Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20240508-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
06-06-2024 05:22
Behavioral task
behavioral1
Sample
b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe
Resource
win7-20240221-en (note: this task header names behavioral1 on a Win7 image, while the page header names the win10v2004 image and every IoC below is labeled behavioral2 — confirm which task the PIDs and memory offsets belong to before reusing them)
6 signatures
150 seconds
General
-
Target
b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe
-
Size
328KB
-
MD5 (legacy identifier, collision-prone — pivot and blocklist on the SHA256 below)
e3f92e0a47a3073006269a7e42e77f12
-
SHA1
9c75aee026fed5ab8e7048faa97ac4dad3796846
-
SHA256
b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47
-
SHA512
be4685b3e57a05c9b73727696de82ac8aa6ce2bc54c796456d108ec76e9282b9e8b27723433b7c9dc21fa9407a86b97996f1090a596af304fd55925cde65759c
-
SSDEEP
6144:9cm4FmowdHoS4BftapTs8Hoo+6MjTVhRD4:/4wFHoS4d0G8HoljTVhRD4
Malware Config (no extracted configuration is shown for this run)
Signatures
-
Detect Blackmoon payload 64 IoCs (every hit is the same 0x0000000000400000–0x0000000000427000 image region of a dropped process — the region the UPX rules below also match — so the family match appears to be on the unpacked in-memory image of each copy rather than on any decoded configuration)
Processes:
resource yara_rule behavioral2/memory/4500-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3396-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1784-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/100-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3868-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1800-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4212-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/208-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2624-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3840-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-554-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-567-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-584-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-715-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-780-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-788-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-854-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-918-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2344-1075-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1204-0-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\rllfffx.exe UPX C:\fxfxffx.exe UPX behavioral2/memory/4144-13-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4500-10-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1204-8-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\bhhbbt.exe UPX behavioral2/memory/116-21-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\hhnhbb.exe UPX behavioral2/memory/1560-27-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\vvjdp.exe UPX \??\c:\lflfxxr.exe UPX behavioral2/memory/4036-37-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\fxllxxr.exe UPX behavioral2/memory/2512-43-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\hhhbtt.exe UPX behavioral2/memory/1468-49-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\vdppp.exe UPX C:\llllllr.exe UPX behavioral2/memory/4144-20-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\rrrlfxx.exe UPX behavioral2/memory/3892-65-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2272-66-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1124-72-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\hbbbbb.exe UPX C:\1djjj.exe UPX behavioral2/memory/3132-79-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\hnhtnn.exe UPX behavioral2/memory/3396-84-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\vvvvp.exe UPX C:\bnnhbt.exe UPX C:\dvpdd.exe UPX behavioral2/memory/1812-99-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\nhnbtt.exe UPX behavioral2/memory/3700-104-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4360-110-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\jjvvd.exe UPX C:\fxxxrrl.exe UPX behavioral2/memory/4048-118-0x0000000000400000-0x0000000000427000-memory.dmp UPX 
