Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-12-2024 14:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee.exe
-
Size
454KB
-
MD5
c1a6d16797759cc2ac63467c40536031
-
SHA1
0f02a4f8b8c7793588138fd16dd8839725fcd011
-
SHA256
bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee
-
SHA512
5ffcef3740fd971c52c1913f04428a22062973442116438d79e7d3ff5aa8b71cd2335cfe138cadd6d4de1bc34fbf763b14eb19b07aa553352bf77c4a0482a646
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeqC:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures (all IoC paths below are from the behavioral2 run on windows10-2004_x64; the behavioral1 / windows7-x64 task listed above is not reflected in these lists)
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs. Every hit is a YARA match on a process memory dump covering the same image range 0x00400000-0x0042A000, and the same dumps also match the upx rule further down; the family signature therefore fired on the unpacked in-memory image, and the dropped files appear to be one UPX-packed binary re-dropped under different names. Do not assume that scanning the dropped files on disk reproduces this match without first stripping the packer layer.
resource yara_rule behavioral2/memory/4748-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1504-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2984-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-1143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list appears capped at 64 entries: the process tree below continues past the last tagged process, llrxrfx.exe / PID 3108, with untagged children that follow the same drop-and-spawn pattern)
pid Process 2216 pjpjj.exe 4748 xxffffl.exe 864 hbhbhh.exe 3684 hhtthh.exe 2984 9rrflfr.exe 4852 pvjdv.exe 1752 rlllxxx.exe 4192 jdpjj.exe 4620 nhtnhh.exe 1072 vdjdv.exe 2688 hbbttn.exe 3560 jvppd.exe 3180 hnnhbb.exe 2956 jvvpd.exe 1920 3fffxlf.exe 4156 hbhbbt.exe 4596 vpvdd.exe 4636 rrfffrx.exe 4028 jjppv.exe 3516 1rrlllf.exe 1380 9bbbbn.exe 1548 5vvpp.exe 1820 lxffxxl.exe 116 dpvpj.exe 3924 jvdvv.exe 1504 htbnnb.exe 1696 xxlrxlx.exe 4372 nbhtnh.exe 2932 hnttth.exe 4212 5vddd.exe 436 vddvp.exe 2704 jvdvj.exe 2168 5jddv.exe 1336 pdddv.exe 2104 jvvjd.exe 2660 flxrxxl.exe 448 hbhbnh.exe 1684 vdpjd.exe 1096 lffxxxr.exe 2140 nhnhbh.exe 2608 xrrxxlf.exe 5048 rlrlffx.exe 4240 hhnnnn.exe 4652 pdjjp.exe 4112 lfrlrxl.exe 4936 bhtnnn.exe 3692 vjpjd.exe 3696 lxxxrrr.exe 3212 lflfffx.exe 404 hhhhbn.exe 1384 jpdvp.exe 60 7lrfllx.exe 4496 rflfxxr.exe 2208 bbhnnt.exe 216 7vdvp.exe 4960 rlffllf.exe 3808 nhhbtt.exe 3968 dvjdd.exe 2904 5pdvp.exe 3192 xfrfxxx.exe 3272 hhnhhh.exe 3252 hbbbnt.exe 2984 jvddd.exe 3108 llrxrfx.exe -
resource yara_rule behavioral2/memory/4748-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4212-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1952-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-1143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-1159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-1533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-1543-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Every IoC here is a read of the same NLS\Language registry key; entries attributed to "Process not Found" presumably come from processes that had already exited before the sandbox resolved their names, so the per-process attribution is incomplete and the count of 64 looks like a display cap rather than an exact figure.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Each entry is a parent writing into the child it has just spawned (three writes per child, in the same order as the process tree), which is consistent with ordinary process creation rather than injection into an unrelated process; treat this signature as corroboration of the spawn chain, not as independent evidence of code injection.
