Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe
-
Size
454KB
-
MD5
c435c76635b5417cf532f0e6997ae186
-
SHA1
aaad0c2ef17745490220bdb24b5ef956a82d4e12
-
SHA256
bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f
-
SHA512
cda6e71562ab0ebc99f8d91eef66e1a567f4f0bcf7a000edc214d8bd1771185b195172de6b5c4b444dfd6d4235e29057a7f4d53a9c1037346006abd877b2509c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3464-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4960-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1940-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-1190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 208 djdpv.exe 2380 082420.exe 4748 2200686.exe 1356 rxlrllf.exe 1828 4228648.exe 2428 thhthb.exe 4448 nnnbnb.exe 2932 064424.exe 1948 1jdpv.exe 1644 rrrlrlx.exe 4860 u664264.exe 4104 4486820.exe 3900 vdjdp.exe 4788 rfrfrlx.exe 4376 dppdj.exe 3276 2282604.exe 2392 jvpvp.exe 5032 860860.exe 1800 4002048.exe 2664 9bbbnh.exe 2188 1vvvp.exe 1312 rlfrfxl.exe 4740 hthtbt.exe 3544 lllllxx.exe 1580 vvpdp.exe 2472 s4048.exe 2864 k66204.exe 1424 1frflfr.exe 800 1jdpv.exe 3636 5frlrlf.exe 4960 pdvjv.exe 4724 rfxrlfr.exe 1588 68624.exe 1724 c848208.exe 512 860848.exe 1928 848208.exe 4624 8604622.exe 4872 e00826.exe 3708 xfxlxrf.exe 5040 w04804.exe 2764 a0042.exe 4012 dvvpj.exe 5008 20042.exe 1696 s6020.exe 4432 7htbnb.exe 1092 2264260.exe 3972 c442008.exe 2260 pddpd.exe 4328 q04804.exe 2152 5hthth.exe 5044 866460.exe 2984 3pjdv.exe 4948 vddpv.exe 4436 44402.exe 3400 g8826.exe 3480 hbbtnh.exe 2160 o604406.exe 5084 882604.exe 396 pvvjv.exe 1968 3bnhtn.exe 2992 7ppdp.exe 1512 5vvjv.exe 4952 1ntbnb.exe 2960 djdvv.exe -
resource yara_rule behavioral2/memory/3464-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1424-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-418-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4256-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-767-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i404826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2400822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0248888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20260.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3464 wrote to memory of 208 3464 bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe 85 PID 3464 wrote to memory of 208 3464 bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe 85 PID 3464 wrote to memory of 208 3464 bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe 85 PID 208 wrote to memory of 2380 208 djdpv.exe 86 PID 208 wrote to memory of 2380 208 djdpv.exe 86 PID 208 wrote to memory of 2380 208 djdpv.exe 86 PID 2380 wrote to memory of 4748 2380 082420.exe 87 PID 2380 wrote to memory of 4748 2380 082420.exe 87 PID 2380 wrote to memory of 4748 2380 082420.exe 87 PID 4748 wrote to memory of 1356 4748 2200686.exe 88 PID 4748 wrote to memory of 1356 4748 2200686.exe 88 PID 4748 wrote to memory of 1356 4748 2200686.exe 88 PID 1356 wrote to memory of 1828 1356 rxlrllf.exe 89 PID 1356 wrote to memory of 1828 1356 rxlrllf.exe 89 PID 1356 wrote to memory of 1828 1356 rxlrllf.exe 89 PID 1828 wrote to memory of 2428 1828 4228648.exe 90 PID 1828 wrote to memory of 