Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 20:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6N.exe
-
Size
453KB
-
MD5
ae0c8696e320fcc071dc4fe3e0c0cd00
-
SHA1
c23d284ee60f45744e16b9143e66cdeab0464c41
-
SHA256
98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6
-
SHA512
6317afdfff2565b284670f41f7379a083792e35721d4b4014b43bcb55f053830d363a7242ad167989e7c33cb0d3945fc87d0188853078cb1fa08c95e3029e20d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1384-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4868-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/816-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-1040-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1968 bbhhnh.exe 1720 httnhh.exe 5104 3tbtnb.exe 396 jdpjv.exe 2364 hbbbhh.exe 4400 vjpvj.exe 2308 vpppp.exe 4044 nbhhhh.exe 5088 dvdvp.exe 3976 fxxfrrf.exe 3644 fffxrrr.exe 4808 bhtthh.exe 932 jvvvd.exe 1920 1vpjd.exe 3360 jddvj.exe 3348 fffxrrr.exe 2240 xflllrr.exe 1252 bbbttn.exe 4092 nnnhhb.exe 2144 3xlfxlf.exe 940 rxxxlll.exe 1308 xrfxxxx.exe 2008 xxfxrlf.exe 1276 bbbbtn.exe 3932 pvdvv.exe 1740 xfrllrl.exe 4468 5htnnt.exe 2688 vjvvp.exe 4700 5rrlffx.exe 5036 3tbthn.exe 872 hbbttt.exe 1012 vvjdj.exe 2016 lflfffx.exe 4408 bhttnn.exe 1548 jdpjp.exe 1204 ppdvv.exe 2940 lxffxfx.exe 1800 hthhhb.exe 1488 nhhbbt.exe 1296 vpvpj.exe 732 9flffff.exe 4140 xrlfllr.exe 3688 hbntbb.exe 4868 vdppj.exe 1212 flfxrlf.exe 4308 bttttn.exe 4500 pdvpj.exe 3460 rllfffx.exe 4620 jpvpj.exe 1560 ntnnhh.exe 4028 fxlllrx.exe 4436 bbhtht.exe 4440 dvppv.exe 1372 5jjdj.exe 1968 1rxrrff.exe 1448 xlrrlll.exe 4392 fxfxffx.exe 2276 bhnhhh.exe 384 ppdjj.exe 1948 lfrlrxx.exe 2092 bnnhbb.exe 3596 5vvpj.exe 2096 fxxrllx.exe 2792 nhnhhh.exe -
resource yara_rule behavioral2/memory/1384-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-230-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1800-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-412-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2788-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-806-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1384 wrote to memory of 1968 1384 98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6N.exe 83 PID 1384 wrote to memory of 1968 1384 98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6N.exe 83 PID 1384 wrote to memory of 1968 1384 98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6N.exe 83 PID 1968 wrote to memory of 1720 1968 bbhhnh.exe 84 PID 1968 wrote to memory of 1720 1968 bbhhnh.exe 84 PID 1968 wrote to memory of 1720 1968 bbhhnh.exe 84 PID 1720 wrote to memory of 5104 1720 httnhh.exe 85 PID 1720 wrote to memory of 5104 1720 httnhh.exe 85 PID 1720 wrote to memory of 5104 1720 httnhh.exe 85 PID 5104 wrote to memory of 396 5104 3tbtnb.exe 86 PID 5104 wrote to memory of 396 5104 3tbtnb.exe 86 PID 5104 wrote to memory of 396 5104 3tbtnb.exe 86 PID 396 wrote to memory of 2364 396 jdpjv.exe 87 PID 396 wrote to memory of 2364 396 jdpjv.exe 87 PID 396 wrote to memory of 2364 396 jdpjv.exe 87 PID 2364 wrote to memory of 4400 2364 hbbbhh.exe 88 PID 2364 wrote to memory of 4400 2364 hbbbhh.exe 88 PID 2364 wrote to memory of 4400 2364 hbbbhh.exe 88 PID 4400 wrote to memory of 2308 4400 vjpvj.exe 