Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 22:29
Static task
static1
1 signature
Behavioral task
behavioral1 (Windows 7 task; note that every signature hit and the process tree below are tagged behavioral2, i.e. they come from the Windows 10 run described in the Analysis header above, not from this task)
Sample
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe
-
Size
455KB
-
MD5
e0d00ed264faec5d76d903c971c763e0
-
SHA1
ad09bd392b05e1e7363977bb402f5fb82ff0e1b7
-
SHA256
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2
-
SHA512
92da5a8971317a490735ef7fbce0ff19a513c585adb5f279e4e015d39fef09cadd399e67311eb4b03c8ea9644b3332db6363b262714ad2b1a9e3bdd6cc3f0a81
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (every hit is on an in-memory dump of the 0x0000000000400000–0x000000000042A000 image region of a dropped process, i.e. on code after it has been unpacked in memory; the `upx` YARA hits on the same regions below indicate UPX packing, so file-based signatures written against the packed on-disk sample may not match)
resource yara_rule behavioral2/memory/5104-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4420-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4252-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-1030-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each dropped file is written to the root of the C: drive under a short pseudo-random name, e.g. c:\pdjvj.exe, and every process spawns exactly one successor, forming a single linear chain more than 120 processes deep; the identical 0x400000–0x42A000 memory footprint in every process suggests each drop is a copy of the same payload — unsigned executables created and launched from the drive root are the practical detection point here)
pid Process 3096 pdjvj.exe 1396 60268.exe 2004 pdvjd.exe 4428 a2482.exe 1180 840484.exe 4440 ththbb.exe 5060 828282.exe 1764 xfrlllf.exe 2128 660488.exe 4104 vjvpj.exe 4252 06264.exe 3108 tttbbn.exe 3204 rfrrlff.exe 3016 vpvvp.exe 2024 rfllxxr.exe 4836 8628266.exe 2188 pjjpp.exe 3644 8026260.exe 4488 xrrxrff.exe 4272 60226.exe 4116 2682228.exe 1696 q60422.exe 312 866004.exe 4780 dvvpj.exe 2080 08482.exe 4148 82888.exe 368 dpddj.exe 1432 g0200.exe 4992 tnbttn.exe 1196 s6606.exe 5088 866644.exe 2692 rxffrff.exe 2484 dvdvp.exe 2724 q62426.exe 3940 htbnhb.exe 3516 62248.exe 4456 rxfxrlf.exe 4468 jjvjd.exe 2384 1hnhtt.exe 1500 tntnnb.exe 5092 2064882.exe 4604 w40044.exe 1872 428822.exe 4420 lflfxfx.exe 3284 82604.exe 4276 g4448.exe 3324 6662686.exe 4376 pjpvp.exe 1968 g6260.exe 3892 xfrlffx.exe 1352 bntnhb.exe 4768 02482.exe 3992 ffxrxrl.exe 1536 g6282.exe 4464 0448226.exe 1632 rfxfrlr.exe 4564 i282266.exe 4572 62820.exe 3876 nnnnnn.exe 2812 6004444.exe 3240 pvjdd.exe 4976 4222600.exe 2644 882600.exe 1868 tbhtnn.exe -
resource yara_rule behavioral2/memory/5104-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-234-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4604-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/984-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-856-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: the only evidence is an open of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key, which many benign programs also read for locale lookups, so on its own this is a weak indicator and is only meaningful in combination with the dropper chain above. Entries attributed to "Process not Found" appear to be reads whose originating process had already exited before the sandbox could resolve its PID, so those cannot be tied to a specific dropped executable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs (caveat: every target PID listed is the writer's own direct child in the process tree below, recorded three times per parent→child pair; this pattern is consistent with the writes that accompany creating the next-stage process, not with injection into an unrelated or system process, so it should not be read as evidence of process injection by itself)
