Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
-
Size
455KB
-
MD5
bcd0f66fa1c1e3f79613b76df340bacc
-
SHA1
707fae71aa8138faa299a140e6962175c7524018
-
SHA256
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31
-
SHA512
dd636eecf5e6047e601d5a981b231916191efd9478789f4bd45a40487780efe85699b47a44589ba1c7b6bef6e5dcda221e878886758e968d4a43d83123db4591
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3228-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4620-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1732-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3580 ffxfxrl.exe 3260 5nhhbt.exe 1032 vdpjp.exe 2544 frrllff.exe 4248 9pvpj.exe 624 rrfxffl.exe 4596 1bhbtb.exe 3396 bbtnhh.exe 2632 vpddj.exe 940 ffrrrrf.exe 1196 rrrllxx.exe 2128 ttttnn.exe 3544 pjvvd.exe 232 1xxxxfx.exe 1732 fflfllr.exe 2284 bhbtnh.exe 2944 7vvdv.exe 4328 pjvpj.exe 1552 rlrlrxr.exe 2592 3tttnn.exe 464 dpvpj.exe 1468 lrrrrll.exe 1308 9rfxrrl.exe 4388 tnttbh.exe 512 dvdpj.exe 3524 jjpjj.exe 3860 jpdvv.exe 2672 llfxxxr.exe 3016 btbttt.exe 2024 dddjj.exe 1352 xfffxrf.exe 868 9bhbbb.exe 380 ntbttb.exe 3252 xrrlffx.exe 4376 7ttnnh.exe 752 nhbnhh.exe 4992 vvvpp.exe 1472 lxrrrrr.exe 368 rllffff.exe 3448 nbnhhb.exe 3968 hhtnnn.exe 1100 dvdvv.exe 2472 frlrfrf.exe 3156 bttnhh.exe 2416 hbttnb.exe 4600 7vppj.exe 4792 dddvv.exe 1676 xfxrrrl.exe 2616 9nhtnn.exe 1596 tbtbth.exe 3240 dvvpp.exe 4300 pvvpj.exe 3036 5xlfxll.exe 4628 1ttnhh.exe 2004 jvdvv.exe 4348 1pvpj.exe 1032 3flxrrl.exe 5056 nhnhnh.exe 2220 hthbbb.exe 2896 pvvpj.exe 1944 dvdjd.exe 696 rlffxxr.exe 2904 7ttnhh.exe 3300 hbhbhh.exe -
resource yara_rule behavioral2/memory/3228-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-298-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4620-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-90-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3396-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-521-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3228 wrote to memory of 3580 3228 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 82 PID 3228 wrote to memory of 3580 3228 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 82 PID 3228 wrote to memory of 3580 3228 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 82 PID 3580 wrote to memory of 3260 3580 ffxfxrl.exe 83 PID 3580 wrote to memory of 3260 3580 ffxfxrl.exe 83 PID 3580 wrote to memory of 3260 3580 ffxfxrl.exe 83 PID 3260 wrote to memory of 1032 3260 5nhhbt.exe 138 PID 3260 wrote to memory of 1032 3260 5nhhbt.exe 138 PID 3260 wrote to memory of 1032 3260 5nhhbt.exe 138 PID 1032 wrote to memory of 2544 1032 vdpjp.exe 85 PID 1032 wrote to memory of 2544 1032 vdpjp.exe 85 PID 1032 wrote to memory of 2544 1032 vdpjp.exe 85 PID 2544 wrote to memory of 4248 2544 frrllff.exe 86 PID 2544 wrote to memory of 4248 2544 frrllff.exe 86 PID 2544 wrote to memory of 4248 2544 frrllff.exe 86 PID 4248 wrote to memory of 624 4248 9pvpj.exe 87 PID 4248 wrote to memory of 624 4248 9pvpj.exe 87 PID 4248 wrote to memory of 624 4248 9pvpj.exe 87 PID 624 wrote to memory of 4596 624 rrfxffl.exe 88 PID 624 wrote to memory of 4596 624 