Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 22:34
Static task
static1
1 signatures
Behavioral task
behavioral1 (note: the memory IoCs listed under Signatures below are tagged behavioral2, and the platform header above reads windows10-2004_x64; the win7 resource in this block therefore describes a different run than the one the IoCs come from)
Sample
bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4N.exe
-
Size
453KB
-
MD5
cbafce6e9b0eb73203f9aa2cfbb79650
-
SHA1
8eb6100695f6da98677e1e33cab02669ecf553f8
-
SHA256
bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4
-
SHA512
aaa6ffa35b7fa3760f91807892ad49d92c734da42e4ca60826c7bb84c8811f276a0f2eca704dbdf9b67383f79880d6e312c1b4660efdcc79ab2e865da15875d4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5004-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1408-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4568-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-1311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-1375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-1422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-1573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3004 9nhhbh.exe 2144 jvddd.exe 2184 frllffx.exe 3588 3ntnnt.exe 2368 lfrrxxf.exe 2296 1vvpj.exe 4384 llllffx.exe 2284 hbhhbb.exe 4556 pdjdv.exe 3872 rfxfffx.exe 2632 fffflrl.exe 3176 nbbbth.exe 1820 frxrrrf.exe 3252 btnhhb.exe 2524 pvvvv.exe 3208 vvvjd.exe 4040 jvdvp.exe 1180 9bbnhn.exe 1352 hbbnhh.exe 3972 xrfxxxf.exe 1052 btbbtt.exe 3148 dppjd.exe 4652 7jvpv.exe 2664 1rxrllf.exe 2528 nthtnh.exe 3212 pvddv.exe 3044 3dvpj.exe 1408 xlfxrlf.exe 2844 5xxrrll.exe 4112 vjjdv.exe 3924 rrxfrxf.exe 2084 bthbth.exe 4928 flxrrff.exe 2052 5hbbtn.exe 1360 fxxxffr.exe 452 bhtnhh.exe 2228 jvdpp.exe 3548 9rllllf.exe 3880 hbbbtt.exe 4492 ddjjd.exe 2156 9bbbtb.exe 4620 ddjdv.exe 4068 rxlfffx.exe 3712 btbbbb.exe 3088 jpddd.exe 2888 ffxrrxl.exe 4964 lrlrlll.exe 396 dvjjj.exe 4872 llxxffx.exe 4436 tttbbb.exe 4796 thbtbt.exe 1108 dpvpj.exe 2020 lxfxxxx.exe 4432 bbtnhh.exe 2388 vppjj.exe 3504 hnbnhh.exe 1580 5nbbtn.exe 3036 vvjpp.exe 3528 9xfxxff.exe 1840 frffxxr.exe 224 btbtnn.exe 3476 pvdvp.exe 1400 xlxrllf.exe 3704 thnbnh.exe -
resource yara_rule behavioral2/memory/5004-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4112-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3040-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-1154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-1311-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5004 wrote to memory of 3004 5004 bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4N.exe 83 PID 5004 wrote to memory of 3004 5004 bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4N.exe 83 PID 5004 wrote to memory of 3004 5004 bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4N.exe 83 PID 3004 wrote to memory of 2144 3004 9nhhbh.exe 84 PID 3004 wrote to memory of 2144 3004 9nhhbh.exe 84 PID 3004 wrote to memory of 2144 3004 9nhhbh.exe 84 PID 2144 wrote to memory of 2184 2144 jvddd.exe 85 PID 2144 wrote to memory of 2184 2144 jvddd.exe 85 PID 2144 wrote to memory of 2184 2144 jvddd.exe 85 PID 2184 wrote to memory of 3588 2184 frllffx.exe 86 PID 2184 wrote to memory of 3588 2184 frllffx.exe 86 PID 2184 wrote to memory of 3588 2184 