Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 05:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6N.exe
-
Size
454KB
-
MD5
51d164a611df217c90d1c43df3f60a30
-
SHA1
591c68047794694e20bbf028e5e6df55ad3a5c11
-
SHA256
43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6
-
SHA512
426eefe977de1af40607e773dd0c07bbf42a702511ca522092efc1c190b739ac87471aac3654a5d9a94afdcd70b7bb828acf29da24502aba1056f66feac9d078
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/372-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3652-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2864-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-1816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-1868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2892 lxfxllf.exe 1556 6628004.exe 3696 dpjdv.exe 4948 3xrfxxr.exe 1548 lrlfrrf.exe 2460 08204.exe 4676 pjpjv.exe 1416 26860.exe 4092 42604.exe 1208 2086808.exe 2936 002628.exe 3120 3xlrxxf.exe 2812 04648.exe 2940 xxfxxll.exe 2980 llfxrrr.exe 4032 40604.exe 4068 g6460.exe 4792 80000.exe 1212 o622668.exe 2464 rxffxxr.exe 1916 4080460.exe 3392 048826.exe 220 5pvpj.exe 3280 q62826.exe 708 6248608.exe 1080 828282.exe 3652 pdjdp.exe 5048 c822802.exe 4996 rllfllf.exe 112 fflflfl.exe 3368 4624288.exe 4004 vjjdp.exe 1624 020088.exe 852 pppdp.exe 1728 jdpjd.exe 4484 frrlrrl.exe 1680 2604826.exe 3040 frfflfl.exe 1860 lflffff.exe 4736 28404.exe 4788 vpdvv.exe 4652 20228.exe 4708 86604.exe 3756 dpddv.exe 3068 pddvp.exe 3676 0248888.exe 4928 lxrxllx.exe 3784 m0600.exe 2108 46860.exe 4560 tnhnbn.exe 1420 1hbbtb.exe 3900 dvjjp.exe 1384 20086.exe 4052 6824024.exe 620 xlrlfxx.exe 552 nnbttn.exe 872 24604.exe 3764 26488.exe 2864 bttnhb.exe 4968 862828.exe 4520 xrrrffx.exe 2272 jddvp.exe 4092 280864.exe 2728 842264.exe -
resource yara_rule behavioral2/memory/372-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4996-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3280-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-826-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0040464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 372 wrote to memory of 2892 372 43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6N.exe 83 PID 372 wrote to memory of 2892 372 43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6N.exe 83 PID 372 wrote to memory of 2892 372 43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6N.exe 83 PID 2892 wrote to memory of 1556 2892 lxfxllf.exe 84 PID 2892 wrote to memory of 1556 2892 lxfxllf.exe 84 PID 2892 wrote to memory of 1556 2892 lxfxllf.exe 84 PID 1556 wrote to memory of 3696 1556 6628004.exe 85 PID 1556 wrote to memory of 3696 1556 6628004.exe 85 PID 1556 wrote to memory of 3696 1556 6628004.exe 85 PID 3696 wrote to memory of 4948 3696 dpjdv.exe 86 PID 3696 wrote to memory of 4948 3696 dpjdv.exe 86 PID 3696 wrote to memory of 4948 3696 dpjdv.exe 86 PID 4948 wrote to memory of 1548 4948 3xrfxxr.exe 87 PID 4948 wrote to memory of 1548 4948 3xrfxxr.exe 87 PID 4948 wrote to memory of 1548 4948 3xrfxxr.exe 87 PID 1548 wrote to memory of 2460 1548 lrlfrrf.exe 88 PID 1548 wrote to memory of 2460 1548 lrlfrrf.exe 88 PID 1548 wrote to memory of 2460 1548 lrlfrrf.exe 88 PID 2460 wrote to memory