description pid Process procid_target PID 3024 wrote to memory of 2216 3024 bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee.exe 82 PID 3024 wrote to memory of 2216 3024 bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee.exe 82 PID 3024 wrote to memory of 2216 3024 bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee.exe 82 PID 2216 wrote to memory of 4748 2216 pjpjj.exe 83 PID 2216 wrote to memory of 4748 2216 pjpjj.exe 83 PID 2216 wrote to memory of 4748 2216 pjpjj.exe 83 PID 4748 wrote to memory of 864 4748 xxffffl.exe 84 PID 4748 wrote to memory of 864 4748 xxffffl.exe 84 PID 4748 wrote to memory of 864 4748 xxffffl.exe 84 PID 864 wrote to memory of 3684 864 hbhbhh.exe 85 PID 864 wrote to memory of 3684 864 hbhbhh.exe 85 PID 864 wrote to memory of 3684 864 hbhbhh.exe 85 PID 3684 wrote to memory of 2984 3684 hhtthh.exe 86 PID 3684 wrote to memory of 2984 3684 hhtthh.exe 86 PID 3684 wrote to memory of 2984 3684 hhtthh.exe 86 PID 2984 wrote to memory of 4852 2984 9rrflfr.exe 87 PID 2984 wrote to memory of 4852 2984 9rrflfr.exe 87 PID 2984 wrote to memory of 4852 2984 9rrflfr.exe 87 PID 4852 wrote to memory of 1752 4852 pvjdv.exe 88 PID 4852 wrote to memory of 1752 4852 pvjdv.exe 88 PID 4852 wrote to memory of 1752 4852 pvjdv.exe 88 PID 1752 wrote to memory of 4192 1752 rlllxxx.exe 89 PID 1752 wrote to memory of 4192 1752 rlllxxx.exe 89 PID 1752 wrote to memory of 4192 1752 rlllxxx.exe 89 PID 4192 wrote to memory of 4620 4192 jdpjj.exe 90 PID 4192 wrote to memory of 4620 4192 jdpjj.exe 90 PID 4192 wrote to memory of 4620 4192 jdpjj.exe 90 PID 4620 wrote to memory of 1072 4620 nhtnhh.exe 91 PID 4620 wrote to memory of 1072 4620 nhtnhh.exe 91 PID 4620 wrote to memory of 1072 4620 nhtnhh.exe 91 PID 1072 wrote to memory of 2688 1072 vdjdv.exe 92 PID 1072 wrote to memory of 2688 1072 vdjdv.exe 92 PID 1072 wrote to memory of 2688 1072 vdjdv.exe 92 PID 2688 wrote to memory of 3560 2688 hbbttn.exe 93 PID 2688 wrote to memory of 
3560 2688 hbbttn.exe 93 PID 2688 wrote to memory of 3560 2688 hbbttn.exe 93 PID 3560 wrote to memory of 3180 3560 jvppd.exe 94 PID 3560 wrote to memory of 3180 3560 jvppd.exe 94 PID 3560 wrote to memory of 3180 3560 jvppd.exe 94 PID 3180 wrote to memory of 2956 3180 hnnhbb.exe 95 PID 3180 wrote to memory of 2956 3180 hnnhbb.exe 95 PID 3180 wrote to memory of 2956 3180 hnnhbb.exe 95 PID 2956 wrote to memory of 1920 2956 jvvpd.exe 96 PID 2956 wrote to memory of 1920 2956 jvvpd.exe 96 PID 2956 wrote to memory of 1920 2956 jvvpd.exe 96 PID 1920 wrote to memory of 4156 1920 3fffxlf.exe 97 PID 1920 wrote to memory of 4156 1920 3fffxlf.exe 97 PID 1920 wrote to memory of 4156 1920 3fffxlf.exe 97 PID 4156 wrote to memory of 4596 4156 hbhbbt.exe 98 PID 4156 wrote to memory of 4596 4156 hbhbbt.exe 98 PID 4156 wrote to