Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:24
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
(Note: the task listed here is the Windows 7 run; every signature result shown below is tagged behavioral2, which matches the Windows 10 2004 x64 platform in the Analysis header above, so the IoCs on this page appear to come from that sibling task rather than from behavioral1.)
General
-
Target
43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe
-
Size
456KB
-
MD5
064a819bed9a53bf2ee7eff80c79efa0
-
SHA1
77224ff128faa864bedb73de7561ed3c3e32ea4a
-
SHA256
43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f
-
SHA512
48f4c654f51396ad6d07eae2b92fa40e12d891eaebcff08616bd057adaf84a714ab3d7d5d3495d2e12ad0ddede7789f7141273cc6f649f3e42e5ed0cbc7551ac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRo:q7Tc2NYHUrAwfMp3CDRo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4040-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/236-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2168-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2240-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-930-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-995-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-1071-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs are reused within this run — e.g. 4932, 3848, 3388, 3516, 236, 2240 and 4376 each appear twice in the process tree below — so correlate these findings by parent→child chain and execution order, not by PID alone)
pid Process 4608 4222666.exe 4932 rlrlllf.exe 3556 ffxrllf.exe 4408 jjpjv.exe 1140 62442.exe 3848 7jppj.exe 5004 4060048.exe 3388 0626000.exe 3516 lfrxxxf.exe 808 8888226.exe 4336 3nnntn.exe 236 6842660.exe 2992 c686004.exe 2244 048620.exe 3692 64640.exe 4280 tbnbnh.exe 1176 1hnbhb.exe 1404 vpjdd.exe 2388 tttnhb.exe 4376 6220864.exe 892 dvvjv.exe 664 pdpdv.exe 1056 q06040.exe 4168 466420.exe 2644 hbbntn.exe 3624 1vdpj.exe 2240 vddjv.exe 2168 bnhtht.exe 4532 806008.exe 1920 bbbhbn.exe 2344 04662.exe 3004 0860866.exe 1576 6624242.exe 1688 1nhhtn.exe 3644 8820202.exe 1164 djvpd.exe 1532 46480.exe 1616 646886.exe 2796 xxrfrlr.exe 4368 6482644.exe 4784 xrfxlfx.exe 3472 dppdp.exe 4544 rxfrfrl.exe 1900 s2864.exe 4428 xxxrlfx.exe 1168 g8648.exe 3144 2004440.exe 4492 224040.exe 4932 xrfxrrl.exe 2724 bbnhbt.exe 4520 fffxlfx.exe 1788 a4600.exe 2840 lxfxlfr.exe 4508 0042086.exe 2140 nnhbtn.exe 3848 5tnhbt.exe 2488 xrlrlfl.exe 2176 1rfrfrf.exe 3388 dpdpd.exe 1316 880082.exe 2224 tbnbth.exe 764 frfrfxl.exe 2984 k84664.exe 3476 xrlffxl.exe -
resource yara_rule behavioral2/memory/4040-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/236-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/236-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2240-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4532-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-810-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the key read here (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also queried by ordinary locale initialization, so on its own this is a low-confidence indicator; treat it as corroborating context for the Blackmoon and dropped-EXE findings above rather than as a standalone detection.