Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe
-
Size
454KB
-
MD5
965adcc33b520fa9887574931ddab55a
-
SHA1
6d6db2748fd3b694100bca0d64da43cc4050ba4f
-
SHA256
98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c
-
SHA512
57c84c36eb5bb2bfaadc4385250c196eb31d71c3218528e24e2b1d1e7a3c88d1284a62a9d8b7b66b47cecd8e5c49ab7185f3d3a672746d621bb70e2b783e24de
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1wc:q7Tc2NYHUrAwfMp3CD1V
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1724-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3544-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2096-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-1004-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4276-1286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1724 bbttbh.exe 4352 jpvpp.exe 4520 5xfrllx.exe 1960 pdjjp.exe 3080 nhnhnh.exe 4416 dvddd.exe 704 bnhbtt.exe 4884 tnnhbn.exe 3520 lrxxxrr.exe 3604 vpdvp.exe 4932 7nthbb.exe 3376 thhhbn.exe 3204 tnnhbt.exe 60 dpvvv.exe 4296 frxxrrr.exe 2092 lflfxxr.exe 2952 pjvvp.exe 3656 htbtnh.exe 1972 llfxxxr.exe 1436 vpjvp.exe 1668 1rlflfx.exe 3544 bnttnn.exe 656 tnnntt.exe 3196 pppjj.exe 4892 bnttnn.exe 5112 fxlfxxr.exe 464 hnnbth.exe 3884 fffllff.exe 1648 9ttnhb.exe 2260 5ntntt.exe 4848 lflflff.exe 4880 jjjjv.exe 5100 jdvvp.exe 4372 nhhbbn.exe 3288 dvjvd.exe 3436 rlrfflx.exe 2844 bbnnhh.exe 3660 vpjjv.exe 2764 rrxllll.exe 4576 nhnhbh.exe 4860 thbtnt.exe 748 pppjj.exe 4280 rrfxxfx.exe 1732 bhhhbh.exe 1724 1ppjv.exe 4408 llxxfxr.exe 4796 hntbhn.exe 1976 7jjvv.exe 4084 xxxrrrl.exe 3024 httnhb.exe 3192 btbhbh.exe 5012 jpjdv.exe 3340 fxfrxfl.exe 2724 hthbbh.exe 3716 rrrlfff.exe 4844 rlrlflf.exe 1328 htbttt.exe 1112 ppjjd.exe 3604 xxfxrrl.exe 2188 thtbnh.exe 2576 1jjjj.exe 1856 flrfrfx.exe 1004 hhnnnn.exe 2364 pjvvv.exe -
resource yara_rule behavioral2/memory/1724-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3196-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/556-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-672-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 1724 2560 98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe 82 PID 2560 wrote to memory of 1724 2560 98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe 82 PID 2560 wrote to memory of 1724 2560 98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe 82 PID 1724 wrote to memory of 4352 1724 bbttbh.exe 83 PID 1724 wrote to memory of 4352 1724 bbttbh.exe 83 PID 1724 wrote to memory of 4352 1724 bbttbh.exe 83 PID 4352 wrote to memory of 4520 4352 jpvpp.exe 84 PID 4352 wrote to memory of 4520 4352 jpvpp.exe 84 PID 4352 wrote to memory of 4520 4352 jpvpp.exe 84 PID 4520 wrote to memory of 1960 4520 5xfrllx.exe 85 PID 4520 wrote to memory of 1960 4520 5xfrllx.exe 85 PID 4520 wrote to memory of 1960 4520 5xfrllx.exe 85 PID 1960 wrote to memory of 3080 1960 pdjjp.exe 86 PID 1960 wrote to memory of 3080 1960 pdjjp.exe 86 PID 1960 wrote to memory of 3080 1960 pdjjp.exe 86 PID 3080 wrote to memory of 4416 3080 nhnhnh.exe 87 PID 3080 wrote to memory of 4416 3080 nhnhnh.exe 87 PID 3080 wrote to memory of 4416 3080 nhnhnh.exe 87 PID 4416 wrote to memory of 704 4416 dvddd.exe 88 PID 4416 wrote to memory of 704 4416 dvddd.exe 