memory of 4596 4156 hbhbbt.exe 98 PID 4596 wrote to memory of 4636 4596 vpvdd.exe 99 PID 4596 wrote to memory of 4636 4596 vpvdd.exe 99 PID 4596 wrote to memory of 4636 4596 vpvdd.exe 99 PID 4636 wrote to memory of 4028 4636 rrfffrx.exe 100 PID 4636 wrote to memory of 4028 4636 rrfffrx.exe 100 PID 4636 wrote to memory of 4028 4636 rrfffrx.exe 100 PID 4028 wrote to memory of 3516 4028 jjppv.exe 101 PID 4028 wrote to memory of 3516 4028 jjppv.exe 101 PID 4028 wrote to memory of 3516 4028 jjppv.exe 101 PID 3516 wrote to memory of 1380 3516 1rrlllf.exe 102 PID 3516 wrote to memory of 1380 3516 1rrlllf.exe 102 PID 3516 wrote to memory of 1380 3516 1rrlllf.exe 102 PID 1380 wrote to memory of 1548 1380 9bbbbn.exe 103
Processes (behavioral2 tree: the sample runs from C:\Users\Admin\AppData\Local\Temp, and each process spawns exactly one child dropped to the root of C:\ under a short name composed from a small set of letters (b d f h j l n p r t v x) and odd digits, 122 levels deep as shown; executables created at the root of C:\ with names of this shape are the most direct host-based artifact to hunt for)
-
C:\Users\Admin\AppData\Local\Temp\bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee.exe"C:\Users\Admin\AppData\Local\Temp\bceb796d470029a0803eeb8d6c6124b38536a44d837481c6d7bfadc5418500ee.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\pjpjj.exec:\pjpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\xxffffl.exec:\xxffffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\hbhbhh.exec:\hbhbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\hhtthh.exec:\hhtthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\9rrflfr.exec:\9rrflfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\pvjdv.exec:\pvjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\rlllxxx.exec:\rlllxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\jdpjj.exec:\jdpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\nhtnhh.exec:\nhtnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\vdjdv.exec:\vdjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\hbbttn.exec:\hbbttn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\jvppd.exec:\jvppd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\hnnhbb.exec:\hnnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\jvvpd.exec:\jvvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\3fffxlf.exec:\3fffxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\hbhbbt.exec:\hbhbbt.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\vpvdd.exec:\vpvdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\rrfffrx.exec:\rrfffrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\jjppv.exec:\jjppv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\1rrlllf.exec:\1rrlllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\9bbbbn.exec:\9bbbbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\5vvpp.exec:\5vvpp.exe23⤵
