Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 05:54
Behavioral task
behavioral1
Sample
c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe
Resource
win7-20240508-en
6 signatures (five signature blocks are reproduced below, one of them without its title; the sixth is not present in this capture)
150 seconds
General
-
Target
c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe
-
Size
91KB
-
MD5
eb5dc8c09e2b06d3af59a140424afba5
-
SHA1
eac6e72b9654e69919fa4f1925a91aad0812d8a0
-
SHA256
c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5
-
SHA512
57b57003cb992f4650cf1612c40d6c627e51fe15acdc2745fea9e817e38caa24a7d613e5eeaf0e4dba9c9480cde2b8001ce26a37fba2c1c72155c7488e7f71a8
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w801ouAsG9ZoPEudJGdXRKXR5Z/2m:xhOmTsF93UYfwC6GIout03Fv9KdJoQ3J
Malware Config (nothing extracted — no configuration entries are listed in this capture)
Signatures
-
Detect Blackmoon payload — 51 IoCs (hits of the YARA rule family_blackmoon on in-memory process images; this is a family-signature match, not a recovered configuration or observed C2 — the Malware Config section above is empty, so nothing else in the report corroborates the attribution)
Processes:
resource yara_rule behavioral1/memory/1672-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2224-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2500-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2776-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2860-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-64-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2696-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2552-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2076-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1048-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1924-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2544-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2516-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2652-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3008-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/868-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1352-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1504-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2016-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2384-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2172-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1408-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2188-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2672-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2808-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2052-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/544-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/868-505-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1640-522-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2108-585-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-609-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2988-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2580-636-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1080-682-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/272-706-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/928-798-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2360-854-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2360-862-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2360-861-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2764-876-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2672-928-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2672-927-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1052-1029-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1240-1202-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) — 64 IoCs (the UPX rule matches both the dropped files on disk and the same 0x400000–0x427000 image in every listed process; the file hashes in General therefore identify the packed stub, and a hash of the memory dump at OEP would be needed to match the unpacked payload across samples)
Processes:
resource yara_rule behavioral1/memory/1672-0-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\nhbbnn.exe UPX behavioral1/memory/1672-8-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/2224-9-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\pvjjj.exe UPX behavioral1/memory/2224-16-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/2500-20-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\tbntbb.exe UPX behavioral1/memory/2500-27-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\nbhhnh.exe UPX behavioral1/memory/2364-36-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\ttthth.exe UPX behavioral1/memory/2776-46-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/2860-56-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\lrfxfrf.exe UPX behavioral1/memory/2720-58-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\hbbttb.exe UPX C:\lrxfrll.exe UPX behavioral1/memory/2696-75-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\bbtthn.exe UPX behavioral1/memory/2552-83-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\5vvpv.exe UPX behavioral1/memory/2076-93-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\xxffrxx.exe UPX behavioral1/memory/2076-101-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\vpppv.exe UPX behavioral1/memory/2932-121-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\9ddjj.exe UPX behavioral1/memory/2932-112-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/2800-111-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/1048-129-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\hbhtbb.exe UPX C:\vvpdp.exe UPX C:\llxlxll.exe UPX C:\7ffxxxf.exe UPX behavioral1/memory/1924-146-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\nhhhtb.exe UPX behavioral1/memory/2544-163-0x0000000000400000-0x0000000000427000-memory.dmp UPX 
behavioral1/memory/2516-165-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\vdvdj.exe UPX \??\c:\lxlxlxf.exe UPX behavioral1/memory/2652-183-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\bntbbt.exe UPX C:\jjdpd.exe UPX behavioral1/memory/3008-198-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\1vpvv.exe UPX behavioral1/memory/3008-206-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\hhtnnn.exe UPX behavioral1/memory/868-217-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\9hthnn.exe UPX behavioral1/memory/1352-234-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\5jjvp.exe UPX C:\lfxlrrf.exe UPX C:\hhbhtn.exe UPX C:\jjddv.exe UPX behavioral1/memory/1504-260-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/1504-268-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\rlrrfxf.exe UPX C:\httnhh.exe UPX \??\c:\vjvjv.exe UPX behavioral1/memory/2016-287-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/2016-295-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/2384-308-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral1/memory/2172-315-0x0000000000400000-0x0000000000427000-memory.dmp UPX -
Executes dropped EXE — 64 IoCs (the count appears to be capped at 64: the process tree below shows 122 nested stages, each writing a new executable with a 5–7 character, apparently generated name to the root of C:\ and launching it. Because the names vary per run they are not reusable indicators; pivot instead on the file hashes, on the behaviour "executable written to the drive root and executed immediately by its dropper", and on the unusual process-tree depth.)