description pid Process procid_target PID 5104 wrote to memory of 3096 5104 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 83 PID 5104 wrote to memory of 3096 5104 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 83 PID 5104 wrote to memory of 3096 5104 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 83 PID 3096 wrote to memory of 1396 3096 pdjvj.exe 84 PID 3096 wrote to memory of 1396 3096 pdjvj.exe 84 PID 3096 wrote to memory of 1396 3096 pdjvj.exe 84 PID 1396 wrote to memory of 2004 1396 60268.exe 85 PID 1396 wrote to memory of 2004 1396 60268.exe 85 PID 1396 wrote to memory of 2004 1396 60268.exe 85 PID 2004 wrote to memory of 4428 2004 pdvjd.exe 86 PID 2004 wrote to memory of 4428 2004 pdvjd.exe 86 PID 2004 wrote to memory of 4428 2004 pdvjd.exe 86 PID 4428 wrote to memory of 1180 4428 a2482.exe 87 PID 4428 wrote to memory of 1180 4428 a2482.exe 87 PID 4428 wrote to memory of 1180 4428 a2482.exe 87 PID 1180 wrote to memory of 4440 1180 840484.exe 88 PID 1180 wrote to memory of 4440 1180 840484.exe 88 PID 1180 wrote to memory of 4440 1180 840484.exe 88 PID 4440 wrote to memory of 5060 4440 ththbb.exe 89 PID 4440 wrote to memory of 5060 4440 ththbb.exe 89 PID 4440 wrote to memory of 5060 4440 ththbb.exe 89 PID 5060 wrote to memory of 1764 5060 828282.exe 90 PID 5060 wrote to memory of 1764 5060 828282.exe 90 PID 5060 wrote to memory of 1764 5060 828282.exe 90 PID 1764 wrote to memory of 2128 1764 xfrlllf.exe 91 PID 1764 wrote to memory of 2128 1764 xfrlllf.exe 91 PID 1764 wrote to memory of 2128 1764 xfrlllf.exe 91 PID 2128 wrote to memory of 4104 2128 660488.exe 92 PID 2128 wrote to memory of 4104 2128 660488.exe 92 PID 2128 wrote to memory of 4104 2128 660488.exe 92 PID 4104 wrote to memory of 4252 4104 vjvpj.exe 93 PID 4104 wrote to memory of 4252 4104 vjvpj.exe 93 PID 4104 wrote to memory of 4252 4104 vjvpj.exe 93 PID 4252 wrote to memory of 3108 4252 06264.exe 94 PID 4252 wrote to memory of 3108 
4252 06264.exe 94 PID 4252 wrote to memory of 3108 4252 06264.exe 94 PID 3108 wrote to memory of 3204 3108 tttbbn.exe 95 PID 3108 wrote to memory of 3204 3108 tttbbn.exe 95 PID 3108 wrote to memory of 3204 3108 tttbbn.exe 95 PID 3204 wrote to memory of 3016 3204 rfrrlff.exe 96 PID 3204 wrote to memory of 3016 3204 rfrrlff.exe 96 PID 3204 wrote to memory of 3016 3204 rfrrlff.exe 96 PID 3016 wrote to memory of 2024 3016 vpvvp.exe 97 PID 3016 wrote to memory of 2024 3016 vpvvp.exe 97 PID 3016 wrote to memory of 2024 3016 vpvvp.exe 97 PID 2024 wrote to memory of 4836 2024 rfllxxr.exe 155 PID 2024 wrote to memory of 4836 2024 rfllxxr.exe 155 PID 2024 wrote to memory of 4836 2024 rfllxxr.exe 155 PID 4836 wrote to memory of 2188 4836 8628266.exe 99 PID 4836 wrote to memory of 2188 4836 8628266.exe 99 PID 4836 wrote to memory of 2188 4836 8628266.exe 99 PID 2188 wrote to memory of 3644 2188 pjjpp.exe 157 PID 2188 wrote to memory of 3644 2188 pjjpp.exe 157 PID 2188 wrote to memory of 3644 2188 pjjpp.exe 157 PID 3644 wrote to memory of 4488 3644 8026260.exe 158 PID 3644 wrote to memory of 4488 3644 8026260.exe 158 PID 3644 wrote to memory of 4488 3644 8026260.exe 158 PID 4488 wrote to memory of 4272 4488 xrrxrff.exe 102 PID 4488 wrote to memory of 4272 4488 xrrxrff.exe 102 PID 4488 wrote to memory of 4272 4488 xrrxrff.exe 102 PID 4272 wrote to memory of 4116 4272 60226.exe 103 PID 4272 wrote to memory of 4116 4272 60226.exe 103 PID 4272 wrote to memory of 4116 4272 60226.exe 103 PID 4116 wrote to memory of 1696 4116 2682228.exe 160