89 PID 4400 wrote to memory of 2308 4400 vjpvj.exe 89 PID 4400 wrote to memory of 2308 4400 vjpvj.exe 89 PID 2308 wrote to memory of 4044 2308 vpppp.exe 90 PID 2308 wrote to memory of 4044 2308 vpppp.exe 90 PID 2308 wrote to memory of 4044 2308 vpppp.exe 90 PID 4044 wrote to memory of 5088 4044 nbhhhh.exe 91 PID 4044 wrote to memory of 5088 4044 nbhhhh.exe 91 PID 4044 wrote to memory of 5088 4044 nbhhhh.exe 91 PID 5088 wrote to memory of 3976 5088 dvdvp.exe 92 PID 5088 wrote to memory of 3976 5088 dvdvp.exe 92 PID 5088 wrote to memory of 3976 5088 dvdvp.exe 92 PID 3976 wrote to memory of 3644 3976 fxxfrrf.exe 93 PID 3976 wrote to memory of 3644 3976 fxxfrrf.exe 93 PID 3976 wrote to memory of 3644 3976 fxxfrrf.exe 93 PID 3644 wrote to memory of 4808 3644 fffxrrr.exe 94 PID 3644 wrote to memory of 4808 
3644 fffxrrr.exe 94 PID 3644 wrote to memory of 4808 3644 fffxrrr.exe 94 PID 4808 wrote to memory of 932 4808 bhtthh.exe 95 PID 4808 wrote to memory of 932 4808 bhtthh.exe 95 PID 4808 wrote to memory of 932 4808 bhtthh.exe 95 PID 932 wrote to memory of 1920 932 jvvvd.exe 96 PID 932 wrote to memory of 1920 932 jvvvd.exe 96 PID 932 wrote to memory of 1920 932 jvvvd.exe 96 PID 1920 wrote to memory of 3360 1920 1vpjd.exe 97 PID 1920 wrote to memory of 3360 1920 1vpjd.exe 97 PID 1920 wrote to memory of 3360 1920 1vpjd.exe 97 PID 3360 wrote to memory of 3348 3360 jddvj.exe 98 PID 3360 wrote to memory of 3348 3360 jddvj.exe 98 PID 3360 wrote to memory of 3348 3360 jddvj.exe 98 PID 3348 wrote to memory of 2240 3348 fffxrrr.exe 99 PID 3348 wrote to memory of 2240 3348 fffxrrr.exe 99 PID 3348 wrote to memory of 2240 3348 fffxrrr.exe 99 PID 2240 wrote to memory of 1252 2240 xflllrr.exe 100 PID 2240 wrote to memory of 1252 2240 xflllrr.exe 100 PID 2240 wrote to memory of 1252 2240 xflllrr.exe 100 PID 1252 wrote to memory of 4092 1252 bbbttn.exe 101 PID 1252 wrote to memory of 4092 1252 bbbttn.exe 101 PID 1252 wrote to memory of 4092 1252 bbbttn.exe 101 PID 4092 wrote to memory of 2144 4092 nnnhhb.exe 102 PID 4092 wrote to memory of 2144 4092 nnnhhb.exe 102 PID 4092 wrote to memory of 2144 4092 nnnhhb.exe 102 PID 2144 wrote to memory of 940 2144 3xlfxlf.exe 103 PID 2144 wrote to memory of 940 2144 3xlfxlf.exe 103 PID 2144 wrote to memory of 940 2144 3xlfxlf.exe 103 PID 940 wrote to memory of 1308 940 rxxxlll.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6N.exe"C:\Users\Admin\AppData\Local\Temp\98b4a726ec08d483ff06aa31e91a7cef621e5ab3e76ce6023158ef016e0c4be6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\bbhhnh.exec:\bbhhnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\httnhh.exec:\httnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\3tbtnb.exec:\3tbtnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\jdpjv.exec:\jdpjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\hbbbhh.exec:\hbbbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\vjpvj.exec:\vjpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\vpppp.exec:\vpppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\nbhhhh.exec:\nbhhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\dvdvp.exec:\dvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\fxxfrrf.exec:\fxxfrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