Analysis
-
max time kernel
120s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 22:31
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060N.exe
-
Size
454KB
-
MD5
8d8de69063556a9aff9805d2c76c4a00
-
SHA1
d382fe74d04b26ce27676847b69bf3e2c74f2233
-
SHA256
848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060
-
SHA512
ed4486182abc5f94412bbe443ea5982c982cfaa701b4a1be892ab87bd2b297d514ce124dc959c2da5e9b2cf4e244053f9a1b2377b3dc6c0d48c07b0de8955ac0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1228-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1588-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3336-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-853-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-986-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4560-990-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1576 bbtnth.exe 1504 5rxrrxx.exe 3260 bhbbnt.exe 2068 jpvvj.exe 1320 xflllrr.exe 3288 nntttt.exe 3252 fxxrrll.exe 4988 7pvjp.exe 1992 ppdvp.exe 2716 jjvpj.exe 2644 xrxrxxr.exe 2324 9tbhhb.exe 3036 lxrxlrx.exe 4204 vvppj.exe 4644 jpdjd.exe 4872 lxlrxrf.exe 856 3dvpj.exe 3448 xrlfxxl.exe 3700 ppjdp.exe 3272 xxlfffx.exe 2508 nthbtt.exe 1176 3lfflrr.exe 4460 bbbbbb.exe 4064 xrllffx.exe 1588 bbnbhb.exe 4352 dvdpj.exe 3012 3jjjd.exe 3244 fxfffrl.exe 3548 dvdpp.exe 4844 nttnhb.exe 1500 thbthh.exe 2964 btnbtn.exe 1880 3vvvd.exe 4756 lffxxfx.exe 2228 hbbnbt.exe 2524 1vvpd.exe 3632 rfflxfl.exe 3008 7fxfllr.exe 2464 hnbbhn.exe 4120 dpvpp.exe 1576 rlxrrrl.exe 4416 btnhnt.exe 3020 dvddd.exe 1432 dvdpp.exe 3672 frxfllx.exe 2016 3nhbtt.exe 3076 7hhbbh.exe 788 ppddp.exe 2876 rffffff.exe 968 3ntttt.exe 4176 jpddd.exe 4480 xxllrxx.exe 384 btbbnh.exe 2584 hnnttn.exe 3128 vdvvp.exe 4208 fxrfxxl.exe 3736 bbbbbb.exe 1128 hhhhhb.exe 1104 jjvvp.exe 64 rlxxxff.exe 4140 nntthn.exe 2640 btnnnn.exe 60 pjvvv.exe 4496 fllfflf.exe -
resource yara_rule behavioral2/memory/1228-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3244-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3296-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-773-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1228 wrote to memory of 1576 1228 848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060N.exe 84 PID 1228 wrote to memory of 1576 1228 848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060N.exe 84 PID 1228 wrote to memory of 1576 1228 848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060N.exe 84 PID 1576 wrote to memory of 1504 1576 bbtnth.exe 85 PID 1576 wrote to memory of 1504 1576 bbtnth.exe 85 PID 1576 wrote to memory of 1504 1576 bbtnth.exe 85 PID 1504 wrote to memory of 3260 1504 5rxrrxx.exe 86 PID 1504 wrote to memory of 3260 1504 5rxrrxx.exe 86 PID 1504 wrote to memory of 3260 1504 5rxrrxx.exe 86 PID 3260 wrote to memory of 2068 3260 bhbbnt.exe 87 PID 3260 wrote to memory of 2068 3260 bhbbnt.exe 87 PID 3260 wrote to memory of 2068 3260 bhbbnt.exe 87 PID 2068 wrote to memory of 1320 2068 jpvvj.exe 88 PID 2068 wrote to memory of 1320 2068 jpvvj.exe 88 PID 2068 wrote to memory of 1320 2068 jpvvj.exe 88 PID 1320 wrote to memory of 3288 1320 xflllrr.exe 89 PID 1320 wrote to memory of 3288 1320 xflllrr.exe 89 PID 1320 