Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 20:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273aN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273aN.exe
-
Size
454KB
-
MD5
c2a6cf711c7dd1a203202a4bccabfea0
-
SHA1
ce800c6238ffc5172615a8d60d6070ba17c31ed9
-
SHA256
f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273a
-
SHA512
3076e135782908258e296b748d31b2e44dc245666e02f18879823134d5ca3a7a5bbc7afbc9f3928ea5323c423d33bfeaa6d7d0c9bf719001ea508f26c6381e91
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1464-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3620-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3096-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-839-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-1098-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-1132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4896-1265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2888 7hhbtn.exe 4448 vvdvp.exe 4108 rlffxxr.exe 1980 9bhbtn.exe 4004 ntntnh.exe 1372 jvvpj.exe 3328 xxrlffx.exe 3528 rxrrfll.exe 3768 3ntnhh.exe 4820 jjjjd.exe 3096 vppvp.exe 4488 lllfxxr.exe 2688 3bbttt.exe 1056 btbtnh.exe 2832 vpvvp.exe 4356 rrfxrrr.exe 2224 bhbbtt.exe 2696 ntnnhh.exe 912 pjjjd.exe 4372 lflfxfx.exe 2172 xrrlfxr.exe 592 ntbtnt.exe 2876 1pppj.exe 3268 9vvjd.exe 1624 7lrlffx.exe 1692 7nnhbt.exe 1196 thbtnn.exe 1704 vjjdd.exe 2136 xfxxffl.exe 4220 xffllrf.exe 1456 nbhttn.exe 4960 ppddj.exe 3680 vvdvd.exe 4724 rlrlrxf.exe 5084 tnnnhh.exe 4688 hhtnhh.exe 4616 vdjdv.exe 2616 7llfxxr.exe 4612 rfrllff.exe 3384 nnnhhh.exe 1752 vdvvp.exe 728 xfrlffr.exe 1124 rlrfxxl.exe 2656 nhhbbt.exe 4740 7djjd.exe 4848 vppjd.exe 3620 7xrrlxr.exe 2140 bbbnhh.exe 4920 bnhbbb.exe 996 vjvpp.exe 2180 xxrllrf.exe 1872 btttnt.exe 2228 bhbttn.exe 4796 jpjvp.exe 4756 rxffllr.exe 5096 7lrrxxf.exe 4348 hbhbtn.exe 1800 pvpdv.exe 4548 1vjdv.exe 4208 fflfrrl.exe 2408 hthbtt.exe 212 thbnhb.exe 4952 jdjjd.exe 3664 flrlrlr.exe -
resource yara_rule behavioral2/memory/1464-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-233-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1124-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-12-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3268-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-839-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1464 wrote to memory of 2888 1464 f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273aN.exe 83 PID 1464 wrote to memory of 2888 1464 f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273aN.exe 83 PID 1464 wrote to memory of 2888 1464 f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273aN.exe 83 PID 2888 wrote to memory of 4448 2888 7hhbtn.exe 84 PID 2888 wrote to memory of 4448 2888 7hhbtn.exe 84 PID 2888 wrote to memory of 4448 2888 7hhbtn.exe 84 PID 4448 wrote to memory of 4108 4448 vvdvp.exe 85 PID 4448 wrote to memory of 4108 4448 vvdvp.exe 85 PID 4448 wrote to memory of 4108 4448 vvdvp.exe 85 PID 4108 wrote to memory of 1980 4108 rlffxxr.exe 86 PID 4108 wrote to memory of 1980 4108 rlffxxr.exe 86 PID 4108 wrote to memory of 1980 4108 rlffxxr.exe 86 PID 1980 wrote to memory of 4004 1980 9bhbtn.exe 87 PID 1980 wrote to memory of 4004 1980 9bhbtn.exe 87 PID 1980 wrote to memory of 4004 