of 4676 2460 08204.exe 89 PID 2460 wrote to memory of 4676 2460 08204.exe 89 PID 2460 wrote to memory of 4676 2460 08204.exe 89 PID 4676 wrote to memory of 1416 4676 pjpjv.exe 90 PID 4676 wrote to memory of 1416 4676 pjpjv.exe 90 PID 4676 wrote to memory of 1416 4676 pjpjv.exe 90 PID 1416 wrote to memory of 4092 1416 26860.exe 91 PID 1416 wrote to memory of 4092 1416 26860.exe 91 PID 1416 wrote to memory of 4092 1416 26860.exe 91 PID 4092 wrote to memory of 1208 4092 42604.exe 92 PID 4092 wrote to memory of 1208 4092 42604.exe 92 PID 4092 wrote to memory of 1208 4092 42604.exe 92 PID 1208 wrote to memory of 2936 1208 2086808.exe 93 PID 1208 wrote to memory of 2936 1208 2086808.exe 93 PID 1208 wrote to memory of 2936 1208 2086808.exe 93 PID 2936 wrote to memory of 3120 2936 002628.exe 94 PID 2936 wrote to 
memory of 3120 2936 002628.exe 94 PID 2936 wrote to memory of 3120 2936 002628.exe 94 PID 3120 wrote to memory of 2812 3120 3xlrxxf.exe 95 PID 3120 wrote to memory of 2812 3120 3xlrxxf.exe 95 PID 3120 wrote to memory of 2812 3120 3xlrxxf.exe 95 PID 2812 wrote to memory of 2940 2812 04648.exe 96 PID 2812 wrote to memory of 2940 2812 04648.exe 96 PID 2812 wrote to memory of 2940 2812 04648.exe 96 PID 2940 wrote to memory of 2980 2940 xxfxxll.exe 97 PID 2940 wrote to memory of 2980 2940 xxfxxll.exe 97 PID 2940 wrote to memory of 2980 2940 xxfxxll.exe 97 PID 2980 wrote to memory of 4032 2980 llfxrrr.exe 98 PID 2980 wrote to memory of 4032 2980 llfxrrr.exe 98 PID 2980 wrote to memory of 4032 2980 llfxrrr.exe 98 PID 4032 wrote to memory of 4068 4032 40604.exe 99 PID 4032 wrote to memory of 4068 4032 40604.exe 99 PID 4032 wrote to memory of 4068 4032 40604.exe 99 PID 4068 wrote to memory of 4792 4068 g6460.exe 100 PID 4068 wrote to memory of 4792 4068 g6460.exe 100 PID 4068 wrote to memory of 4792 4068 g6460.exe 100 PID 4792 wrote to memory of 1212 4792 80000.exe 101 PID 4792 wrote to memory of 1212 4792 80000.exe 101 PID 4792 wrote to memory of 1212 4792 80000.exe 101 PID 1212 wrote to memory of 2464 1212 o622668.exe 102 PID 1212 wrote to memory of 2464 1212 o622668.exe 102 PID 1212 wrote to memory of 2464 1212 o622668.exe 102 PID 2464 wrote to memory of 1916 2464 rxffxxr.exe 103 PID 2464 wrote to memory of 1916 2464 rxffxxr.exe 103 PID 2464 wrote to memory of 1916 2464 rxffxxr.exe 103 PID 1916 wrote to memory of 3392 1916 4080460.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6N.exe"C:\Users\Admin\AppData\Local\Temp\43ee5d36da2b4f862e709eeca36f4150698e5cb0f8440900b0daa9df969c12a6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\lxfxllf.exec:\lxfxllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\6628004.exec:\6628004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\dpjdv.exec:\dpjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\3xrfxxr.exec:\3xrfxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\lrlfrrf.exec:\lrlfrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\08204.exec:\08204.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\pjpjv.exec:\pjpjv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\26860.exec:\26860.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\42604.exec:\42604.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\2086808.exec:\2086808.