Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe
-
Size
453KB
-
MD5
e65d18fbe1dda42036301b909ab5d2e0
-
SHA1
eba3c76a1fb3d84cb6bf9256df86f6db82ab04bc
-
SHA256
5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaa
-
SHA512
c7adc0e1695709e03d4124cd51ed42b1fa636b5bf72f401157b1a55c3dd54f6cb6bd0497a23728a752cc31da32894839b19d81d189cf27bc6d546020d6d6bf88
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2844-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3628-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1156-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-1952-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3608 btbbtt.exe 936 7ddvp.exe 1040 nntntt.exe 3820 fxrlflf.exe 1884 pdjdd.exe 3388 lrrllfx.exe 4092 vpjjd.exe 3640 lfrfxff.exe 912 7jdvv.exe 4484 3rxrxxf.exe 3980 btbbtb.exe 4284 lxxxrrr.exe 4444 5nnhnn.exe 2280 xrrfxxx.exe 3972 dddjv.exe 2972 7llfxxx.exe 228 3httnt.exe 2104 vpvpp.exe 892 9dvvp.exe 3456 9xrlffx.exe 2448 bthbhb.exe 3116 3dvvp.exe 3484 xlfxxxx.exe 1816 nhhtnn.exe 1388 htnbbn.exe 3412 dpvpv.exe 4408 5lrlxrx.exe 4052 lxlxrfr.exe 3628 pdjdj.exe 1684 1lxlxrl.exe 2372 7nhbbt.exe 780 pvvpj.exe 3024 lfxrllf.exe 3304 frrflxr.exe 3636 1tbttt.exe 3736 jpjpp.exe 1860 dvvjd.exe 4940 3bttnb.exe 1888 9ttbtt.exe 364 vvdjv.exe 1624 djjvj.exe 3400 flxlxfx.exe 2740 llxfrfl.exe 3488 htttnn.exe 1852 jvvjj.exe 820 rllxffr.exe 2388 nhtnbt.exe 1316 vvdpj.exe 4876 xxllrlr.exe 4172 lflxlfr.exe 2364 bbhtbt.exe 1588 ppvvv.exe 4016 rlrlrll.exe 3744 btbbtb.exe 3760 jvdvd.exe 1584 xfrlxrr.exe 1652 hbntnn.exe 2008 vvdvv.exe 5060 djjvp.exe 912 fffrllf.exe 4004 7tnnhh.exe 540 9dpdp.exe 2472 1rlxllf.exe 4952 tntthb.exe -
resource yara_rule behavioral2/memory/2844-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3116-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4948-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-732-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhhb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2844 wrote to memory of 3608 2844 5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe 82 PID 2844 wrote to memory of 3608 2844 5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe 82 PID 2844 wrote to memory of 3608 2844 5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe 82 PID 3608 wrote to memory of 936 3608 btbbtt.exe 83 PID 3608 wrote to memory of 936 3608 btbbtt.exe 83 PID 3608 wrote to memory of 936 3608 btbbtt.exe 83 PID 936 wrote to memory of 1040 936 7ddvp.exe 84 PID 936 wrote to memory of 1040 936 7ddvp.exe 84 PID 936 wrote to memory of 1040 936 7ddvp.exe 84 PID 1040 wrote to memory of 3820 1040 nntntt.exe 85 PID 1040 wrote to memory of 3820 1040 nntntt.exe 85 PID 1040 wrote to memory of 3820 1040 nntntt.exe 85 PID 3820 wrote to memory of 1884 3820 fxrlflf.exe 86 PID 3820 wrote to memory of 1884 3820 fxrlflf.exe 86 PID 3820 wrote to memory of 1884 3820 fxrlflf.exe 86 PID 1884 wrote to memory of 3388 1884 pdjdd.exe 87 PID 1884 wrote to memory of 3388 1884 pdjdd.exe 87 PID 1884 wrote to memory of 3388 1884 pdjdd.exe 87 PID 3388 wrote to memory of 4092 3388 lrrllfx.exe 88 PID 3388 wrote to memory of 4092 3388 lrrllfx.exe 88 