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i082664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 460864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 242686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4040 wrote to memory of 4608 4040 43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe 85 PID 4040 wrote to memory of 4608 4040 43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe 85 PID 4040 wrote to memory of 4608 4040 43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe 85 PID 4608 wrote to memory of 4932 4608 4222666.exe 86 PID 4608 wrote to memory of 4932 4608 4222666.exe 86 PID 4608 wrote to memory of 4932 4608 4222666.exe 86 PID 4932 wrote to memory of 3556 4932 rlrlllf.exe 87 PID 4932 wrote to memory of 3556 4932 rlrlllf.exe 87 PID 4932 wrote to memory of 3556 4932 rlrlllf.exe 87 PID 3556 wrote to memory of 4408 3556 ffxrllf.exe 88 PID 3556 wrote to memory of 4408 3556 ffxrllf.exe 88 PID 3556 wrote to memory of 4408 3556 ffxrllf.exe 88 PID 4408 wrote to memory of 1140 4408 jjpjv.exe 89 PID 4408 wrote to memory of 1140 4408 jjpjv.exe 89 PID 4408 wrote to memory of 1140 4408 jjpjv.exe 89 PID 1140 wrote to memory of 3848 1140 62442.exe 90 PID 1140 wrote to memory of 3848 1140 62442.exe 90 PID 1140 wrote to memory of 3848 1140 62442.exe 90 PID 3848 wrote to memory of 5004 3848 7jppj.exe 91 PID 3848 wrote to memory of 5004 3848 7jppj.exe 91 PID 3848 wrote to memory of 5004 3848 7jppj.exe 91 PID 5004 wrote to memory of 3388 5004 4060048.exe 92 PID 5004 wrote to memory of 3388 5004 4060048.exe 92 PID 5004 wrote to memory of 3388 5004 4060048.exe 92 PID 3388 wrote to memory of 3516 3388 0626000.exe 93 PID 3388 wrote to memory of 3516 3388 0626000.exe 93 PID 3388 wrote to memory of 3516 3388 0626000.exe 93 PID 3516 wrote to memory of 808 3516 lfrxxxf.exe 94 PID 3516 wrote to memory of 808 3516 lfrxxxf.exe 94 PID 3516 wrote to memory of 808 3516 lfrxxxf.exe 94 PID 808 wrote to memory of 4336 808 8888226.exe 95 PID 808 wrote to memory of 4336 808 8888226.exe 95 PID 808 wrote to memory of 4336 808 8888226.exe 95 PID 4336 wrote to memory of 236 4336 3nnntn.exe 96 PID 4336 wrote to 
memory of 236 4336 3nnntn.exe 96 PID 4336 wrote to memory of 236 4336 3nnntn.exe 96 PID 236 wrote to memory of 2992 236 6842660.exe 97 PID 236 wrote to memory of 2992 236 6842660.exe 97 PID 236 wrote to memory of 2992 236 6842660.exe 97 PID 2992 wrote to memory of 2244 2992 c686004.exe 98 PID 2992 wrote to memory of 2244 2992 c686004.exe 98 PID 2992 wrote to memory of 2244 2992 c686004.exe 98 PID 2244 wrote to memory of 3692 2244 048620.exe 99 PID 2244 wrote to memory of 3692 2244 048620.exe 99 PID 2244 wrote to memory of 3692 2244 048620.exe 99 PID 3692 wrote to memory of 4280 3692 64640.exe 100 PID 3692 wrote to memory of 4280 3692 64640.exe 100 PID 3692 wrote to memory of 4280 3692 64640.exe 100 PID 4280 wrote to memory of 1176 4280 tbnbnh.exe 101 PID 4280 wrote to memory of 1176 4280 tbnbnh.exe 101 PID 4280 wrote to memory of 1176 4280 tbnbnh.exe 101 PID 1176 wrote to memory of 1404 1176 1hnbhb.exe 102 PID 1176 wrote to memory of 1404 1176 1hnbhb.exe 102 PID 1176 wrote to memory of 1404 1176 1hnbhb.exe 102 PID 1404 wrote to memory of 2388 1404 vpjdd.exe 103 PID 1404 wrote to memory of 2388 1404 vpjdd.exe 103 PID 1404 wrote to memory of 2388 1404 vpjdd.exe 103 PID 2388 wrote to memory of 4376 2388 tttnhb.exe 104 PID 2388 wrote to memory of 4376 2388 tttnhb.exe 104 PID 2388 wrote to memory of 4376 2388 tttnhb.exe 104 PID 4376 wrote to memory of 892 4376 6220864.exe 105 PID 4376 wrote to memory of 892 4376 6220864.exe 105 PID 4376 wrote to memory of 892 4376 6220864.exe 105 PID 892 wrote to memory of 664 892 dvvjv.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe"C:\Users\Admin\AppData\Local\Temp\43b11c1aed3239751598eb1d50118576067accec4b0197a338b3205449cb6a1f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\4222666.exec:\4222666.