1980 9bhbtn.exe 87 PID 4004 wrote to memory of 1372 4004 ntntnh.exe 88 PID 4004 wrote to memory of 1372 4004 ntntnh.exe 88 PID 4004 wrote to memory of 1372 4004 ntntnh.exe 88 PID 1372 wrote to memory of 3328 1372 jvvpj.exe 89 PID 1372 wrote to memory of 3328 1372 jvvpj.exe 89 PID 1372 wrote to memory of 3328 1372 jvvpj.exe 89 PID 3328 wrote to memory of 3528 3328 xxrlffx.exe 90 PID 3328 wrote to memory of 3528 3328 xxrlffx.exe 90 PID 3328 wrote to memory of 3528 3328 xxrlffx.exe 90 PID 3528 wrote to memory of 3768 3528 rxrrfll.exe 91 PID 3528 wrote to memory of 3768 3528 rxrrfll.exe 91 PID 3528 wrote to memory of 3768 3528 rxrrfll.exe 91 PID 3768 wrote to memory of 4820 3768 3ntnhh.exe 92 PID 3768 wrote to memory of 4820 3768 3ntnhh.exe 92 PID 3768 wrote to memory of 4820 3768 3ntnhh.exe 92 PID 4820 wrote to memory of 3096 4820 jjjjd.exe 93 PID 4820 wrote to memory of 3096 4820 jjjjd.exe 93 PID 4820 wrote to memory of 3096 4820 jjjjd.exe 93 PID 3096 wrote to memory of 4488 3096 vppvp.exe 94 PID 3096 wrote to 
memory of 4488 3096 vppvp.exe 94 PID 3096 wrote to memory of 4488 3096 vppvp.exe 94 PID 4488 wrote to memory of 2688 4488 lllfxxr.exe 95 PID 4488 wrote to memory of 2688 4488 lllfxxr.exe 95 PID 4488 wrote to memory of 2688 4488 lllfxxr.exe 95 PID 2688 wrote to memory of 1056 2688 3bbttt.exe 96 PID 2688 wrote to memory of 1056 2688 3bbttt.exe 96 PID 2688 wrote to memory of 1056 2688 3bbttt.exe 96 PID 1056 wrote to memory of 2832 1056 btbtnh.exe 97 PID 1056 wrote to memory of 2832 1056 btbtnh.exe 97 PID 1056 wrote to memory of 2832 1056 btbtnh.exe 97 PID 2832 wrote to memory of 4356 2832 vpvvp.exe 98 PID 2832 wrote to memory of 4356 2832 vpvvp.exe 98 PID 2832 wrote to memory of 4356 2832 vpvvp.exe 98 PID 4356 wrote to memory of 2224 4356 rrfxrrr.exe 99 PID 4356 wrote to memory of 2224 4356 rrfxrrr.exe 99 PID 4356 wrote to memory of 2224 4356 rrfxrrr.exe 99 PID 2224 wrote to memory of 2696 2224 bhbbtt.exe 100 PID 2224 wrote to memory of 2696 2224 bhbbtt.exe 100 PID 2224 wrote to memory of 2696 2224 bhbbtt.exe 100 PID 2696 wrote to memory of 912 2696 ntnnhh.exe 101 PID 2696 wrote to memory of 912 2696 ntnnhh.exe 101 PID 2696 wrote to memory of 912 2696 ntnnhh.exe 101 PID 912 wrote to memory of 4372 912 pjjjd.exe 102 PID 912 wrote to memory of 4372 912 pjjjd.exe 102 PID 912 wrote to memory of 4372 912 pjjjd.exe 102 PID 4372 wrote to memory of 2172 4372 lflfxfx.exe 103 PID 4372 wrote to memory of 2172 4372 lflfxfx.exe 103 PID 4372 wrote to memory of 2172 4372 lflfxfx.exe 103 PID 2172 wrote to memory of 592 2172 xrrlfxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273aN.exe"C:\Users\Admin\AppData\Local\Temp\f98cc284f2ffbb1251875f8470a94fe7408bc69590f0161bec6c66162eb6273aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\7hhbtn.exec:\7hhbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\vvdvp.exec:\vvdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\rlffxxr.exec:\rlffxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\9bhbtn.exec:\9bhbtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\ntntnh.exec:\ntntnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\jvvpj.exec:\jvvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\xxrlffx.exec:\xxrlffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