Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22/11/2024, 02:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe
-
Size
453KB
-
MD5
1ed920f9954d0971060e9a75577cd7ac
-
SHA1
16f3876f008c05239a2ea00423cda1762a2959ac
-
SHA256
98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720
-
SHA512
66ac63cab28eeddc2b79905b29fc94fff96ca64956406ee7e3e8aa71ba9bf00420627f45bf904a8bedf43b31091af88bd20a40267f363ad97214333224cd69c8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1960-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2888-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3664-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-1180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-1196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4832 bhnbnh.exe 3012 vpvvv.exe 760 pddvj.exe 4272 9fxxrlf.exe 452 5tbthh.exe 736 pvvjd.exe 2420 lrxrlff.exe 4200 llrflfx.exe 4276 bnhbnh.exe 3720 jjdvj.exe 2148 xrfxlfx.exe 2220 9lxlfxr.exe 3500 hbhtnb.exe 1772 pdjvj.exe 2988 3lfrlfx.exe 3668 lxxlfrl.exe 4008 htnbtt.exe 4912 vppjj.exe 2956 dvvjv.exe 1048 xxxlfxr.exe 1808 bbhttt.exe 4928 jvvjj.exe 3588 pjvpj.exe 1144 7rrffxx.exe 4480 bttnbt.exe 2888 nhhbnn.exe 2224 pddvj.exe 2544 5frlxrf.exe 3688 hbhbtn.exe 2124 3hbhtn.exe 696 pdvjj.exe 4012 1lllrrl.exe 2304 xrrlfxl.exe 3332 thbhtb.exe 4468 jvvpd.exe 2600 lfrxfff.exe 2248 lxfxxxl.exe 3032 5btnnh.exe 748 vvdvv.exe 1748 fflflfx.exe 4032 rfflrlr.exe 412 5hbtnh.exe 1256 dppdp.exe 3472 vjjvj.exe 4388 lfxrxxf.exe 2532 tbnhbt.exe 4088 pvvpd.exe 2840 pddvj.exe 3088 fxfrfxr.exe 4728 5bnnnh.exe 2008 dpvpd.exe 2712 3pvjp.exe 5008 7lllxrr.exe 4364 7bnhhn.exe 4220 3ffxllx.exe 1960 nbtnhh.exe 4316 pddpd.exe 3012 xrfxfxr.exe 4868 lfrlfxr.exe 4104 btnhbt.exe 2228 djjvj.exe 4216 9xxrrrl.exe 904 lrxlrlf.exe 3396 hhntnb.exe -
resource yara_rule behavioral2/memory/1960-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3588-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4588-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-929-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-1180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-1196-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1960 wrote to memory of 4832 1960 98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe 82 PID 1960 wrote to memory of 4832 1960 98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe 82 PID 1960 wrote to memory of 4832 1960 98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe 82 PID 4832 wrote to memory of 3012 4832 bhnbnh.exe 139 PID 4832 wrote to memory of 3012 4832 bhnbnh.exe 139 PID 4832 wrote to memory of 3012 4832 bhnbnh.exe 139 PID 3012 wrote to memory of 760 3012 vpvvv.exe 84 PID 3012 wrote to memory of 760 3012 vpvvv.exe 84 PID 3012 wrote to memory of 760 3012 vpvvv.exe 84 PID 760 wrote to memory of 4272 760 pddvj.exe 85 PID 760 wrote to memory of 4272 760 pddvj.exe 85 PID 760 wrote to memory of 4272 760 pddvj.exe 85 PID 4272 wrote to memory of 452 4272 9fxxrlf.exe 86 PID 4272 wrote to memory of 452 4272 9fxxrlf.exe 86 PID 4272 wrote to memory of 452 4272 9fxxrlf.exe 86 PID 452 wrote to memory of 736 452 5tbthh.exe 87 PID 452 wrote to memory of 736 452 5tbthh.exe 87 PID 452 wrote to memory