Analysis
-
max time kernel
120s -
max time network
91s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 01:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bdN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bdN.exe
-
Size
453KB
-
MD5
5b81c9a6fb6f82cce582d45bf90bc230
-
SHA1
27ea1de46b6b7eb2d15514bff7b4adbbc15e60f9
-
SHA256
bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bd
-
SHA512
03cf85704463faad269a012d4782164017924a1452aad98f731c07eefb29bb57707ed33addddb20b73c6c9aa1b42df9c4692d46200a4797460b31e51e09afdff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs. Every hit below is the YARA rule family_blackmoon matching the same 0x00400000-0x0042A000 image region in the parent and in each dropped child; the identical regions also match the UPX rule further down, and no Malware Config (C2, keys, campaign IDs) is shown for this run, so the family attribution rests on the unpacked-in-memory code pattern alone. Treat the family label as a detection-rule match rather than a configuration-level confirmation until a C2 or config is recovered.
resource yara_rule behavioral2/memory/5032-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4384-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3524-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1280 9bnbnh.exe 948 vpjvj.exe 2396 08660.exe 3508 440084.exe 2456 bthbtn.exe 1412 vjjvv.exe 4536 s4020.exe 1596 5pdpd.exe 1188 4442008.exe 3200 dvdpd.exe 5112 9jdpd.exe 3016 08620.exe 4492 06264.exe 3672 8486426.exe 4808 8226420.exe 2484 288204.exe 3564 5xlfrlx.exe 2504 htbnbn.exe 432 08422.exe 636 88824.exe 3372 rxxlrfr.exe 2792 jdddp.exe 2796 026426.exe 4984 2848486.exe 3336 622604.exe 2040 5rlxrfr.exe 1844 8826448.exe 3448 460204.exe 4708 ddjpj.exe 4104 628260.exe 4248 64482.exe 4796 602082.exe 904 fxlfffl.exe 4220 fxfrfll.exe 3136 rfllxfx.exe 4128 0448608.exe 2652 hnbtnn.exe 2984 04000.exe 4384 rllfxrf.exe 4044 028660.exe 4268 hnthbt.exe 2076 606044.exe 3556 e62048.exe 3484 3lfxrrl.exe 3508 6288428.exe 1876 4006048.exe 3280 w62604.exe 4432 6886426.exe 4660 426802.exe 1116 644264.exe 3108 tnttnb.exe 1596 080808.exe 3964 dvpjd.exe 4648 84666.exe 3224 08486.exe 5048 2826004.exe 4088 hhhbnh.exe 4900 lllxffr.exe 4540 nbbnhb.exe 3672 9tnhtn.exe 1900 dvpdv.exe 3872 nnthnh.exe 1252 1pdpd.exe 1640 22268.exe -
resource yara_rule behavioral2/memory/5032-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-208-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4044-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4936-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-651-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the evidence is reads of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key; many of the readers are listed as "Process not Found", most likely because the short-lived child had already exited when the event was attributed. Reading this key is also routine for benign software, so on its own it is a weak indicator; the IoC list is cut off at 64 entries and does not cover the full process chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0244008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4004242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0448044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2608642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64). Each event appears three times per parent/child pair and the target is always the process that parent spawns next in the Processes tree, which is consistent with the writes that accompany process creation of a dropped executable rather than with injection into an unrelated process. Note that PIDs are reused within the 120 s run (e.g. 3508, 3672, 1596, 5112, 1116, 2796, 4708, 3964 each appear for more than one process in the tree), and the out-of-sequence procid_target values 127 and 142 on the 3508 and 3672 entries appear to be the later process that reused the PID; PID-keyed IoCs (memory dumps, write targets) should therefore be correlated by time and parent, not by PID alone.