PID 3388 wrote to memory of 4092 3388 lrrllfx.exe 88 PID 4092 wrote to memory of 3640 4092 vpjjd.exe 89 PID 4092 wrote to memory of 3640 4092 vpjjd.exe 89 PID 4092 wrote to memory of 3640 4092 vpjjd.exe 89 PID 3640 wrote to memory of 912 3640 lfrfxff.exe 90 PID 3640 wrote to memory of 912 3640 lfrfxff.exe 90 PID 3640 wrote to memory of 912 3640 lfrfxff.exe 90 PID 912 wrote to memory of 4484 912 7jdvv.exe 91 PID 912 wrote to memory of 4484 912 7jdvv.exe 91 PID 912 wrote to memory of 4484 912 7jdvv.exe 91 PID 4484 wrote to memory of 3980 4484 3rxrxxf.exe 92 PID 4484 wrote to memory of 3980 4484 3rxrxxf.exe 92 PID 4484 wrote to memory of 3980 4484 3rxrxxf.exe 92 PID 3980 wrote to memory of 4284 3980 btbbtb.exe 93 PID 3980 wrote to memory of 4284 
3980 btbbtb.exe 93 PID 3980 wrote to memory of 4284 3980 btbbtb.exe 93 PID 4284 wrote to memory of 4444 4284 lxxxrrr.exe 94 PID 4284 wrote to memory of 4444 4284 lxxxrrr.exe 94 PID 4284 wrote to memory of 4444 4284 lxxxrrr.exe 94 PID 4444 wrote to memory of 2280 4444 5nnhnn.exe 95 PID 4444 wrote to memory of 2280 4444 5nnhnn.exe 95 PID 4444 wrote to memory of 2280 4444 5nnhnn.exe 95 PID 2280 wrote to memory of 3972 2280 xrrfxxx.exe 96 PID 2280 wrote to memory of 3972 2280 xrrfxxx.exe 96 PID 2280 wrote to memory of 3972 2280 xrrfxxx.exe 96 PID 3972 wrote to memory of 2972 3972 dddjv.exe 97 PID 3972 wrote to memory of 2972 3972 dddjv.exe 97 PID 3972 wrote to memory of 2972 3972 dddjv.exe 97 PID 2972 wrote to memory of 228 2972 7llfxxx.exe 98 PID 2972 wrote to memory of 228 2972 7llfxxx.exe 98 PID 2972 wrote to memory of 228 2972 7llfxxx.exe 98 PID 228 wrote to memory of 2104 228 3httnt.exe 99 PID 228 wrote to memory of 2104 228 3httnt.exe 99 PID 228 wrote to memory of 2104 228 3httnt.exe 99 PID 2104 wrote to memory of 892 2104 vpvpp.exe 100 PID 2104 wrote to memory of 892 2104 vpvpp.exe 100 PID 2104 wrote to memory of 892 2104 vpvpp.exe 100 PID 892 wrote to memory of 3456 892 9dvvp.exe 101 PID 892 wrote to memory of 3456 892 9dvvp.exe 101 PID 892 wrote to memory of 3456 892 9dvvp.exe 101 PID 3456 wrote to memory of 2448 3456 9xrlffx.exe 102 PID 3456 wrote to memory of 2448 3456 9xrlffx.exe 102 PID 3456 wrote to memory of 2448 3456 9xrlffx.exe 102 PID 2448 wrote to memory of 3116 2448 bthbhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe"C:\Users\Admin\AppData\Local\Temp\5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\btbbtt.exec:\btbbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\7ddvp.exec:\7ddvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\nntntt.exec:\nntntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\fxrlflf.exec:\fxrlflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\pdjdd.exec:\pdjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\lrrllfx.exec:\lrrllfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\vpjjd.exec:\vpjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\lfrfxff.exec:\lfrfxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\7jdvv.exec:\7jdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\3rxrxxf.exec:\3rxrxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\btbbtb.exec:\btbbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\5nnhnn.exec:\5nnhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\xrrfxxx.exec:\xrrfxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\dddjv.exec:\dddjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\7llfxxx.exec:\7llfxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\3httnt.exec:\3httnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\vpvpp.exec:\vpvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\9dvvp.exec:\9dvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\9xrlffx.exec:\9xrlffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\bthbhb.exec:\bthbhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\3dvvp.exec:\3dvvp.exe23⤵
- Executes dropped EXE
PID:3116 -
\??\c:\xlfxxxx.exec:\xlfxxxx.exe24⤵
- Executes dropped EXE
PID:3484 -
\??\c:\nhhtnn.exec:\nhhtnn.exe25⤵
- Executes dropped EXE
PID:1816 -
\??\c:\htnbbn.exec:\htnbbn.exe26⤵
- Executes dropped EXE
PID:1388 -
\??\c:\dpvpv.exec:\dpvpv.exe27⤵
- Executes dropped EXE
PID:3412 -
\??\c:\5lrlxrx.exec:\5lrlxrx.exe28⤵
- Executes dropped EXE
PID:4408 -
\??\c:\lxlxrfr.exec:\lxlxrfr.exe29⤵
- Executes dropped EXE
PID:4052 -
\??\c:\pdjdj.exec:\pdjdj.exe30⤵
- Executes dropped EXE
PID:3628 -
\??\c:\1lxlxrl.exec:\1lxlxrl.exe31⤵
- Executes dropped EXE
PID:1684 -
\??\c:\7nhbbt.exec:\7nhbbt.exe32⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pvvpj.exec:\pvvpj.exe33⤵
- Executes dropped EXE
PID:780 -
\??\c:\lfxrllf.exec:\lfxrllf.exe34⤵
- Executes dropped EXE
PID:3024 -
\??\c:\frrflxr.exec:\frrflxr.exe35⤵
- Executes dropped EXE
PID:3304 -
\??\c:\1tbttt.exec:\1tbttt.exe36⤵
- Executes dropped EXE
PID:3636 -
\??\c:\jpjpp.exec:\jpjpp.exe37⤵
- Executes dropped EXE
PID:3736 -
\??\c:\dvvjd.exec:\dvvjd.exe38⤵
- Executes dropped EXE
PID:1860 -
\??\c:\3bttnb.exec:\3bttnb.exe39⤵
- Executes dropped EXE
PID:4940 -
\??\c:\9ttbtt.exec:\9ttbtt.exe40⤵
- Executes dropped EXE
PID:1888 -
\??\c:\vvdjv.exec:\vvdjv.exe41⤵
- Executes dropped EXE
PID:364 -
\??\c:\djjvj.exec:\djjvj.exe42⤵
- Executes dropped EXE
PID:1624 -
\??\c:\flxlxfx.exec:\flxlxfx.exe43⤵
- Executes dropped EXE
PID:3400 -
\??\c:\llxfrfl.exec:\llxfrfl.exe44⤵
- Executes dropped EXE
PID:2740 -
\??\c:\htttnn.exec:\htttnn.exe45⤵
- Executes dropped EXE
PID:3488 -
\??\c:\jvvjj.exec:\jvvjj.exe46⤵
- Executes dropped EXE
PID:1852 -
\??\c:\rllxffr.exec:\rllxffr.exe47⤵
- Executes dropped EXE
PID:820 -
\??\c:\nhtnbt.exec:\nhtnbt.exe48⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vvdpj.exec:\vvdpj.exe49⤵
- Executes dropped EXE
PID:1316 -
\??\c:\xxllrlr.exec:\xxllrlr.exe50⤵
- Executes dropped EXE
PID:4876 -
\??\c:\lflxlfr.exec:\lflxlfr.exe51⤵
- Executes dropped EXE
PID:4172 -
\??\c:\bbhtbt.exec:\bbhtbt.exe52⤵
- Executes dropped EXE
PID:2364 -
\??\c:\ppvvv.exec:\ppvvv.exe53⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rlrlrll.exec:\rlrlrll.exe54⤵
- Executes dropped EXE
PID:4016 -
\??\c:\btbbtb.exec:\btbbtb.exe55⤵
- Executes dropped EXE
PID:3744 -
\??\c:\jvdvd.exec:\jvdvd.exe56⤵
- Executes dropped EXE
PID:3760 -
\??\c:\xfrlxrr.exec:\xfrlxrr.exe57⤵
- Executes dropped EXE
PID:1584 -
\??\c:\hbntnn.exec:\hbntnn.exe58⤵
- Executes dropped EXE