of 736 452 5tbthh.exe 87 PID 736 wrote to memory of 2420 736 pvvjd.exe 88 PID 736 wrote to memory of 2420 736 pvvjd.exe 88 PID 736 wrote to memory of 2420 736 pvvjd.exe 88 PID 2420 wrote to memory of 4200 2420 lrxrlff.exe 89 PID 2420 wrote to memory of 4200 2420 lrxrlff.exe 89 PID 2420 wrote to memory of 4200 2420 lrxrlff.exe 89 PID 4200 wrote to memory of 4276 4200 llrflfx.exe 90 PID 4200 wrote to memory of 4276 4200 llrflfx.exe 90 PID 4200 wrote to memory of 4276 4200 llrflfx.exe 90 PID 4276 wrote to memory of 3720 4276 bnhbnh.exe 146 PID 4276 wrote to memory of 3720 4276 bnhbnh.exe 146 PID 4276 wrote to memory of 3720 4276 bnhbnh.exe 146 PID 3720 wrote to memory of 2148 3720 jjdvj.exe 92 PID 3720 wrote to memory of 2148 3720 jjdvj.exe 92 PID 3720 wrote to memory of 2148 3720 jjdvj.exe 92 PID 2148 wrote to memory of 2220 2148 xrfxlfx.exe 93 PID 2148 wrote to memory of 2220 2148 
xrfxlfx.exe 93 PID 2148 wrote to memory of 2220 2148 xrfxlfx.exe 93 PID 2220 wrote to memory of 3500 2220 9lxlfxr.exe 94 PID 2220 wrote to memory of 3500 2220 9lxlfxr.exe 94 PID 2220 wrote to memory of 3500 2220 9lxlfxr.exe 94 PID 3500 wrote to memory of 1772 3500 hbhtnb.exe 95 PID 3500 wrote to memory of 1772 3500 hbhtnb.exe 95 PID 3500 wrote to memory of 1772 3500 hbhtnb.exe 95 PID 1772 wrote to memory of 2988 1772 pdjvj.exe 96 PID 1772 wrote to memory of 2988 1772 pdjvj.exe 96 PID 1772 wrote to memory of 2988 1772 pdjvj.exe 96 PID 2988 wrote to memory of 3668 2988 3lfrlfx.exe 97 PID 2988 wrote to memory of 3668 2988 3lfrlfx.exe 97 PID 2988 wrote to memory of 3668 2988 3lfrlfx.exe 97 PID 3668 wrote to memory of 4008 3668 lxxlfrl.exe 98 PID 3668 wrote to memory of 4008 3668 lxxlfrl.exe 98 PID 3668 wrote to memory of 4008 3668 lxxlfrl.exe 98 PID 4008 wrote to memory of 4912 4008 htnbtt.exe 99 PID 4008 wrote to memory of 4912 4008 htnbtt.exe 99 PID 4008 wrote to memory of 4912 4008 htnbtt.exe 99 PID 4912 wrote to memory of 2956 4912 vppjj.exe 100 PID 4912 wrote to memory of 2956 4912 vppjj.exe 100 PID 4912 wrote to memory of 2956 4912 vppjj.exe 100 PID 2956 wrote to memory of 1048 2956 dvvjv.exe 101 PID 2956 wrote to memory of 1048 2956 dvvjv.exe 101 PID 2956 wrote to memory of 1048 2956 dvvjv.exe 101 PID 1048 wrote to memory of 1808 1048 xxxlfxr.exe 102 PID 1048 wrote to memory of 1808 1048 xxxlfxr.exe 102 PID 1048 wrote to memory of 1808 1048 xxxlfxr.exe 102 PID 1808 wrote to memory of 4928 1808 bbhttt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe"C:\Users\Admin\AppData\Local\Temp\98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\bhnbnh.exec:\bhnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\vpvvv.exec:\vpvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\pddvj.exec:\pddvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\9fxxrlf.exec:\9fxxrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\5tbthh.exec:\5tbthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\pvvjd.exec:\pvvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\lrxrlff.exec:\lrxrlff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\llrflfx.exec:\llrflfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\bnhbnh.exec:\bnhbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\jjdvj.exec:\jjdvj.