Processes:
nhbbnn.exepvjjj.exetbntbb.exenbhhnh.exettthth.exelrfxfrf.exehbbttb.exelrxfrll.exebbtthn.exe5vvpv.exexxffrxx.exe9ddjj.exevpppv.exehbhtbb.exevvpdp.exellxlxll.exe7ffxxxf.exenhhhtb.exevdvdj.exelxlxlxf.exebntbbt.exejjdpd.exe1vpvv.exehhtnnn.exe9hthnn.exe5jjvp.exelfxlrrf.exehhbhtn.exejjddv.exerlrrfxf.exehttnhh.exevjvjv.exelrrfxfx.exenbhttn.exe9nbhtn.exedjvdj.exe1xrxlrl.exe7tnbnt.exe1htthh.exeppjpp.exerrlffrr.exexfrlxrr.exetbbtth.exeddppj.exe7fflrxx.exe9hhnbb.exenbbnht.exepjvdj.exefxflxfr.exelfflrrf.exebhhttb.exe3jjvj.exexxffllx.exerrflxfr.exenbhtnt.exevvvdp.exejddvp.exerllxrll.exexrfxrrf.exehtbbth.exe1ddpd.exedppjj.exefflfrll.exebbbnbt.exepid process 2224 nhbbnn.exe 2500 pvjjj.exe 2364 tbntbb.exe 2776 nbhhnh.exe 2860 ttthth.exe 2720 lrfxfrf.exe 2696 hbbttb.exe 2552 lrxfrll.exe 3068 bbtthn.exe 2076 5vvpv.exe 2800 xxffrxx.exe 2932 9ddjj.exe 1048 vpppv.exe 1876 hbhtbb.exe 1924 vvpdp.exe 1780 llxlxll.exe 2544 7ffxxxf.exe 2516 nhhhtb.exe 1764 vdvdj.exe 2652 lxlxlxf.exe 2960 bntbbt.exe 3008 jjdpd.exe 264 1vpvv.exe 868 hhtnnn.exe 1484 9hthnn.exe 1352 5jjvp.exe 2296 lfxlrrf.exe 748 hhbhtn.exe 1504 jjddv.exe 3032 rlrrfxf.exe 280 httnhh.exe 2016 vjvjv.exe 2108 lrrfxfx.exe 2384 nbhttn.exe 2172 9nbhtn.exe 2740 djvdj.exe 1408 1xrxlrl.exe 2992 7tnbnt.exe 2708 1htthh.exe 2188 ppjpp.exe 2940 rrlffrr.exe 2720 xfrlxrr.exe 2672 tbbtth.exe 2628 ddppj.exe 2852 7fflrxx.exe 1700 9hhnbb.exe 2808 nbbnht.exe 2916 pjvdj.exe 2920 fxflxfr.exe 2356 lfflrrf.exe 1900 bhhttb.exe 1876 3jjvj.exe 1516 xxffllx.exe 1896 rrflxfr.exe 2868 nbhtnt.exe 2380 vvvdp.exe 288 jddvp.exe 304 rllxrll.exe 1284 xrfxrrf.exe 2340 htbbth.exe 3012 1ddpd.exe 2052 dppjj.exe 544 fflfrll.exe 776 bbbnbt.exe -
(signature title missing from this capture — the rule column below is the lowercase `upx` YARA rule, a separate rule from the `UPX` rule in the block above, matching the same files and memory regions)
Processes:
resource yara_rule behavioral1/memory/1672-0-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nhbbnn.exe upx behavioral1/memory/1672-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2224-9-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pvjjj.exe upx behavioral1/memory/2224-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2500-20-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tbntbb.exe upx behavioral1/memory/2500-27-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\nbhhnh.exe upx behavioral1/memory/2364-36-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ttthth.exe upx behavioral1/memory/2776-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-56-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lrfxfrf.exe upx behavioral1/memory/2720-58-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hbbttb.exe upx C:\lrxfrll.exe upx behavioral1/memory/2696-75-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bbtthn.exe upx behavioral1/memory/2552-83-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\5vvpv.exe upx