2428 1828 4228648.exe 90 PID 1828 wrote to memory of 2428 1828 4228648.exe 90 PID 2428 wrote to memory of 4448 2428 thhthb.exe 91 PID 2428 wrote to memory of 4448 2428 thhthb.exe 91 PID 2428 wrote to memory of 4448 2428 thhthb.exe 91 PID 4448 wrote to memory of 2932 4448 nnnbnb.exe 92 PID 4448 wrote to memory of 2932 4448 nnnbnb.exe 92 PID 4448 wrote to memory of 2932 4448 nnnbnb.exe 92 PID 2932 wrote to memory of 1948 2932 064424.exe 93 PID 2932 wrote to memory of 1948 2932 064424.exe 93 PID 2932 wrote to memory of 1948 2932 064424.exe 93 PID 1948 wrote to memory of 1644 1948 1jdpv.exe 94 PID 1948 wrote to memory of 1644 1948 1jdpv.exe 94 PID 1948 wrote to memory of 1644 1948 1jdpv.exe 94 PID 1644 wrote to memory of 4860 1644 rrrlrlx.exe 95 PID 1644 wrote to memory of 4860 1644 rrrlrlx.exe 95 PID 1644 wrote to memory of 4860 1644 rrrlrlx.exe 95 PID 4860 wrote to memory of 4104 4860 u664264.exe 96 PID 4860 wrote to 
memory of 4104 4860 u664264.exe 96 PID 4860 wrote to memory of 4104 4860 u664264.exe 96 PID 4104 wrote to memory of 3900 4104 4486820.exe 97 PID 4104 wrote to memory of 3900 4104 4486820.exe 97 PID 4104 wrote to memory of 3900 4104 4486820.exe 97 PID 3900 wrote to memory of 4788 3900 vdjdp.exe 98 PID 3900 wrote to memory of 4788 3900 vdjdp.exe 98 PID 3900 wrote to memory of 4788 3900 vdjdp.exe 98 PID 4788 wrote to memory of 4376 4788 rfrfrlx.exe 99 PID 4788 wrote to memory of 4376 4788 rfrfrlx.exe 99 PID 4788 wrote to memory of 4376 4788 rfrfrlx.exe 99 PID 4376 wrote to memory of 3276 4376 dppdj.exe 100 PID 4376 wrote to memory of 3276 4376 dppdj.exe 100 PID 4376 wrote to memory of 3276 4376 dppdj.exe 100 PID 3276 wrote to memory of 2392 3276 2282604.exe 101 PID 3276 wrote to memory of 2392 3276 2282604.exe 101 PID 3276 wrote to memory of 2392 3276 2282604.exe 101 PID 2392 wrote to memory of 5032 2392 jvpvp.exe 102 PID 2392 wrote to memory of 5032 2392 jvpvp.exe 102 PID 2392 wrote to memory of 5032 2392 jvpvp.exe 102 PID 5032 wrote to memory of 1800 5032 860860.exe 103 PID 5032 wrote to memory of 1800 5032 860860.exe 103 PID 5032 wrote to memory of 1800 5032 860860.exe 103 PID 1800 wrote to memory of 2664 1800 4002048.exe 104 PID 1800 wrote to memory of 2664 1800 4002048.exe 104 PID 1800 wrote to memory of 2664 1800 4002048.exe 104 PID 2664 wrote to memory of 2188 2664 9bbbnh.exe 105 PID 2664 wrote to memory of 2188 2664 9bbbnh.exe 105 PID 2664 wrote to memory of 2188 2664 9bbbnh.exe 105 PID 2188 wrote to memory of 1312 2188 1vvvp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe "C:\Users\Admin\AppData\Local\Temp\bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\djdpv.exec:\djdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\082420.exec:\082420.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\2200686.exec:\2200686.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\rxlrllf.exec:\rxlrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\4228648.exec:\4228648.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\thhthb.exec:\thhthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\nnnbnb.exec:\nnnbnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\064424.exec:\064424.