Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
19-12-2024 20:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7cN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7cN.exe
-
Size
453KB
-
MD5
158dcbfc6c9d9db047e1397ffb2c5860
-
SHA1
2900eef7504a2e065290e3fd4223fedfa1498307
-
SHA256
10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7c
-
SHA512
c57ffa5bafe1f1e4380766c3ade8a43d95a38681abc39d75d17a0bfa782e1a26da50a5253d4601ee19c0e67f36637cac6165dc3d544de393a5aa1b4e1b2b7c08
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/716-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4080-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4216-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-968-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-1131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-1219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-1492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4804-1643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1888 btnnnn.exe 2796 ffffffr.exe 712 bthbnb.exe 2136 dvvvd.exe 3944 llxrlff.exe 3232 hhbbbb.exe 3656 7hhbtb.exe 748 pppjd.exe 232 fffffll.exe 3136 bnbtnh.exe 2776 vpjjj.exe 3752 rxxxxxx.exe 1968 xflrrxx.exe 4032 pdppp.exe 3968 lffxxxr.exe 3132 pvvjd.exe 3392 rrxllrl.exe 3356 5ttttt.exe 876 5jppp.exe 3580 fxxxxff.exe 208 htnhbn.exe 740 bbhbtn.exe 2984 xrfxrxr.exe 2780 3pddj.exe 4080 pvjjd.exe 1584 xxffrxx.exe 5072 htnntt.exe 1832 nnbbtt.exe 1040 vdjvd.exe 3020 xrrrrrf.exe 4544 pdpjd.exe 4084 bnbbhn.exe 3548 xxllrrl.exe 4984 bttntt.exe 4956 vddvv.exe 2808 xllfxll.exe 2020 5jppj.exe 220 dvddv.exe 1712 xxxfxxx.exe 1200 btnntt.exe 4444 pvddd.exe 4616 7lxxlrr.exe 3352 lxrllll.exe 1836 nntttt.exe 2880 jdppj.exe 2796 1vddv.exe 4892 xffffff.exe 3124 btbttt.exe 844 djjjd.exe 3500 dvvdv.exe 3412 frllxfx.exe 5004 5tbhnb.exe 428 pdjjj.exe 3888 vvvvv.exe 2176 bntntt.exe 1168 tnttbb.exe 4464 7jjjv.exe 3460 rxlfrxr.exe 2416 nntntt.exe 2080 tbnnhh.exe 4468 9jjjd.exe 4456 rfrrflf.exe 3628 frxxxxr.exe 4132 1bbbtt.exe -
resource yara_rule behavioral2/memory/716-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1832-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4728-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-1131-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 716 wrote to memory of 1888 716 10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7cN.exe 83 PID 716 wrote to memory of 1888 716 10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7cN.exe 83 PID 716 wrote to memory of 1888 716 10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7cN.exe 83 PID 1888 wrote to memory of 2796 1888 btnnnn.exe 84 PID 1888 wrote to memory of 2796 1888 btnnnn.exe 84 PID 1888 wrote to memory of 2796 1888 btnnnn.exe 84 PID 2796 wrote to memory of 712 2796 ffffffr.exe 85 PID 2796 wrote to memory of 712 2796 ffffffr.exe 85 PID 2796 wrote to memory of 712 2796 ffffffr.exe 85 PID 712 wrote to memory of 2136 712 bthbnb.exe 86 PID 712 wrote to memory of 2136 712 bthbnb.exe 86 PID 712 wrote to memory of 2136 712 bthbnb.exe 86 PID 2136 wrote to memory of 3944 2136 dvvvd.exe 87 PID 2136 wrote to memory of 3944 2136 dvvvd.exe 87 PID 2136 wrote to memory of 3944 2136 dvvvd.exe 87 PID 3944 wrote to memory of 3232 3944 