\fffxrrr.exec:\fffxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\bhtthh.exec:\bhtthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\jvvvd.exec:\jvvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\1vpjd.exec:\1vpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\jddvj.exec:\jddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\fffxrrr.exec:\fffxrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\xflllrr.exec:\xflllrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\bbbttn.exec:\bbbttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\nnnhhb.exec:\nnnhhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\3xlfxlf.exec:\3xlfxlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\rxxxlll.exec:\rxxxlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe23⤵
- Executes dropped EXE
PID:1308 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe24⤵
- Executes dropped EXE
PID:2008 -
\??\c:\bbbbtn.exec:\bbbbtn.exe25⤵
- Executes dropped EXE
PID:1276 -
\??\c:\pvdvv.exec:\pvdvv.exe26⤵
- Executes dropped EXE
PID:3932 -
\??\c:\xfrllrl.exec:\xfrllrl.exe27⤵
- Executes dropped EXE
PID:1740 -
\??\c:\5htnnt.exec:\5htnnt.exe28⤵
- Executes dropped EXE
PID:4468 -
\??\c:\vjvvp.exec:\vjvvp.exe29⤵
- Executes dropped EXE
PID:2688 -
\??\c:\5rrlffx.exec:\5rrlffx.exe30⤵
- Executes dropped EXE
PID:4700 -
\??\c:\3tbthn.exec:\3tbthn.exe31⤵
- Executes dropped EXE
PID:5036 -
\??\c:\hbbttt.exec:\hbbttt.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\vvjdj.exec:\vvjdj.exe33⤵
- Executes dropped EXE
PID:1012 -
\??\c:\lflfffx.exec:\lflfffx.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
\??\c:\bhttnn.exec:\bhttnn.exe35⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jdpjp.exec:\jdpjp.exe36⤵
- Executes dropped EXE
PID:1548 -
\??\c:\ppdvv.exec:\ppdvv.exe37⤵
- Executes dropped EXE
PID:1204 -
\??\c:\lxffxfx.exec:\lxffxfx.exe38⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hthhhb.exec:\hthhhb.exe39⤵
- Executes dropped EXE
PID:1800 -
\??\c:\nhhbbt.exec:\nhhbbt.exe40⤵
- Executes dropped EXE
PID:1488 -
\??\c:\vpvpj.exec:\vpvpj.exe41⤵
- Executes dropped EXE
PID:1296 -
\??\c:\9flffff.exec:\9flffff.exe42⤵
- Executes dropped EXE
PID:732 -
\??\c:\xrlfllr.exec:\xrlfllr.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4140 -
\??\c:\hbntbb.exec:\hbntbb.exe44⤵
- Executes dropped EXE
PID:3688 -
\??\c:\vdppj.exec:\vdppj.exe45⤵
- Executes dropped EXE
PID:4868 -
\??\c:\flfxrlf.exec:\flfxrlf.exe46⤵
- Executes dropped EXE
PID:1212 -
\??\c:\bttttn.exec:\bttttn.exe47⤵
- Executes dropped EXE
PID:4308 -
\??\c:\pdvpj.exec:\pdvpj.exe48⤵
- Executes dropped EXE
PID:4500 -
\??\c:\rllfffx.exec:\rllfffx.exe49⤵
- Executes dropped EXE
PID:3460 -
\??\c:\jpvpj.exec:\jpvpj.exe50⤵
- Executes dropped EXE
PID:4620 -
\??\c:\ntnnhh.exec:\ntnnhh.exe51⤵
- Executes dropped EXE
PID:1560 -
\??\c:\fxlllrx.exec:\fxlllrx.exe52⤵
- Executes dropped EXE
PID:4028 -
\??\c:\bbhtht.exec:\bbhtht.exe53⤵
- Executes dropped EXE
PID:4436 -
\??\c:\dvppv.exec:\dvppv.exe54⤵
- Executes dropped EXE
PID:4440 -
\??\c:\5jjdj.exec:\5jjdj.exe55⤵
- Executes dropped EXE
PID:1372 -
\??\c:\1rxrrff.exec:\1rxrrff.exe56⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xlrrlll.exec:\xlrrlll.exe57⤵
- Executes dropped EXE