frllffx.exe 86 PID 3588 wrote to memory of 2368 3588 3ntnnt.exe 87 PID 3588 wrote to memory of 2368 3588 3ntnnt.exe 87 PID 3588 wrote to memory of 2368 3588 3ntnnt.exe 87 PID 2368 wrote to memory of 2296 2368 lfrrxxf.exe 88 PID 2368 wrote to memory of 2296 2368 lfrrxxf.exe 88 PID 2368 wrote to memory of 2296 2368 lfrrxxf.exe 88 PID 2296 wrote to memory of 4384 2296 1vvpj.exe 89 PID 2296 wrote to memory of 4384 2296 1vvpj.exe 89 PID 2296 wrote to memory of 4384 2296 1vvpj.exe 89 PID 4384 wrote to memory of 2284 4384 llllffx.exe 90 PID 4384 wrote to memory of 2284 4384 llllffx.exe 90 PID 4384 wrote to memory of 2284 4384 llllffx.exe 90 PID 2284 wrote to memory of 4556 2284 hbhhbb.exe 91 PID 2284 wrote to memory of 4556 2284 hbhhbb.exe 91 PID 2284 wrote to memory of 4556 2284 hbhhbb.exe 91 PID 4556 wrote to memory of 3872 4556 pdjdv.exe 92 PID 4556 wrote to memory of 3872 4556 pdjdv.exe 92 PID 4556 wrote to memory of 3872 4556 pdjdv.exe 92 PID 3872 wrote to memory of 2632 3872 rfxfffx.exe 93 PID 3872 wrote to memory of 2632 3872 rfxfffx.exe 93 PID 3872 wrote to memory of 2632 3872 rfxfffx.exe 93 PID 2632 wrote to memory of 3176 2632 fffflrl.exe 94 PID 2632 
wrote to memory of 3176 2632 fffflrl.exe 94 PID 2632 wrote to memory of 3176 2632 fffflrl.exe 94 PID 3176 wrote to memory of 1820 3176 nbbbth.exe 95 PID 3176 wrote to memory of 1820 3176 nbbbth.exe 95 PID 3176 wrote to memory of 1820 3176 nbbbth.exe 95 PID 1820 wrote to memory of 3252 1820 frxrrrf.exe 96 PID 1820 wrote to memory of 3252 1820 frxrrrf.exe 96 PID 1820 wrote to memory of 3252 1820 frxrrrf.exe 96 PID 3252 wrote to memory of 2524 3252 btnhhb.exe 97 PID 3252 wrote to memory of 2524 3252 btnhhb.exe 97 PID 3252 wrote to memory of 2524 3252 btnhhb.exe 97 PID 2524 wrote to memory of 3208 2524 pvvvv.exe 98 PID 2524 wrote to memory of 3208 2524 pvvvv.exe 98 PID 2524 wrote to memory of 3208 2524 pvvvv.exe 98 PID 3208 wrote to memory of 4040 3208 vvvjd.exe 99 PID 3208 wrote to memory of 4040 3208 vvvjd.exe 99 PID 3208 wrote to memory of 4040 3208 vvvjd.exe 99 PID 4040 wrote to memory of 1180 4040 jvdvp.exe 100 PID 4040 wrote to memory of 1180 4040 jvdvp.exe 100 PID 4040 wrote to memory of 1180 4040 jvdvp.exe 100 PID 1180 wrote to memory of 1352 1180 9bbnhn.exe 101 PID 1180 wrote to memory of 1352 1180 9bbnhn.exe 101 PID 1180 wrote to memory of 1352 1180 9bbnhn.exe 101 PID 1352 wrote to memory of 3972 1352 hbbnhh.exe 102 PID 1352 wrote to memory of 3972 1352 hbbnhh.exe 102 PID 1352 wrote to memory of 3972 1352 hbbnhh.exe 102 PID 3972 wrote to memory of 1052 3972 xrfxxxf.exe 103 PID 3972 wrote to memory of 1052 3972 xrfxxxf.exe 103 PID 3972 wrote to memory of 1052 3972 xrfxxxf.exe 103 PID 1052 wrote to memory of 3148 1052 btbbtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4N.exe"C:\Users\Admin\AppData\Local\Temp\bccb5b023a41d94d422b640912fa94cb6fef2fb04f6f24a690fb7bf88da839b4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\9nhhbh.exec:\9nhhbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\jvddd.exec:\jvddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\frllffx.exec:\frllffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\3ntnnt.exec:\3ntnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\1vvpj.exec:\1vvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\llllffx.exec:\llllffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\hbhhbb.exec:\hbhhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\pdjdv.exec:\pdjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\rfxfffx.exec:\rfxfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\fffflrl.exec:\fffflrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\nbbbth.exec:\nbbbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\frxrrrf.exec:\frxrrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\btnhhb.exec:\btnhhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\pvvvv.exec:\pvvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\vvvjd.exec:\vvvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\jvdvp.exec:\jvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\9bbnhn.exec:\9bbnhn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\hbbnhh.exec:\hbbnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\xrfxxxf.exec:\xrfxxxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\btbbtt.exec:\btbbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\dppjd.exec:\dppjd.exe23⤵
- Executes dropped EXE
PID:3148 -
\??\c:\7jvpv.exec:\7jvpv.exe24⤵
- Executes dropped EXE
PID:4652 -
\??\c:\1rxrllf.exec:\1rxrllf.exe25⤵
- Executes dropped EXE
PID:2664 -
\??\c:\nthtnh.exec:\nthtnh.exe26⤵
- Executes dropped EXE
PID:2528 -
\??\c:\pvddv.exec:\pvddv.exe27⤵
- Executes dropped EXE
PID:3212 -
\??\c:\3dvpj.exec:\3dvpj.exe28⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xlfxrlf.exec:\xlfxrlf.exe29⤵
- Executes dropped EXE
PID:1408 -
\??\c:\5xxrrll.exec:\5xxrrll.exe30⤵
- Executes dropped EXE
PID:2844 -
\??\c:\vjjdv.exec:\vjjdv.exe31⤵
- Executes dropped EXE
PID:4112 -
\??\c:\rrxfrxf.exec:\rrxfrxf.exe32⤵
- Executes dropped EXE
PID:3924 -
\??\c:\bthbth.exec:\bthbth.exe33⤵
- Executes dropped EXE
PID:2084 -
\??\c:\flxrrff.exec:\flxrrff.exe34⤵
- Executes dropped EXE
PID:4928 -
\??\c:\5hbbtn.exec:\5hbbtn.exe35⤵
- Executes dropped EXE
PID:2052 -
\??\c:\fxxxffr.exec:\fxxxffr.exe36⤵
- Executes dropped EXE
PID:1360 -
\??\c:\bhtnhh.exec:\bhtnhh.exe37⤵
- Executes dropped EXE
PID:452 -
\??\c:\jvdpp.exec:\jvdpp.exe38⤵
- Executes dropped EXE
PID:2228 -
\??\c:\9rllllf.exec:\9rllllf.exe39⤵
- Executes dropped EXE
PID:3548 -
\??\c:\hbbbtt.exec:\hbbbtt.exe40⤵
- Executes dropped EXE
PID:3880 -
\??\c:\ddjjd.exec:\ddjjd.exe41⤵
- Executes dropped EXE
PID:4492 -
\??\c:\9bbbtb.exec:\9bbbtb.exe42⤵
- Executes dropped EXE
PID:2156 -
\??\c:\ddjdv.exec:\ddjdv.exe43⤵
- Executes dropped EXE
PID:4620 -
\??\c:\rxlfffx.exec:\rxlfffx.exe44⤵
- Executes dropped EXE
PID:4068 -
\??\c:\btbbbb.exec:\btbbbb.exe45⤵
- Executes dropped EXE
PID:3712 -
\??\c:\jpddd.exec:\jpddd.exe46⤵
- Executes dropped EXE
PID:3088 -
\??\c:\ffxrrxl.exec:\ffxrrxl.exe47⤵
- Executes dropped EXE
PID:2888 -
\??\c:\lrlrlll.exec:\lrlrlll.exe48⤵
- Executes dropped EXE
PID:4964 -
\??\c:\dvjjj.exec:\dvjjj.exe49⤵
- Executes dropped EXE
PID:396 -
\??\c:\llxxffx.exec:\llxxffx.exe50⤵
- Executes dropped EXE
PID:4872 -
\??\c:\tttbbb.exec:\tttbbb.exe51⤵
- Executes dropped EXE
PID:4436 -
\??\c:\thbtbt.exec:\thbtbt.exe52⤵
- Executes dropped EXE
PID:4796 -
\??\c:\dpvpj.exec:\dpvpj.exe53⤵
- Executes dropped EXE
PID:1108 -
\??\c:\lxfxxxx.exec:\lxfxxxx.exe54⤵
- Executes dropped EXE
PID:2020 -
\??\c:\bbtnhh.exec:\bbtnhh.exe55⤵
- Executes dropped EXE