llxrlff.exe 88 PID 3944 wrote to memory of 3232 3944 llxrlff.exe 88 PID 3944 wrote to memory of 3232 3944 llxrlff.exe 88 PID 3232 wrote to memory of 3656 3232 hhbbbb.exe 89 PID 3232 wrote to memory of 3656 3232 hhbbbb.exe 89 PID 3232 wrote to memory of 3656 3232 hhbbbb.exe 89 PID 3656 wrote to memory of 748 3656 7hhbtb.exe 90 PID 3656 wrote to memory of 748 3656 7hhbtb.exe 90 PID 3656 wrote to memory of 748 3656 7hhbtb.exe 90 PID 748 wrote to memory of 232 748 pppjd.exe 91 PID 748 wrote to memory of 232 748 pppjd.exe 91 PID 748 wrote to memory of 232 748 pppjd.exe 91 PID 232 wrote to memory of 3136 232 fffffll.exe 92 PID 232 wrote to memory of 3136 232 fffffll.exe 92 PID 232 wrote to memory of 3136 232 fffffll.exe 92 PID 3136 wrote to memory of 2776 3136 bnbtnh.exe 93 PID 3136 wrote to memory of 2776 3136 bnbtnh.exe 93 PID 3136 wrote to memory of 2776 3136 bnbtnh.exe 93 PID 2776 wrote to memory of 3752 2776 vpjjj.exe 94 PID 2776 wrote to memory of 3752 2776 vpjjj.exe 
94 PID 2776 wrote to memory of 3752 2776 vpjjj.exe 94 PID 3752 wrote to memory of 1968 3752 rxxxxxx.exe 95 PID 3752 wrote to memory of 1968 3752 rxxxxxx.exe 95 PID 3752 wrote to memory of 1968 3752 rxxxxxx.exe 95 PID 1968 wrote to memory of 4032 1968 xflrrxx.exe 96 PID 1968 wrote to memory of 4032 1968 xflrrxx.exe 96 PID 1968 wrote to memory of 4032 1968 xflrrxx.exe 96 PID 4032 wrote to memory of 3968 4032 pdppp.exe 97 PID 4032 wrote to memory of 3968 4032 pdppp.exe 97 PID 4032 wrote to memory of 3968 4032 pdppp.exe 97 PID 3968 wrote to memory of 3132 3968 lffxxxr.exe 98 PID 3968 wrote to memory of 3132 3968 lffxxxr.exe 98 PID 3968 wrote to memory of 3132 3968 lffxxxr.exe 98 PID 3132 wrote to memory of 3392 3132 pvvjd.exe 99 PID 3132 wrote to memory of 3392 3132 pvvjd.exe 99 PID 3132 wrote to memory of 3392 3132 pvvjd.exe 99 PID 3392 wrote to memory of 3356 3392 rrxllrl.exe 100 PID 3392 wrote to memory of 3356 3392 rrxllrl.exe 100 PID 3392 wrote to memory of 3356 3392 rrxllrl.exe 100 PID 3356 wrote to memory of 876 3356 5ttttt.exe 101 PID 3356 wrote to memory of 876 3356 5ttttt.exe 101 PID 3356 wrote to memory of 876 3356 5ttttt.exe 101 PID 876 wrote to memory of 3580 876 5jppp.exe 102 PID 876 wrote to memory of 3580 876 5jppp.exe 102 PID 876 wrote to memory of 3580 876 5jppp.exe 102 PID 3580 wrote to memory of 208 3580 fxxxxff.exe 103 PID 3580 wrote to memory of 208 3580 fxxxxff.exe 103 PID 3580 wrote to memory of 208 3580 fxxxxff.exe 103 PID 208 wrote to memory of 740 208 htnhbn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7cN.exe"C:\Users\Admin\AppData\Local\Temp\10edaea87b9eaf2e19f4fb94271d8d742b41f1a98a3354d7b54b8c4d13e1bc7cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\btnnnn.exec:\btnnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\ffffffr.exec:\ffffffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\bthbnb.exec:\bthbnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\dvvvd.exec:\dvvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\llxrlff.exec:\llxrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\hhbbbb.exec:\hhbbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\7hhbtb.exec:\7hhbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\pppjd.exec:\pppjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\fffffll.exec:\fffffll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\bnbtnh.exec:\bnbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\vpjjj.exec:\vpjjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\rxxxxxx.exec:\rxxxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\xflrrxx.exec:\xflrrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\pdppp.exec:\pdppp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\lffxxxr.exec:\lffxxxr.