Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe
-
Size
454KB
-
MD5
e1ec185ebf4ca0fc093c485aad0db828
-
SHA1
90dcf7c45ea9d563955a84b5239a44fb9e055cd7
-
SHA256
98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2
-
SHA512
be0160ead2fa54ef5e9a56a20a6ea4810528db2a4e9f63de7c03ebb88e1ab9f5851479acffcc7cdfa8b9b38ac3bc66ef79eda4250ca60369c930af3c51f50dfd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4016-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3144-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-911-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2696-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-1667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-1696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4284 jpvjv.exe 5048 xxxrfrf.exe 4060 tbthth.exe 4532 hhhthb.exe 4056 vdjvd.exe 2968 rffrfxl.exe 1628 frrlrlx.exe 4276 hhnbnb.exe 3432 pjjvp.exe 3144 xlfrfrl.exe 4580 bhhtbt.exe 2712 htnntt.exe 5032 jddpv.exe 464 frrflff.exe 1340 1ththb.exe 3964 htbhht.exe 3100 vjjvd.exe 536 frfrfxl.exe 1580 flrfrfx.exe 1456 thhnbn.exe 3904 vvpdp.exe 5108 ppdpd.exe 3984 lxfrrfl.exe 3216 nbhtth.exe 4568 dvvpv.exe 3296 pjjvd.exe 2648 xlrflxf.exe 3772 bnnbnh.exe 5024 nbbhbn.exe 3624 pjvjv.exe 2672 1lxrxrx.exe 2696 frrlxrl.exe 1228 bbtnhh.exe 772 pvvjd.exe 3576 dddpd.exe 1596 lfflxlx.exe 4452 thbnbb.exe 4520 pdvjv.exe 3388 fxrxlxl.exe 2684 lxfxrll.exe 4404 nhbnbt.exe 4036 vppjj.exe 2136 3xlrfrl.exe 1404 nbnhbt.exe 3312 jdvvj.exe 2020 1pvjv.exe 880 7rxrlll.exe 4068 hhhhbn.exe 1744 hthtnb.exe 1508 vdjdv.exe 4360 fxfxflf.exe 848 lxrlxfx.exe 1996 7bhbtn.exe 4968 pvddd.exe 4600 jjvjd.exe 4532 xxxlxxl.exe 100 rlrxrrl.exe 2968 7bbnbn.exe 1280 ddjdv.exe 1664 pjddp.exe 3432 3xlxfxf.exe 4712 btnnth.exe 2324 vdvvv.exe 3892 lflxrll.exe -
resource yara_rule behavioral2/memory/4016-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-678-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1956-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3296-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-1558-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4016 wrote to memory of 4284 4016 98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe 83 PID 4016 wrote to memory of 4284 4016 98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe 83 PID 4016 wrote to memory of 4284 4016 98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe 83 PID 4284 wrote to memory of 5048 4284 jpvjv.exe 84 PID 4284 wrote to memory of 5048 4284 jpvjv.exe 84 PID 4284 wrote to memory of 5048 4284 jpvjv.exe 84 PID 5048 wrote to memory of 4060 5048 xxxrfrf.exe 85 PID 5048 wrote to memory of 4060 5048 xxxrfrf.exe 85 PID 5048 wrote to memory of 4060 5048 xxxrfrf.exe 85 PID 4060 wrote to memory of 4532 4060 tbthth.exe 86 PID 4060 wrote to memory of 4532 4060 tbthth.exe 86 PID 4060 wrote to memory of 4532 4060 tbthth.exe 86 PID 4532 wrote to memory of 4056 4532 hhhthb.exe 87 PID 4532 wrote to memory of 4056 4532 hhhthb.exe 87 PID 4532 wrote to memory of 4056 4532 hhhthb.exe 87 PID 4056 wrote to memory of 2968 4056 vdjvd.exe 88 PID 4056 wrote to memory of 2968 4056 vdjvd.exe 88 PID 4056 wrote to memory of 2968 4056 vdjvd.exe 88 PID 2968 wrote