behavioral1/memory/2076-93-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xxffrxx.exe upx behavioral1/memory/2076-101-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vpppv.exe upx behavioral1/memory/2932-121-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\9ddjj.exe upx behavioral1/memory/2932-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2800-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1048-129-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hbhtbb.exe upx C:\vvpdp.exe upx C:\llxlxll.exe upx C:\7ffxxxf.exe upx behavioral1/memory/1924-146-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\nhhhtb.exe upx behavioral1/memory/2544-163-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2516-165-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vdvdj.exe upx \??\c:\lxlxlxf.exe upx behavioral1/memory/2652-183-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bntbbt.exe upx C:\jjdpd.exe upx behavioral1/memory/3008-198-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1vpvv.exe upx behavioral1/memory/3008-206-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hhtnnn.exe upx behavioral1/memory/868-217-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\9hthnn.exe upx behavioral1/memory/1352-234-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\5jjvp.exe upx C:\lfxlrrf.exe upx C:\hhbhtn.exe upx C:\jjddv.exe upx behavioral1/memory/1504-260-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1504-268-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rlrrfxf.exe upx C:\httnhh.exe upx \??\c:\vjvjv.exe upx behavioral1/memory/2016-287-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2016-295-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2384-308-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2172-315-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory — 64 IoCs (in the captured events every write is from a parent into the child it has just created — the same parent→child pairs as the drop chain, four writes per pair — rather than injection into an unrelated process; the event list is truncated after the level-16→17 pair, vvpdp.exe → llxlxll.exe)
Processes:
c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exenhbbnn.exepvjjj.exetbntbb.exenbhhnh.exettthth.exelrfxfrf.exehbbttb.exelrxfrll.exebbtthn.exe5vvpv.exexxffrxx.exe9ddjj.exevpppv.exehbhtbb.exevvpdp.exedescription pid process target process PID 1672 wrote to memory of 2224 1672 c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe nhbbnn.exe PID 1672 wrote to memory of 2224 1672 c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe nhbbnn.exe PID 1672 wrote to memory of 2224 1672 c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe nhbbnn.exe PID 1672 wrote to memory of 2224 1672 c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe nhbbnn.exe PID 2224 wrote to memory of 2500 2224 nhbbnn.exe pvjjj.exe PID 2224 wrote to memory of 2500 2224 nhbbnn.exe pvjjj.exe PID 2224 wrote to memory of 2500 2224 nhbbnn.exe pvjjj.exe PID 2224 wrote to