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\pvvjd.exec:\pvvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\rrxllrl.exec:\rrxllrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\5ttttt.exec:\5ttttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\5jppp.exec:\5jppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\fxxxxff.exec:\fxxxxff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\htnhbn.exec:\htnhbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\bbhbtn.exec:\bbhbtn.exe23⤵
- Executes dropped EXE
PID:740 -
\??\c:\xrfxrxr.exec:\xrfxrxr.exe24⤵
- Executes dropped EXE
PID:2984 -
\??\c:\3pddj.exec:\3pddj.exe25⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pvjjd.exec:\pvjjd.exe26⤵
- Executes dropped EXE
PID:4080 -
\??\c:\xxffrxx.exec:\xxffrxx.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\htnntt.exec:\htnntt.exe28⤵
- Executes dropped EXE
PID:5072 -
\??\c:\nnbbtt.exec:\nnbbtt.exe29⤵
- Executes dropped EXE
PID:1832 -
\??\c:\vdjvd.exec:\vdjvd.exe30⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xrrrrrf.exec:\xrrrrrf.exe31⤵
- Executes dropped EXE
PID:3020 -
\??\c:\pdpjd.exec:\pdpjd.exe32⤵
- Executes dropped EXE
PID:4544 -
\??\c:\bnbbhn.exec:\bnbbhn.exe33⤵
- Executes dropped EXE
PID:4084 -
\??\c:\xxllrrl.exec:\xxllrrl.exe34⤵
- Executes dropped EXE
PID:3548 -
\??\c:\bttntt.exec:\bttntt.exe35⤵
- Executes dropped EXE
PID:4984 -
\??\c:\vddvv.exec:\vddvv.exe36⤵
- Executes dropped EXE
PID:4956 -
\??\c:\xllfxll.exec:\xllfxll.exe37⤵
- Executes dropped EXE
PID:2808 -
\??\c:\5jppj.exec:\5jppj.exe38⤵
- Executes dropped EXE
PID:2020 -
\??\c:\dvddv.exec:\dvddv.exe39⤵
- Executes dropped EXE
PID:220 -
\??\c:\xxxfxxx.exec:\xxxfxxx.exe40⤵
- Executes dropped EXE
PID:1712 -
\??\c:\btnntt.exec:\btnntt.exe41⤵
- Executes dropped EXE
PID:1200 -
\??\c:\pvddd.exec:\pvddd.exe42⤵
- Executes dropped EXE
PID:4444 -
\??\c:\7lxxlrr.exec:\7lxxlrr.exe43⤵
- Executes dropped EXE
PID:4616 -
\??\c:\lxrllll.exec:\lxrllll.exe44⤵
- Executes dropped EXE
PID:3352 -
\??\c:\nntttt.exec:\nntttt.exe45⤵
- Executes dropped EXE
PID:1836 -
\??\c:\jdppj.exec:\jdppj.exe46⤵
- Executes dropped EXE
PID:2880 -
\??\c:\1vddv.exec:\1vddv.exe47⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xffffff.exec:\xffffff.exe48⤵
- Executes dropped EXE
PID:4892 -
\??\c:\btbttt.exec:\btbttt.exe49⤵
- Executes dropped EXE
PID:3124 -
\??\c:\djjjd.exec:\djjjd.exe50⤵
- Executes dropped EXE
PID:844 -
\??\c:\dvvdv.exec:\dvvdv.exe51⤵
- Executes dropped EXE
PID:3500 -
\??\c:\frllxfx.exec:\frllxfx.exe52⤵
- Executes dropped EXE
PID:3412 -
\??\c:\5tbhnb.exec:\5tbhnb.exe53⤵
- Executes dropped EXE
PID:5004 -
\??\c:\pdjjj.exec:\pdjjj.exe54⤵
- Executes dropped EXE
PID:428 -
\??\c:\vvvvv.exec:\vvvvv.exe55⤵
- Executes dropped EXE
PID:3888 -
\??\c:\bntntt.exec:\bntntt.exe56⤵