behavioral2/memory/3324-122-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\7dddd.exe UPX behavioral2/memory/1784-130-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\htnnbt.exe UPX behavioral2/memory/100-137-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1940-136-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\rffxxxx.exe UPX C:\9vdpp.exe UPX behavioral2/memory/3868-143-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\rlrlfrl.exe UPX behavioral2/memory/868-149-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\bttnnn.exe UPX C:\pjvpv.exe UPX behavioral2/memory/1904-160-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\bntnhn.exe UPX behavioral2/memory/8-172-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\3lllflf.exe UPX \??\c:\xrxrrrl.exe UPX C:\bbnhbt.exe UPX C:\fxllllr.exe UPX behavioral2/memory/3556-192-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4520-194-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1800-199-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2096-209-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1160-223-0x0000000000400000-0x0000000000427000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
rllfffx.exefxfxffx.exebhhbbt.exehhnhbb.exevvjdp.exelflfxxr.exefxllxxr.exehhhbtt.exevdppp.exellllllr.exerrrlfxx.exehbbbbb.exe1djjj.exehnhtnn.exevvvvp.exebnnhbt.exedvpdd.exenhnbtt.exejjvvd.exefxxxrrl.exe7dddd.exerffxxxx.exehtnnbt.exe9vdpp.exerlrlfrl.exebttnnn.exepjvpv.exebntnhn.exe3lllflf.exexrxrrrl.exebbnhbt.exefxllllr.exehbbthn.exevddvp.exellxrffr.exerlrrxlx.exehbtnhh.exepjjpj.exedvddj.exelrxrrrr.exehthttt.exenhbbtt.exepvjdd.exelfflfll.exexxrrrrr.exennttnn.exejvvpp.exexrlflfl.exehnbbbb.exenntnbt.exeflllfff.exefxffllx.exe5ntttt.exedjddd.exelxrlllr.exexlrrfff.exetnhnhb.exe5pvdj.exejdpjd.exeffxfxrr.exenhhbbb.exejvvpp.exe1xrllll.exebttbtt.exepid process 4500 rllfffx.exe 4144 fxfxffx.exe 116 bhhbbt.exe 1560 hhnhbb.exe 4320 vvjdp.exe 4036 lflfxxr.exe 2512 fxllxxr.exe 1468 hhhbtt.exe 4328 vdppp.exe 3892 llllllr.exe 2272 rrrlfxx.exe 1124 hbbbbb.exe 3132 1djjj.exe 3396 hnhtnn.exe 4704 vvvvp.exe 1812 bnnhbt.exe 3700 dvpdd.exe 4360 nhnbtt.exe 4048 jjvvd.exe 3324 fxxxrrl.exe 1784 7dddd.exe 1940 rffxxxx.exe 100 htnnbt.exe 3868 9vdpp.exe 868 rlrlfrl.exe 4852 bttnnn.exe 1904 pjvpv.exe 4364 bntnhn.exe 8 3lllflf.exe 2036 xrxrrrl.exe 3244 bbnhbt.exe 1520 fxllllr.exe 3556 hbbthn.exe 4520 vddvp.exe 1800 llxrffr.exe 4776 rlrrxlx.exe 4604 hbtnhh.exe 2096 pjjpj.exe 1104 dvddj.exe 2812 lrxrrrr.exe 2824 hthttt.exe 4436 nhbbtt.exe 1160 pvjdd.exe 3520 lfflfll.exe 4204 xxrrrrr.exe 4268 nnttnn.exe 4300 jvvpp.exe 3088 xrlflfl.exe 3432 hnbbbb.exe 4112 nntnbt.exe 3936 flllfff.exe 5044 fxffllx.exe 4408 5ntttt.exe 3068 djddd.exe 2904 lxrlllr.exe 2272 xlrrfff.exe 1664 tnhnhb.exe 2320 5pvdj.exe 872 jdpjd.exe 3396 ffxfxrr.exe 4212 nhhbbb.exe 1812 jvvpp.exe 3684 1xrllll.exe 3500 bttbtt.exe -
Processes (matches on YARA rule `upx`; the signature heading is not rendered on this page):