rrfxffl.exe 88 PID 624 wrote to memory of 4596 624 rrfxffl.exe 88 PID 4596 wrote to memory of 3396 4596 1bhbtb.exe 89 PID 4596 wrote to memory of 3396 4596 1bhbtb.exe 89 PID 4596 wrote to memory of 3396 4596 1bhbtb.exe 89 PID 3396 wrote to memory of 2632 3396 bbtnhh.exe 90 PID 3396 wrote to memory of 2632 3396 bbtnhh.exe 90 PID 3396 wrote to memory of 2632 3396 bbtnhh.exe 90 PID 2632 wrote to memory of 940 2632 vpddj.exe 91 PID 2632 wrote to memory of 940 2632 vpddj.exe 91 PID 2632 wrote to memory of 940 2632 vpddj.exe 91 PID 940 wrote to memory of 1196 940 ffrrrrf.exe 92 PID 940 wrote to memory of 1196 940 ffrrrrf.exe 92 PID 940 wrote to memory of 1196 940 ffrrrrf.exe 92 PID 1196 wrote to memory of 2128 1196 rrrllxx.exe 93 PID 1196 wrote to memory of 
2128 1196 rrrllxx.exe 93 PID 1196 wrote to memory of 2128 1196 rrrllxx.exe 93 PID 2128 wrote to memory of 3544 2128 ttttnn.exe 94 PID 2128 wrote to memory of 3544 2128 ttttnn.exe 94 PID 2128 wrote to memory of 3544 2128 ttttnn.exe 94 PID 3544 wrote to memory of 232 3544 pjvvd.exe 95 PID 3544 wrote to memory of 232 3544 pjvvd.exe 95 PID 3544 wrote to memory of 232 3544 pjvvd.exe 95 PID 232 wrote to memory of 1732 232 1xxxxfx.exe 96 PID 232 wrote to memory of 1732 232 1xxxxfx.exe 96 PID 232 wrote to memory of 1732 232 1xxxxfx.exe 96 PID 1732 wrote to memory of 2284 1732 fflfllr.exe 97 PID 1732 wrote to memory of 2284 1732 fflfllr.exe 97 PID 1732 wrote to memory of 2284 1732 fflfllr.exe 97 PID 2284 wrote to memory of 2944 2284 bhbtnh.exe 98 PID 2284 wrote to memory of 2944 2284 bhbtnh.exe 98 PID 2284 wrote to memory of 2944 2284 bhbtnh.exe 98 PID 2944 wrote to memory of 4328 2944 7vvdv.exe 99 PID 2944 wrote to memory of 4328 2944 7vvdv.exe 99 PID 2944 wrote to memory of 4328 2944 7vvdv.exe 99 PID 4328 wrote to memory of 1552 4328 pjvpj.exe 100 PID 4328 wrote to memory of 1552 4328 pjvpj.exe 100 PID 4328 wrote to memory of 1552 4328 pjvpj.exe 100 PID 1552 wrote to memory of 2592 1552 rlrlrxr.exe 101 PID 1552 wrote to memory of 2592 1552 rlrlrxr.exe 101 PID 1552 wrote to memory of 2592 1552 rlrlrxr.exe 101 PID 2592 wrote to memory of 464 2592 3tttnn.exe 102 PID 2592 wrote to memory of 464 2592 3tttnn.exe 102 PID 2592 wrote to memory of 464 2592 3tttnn.exe 102 PID 464 wrote to memory of 1468 464 dpvpj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe"C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\ffxfxrl.exec:\ffxfxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\5nhhbt.exec:\5nhhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\vdpjp.exec:\vdpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\frrllff.exec:\frrllff.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\9pvpj.exec:\9pvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\rrfxffl.exec:\rrfxffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\1bhbtb.exec:\1bhbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\bbtnhh.exec:\bbtnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\vpddj.exec:\vpddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\ffrrrrf.exec:\ffrrrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\rrrllxx.exec:\rrrllxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\ttttnn.exec:\ttttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\pjvvd.exec:\pjvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\1xxxxfx.exec:\1xxxxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\fflfllr.exec:\fflfllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\bhbtnh.exec:\bhbtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\7vvdv.exec:\7vvdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\pjvpj.exec:\pjvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\rlrlrxr.exec:\rlrlrxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\3tttnn.exec:\3tttnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\dpvpj.exec:\dpvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\lrrrrll.exec:\lrrrrll.exe23⤵
- Executes dropped EXE
PID:1468 -
\??\c:\9rfxrrl.exec:\9rfxrrl.exe24⤵
- Executes dropped EXE
PID:1308 -
\??\c:\tnttbh.exec:\tnttbh.exe25⤵
- Executes dropped EXE
PID:4388 -
\??\c:\dvdpj.exec:\dvdpj.exe26⤵
- Executes dropped EXE
PID:512 -
\??\c:\jjpjj.exec:\jjpjj.exe27⤵
- Executes dropped EXE
PID:3524 -
\??\c:\jpdvv.exec:\jpdvv.exe28⤵
- Executes dropped EXE
PID:3860 -
\??\c:\llfxxxr.exec:\llfxxxr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2672 -
\??\c:\btbttt.exec:\btbttt.exe30⤵
- Executes dropped EXE
PID:3016 -
\??\c:\dddjj.exec:\dddjj.exe31⤵
- Executes dropped EXE
PID:2024 -
\??\c:\xfffxrf.exec:\xfffxrf.exe32⤵
- Executes dropped EXE
PID:1352 -
\??\c:\9bhbbb.exec:\9bhbbb.exe33⤵
- Executes dropped EXE
PID:868 -
\??\c:\ntbttb.exec:\ntbttb.exe34⤵
- Executes dropped EXE
PID:380 -
\??\c:\xrrlffx.exec:\xrrlffx.exe35⤵
- Executes dropped EXE
PID:3252 -
\??\c:\7ttnnh.exec:\7ttnnh.exe36⤵
- Executes dropped EXE
PID:4376 -
\??\c:\nhbnhh.exec:\nhbnhh.exe37⤵
- Executes dropped EXE
PID:752 -
\??\c:\vvvpp.exec:\vvvpp.exe38⤵
- Executes dropped EXE
PID:4992 -
\??\c:\lxrrrrr.exec:\lxrrrrr.exe39⤵
- Executes dropped EXE
PID:1472 -
\??\c:\rllffff.exec:\rllffff.exe40⤵
- Executes dropped EXE
PID:368 -
\??\c:\nbnhhb.exec:\nbnhhb.exe41⤵
- Executes dropped EXE
PID:3448 -
\??\c:\hhtnnn.exec:\hhtnnn.exe42⤵
- Executes dropped EXE
PID:3968 -
\??\c:\dvdvv.exec:\dvdvv.exe43⤵
- Executes dropped EXE
PID:1100 -
\??\c:\frlrfrf.exec:\frlrfrf.exe44⤵
- Executes dropped EXE
PID:2472 -
\??\c:\bttnhh.exec:\bttnhh.exe45⤵
- Executes dropped EXE
PID:3156 -
\??\c:\hbttnb.exec:\hbttnb.exe46⤵
- Executes dropped EXE
PID:2416 -
\??\c:\7vppj.exec:\7vppj.exe47⤵
- Executes dropped EXE
PID:4600 -
\??\c:\dddvv.exec:\dddvv.exe48⤵
- Executes dropped EXE
PID:4792 -
\??\c:\xfxrrrl.exec:\xfxrrrl.exe49⤵
- Executes dropped EXE
PID:1676 -
\??\c:\9nhtnn.exec:\9nhtnn.exe50⤵
- Executes dropped EXE
PID:2616 -
\??\c:\tbtbth.exec:\tbtbth.exe51⤵
- Executes dropped EXE
PID:1596 -
\??\c:\dvvpp.exec:\dvvpp.exe52⤵
- Executes dropped EXE
PID:3240 -
\??\c:\pvvpj.exec:\pvvpj.exe53⤵
- Executes dropped EXE
PID:4300 -
\??\c:\5xlfxll.exec:\5xlfxll.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\1ttnhh.exec:\1ttnhh.exe55⤵
- Executes dropped EXE
PID:4628 -
\??\c:\jvdvv.exec:\jvdvv.exe56⤵
- Executes dropped EXE
PID:2004 -
\??\c:\1pvpj.exec:\1pvpj.exe57⤵
- Executes dropped EXE