to memory of 1628 2968 rffrfxl.exe 89 PID 2968 wrote to memory of 1628 2968 rffrfxl.exe 89 PID 2968 wrote to memory of 1628 2968 rffrfxl.exe 89 PID 1628 wrote to memory of 4276 1628 frrlrlx.exe 90 PID 1628 wrote to memory of 4276 1628 frrlrlx.exe 90 PID 1628 wrote to memory of 4276 1628 frrlrlx.exe 90 PID 4276 wrote to memory of 3432 4276 hhnbnb.exe 91 PID 4276 wrote to memory of 3432 4276 hhnbnb.exe 91 PID 4276 wrote to memory of 3432 4276 hhnbnb.exe 91 PID 3432 wrote to memory of 3144 3432 pjjvp.exe 92 PID 3432 wrote to memory of 3144 3432 pjjvp.exe 92 PID 3432 wrote to memory of 3144 3432 pjjvp.exe 92 PID 3144 wrote to memory of 4580 3144 xlfrfrl.exe 93 PID 3144 wrote to memory of 4580 3144 xlfrfrl.exe 93 PID 3144 wrote to memory of 4580 3144 xlfrfrl.exe 93 PID 4580 wrote to memory of 2712 4580 bhhtbt.exe 94 PID 4580 wrote 
to memory of 2712 4580 bhhtbt.exe 94 PID 4580 wrote to memory of 2712 4580 bhhtbt.exe 94 PID 2712 wrote to memory of 5032 2712 htnntt.exe 95 PID 2712 wrote to memory of 5032 2712 htnntt.exe 95 PID 2712 wrote to memory of 5032 2712 htnntt.exe 95 PID 5032 wrote to memory of 464 5032 jddpv.exe 96 PID 5032 wrote to memory of 464 5032 jddpv.exe 96 PID 5032 wrote to memory of 464 5032 jddpv.exe 96 PID 464 wrote to memory of 1340 464 frrflff.exe 97 PID 464 wrote to memory of 1340 464 frrflff.exe 97 PID 464 wrote to memory of 1340 464 frrflff.exe 97 PID 1340 wrote to memory of 3964 1340 1ththb.exe 98 PID 1340 wrote to memory of 3964 1340 1ththb.exe 98 PID 1340 wrote to memory of 3964 1340 1ththb.exe 98 PID 3964 wrote to memory of 3100 3964 htbhht.exe 99 PID 3964 wrote to memory of 3100 3964 htbhht.exe 99 PID 3964 wrote to memory of 3100 3964 htbhht.exe 99 PID 3100 wrote to memory of 536 3100 vjjvd.exe 100 PID 3100 wrote to memory of 536 3100 vjjvd.exe 100 PID 3100 wrote to memory of 536 3100 vjjvd.exe 100 PID 536 wrote to memory of 1580 536 frfrfxl.exe 101 PID 536 wrote to memory of 1580 536 frfrfxl.exe 101 PID 536 wrote to memory of 1580 536 frfrfxl.exe 101 PID 1580 wrote to memory of 1456 1580 flrfrfx.exe 102 PID 1580 wrote to memory of 1456 1580 flrfrfx.exe 102 PID 1580 wrote to memory of 1456 1580 flrfrfx.exe 102 PID 1456 wrote to memory of 3904 1456 thhnbn.exe 103 PID 1456 wrote to memory of 3904 1456 thhnbn.exe 103 PID 1456 wrote to memory of 3904 1456 thhnbn.exe 103 PID 3904 wrote to memory of 5108 3904 vvpdp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe"C:\Users\Admin\AppData\Local\Temp\98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\jpvjv.exec:\jpvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\xxxrfrf.exec:\xxxrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\tbthth.exec:\tbthth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\hhhthb.exec:\hhhthb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\vdjvd.exec:\vdjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\rffrfxl.exec:\rffrfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\frrlrlx.exec:\frrlrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\hhnbnb.exec:\hhnbnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\pjjvp.exec:\pjjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\xlfrfrl.exec:\xlfrfrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\bhhtbt.exec:\bhhtbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\htnntt.exec:\htnntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\jddpv.exec:\jddpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\frrflff.exec:\frrflff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\1ththb.exec:\1ththb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\htbhht.exec:\htbhht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\vjjvd.exec:\vjjvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\frfrfxl.exec:\frfrfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\flrfrfx.exec:\flrfrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\thhnbn.exec:\thhnbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\vvpdp.exec:\vvpdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\ppdpd.exec:\ppdpd.exe23⤵
- Executes dropped EXE
PID:5108 -
\??\c:\lxfrrfl.exec:\lxfrrfl.exe24⤵
- Executes dropped EXE
PID:3984 -
\??\c:\nbhtth.exec:\nbhtth.exe25⤵
- Executes dropped EXE
PID:3216 -
\??\c:\dvvpv.exec:\dvvpv.exe26⤵
- Executes dropped EXE
PID:4568 -
\??\c:\pjjvd.exec:\pjjvd.exe27⤵
- Executes dropped EXE
PID:3296 -
\??\c:\xlrflxf.exec:\xlrflxf.exe28⤵
- Executes dropped EXE
PID:2648 -
\??\c:\bnnbnh.exec:\bnnbnh.exe29⤵
- Executes dropped EXE
PID:3772 -
\??\c:\nbbhbn.exec:\nbbhbn.exe30⤵
- Executes dropped EXE
PID:5024 -
\??\c:\pjvjv.exec:\pjvjv.exe31⤵
- Executes dropped EXE
PID:3624 -
\??\c:\1lxrxrx.exec:\1lxrxrx.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2672 -
\??\c:\frrlxrl.exec:\frrlxrl.exe33⤵
- Executes dropped EXE
PID:2696 -
\??\c:\bbtnhh.exec:\bbtnhh.exe34⤵
- Executes dropped EXE
PID:1228 -
\??\c:\pvvjd.exec:\pvvjd.exe35⤵
- Executes dropped EXE
PID:772 -
\??\c:\dddpd.exec:\dddpd.exe36⤵
- Executes dropped EXE
PID:3576 -
\??\c:\lfflxlx.exec:\lfflxlx.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\thbnbb.exec:\thbnbb.exe38⤵
- Executes dropped EXE
PID:4452 -
\??\c:\pdvjv.exec:\pdvjv.exe39⤵
- Executes dropped EXE
PID:4520 -
\??\c:\fxrxlxl.exec:\fxrxlxl.exe40⤵
- Executes dropped EXE
PID:3388 -
\??\c:\lxfxrll.exec:\lxfxrll.exe41⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nhbnbt.exec:\nhbnbt.exe42⤵
- Executes dropped EXE
PID:4404 -
\??\c:\vppjj.exec:\vppjj.exe43⤵
- Executes dropped EXE
PID:4036 -
\??\c:\3xlrfrl.exec:\3xlrfrl.exe44⤵
- Executes dropped EXE
PID:2136 -
\??\c:\nbnhbt.exec:\nbnhbt.exe45⤵
- Executes dropped EXE
PID:1404 -
\??\c:\jdvvj.exec:\jdvvj.exe46⤵
- Executes dropped EXE
PID:3312 -
\??\c:\1pvjv.exec:\1pvjv.exe47⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7rxrlll.exec:\7rxrlll.exe48⤵
- Executes dropped EXE
PID:880 -
\??\c:\hhhhbn.exec:\hhhhbn.exe49⤵
- Executes dropped EXE
PID:4068 -
\??\c:\hthtnb.exec:\hthtnb.exe50⤵
- Executes dropped EXE
PID:1744 -
\??\c:\vdjdv.exec:\vdjdv.exe51⤵
- Executes dropped EXE
PID:1508 -
\??\c:\fxfxflf.exec:\fxfxflf.exe52⤵
- Executes dropped EXE
PID:4360 -
\??\c:\lxrlxfx.exec:\lxrlxfx.exe53⤵
- Executes dropped EXE
PID:848 -
\??\c:\7bhbtn.exec:\7bhbtn.exe54⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pvddd.exec:\pvddd.exe55⤵
- Executes dropped EXE
PID:4968 -
\??\c:\jjvjd.exec:\jjvjd.exe56⤵
- Executes dropped EXE
PID:4600 -