resource yara_rule behavioral2/memory/1204-0-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rllfffx.exe upx C:\fxfxffx.exe upx behavioral2/memory/4144-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4500-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1204-8-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bhhbbt.exe upx behavioral2/memory/116-21-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hhnhbb.exe upx behavioral2/memory/1560-27-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vvjdp.exe upx \??\c:\lflfxxr.exe upx behavioral2/memory/4036-37-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\fxllxxr.exe upx behavioral2/memory/2512-43-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hhhbtt.exe upx behavioral2/memory/1468-49-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vdppp.exe upx C:\llllllr.exe upx behavioral2/memory/4144-20-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rrrlfxx.exe upx behavioral2/memory/3892-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2272-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1124-72-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hbbbbb.exe upx C:\1djjj.exe upx behavioral2/memory/3132-79-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hnhtnn.exe upx behavioral2/memory/3396-84-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vvvvp.exe upx C:\bnnhbt.exe upx C:\dvpdd.exe upx behavioral2/memory/1812-99-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nhnbtt.exe upx behavioral2/memory/3700-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4360-110-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjvvd.exe upx C:\fxxxrrl.exe upx behavioral2/memory/4048-118-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3324-122-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7dddd.exe upx behavioral2/memory/1784-130-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\htnnbt.exe upx behavioral2/memory/100-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1940-136-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rffxxxx.exe upx C:\9vdpp.exe upx behavioral2/memory/3868-143-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rlrlfrl.exe upx behavioral2/memory/868-149-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bttnnn.exe upx C:\pjvpv.exe upx behavioral2/memory/1904-160-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bntnhn.exe upx behavioral2/memory/8-172-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\3lllflf.exe upx \??\c:\xrxrrrl.exe upx C:\bbnhbt.exe upx C:\fxllllr.exe upx behavioral2/memory/3556-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4520-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1800-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2096-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1160-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs (each parent→child pair shows three writes, and the target is always the process the parent has just launched; this pattern is consistent with ordinary child-process startup as well as with injection, so treat the signature as low-confidence on its own and corroborate it with the UPX/Blackmoon memory hits)
Processes:
b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exerllfffx.exefxfxffx.exebhhbbt.exehhnhbb.exevvjdp.exelflfxxr.exefxllxxr.exehhhbtt.exevdppp.exellllllr.exerrrlfxx.exehbbbbb.exe1djjj.exehnhtnn.exevvvvp.exebnnhbt.exedvpdd.exenhnbtt.exejjvvd.exefxxxrrl.exe7dddd.exedescription pid process target process PID 1204 wrote to memory of 4500 1204 b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe rllfffx.exe PID 1204 wrote to memory of 4500 1204 b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe rllfffx.exe PID 1204 wrote to memory of 4500 1204 b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe rllfffx.exe PID 4500 wrote to memory of 4144 4500 rllfffx.exe fxfxffx.exe PID 4500 wrote to memory of 4144 4500 rllfffx.exe fxfxffx.exe PID 4500 wrote to memory of 4144 4500 rllfffx.exe fxfxffx.exe PID 4144 wrote to memory of 116 4144 