wrote to memory of 3288 1320 xflllrr.exe 89 PID 3288 wrote to memory of 3252 3288 nntttt.exe 90 PID 3288 wrote to memory of 3252 3288 nntttt.exe 90 PID 3288 wrote to memory of 3252 3288 nntttt.exe 90 PID 3252 wrote to memory of 4988 3252 fxxrrll.exe 91 PID 3252 wrote to memory of 4988 3252 fxxrrll.exe 91 PID 3252 wrote to memory of 4988 3252 fxxrrll.exe 91 PID 4988 wrote to memory of 1992 4988 7pvjp.exe 92 PID 4988 wrote to memory of 1992 4988 7pvjp.exe 92 PID 4988 wrote to memory of 1992 4988 7pvjp.exe 92 PID 1992 wrote to memory of 2716 1992 ppdvp.exe 93 PID 1992 wrote to memory of 2716 1992 ppdvp.exe 93 PID 1992 wrote to memory of 2716 1992 ppdvp.exe 93 PID 2716 wrote to memory of 2644 2716 jjvpj.exe 94 PID 2716 wrote to memory of 2644 2716 jjvpj.exe 94 PID 2716 wrote to memory of 2644 2716 jjvpj.exe 94 PID 2644 wrote to memory of 2324 2644 xrxrxxr.exe 95 PID 2644 wrote to 
memory of 2324 2644 xrxrxxr.exe 95 PID 2644 wrote to memory of 2324 2644 xrxrxxr.exe 95 PID 2324 wrote to memory of 3036 2324 9tbhhb.exe 96 PID 2324 wrote to memory of 3036 2324 9tbhhb.exe 96 PID 2324 wrote to memory of 3036 2324 9tbhhb.exe 96 PID 3036 wrote to memory of 4204 3036 lxrxlrx.exe 98 PID 3036 wrote to memory of 4204 3036 lxrxlrx.exe 98 PID 3036 wrote to memory of 4204 3036 lxrxlrx.exe 98 PID 4204 wrote to memory of 4644 4204 vvppj.exe 99 PID 4204 wrote to memory of 4644 4204 vvppj.exe 99 PID 4204 wrote to memory of 4644 4204 vvppj.exe 99 PID 4644 wrote to memory of 4872 4644 jpdjd.exe 100 PID 4644 wrote to memory of 4872 4644 jpdjd.exe 100 PID 4644 wrote to memory of 4872 4644 jpdjd.exe 100 PID 4872 wrote to memory of 856 4872 lxlrxrf.exe 101 PID 4872 wrote to memory of 856 4872 lxlrxrf.exe 101 PID 4872 wrote to memory of 856 4872 lxlrxrf.exe 101 PID 856 wrote to memory of 3448 856 3dvpj.exe 103 PID 856 wrote to memory of 3448 856 3dvpj.exe 103 PID 856 wrote to memory of 3448 856 3dvpj.exe 103 PID 3448 wrote to memory of 3700 3448 xrlfxxl.exe 104 PID 3448 wrote to memory of 3700 3448 xrlfxxl.exe 104 PID 3448 wrote to memory of 3700 3448 xrlfxxl.exe 104 PID 3700 wrote to memory of 3272 3700 ppjdp.exe 105 PID 3700 wrote to memory of 3272 3700 ppjdp.exe 105 PID 3700 wrote to memory of 3272 3700 ppjdp.exe 105 PID 3272 wrote to memory of 2508 3272 xxlfffx.exe 106 PID 3272 wrote to memory of 2508 3272 xxlfffx.exe 106 PID 3272 wrote to memory of 2508 3272 xxlfffx.exe 106 PID 2508 wrote to memory of 1176 2508 nthbtt.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060N.exe"C:\Users\Admin\AppData\Local\Temp\848a9f145d6634b8b415ba22653f468ba9e7356f825b94787a28fb475f763060N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\bbtnth.exec:\bbtnth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\5rxrrxx.exec:\5rxrrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\bhbbnt.exec:\bhbbnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\jpvvj.exec:\jpvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\xflllrr.exec:\xflllrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\nntttt.exec:\nntttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\fxxrrll.exec:\fxxrrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\7pvjp.exec:\7pvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