\??\c:\xxxlxxl.exec:\xxxlxxl.exe57⤵
- Executes dropped EXE
PID:4532 -
\??\c:\rlrxrrl.exec:\rlrxrrl.exe58⤵
- Executes dropped EXE
PID:100 -
\??\c:\7bbnbn.exec:\7bbnbn.exe59⤵
- Executes dropped EXE
PID:2968 -
\??\c:\ddjdv.exec:\ddjdv.exe60⤵
- Executes dropped EXE
PID:1280 -
\??\c:\pjddp.exec:\pjddp.exe61⤵
- Executes dropped EXE
PID:1664 -
\??\c:\3xlxfxf.exec:\3xlxfxf.exe62⤵
- Executes dropped EXE
PID:3432 -
\??\c:\btnnth.exec:\btnnth.exe63⤵
- Executes dropped EXE
PID:4712 -
\??\c:\vdvvv.exec:\vdvvv.exe64⤵
- Executes dropped EXE
PID:2324 -
\??\c:\lflxrll.exec:\lflxrll.exe65⤵
- Executes dropped EXE
PID:3892 -
\??\c:\3lrrllf.exec:\3lrrllf.exe66⤵PID:2588
-
\??\c:\7nnhnn.exec:\7nnhnn.exe67⤵PID:3988
-
\??\c:\3jvjp.exec:\3jvjp.exe68⤵PID:1204
-
\??\c:\9fxrffx.exec:\9fxrffx.exe69⤵PID:1852
-
\??\c:\fxrlrll.exec:\fxrlrll.exe70⤵PID:3964
-
\??\c:\ntbnnb.exec:\ntbnnb.exe71⤵PID:5008
-
\??\c:\hbthbh.exec:\hbthbh.exe72⤵PID:1764
-
\??\c:\jppjv.exec:\jppjv.exe73⤵PID:528
-
\??\c:\jjvpv.exec:\jjvpv.exe74⤵
- System Location Discovery: System Language Discovery
PID:2412 -
\??\c:\frlfrlf.exec:\frlfrlf.exe75⤵PID:2272
-
\??\c:\vddvp.exec:\vddvp.exe76⤵PID:1556
-
\??\c:\7pjvj.exec:\7pjvj.exe77⤵PID:4892
-
\??\c:\5fxllfx.exec:\5fxllfx.exe78⤵PID:5016
-
\??\c:\lllffxx.exec:\lllffxx.exe79⤵PID:3216
-
\??\c:\9hhtht.exec:\9hhtht.exe80⤵PID:4268
-
\??\c:\hnbnbn.exec:\hnbnbn.exe81⤵PID:3296
-
\??\c:\ppjvp.exec:\ppjvp.exe82⤵PID:1084
-
\??\c:\vpddd.exec:\vpddd.exe83⤵PID:4824
-
\??\c:\rrrffff.exec:\rrrffff.exe84⤵PID:3772
-
\??\c:\nthbtt.exec:\nthbtt.exe85⤵PID:5024
-
\??\c:\dvppv.exec:\dvppv.exe86⤵PID:3612
-
\??\c:\jppjd.exec:\jppjd.exe87⤵PID:4364
-
\??\c:\5frlllr.exec:\5frlllr.exe88⤵PID:4796
-
\??\c:\htbnnb.exec:\htbnnb.exe89⤵PID:3852
-
\??\c:\tttnbt.exec:\tttnbt.exe90⤵PID:368
-
\??\c:\djjvd.exec:\djjvd.exe91⤵PID:1784
-
\??\c:\fxxlrfx.exec:\fxxlrfx.exe92⤵PID:2220
-
\??\c:\9flxxrl.exec:\9flxxrl.exe93⤵PID:3776
-
\??\c:\bttbnb.exec:\bttbnb.exe94⤵PID:4248
-
\??\c:\jpdpj.exec:\jpdpj.exe95⤵PID:3112
-
\??\c:\vdjjd.exec:\vdjjd.exe96⤵PID:4708
-
\??\c:\rlrfxll.exec:\rlrfxll.exe97⤵PID:540
-
\??\c:\1ththb.exec:\1ththb.exe98⤵PID:1000
-
\??\c:\bnntht.exec:\bnntht.exe99⤵PID:3648
-
\??\c:\7pvvp.exec:\7pvvp.exe100⤵PID:3236
-
\??\c:\dpdvj.exec:\dpdvj.exe101⤵PID:2012
-
\??\c:\llrlffx.exec:\llrlffx.exe102⤵PID:4636
-
\??\c:\tbbtht.exec:\tbbtht.exe103⤵PID:3104
-
\??\c:\djjdd.exec:\djjdd.exe104⤵PID:3312
-
\??\c:\vddvj.exec:\vddvj.exe105⤵PID:1168
-
\??\c:\rflfxrl.exec:\rflfxrl.exe106⤵PID:3024
-
\??\c:\1bbttt.exec:\1bbttt.exe107⤵PID:4836
-
\??\c:\3tbbnt.exec:\3tbbnt.exe108⤵PID:5076
-
\??\c:\9dvjj.exec:\9dvjj.exe109⤵PID:4372
-
\??\c:\pjdpv.exec:\pjdpv.exe110⤵PID:1508
-
\??\c:\9rrlrrl.exec:\9rrlrrl.exe111⤵PID:4360
-
\??\c:\htnbtn.exec:\htnbtn.exe112⤵PID:848
-
\??\c:\hbhbbb.exec:\hbhbbb.exe113⤵PID:4020
-
\??\c:\9vpdp.exec:\9vpdp.exe114⤵PID:4060
-
\??\c:\lfxrflf.exec:\lfxrflf.exe115⤵PID:3248
-
\??\c:\lrrlxrf.exec:\lrrlxrf.exe116⤵PID:2920
-
\??\c:\hbnbnb.exec:\hbnbnb.exe117⤵PID:3288
-
\??\c:\thhbhh.exec:\thhbhh.exe118⤵PID:3764
-
\??\c:\pjpjd.exec:\pjpjd.exe119⤵PID:3564
-
\??\c:\3ffxxxf.exec:\3ffxxxf.exe120⤵PID:4840
-
\??\c:\llrrrlr.exec:\llrrrlr.exe121⤵PID:3080
-
\??\c:\tnbnhn.exec:\tnbnhn.exe122⤵PID:1188