fxfxffx.exe bhhbbt.exe PID 4144 wrote to memory of 116 4144 fxfxffx.exe bhhbbt.exe PID 4144 wrote to memory of 116 4144 fxfxffx.exe bhhbbt.exe PID 116 wrote to memory of 1560 116 bhhbbt.exe hhnhbb.exe PID 116 wrote to memory of 1560 116 bhhbbt.exe hhnhbb.exe PID 116 wrote to memory of 1560 116 bhhbbt.exe hhnhbb.exe PID 1560 wrote to memory of 4320 1560 hhnhbb.exe vvjdp.exe PID 1560 wrote to memory of 4320 1560 hhnhbb.exe vvjdp.exe PID 1560 wrote to memory of 4320 1560 hhnhbb.exe vvjdp.exe PID 4320 wrote to memory of 4036 4320 vvjdp.exe lflfxxr.exe PID 4320 wrote to memory of 4036 4320 vvjdp.exe lflfxxr.exe PID 4320 wrote to memory of 4036 4320 vvjdp.exe lflfxxr.exe PID 4036 wrote to memory of 2512 4036 lflfxxr.exe fxllxxr.exe PID 4036 wrote to memory of 2512 4036 lflfxxr.exe fxllxxr.exe PID 4036 wrote to memory of 2512 4036 lflfxxr.exe fxllxxr.exe PID 2512 wrote to memory of 1468 2512 fxllxxr.exe hhhbtt.exe PID 2512 wrote to memory of 1468 2512 fxllxxr.exe hhhbtt.exe PID 2512 wrote to memory of 1468 2512 fxllxxr.exe hhhbtt.exe PID 1468 wrote to memory of 4328 1468 hhhbtt.exe vdppp.exe 
PID 1468 wrote to memory of 4328 1468 hhhbtt.exe vdppp.exe PID 1468 wrote to memory of 4328 1468 hhhbtt.exe vdppp.exe PID 4328 wrote to memory of 3892 4328 vdppp.exe llllllr.exe PID 4328 wrote to memory of 3892 4328 vdppp.exe llllllr.exe PID 4328 wrote to memory of 3892 4328 vdppp.exe llllllr.exe PID 3892 wrote to memory of 2272 3892 llllllr.exe rrrlfxx.exe PID 3892 wrote to memory of 2272 3892 llllllr.exe rrrlfxx.exe PID 3892 wrote to memory of 2272 3892 llllllr.exe rrrlfxx.exe PID 2272 wrote to memory of 1124 2272 rrrlfxx.exe hbbbbb.exe PID 2272 wrote to memory of 1124 2272 rrrlfxx.exe hbbbbb.exe PID 2272 wrote to memory of 1124 2272 rrrlfxx.exe hbbbbb.exe PID 1124 wrote to memory of 3132 1124 hbbbbb.exe 1djjj.exe PID 1124 wrote to memory of 3132 1124 hbbbbb.exe 1djjj.exe PID 1124 wrote to memory of 3132 1124 hbbbbb.exe 1djjj.exe PID 3132 wrote to memory of 3396 3132 1djjj.exe hnhtnn.exe PID 3132 wrote to memory of 3396 3132 1djjj.exe hnhtnn.exe PID 3132 wrote to memory of 3396 3132 1djjj.exe hnhtnn.exe PID 3396 wrote to memory of 4704 3396 hnhtnn.exe vvvvp.exe PID 3396 wrote to memory of 4704 3396 hnhtnn.exe vvvvp.exe PID 3396 wrote to memory of 4704 3396 hnhtnn.exe vvvvp.exe PID 4704 wrote to memory of 1812 4704 vvvvp.exe bnnhbt.exe PID 4704 wrote to memory of 1812 4704 vvvvp.exe bnnhbt.exe PID 4704 wrote to memory of 1812 4704 vvvvp.exe bnnhbt.exe PID 1812 wrote to memory of 3700 1812 bnnhbt.exe dvpdd.exe PID 1812 wrote to memory of 3700 1812 bnnhbt.exe dvpdd.exe PID 1812 wrote to memory of 3700 1812 bnnhbt.exe dvpdd.exe PID 3700 wrote to memory of 4360 3700 dvpdd.exe nhnbtt.exe PID 3700 wrote to memory of 4360 3700 dvpdd.exe nhnbtt.exe PID 3700 wrote to memory of 4360 3700 dvpdd.exe nhnbtt.exe PID 4360 wrote to memory of 4048 4360 nhnbtt.exe jjvvd.exe PID 4360 wrote to memory of 4048 4360 nhnbtt.exe jjvvd.exe PID 4360 wrote to memory of 4048 4360 nhnbtt.exe jjvvd.exe PID 4048 wrote to memory of 3324 4048 jjvvd.exe fxxxrrl.exe PID 4048 wrote to memory of 3324 
4048 jjvvd.exe fxxxrrl.exe PID 4048 wrote to memory of 3324 4048 jjvvd.exe fxxxrrl.exe PID 3324 wrote to memory of 1784 3324 fxxxrrl.exe 7dddd.exe PID 3324 wrote to memory of 1784 3324 fxxxrrl.exe 7dddd.exe PID 3324 wrote to memory of 1784 3324 fxxxrrl.exe 7dddd.exe PID 1784 wrote to memory of 1940 1784 7dddd.exe rffxxxx.exe
Processes — parent→child tree: the submitted sample launches rllfffx.exe, which launches the next dropped file, and so on; every dropped executable is written to the volume root (C:\) under a short consonant-only name, and the visible chain runs to depth 122. Tags stop at depth 22 for WriteProcessMemory and depth 65 for "Executes dropped EXE", which likely reflects the 64-IoC cap on each signature rather than a change in behavior. PIDs are recycled within the run (e.g. 2272 at depths 12 and 57, 3396 at 15 and 61, 1812 at 17 and 63, 116 at 4 and 94), so do not key detections or correlations on PID alone.