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\002628.exec:\002628.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\3xlrxxf.exec:\3xlrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\04648.exec:\04648.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xxfxxll.exec:\xxfxxll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\llfxrrr.exec:\llfxrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\40604.exec:\40604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\g6460.exec:\g6460.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\80000.exec:\80000.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\o622668.exec:\o622668.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\rxffxxr.exec:\rxffxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\4080460.exec:\4080460.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\048826.exec:\048826.exe23⤵
- Executes dropped EXE
PID:3392 -
\??\c:\5pvpj.exec:\5pvpj.exe24⤵
- Executes dropped EXE
PID:220 -
\??\c:\q62826.exec:\q62826.exe25⤵
- Executes dropped EXE
PID:3280 -
\??\c:\6248608.exec:\6248608.exe26⤵
- Executes dropped EXE
PID:708 -
\??\c:\828282.exec:\828282.exe27⤵
- Executes dropped EXE
PID:1080 -
\??\c:\pdjdp.exec:\pdjdp.exe28⤵
- Executes dropped EXE
PID:3652 -
\??\c:\c822802.exec:\c822802.exe29⤵
- Executes dropped EXE
PID:5048 -
\??\c:\rllfllf.exec:\rllfllf.exe30⤵
- Executes dropped EXE
PID:4996 -
\??\c:\fflflfl.exec:\fflflfl.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:112 -
\??\c:\4624288.exec:\4624288.exe32⤵
- Executes dropped EXE
PID:3368 -
\??\c:\vjjdp.exec:\vjjdp.exe33⤵
- Executes dropped EXE
PID:4004 -
\??\c:\020088.exec:\020088.exe34⤵
- Executes dropped EXE
PID:1624 -
\??\c:\pppdp.exec:\pppdp.exe35⤵
- Executes dropped EXE
PID:852 -
\??\c:\jdpjd.exec:\jdpjd.exe36⤵
- Executes dropped EXE
PID:1728 -
\??\c:\frrlrrl.exec:\frrlrrl.exe37⤵
- Executes dropped EXE
PID:4484 -
\??\c:\2604826.exec:\2604826.exe38⤵
- Executes dropped EXE
PID:1680 -
\??\c:\frfflfl.exec:\frfflfl.exe39⤵
- Executes dropped EXE
PID:3040 -
\??\c:\lflffff.exec:\lflffff.exe40⤵
- Executes dropped EXE
PID:1860 -
\??\c:\28404.exec:\28404.exe41⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vpdvv.exec:\vpdvv.exe42⤵
- Executes dropped EXE
PID:4788 -
\??\c:\20228.exec:\20228.exe43⤵
- Executes dropped EXE
PID:4652 -
\??\c:\86604.exec:\86604.exe44⤵
- Executes dropped EXE
PID:4708 -
\??\c:\dpddv.exec:\dpddv.exe45⤵
- Executes dropped EXE
PID:3756 -
\??\c:\pddvp.exec:\pddvp.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\0248888.exec:\0248888.exe47⤵
- Executes dropped EXE
PID:3676 -
\??\c:\lxrxllx.exec:\lxrxllx.exe48⤵
- Executes dropped EXE
PID:4928 -
\??\c:\m0600.exec:\m0600.exe49⤵
- Executes dropped EXE
PID:3784 -
\??\c:\46860.exec:\46860.exe50⤵
- Executes dropped EXE
PID:2108 -
\??\c:\028868.exec:\028868.exe51⤵PID:4592
-
\??\c:\tnhnbn.exec:\tnhnbn.exe52⤵
- Executes dropped EXE
PID:4560 -
\??\c:\1hbbtb.exec:\1hbbtb.exe53⤵
- Executes dropped EXE
PID:1420 -
\??\c:\dvjjp.exec:\dvjjp.exe54⤵
- Executes dropped EXE
PID:3900 -
\??\c:\20086.exec:\20086.exe55⤵
- Executes dropped EXE
PID:1384 -
\??\c:\6824024.exec:\6824024.exe56⤵
- Executes dropped EXE
PID:4052 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe57⤵