PID:1448 -
\??\c:\fxfxffx.exec:\fxfxffx.exe58⤵
- Executes dropped EXE
PID:4392 -
\??\c:\bhnhhh.exec:\bhnhhh.exe59⤵
- Executes dropped EXE
PID:2276 -
\??\c:\ppdjj.exec:\ppdjj.exe60⤵
- Executes dropped EXE
PID:384 -
\??\c:\lfrlrxx.exec:\lfrlrxx.exe61⤵
- Executes dropped EXE
PID:1948 -
\??\c:\bnnhbb.exec:\bnnhbb.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
\??\c:\5vvpj.exec:\5vvpj.exe63⤵
- Executes dropped EXE
PID:3596 -
\??\c:\fxxrllx.exec:\fxxrllx.exe64⤵
- Executes dropped EXE
PID:2096 -
\??\c:\nhnhhh.exec:\nhnhhh.exe65⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nbbbbb.exec:\nbbbbb.exe66⤵PID:4708
-
\??\c:\ddvvv.exec:\ddvvv.exe67⤵PID:4332
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe68⤵PID:3936
-
\??\c:\btttnn.exec:\btttnn.exe69⤵
- System Location Discovery: System Language Discovery
PID:4112 -
\??\c:\dvjdj.exec:\dvjdj.exe70⤵PID:2160
-
\??\c:\7lxxrrr.exec:\7lxxrrr.exe71⤵PID:3328
-
\??\c:\nhnhbb.exec:\nhnhbb.exe72⤵PID:2024
-
\??\c:\9hnntb.exec:\9hnntb.exe73⤵PID:2516
-
\??\c:\dvvvp.exec:\dvvvp.exe74⤵PID:4108
-
\??\c:\3jjdv.exec:\3jjdv.exe75⤵PID:1724
-
\??\c:\xxllxxf.exec:\xxllxxf.exe76⤵PID:3252
-
\??\c:\5vjdv.exec:\5vjdv.exe77⤵PID:1136
-
\??\c:\pjpjj.exec:\pjpjj.exe78⤵PID:3764
-
\??\c:\frxxxxr.exec:\frxxxxr.exe79⤵PID:3928
-
\??\c:\1hntbb.exec:\1hntbb.exe80⤵PID:5012
-
\??\c:\5jjdd.exec:\5jjdd.exe81⤵PID:816
-
\??\c:\jvjdv.exec:\jvjdv.exe82⤵PID:4560
-
\??\c:\fxlllll.exec:\fxlllll.exe83⤵PID:3008
-
\??\c:\bbbtnn.exec:\bbbtnn.exe84⤵PID:2272
-
\??\c:\dpjjj.exec:\dpjjj.exe85⤵PID:752
-
\??\c:\ddvpp.exec:\ddvpp.exe86⤵PID:2888
-
\??\c:\5fxfxxx.exec:\5fxfxxx.exe87⤵PID:2624
-
\??\c:\nhtntt.exec:\nhtntt.exe88⤵PID:2036
-
\??\c:\jdpjd.exec:\jdpjd.exe89⤵PID:1896
-
\??\c:\vvvpj.exec:\vvvpj.exe90⤵PID:2660
-
\??\c:\frxfxlx.exec:\frxfxlx.exe91⤵
- System Location Discovery: System Language Discovery
PID:4956 -
\??\c:\bhtnhh.exec:\bhtnhh.exe92⤵PID:2644
-
\??\c:\jpvpj.exec:\jpvpj.exe93⤵PID:4304
-
\??\c:\5jpjd.exec:\5jpjd.exe94⤵PID:4852
-
\??\c:\fxxrffr.exec:\fxxrffr.exe95⤵PID:1116
-
\??\c:\tnthhb.exec:\tnthhb.exe96⤵PID:4172
-
\??\c:\dvvvv.exec:\dvvvv.exe97⤵PID:684
-
\??\c:\rrxxrrl.exec:\rrxxrrl.exe98⤵PID:3096
-
\??\c:\xrrrlll.exec:\xrrrlll.exe99⤵PID:740
-
\??\c:\bhnbnb.exec:\bhnbnb.exe100⤵PID:1204
-
\??\c:\5pvpj.exec:\5pvpj.exe101⤵PID:4032
-
\??\c:\5rlfffx.exec:\5rlfffx.exe102⤵PID:3948
-
\??\c:\xlxrlff.exec:\xlxrlff.exe103⤵PID:1296
-
\??\c:\9ntnbb.exec:\9ntnbb.exe104⤵PID:1996
-
\??\c:\1jdvp.exec:\1jdvp.exe105⤵PID:3476
-
\??\c:\3llfflf.exec:\3llfflf.exe106⤵PID:4256
-
\??\c:\hbnhbn.exec:\hbnhbn.exe107⤵PID:264
-
\??\c:\hnbttt.exec:\hnbttt.exe108⤵PID:1636
-
\??\c:\vpdvp.exec:\vpdvp.exe109⤵PID:3772
-
\??\c:\lllffff.exec:\lllffff.exe110⤵PID:4020
-
\??\c:\llllfrl.exec:\llllfrl.exe111⤵PID:2444
-
\??\c:\bhtnnh.exec:\bhtnnh.exe112⤵PID:2760
-
\??\c:\jdjdd.exec:\jdjdd.exe113⤵PID:1476
-
\??\c:\dpjdj.exec:\dpjdj.exe114⤵PID:2788
-
\??\c:\fflrllr.exec:\fflrllr.exe115⤵PID:2440
-
\??\c:\1nbtnt.exec:\1nbtnt.exe116⤵PID:3112
-
\??\c:\vpddj.exec:\vpddj.exe117⤵PID:2476
-
\??\c:\rlrrllf.exec:\rlrrllf.exe118⤵PID:532
-
\??\c:\rrrlfxx.exec:\rrrlfxx.exe119⤵PID:4944
-
\??\c:\9hbbtt.exec:\9hbbtt.exe120⤵PID:1248
-
\??\c:\5hhbth.exec:\5hhbth.exe121⤵PID:3504
-
\??\c:\vpppj.exec:\vpppj.exe122⤵PID:1416