx.exe 2524 8202020.exe 1608 642848.exe 2320 5fxfxlr.exe 2072 808444.exe 2028 262866.exe 1952 3lllfxx.exe 2744 82066.exe 2172 rxfflfl.exe 2224 2020268.exe 2664 q64440.exe 2812 64662.exe 2676 4206880.exe 2256 s6624.exe 3040 3vpjd.exe 2728 rlrrxxx.exe 2680 bntnhh.exe 2612 rfllllr.exe 1312 dpdvp.exe 1328 82062.exe 2108 dpddd.exe 696 68224.exe 1252 o640280.exe 1588 48448.exe 2740 7bhhbb.exe 1936 260448.exe 2912 86884.exe 2660 s8666.exe 1304 8248484.exe 2160 6420662.exe 796 lxllrxl.exe 1796 5lxfffr.exe 1720 8622228.exe 1928 nhttbt.exe -
resource yara_rule behavioral1/memory/2368-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-133-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2092-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-275-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2288-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1328-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-692-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1800-707-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2160-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-792-0x00000000003A0000-0x00000000003CA000-memory.dmp upx 
behavioral1/memory/640-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-859-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2716-924-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1328-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-981-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2024 2368 43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe 30 PID 2368 wrote to memory of 2024 2368 43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe 30 PID 2368 wrote to memory of 2024 2368 43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe 30 PID 2368 wrote to memory of 2024 2368 43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe 30 PID 2024 wrote to memory of 2340 2024 60624.exe 31 PID 2024 wrote to memory of 2340 2024 60624.exe 31 PID 2024 wrote to memory of 2340 2024 60624.exe 31 PID 2024 wrote to memory of 2340 2024 60624.exe 31 PID 2340 wrote to memory of 1952 2340 3tbntb.exe 32 PID 2340 wrote to memory of 1952 2340 3tbntb.exe 32 PID 2340 wrote to memory of 1952 2340 3tbntb.exe 32 PID 2340 wrote to memory of 1952 2340 3tbntb.exe 32 PID 1952 wrote to memory of 1996 1952 pdpvd.exe 33 PID 1952 wrote to memory of 1996 1952 pdpvd.exe 33 PID 1952 wrote to memory of 1996 1952 pdpvd.exe 33 PID 1952 wrote to memory of 1996 1952 pdpvd.exe 33 PID 1996 wrote to memory of 2224 1996 4240286.exe 34 PID 1996 wrote to memory of 2224 1996 4240286.exe 34 PID 1996 wrote to memory of 2224 1996 4240286.exe 34 PID 1996 wrote to memory of 2224 1996 4240286.exe 34 PID 2224 wrote to memory of 2792 2224 9jdvp.exe 35 PID 2224 wrote to memory of 2792 2224 9jdvp.exe 35 PID 2224 wrote to memory of 2792 2224 9jdvp.exe 35 PID 2224 wrote to memory of 2792 2224 9jdvp.exe 35 PID 2792 wrote to memory of 2668 2792 42446.exe 36 PID 2792 wrote to memory of 2668 2792 42446.exe 36 PID 2792 wrote to memory of 2668 2792 42446.exe 36 PID 2792 wrote to memory of 2668 2792 42446.exe 36 PID 2668 wrote to memory of 2768 2668 xxllrrx.exe 37 PID 2668 wrote to memory of 2768 2668 xxllrrx.exe 37 PID 2668 wrote to memory of 2768 2668 xxllrrx.exe 37 PID 2668 wrote to memory of 2768 2668 xxllrrx.exe 37 PID 2768 wrote to memory of 2588 2768 042244.exe 38 PID 2768 wrote to 