- Executes dropped EXE
PID:620 -
\??\c:\nnbttn.exec:\nnbttn.exe58⤵
- Executes dropped EXE
PID:552 -
\??\c:\24604.exec:\24604.exe59⤵
- Executes dropped EXE
PID:872 -
\??\c:\26488.exec:\26488.exe60⤵
- Executes dropped EXE
PID:3764 -
\??\c:\bttnhb.exec:\bttnhb.exe61⤵
- Executes dropped EXE
PID:2864 -
\??\c:\862828.exec:\862828.exe62⤵
- Executes dropped EXE
PID:4968 -
\??\c:\xrrrffx.exec:\xrrrffx.exe63⤵
- Executes dropped EXE
PID:4520 -
\??\c:\jddvp.exec:\jddvp.exe64⤵
- Executes dropped EXE
PID:2272 -
\??\c:\280864.exec:\280864.exe65⤵
- Executes dropped EXE
PID:4092 -
\??\c:\842264.exec:\842264.exe66⤵
- Executes dropped EXE
PID:2728 -
\??\c:\462200.exec:\462200.exe67⤵PID:3796
-
\??\c:\pjpvp.exec:\pjpvp.exe68⤵PID:2572
-
\??\c:\hbbnht.exec:\hbbnht.exe69⤵PID:1512
-
\??\c:\bhhbtb.exec:\bhhbtb.exe70⤵PID:4912
-
\??\c:\ddpdj.exec:\ddpdj.exe71⤵PID:1508
-
\??\c:\7jdpj.exec:\7jdpj.exe72⤵PID:3220
-
\??\c:\422688.exec:\422688.exe73⤵PID:432
-
\??\c:\vddvd.exec:\vddvd.exe74⤵PID:696
-
\??\c:\i448244.exec:\i448244.exe75⤵PID:3540
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe76⤵PID:4660
-
\??\c:\vjpjv.exec:\vjpjv.exe77⤵PID:1212
-
\??\c:\htnbtn.exec:\htnbtn.exe78⤵PID:2236
-
\??\c:\jdjdd.exec:\jdjdd.exe79⤵PID:1132
-
\??\c:\08246.exec:\08246.exe80⤵PID:3400
-
\??\c:\c844264.exec:\c844264.exe81⤵PID:3484
-
\??\c:\222860.exec:\222860.exe82⤵PID:2300
-
\??\c:\866040.exec:\866040.exe83⤵PID:940
-
\??\c:\hbntbt.exec:\hbntbt.exe84⤵PID:3280
-
\??\c:\1bthtn.exec:\1bthtn.exe85⤵PID:4932
-
\??\c:\4424646.exec:\4424646.exe86⤵PID:2696
-
\??\c:\nhtnnn.exec:\nhtnnn.exe87⤵PID:1080
-
\??\c:\840048.exec:\840048.exe88⤵PID:4048
-
\??\c:\062608.exec:\062608.exe89⤵PID:3364
-
\??\c:\o426682.exec:\o426682.exe90⤵PID:1836
-
\??\c:\bnttnh.exec:\bnttnh.exe91⤵PID:1492
-
\??\c:\u280246.exec:\u280246.exe92⤵PID:4064
-
\??\c:\jppjv.exec:\jppjv.exe93⤵PID:112
-
\??\c:\0040464.exec:\0040464.exe94⤵
- System Location Discovery: System Language Discovery
PID:4004 -
\??\c:\640088.exec:\640088.exe95⤵PID:1576
-
\??\c:\w24604.exec:\w24604.exe96⤵PID:4724
-
\??\c:\4282042.exec:\4282042.exe97⤵PID:852
-
\??\c:\1nhbnn.exec:\1nhbnn.exe98⤵PID:2364
-
\??\c:\djpdp.exec:\djpdp.exe99⤵PID:1728
-
\??\c:\0660820.exec:\0660820.exe100⤵PID:1904
-
\??\c:\2088884.exec:\2088884.exe101⤵PID:2268
-
\??\c:\828604.exec:\828604.exe102⤵PID:3040
-
\??\c:\lxlffxl.exec:\lxlffxl.exe103⤵PID:3560
-
\??\c:\o648046.exec:\o648046.exe104⤵PID:1136
-
\??\c:\9bbthh.exec:\9bbthh.exe105⤵PID:2324
-
\??\c:\806022.exec:\806022.exe106⤵PID:4652
-
\??\c:\084488.exec:\084488.exe107⤵PID:4708
-
\??\c:\vdpvp.exec:\vdpvp.exe108⤵PID:3756
-
\??\c:\vjpdd.exec:\vjpdd.exe109⤵PID:3068
-
\??\c:\40642.exec:\40642.exe110⤵PID:3676
-
\??\c:\204466.exec:\204466.exe111⤵PID:4712
-
\??\c:\w62604.exec:\w62604.exe112⤵PID:1732
-
\??\c:\pjdjv.exec:\pjdjv.exe113⤵PID:4444
-
\??\c:\pdjdp.exec:\pdjdp.exe114⤵PID:2284
-
\??\c:\7ddpp.exec:\7ddpp.exe115⤵PID:1708
-
\??\c:\08800.exec:\08800.exe116⤵PID:116
-
\??\c:\lxfrfxr.exec:\lxfrfxr.exe117⤵PID:3696
-
\??\c:\066080.exec:\066080.exe118⤵PID:4244
-
\??\c:\0244888.exec:\0244888.exe119⤵PID:1384
-
\??\c:\frlfxlf.exec:\frlfxlf.exe120⤵PID:4052
-
\??\c:\080808.exec:\080808.exe121⤵PID:1412
-
\??\c:\8026482.exec:\8026482.exe122⤵PID:4372