- Executes dropped EXE
PID:1548 -
\??\c:\lxffxxl.exec:\lxffxxl.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\dpvpj.exec:\dpvpj.exe25⤵
- Executes dropped EXE
PID:116 -
\??\c:\jvdvv.exec:\jvdvv.exe26⤵
- Executes dropped EXE
PID:3924 -
\??\c:\htbnnb.exec:\htbnnb.exe27⤵
- Executes dropped EXE
PID:1504 -
\??\c:\xxlrxlx.exec:\xxlrxlx.exe28⤵
- Executes dropped EXE
PID:1696 -
\??\c:\nbhtnh.exec:\nbhtnh.exe29⤵
- Executes dropped EXE
PID:4372 -
\??\c:\hnttth.exec:\hnttth.exe30⤵
- Executes dropped EXE
PID:2932 -
\??\c:\5vddd.exec:\5vddd.exe31⤵
- Executes dropped EXE
PID:4212 -
\??\c:\vddvp.exec:\vddvp.exe32⤵
- Executes dropped EXE
PID:436 -
\??\c:\jvdvj.exec:\jvdvj.exe33⤵
- Executes dropped EXE
PID:2704 -
\??\c:\5jddv.exec:\5jddv.exe34⤵
- Executes dropped EXE
PID:2168 -
\??\c:\pdddv.exec:\pdddv.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336 -
\??\c:\jvvjd.exec:\jvvjd.exe36⤵
- Executes dropped EXE
PID:2104 -
\??\c:\flxrxxl.exec:\flxrxxl.exe37⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hbhbnh.exec:\hbhbnh.exe38⤵
- Executes dropped EXE
PID:448 -
\??\c:\vdpjd.exec:\vdpjd.exe39⤵
- Executes dropped EXE
PID:1684 -
\??\c:\lffxxxr.exec:\lffxxxr.exe40⤵
- Executes dropped EXE
PID:1096 -
\??\c:\nhnhbh.exec:\nhnhbh.exe41⤵
- Executes dropped EXE
PID:2140 -
\??\c:\xrrxxlf.exec:\xrrxxlf.exe42⤵
- Executes dropped EXE
PID:2608 -
\??\c:\rlrlffx.exec:\rlrlffx.exe43⤵
- Executes dropped EXE
PID:5048 -
\??\c:\hhnnnn.exec:\hhnnnn.exe44⤵
- Executes dropped EXE
PID:4240 -
\??\c:\pdjjp.exec:\pdjjp.exe45⤵
- Executes dropped EXE
PID:4652 -
\??\c:\lfrlrxl.exec:\lfrlrxl.exe46⤵
- Executes dropped EXE
PID:4112 -
\??\c:\bhtnnn.exec:\bhtnnn.exe47⤵
- Executes dropped EXE
PID:4936 -
\??\c:\vjpjd.exec:\vjpjd.exe48⤵
- Executes dropped EXE
PID:3692 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe49⤵
- Executes dropped EXE
PID:3696 -
\??\c:\lflfffx.exec:\lflfffx.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3212 -
\??\c:\hhhhbn.exec:\hhhhbn.exe51⤵
- Executes dropped EXE
PID:404 -
\??\c:\jpdvp.exec:\jpdvp.exe52⤵
- Executes dropped EXE
PID:1384 -
\??\c:\7lrfllx.exec:\7lrfllx.exe53⤵
- Executes dropped EXE
PID:60 -
\??\c:\rflfxxr.exec:\rflfxxr.exe54⤵
- Executes dropped EXE
PID:4496 -
\??\c:\bbhnnt.exec:\bbhnnt.exe55⤵
- Executes dropped EXE
PID:2208 -
\??\c:\7vdvp.exec:\7vdvp.exe56⤵
- Executes dropped EXE
PID:216 -
\??\c:\rlffllf.exec:\rlffllf.exe57⤵
- Executes dropped EXE
PID:4960 -
\??\c:\nhhbtt.exec:\nhhbtt.exe58⤵
- Executes dropped EXE
PID:3808 -
\??\c:\dvjdd.exec:\dvjdd.exe59⤵
- Executes dropped EXE
PID:3968 -
\??\c:\5pdvp.exec:\5pdvp.exe60⤵
- Executes dropped EXE
PID:2904 -
\??\c:\xfrfxxx.exec:\xfrfxxx.exe61⤵
- Executes dropped EXE
PID:3192 -
\??\c:\hhnhhh.exec:\hhnhhh.exe62⤵