PID:4432 -
\??\c:\vppjj.exec:\vppjj.exe56⤵
- Executes dropped EXE
PID:2388 -
\??\c:\hnbnhh.exec:\hnbnhh.exe57⤵
- Executes dropped EXE
PID:3504 -
\??\c:\5nbbtn.exec:\5nbbtn.exe58⤵
- Executes dropped EXE
PID:1580 -
\??\c:\vvjpp.exec:\vvjpp.exe59⤵
- Executes dropped EXE
PID:3036 -
\??\c:\9xfxxff.exec:\9xfxxff.exe60⤵
- Executes dropped EXE
PID:3528 -
\??\c:\frffxxr.exec:\frffxxr.exe61⤵
- Executes dropped EXE
PID:1840 -
\??\c:\btbtnn.exec:\btbtnn.exe62⤵
- Executes dropped EXE
PID:224 -
\??\c:\pvdvp.exec:\pvdvp.exe63⤵
- Executes dropped EXE
PID:3476 -
\??\c:\xlxrllf.exec:\xlxrllf.exe64⤵
- Executes dropped EXE
PID:1400 -
\??\c:\thnbnh.exec:\thnbnh.exe65⤵
- Executes dropped EXE
PID:3704 -
\??\c:\dvvpj.exec:\dvvpj.exe66⤵PID:2824
-
\??\c:\rrfxllf.exec:\rrfxllf.exe67⤵PID:3292
-
\??\c:\hhttbh.exec:\hhttbh.exe68⤵PID:2952
-
\??\c:\ntnnnt.exec:\ntnnnt.exe69⤵PID:2208
-
\??\c:\jdjdv.exec:\jdjdv.exe70⤵PID:3972
-
\??\c:\frrllfx.exec:\frrllfx.exe71⤵PID:2552
-
\??\c:\frfxfxf.exec:\frfxfxf.exe72⤵PID:1440
-
\??\c:\nhbtnn.exec:\nhbtnn.exe73⤵PID:2648
-
\??\c:\jdppj.exec:\jdppj.exe74⤵PID:3400
-
\??\c:\lrfxllf.exec:\lrfxllf.exe75⤵PID:2252
-
\??\c:\7rxxxxf.exec:\7rxxxxf.exe76⤵PID:4440
-
\??\c:\nbnhnh.exec:\nbnhnh.exe77⤵PID:4568
-
\??\c:\dvjdd.exec:\dvjdd.exe78⤵PID:4444
-
\??\c:\1flfxxx.exec:\1flfxxx.exe79⤵PID:1416
-
\??\c:\thnhbb.exec:\thnhbb.exe80⤵PID:3632
-
\??\c:\hbnntt.exec:\hbnntt.exe81⤵PID:2172
-
\??\c:\ppppj.exec:\ppppj.exe82⤵PID:2488
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe83⤵PID:2088
-
\??\c:\bttnhb.exec:\bttnhb.exe84⤵PID:2340
-
\??\c:\hbhnhh.exec:\hbhnhh.exe85⤵PID:5060
-
\??\c:\dvppp.exec:\dvppp.exe86⤵PID:4916
-
\??\c:\flxrlfx.exec:\flxrlfx.exe87⤵PID:1676
-
\??\c:\xfxxllr.exec:\xfxxllr.exe88⤵PID:2760
-
\??\c:\bntnhb.exec:\bntnhb.exe89⤵PID:3040
-
\??\c:\jdpjp.exec:\jdpjp.exe90⤵PID:4280
-
\??\c:\lffxllr.exec:\lffxllr.exe91⤵PID:1612
-
\??\c:\thbtnn.exec:\thbtnn.exe92⤵PID:2604
-
\??\c:\bttthh.exec:\bttthh.exe93⤵PID:4028
-
\??\c:\djvpj.exec:\djvpj.exe94⤵PID:2784
-
\??\c:\xxxrllx.exec:\xxxrllx.exe95⤵PID:1340
-
\??\c:\bnnhbt.exec:\bnnhbt.exe96⤵PID:2168
-
\??\c:\dppdv.exec:\dppdv.exe97⤵PID:1508
-
\??\c:\jjdvp.exec:\jjdvp.exe98⤵PID:4428
-
\??\c:\rllxrll.exec:\rllxrll.exe99⤵PID:1640
-
\??\c:\hbnbhb.exec:\hbnbhb.exe100⤵PID:3904
-
\??\c:\jpvpj.exec:\jpvpj.exe101⤵PID:3000
-
\??\c:\vpvjv.exec:\vpvjv.exe102⤵PID:536
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe103⤵PID:2864
-
\??\c:\nntnhh.exec:\nntnhh.exe104⤵PID:3708
-
\??\c:\vddvp.exec:\vddvp.exe105⤵PID:8
-
\??\c:\rxrlfxx.exec:\rxrlfxx.exe106⤵PID:744
-
\??\c:\bbnbbb.exec:\bbnbbb.exe107⤵PID:4800
-
\??\c:\btthhb.exec:\btthhb.exe108⤵PID:4796
-
\??\c:\vpvpj.exec:\vpvpj.exe109⤵PID:2424
-
\??\c:\xllfrrl.exec:\xllfrrl.exe110⤵PID:2284
-
\??\c:\bhhbtn.exec:\bhhbtn.exe111⤵PID:2020
-
\??\c:\djjvp.exec:\djjvp.exe112⤵PID:664
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe113⤵PID:1008
-
\??\c:\bntnhb.exec:\bntnhb.exe114⤵PID:2388
-
\??\c:\nhtntn.exec:\nhtntn.exe115⤵PID:3504
-
\??\c:\xfxfrxl.exec:\xfxfrxl.exe116⤵PID:4464
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe117⤵PID:228
-
\??\c:\hbhhtn.exec:\hbhhtn.exe118⤵PID:1568
-
\??\c:\dvpjd.exec:\dvpjd.exe119⤵PID:3528
-
\??\c:\9lrrxxx.exec:\9lrrxxx.exe120⤵PID:2832
-
\??\c:\nhnhbb.exec:\nhnhbb.exe121⤵PID:3244
-
\??\c:\hthbbb.exec:\hthbbb.exe122⤵PID:4712
-