PID:4348 -
\??\c:\3flxrrl.exec:\3flxrrl.exe58⤵
- Executes dropped EXE
PID:1032 -
\??\c:\nhnhnh.exec:\nhnhnh.exe59⤵
- Executes dropped EXE
PID:5056 -
\??\c:\hthbbb.exec:\hthbbb.exe60⤵
- Executes dropped EXE
PID:2220 -
\??\c:\pvvpj.exec:\pvvpj.exe61⤵
- Executes dropped EXE
PID:2896 -
\??\c:\dvdjd.exec:\dvdjd.exe62⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rlffxxr.exec:\rlffxxr.exe63⤵
- Executes dropped EXE
PID:696 -
\??\c:\7ttnhh.exec:\7ttnhh.exe64⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hbhbhh.exec:\hbhbhh.exe65⤵
- Executes dropped EXE
PID:3300 -
\??\c:\jvdvp.exec:\jvdvp.exe66⤵PID:3600
-
\??\c:\vjpdv.exec:\vjpdv.exe67⤵PID:4620
-
\??\c:\rrlfrxr.exec:\rrlfrxr.exe68⤵PID:2640
-
\??\c:\xlllfff.exec:\xlllfff.exe69⤵PID:2768
-
\??\c:\5btnhh.exec:\5btnhh.exe70⤵PID:1688
-
\??\c:\hnttnn.exec:\hnttnn.exe71⤵PID:3544
-
\??\c:\vdpdv.exec:\vdpdv.exe72⤵PID:2892
-
\??\c:\7lllxlf.exec:\7lllxlf.exe73⤵PID:4456
-
\??\c:\rrrfxrl.exec:\rrrfxrl.exe74⤵PID:112
-
\??\c:\nbbbtt.exec:\nbbbtt.exe75⤵PID:1616
-
\??\c:\1jddv.exec:\1jddv.exe76⤵PID:4532
-
\??\c:\vpvpp.exec:\vpvpp.exe77⤵PID:1040
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe78⤵PID:4672
-
\??\c:\rrrlffx.exec:\rrrlffx.exe79⤵PID:3836
-
\??\c:\3hnhbh.exec:\3hnhbh.exe80⤵PID:4772
-
\??\c:\ddpjj.exec:\ddpjj.exe81⤵PID:464
-
\??\c:\vjppj.exec:\vjppj.exe82⤵PID:2268
-
\??\c:\xrrlfff.exec:\xrrlfff.exe83⤵PID:4856
-
\??\c:\hbbtnn.exec:\hbbtnn.exe84⤵PID:3920
-
\??\c:\rlfrllf.exec:\rlfrllf.exe85⤵PID:1828
-
\??\c:\ddpdv.exec:\ddpdv.exe86⤵PID:432
-
\??\c:\tttnbb.exec:\tttnbb.exe87⤵PID:2908
-
\??\c:\7bhhnn.exec:\7bhhnn.exe88⤵PID:3088
-
\??\c:\9rllfff.exec:\9rllfff.exe89⤵PID:3536
-
\??\c:\tttntn.exec:\tttntn.exe90⤵PID:2816
-
\??\c:\pjpdj.exec:\pjpdj.exe91⤵PID:2596
-
\??\c:\ttbbnh.exec:\ttbbnh.exe92⤵PID:3912
-
\??\c:\jdpvj.exec:\jdpvj.exe93⤵PID:4284
-
\??\c:\ffxxrll.exec:\ffxxrll.exe94⤵PID:4464
-
\??\c:\rxxxxxr.exec:\rxxxxxr.exe95⤵PID:1500
-
\??\c:\7xrxrlf.exec:\7xrxrlf.exe96⤵PID:2744
-
\??\c:\btbbhh.exec:\btbbhh.exe97⤵PID:868
-
\??\c:\9jvjv.exec:\9jvjv.exe98⤵PID:3496
-
\??\c:\lrrlxxf.exec:\lrrlxxf.exe99⤵PID:5096
-
\??\c:\bhnntt.exec:\bhnntt.exe100⤵PID:4376
-
\??\c:\7bhbbb.exec:\7bhbbb.exe101⤵PID:1012
-
\??\c:\ddjpj.exec:\ddjpj.exe102⤵PID:1152
-
\??\c:\fxlfxxf.exec:\fxlfxxf.exe103⤵PID:3972
-
\??\c:\9ttttt.exec:\9ttttt.exe104⤵PID:2740
-
\??\c:\dpdjd.exec:\dpdjd.exe105⤵PID:3752
-
\??\c:\lffxxrr.exec:\lffxxrr.exe106⤵PID:3076
-
\??\c:\rxlfffl.exec:\rxlfffl.exe107⤵PID:3244
-
\??\c:\bttnnt.exec:\bttnnt.exe108⤵PID:4936
-
\??\c:\pvjjj.exec:\pvjjj.exe109⤵PID:3464
-
\??\c:\lrlffff.exec:\lrlffff.exe110⤵PID:3248
-
\??\c:\hnnthb.exec:\hnnthb.exe111⤵PID:4800
-
\??\c:\jvpdv.exec:\jvpdv.exe112⤵PID:1476
-
\??\c:\3fffxll.exec:\3fffxll.exe113⤵PID:3592
-
\??\c:\bhbtnh.exec:\bhbtnh.exe114⤵PID:4792
-
\??\c:\bhtnnn.exec:\bhtnnn.exe115⤵PID:1676
-
\??\c:\vppjv.exec:\vppjv.exe116⤵PID:4172
-
\??\c:\fxffxxr.exec:\fxffxxr.exe117⤵PID:4296
-
\??\c:\bbbttt.exec:\bbbttt.exe118⤵PID:4932
-
\??\c:\9vjdv.exec:\9vjdv.exe119⤵PID:3400
-
\??\c:\lxlxfxr.exec:\lxlxfxr.exe120⤵PID:3908
-
\??\c:\nbhnnn.exec:\nbhnnn.exe121⤵PID:532
-
\??\c:\vvppj.exec:\vvppj.exe122⤵PID:4592