memory of 2588 2768 042244.exe 38 PID 2768 wrote to memory of 2588 2768 042244.exe 38 PID 2768 wrote to memory of 2588 2768 042244.exe 38 PID 2588 wrote to memory of 2824 2588 rrxfrfx.exe 39 PID 2588 wrote to memory of 2824 2588 rrxfrfx.exe 39 PID 2588 wrote to memory of 2824 2588 rrxfrfx.exe 39 PID 2588 wrote to memory of 2824 2588 rrxfrfx.exe 39 PID 2824 wrote to memory of 2592 2824 jdddp.exe 40 PID 2824 wrote to memory of 2592 2824 jdddp.exe 40 PID 2824 wrote to memory of 2592 2824 jdddp.exe 40 PID 2824 wrote to memory of 2592 2824 jdddp.exe 40 PID 2592 wrote to memory of 1312 2592 q86400.exe 41 PID 2592 wrote to memory of 1312 2592 q86400.exe 41 PID 2592 wrote to memory of 1312 2592 q86400.exe 41 PID 2592 wrote to memory of 1312 2592 q86400.exe 41 PID 1312 wrote to memory of 2092 1312 60884.exe 42 PID 1312 wrote to memory of 2092 1312 60884.exe 42 PID 1312 wrote to memory of 2092 1312 60884.exe 42 PID 1312 wrote to memory of 2092 1312 60884.exe 42 PID 2092 wrote to memory of 1696 2092 q42840.exe 43 PID 2092 wrote to memory of 1696 2092 q42840.exe 43 PID 2092 wrote to memory of 1696 2092 q42840.exe 43 PID 2092 wrote to memory of 1696 2092 q42840.exe 43 PID 1696 wrote to memory of 1248 1696 800482.exe 44 PID 1696 wrote to memory of 1248 1696 800482.exe 44 PID 1696 wrote to memory of 1248 1696 800482.exe 44 PID 1696 wrote to memory of 1248 1696 800482.exe 44 PID 1248 wrote to memory of 1156 1248 64640.exe 45 PID 1248 wrote to memory of 1156 1248 64640.exe 45 PID 1248 wrote to memory of 1156 1248 64640.exe 45 PID 1248 wrote to memory of 1156 1248 64640.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe"C:\Users\Admin\AppData\Local\Temp\43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\60624.exec:\60624.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\3tbntb.exec:\3tbntb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\pdpvd.exec:\pdpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\4240286.exec:\4240286.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\9jdvp.exec:\9jdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\42446.exec:\42446.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xxllrrx.exec:\xxllrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\042244.exec:\042244.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\rrxfrfx.exec:\rrxfrfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\jdddp.exec:\jdddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\q86400.exec:\q86400.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\60884.exec:\60884.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\q42840.exec:\q42840.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\800482.exec:\800482.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\64640.exec:\64640.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\3lxxxxl.exec:\3lxxxxl.exe17⤵