-
C:\Users\Admin\AppData\Local\Temp\b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe — command line: "C:\Users\Admin\AppData\Local\Temp\b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe" (depth 1⤵)
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\rllfffx.exec:\rllfffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\fxfxffx.exec:\fxfxffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\bhhbbt.exec:\bhhbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\hhnhbb.exec:\hhnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\vvjdp.exec:\vvjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\lflfxxr.exec:\lflfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\fxllxxr.exec:\fxllxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\hhhbtt.exec:\hhhbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\vdppp.exec:\vdppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\llllllr.exec:\llllllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\rrrlfxx.exec:\rrrlfxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\hbbbbb.exec:\hbbbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\1djjj.exec:\1djjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\hnhtnn.exec:\hnhtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\vvvvp.exec:\vvvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\bnnhbt.exec:\bnnhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\dvpdd.exec:\dvpdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\nhnbtt.exec:\nhnbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\jjvvd.exec:\jjvvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\7dddd.exec:\7dddd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\rffxxxx.exec:\rffxxxx.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\htnnbt.exec:\htnnbt.exe24⤵
- Executes dropped EXE
PID:100 -
\??\c:\9vdpp.exec:\9vdpp.exe25⤵
- Executes dropped EXE
PID:3868 -
\??\c:\rlrlfrl.exec:\rlrlfrl.exe26⤵
- Executes dropped EXE
PID:868 -
\??\c:\bttnnn.exec:\bttnnn.exe27⤵
- Executes dropped EXE
PID:4852 -
\??\c:\pjvpv.exec:\pjvpv.exe28⤵
- Executes dropped EXE
PID:1904 -
\??\c:\bntnhn.exec:\bntnhn.exe29⤵
- Executes dropped EXE
PID:4364 -
\??\c:\3lllflf.exec:\3lllflf.exe30⤵
- Executes dropped EXE
PID:8 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe31⤵
- Executes dropped EXE
PID:2036 -
\??\c:\bbnhbt.exec:\bbnhbt.exe32⤵
- Executes dropped EXE
PID:3244 -
\??\c:\fxllllr.exec:\fxllllr.exe33⤵
- Executes dropped EXE
PID:1520 -
\??\c:\hbbthn.exec:\hbbthn.exe34⤵
- Executes dropped EXE
PID:3556 -
\??\c:\vddvp.exec:\vddvp.exe35⤵
- Executes dropped EXE
PID:4520 -
\??\c:\llxrffr.exec:\llxrffr.exe36⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rlrrxlx.exec:\rlrrxlx.exe37⤵
- Executes dropped EXE
PID:4776 -
\??\c:\hbtnhh.exec:\hbtnhh.exe38⤵
- Executes dropped EXE
PID:4604 -
\??\c:\pjjpj.exec:\pjjpj.exe39⤵
- Executes dropped EXE
PID:2096 -
\??\c:\dvddj.exec:\dvddj.exe40⤵
- Executes dropped EXE
PID:1104 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe41⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hthttt.exec:\hthttt.exe42⤵
- Executes dropped EXE
PID:2824 -
\??\c:\nhbbtt.exec:\nhbbtt.exe43⤵
- Executes dropped EXE
PID:4436 -
\??\c:\pvjdd.exec:\pvjdd.exe44⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lfflfll.exec:\lfflfll.exe45⤵
- Executes dropped EXE
PID:3520 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe46⤵
- Executes dropped EXE
PID:4204 -
\??\c:\nnttnn.exec:\nnttnn.exe47⤵
- Executes dropped EXE
PID:4268 -
\??\c:\jvvpp.exec:\jvvpp.exe48⤵