PID:1652 -
\??\c:\vvdvv.exec:\vvdvv.exe59⤵
- Executes dropped EXE
PID:2008 -
\??\c:\djjvp.exec:\djjvp.exe60⤵
- Executes dropped EXE
PID:5060 -
\??\c:\fffrllf.exec:\fffrllf.exe61⤵
- Executes dropped EXE
PID:912 -
\??\c:\7tnnhh.exec:\7tnnhh.exe62⤵
- Executes dropped EXE
PID:4004 -
\??\c:\9dpdp.exec:\9dpdp.exe63⤵
- Executes dropped EXE
PID:540 -
\??\c:\1rlxllf.exec:\1rlxllf.exe64⤵
- Executes dropped EXE
PID:2472 -
\??\c:\tntthb.exec:\tntthb.exe65⤵
- Executes dropped EXE
PID:4952 -
\??\c:\bbnhtt.exec:\bbnhtt.exe66⤵PID:2904
-
\??\c:\jdjvv.exec:\jdjvv.exe67⤵PID:2396
-
\??\c:\lxxlfxx.exec:\lxxlfxx.exe68⤵PID:648
-
\??\c:\5xxrfxl.exec:\5xxrfxl.exe69⤵PID:4100
-
\??\c:\3hbbnt.exec:\3hbbnt.exe70⤵PID:1156
-
\??\c:\vjjdj.exec:\vjjdj.exe71⤵PID:4936
-
\??\c:\pdvjv.exec:\pdvjv.exe72⤵PID:4988
-
\??\c:\5rrfrlx.exec:\5rrfrlx.exe73⤵PID:1632
-
\??\c:\7hbtnn.exec:\7hbtnn.exe74⤵PID:4060
-
\??\c:\vjjdp.exec:\vjjdp.exe75⤵PID:3044
-
\??\c:\lffrffr.exec:\lffrffr.exe76⤵PID:4892
-
\??\c:\rxxlflf.exec:\rxxlflf.exe77⤵PID:5016
-
\??\c:\nhhnht.exec:\nhhnht.exe78⤵PID:1176
-
\??\c:\vdvjd.exec:\vdvjd.exe79⤵PID:4948
-
\??\c:\5vpjv.exec:\5vpjv.exe80⤵PID:636
-
\??\c:\xfrllll.exec:\xfrllll.exe81⤵PID:2892
-
\??\c:\tnnhbb.exec:\tnnhbb.exe82⤵PID:1728
-
\??\c:\1pjdv.exec:\1pjdv.exe83⤵PID:2428
-
\??\c:\9flxlll.exec:\9flxlll.exe84⤵PID:2292
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe85⤵PID:1904
-
\??\c:\thntnb.exec:\thntnb.exe86⤵
- System Location Discovery: System Language Discovery
PID:1412 -
\??\c:\vppjj.exec:\vppjj.exe87⤵PID:3168
-
\??\c:\lrxxrlf.exec:\lrxxrlf.exe88⤵PID:1684
-
\??\c:\xfffxxx.exec:\xfffxxx.exe89⤵PID:5076
-
\??\c:\tthhbb.exec:\tthhbb.exe90⤵PID:3056
-
\??\c:\1jvvj.exec:\1jvvj.exe91⤵PID:3704
-
\??\c:\frlfrrl.exec:\frlfrrl.exe92⤵PID:4056
-
\??\c:\xrfllll.exec:\xrfllll.exe93⤵PID:2220
-
\??\c:\bnbtnn.exec:\bnbtnn.exe94⤵PID:748
-
\??\c:\ppvvv.exec:\ppvvv.exe95⤵PID:4536
-
\??\c:\1llfxfr.exec:\1llfxfr.exe96⤵PID:5048
-
\??\c:\hnnntt.exec:\hnnntt.exe97⤵PID:2400
-
\??\c:\3hntnt.exec:\3hntnt.exe98⤵PID:3292
-
\??\c:\pvjdp.exec:\pvjdp.exe99⤵PID:4888
-
\??\c:\vjdvj.exec:\vjdvj.exe100⤵PID:2636
-
\??\c:\flrlffx.exec:\flrlffx.exe101⤵PID:3908
-
\??\c:\thbhhb.exec:\thbhhb.exe102⤵
- System Location Discovery: System Language Discovery
PID:2676 -
\??\c:\dvvpd.exec:\dvvpd.exe103⤵PID:828
-
\??\c:\xllfrrf.exec:\xllfrrf.exe104⤵PID:4364
-
\??\c:\llrrlfr.exec:\llrrlfr.exe105⤵PID:528
-
\??\c:\bthhbt.exec:\bthhbt.exe106⤵PID:4128
-
\??\c:\vdddp.exec:\vdddp.exe107⤵PID:4668
-
\??\c:\lflfxxr.exec:\lflfxxr.exe108⤵PID:1892
-
\??\c:\fxrrllf.exec:\fxrrllf.exe109⤵PID:2348
-
\??\c:\nbtbtt.exec:\nbtbtt.exe110⤵PID:3920
-
\??\c:\btnbnn.exec:\btnbnn.exe111⤵PID:4600
-
\??\c:\pdvdp.exec:\pdvdp.exe112⤵PID:1264
-
\??\c:\rlfxrll.exec:\rlfxrll.exe113⤵PID:4244
-
\??\c:\hbtnhh.exec:\hbtnhh.exe114⤵PID:1932
-
\??\c:\1btnhn.exec:\1btnhn.exe115⤵PID:2256
-
\??\c:\jjpjp.exec:\jjpjp.exe116⤵PID:460
-
\??\c:\flxlfrl.exec:\flxlfrl.exe117⤵PID:2616
-
\??\c:\lfrrxxr.exec:\lfrrxxr.exe118⤵PID:1652
-
\??\c:\3nbbtt.exec:\3nbbtt.exe119⤵PID:2008
-
\??\c:\vjjdv.exec:\vjjdv.exe120⤵PID:4460
-
\??\c:\pjjdd.exec:\pjjdd.exe121⤵PID:2508
-
\??\c:\1lfxllf.exec:\1lfxllf.exe122⤵PID:3444