- Executes dropped EXE
PID:3272 -
\??\c:\hbbbnt.exec:\hbbbnt.exe63⤵
- Executes dropped EXE
PID:3252 -
\??\c:\jvddd.exec:\jvddd.exe64⤵
- Executes dropped EXE
PID:2984 -
\??\c:\llrxrfx.exec:\llrxrfx.exe65⤵
- Executes dropped EXE
PID:3108 -
\??\c:\hbhbbt.exec:\hbhbbt.exe66⤵PID:428
-
\??\c:\hhhbtt.exec:\hhhbtt.exe67⤵PID:4056
-
\??\c:\dvvpj.exec:\dvvpj.exe68⤵PID:4624
-
\??\c:\xrxxxxf.exec:\xrxxxxf.exe69⤵PID:2664
-
\??\c:\llxlrfr.exec:\llxlrfr.exe70⤵PID:760
-
\??\c:\httnhh.exec:\httnhh.exe71⤵PID:1016
-
\??\c:\jjppv.exec:\jjppv.exe72⤵PID:1276
-
\??\c:\rfrlffx.exec:\rfrlffx.exe73⤵PID:1224
-
\??\c:\hhhbtb.exec:\hhhbtb.exe74⤵PID:2652
-
\??\c:\bbbtnn.exec:\bbbtnn.exe75⤵PID:2128
-
\??\c:\3ddvv.exec:\3ddvv.exe76⤵PID:3084
-
\??\c:\rrrllll.exec:\rrrllll.exe77⤵PID:2316
-
\??\c:\ttbbtt.exec:\ttbbtt.exe78⤵PID:1888
-
\??\c:\bnnttt.exec:\bnnttt.exe79⤵PID:3444
-
\??\c:\jvdvp.exec:\jvdvp.exe80⤵PID:3176
-
\??\c:\frxxxlf.exec:\frxxxlf.exe81⤵PID:4564
-
\??\c:\htbtnn.exec:\htbtnn.exe82⤵PID:2480
-
\??\c:\jjjdv.exec:\jjjdv.exe83⤵PID:552
-
\??\c:\vvpdd.exec:\vvpdd.exe84⤵PID:1688
-
\??\c:\1llflfx.exec:\1llflfx.exe85⤵PID:1952
-
\??\c:\7tbttb.exec:\7tbttb.exe86⤵PID:456
-
\??\c:\hnbbbn.exec:\hnbbbn.exe87⤵PID:4312
-
\??\c:\5vpvj.exec:\5vpvj.exe88⤵PID:3960
-
\??\c:\fxxrrrx.exec:\fxxrrrx.exe89⤵PID:3296
-
\??\c:\hhhbtn.exec:\hhhbtn.exe90⤵PID:2780
-
\??\c:\jjjvp.exec:\jjjvp.exe91⤵PID:2248
-
\??\c:\ppdpp.exec:\ppdpp.exe92⤵PID:1356
-
\??\c:\rrxxrrr.exec:\rrxxrrr.exe93⤵PID:1140
-
\??\c:\nhtttt.exec:\nhtttt.exe94⤵PID:1844
-
\??\c:\ppppj.exec:\ppppj.exe95⤵PID:3592
-
\??\c:\vvdjd.exec:\vvdjd.exe96⤵PID:2088
-
\??\c:\rrxrllf.exec:\rrxrllf.exe97⤵PID:1312
-
\??\c:\jddvv.exec:\jddvv.exe98⤵PID:1212
-
\??\c:\frrfllr.exec:\frrfllr.exe99⤵PID:4084
-
\??\c:\lflfxxx.exec:\lflfxxx.exe100⤵PID:2672
-
\??\c:\bttnht.exec:\bttnht.exe101⤵PID:1364
-
\??\c:\pppjj.exec:\pppjj.exe102⤵PID:4108
-
\??\c:\rxllffx.exec:\rxllffx.exe103⤵PID:3748
-
\??\c:\flrxlrf.exec:\flrxlrf.exe104⤵PID:4180
-
\??\c:\hbnbhb.exec:\hbnbhb.exe105⤵PID:4996
-
\??\c:\jjjpv.exec:\jjjpv.exe106⤵PID:712
-
\??\c:\rlxrrrx.exec:\rlxrrrx.exe107⤵PID:376
-
\??\c:\hhbtbh.exec:\hhbtbh.exe108⤵PID:3768
-
\??\c:\nhbtnn.exec:\nhbtnn.exe109⤵PID:1684
-
\??\c:\vvdjp.exec:\vvdjp.exe110⤵PID:1060
-
\??\c:\9rxrlrr.exec:\9rxrlrr.exe111⤵PID:3720
-
\??\c:\httttt.exec:\httttt.exe112⤵PID:4012
-
\??\c:\ddpdv.exec:\ddpdv.exe113⤵PID:3676
-
\??\c:\7fffxxx.exec:\7fffxxx.exe114⤵PID:4520
-
\??\c:\lffxfff.exec:\lffxfff.exe115⤵PID:4536
-
\??\c:\nhhbbb.exec:\nhhbbb.exe116⤵PID:964
-
\??\c:\dvdvj.exec:\dvdvj.exe117⤵PID:1320
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe118⤵PID:3004
-
\??\c:\nhthnn.exec:\nhthnn.exe119⤵PID:4444
-
\??\c:\ntnnhh.exec:\ntnnhh.exe120⤵PID:1868
-
\??\c:\ddpjp.exec:\ddpjp.exe121⤵PID:2676
-
\??\c:\9fxxrrr.exec:\9fxxrrr.exe122⤵PID:4920