\ppdvp.exec:\ppdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\jjvpj.exec:\jjvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\xrxrxxr.exec:\xrxrxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\9tbhhb.exec:\9tbhhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\lxrxlrx.exec:\lxrxlrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\vvppj.exec:\vvppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\jpdjd.exec:\jpdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\lxlrxrf.exec:\lxlrxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\3dvpj.exec:\3dvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\xrlfxxl.exec:\xrlfxxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\ppjdp.exec:\ppjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\xxlfffx.exec:\xxlfffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\nthbtt.exec:\nthbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\3lfflrr.exec:\3lfflrr.exe23⤵
- Executes dropped EXE
PID:1176 -
\??\c:\bbbbbb.exec:\bbbbbb.exe24⤵
- Executes dropped EXE
PID:4460 -
\??\c:\xrllffx.exec:\xrllffx.exe25⤵
- Executes dropped EXE
PID:4064 -
\??\c:\bbnbhb.exec:\bbnbhb.exe26⤵
- Executes dropped EXE
PID:1588 -
\??\c:\dvdpj.exec:\dvdpj.exe27⤵
- Executes dropped EXE
PID:4352 -
\??\c:\3jjjd.exec:\3jjjd.exe28⤵
- Executes dropped EXE
PID:3012 -
\??\c:\fxfffrl.exec:\fxfffrl.exe29⤵
- Executes dropped EXE
PID:3244 -
\??\c:\dvdpp.exec:\dvdpp.exe30⤵
- Executes dropped EXE
PID:3548 -
\??\c:\nttnhb.exec:\nttnhb.exe31⤵
- Executes dropped EXE
PID:4844 -
\??\c:\thbthh.exec:\thbthh.exe32⤵
- Executes dropped EXE
PID:1500 -
\??\c:\btnbtn.exec:\btnbtn.exe33⤵
- Executes dropped EXE
PID:2964 -
\??\c:\3vvvd.exec:\3vvvd.exe34⤵
- Executes dropped EXE
PID:1880 -
\??\c:\lffxxfx.exec:\lffxxfx.exe35⤵
- Executes dropped EXE
PID:4756 -
\??\c:\hbbnbt.exec:\hbbnbt.exe36⤵
- Executes dropped EXE
PID:2228 -
\??\c:\1vvpd.exec:\1vvpd.exe37⤵
- Executes dropped EXE
PID:2524 -
\??\c:\rfflxfl.exec:\rfflxfl.exe38⤵
- Executes dropped EXE
PID:3632 -
\??\c:\7fxfllr.exec:\7fxfllr.exe39⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hnbbhn.exec:\hnbbhn.exe40⤵
- Executes dropped EXE
PID:2464 -
\??\c:\dpvpp.exec:\dpvpp.exe41⤵
- Executes dropped EXE
PID:4120 -
\??\c:\rlxrrrl.exec:\rlxrrrl.exe42⤵
- Executes dropped EXE
PID:1576 -
\??\c:\btnhnt.exec:\btnhnt.exe43⤵
- Executes dropped EXE
PID:4416 -
\??\c:\dvddd.exec:\dvddd.exe44⤵
- Executes dropped EXE
PID:3020 -
\??\c:\dvdpp.exec:\dvdpp.exe45⤵
- Executes dropped EXE
PID:1432 -
\??\c:\frxfllx.exec:\frxfllx.exe46⤵
- Executes dropped EXE
PID:3672 -
\??\c:\3nhbtt.exec:\3nhbtt.exe47⤵
- Executes dropped EXE
PID:2016 -
\??\c:\7hhbbh.exec:\7hhbbh.exe48⤵
- Executes dropped EXE
PID:3076 -
\??\c:\ppddp.exec:\ppddp.exe49⤵
- Executes dropped EXE
PID:788 -
\??\c:\rffffff.exec:\rffffff.exe50⤵
- Executes dropped EXE
PID:2876 -
\??\c:\3ntttt.exec:\3ntttt.exe51⤵
- Executes dropped EXE
PID:968 -
\??\c:\jpddd.exec:\jpddd.exe52⤵
- Executes dropped EXE
PID:4176 -
\??\c:\xxllrxx.exec:\xxllrxx.exe53⤵
- Executes dropped EXE
PID:4480 -
\??\c:\btbbnh.exec:\btbbnh.exe54⤵
- Executes dropped EXE
PID:384 -
\??\c:\hnnttn.exec:\hnnttn.exe55⤵
- Executes dropped EXE
PID:2584 -
