Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7.exe
-
Size
456KB
-
MD5
dd45be161226ddc9be6f300487e67102
-
SHA1
ea8d876b47b68a28e49eb2341b933c10305c95be
-
SHA256
98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7
-
SHA512
7f1b9fe04e2d3009bef2b33f0b2cfe9100a29f06b4f8af880fb76a7bc85d646e064d59dabb09ab0641fd242a7494ab5c03523ed1a9403c1e54917b439a5794d9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRE:q7Tc2NYHUrAwfMp3CDRE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1240-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5020-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1124-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-982-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-1049-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-1464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3044-1476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2532 bbbtht.exe 3304 hhnbhh.exe 4864 7nnhhh.exe 4188 frrlffr.exe 3688 tnhbtt.exe 5028 lrrrllf.exe 3580 pdjdv.exe 464 9dvpj.exe 5000 xrrfxxx.exe 4296 5thbth.exe 2636 bntnbt.exe 1608 pvvpj.exe 3852 bhnhhh.exe 2304 3xfxxxr.exe 1708 7hbbtt.exe 3416 vpdvv.exe 4056 rllfxxr.exe 2508 ffrlfxr.exe 2716 rflfxrl.exe 3700 lflfxll.exe 1904 rllfxxr.exe 2808 xlfxxll.exe 3496 djddv.exe 3680 dpvpj.exe 3672 ffxlffx.exe 5020 nbhbtn.exe 4280 rxfxrlf.exe 4120 ddddv.exe 4424 vjpjd.exe 3992 fxxrlfx.exe 3724 vpjpj.exe 2356 xllfffr.exe 964 jdjdp.exe 828 dppjd.exe 2560 bnnthh.exe 1948 hhntbb.exe 4616 ffffllx.exe 428 tnnbtt.exe 4832 9pvpj.exe 3180 1xfxfrl.exe 5108 5hbbtt.exe 4900 pddpj.exe 2712 3ppjd.exe 1404 1frfxfr.exe 3612 bnbtnh.exe 4620 pvjdv.exe 3532 xrrrllf.exe 1148 xllfxrl.exe 2272 nhnbhh.exe 1628 jvddv.exe 312 jdjdv.exe 1216 xllfxlf.exe 2916 3hhbbt.exe 2152 3jjvp.exe 2276 rlrlfff.exe 1696 ttbbtt.exe 2188 ddpjp.exe 212 xxffrlf.exe 4188 ntthbt.exe 408 pvvvp.exe 2672 fxfxlfl.exe 2748 5ttnhn.exe 4008 tnnhhh.exe 4612 vpvpj.exe -
resource yara_rule behavioral2/memory/2532-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4280-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1552-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-697-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ffrlxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1240 wrote to memory of 2532 1240 98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7.exe 82 PID 1240 wrote to memory of 2532 1240 98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7.exe 82 PID 1240 wrote to memory of 2532 1240 98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7.exe 82 PID 2532 wrote to memory of 3304 2532 bbbtht.exe 83 PID 2532 wrote to memory of 3304 2532 bbbtht.exe 83 PID 2532 wrote to memory of 3304 2532 bbbtht.exe 83 PID 3304 wrote to memory of 4864 3304 hhnbhh.exe 84 PID 3304 wrote to memory of 4864 3304 hhnbhh.exe 84 PID 3304 wrote to memory of 4864 3304 hhnbhh.exe 84 PID 4864 wrote to memory of 4188 4864 7nnhhh.exe 85 PID 4864 wrote to memory of 4188 4864 7nnhhh.exe 85 PID 4864 wrote to memory of 4188 4864 7nnhhh.exe 85 PID 4188 wrote to memory of 3688 4188 frrlffr.exe 86 PID 4188 wrote to memory of 3688 4188 frrlffr.exe 86 PID 4188 wrote to memory of 3688 4188 frrlffr.exe 86 PID 3688 wrote to memory of 5028 3688 tnhbtt.exe 87 