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\1jdpv.exec:\1jdpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\rrrlrlx.exec:\rrrlrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\u664264.exec:\u664264.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\4486820.exec:\4486820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\vdjdp.exec:\vdjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\rfrfrlx.exec:\rfrfrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\dppdj.exec:\dppdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\2282604.exec:\2282604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\jvpvp.exec:\jvpvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\860860.exec:\860860.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\4002048.exec:\4002048.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\9bbbnh.exec:\9bbbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\1vvvp.exec:\1vvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\rlfrfxl.exec:\rlfrfxl.exe23⤵
- Executes dropped EXE
PID:1312 -
\??\c:\hthtbt.exec:\hthtbt.exe24⤵
- Executes dropped EXE
PID:4740 -
\??\c:\lllllxx.exec:\lllllxx.exe25⤵
- Executes dropped EXE
PID:3544 -
\??\c:\vvpdp.exec:\vvpdp.exe26⤵
- Executes dropped EXE
PID:1580 -
\??\c:\s4048.exec:\s4048.exe27⤵
- Executes dropped EXE
PID:2472 -
\??\c:\k66204.exec:\k66204.exe28⤵
- Executes dropped EXE
PID:2864 -
\??\c:\1frflfr.exec:\1frflfr.exe29⤵
- Executes dropped EXE
PID:1424 -
\??\c:\1jdpv.exec:\1jdpv.exe30⤵
- Executes dropped EXE
PID:800 -
\??\c:\5frlrlf.exec:\5frlrlf.exe31⤵
- Executes dropped EXE
PID:3636 -
\??\c:\pdvjv.exec:\pdvjv.exe32⤵
- Executes dropped EXE
PID:4960 -
\??\c:\rfxrlfr.exec:\rfxrlfr.exe33⤵
- Executes dropped EXE
PID:4724 -
\??\c:\68624.exec:\68624.exe34⤵
- Executes dropped EXE
PID:1588 -
\??\c:\c848208.exec:\c848208.exe35⤵
- Executes dropped EXE
PID:1724 -
\??\c:\860848.exec:\860848.exe36⤵
- Executes dropped EXE
PID:512 -
\??\c:\848208.exec:\848208.exe37⤵
- Executes dropped EXE
PID:1928 -
\??\c:\8604622.exec:\8604622.exe38⤵
- Executes dropped EXE
PID:4624 -
\??\c:\e00826.exec:\e00826.exe39⤵
- Executes dropped EXE
PID:4872 -
\??\c:\xfxlxrf.exec:\xfxlxrf.exe40⤵
- Executes dropped EXE
PID:3708 -
\??\c:\w04804.exec:\w04804.exe41⤵
- Executes dropped EXE
PID:5040 -
\??\c:\a0042.exec:\a0042.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\dvvpj.exec:\dvvpj.exe43⤵
- Executes dropped EXE
PID:4012 -
\??\c:\20042.exec:\20042.exe44⤵
- Executes dropped EXE
PID:5008 -
\??\c:\s6020.exec:\s6020.exe45⤵
- Executes dropped EXE
PID:1696 -
\??\c:\7htbnb.exec:\7htbnb.exe46⤵
- Executes dropped EXE
PID:4432 -
\??\c:\2264260.exec:\2264260.exe47⤵
- Executes dropped EXE
PID:1092 -
\??\c:\c442008.exec:\c442008.exe48⤵
- Executes dropped EXE
PID:3972 -
\??\c:\pddpd.exec:\pddpd.exe49⤵
- Executes dropped EXE
PID:2260 -
\??\c:\q04804.exec:\q04804.exe50⤵
- Executes dropped EXE
PID:4328 -
\??\c:\5hthth.exec:\5hthth.exe51⤵
- Executes dropped EXE
PID:2152 -
\??\c:\866460.exec:\866460.exe52⤵
- Executes dropped EXE
PID:5044 -
\??\c:\3pjdv.exec:\3pjdv.exe53⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vddpv.exec:\vddpv.exe54⤵
- Executes dropped EXE
PID:4948 -
\??\c:\44402.exec:\44402.exe55⤵
- Executes dropped EXE
PID:4436 -
\??\c:\g8826.exec:\g8826.exe56⤵