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\rlrlllf.exec:\rlrlllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\ffxrllf.exec:\ffxrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\jjpjv.exec:\jjpjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\62442.exec:\62442.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\7jppj.exec:\7jppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\4060048.exec:\4060048.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\0626000.exec:\0626000.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\lfrxxxf.exec:\lfrxxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\8888226.exec:\8888226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\3nnntn.exec:\3nnntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\6842660.exec:\6842660.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:236 -
\??\c:\c686004.exec:\c686004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\048620.exec:\048620.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\64640.exec:\64640.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\tbnbnh.exec:\tbnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\1hnbhb.exec:\1hnbhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\vpjdd.exec:\vpjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\tttnhb.exec:\tttnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\6220864.exec:\6220864.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\dvvjv.exec:\dvvjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\pdpdv.exec:\pdpdv.exe23⤵
- Executes dropped EXE
PID:664 -
\??\c:\q06040.exec:\q06040.exe24⤵
- Executes dropped EXE
PID:1056 -
\??\c:\466420.exec:\466420.exe25⤵
- Executes dropped EXE
PID:4168 -
\??\c:\hbbntn.exec:\hbbntn.exe26⤵
- Executes dropped EXE
PID:2644 -
\??\c:\1vdpj.exec:\1vdpj.exe27⤵
- Executes dropped EXE
PID:3624 -
\??\c:\vddjv.exec:\vddjv.exe28⤵
- Executes dropped EXE
PID:2240 -
\??\c:\bnhtht.exec:\bnhtht.exe29⤵
- Executes dropped EXE
PID:2168 -
\??\c:\806008.exec:\806008.exe30⤵
- Executes dropped EXE
PID:4532 -
\??\c:\bbbhbn.exec:\bbbhbn.exe31⤵
- Executes dropped EXE
PID:1920 -
\??\c:\04662.exec:\04662.exe32⤵
- Executes dropped EXE
PID:2344 -
\??\c:\0860866.exec:\0860866.exe33⤵
- Executes dropped EXE
PID:3004 -
\??\c:\6624242.exec:\6624242.exe34⤵
- Executes dropped EXE
PID:1576 -
\??\c:\1nhhtn.exec:\1nhhtn.exe35⤵
- Executes dropped EXE
PID:1688 -
\??\c:\8820202.exec:\8820202.exe36⤵
- Executes dropped EXE
PID:3644 -
\??\c:\djvpd.exec:\djvpd.exe37⤵
- Executes dropped EXE
PID:1164 -
\??\c:\46480.exec:\46480.exe38⤵
- Executes dropped EXE
PID:1532 -
\??\c:\646886.exec:\646886.exe39⤵
- Executes dropped EXE
PID:1616 -
\??\c:\xxrfrlr.exec:\xxrfrlr.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\6482644.exec:\6482644.exe41⤵
- Executes dropped EXE
PID:4368 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe42⤵
- Executes dropped EXE
PID:4784 -
\??\c:\dppdp.exec:\dppdp.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3472 -
\??\c:\rxfrfrl.exec:\rxfrfrl.exe44⤵
- Executes dropped EXE
PID:4544 -
\??\c:\s2864.exec:\s2864.exe45⤵
- Executes dropped EXE
PID:1900 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe46⤵
- Executes dropped EXE
PID:4428 -
\??\c:\g8648.exec:\g8648.exe47⤵
- Executes dropped EXE
PID:1168 -
\??\c:\2004440.exec:\2004440.exe48⤵
- Executes dropped EXE
PID:3144 -
\??\c:\224040.exec:\224040.exe49⤵
- Executes dropped EXE
PID:4492 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe50⤵
- Executes dropped EXE
PID:4932 -
\??\c:\bbnhbt.exec:\bbnhbt.exe51⤵