88 PID 4416 wrote to memory of 704 4416 dvddd.exe 88 PID 704 wrote to memory of 4884 704 bnhbtt.exe 89 PID 704 wrote to memory of 4884 704 bnhbtt.exe 89 PID 704 wrote to memory of 4884 704 bnhbtt.exe 89 PID 4884 wrote to memory of 3520 4884 tnnhbn.exe 90 PID 4884 wrote to memory of 3520 4884 tnnhbn.exe 90 PID 4884 wrote to memory of 3520 4884 tnnhbn.exe 90 PID 3520 wrote to memory of 3604 3520 lrxxxrr.exe 91 PID 3520 wrote to memory of 3604 3520 lrxxxrr.exe 91 PID 3520 wrote to memory of 3604 3520 lrxxxrr.exe 91 PID 3604 wrote to memory of 4932 3604 vpdvp.exe 92 PID 3604 wrote to memory of 4932 3604 vpdvp.exe 92 PID 3604 wrote to memory of 4932 3604 vpdvp.exe 92 PID 4932 wrote to memory of 3376 4932 7nthbb.exe 93 PID 4932 wrote to memory of 3376 
4932 7nthbb.exe 93 PID 4932 wrote to memory of 3376 4932 7nthbb.exe 93 PID 3376 wrote to memory of 3204 3376 thhhbn.exe 94 PID 3376 wrote to memory of 3204 3376 thhhbn.exe 94 PID 3376 wrote to memory of 3204 3376 thhhbn.exe 94 PID 3204 wrote to memory of 60 3204 tnnhbt.exe 95 PID 3204 wrote to memory of 60 3204 tnnhbt.exe 95 PID 3204 wrote to memory of 60 3204 tnnhbt.exe 95 PID 60 wrote to memory of 4296 60 dpvvv.exe 96 PID 60 wrote to memory of 4296 60 dpvvv.exe 96 PID 60 wrote to memory of 4296 60 dpvvv.exe 96 PID 4296 wrote to memory of 2092 4296 frxxrrr.exe 97 PID 4296 wrote to memory of 2092 4296 frxxrrr.exe 97 PID 4296 wrote to memory of 2092 4296 frxxrrr.exe 97 PID 2092 wrote to memory of 2952 2092 lflfxxr.exe 98 PID 2092 wrote to memory of 2952 2092 lflfxxr.exe 98 PID 2092 wrote to memory of 2952 2092 lflfxxr.exe 98 PID 2952 wrote to memory of 3656 2952 pjvvp.exe 99 PID 2952 wrote to memory of 3656 2952 pjvvp.exe 99 PID 2952 wrote to memory of 3656 2952 pjvvp.exe 99 PID 3656 wrote to memory of 1972 3656 htbtnh.exe 100 PID 3656 wrote to memory of 1972 3656 htbtnh.exe 100 PID 3656 wrote to memory of 1972 3656 htbtnh.exe 100 PID 1972 wrote to memory of 1436 1972 llfxxxr.exe 101 PID 1972 wrote to memory of 1436 1972 llfxxxr.exe 101 PID 1972 wrote to memory of 1436 1972 llfxxxr.exe 101 PID 1436 wrote to memory of 1668 1436 vpjvp.exe 102 PID 1436 wrote to memory of 1668 1436 vpjvp.exe 102 PID 1436 wrote to memory of 1668 1436 vpjvp.exe 102 PID 1668 wrote to memory of 3544 1668 1rlflfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe"C:\Users\Admin\AppData\Local\Temp\98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\bbttbh.exec:\bbttbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\jpvpp.exec:\jpvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\5xfrllx.exec:\5xfrllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\pdjjp.exec:\pdjjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\nhnhnh.exec:\nhnhnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\dvddd.exec:\dvddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\bnhbtt.exec:\bnhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\tnnhbn.exec:\tnnhbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\lrxxxrr.exec:\lrxxxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\vpdvp.exec:\vpdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\7nthbb.exec:\7nthbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\thhhbn.exec:\thhhbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\tnnhbt.exec:\tnnhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\dpvvv.exec:\dpvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\frxxrrr.exec:\frxxrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\lflfxxr.exec:\lflfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\pjvvp.exec:\pjvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\htbtnh.exec:\htbtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\llfxxxr.exec:\llfxxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\vpjvp.exec:\vpjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\1rlflfx.exec:\1rlflfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\bnttnn.exec:\bnttnn.exe23⤵
- Executes dropped EXE
PID:3544 -
\??\c:\tnnntt.exec:\tnnntt.exe24⤵
- Executes dropped EXE
PID:656 -
\??\c:\pppjj.exec:\pppjj.exe25⤵
- Executes dropped EXE
PID:3196 -
\??\c:\bnttnn.exec:\bnttnn.exe26⤵
- Executes dropped EXE
PID:4892 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe27⤵
- Executes dropped EXE
PID:5112 -
\??\c:\hnnbth.exec:\hnnbth.exe28⤵
- Executes dropped EXE
PID:464 -
\??\c:\fffllff.exec:\fffllff.exe29⤵
- Executes dropped EXE
PID:3884 -
\??\c:\9ttnhb.exec:\9ttnhb.exe30⤵
- Executes dropped EXE
PID:1648 -
\??\c:\5ntntt.exec:\5ntntt.exe31⤵
- Executes dropped EXE
PID:2260 -
\??\c:\lflflff.exec:\lflflff.exe32⤵
- Executes dropped EXE
PID:4848 -
\??\c:\jjjjv.exec:\jjjjv.exe33⤵
- Executes dropped EXE
PID:4880 -
\??\c:\jdvvp.exec:\jdvvp.exe34⤵
- Executes dropped EXE
PID:5100 -
\??\c:\nhhbbn.exec:\nhhbbn.exe35⤵
- Executes dropped EXE
PID:4372 -
\??\c:\dvjvd.exec:\dvjvd.exe36⤵
- Executes dropped EXE
PID:3288 -
\??\c:\rlrfflx.exec:\rlrfflx.exe37⤵
- Executes dropped EXE
PID:3436 -
\??\c:\bbnnhh.exec:\bbnnhh.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\vpjjv.exec:\vpjjv.exe39⤵
- Executes dropped EXE
PID:3660 -
\??\c:\rrxllll.exec:\rrxllll.exe40⤵
- Executes dropped EXE
PID:2764 -
\??\c:\nhnhbh.exec:\nhnhbh.exe41⤵
- Executes dropped EXE
PID:4576 -
\??\c:\thbtnt.exec:\thbtnt.exe42⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pppjj.exec:\pppjj.exe43⤵
- Executes dropped EXE
PID:748 -
\??\c:\rrfxxfx.exec:\rrfxxfx.exe44⤵
- Executes dropped EXE
PID:4280 -
\??\c:\bhhhbh.exec:\bhhhbh.exe45⤵
- Executes dropped EXE
PID:1732 -
\??\c:\1ppjv.exec:\1ppjv.exe46⤵
- Executes dropped EXE
PID:1724 -
\??\c:\llxxfxr.exec:\llxxfxr.exe47⤵
- Executes dropped EXE
PID:4408 -
\??\c:\hntbhn.exec:\hntbhn.exe48⤵
- Executes dropped EXE
PID:4796 -
\??\c:\7jjvv.exec:\7jjvv.exe49⤵
- Executes dropped EXE
PID:1976 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe50⤵
- Executes dropped EXE
PID:4084 -
\??\c:\httnhb.exec:\httnhb.exe51⤵
- Executes dropped EXE
PID:3024 -
\??\c:\btbhbh.exec:\btbhbh.exe52⤵
- Executes dropped EXE
PID:3192 -
\??\c:\jpjdv.exec:\jpjdv.exe53⤵
- Executes dropped EXE
PID:5012 -
\??\c:\fxfrxfl.exec:\fxfrxfl.exe54⤵
- Executes dropped EXE
PID:3340 -
\??\c:\hthbbh.exec:\hthbbh.exe55⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rrrlfff.exec:\rrrlfff.exe56⤵
- Executes dropped EXE
PID:3716 -
\??\c:\rlrlflf.exec:\rlrlflf.exe57⤵
- Executes dropped EXE
PID:4844 -
\??\c:\htbttt.exec:\htbttt.exe58⤵
- Executes dropped EXE
PID:1328 -