\rxrrfll.exec:\rxrrfll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\3ntnhh.exec:\3ntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\jjjjd.exec:\jjjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\vppvp.exec:\vppvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\lllfxxr.exec:\lllfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\3bbttt.exec:\3bbttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\btbtnh.exec:\btbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\vpvvp.exec:\vpvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\rrfxrrr.exec:\rrfxrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\bhbbtt.exec:\bhbbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\ntnnhh.exec:\ntnnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\pjjjd.exec:\pjjjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\lflfxfx.exec:\lflfxfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\ntbtnt.exec:\ntbtnt.exe23⤵
- Executes dropped EXE
PID:592 -
\??\c:\1pppj.exec:\1pppj.exe24⤵
- Executes dropped EXE
PID:2876 -
\??\c:\9vvjd.exec:\9vvjd.exe25⤵
- Executes dropped EXE
PID:3268 -
\??\c:\7lrlffx.exec:\7lrlffx.exe26⤵
- Executes dropped EXE
PID:1624 -
\??\c:\7nnhbt.exec:\7nnhbt.exe27⤵
- Executes dropped EXE
PID:1692 -
\??\c:\thbtnn.exec:\thbtnn.exe28⤵
- Executes dropped EXE
PID:1196 -
\??\c:\vjjdd.exec:\vjjdd.exe29⤵
- Executes dropped EXE
PID:1704 -
\??\c:\xfxxffl.exec:\xfxxffl.exe30⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xffllrf.exec:\xffllrf.exe31⤵
- Executes dropped EXE
PID:4220 -
\??\c:\nbhttn.exec:\nbhttn.exe32⤵
- Executes dropped EXE
PID:1456 -
\??\c:\ppddj.exec:\ppddj.exe33⤵
- Executes dropped EXE
PID:4960 -
\??\c:\vvdvd.exec:\vvdvd.exe34⤵
- Executes dropped EXE
PID:3680 -
\??\c:\rlrlrxf.exec:\rlrlrxf.exe35⤵
- Executes dropped EXE
PID:4724 -
\??\c:\tnnnhh.exec:\tnnnhh.exe36⤵
- Executes dropped EXE
PID:5084 -
\??\c:\hhtnhh.exec:\hhtnhh.exe37⤵
- Executes dropped EXE
PID:4688 -
\??\c:\vdjdv.exec:\vdjdv.exe38⤵
- Executes dropped EXE
PID:4616 -
\??\c:\7llfxxr.exec:\7llfxxr.exe39⤵
- Executes dropped EXE
PID:2616 -
\??\c:\rfrllff.exec:\rfrllff.exe40⤵
- Executes dropped EXE
PID:4612 -
\??\c:\nnnhhh.exec:\nnnhhh.exe41⤵
- Executes dropped EXE
PID:3384 -
\??\c:\vdvvp.exec:\vdvvp.exe42⤵
- Executes dropped EXE
PID:1752 -
\??\c:\xfrlffr.exec:\xfrlffr.exe43⤵
- Executes dropped EXE
PID:728 -
\??\c:\rlrfxxl.exec:\rlrfxxl.exe44⤵
- Executes dropped EXE
PID:1124 -
\??\c:\nhhbbt.exec:\nhhbbt.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\7djjd.exec:\7djjd.exe46⤵
- Executes dropped EXE
PID:4740 -
\??\c:\vppjd.exec:\vppjd.exe47⤵
- Executes dropped EXE
PID:4848 -
\??\c:\7xrrlxr.exec:\7xrrlxr.exe48⤵
- Executes dropped EXE
PID:3620 -
\??\c:\bbbnhh.exec:\bbbnhh.exe49⤵
- Executes dropped EXE
PID:2140 -
\??\c:\bnhbbb.exec:\bnhbbb.exe50⤵
- Executes dropped EXE
PID:4920 -
\??\c:\vjvpp.exec:\vjvpp.exe51⤵
- Executes dropped EXE
PID:996 -
\??\c:\xxrllrf.exec:\xxrllrf.exe52⤵
- Executes dropped EXE
PID:2180 -
\??\c:\btttnt.exec:\btttnt.exe53⤵
- Executes dropped EXE
PID:1872 -
\??\c:\bhbttn.exec:\bhbttn.exe54⤵
- Executes dropped EXE
PID:2228 -
\??\c:\jpjvp.exec:\jpjvp.exe55⤵
- Executes dropped EXE
PID:4796 -
\??\c:\rxffllr.exec:\rxffllr.exe56⤵
- Executes dropped EXE
PID:4756 -