description pid Process procid_target PID 5032 wrote to memory of 1280 5032 bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bdN.exe 83 PID 5032 wrote to memory of 1280 5032 bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bdN.exe 83 PID 5032 wrote to memory of 1280 5032 bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bdN.exe 83 PID 1280 wrote to memory of 948 1280 9bnbnh.exe 84 PID 1280 wrote to memory of 948 1280 9bnbnh.exe 84 PID 1280 wrote to memory of 948 1280 9bnbnh.exe 84 PID 948 wrote to memory of 2396 948 vpjvj.exe 85 PID 948 wrote to memory of 2396 948 vpjvj.exe 85 PID 948 wrote to memory of 2396 948 vpjvj.exe 85 PID 2396 wrote to memory of 3508 2396 08660.exe 127 PID 2396 wrote to memory of 3508 2396 08660.exe 127 PID 2396 wrote to memory of 3508 2396 08660.exe 127 PID 3508 wrote to memory of 2456 3508 440084.exe 87 PID 3508 wrote to memory of 2456 3508 440084.exe 87 PID 3508 wrote to memory of 2456 3508 440084.exe 87 PID 2456 wrote to memory of 1412 2456 bthbtn.exe 88 PID 2456 wrote to memory of 1412 2456 bthbtn.exe 88 PID 2456 wrote to memory of 1412 2456 bthbtn.exe 88 PID 1412 wrote to memory of 4536 1412 vjjvv.exe 89 PID 1412 wrote to memory of 4536 1412 vjjvv.exe 89 PID 1412 wrote to memory of 4536 1412 vjjvv.exe 89 PID 4536 wrote to memory of 1596 4536 s4020.exe 90 PID 4536 wrote to memory of 1596 4536 s4020.exe 90 PID 4536 wrote to memory of 1596 4536 s4020.exe 90 PID 1596 wrote to memory of 1188 1596 5pdpd.exe 91 PID 1596 wrote to memory of 1188 1596 5pdpd.exe 91 PID 1596 wrote to memory of 1188 1596 5pdpd.exe 91 PID 1188 wrote to memory of 3200 1188 4442008.exe 92 PID 1188 wrote to memory of 3200 1188 4442008.exe 92 PID 1188 wrote to memory of 3200 1188 4442008.exe 92 PID 3200 wrote to memory of 5112 3200 dvdpd.exe 93 PID 3200 wrote to memory of 5112 3200 dvdpd.exe 93 PID 3200 wrote to memory of 5112 3200 dvdpd.exe 93 PID 5112 wrote to memory of 3016 5112 9jdpd.exe 94 PID 5112 wrote to memory of 3016 5112 
9jdpd.exe 94 PID 5112 wrote to memory of 3016 5112 9jdpd.exe 94 PID 3016 wrote to memory of 4492 3016 08620.exe 95 PID 3016 wrote to memory of 4492 3016 08620.exe 95 PID 3016 wrote to memory of 4492 3016 08620.exe 95 PID 4492 wrote to memory of 3672 4492 06264.exe 142 PID 4492 wrote to memory of 3672 4492 06264.exe 142 PID 4492 wrote to memory of 3672 4492 06264.exe 142 PID 3672 wrote to memory of 4808 3672 8486426.exe 97 PID 3672 wrote to memory of 4808 3672 8486426.exe 97 PID 3672 wrote to memory of 4808 3672 8486426.exe 97 PID 4808 wrote to memory of 2484 4808 8226420.exe 98 PID 4808 wrote to memory of 2484 4808 8226420.exe 98 PID 4808 wrote to memory of 2484 4808 8226420.exe 98 PID 2484 wrote to memory of 3564 2484 288204.exe 99 PID 2484 wrote to memory of 3564 2484 288204.exe 99 PID 2484 wrote to memory of 3564 2484 288204.exe 99 PID 3564 wrote to memory of 2504 3564 5xlfrlx.exe 100 PID 3564 wrote to memory of 2504 3564 5xlfrlx.exe 100 PID 3564 wrote to memory of 2504 3564 5xlfrlx.exe 100 PID 2504 wrote to memory of 432 2504 htbnbn.exe 101 PID 2504 wrote to memory of 432 2504 htbnbn.exe 101 PID 2504 wrote to memory of 432 2504 htbnbn.exe 101 PID 432 wrote to memory of 636 432 08422.exe 102 PID 432 wrote to memory of 636 432 08422.exe 102 PID 432 wrote to memory of 636 432 08422.exe 102 PID 636 wrote to memory of 3372 636 88824.exe 103 PID 636 wrote to memory of 3372 636 88824.exe 103 PID 636 wrote to memory of 3372 636 88824.exe 103 PID 3372 wrote to memory of 2792 3372 rxxlrfr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bdN.exe"C:\Users\Admin\AppData\Local\Temp\bc5b4c86e869f1cb5902ef8b4f1546c92beb517c42864c81fd376dc918bda5bdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\9bnbnh.exec:\9bnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\vpjvj.exec:\vpjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\08660.exec:\08660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\440084.exec:\440084.