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe"C:\Users\Admin\AppData\Local\Temp\bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\pdjvj.exec:\pdjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\60268.exec:\60268.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\pdvjd.exec:\pdvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\a2482.exec:\a2482.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\840484.exec:\840484.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\ththbb.exec:\ththbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\828282.exec:\828282.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\xfrlllf.exec:\xfrlllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\660488.exec:\660488.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\vjvpj.exec:\vjvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\06264.exec:\06264.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\tttbbn.exec:\tttbbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\rfrrlff.exec:\rfrrlff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\vpvvp.exec:\vpvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\rfllxxr.exec:\rfllxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\8628266.exec:\8628266.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\pjjpp.exec:\pjjpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\8026260.exec:\8026260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\xrrxrff.exec:\xrrxrff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\60226.exec:\60226.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\2682228.exec:\2682228.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\q60422.exec:\q60422.exe23⤵
- Executes dropped EXE
PID:1696 -
\??\c:\866004.exec:\866004.exe24⤵
- Executes dropped EXE
PID:312 -
\??\c:\dvvpj.exec:\dvvpj.exe25⤵
- Executes dropped EXE
PID:4780 -
\??\c:\08482.exec:\08482.exe26⤵
- Executes dropped EXE
PID:2080 -
\??\c:\82888.exec:\82888.exe27⤵
- Executes dropped EXE
PID:4148 -
\??\c:\dpddj.exec:\dpddj.exe28⤵
- Executes dropped EXE
PID:368 -
\??\c:\g0200.exec:\g0200.exe29⤵
- Executes dropped EXE
PID:1432 -
\??\c:\tnbttn.exec:\tnbttn.exe30⤵
- Executes dropped EXE
PID:4992 -
\??\c:\s6606.exec:\s6606.exe31⤵
- Executes dropped EXE
PID:1196 -
\??\c:\866644.exec:\866644.exe32⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rxffrff.exec:\rxffrff.exe33⤵
- Executes dropped EXE
PID:2692 -
\??\c:\dvdvp.exec:\dvdvp.exe34⤵
- Executes dropped EXE
PID:2484 -
\??\c:\q62426.exec:\q62426.exe35⤵
- Executes dropped EXE
PID:2724 -
\??\c:\htbnhb.exec:\htbnhb.exe36⤵
- Executes dropped EXE
PID:3940 -
\??\c:\62248.exec:\62248.exe37⤵
- Executes dropped EXE
PID:3516 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe38⤵
- Executes dropped EXE
PID:4456 -
\??\c:\jjvjd.exec:\jjvjd.exe39⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1hnhtt.exec:\1hnhtt.exe40⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tntnnb.exec:\tntnnb.exe41⤵
- Executes dropped EXE
PID:1500 -
\??\c:\2064882.exec:\2064882.exe42⤵
- Executes dropped EXE
PID:5092 -
\??\c:\w40044.exec:\w40044.exe43⤵
- Executes dropped EXE
PID:4604 -
\??\c:\428822.exec:\428822.exe44⤵
- Executes dropped EXE
PID:1872 -
\??\c:\lflfxfx.exec:\lflfxfx.exe45⤵
- Executes dropped EXE
PID:4420 -
\??\c:\82604.exec:\82604.exe46⤵
- Executes dropped EXE
PID:3284 -
\??\c:\g4448.exec:\g4448.exe47⤵
- Executes dropped EXE
PID:4276 -
\??\c:\6662686.exec:\6662686.exe48⤵
- Executes dropped EXE
PID:3324 -
\??\c:\pjpvp.exec:\pjpvp.exe49⤵
- Executes dropped EXE
PID:4376 -
\??\c:\g6260.exec:\g6260.exe50⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xfrlffx.exec:\xfrlffx.exe51⤵
- Executes dropped EXE
PID:3892 -
\??\c:\bntnhb.exec:\bntnhb.exe52⤵
- Executes dropped EXE
PID:1352 -