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\9lxlfxr.exec:\9lxlfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\hbhtnb.exec:\hbhtnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\pdjvj.exec:\pdjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\3lfrlfx.exec:\3lfrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\lxxlfrl.exec:\lxxlfrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\htnbtt.exec:\htnbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\vppjj.exec:\vppjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\dvvjv.exec:\dvvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\xxxlfxr.exec:\xxxlfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\bbhttt.exec:\bbhttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\jvvjj.exec:\jvvjj.exe23⤵
- Executes dropped EXE
PID:4928 -
\??\c:\pjvpj.exec:\pjvpj.exe24⤵
- Executes dropped EXE
PID:3588 -
\??\c:\7rrffxx.exec:\7rrffxx.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\bttnbt.exec:\bttnbt.exe26⤵
- Executes dropped EXE
PID:4480 -
\??\c:\nhhbnn.exec:\nhhbnn.exe27⤵
- Executes dropped EXE
PID:2888 -
\??\c:\pddvj.exec:\pddvj.exe28⤵
- Executes dropped EXE
PID:2224 -
\??\c:\5frlxrf.exec:\5frlxrf.exe29⤵
- Executes dropped EXE
PID:2544 -
\??\c:\hbhbtn.exec:\hbhbtn.exe30⤵
- Executes dropped EXE
PID:3688 -
\??\c:\3hbhtn.exec:\3hbhtn.exe31⤵
- Executes dropped EXE
PID:2124 -
\??\c:\pdvjj.exec:\pdvjj.exe32⤵
- Executes dropped EXE
PID:696 -
\??\c:\1lllrrl.exec:\1lllrrl.exe33⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xrrlfxl.exec:\xrrlfxl.exe34⤵
- Executes dropped EXE
PID:2304 -
\??\c:\thbhtb.exec:\thbhtb.exe35⤵
- Executes dropped EXE
PID:3332 -
\??\c:\jvvpd.exec:\jvvpd.exe36⤵
- Executes dropped EXE
PID:4468 -
\??\c:\lfrxfff.exec:\lfrxfff.exe37⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lxfxxxl.exec:\lxfxxxl.exe38⤵
- Executes dropped EXE
PID:2248 -
\??\c:\5btnnh.exec:\5btnnh.exe39⤵
- Executes dropped EXE
PID:3032 -
\??\c:\vvdvv.exec:\vvdvv.exe40⤵
- Executes dropped EXE
PID:748 -
\??\c:\fflflfx.exec:\fflflfx.exe41⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rfflrlr.exec:\rfflrlr.exe42⤵
- Executes dropped EXE
PID:4032 -
\??\c:\5hbtnh.exec:\5hbtnh.exe43⤵
- Executes dropped EXE
PID:412 -
\??\c:\dppdp.exec:\dppdp.exe44⤵
- Executes dropped EXE
PID:1256 -
\??\c:\vjjvj.exec:\vjjvj.exe45⤵
- Executes dropped EXE
PID:3472 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe46⤵
- Executes dropped EXE
PID:4388 -
\??\c:\tbnhbt.exec:\tbnhbt.exe47⤵
- Executes dropped EXE
PID:2532 -
\??\c:\pvvpd.exec:\pvvpd.exe48⤵
- Executes dropped EXE
PID:4088 -
\??\c:\pddvj.exec:\pddvj.exe49⤵
- Executes dropped EXE
PID:2840 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe50⤵
- Executes dropped EXE
PID:3088 -
\??\c:\5bnnnh.exec:\5bnnnh.exe51⤵
- Executes dropped EXE
PID:4728 -
\??\c:\dpvpd.exec:\dpvpd.exe52⤵
- Executes dropped EXE
PID:2008 -
\??\c:\3pvjp.exec:\3pvjp.exe53⤵
- Executes dropped EXE
PID:2712 -
\??\c:\7lllxrr.exec:\7lllxrr.exe54⤵
- Executes dropped EXE
PID:5008 -
\??\c:\7bnhhn.exec:\7bnhhn.exe55⤵
- Executes dropped EXE
PID:4364 -
\??\c:\3ffxllx.exec:\3ffxllx.exe56⤵
- Executes dropped EXE
PID:4220 -
\??\c:\nbtnhh.exec:\nbtnhh.exe57⤵