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\bthbtn.exec:\bthbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\vjjvv.exec:\vjjvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\s4020.exec:\s4020.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\5pdpd.exec:\5pdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\4442008.exec:\4442008.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\dvdpd.exec:\dvdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\9jdpd.exec:\9jdpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\08620.exec:\08620.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\06264.exec:\06264.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\8486426.exec:\8486426.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\8226420.exec:\8226420.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\288204.exec:\288204.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\5xlfrlx.exec:\5xlfrlx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\htbnbn.exec:\htbnbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\08422.exec:\08422.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\88824.exec:\88824.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\rxxlrfr.exec:\rxxlrfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\jdddp.exec:\jdddp.exe23⤵
- Executes dropped EXE
PID:2792 -
\??\c:\026426.exec:\026426.exe24⤵
- Executes dropped EXE
PID:2796 -
\??\c:\2848486.exec:\2848486.exe25⤵
- Executes dropped EXE
PID:4984 -
\??\c:\622604.exec:\622604.exe26⤵
- Executes dropped EXE
PID:3336 -
\??\c:\5rlxrfr.exec:\5rlxrfr.exe27⤵
- Executes dropped EXE
PID:2040 -
\??\c:\8826448.exec:\8826448.exe28⤵
- Executes dropped EXE
PID:1844 -
\??\c:\460204.exec:\460204.exe29⤵
- Executes dropped EXE
PID:3448 -
\??\c:\ddjpj.exec:\ddjpj.exe30⤵
- Executes dropped EXE
PID:4708 -
\??\c:\628260.exec:\628260.exe31⤵
- Executes dropped EXE
PID:4104 -
\??\c:\64482.exec:\64482.exe32⤵
- Executes dropped EXE
PID:4248 -
\??\c:\602082.exec:\602082.exe33⤵
- Executes dropped EXE
PID:4796 -
\??\c:\fxlfffl.exec:\fxlfffl.exe34⤵
- Executes dropped EXE
PID:904 -
\??\c:\fxfrfll.exec:\fxfrfll.exe35⤵
- Executes dropped EXE
PID:4220 -
\??\c:\rfllxfx.exec:\rfllxfx.exe36⤵
- Executes dropped EXE
PID:3136 -
\??\c:\0448608.exec:\0448608.exe37⤵
- Executes dropped EXE
PID:4128 -
\??\c:\hnbtnn.exec:\hnbtnn.exe38⤵
- Executes dropped EXE
PID:2652 -
\??\c:\04000.exec:\04000.exe39⤵
- Executes dropped EXE
PID:2984 -
\??\c:\rllfxrf.exec:\rllfxrf.exe40⤵
- Executes dropped EXE
PID:4384 -
\??\c:\028660.exec:\028660.exe41⤵
- Executes dropped EXE
PID:4044 -
\??\c:\hnthbt.exec:\hnthbt.exe42⤵
- Executes dropped EXE
PID:4268 -
\??\c:\606044.exec:\606044.exe43⤵
- Executes dropped EXE
PID:2076 -
\??\c:\e62048.exec:\e62048.exe44⤵
- Executes dropped EXE
PID:3556 -
\??\c:\3lfxrrl.exec:\3lfxrrl.exe45⤵
- Executes dropped EXE
PID:3484 -
\??\c:\6288428.exec:\6288428.exe46⤵
- Executes dropped EXE
PID:3508 -
\??\c:\4006048.exec:\4006048.exe47⤵
- Executes dropped EXE
PID:1876 -
\??\c:\w62604.exec:\w62604.exe48⤵
- Executes dropped EXE
PID:3280 -
\??\c:\6886426.exec:\6886426.exe49⤵
- Executes dropped EXE
PID:4432 -
\??\c:\426802.exec:\426802.exe50⤵
- Executes dropped EXE
PID:4660 -