\??\c:\02482.exec:\02482.exe53⤵
- Executes dropped EXE
PID:4768 -
\??\c:\ffxrxrl.exec:\ffxrxrl.exe54⤵
- Executes dropped EXE
PID:3992 -
\??\c:\g6282.exec:\g6282.exe55⤵
- Executes dropped EXE
PID:1536 -
\??\c:\0448226.exec:\0448226.exe56⤵
- Executes dropped EXE
PID:4464 -
\??\c:\rfxfrlr.exec:\rfxfrlr.exe57⤵
- Executes dropped EXE
PID:1632 -
\??\c:\i282266.exec:\i282266.exe58⤵
- Executes dropped EXE
PID:4564 -
\??\c:\62820.exec:\62820.exe59⤵
- Executes dropped EXE
PID:4572 -
\??\c:\nnnnnn.exec:\nnnnnn.exe60⤵
- Executes dropped EXE
PID:3876 -
\??\c:\6004444.exec:\6004444.exe61⤵
- Executes dropped EXE
PID:2812 -
\??\c:\pvjdd.exec:\pvjdd.exe62⤵
- Executes dropped EXE
PID:3240 -
\??\c:\4222600.exec:\4222600.exe63⤵
- Executes dropped EXE
PID:4976 -
\??\c:\882600.exec:\882600.exe64⤵
- Executes dropped EXE
PID:2644 -
\??\c:\tbhtnn.exec:\tbhtnn.exe65⤵
- Executes dropped EXE
PID:1868 -
\??\c:\26848.exec:\26848.exe66⤵PID:3252
-
\??\c:\2822626.exec:\2822626.exe67⤵PID:4340
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe68⤵PID:224
-
\??\c:\tttnhh.exec:\tttnhh.exe69⤵PID:3236
-
\??\c:\8684826.exec:\8684826.exe70⤵PID:3108
-
\??\c:\046060.exec:\046060.exe71⤵PID:1028
-
\??\c:\a8422.exec:\a8422.exe72⤵PID:3016
-
\??\c:\5jdvp.exec:\5jdvp.exe73⤵PID:2512
-
\??\c:\vppjd.exec:\vppjd.exe74⤵PID:4836
-
\??\c:\264488.exec:\264488.exe75⤵PID:2336
-
\??\c:\042228.exec:\042228.exe76⤵PID:3644
-
\??\c:\flrlflf.exec:\flrlflf.exe77⤵PID:4488
-
\??\c:\tbnhbb.exec:\tbnhbb.exe78⤵PID:2824
-
\??\c:\9xllxxl.exec:\9xllxxl.exe79⤵PID:1696
-
\??\c:\w24444.exec:\w24444.exe80⤵PID:2328
-
\??\c:\8426048.exec:\8426048.exe81⤵PID:4024
-
\??\c:\tthhbh.exec:\tthhbh.exe82⤵PID:3520
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe83⤵PID:4904
-
\??\c:\242400.exec:\242400.exe84⤵PID:984
-
\??\c:\frfxxxx.exec:\frfxxxx.exe85⤵
- System Location Discovery: System Language Discovery
PID:4796 -
\??\c:\g4226.exec:\g4226.exe86⤵PID:3268
-
\??\c:\28204.exec:\28204.exe87⤵PID:3156
-
\??\c:\lfllffr.exec:\lfllffr.exe88⤵PID:4080
-
\??\c:\8064466.exec:\8064466.exe89⤵PID:2724
-
\??\c:\fxxlxlx.exec:\fxxlxlx.exe90⤵
- System Location Discovery: System Language Discovery
PID:3564 -
\??\c:\9pjjd.exec:\9pjjd.exe91⤵PID:2992
-
\??\c:\024888.exec:\024888.exe92⤵PID:4960
-
\??\c:\062486.exec:\062486.exe93⤵PID:4484
-
\??\c:\262266.exec:\262266.exe94⤵PID:3996
-
\??\c:\422260.exec:\422260.exe95⤵PID:4480
-
\??\c:\244440.exec:\244440.exe96⤵PID:836
-
\??\c:\7lffllr.exec:\7lffllr.exe97⤵PID:884
-
\??\c:\xxrxflr.exec:\xxrxflr.exe98⤵PID:4420
-
\??\c:\llxfflr.exec:\llxfflr.exe99⤵PID:1852
-
\??\c:\2404888.exec:\2404888.exe100⤵PID:3324
-
\??\c:\bthbtt.exec:\bthbtt.exe101⤵PID:2580
-
\??\c:\02024.exec:\02024.exe102⤵
- System Location Discovery: System Language Discovery
PID:4244 -
\??\c:\dvdvd.exec:\dvdvd.exe103⤵PID:3976
-
\??\c:\3pjvp.exec:\3pjvp.exe104⤵PID:4472
-
\??\c:\rlrxflx.exec:\rlrxflx.exe105⤵PID:2776
-
\??\c:\628200.exec:\628200.exe106⤵PID:1372
-
\??\c:\6844844.exec:\6844844.exe107⤵PID:4788
-
\??\c:\060400.exec:\060400.exe108⤵PID:4464
-
\??\c:\xrlrrfx.exec:\xrlrrfx.exe109⤵PID:1632
-
\??\c:\60260.exec:\60260.exe110⤵PID:2672
-
\??\c:\bnntbn.exec:\bnntbn.exe111⤵
- System Location Discovery: System Language Discovery
PID:2300 -
\??\c:\80228.exec:\80228.exe112⤵PID:804
-
\??\c:\8402662.exec:\8402662.exe113⤵PID:1456
-
\??\c:\4480282.exec:\4480282.exe114⤵PID:3492
-
\??\c:\1hhbhh.exec:\1hhbhh.exe115⤵PID:4976
-
\??\c:\08084.exec:\08084.exe116⤵PID:1180
-
\??\c:\w02264.exec:\w02264.exe117⤵PID:4400
-
\??\c:\lxxrlrf.exec:\lxxrlrf.exe118⤵PID:2644
-
\??\c:\flxllfx.exec:\flxllfx.exe119⤵PID:1920
-
\??\c:\vjvvp.exec:\vjvvp.exe120⤵
- System Location Discovery: System Language Discovery
PID:1764 -
\??\c:\i008226.exec:\i008226.exe121⤵PID:3424
-
\??\c:\1vddv.exec:\1vddv.exe122⤵PID:2864