memory of 2500 2224 nhbbnn.exe pvjjj.exe PID 2500 wrote to memory of 2364 2500 pvjjj.exe tbntbb.exe PID 2500 wrote to memory of 2364 2500 pvjjj.exe tbntbb.exe PID 2500 wrote to memory of 2364 2500 pvjjj.exe tbntbb.exe PID 2500 wrote to memory of 2364 2500 pvjjj.exe tbntbb.exe PID 2364 wrote to memory of 2776 2364 tbntbb.exe nbhhnh.exe PID 2364 wrote to memory of 2776 2364 tbntbb.exe nbhhnh.exe PID 2364 wrote to memory of 2776 2364 tbntbb.exe nbhhnh.exe PID 2364 wrote to memory of 2776 2364 tbntbb.exe nbhhnh.exe PID 2776 wrote to memory of 2860 2776 nbhhnh.exe ttthth.exe PID 2776 wrote to memory of 2860 2776 nbhhnh.exe ttthth.exe PID 2776 wrote to memory of 2860 2776 nbhhnh.exe ttthth.exe PID 2776 wrote to memory of 2860 2776 nbhhnh.exe ttthth.exe PID 2860 wrote to memory of 2720 2860 ttthth.exe lrfxfrf.exe PID 2860 wrote to memory of 2720 2860 ttthth.exe lrfxfrf.exe PID 2860 wrote to memory of 2720 2860 ttthth.exe lrfxfrf.exe PID 2860 wrote to memory of 2720 2860 ttthth.exe lrfxfrf.exe PID 2720 wrote to memory of 2696 2720 lrfxfrf.exe hbbttb.exe PID 2720 wrote 
to memory of 2696 2720 lrfxfrf.exe hbbttb.exe PID 2720 wrote to memory of 2696 2720 lrfxfrf.exe hbbttb.exe PID 2720 wrote to memory of 2696 2720 lrfxfrf.exe hbbttb.exe PID 2696 wrote to memory of 2552 2696 hbbttb.exe lrxfrll.exe PID 2696 wrote to memory of 2552 2696 hbbttb.exe lrxfrll.exe PID 2696 wrote to memory of 2552 2696 hbbttb.exe lrxfrll.exe PID 2696 wrote to memory of 2552 2696 hbbttb.exe lrxfrll.exe PID 2552 wrote to memory of 3068 2552 lrxfrll.exe bbtthn.exe PID 2552 wrote to memory of 3068 2552 lrxfrll.exe bbtthn.exe PID 2552 wrote to memory of 3068 2552 lrxfrll.exe bbtthn.exe PID 2552 wrote to memory of 3068 2552 lrxfrll.exe bbtthn.exe PID 3068 wrote to memory of 2076 3068 bbtthn.exe 5vvpv.exe PID 3068 wrote to memory of 2076 3068 bbtthn.exe 5vvpv.exe PID 3068 wrote to memory of 2076 3068 bbtthn.exe 5vvpv.exe PID 3068 wrote to memory of 2076 3068 bbtthn.exe 5vvpv.exe PID 2076 wrote to memory of 2800 2076 5vvpv.exe xxffrxx.exe PID 2076 wrote to memory of 2800 2076 5vvpv.exe xxffrxx.exe PID 2076 wrote to memory of 2800 2076 5vvpv.exe xxffrxx.exe PID 2076 wrote to memory of 2800 2076 5vvpv.exe xxffrxx.exe PID 2800 wrote to memory of 2932 2800 xxffrxx.exe 9ddjj.exe PID 2800 wrote to memory of 2932 2800 xxffrxx.exe 9ddjj.exe PID 2800 wrote to memory of 2932 2800 xxffrxx.exe 9ddjj.exe PID 2800 wrote to memory of 2932 2800 xxffrxx.exe 9ddjj.exe PID 2932 wrote to memory of 1048 2932 9ddjj.exe vpppv.exe PID 2932 wrote to memory of 1048 2932 9ddjj.exe vpppv.exe PID 2932 wrote to memory of 1048 2932 9ddjj.exe vpppv.exe PID 2932 wrote to memory of 1048 2932 9ddjj.exe vpppv.exe PID 1048 wrote to memory of 1876 1048 vpppv.exe hbhtbb.exe PID 1048 wrote to memory of 1876 1048 vpppv.exe hbhtbb.exe PID 1048 wrote to memory of 1876 1048 vpppv.exe hbhtbb.exe PID 1048 wrote to memory of 1876 1048 vpppv.exe hbhtbb.exe PID 1876 wrote to memory of 1924 1876 hbhtbb.exe vvpdp.exe PID 1876 wrote to memory of 1924 1876 hbhtbb.exe vvpdp.exe PID 1876 wrote to memory of 1924 1876 