\??\c:\vdvvp.exec:\vdvvp.exe56⤵
- Executes dropped EXE
PID:3128 -
\??\c:\fxrfxxl.exec:\fxrfxxl.exe57⤵
- Executes dropped EXE
PID:4208 -
\??\c:\bbbbbb.exec:\bbbbbb.exe58⤵
- Executes dropped EXE
PID:3736 -
\??\c:\hhhhhb.exec:\hhhhhb.exe59⤵
- Executes dropped EXE
PID:1128 -
\??\c:\jjvvp.exec:\jjvvp.exe60⤵
- Executes dropped EXE
PID:1104 -
\??\c:\rlxxxff.exec:\rlxxxff.exe61⤵
- Executes dropped EXE
PID:64 -
\??\c:\nntthn.exec:\nntthn.exe62⤵
- Executes dropped EXE
PID:4140 -
\??\c:\btnnnn.exec:\btnnnn.exe63⤵
- Executes dropped EXE
PID:2640 -
\??\c:\pjvvv.exec:\pjvvv.exe64⤵
- Executes dropped EXE
PID:60 -
\??\c:\fllfflf.exec:\fllfflf.exe65⤵
- Executes dropped EXE
PID:4496 -
\??\c:\hnhtbn.exec:\hnhtbn.exe66⤵PID:3588
-
\??\c:\jjvvp.exec:\jjvvp.exe67⤵PID:3916
-
\??\c:\5xlfflf.exec:\5xlfflf.exe68⤵PID:3720
-
\??\c:\btnnnh.exec:\btnnnh.exe69⤵PID:636
-
\??\c:\vvjjj.exec:\vvjjj.exe70⤵PID:3304
-
\??\c:\fxlfxrr.exec:\fxlfxrr.exe71⤵PID:1444
-
\??\c:\1bbbtt.exec:\1bbbtt.exe72⤵PID:3336
-
\??\c:\llrffxx.exec:\llrffxx.exe73⤵PID:3784
-
\??\c:\ntbhtt.exec:\ntbhtt.exe74⤵PID:4172
-
\??\c:\vjdvp.exec:\vjdvp.exe75⤵PID:4412
-
\??\c:\frrlfll.exec:\frrlfll.exe76⤵PID:4568
-
\??\c:\nhbbtn.exec:\nhbbtn.exe77⤵PID:632
-
\??\c:\pdvvp.exec:\pdvvp.exe78⤵PID:5036
-
\??\c:\vpvpj.exec:\vpvpj.exe79⤵PID:3248
-
\??\c:\1lxxfxx.exec:\1lxxfxx.exe80⤵PID:5044
-
\??\c:\ddvpp.exec:\ddvpp.exe81⤵PID:3984
-
\??\c:\llffxxx.exec:\llffxxx.exe82⤵PID:4620
-
\??\c:\lllxrlf.exec:\lllxrlf.exe83⤵PID:1800
-
\??\c:\hbbttn.exec:\hbbttn.exe84⤵PID:3452
-
\??\c:\hbhhtt.exec:\hbhhtt.exe85⤵PID:4756
-
\??\c:\vjpjd.exec:\vjpjd.exe86⤵PID:2344
-
\??\c:\5xfxlfl.exec:\5xfxlfl.exe87⤵PID:4584
-
\??\c:\7htbnb.exec:\7htbnb.exe88⤵PID:2460
-
\??\c:\vpjdd.exec:\vpjdd.exe89⤵PID:1408
-
\??\c:\dddjd.exec:\dddjd.exe90⤵PID:4092
-
\??\c:\xfrrffl.exec:\xfrrffl.exe91⤵PID:1412
-
\??\c:\nbtnnn.exec:\nbtnnn.exe92⤵PID:1384
-
\??\c:\vpjdd.exec:\vpjdd.exe93⤵PID:1848
-
\??\c:\vvvdv.exec:\vvvdv.exe94⤵PID:1184
-
\??\c:\fxxxxrl.exec:\fxxxxrl.exe95⤵PID:1596
-
\??\c:\hbbttn.exec:\hbbttn.exe96⤵PID:3296
-
\??\c:\djvvd.exec:\djvvd.exe97⤵PID:2272
-
\??\c:\7lfxrrr.exec:\7lfxrrr.exe98⤵PID:3540
-
\??\c:\xrxlfxr.exec:\xrxlfxr.exe99⤵PID:4728
-
\??\c:\tnbtbt.exec:\tnbtbt.exe100⤵PID:1796
-
\??\c:\pjvvd.exec:\pjvvd.exe101⤵PID:3596
-
\??\c:\xfflllr.exec:\xfflllr.exe102⤵PID:2584
-
\??\c:\nnhnth.exec:\nnhnth.exe103⤵PID:3128
-
\??\c:\7vjdj.exec:\7vjdj.exe104⤵PID:1636
-
\??\c:\rxfrrrr.exec:\rxfrrrr.exe105⤵PID:4684
-
\??\c:\llxrfrl.exec:\llxrfrl.exe106⤵PID:4140
-
\??\c:\ttthbn.exec:\ttthbn.exe107⤵PID:3480
-
\??\c:\ddddd.exec:\ddddd.exe108⤵PID:60
-
\??\c:\3xrrrxx.exec:\3xrrrxx.exe109⤵PID:4496
-
\??\c:\lxfffxx.exec:\lxfffxx.exe110⤵PID:3508
-
\??\c:\hhttbn.exec:\hhttbn.exe111⤵PID:2628
-
\??\c:\vdpdv.exec:\vdpdv.exe112⤵PID:636
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe113⤵PID:4900
-
\??\c:\hbbttt.exec:\hbbttt.exe114⤵PID:4064
-
\??\c:\thtttt.exec:\thtttt.exe115⤵PID:2284
-
\??\c:\dppjd.exec:\dppjd.exe116⤵PID:1180
-
\??\c:\lfllfll.exec:\lfllfll.exe117⤵PID:2028
-
\??\c:\thtnhh.exec:\thtnhh.exe118⤵PID:3012
-
\??\c:\vvddd.exec:\vvddd.exe119⤵PID:660
-
\??\c:\ppvdp.exec:\ppvdp.exe120⤵PID:368
-
\??\c:\lrfxfrr.exec:\lrfxfrr.exe121⤵PID:1572
-
\??\c:\hhbnhn.exec:\hhbnhn.exe122⤵PID:3664
-