\??\c:\644264.exec:\644264.exe51⤵
- Executes dropped EXE
PID:1116 -
\??\c:\tnttnb.exec:\tnttnb.exe52⤵
- Executes dropped EXE
PID:3108 -
\??\c:\080808.exec:\080808.exe53⤵
- Executes dropped EXE
PID:1596 -
\??\c:\dvpjd.exec:\dvpjd.exe54⤵
- Executes dropped EXE
PID:3964 -
\??\c:\84666.exec:\84666.exe55⤵
- Executes dropped EXE
PID:4648 -
\??\c:\08486.exec:\08486.exe56⤵
- Executes dropped EXE
PID:3224 -
\??\c:\2826004.exec:\2826004.exe57⤵
- Executes dropped EXE
PID:5048 -
\??\c:\hhhbnh.exec:\hhhbnh.exe58⤵
- Executes dropped EXE
PID:4088 -
\??\c:\lllxffr.exec:\lllxffr.exe59⤵
- Executes dropped EXE
PID:4900 -
\??\c:\nbbnhb.exec:\nbbnhb.exe60⤵
- Executes dropped EXE
PID:4540 -
\??\c:\9tnhtn.exec:\9tnhtn.exe61⤵
- Executes dropped EXE
PID:3672 -
\??\c:\dvpdv.exec:\dvpdv.exe62⤵
- Executes dropped EXE
PID:1900 -
\??\c:\nnthnh.exec:\nnthnh.exe63⤵
- Executes dropped EXE
PID:3872 -
\??\c:\1pdpd.exec:\1pdpd.exe64⤵
- Executes dropped EXE
PID:1252 -
\??\c:\22268.exec:\22268.exe65⤵
- Executes dropped EXE
PID:1640 -
\??\c:\w82048.exec:\w82048.exe66⤵PID:3960
-
\??\c:\406000.exec:\406000.exe67⤵PID:4884
-
\??\c:\bhhhbb.exec:\bhhhbb.exe68⤵PID:3088
-
\??\c:\6888226.exec:\6888226.exe69⤵PID:4544
-
\??\c:\hnhtht.exec:\hnhtht.exe70⤵PID:3644
-
\??\c:\0626222.exec:\0626222.exe71⤵PID:4916
-
\??\c:\4282266.exec:\4282266.exe72⤵PID:3232
-
\??\c:\e40482.exec:\e40482.exe73⤵PID:1180
-
\??\c:\828288.exec:\828288.exe74⤵PID:652
-
\??\c:\408608.exec:\408608.exe75⤵PID:5052
-
\??\c:\64042.exec:\64042.exe76⤵PID:1548
-
\??\c:\i220088.exec:\i220088.exe77⤵PID:2796
-
\??\c:\02444.exec:\02444.exe78⤵PID:3540
-
\??\c:\pddpv.exec:\pddpv.exe79⤵PID:2540
-
\??\c:\48484.exec:\48484.exe80⤵PID:4448
-
\??\c:\826262.exec:\826262.exe81⤵PID:1092
-
\??\c:\62066.exec:\62066.exe82⤵PID:3524
-
\??\c:\04042.exec:\04042.exe83⤵PID:1936
-
\??\c:\046266.exec:\046266.exe84⤵PID:4396
-
\??\c:\jvjdp.exec:\jvjdp.exe85⤵PID:4708
-
\??\c:\20226.exec:\20226.exe86⤵PID:1916
-
\??\c:\8882086.exec:\8882086.exe87⤵PID:2564
-
\??\c:\lfxlxrx.exec:\lfxlxrx.exe88⤵PID:632
-
\??\c:\nhtbhn.exec:\nhtbhn.exe89⤵PID:4936
-
\??\c:\dddvv.exec:\dddvv.exe90⤵PID:4956
-
\??\c:\xrxlfrl.exec:\xrxlfrl.exe91⤵PID:4152
-
\??\c:\nbbbnn.exec:\nbbbnn.exe92⤵PID:1724
-
\??\c:\9nnhhn.exec:\9nnhhn.exe93⤵PID:3188
-
\??\c:\k02248.exec:\k02248.exe94⤵PID:4556
-
\??\c:\jdjdd.exec:\jdjdd.exe95⤵PID:3160
-
\??\c:\i404826.exec:\i404826.exe96⤵PID:4296
-
\??\c:\90820.exec:\90820.exe97⤵PID:1504
-
\??\c:\1pjdp.exec:\1pjdp.exe98⤵PID:728
-
\??\c:\088222.exec:\088222.exe99⤵PID:4004
-
\??\c:\thbtnn.exec:\thbtnn.exe100⤵PID:3652
-
\??\c:\ddvvd.exec:\ddvvd.exe101⤵PID:2400
-
\??\c:\06848.exec:\06848.exe102⤵PID:1660
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe103⤵PID:1616
-
\??\c:\hnhbbb.exec:\hnhbbb.exe104⤵PID:3424
-
\??\c:\06604.exec:\06604.exe105⤵PID:3324
-
\??\c:\7ddvp.exec:\7ddvp.exe106⤵PID:3928
-
\??\c:\04420.exec:\04420.exe107⤵PID:2272
-
\??\c:\84664.exec:\84664.exe108⤵PID:3428
-
\??\c:\lrllxfx.exec:\lrllxfx.exe109⤵PID:4416
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe110⤵PID:3216
-
\??\c:\4404462.exec:\4404462.exe111⤵PID:1712
-
\??\c:\bnhhhh.exec:\bnhhhh.exe112⤵PID:1116
-
\??\c:\xlllflf.exec:\xlllflf.exe113⤵PID:1516
-
\??\c:\ddpjd.exec:\ddpjd.exe114⤵PID:1596
-
\??\c:\20608.exec:\20608.exe115⤵PID:3964
-
\??\c:\q88682.exec:\q88682.exe116⤵PID:744
-
\??\c:\5xxlffx.exec:\5xxlffx.exe117⤵PID:5112
-
\??\c:\282020.exec:\282020.exe118⤵PID:4424
-
\??\c:\frfxxxr.exec:\frfxxxr.exe119⤵PID:3676
-
\??\c:\0460662.exec:\0460662.exe120⤵PID:3164
-
\??\c:\2404886.exec:\2404886.exe121⤵PID:5076
-
\??\c:\xlrlxrx.exec:\xlrlxrx.exe122⤵PID:4520