hbhtbb.exe vvpdp.exe PID 1876 wrote to memory of 1924 1876 hbhtbb.exe vvpdp.exe PID 1924 wrote to memory of 1780 1924 vvpdp.exe llxlxll.exe PID 1924 wrote to memory of 1780 1924 vvpdp.exe llxlxll.exe PID 1924 wrote to memory of 1780 1924 vvpdp.exe llxlxll.exe PID 1924 wrote to memory of 1780 1924 vvpdp.exe llxlxll.exe
Processes (note that PIDs are reused within the run — e.g. 2720 at levels 7 and 43, 1876 at levels 15 and 53, 868 at levels 25 and 66 — so earlier stages have already exited by the time later ones start, and a PID alone does not identify a stage in this report; the ⤵ depth number is the reliable key)
-
C:\Users\Admin\AppData\Local\Temp\c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe"C:\Users\Admin\AppData\Local\Temp\c5f7b6d81ec8c9ccc71927c24f0f42fbe0e0246f85908eb52e18888d7b6094a5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\nhbbnn.exec:\nhbbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\pvjjj.exec:\pvjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\tbntbb.exec:\tbntbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\nbhhnh.exec:\nbhhnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\ttthth.exec:\ttthth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\lrfxfrf.exec:\lrfxfrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\hbbttb.exec:\hbbttb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\lrxfrll.exec:\lrxfrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\bbtthn.exec:\bbtthn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\5vvpv.exec:\5vvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\xxffrxx.exec:\xxffrxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\9ddjj.exec:\9ddjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\vpppv.exec:\vpppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\hbhtbb.exec:\hbhtbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\vvpdp.exec:\vvpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\llxlxll.exec:\llxlxll.exe17⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7ffxxxf.exec:\7ffxxxf.exe18⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nhhhtb.exec:\nhhhtb.exe19⤵
- Executes dropped EXE
PID:2516 -
\??\c:\vdvdj.exec:\vdvdj.exe20⤵
- Executes dropped EXE
PID:1764 -
\??\c:\lxlxlxf.exec:\lxlxlxf.exe21⤵
- Executes dropped EXE
PID:2652 -
\??\c:\bntbbt.exec:\bntbbt.exe22⤵
- Executes dropped EXE
PID:2960 -
\??\c:\jjdpd.exec:\jjdpd.exe23⤵
- Executes dropped EXE
PID:3008 -
\??\c:\1vpvv.exec:\1vpvv.exe24⤵
- Executes dropped EXE
PID:264 -
\??\c:\hhtnnn.exec:\hhtnnn.exe25⤵
- Executes dropped EXE
PID:868 -
\??\c:\9hthnn.exec:\9hthnn.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\5jjvp.exec:\5jjvp.exe27⤵
- Executes dropped EXE
PID:1352 -
\??\c:\lfxlrrf.exec:\lfxlrrf.exe28⤵
- Executes dropped EXE
PID:2296 -
\??\c:\hhbhtn.exec:\hhbhtn.exe29⤵
- Executes dropped EXE
PID:748 -
\??\c:\jjddv.exec:\jjddv.exe30⤵
- Executes dropped EXE
PID:1504 -