- Executes dropped EXE
PID:4300 -
\??\c:\xrlflfl.exec:\xrlflfl.exe49⤵
- Executes dropped EXE
PID:3088 -
\??\c:\hnbbbb.exec:\hnbbbb.exe50⤵
- Executes dropped EXE
PID:3432 -
\??\c:\nntnbt.exec:\nntnbt.exe51⤵
- Executes dropped EXE
PID:4112 -
\??\c:\flllfff.exec:\flllfff.exe52⤵
- Executes dropped EXE
PID:3936 -
\??\c:\fxffllx.exec:\fxffllx.exe53⤵
- Executes dropped EXE
PID:5044 -
\??\c:\5ntttt.exec:\5ntttt.exe54⤵
- Executes dropped EXE
PID:4408 -
\??\c:\djddd.exec:\djddd.exe55⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lxrlllr.exec:\lxrlllr.exe56⤵
- Executes dropped EXE
PID:2904 -
\??\c:\xlrrfff.exec:\xlrrfff.exe57⤵
- Executes dropped EXE
PID:2272 -
\??\c:\tnhnhb.exec:\tnhnhb.exe58⤵
- Executes dropped EXE
PID:1664 -
\??\c:\5pvdj.exec:\5pvdj.exe59⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jdpjd.exec:\jdpjd.exe60⤵
- Executes dropped EXE
PID:872 -
\??\c:\ffxfxrr.exec:\ffxfxrr.exe61⤵
- Executes dropped EXE
PID:3396 -
\??\c:\nhhbbb.exec:\nhhbbb.exe62⤵
- Executes dropped EXE
PID:4212 -
\??\c:\jvvpp.exec:\jvvpp.exe63⤵
- Executes dropped EXE
PID:1812 -
\??\c:\1xrllll.exec:\1xrllll.exe64⤵
- Executes dropped EXE
PID:3684 -
\??\c:\bttbtt.exec:\bttbtt.exe65⤵
- Executes dropped EXE
PID:3500 -
\??\c:\nbhnhh.exec:\nbhnhh.exe66⤵PID:3928
-
\??\c:\djdvp.exec:\djdvp.exe67⤵PID:3644
-
\??\c:\7flxffx.exec:\7flxffx.exe68⤵PID:1252
-
\??\c:\bnbbbb.exec:\bnbbbb.exe69⤵PID:2820
-
\??\c:\nbhhtt.exec:\nbhhtt.exe70⤵PID:2400
-
\??\c:\ddddv.exec:\ddddv.exe71⤵PID:1088
-
\??\c:\xrrrxxx.exec:\xrrrxxx.exe72⤵PID:976
-
\??\c:\xrffllr.exec:\xrffllr.exe73⤵PID:4092
-
\??\c:\thnbbt.exec:\thnbbt.exe74⤵PID:3844
-
\??\c:\dvjvp.exec:\dvjvp.exe75⤵PID:4968
-
\??\c:\xfllffx.exec:\xfllffx.exe76⤵PID:1788
-
\??\c:\lrxxrrf.exec:\lrxxrrf.exe77⤵PID:208
-
\??\c:\btbtnn.exec:\btbtnn.exe78⤵PID:3328
-
\??\c:\dvvvv.exec:\dvvvv.exe79⤵PID:2624
-
\??\c:\pvddv.exec:\pvddv.exe80⤵PID:2040
-
\??\c:\lllfrfx.exec:\lllfrfx.exe81⤵PID:4772
-
\??\c:\llrxrrx.exec:\llrxrrx.exe82⤵PID:3960
-
\??\c:\bbthtt.exec:\bbthtt.exe83⤵PID:4728
-
\??\c:\pjvpj.exec:\pjvpj.exe84⤵PID:3856
-
\??\c:\fxrxlfr.exec:\fxrxlfr.exe85⤵PID:2232
-
\??\c:\nnbhhb.exec:\nnbhhb.exe86⤵PID:3156
-
\??\c:\thtnnh.exec:\thtnnh.exe87⤵PID:640
-
\??\c:\dpvpp.exec:\dpvpp.exe88⤵PID:2336
-
\??\c:\xlxxrll.exec:\xlxxrll.exe89⤵PID:1892
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe90⤵PID:4056
-
\??\c:\bbbbbh.exec:\bbbbbh.exe91⤵PID:4468
-
\??\c:\vpjdv.exec:\vpjdv.exe92⤵PID:368
-
\??\c:\hnhbtt.exec:\hnhbtt.exe93⤵PID:3780
-
\??\c:\dpppv.exec:\dpppv.exe94⤵PID:116
-
\??\c:\vvppp.exec:\vvppp.exe95⤵PID:4588
-
\??\c:\rllfflx.exec:\rllfflx.exe96⤵PID:4268
-
\??\c:\nhhbbb.exec:\nhhbbb.exe97⤵PID:2584
-
\??\c:\ttthhn.exec:\ttthhn.exe98⤵PID:1208
-
\??\c:\djpjj.exec:\djpjj.exe99⤵PID:2712
-
\??\c:\ffxxllr.exec:\ffxxllr.exe100⤵PID:4328
-
\??\c:\ffxllll.exec:\ffxllll.exe101⤵PID:3840
-
\??\c:\bbtbtt.exec:\bbtbtt.exe102⤵PID:2904
-
\??\c:\ttntbt.exec:\ttntbt.exe103⤵PID:3044
-
\??\c:\pjpjj.exec:\pjpjj.exe104⤵PID:4040
-
\??\c:\rfrlrxl.exec:\rfrlrxl.exe105⤵PID:872
-
\??\c:\nnhhhh.exec:\nnhhhh.exe106⤵PID:2084
-
\??\c:\vvddd.exec:\vvddd.exe107⤵PID:3896
-
\??\c:\ppddp.exec:\ppddp.exe108⤵PID:1348
-
\??\c:\xrxlrlr.exec:\xrxlrlr.exe109⤵PID:4048
-
\??\c:\lllrrff.exec:\lllrrff.exe110⤵PID:5048
-
\??\c:\bnbtnb.exec:\bnbtnb.exe111⤵PID:2008
-
\??\c:\vpdvp.exec:\vpdvp.exe112⤵PID:696
-
\??\c:\djpjp.exec:\djpjp.exe113⤵PID:2544
-
\??\c:\rxfrllf.exec:\rxfrllf.exe114⤵PID:3988
-
\??\c:\hbbtnn.exec:\hbbtnn.exe115⤵PID:4364
-
\??\c:\vpdpj.exec:\vpdpj.exe116⤵PID:3604
-
\??\c:\rlllflf.exec:\rlllflf.exe117⤵PID:3264
-
\??\c:\llfxxxf.exec:\llfxxxf.exe118⤵PID:4072
-
\??\c:\nthhhh.exec:\nthhhh.exe119⤵PID:2404
-
\??\c:\jvddv.exec:\jvddv.exe120⤵PID:3532
-
\??\c:\9pjjp.exec:\9pjjp.exe121⤵PID:1520
-
\??\c:\xllfxfx.exec:\xllfxfx.exe122⤵PID:4728
-