PID 3688 wrote to memory of 5028 3688 tnhbtt.exe 87 PID 3688 wrote to memory of 5028 3688 tnhbtt.exe 87 PID 5028 wrote to memory of 3580 5028 lrrrllf.exe 88 PID 5028 wrote to memory of 3580 5028 lrrrllf.exe 88 PID 5028 wrote to memory of 3580 5028 lrrrllf.exe 88 PID 3580 wrote to memory of 464 3580 pdjdv.exe 89 PID 3580 wrote to memory of 464 3580 pdjdv.exe 89 PID 3580 wrote to memory of 464 3580 pdjdv.exe 89 PID 464 wrote to memory of 5000 464 9dvpj.exe 90 PID 464 wrote to memory of 5000 464 9dvpj.exe 90 PID 464 wrote to memory of 5000 464 9dvpj.exe 90 PID 5000 wrote to memory of 4296 5000 xrrfxxx.exe 91 PID 5000 wrote to memory of 4296 5000 xrrfxxx.exe 91 PID 5000 wrote to memory of 4296 5000 xrrfxxx.exe 91 PID 4296 wrote to memory of 2636 4296 5thbth.exe 92 PID 4296 wrote to memory of 2636 4296 5thbth.exe 92 PID 4296 wrote to memory of 2636 4296 5thbth.exe 92 PID 2636 wrote to memory of 1608 2636 bntnbt.exe 93 PID 2636 wrote to memory 
of 1608 2636 bntnbt.exe 93 PID 2636 wrote to memory of 1608 2636 bntnbt.exe 93 PID 1608 wrote to memory of 3852 1608 pvvpj.exe 94 PID 1608 wrote to memory of 3852 1608 pvvpj.exe 94 PID 1608 wrote to memory of 3852 1608 pvvpj.exe 94 PID 3852 wrote to memory of 2304 3852 bhnhhh.exe 95 PID 3852 wrote to memory of 2304 3852 bhnhhh.exe 95 PID 3852 wrote to memory of 2304 3852 bhnhhh.exe 95 PID 2304 wrote to memory of 1708 2304 3xfxxxr.exe 96 PID 2304 wrote to memory of 1708 2304 3xfxxxr.exe 96 PID 2304 wrote to memory of 1708 2304 3xfxxxr.exe 96 PID 1708 wrote to memory of 3416 1708 7hbbtt.exe 97 PID 1708 wrote to memory of 3416 1708 7hbbtt.exe 97 PID 1708 wrote to memory of 3416 1708 7hbbtt.exe 97 PID 3416 wrote to memory of 4056 3416 vpdvv.exe 98 PID 3416 wrote to memory of 4056 3416 vpdvv.exe 98 PID 3416 wrote to memory of 4056 3416 vpdvv.exe 98 PID 4056 wrote to memory of 2508 4056 rllfxxr.exe 99 PID 4056 wrote to memory of 2508 4056 rllfxxr.exe 99 PID 4056 wrote to memory of 2508 4056 rllfxxr.exe 99 PID 2508 wrote to memory of 2716 2508 ffrlfxr.exe 100 PID 2508 wrote to memory of 2716 2508 ffrlfxr.exe 100 PID 2508 wrote to memory of 2716 2508 ffrlfxr.exe 100 PID 2716 wrote to memory of 3700 2716 rflfxrl.exe 101 PID 2716 wrote to memory of 3700 2716 rflfxrl.exe 101 PID 2716 wrote to memory of 3700 2716 rflfxrl.exe 101 PID 3700 wrote to memory of 1904 3700 lflfxll.exe 102 PID 3700 wrote to memory of 1904 3700 lflfxll.exe 102 PID 3700 wrote to memory of 1904 3700 lflfxll.exe 102 PID 1904 wrote to memory of 2808 1904 rllfxxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7.exe"C:\Users\Admin\AppData\Local\Temp\98e885c77bfdcbff6c3a471a8a8d63b5b80ecfb3d4aa7d11b484e927c45e98c7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\bbbtht.exec:\bbbtht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\hhnbhh.exec:\hhnbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\7nnhhh.exec:\7nnhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\frrlffr.exec:\frrlffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\tnhbtt.exec:\tnhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\lrrrllf.exec:\lrrrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\pdjdv.exec:\pdjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\9dvpj.exec:\9dvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\xrrfxxx.exec:\xrrfxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\5thbth.exec:\5thbth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\bntnbt.exec:\bntnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\pvvpj.exec:\pvvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\bhnhhh.exec:\bhnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\3xfxxxr.exec:\3xfxxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\7hbbtt.exec:\7hbbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\vpdvv.exec:\vpdvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\rllfxxr.exec:\rllfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\ffrlfxr.exec:\ffrlfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\rflfxrl.exec:\rflfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\lflfxll.exec:\lflfxll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\rllfxxr.exec:\rllfxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\xlfxxll.exec:\xlfxxll.exe23⤵
- Executes dropped EXE
PID:2808 -
\??\c:\djddv.exec:\djddv.exe24⤵
- Executes dropped EXE
PID:3496 -
\??\c:\dpvpj.exec:\dpvpj.exe25⤵
- Executes dropped EXE
PID:3680 -
\??\c:\ffxlffx.exec:\ffxlffx.exe26⤵
- Executes dropped EXE
PID:3672 -
\??\c:\nbhbtn.exec:\nbhbtn.exe27⤵
- Executes dropped EXE
PID:5020 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe28⤵
- Executes dropped EXE
PID:4280 -
\??\c:\ddddv.exec:\ddddv.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4120 -
\??\c:\vjpjd.exec:\vjpjd.exe30⤵
- Executes dropped EXE
PID:4424 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe31⤵
- Executes dropped EXE
PID:3992 -
\??\c:\vpjpj.exec:\vpjpj.exe32⤵
- Executes dropped EXE
PID:3724 -
\??\c:\xllfffr.exec:\xllfffr.exe33⤵
- Executes dropped EXE
PID:2356 -
\??\c:\jdjdp.exec:\jdjdp.exe34⤵
- Executes dropped EXE
PID:964 -
\??\c:\dppjd.exec:\dppjd.exe35⤵
- Executes dropped EXE
PID:828 -
\??\c:\bnnthh.exec:\bnnthh.exe36⤵
- Executes dropped EXE
PID:2560 -
\??\c:\hhntbb.exec:\hhntbb.exe37⤵
- Executes dropped EXE
PID:1948 -
\??\c:\ffffllx.exec:\ffffllx.exe38⤵
- Executes dropped EXE
PID:4616 -
\??\c:\tnnbtt.exec:\tnnbtt.exe39⤵
- Executes dropped EXE
PID:428 -
\??\c:\9pvpj.exec:\9pvpj.exe40⤵
- Executes dropped EXE
PID:4832 -
\??\c:\1xfxfrl.exec:\1xfxfrl.exe41⤵
- Executes dropped EXE
PID:3180 -
\??\c:\5hbbtt.exec:\5hbbtt.exe42⤵
- Executes dropped EXE
PID:5108 -
\??\c:\pddpj.exec:\pddpj.exe43⤵
- Executes dropped EXE
PID:4900 -
\??\c:\3ppjd.exec:\3ppjd.exe44⤵
- Executes dropped EXE
PID:2712 -
\??\c:\1frfxfr.exec:\1frfxfr.exe45⤵
- Executes dropped EXE
PID:1404 -
\??\c:\bnbtnh.exec:\bnbtnh.exe46⤵
- Executes dropped EXE
PID:3612 -
\??\c:\pvjdv.exec:\pvjdv.exe47⤵
- Executes dropped EXE
PID:4620 -
\??\c:\xrrrllf.exec:\xrrrllf.exe48⤵
- Executes dropped EXE
PID:3532 -
\??\c:\xllfxrl.exec:\xllfxrl.exe49⤵
- Executes dropped EXE
PID:1148 -
\??\c:\nhnbhh.exec:\nhnbhh.exe50⤵
- Executes dropped EXE
PID:2272 -
\??\c:\jvddv.exec:\jvddv.exe51⤵
- Executes dropped EXE
PID:1628 -
\??\c:\jdjdv.exec:\jdjdv.exe52⤵
- Executes dropped EXE
PID:312 -
\??\c:\xllfxlf.exec:\xllfxlf.exe53⤵
- Executes dropped EXE
PID:1216 -
\??\c:\3hhbbt.exec:\3hhbbt.exe54⤵
- Executes dropped EXE
PID:2916 -
\??\c:\3jjvp.exec:\3jjvp.exe55⤵