- Executes dropped EXE
PID:2176 -
\??\c:\tnttbb.exec:\tnttbb.exe57⤵
- Executes dropped EXE
PID:1168 -
\??\c:\7jjjv.exec:\7jjjv.exe58⤵
- Executes dropped EXE
PID:4464 -
\??\c:\rxlfrxr.exec:\rxlfrxr.exe59⤵
- Executes dropped EXE
PID:3460 -
\??\c:\nntntt.exec:\nntntt.exe60⤵
- Executes dropped EXE
PID:2416 -
\??\c:\tbnnhh.exec:\tbnnhh.exe61⤵
- Executes dropped EXE
PID:2080 -
\??\c:\9jjjd.exec:\9jjjd.exe62⤵
- Executes dropped EXE
PID:4468 -
\??\c:\rfrrflf.exec:\rfrrflf.exe63⤵
- Executes dropped EXE
PID:4456 -
\??\c:\frxxxxr.exec:\frxxxxr.exe64⤵
- Executes dropped EXE
PID:3628 -
\??\c:\1bbbtt.exec:\1bbbtt.exe65⤵
- Executes dropped EXE
PID:4132 -
\??\c:\frxxrxr.exec:\frxxrxr.exe66⤵PID:2704
-
\??\c:\nhnhhb.exec:\nhnhhb.exe67⤵PID:4880
-
\??\c:\hhhhbb.exec:\hhhhbb.exe68⤵PID:3392
-
\??\c:\jvppj.exec:\jvppj.exe69⤵PID:2892
-
\??\c:\xrllxxl.exec:\xrllxxl.exe70⤵PID:2288
-
\??\c:\tntbtb.exec:\tntbtb.exe71⤵PID:2828
-
\??\c:\bbnhtt.exec:\bbnhtt.exe72⤵PID:4216
-
\??\c:\dpvvv.exec:\dpvvv.exe73⤵PID:1664
-
\??\c:\7xfxxxx.exec:\7xfxxxx.exe74⤵PID:3348
-
\??\c:\5rxllrr.exec:\5rxllrr.exe75⤵PID:4496
-
\??\c:\ttttnt.exec:\ttttnt.exe76⤵PID:3388
-
\??\c:\jdvvp.exec:\jdvvp.exe77⤵PID:512
-
\??\c:\rlxxrrr.exec:\rlxxrrr.exe78⤵PID:1540
-
\??\c:\lfxxflx.exec:\lfxxflx.exe79⤵PID:1728
-
\??\c:\1nnnnh.exec:\1nnnnh.exe80⤵PID:1748
-
\??\c:\5pjjd.exec:\5pjjd.exe81⤵PID:2224
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe82⤵PID:1832
-
\??\c:\1nhhhh.exec:\1nhhhh.exe83⤵PID:4696
-
\??\c:\vpvvv.exec:\vpvvv.exe84⤵PID:3664
-
\??\c:\rfrlflf.exec:\rfrlflf.exe85⤵PID:4728
-
\??\c:\lffxflf.exec:\lffxflf.exe86⤵PID:4996
-
\??\c:\thbnhn.exec:\thbnhn.exe87⤵PID:3396
-
\??\c:\vdjdd.exec:\vdjdd.exe88⤵PID:3796
-
\??\c:\1ffrfrf.exec:\1ffrfrf.exe89⤵PID:5040
-
\??\c:\3fllrrr.exec:\3fllrrr.exe90⤵PID:4128
-
\??\c:\hbhhnn.exec:\hbhhnn.exe91⤵PID:3824
-
\??\c:\vdvpj.exec:\vdvpj.exe92⤵PID:3088
-
\??\c:\rxllfff.exec:\rxllfff.exe93⤵PID:5108
-
\??\c:\rrxffll.exec:\rrxffll.exe94⤵PID:4536
-
\??\c:\7btnhn.exec:\7btnhn.exe95⤵
- System Location Discovery: System Language Discovery
PID:1712 -
\??\c:\ppvvj.exec:\ppvvj.exe96⤵PID:1200
-
\??\c:\rflffff.exec:\rflffff.exe97⤵PID:3588
-
\??\c:\xrxrlrx.exec:\xrxrlrx.exe98⤵PID:2248
-
\??\c:\hbnttt.exec:\hbnttt.exe99⤵PID:2580
-
\??\c:\ddvpv.exec:\ddvpv.exe100⤵PID:648
-
\??\c:\lffffll.exec:\lffffll.exe101⤵PID:3456
-
\??\c:\nhnhtt.exec:\nhnhtt.exe102⤵PID:2796
-
\??\c:\jjpjd.exec:\jjpjd.exe103⤵PID:3220
-
\??\c:\pjpjd.exec:\pjpjd.exe104⤵PID:3944
-
\??\c:\lxllxll.exec:\lxllxll.exe105⤵PID:2744
-
\??\c:\7bbbbn.exec:\7bbbbn.exe106⤵PID:4100
-
\??\c:\vpddv.exec:\vpddv.exe107⤵PID:4324
-
\??\c:\rffllrr.exec:\rffllrr.exe108⤵PID:5004
-
\??\c:\nnttnn.exec:\nnttnn.exe109⤵PID:1892
-
\??\c:\bhtnnt.exec:\bhtnnt.exe110⤵PID:4328
-
\??\c:\jjjdv.exec:\jjjdv.exe111⤵PID:3924
-
\??\c:\lrxxxff.exec:\lrxxxff.exe112⤵PID:1060
-
\??\c:\llrxxxx.exec:\llrxxxx.exe113⤵PID:2776
-
\??\c:\nbnnhh.exec:\nbnnhh.exe114⤵PID:1680
-
\??\c:\vvjjp.exec:\vvjjp.exe115⤵PID:1132
-
\??\c:\rrrrfrr.exec:\rrrrfrr.exe116⤵PID:3752
-
\??\c:\hbtttt.exec:\hbtttt.exe117⤵PID:4016
-
\??\c:\jdjdd.exec:\jdjdd.exe118⤵PID:1968
-
\??\c:\rlrlfff.exec:\rlrlfff.exe119⤵PID:2812
-
\??\c:\9lrlllf.exec:\9lrlllf.exe120⤵PID:212
-
\??\c:\bntttt.exec:\bntttt.exe121⤵PID:3132
-
\??\c:\dvvpj.exec:\dvvpj.exe122⤵PID:4672