\??\c:\ppjjd.exec:\ppjjd.exe59⤵
- Executes dropped EXE
PID:1112 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe60⤵
- Executes dropped EXE
PID:3604 -
\??\c:\thtbnh.exec:\thtbnh.exe61⤵
- Executes dropped EXE
PID:2188 -
\??\c:\1jjjj.exec:\1jjjj.exe62⤵
- Executes dropped EXE
PID:2576 -
\??\c:\flrfrfx.exec:\flrfrfx.exe63⤵
- Executes dropped EXE
PID:1856 -
\??\c:\hhnnnn.exec:\hhnnnn.exe64⤵
- Executes dropped EXE
PID:1004 -
\??\c:\pjvvv.exec:\pjvvv.exe65⤵
- Executes dropped EXE
PID:2364 -
\??\c:\fxrrrrl.exec:\fxrrrrl.exe66⤵PID:4472
-
\??\c:\lllfxxl.exec:\lllfxxl.exe67⤵PID:4740
-
\??\c:\1hbtnt.exec:\1hbtnt.exe68⤵PID:2952
-
\??\c:\vdddd.exec:\vdddd.exe69⤵PID:4036
-
\??\c:\9xxrlff.exec:\9xxrlff.exe70⤵PID:628
-
\??\c:\hbhhbh.exec:\hbhhbh.exe71⤵PID:5088
-
\??\c:\ppvpp.exec:\ppvpp.exe72⤵PID:1676
-
\??\c:\rrxfxlf.exec:\rrxfxlf.exe73⤵
- System Location Discovery: System Language Discovery
PID:2096 -
\??\c:\1fffxff.exec:\1fffxff.exe74⤵PID:4780
-
\??\c:\hthbbb.exec:\hthbbb.exe75⤵PID:3540
-
\??\c:\jdjdv.exec:\jdjdv.exe76⤵PID:3820
-
\??\c:\7rrxllf.exec:\7rrxllf.exe77⤵PID:4092
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe78⤵PID:760
-
\??\c:\tthhnn.exec:\tthhnn.exe79⤵PID:3416
-
\??\c:\dvdpj.exec:\dvdpj.exe80⤵
- System Location Discovery: System Language Discovery
PID:556 -
\??\c:\rxrxxxr.exec:\rxrxxxr.exe81⤵PID:2708
-
\??\c:\hbhhht.exec:\hbhhht.exe82⤵PID:1908
-
\??\c:\jdjjp.exec:\jdjjp.exe83⤵PID:2012
-
\??\c:\fffxrrl.exec:\fffxrrl.exe84⤵PID:3960
-
\??\c:\bttttt.exec:\bttttt.exe85⤵PID:4116
-
\??\c:\1vppj.exec:\1vppj.exe86⤵PID:4224
-
\??\c:\jpjdv.exec:\jpjdv.exe87⤵PID:4812
-
\??\c:\lflfxxl.exec:\lflfxxl.exe88⤵PID:4436
-
\??\c:\tnhbth.exec:\tnhbth.exe89⤵PID:828
-
\??\c:\jvppj.exec:\jvppj.exe90⤵PID:4468
-
\??\c:\3rlffll.exec:\3rlffll.exe91⤵PID:1988
-
\??\c:\nttnhh.exec:\nttnhh.exe92⤵PID:3752
-
\??\c:\vjjvj.exec:\vjjvj.exe93⤵PID:3816
-
\??\c:\xffxrrl.exec:\xffxrrl.exe94⤵PID:2024
-
\??\c:\1bhnhh.exec:\1bhnhh.exe95⤵PID:4496
-
\??\c:\bnbbht.exec:\bnbbht.exe96⤵PID:632
-
\??\c:\pjdpj.exec:\pjdpj.exe97⤵PID:4020
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe98⤵PID:3556
-
\??\c:\xflxxxx.exec:\xflxxxx.exe99⤵PID:5032
-
\??\c:\5hnnht.exec:\5hnnht.exe100⤵PID:4272
-
\??\c:\vdddv.exec:\vdddv.exe101⤵PID:1000
-
\??\c:\fxlrlll.exec:\fxlrlll.exe102⤵PID:4692
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe103⤵PID:4968
-
\??\c:\thhhnt.exec:\thhhnt.exe104⤵PID:4352
-
\??\c:\9pvvp.exec:\9pvvp.exe105⤵PID:4516
-
\??\c:\jvdvv.exec:\jvdvv.exe106⤵PID:4520
-
\??\c:\xxlrrrr.exec:\xxlrrrr.exe107⤵PID:2264
-
\??\c:\vvdvv.exec:\vvdvv.exe108⤵PID:1480
-
\??\c:\vddvv.exec:\vddvv.exe109⤵PID:2144
-
\??\c:\fxllfxr.exec:\fxllfxr.exe110⤵PID:4376
-
\??\c:\tttnnh.exec:\tttnnh.exe111⤵PID:1612
-
\??\c:\vjdjp.exec:\vjdjp.exe112⤵PID:864
-
\??\c:\xlxlffr.exec:\xlxlffr.exe113⤵PID:3916
-
\??\c:\bntnhh.exec:\bntnhh.exe114⤵PID:3780
-
\??\c:\1vpjp.exec:\1vpjp.exe115⤵PID:2304
-
\??\c:\xlrlfrr.exec:\xlrlfrr.exe116⤵PID:2980
-
\??\c:\3lfxxxx.exec:\3lfxxxx.exe117⤵PID:1112
-
\??\c:\hbnhbb.exec:\hbnhbb.exe118⤵PID:2184
-
\??\c:\9pjdd.exec:\9pjdd.exe119⤵PID:4932
-
\??\c:\jdjpp.exec:\jdjpp.exe120⤵PID:452
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe121⤵PID:5008
-
\??\c:\bhtthn.exec:\bhtthn.exe122⤵PID:5052