- Executes dropped EXE
PID:3400 -
\??\c:\hbbtnh.exec:\hbbtnh.exe57⤵
- Executes dropped EXE
PID:3480 -
\??\c:\o604406.exec:\o604406.exe58⤵
- Executes dropped EXE
PID:2160 -
\??\c:\882604.exec:\882604.exe59⤵
- Executes dropped EXE
PID:5084 -
\??\c:\pvvjv.exec:\pvvjv.exe60⤵
- Executes dropped EXE
PID:396 -
\??\c:\3bnhtn.exec:\3bnhtn.exe61⤵
- Executes dropped EXE
PID:1968 -
\??\c:\7ppdp.exec:\7ppdp.exe62⤵
- Executes dropped EXE
PID:2992 -
\??\c:\5vvjv.exec:\5vvjv.exe63⤵
- Executes dropped EXE
PID:1512 -
\??\c:\1ntbnb.exec:\1ntbnb.exe64⤵
- Executes dropped EXE
PID:4952 -
\??\c:\djdvv.exec:\djdvv.exe65⤵
- Executes dropped EXE
PID:2960 -
\??\c:\ffllxrf.exec:\ffllxrf.exe66⤵PID:3844
-
\??\c:\rrrfrfr.exec:\rrrfrfr.exe67⤵PID:980
-
\??\c:\082486.exec:\082486.exe68⤵PID:2904
-
\??\c:\g8422.exec:\g8422.exe69⤵PID:3932
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe70⤵PID:4400
-
\??\c:\hbthtn.exec:\hbthtn.exe71⤵PID:952
-
\??\c:\44408.exec:\44408.exe72⤵PID:2696
-
\??\c:\u446086.exec:\u446086.exe73⤵PID:4904
-
\??\c:\fxlfrxr.exec:\fxlfrxr.exe74⤵PID:856
-
\??\c:\448266.exec:\448266.exe75⤵PID:224
-
\??\c:\462608.exec:\462608.exe76⤵PID:3752
-
\??\c:\q04866.exec:\q04866.exe77⤵PID:2648
-
\??\c:\44228.exec:\44228.exe78⤵PID:232
-
\??\c:\488446.exec:\488446.exe79⤵PID:640
-
\??\c:\nhhhhn.exec:\nhhhhn.exe80⤵PID:2936
-
\??\c:\hhhbtb.exec:\hhhbtb.exe81⤵PID:4916
-
\??\c:\7pjvd.exec:\7pjvd.exe82⤵PID:4504
-
\??\c:\llxrrlx.exec:\llxrrlx.exe83⤵PID:1088
-
\??\c:\44486.exec:\44486.exe84⤵PID:820
-
\??\c:\642600.exec:\642600.exe85⤵PID:1940
-
\??\c:\fxrxlfl.exec:\fxrxlfl.exe86⤵PID:184
-
\??\c:\tnhthn.exec:\tnhthn.exe87⤵PID:1756
-
\??\c:\rxrlxxl.exec:\rxrlxxl.exe88⤵PID:2052
-
\??\c:\4220886.exec:\4220886.exe89⤵PID:4716
-
\??\c:\082042.exec:\082042.exe90⤵PID:3200
-
\??\c:\1lrlfrl.exec:\1lrlfrl.exe91⤵PID:1928
-
\??\c:\htbntn.exec:\htbntn.exe92⤵PID:1776
-
\??\c:\c066688.exec:\c066688.exe93⤵PID:220
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe94⤵PID:5040
-
\??\c:\00604.exec:\00604.exe95⤵PID:3568
-
\??\c:\26448.exec:\26448.exe96⤵PID:4660
-
\??\c:\48008.exec:\48008.exe97⤵PID:1548
-
\??\c:\vdjdj.exec:\vdjdj.exe98⤵PID:1600
-
\??\c:\g4660.exec:\g4660.exe99⤵PID:3656
-
\??\c:\lflffff.exec:\lflffff.exe100⤵PID:2340
-
\??\c:\7tbtnn.exec:\7tbtnn.exe101⤵PID:2296
-
\??\c:\0282666.exec:\0282666.exe102⤵PID:3884
-
\??\c:\9rfrfxr.exec:\9rfrfxr.exe103⤵PID:4256
-
\??\c:\9jjdv.exec:\9jjdv.exe104⤵PID:3692
-
\??\c:\440428.exec:\440428.exe105⤵PID:1824
-
\??\c:\664400.exec:\664400.exe106⤵PID:2304
-
\??\c:\68064.exec:\68064.exe107⤵PID:2984
-
\??\c:\rffrfrl.exec:\rffrfrl.exe108⤵PID:3464
-
\??\c:\xflfxrr.exec:\xflfxrr.exe109⤵PID:1028
-
\??\c:\xxffffl.exec:\xxffffl.exe110⤵PID:2680
-
\??\c:\2882266.exec:\2882266.exe111⤵PID:4796
-
\??\c:\a0648.exec:\a0648.exe112⤵PID:3992
-
\??\c:\04486.exec:\04486.exe113⤵PID:2704
-
\??\c:\42862.exec:\42862.exe114⤵PID:4384
-
\??\c:\htttnn.exec:\htttnn.exe115⤵PID:3192
-
\??\c:\1tnhtt.exec:\1tnhtt.exe116⤵PID:396
-
\??\c:\rfrfrfl.exec:\rfrfrfl.exe117⤵PID:1180
-
\??\c:\9lllfxx.exec:\9lllfxx.exe118⤵PID:3588
-
\??\c:\nhnhhh.exec:\nhnhhh.exe119⤵PID:3196
-
\??\c:\fxllfrl.exec:\fxllfrl.exe120⤵PID:4484
-
\??\c:\xffrfxl.exec:\xffrfxl.exe121⤵PID:4192
-
\??\c:\28426.exec:\28426.exe122⤵PID:3172