- Executes dropped EXE
PID:1960 -
\??\c:\pddpd.exec:\pddpd.exe58⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xrfxfxr.exec:\xrfxfxr.exe59⤵
- Executes dropped EXE
PID:3012 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe60⤵
- Executes dropped EXE
PID:4868 -
\??\c:\btnhbt.exec:\btnhbt.exe61⤵
- Executes dropped EXE
PID:4104 -
\??\c:\djjvj.exec:\djjvj.exe62⤵
- Executes dropped EXE
PID:2228 -
\??\c:\9xxrrrl.exec:\9xxrrrl.exe63⤵
- Executes dropped EXE
PID:4216 -
\??\c:\lrxlrlf.exec:\lrxlrlf.exe64⤵
- Executes dropped EXE
PID:904 -
\??\c:\hhntnb.exec:\hhntnb.exe65⤵
- Executes dropped EXE
PID:3396 -
\??\c:\vvvpd.exec:\vvvpd.exe66⤵PID:3720
-
\??\c:\bbhbhh.exec:\bbhbhh.exe67⤵PID:2120
-
\??\c:\vdjvj.exec:\vdjvj.exe68⤵PID:964
-
\??\c:\ppppj.exec:\ppppj.exe69⤵PID:3652
-
\??\c:\tnnhtt.exec:\tnnhtt.exe70⤵PID:4500
-
\??\c:\vddvp.exec:\vddvp.exe71⤵PID:2756
-
\??\c:\hhnhbb.exec:\hhnhbb.exe72⤵PID:2992
-
\??\c:\jdjpj.exec:\jdjpj.exe73⤵PID:1628
-
\??\c:\lfrrllf.exec:\lfrrllf.exe74⤵PID:4212
-
\??\c:\btbttt.exec:\btbttt.exe75⤵PID:4924
-
\??\c:\dpvpv.exec:\dpvpv.exe76⤵PID:3664
-
\??\c:\pdpdv.exec:\pdpdv.exe77⤵PID:4544
-
\??\c:\rfxrllf.exec:\rfxrllf.exe78⤵PID:1364
-
\??\c:\thttbb.exec:\thttbb.exe79⤵PID:4160
-
\??\c:\9pppj.exec:\9pppj.exe80⤵PID:4724
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe81⤵PID:2888
-
\??\c:\xrrrllf.exec:\xrrrllf.exe82⤵PID:1656
-
\??\c:\tbtnhh.exec:\tbtnhh.exe83⤵PID:2072
-
\??\c:\jpvpj.exec:\jpvpj.exe84⤵PID:3060
-
\??\c:\lffxllf.exec:\lffxllf.exe85⤵PID:3436
-
\??\c:\tnbbht.exec:\tnbbht.exe86⤵PID:696
-
\??\c:\dvvpj.exec:\dvvpj.exe87⤵PID:4240
-
\??\c:\djdjp.exec:\djdjp.exe88⤵PID:4600
-
\??\c:\bnbhht.exec:\bnbhht.exe89⤵PID:808
-
\??\c:\nbnhtt.exec:\nbnhtt.exe90⤵PID:2744
-
\??\c:\vpdvj.exec:\vpdvj.exe91⤵PID:612
-
\??\c:\fxlfrxl.exec:\fxlfrxl.exe92⤵PID:4588
-
\??\c:\vpdjj.exec:\vpdjj.exe93⤵PID:3708
-
\??\c:\fxlrllx.exec:\fxlrllx.exe94⤵PID:1016
-
\??\c:\ntbhhh.exec:\ntbhhh.exe95⤵PID:684
-
\??\c:\ddpjd.exec:\ddpjd.exe96⤵PID:4032
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe97⤵PID:412
-
\??\c:\vvvpp.exec:\vvvpp.exe98⤵PID:3240
-
\??\c:\jpjdd.exec:\jpjdd.exe99⤵PID:2460
-
\??\c:\1rfxflf.exec:\1rfxflf.exe100⤵PID:4388
-
\??\c:\hhhhbb.exec:\hhhhbb.exe101⤵PID:4432
-
\??\c:\dddvp.exec:\dddvp.exe102⤵PID:4076
-
\??\c:\nhnhbb.exec:\nhnhbb.exe103⤵PID:844
-
\??\c:\bntnbb.exec:\bntnbb.exe104⤵PID:2996
-
\??\c:\vpdjd.exec:\vpdjd.exe105⤵PID:2664
-
\??\c:\llfxrfx.exec:\llfxrfx.exe106⤵PID:1936
-
\??\c:\nntntt.exec:\nntntt.exe107⤵PID:2328
-
\??\c:\hbnhhb.exec:\hbnhhb.exe108⤵PID:4720
-
\??\c:\7vppd.exec:\7vppd.exe109⤵PID:3872
-
\??\c:\hbnbtb.exec:\hbnbtb.exe110⤵PID:1844
-
\??\c:\jvvpp.exec:\jvvpp.exe111⤵PID:5036
-
\??\c:\7rrlfxx.exec:\7rrlfxx.exe112⤵PID:3076
-
\??\c:\hhtntt.exec:\hhtntt.exe113⤵PID:3096
-
\??\c:\pppjv.exec:\pppjv.exe114⤵PID:4316
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe115⤵PID:3744
-
\??\c:\lrrllll.exec:\lrrllll.exe116⤵PID:3272
-
\??\c:\jpvpj.exec:\jpvpj.exe117⤵PID:2384
-
\??\c:\ddjpj.exec:\ddjpj.exe118⤵PID:4868
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe119⤵PID:3104
-
\??\c:\bhnnbb.exec:\bhnnbb.exe120⤵PID:4420
-
\??\c:\vdjvp.exec:\vdjvp.exe121⤵PID:4452
-
\??\c:\djpjj.exec:\djpjj.exe122⤵PID:3044
-