- Executes dropped EXE
PID:1156 -
\??\c:\vjvdp.exec:\vjvdp.exe18⤵
- Executes dropped EXE
PID:2876 -
\??\c:\nhtbhn.exec:\nhtbhn.exe19⤵
- Executes dropped EXE
PID:2660 -
\??\c:\4200884.exec:\4200884.exe20⤵
- Executes dropped EXE
PID:2184 -
\??\c:\9dvvp.exec:\9dvvp.exe21⤵
- Executes dropped EXE
PID:2904 -
\??\c:\42608.exec:\42608.exe22⤵
- Executes dropped EXE
PID:1016 -
\??\c:\9frrllr.exec:\9frrllr.exe23⤵
- Executes dropped EXE
PID:2844 -
\??\c:\420028.exec:\420028.exe24⤵
- Executes dropped EXE
PID:1928 -
\??\c:\1hnttt.exec:\1hnttt.exe25⤵
- Executes dropped EXE
PID:828 -
\??\c:\frxxxrx.exec:\frxxxrx.exe26⤵
- Executes dropped EXE
PID:1824 -
\??\c:\pjjdd.exec:\pjjdd.exe27⤵
- Executes dropped EXE
PID:1036 -
\??\c:\680026.exec:\680026.exe28⤵
- Executes dropped EXE
PID:1676 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe29⤵
- Executes dropped EXE
PID:1816 -
\??\c:\42444.exec:\42444.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\9xllrlx.exec:\9xllrlx.exe31⤵
- Executes dropped EXE
PID:2288 -
\??\c:\rxlrxrx.exec:\rxlrxrx.exe32⤵
- Executes dropped EXE
PID:1648 -
\??\c:\8202020.exec:\8202020.exe33⤵
- Executes dropped EXE
PID:2524 -
\??\c:\642848.exec:\642848.exe34⤵
- Executes dropped EXE
PID:1608 -
\??\c:\5fxfxlr.exec:\5fxfxlr.exe35⤵
- Executes dropped EXE
PID:2320 -
\??\c:\808444.exec:\808444.exe36⤵
- Executes dropped EXE
PID:2072 -
\??\c:\262866.exec:\262866.exe37⤵
- Executes dropped EXE
PID:2028 -
\??\c:\3lllfxx.exec:\3lllfxx.exe38⤵
- Executes dropped EXE
PID:1952 -
\??\c:\82066.exec:\82066.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rxfflfl.exec:\rxfflfl.exe40⤵
- Executes dropped EXE
PID:2172 -
\??\c:\2020268.exec:\2020268.exe41⤵
- Executes dropped EXE
PID:2224 -
\??\c:\q64440.exec:\q64440.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\64662.exec:\64662.exe43⤵
- Executes dropped EXE
PID:2812 -
\??\c:\4206880.exec:\4206880.exe44⤵
- Executes dropped EXE
PID:2676 -
\??\c:\s6624.exec:\s6624.exe45⤵
- Executes dropped EXE
PID:2256 -
\??\c:\3vpjd.exec:\3vpjd.exe46⤵
- Executes dropped EXE
PID:3040 -
\??\c:\rlrrxxx.exec:\rlrrxxx.exe47⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bntnhh.exec:\bntnhh.exe48⤵
- Executes dropped EXE
PID:2680 -
\??\c:\rfllllr.exec:\rfllllr.exe49⤵
- Executes dropped EXE
PID:2612 -
\??\c:\dpdvp.exec:\dpdvp.exe50⤵
- Executes dropped EXE
PID:1312 -
\??\c:\82062.exec:\82062.exe51⤵
- Executes dropped EXE
PID:1328 -
\??\c:\dpddd.exec:\dpddd.exe52⤵
- Executes dropped EXE
PID:2108 -
\??\c:\68224.exec:\68224.exe53⤵
- Executes dropped EXE
PID:696 -
\??\c:\o640280.exec:\o640280.exe54⤵
- Executes dropped EXE
PID:1252 -
\??\c:\48448.exec:\48448.exe55⤵
- Executes dropped EXE
PID:1588 -
\??\c:\7bhhbb.exec:\7bhhbb.exe56⤵
- Executes dropped EXE
PID:2740 -
\??\c:\260448.exec:\260448.exe57⤵
- Executes dropped EXE
PID:1936 -
\??\c:\86884.exec:\86884.exe58⤵
- Executes dropped EXE