\??\c:\7lrrxxf.exec:\7lrrxxf.exe57⤵
- Executes dropped EXE
PID:5096 -
\??\c:\hbhbtn.exec:\hbhbtn.exe58⤵
- Executes dropped EXE
PID:4348 -
\??\c:\pvpdv.exec:\pvpdv.exe59⤵
- Executes dropped EXE
PID:1800 -
\??\c:\1vjdv.exec:\1vjdv.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4548 -
\??\c:\fflfrrl.exec:\fflfrrl.exe61⤵
- Executes dropped EXE
PID:4208 -
\??\c:\hthbtt.exec:\hthbtt.exe62⤵
- Executes dropped EXE
PID:2408 -
\??\c:\thbnhb.exec:\thbnhb.exe63⤵
- Executes dropped EXE
PID:212 -
\??\c:\jdjjd.exec:\jdjjd.exe64⤵
- Executes dropped EXE
PID:4952 -
\??\c:\flrlrlr.exec:\flrlrlr.exe65⤵
- Executes dropped EXE
PID:3664 -
\??\c:\lflfxfr.exec:\lflfxfr.exe66⤵PID:2992
-
\??\c:\hhttnn.exec:\hhttnn.exe67⤵PID:1524
-
\??\c:\djddv.exec:\djddv.exe68⤵PID:3756
-
\??\c:\5jjdp.exec:\5jjdp.exe69⤵PID:3528
-
\??\c:\fffxrrl.exec:\fffxrrl.exe70⤵PID:652
-
\??\c:\nntntt.exec:\nntntt.exe71⤵PID:4820
-
\??\c:\tttnbb.exec:\tttnbb.exe72⤵PID:3148
-
\??\c:\vvvpj.exec:\vvvpj.exe73⤵PID:216
-
\??\c:\rllffxx.exec:\rllffxx.exe74⤵PID:2688
-
\??\c:\5xlxfxl.exec:\5xlxfxl.exe75⤵
- System Location Discovery: System Language Discovery
PID:2376 -
\??\c:\ntbnht.exec:\ntbnht.exe76⤵PID:4172
-
\??\c:\jpvpd.exec:\jpvpd.exe77⤵PID:2912
-
\??\c:\xrrlffx.exec:\xrrlffx.exe78⤵PID:4924
-
\??\c:\nbbnhh.exec:\nbbnhh.exe79⤵PID:4676
-
\??\c:\nbtnnn.exec:\nbtnnn.exe80⤵PID:3076
-
\??\c:\vppjj.exec:\vppjj.exe81⤵PID:4040
-
\??\c:\hbbtth.exec:\hbbtth.exe82⤵PID:3268
-
\??\c:\9vpjd.exec:\9vpjd.exe83⤵PID:3684
-
\??\c:\pdpdj.exec:\pdpdj.exe84⤵PID:2132
-
\??\c:\xrrllff.exec:\xrrllff.exe85⤵PID:2136
-
\??\c:\3hbthn.exec:\3hbthn.exe86⤵PID:5076
-
\??\c:\1jppp.exec:\1jppp.exe87⤵PID:688
-
\??\c:\1dvpj.exec:\1dvpj.exe88⤵PID:184
-
\??\c:\7lfrfxr.exec:\7lfrfxr.exe89⤵PID:2344
-
\??\c:\bnbtnn.exec:\bnbtnn.exe90⤵PID:1064
-
\??\c:\jjpjp.exec:\jjpjp.exe91⤵PID:3232
-
\??\c:\9xfxfxr.exec:\9xfxfxr.exe92⤵PID:2804
-
\??\c:\ttnnhh.exec:\ttnnhh.exe93⤵PID:1052
-
\??\c:\bbbttt.exec:\bbbttt.exe94⤵PID:5040
-
\??\c:\dpjvp.exec:\dpjvp.exe95⤵PID:4224
-
\??\c:\flffxxx.exec:\flffxxx.exe96⤵PID:4840
-
\??\c:\dvvpj.exec:\dvvpj.exe97⤵PID:4260
-
\??\c:\dvvpj.exec:\dvvpj.exe98⤵
- System Location Discovery: System Language Discovery
PID:1220 -
\??\c:\lrxrllf.exec:\lrxrllf.exe99⤵PID:4392
-
\??\c:\hhhbtn.exec:\hhhbtn.exe100⤵PID:3572
-
\??\c:\vpdvj.exec:\vpdvj.exe101⤵PID:3920
-
\??\c:\xxfxffl.exec:\xxfxffl.exe102⤵PID:1728
-
\??\c:\1rrlfxr.exec:\1rrlfxr.exe103⤵PID:1688
-
\??\c:\1hnhbh.exec:\1hnhbh.exe104⤵PID:3432
-
\??\c:\9vvpj.exec:\9vvpj.exe105⤵PID:4364
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe106⤵PID:1284
-
\??\c:\3bhbbn.exec:\3bhbbn.exe107⤵PID:2228
-
\??\c:\xxlfllr.exec:\xxlfllr.exe108⤵PID:1964
-
\??\c:\lrxxrll.exec:\lrxxrll.exe109⤵PID:5096
-
\??\c:\ttnhbn.exec:\ttnhbn.exe110⤵PID:3896
-
\??\c:\jvvvp.exec:\jvvvp.exe111⤵PID:2252
-
\??\c:\9llfxfx.exec:\9llfxfx.exe112⤵PID:1748
-
\??\c:\bbhbtt.exec:\bbhbtt.exe113⤵PID:5056
-
\??\c:\9vddv.exec:\9vddv.exe114⤵PID:4344
-
\??\c:\lffrlff.exec:\lffrlff.exe115⤵PID:2368
-
\??\c:\bbbbbb.exec:\bbbbbb.exe116⤵PID:3648
-
\??\c:\nnhhhb.exec:\nnhhhb.exe117⤵PID:1660
-
\??\c:\pddvv.exec:\pddvv.exe118⤵PID:1464
-
\??\c:\rxxrlxr.exec:\rxxrlxr.exe119⤵PID:2024
-
\??\c:\vpppv.exec:\vpppv.exe120⤵PID:2560
-
\??\c:\htbbtt.exec:\htbbtt.exe121⤵PID:5064
-
\??\c:\vppjv.exec:\vppjv.exe122⤵PID:1980