- Executes dropped EXE
PID:2152 -
\??\c:\rlrlfff.exec:\rlrlfff.exe56⤵
- Executes dropped EXE
PID:2276 -
\??\c:\ttbbtt.exec:\ttbbtt.exe57⤵
- Executes dropped EXE
PID:1696 -
\??\c:\ddpjp.exec:\ddpjp.exe58⤵
- Executes dropped EXE
PID:2188 -
\??\c:\xxffrlf.exec:\xxffrlf.exe59⤵
- Executes dropped EXE
PID:212 -
\??\c:\ntthbt.exec:\ntthbt.exe60⤵
- Executes dropped EXE
PID:4188 -
\??\c:\pvvvp.exec:\pvvvp.exe61⤵
- Executes dropped EXE
PID:408 -
\??\c:\fxfxlfl.exec:\fxfxlfl.exe62⤵
- Executes dropped EXE
PID:2672 -
\??\c:\5ttnhn.exec:\5ttnhn.exe63⤵
- Executes dropped EXE
PID:2748 -
\??\c:\tnnhhh.exec:\tnnhhh.exe64⤵
- Executes dropped EXE
PID:4008 -
\??\c:\vpvpj.exec:\vpvpj.exe65⤵
- Executes dropped EXE
PID:4612 -
\??\c:\frxrrrl.exec:\frxrrrl.exe66⤵PID:1124
-
\??\c:\5htntt.exec:\5htntt.exe67⤵PID:1376
-
\??\c:\jjdvj.exec:\jjdvj.exe68⤵PID:2216
-
\??\c:\pddpj.exec:\pddpj.exe69⤵PID:1272
-
\??\c:\rrxxfll.exec:\rrxxfll.exe70⤵PID:1668
-
\??\c:\1thbnh.exec:\1thbnh.exe71⤵PID:1608
-
\??\c:\3pvpd.exec:\3pvpd.exe72⤵PID:3536
-
\??\c:\vjpjv.exec:\vjpjv.exe73⤵PID:2860
-
\??\c:\rllflfx.exec:\rllflfx.exe74⤵PID:2628
-
\??\c:\tnnhbb.exec:\tnnhbb.exe75⤵PID:4668
-
\??\c:\vdpjd.exec:\vdpjd.exe76⤵PID:3416
-
\??\c:\xflfxxr.exec:\xflfxxr.exe77⤵PID:3684
-
\??\c:\5ttttt.exec:\5ttttt.exe78⤵PID:4416
-
\??\c:\vvjjp.exec:\vvjjp.exe79⤵PID:1552
-
\??\c:\9flfxxr.exec:\9flfxxr.exe80⤵PID:4568
-
\??\c:\7nnhbt.exec:\7nnhbt.exe81⤵PID:1652
-
\??\c:\bhtnnn.exec:\bhtnnn.exe82⤵PID:3032
-
\??\c:\3dvpj.exec:\3dvpj.exe83⤵PID:2676
-
\??\c:\7xrlffx.exec:\7xrlffx.exe84⤵PID:4836
-
\??\c:\bhnhbb.exec:\bhnhbb.exe85⤵PID:2208
-
\??\c:\ntnbnb.exec:\ntnbnb.exe86⤵PID:2576
-
\??\c:\vpjpv.exec:\vpjpv.exe87⤵PID:1192
-
\??\c:\xrflrrx.exec:\xrflrrx.exe88⤵PID:2652
-
\??\c:\thnbtn.exec:\thnbtn.exe89⤵PID:3672
-
\??\c:\pdjpd.exec:\pdjpd.exe90⤵PID:852
-
\??\c:\9fxrffx.exec:\9fxrffx.exe91⤵PID:912
-
\??\c:\ntbtnh.exec:\ntbtnh.exe92⤵PID:3048
-
\??\c:\btnhhh.exec:\btnhhh.exe93⤵PID:3080
-
\??\c:\jdjvj.exec:\jdjvj.exe94⤵PID:4180
-
\??\c:\lfxrlrl.exec:\lfxrlrl.exe95⤵PID:1304
-
\??\c:\httnnh.exec:\httnnh.exe96⤵PID:1128
-
\??\c:\ttbbbt.exec:\ttbbbt.exe97⤵PID:3020
-
\??\c:\jjpdv.exec:\jjpdv.exe98⤵PID:5012
-
\??\c:\5rxrllf.exec:\5rxrllf.exe99⤵PID:4080
-
\??\c:\1hbtnh.exec:\1hbtnh.exe100⤵PID:1836
-
\??\c:\bttnhb.exec:\bttnhb.exe101⤵PID:2108
-
\??\c:\pjppp.exec:\pjppp.exe102⤵PID:2024
-
\??\c:\lxrlxxl.exec:\lxrlxxl.exe103⤵PID:1744
-
\??\c:\hbhbtt.exec:\hbhbtt.exe104⤵PID:2488
-
\??\c:\5bhbhn.exec:\5bhbhn.exe105⤵PID:3392
-
\??\c:\pjpjj.exec:\pjpjj.exe106⤵PID:4832
-
\??\c:\rlxrlfl.exec:\rlxrlfl.exe107⤵PID:3180
-
\??\c:\tntntt.exec:\tntntt.exe108⤵PID:1420
-
\??\c:\ntnhnh.exec:\ntnhnh.exe109⤵PID:2428
-
\??\c:\jddpj.exec:\jddpj.exe110⤵PID:4696
-
\??\c:\xlxxrrl.exec:\xlxxrrl.exe111⤵PID:2552
-
\??\c:\hnhhhn.exec:\hnhhhn.exe112⤵PID:4636
-
\??\c:\9hhbbb.exec:\9hhbbb.exe113⤵PID:4724
-
\??\c:\vjvvj.exec:\vjvvj.exe114⤵PID:2940
-
\??\c:\1rxlrxr.exec:\1rxlrxr.exe115⤵PID:5036
-
\??\c:\xxxrfxf.exec:\xxxrfxf.exe116⤵PID:4964
-
\??\c:\hnhbnn.exec:\hnhbnn.exe117⤵PID:444
-
\??\c:\pddvp.exec:\pddvp.exe118⤵PID:772
-
\??\c:\fxfxrrf.exec:\fxfxrrf.exe119⤵PID:4032
-
\??\c:\nbhbbb.exec:\nbhbbb.exe120⤵PID:3396
-
\??\c:\jpvpp.exec:\jpvpp.exe121⤵PID:2916
-
\??\c:\ppjdd.exec:\ppjdd.exe122⤵PID:2532