PID:2912 -
\??\c:\s8666.exec:\s8666.exe59⤵
- Executes dropped EXE
PID:2660 -
\??\c:\8248484.exec:\8248484.exe60⤵
- Executes dropped EXE
PID:1304 -
\??\c:\6420662.exec:\6420662.exe61⤵
- Executes dropped EXE
PID:2160 -
\??\c:\lxllrxl.exec:\lxllrxl.exe62⤵
- Executes dropped EXE
PID:796 -
\??\c:\5lxfffr.exec:\5lxfffr.exe63⤵
- Executes dropped EXE
PID:1796 -
\??\c:\8622228.exec:\8622228.exe64⤵
- Executes dropped EXE
PID:1720 -
\??\c:\nhttbt.exec:\nhttbt.exe65⤵
- Executes dropped EXE
PID:1928 -
\??\c:\frfxxrx.exec:\frfxxrx.exe66⤵PID:1556
-
\??\c:\hthnbt.exec:\hthnbt.exe67⤵PID:640
-
\??\c:\dvppv.exec:\dvppv.exe68⤵PID:1564
-
\??\c:\28240.exec:\28240.exe69⤵PID:908
-
\??\c:\q24466.exec:\q24466.exe70⤵PID:1812
-
\??\c:\40404.exec:\40404.exe71⤵PID:2416
-
\??\c:\rflffxx.exec:\rflffxx.exe72⤵PID:1200
-
\??\c:\8644062.exec:\8644062.exe73⤵PID:2280
-
\??\c:\862840.exec:\862840.exe74⤵PID:896
-
\??\c:\vjjpp.exec:\vjjpp.exe75⤵PID:320
-
\??\c:\42884.exec:\42884.exe76⤵PID:540
-
\??\c:\k82288.exec:\k82288.exe77⤵PID:2524
-
\??\c:\020022.exec:\020022.exe78⤵PID:2316
-
\??\c:\9rlrrlr.exec:\9rlrrlr.exe79⤵PID:2100
-
\??\c:\464466.exec:\464466.exe80⤵PID:1712
-
\??\c:\60828.exec:\60828.exe81⤵PID:1752
-
\??\c:\w86244.exec:\w86244.exe82⤵PID:2532
-
\??\c:\vpjvp.exec:\vpjvp.exe83⤵PID:2012
-
\??\c:\0288822.exec:\0288822.exe84⤵PID:2784
-
\??\c:\thhhbb.exec:\thhhbb.exe85⤵PID:2816
-
\??\c:\e42200.exec:\e42200.exe86⤵PID:2000
-
\??\c:\428222.exec:\428222.exe87⤵PID:2668
-
\??\c:\42884.exec:\42884.exe88⤵PID:2584
-
\??\c:\1rlrrrx.exec:\1rlrrrx.exe89⤵PID:2908
-
\??\c:\424004.exec:\424004.exe90⤵PID:2560
-
\??\c:\6406288.exec:\6406288.exe91⤵PID:2632
-
\??\c:\424464.exec:\424464.exe92⤵PID:2232
-
\??\c:\g4280.exec:\g4280.exe93⤵PID:2736
-
\??\c:\lxfflfl.exec:\lxfflfl.exe94⤵PID:1496
-
\??\c:\22468.exec:\22468.exe95⤵PID:2092
-
\??\c:\flfxffr.exec:\flfxffr.exe96⤵PID:1800
-
\??\c:\44628.exec:\44628.exe97⤵PID:2312
-
\??\c:\24008.exec:\24008.exe98⤵PID:2620
-
\??\c:\lfxlflx.exec:\lfxlflx.exe99⤵PID:2648
-
\??\c:\48280.exec:\48280.exe100⤵PID:2548
-
\??\c:\240000.exec:\240000.exe101⤵PID:1936
-
\??\c:\tbnbbt.exec:\tbnbbt.exe102⤵PID:3016
-
\??\c:\ffrxxxr.exec:\ffrxxxr.exe103⤵PID:2396
-
\??\c:\bbhttt.exec:\bbhttt.exe104⤵PID:1660
-
\??\c:\0204488.exec:\0204488.exe105⤵PID:2160
-
\??\c:\428888.exec:\428888.exe106⤵PID:1056
-
\??\c:\c862446.exec:\c862446.exe107⤵PID:1796
-
\??\c:\086688.exec:\086688.exe108⤵PID:2880
-
\??\c:\60828.exec:\60828.exe109⤵PID:1176
-
\??\c:\248666.exec:\248666.exe110⤵PID:1324
-
\??\c:\08006.exec:\08006.exe111⤵PID:640
-
\??\c:\2022828.exec:\2022828.exe112⤵PID:916
-
\??\c:\1lllllr.exec:\1lllllr.exe113⤵PID:1676
-
\??\c:\8684062.exec:\8684062.exe114⤵PID:1816
-
\??\c:\rllxxrx.exec:\rllxxrx.exe115⤵PID:2216
-
\??\c:\60228.exec:\60228.exe116⤵PID:2424
-
\??\c:\bbhhhh.exec:\bbhhhh.exe117⤵PID:1980
-
\??\c:\vjvjj.exec:\vjvjj.exe118⤵PID:2992
-
\??\c:\jdjdv.exec:\jdjdv.exe119⤵PID:2508
-
\??\c:\9xrrxfr.exec:\9xrrxfr.exe120⤵PID:2528
-
\??\c:\1frrrxf.exec:\1frrrxf.exe121⤵PID:1968
-
\??\c:\dvddj.exec:\dvddj.exe122⤵PID:2052