- Executes dropped EXE
PID:2724 -
\??\c:\fffxlfx.exec:\fffxlfx.exe52⤵
- Executes dropped EXE
PID:4520 -
\??\c:\a4600.exec:\a4600.exe53⤵
- Executes dropped EXE
PID:1788 -
\??\c:\lxfxlfr.exec:\lxfxlfr.exe54⤵
- Executes dropped EXE
PID:2840 -
\??\c:\0042086.exec:\0042086.exe55⤵
- Executes dropped EXE
PID:4508 -
\??\c:\nnhbtn.exec:\nnhbtn.exe56⤵
- Executes dropped EXE
PID:2140 -
\??\c:\5tnhbt.exec:\5tnhbt.exe57⤵
- Executes dropped EXE
PID:3848 -
\??\c:\xrlrlfl.exec:\xrlrlfl.exe58⤵
- Executes dropped EXE
PID:2488 -
\??\c:\1rfrfrf.exec:\1rfrfrf.exe59⤵
- Executes dropped EXE
PID:2176 -
\??\c:\dpdpd.exec:\dpdpd.exe60⤵
- Executes dropped EXE
PID:3388 -
\??\c:\880082.exec:\880082.exe61⤵
- Executes dropped EXE
PID:1316 -
\??\c:\tbnbth.exec:\tbnbth.exe62⤵
- Executes dropped EXE
PID:2224 -
\??\c:\frfrfxl.exec:\frfrfxl.exe63⤵
- Executes dropped EXE
PID:764 -
\??\c:\k84664.exec:\k84664.exe64⤵
- Executes dropped EXE
PID:2984 -
\??\c:\xrlffxl.exec:\xrlffxl.exe65⤵
- Executes dropped EXE
PID:3476 -
\??\c:\6486020.exec:\6486020.exe66⤵PID:236
-
\??\c:\c242666.exec:\c242666.exe67⤵PID:1080
-
\??\c:\nhnhbb.exec:\nhnhbb.exe68⤵PID:2188
-
\??\c:\5pjvd.exec:\5pjvd.exe69⤵PID:3540
-
\??\c:\ntbtnn.exec:\ntbtnn.exe70⤵PID:3648
-
\??\c:\vjpvv.exec:\vjpvv.exe71⤵PID:884
-
\??\c:\44868.exec:\44868.exe72⤵PID:4120
-
\??\c:\lxffrrf.exec:\lxffrrf.exe73⤵PID:2212
-
\??\c:\8042086.exec:\8042086.exe74⤵PID:5096
-
\??\c:\826044.exec:\826044.exe75⤵PID:3560
-
\??\c:\62886.exec:\62886.exe76⤵
- System Location Discovery: System Language Discovery
PID:4376 -
\??\c:\428626.exec:\428626.exe77⤵PID:1784
-
\??\c:\0804226.exec:\0804226.exe78⤵PID:4328
-
\??\c:\nbtntn.exec:\nbtntn.exe79⤵PID:2896
-
\??\c:\600046.exec:\600046.exe80⤵PID:3984
-
\??\c:\w88882.exec:\w88882.exe81⤵PID:3296
-
\??\c:\thtnnn.exec:\thtnnn.exe82⤵PID:3032
-
\??\c:\jjpjd.exec:\jjpjd.exe83⤵PID:476
-
\??\c:\000864.exec:\000864.exe84⤵PID:2928
-
\??\c:\jpvdv.exec:\jpvdv.exe85⤵PID:3624
-
\??\c:\20648.exec:\20648.exe86⤵PID:2240
-
\??\c:\rlfrxff.exec:\rlfrxff.exe87⤵PID:2168
-
\??\c:\vpdvp.exec:\vpdvp.exe88⤵PID:3188
-
\??\c:\462622.exec:\462622.exe89⤵PID:4532
-
\??\c:\1pdpd.exec:\1pdpd.exe90⤵PID:552
-
\??\c:\40642.exec:\40642.exe91⤵PID:4936
-
\??\c:\k66048.exec:\k66048.exe92⤵PID:4952
-
\??\c:\pvjdv.exec:\pvjdv.exe93⤵PID:1940
-
\??\c:\jjdvj.exec:\jjdvj.exe94⤵PID:3160
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe95⤵PID:220
-
\??\c:\w40044.exec:\w40044.exe96⤵PID:3644
-
\??\c:\200400.exec:\200400.exe97⤵PID:1164
-
\??\c:\7thtnt.exec:\7thtnt.exe98⤵PID:1044
-
\??\c:\tnbnbt.exec:\tnbnbt.exe99⤵PID:3216
-
\??\c:\448682.exec:\448682.exe100⤵PID:4636
-
\??\c:\862660.exec:\862660.exe101⤵PID:5024
-
\??\c:\00486.exec:\00486.exe102⤵PID:4640
-
\??\c:\vpppp.exec:\vpppp.exe103⤵PID:4724
-
\??\c:\6046044.exec:\6046044.exe104⤵PID:116
-
\??\c:\60022.exec:\60022.exe105⤵PID:2800
-
\??\c:\hhhbbt.exec:\hhhbbt.exe106⤵PID:472
-
\??\c:\ffxxrlr.exec:\ffxxrlr.exe107⤵PID:272
-
\??\c:\pvvpj.exec:\pvvpj.exe108⤵PID:2732
-
\??\c:\jvjjd.exec:\jvjjd.exe109⤵PID:3988
-
\??\c:\i064886.exec:\i064886.exe110⤵PID:3856
-
\??\c:\tnnhhh.exec:\tnnhhh.exe111⤵PID:3420
-
\??\c:\rlxrxrr.exec:\rlxrxrr.exe112⤵PID:2196
-
\??\c:\40826.exec:\40826.exe113⤵PID:1916
-
\??\c:\bttttt.exec:\bttttt.exe114⤵PID:2472
-
\??\c:\u888266.exec:\u888266.exe115⤵PID:4704
-
\??\c:\806868.exec:\806868.exe116⤵PID:4316
-
\??\c:\866004.exec:\866004.exe117⤵PID:5020
-
\??\c:\8260060.exec:\8260060.exe118⤵PID:4304
-
\??\c:\9rffxxl.exec:\9rffxxl.exe119⤵PID:700
-
\??\c:\jjvdd.exec:\jjvdd.exe120⤵PID:2144
-
\??\c:\428204.exec:\428204.exe121⤵PID:2728
-
\??\c:\jjdvp.exec:\jjdvp.exe122⤵PID:3516