\??\c:\rlrrfxf.exec:\rlrrfxf.exe31⤵
- Executes dropped EXE
PID:3032 -
\??\c:\httnhh.exec:\httnhh.exe32⤵
- Executes dropped EXE
PID:280 -
\??\c:\vjvjv.exec:\vjvjv.exe33⤵
- Executes dropped EXE
PID:2016 -
\??\c:\lrrfxfx.exec:\lrrfxfx.exe34⤵
- Executes dropped EXE
PID:2108 -
\??\c:\nbhttn.exec:\nbhttn.exe35⤵
- Executes dropped EXE
PID:2384 -
\??\c:\9nbhtn.exec:\9nbhtn.exe36⤵
- Executes dropped EXE
PID:2172 -
\??\c:\djvdj.exec:\djvdj.exe37⤵
- Executes dropped EXE
PID:2740 -
\??\c:\1xrxlrl.exec:\1xrxlrl.exe38⤵
- Executes dropped EXE
PID:1408 -
\??\c:\7tnbnt.exec:\7tnbnt.exe39⤵
- Executes dropped EXE
PID:2992 -
\??\c:\1htthh.exec:\1htthh.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\ppjpp.exec:\ppjpp.exe41⤵
- Executes dropped EXE
PID:2188 -
\??\c:\rrlffrr.exec:\rrlffrr.exe42⤵
- Executes dropped EXE
PID:2940 -
\??\c:\xfrlxrr.exec:\xfrlxrr.exe43⤵
- Executes dropped EXE
PID:2720 -
\??\c:\tbbtth.exec:\tbbtth.exe44⤵
- Executes dropped EXE
PID:2672 -
\??\c:\ddppj.exec:\ddppj.exe45⤵
- Executes dropped EXE
PID:2628 -
\??\c:\7fflrxx.exec:\7fflrxx.exe46⤵
- Executes dropped EXE
PID:2852 -
\??\c:\9hhnbb.exec:\9hhnbb.exe47⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nbbnht.exec:\nbbnht.exe48⤵
- Executes dropped EXE
PID:2808 -
\??\c:\pjvdj.exec:\pjvdj.exe49⤵
- Executes dropped EXE
PID:2916 -
\??\c:\fxflxfr.exec:\fxflxfr.exe50⤵
- Executes dropped EXE
PID:2920 -
\??\c:\lfflrrf.exec:\lfflrrf.exe51⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bhhttb.exec:\bhhttb.exe52⤵
- Executes dropped EXE
PID:1900 -
\??\c:\3jjvj.exec:\3jjvj.exe53⤵
- Executes dropped EXE
PID:1876 -
\??\c:\xxffllx.exec:\xxffllx.exe54⤵
- Executes dropped EXE
PID:1516 -
\??\c:\rrflxfr.exec:\rrflxfr.exe55⤵
- Executes dropped EXE
PID:1896 -
\??\c:\nbhtnt.exec:\nbhtnt.exe56⤵
- Executes dropped EXE
PID:2868 -
\??\c:\vvvdp.exec:\vvvdp.exe57⤵
- Executes dropped EXE
PID:2380 -
\??\c:\jddvp.exec:\jddvp.exe58⤵
- Executes dropped EXE
PID:288 -
\??\c:\rllxrll.exec:\rllxrll.exe59⤵
- Executes dropped EXE
PID:304 -
\??\c:\xrfxrrf.exec:\xrfxrrf.exe60⤵
- Executes dropped EXE
PID:1284 -
\??\c:\htbbth.exec:\htbbth.exe61⤵
- Executes dropped EXE
PID:2340 -
\??\c:\1ddpd.exec:\1ddpd.exe62⤵
- Executes dropped EXE
PID:3012 -
\??\c:\dppjj.exec:\dppjj.exe63⤵
- Executes dropped EXE
PID:2052 -
\??\c:\fflfrll.exec:\fflfrll.exe64⤵
- Executes dropped EXE
PID:544 -
\??\c:\bbbnbt.exec:\bbbnbt.exe65⤵
- Executes dropped EXE
PID:776 -
\??\c:\pjdvp.exec:\pjdvp.exe66⤵PID:868
-
\??\c:\vddpp.exec:\vddpp.exe67⤵PID:1604
-
\??\c:\fxlxllf.exec:\fxlxllf.exe68⤵PID:1820
-
\??\c:\htbbnt.exec:\htbbnt.exe69⤵PID:1640
-
\??\c:\jjdpp.exec:\jjdpp.exe70⤵PID:1960
-
\??\c:\flrflll.exec:\flrflll.exe71⤵PID:748
-
\??\c:\fxxfxxx.exec:\fxxfxxx.exe72⤵PID:1692
-
\??\c:\nbntbb.exec:\nbntbb.exe73⤵PID:2104
-
\??\c:\jpdpj.exec:\jpdpj.exe74⤵PID:1092
-
\??\c:\llfrlxl.exec:\llfrlxl.exe75⤵PID:2232
-
\??\c:\hbhnhn.exec:\hbhnhn.exe76⤵PID:2204
-
\??\c:\nttbnt.exec:\nttbnt.exe77⤵PID:1332
-
\??\c:\jjdjp.exec:\jjdjp.exe78⤵PID:2108
-
\??\c:\flfrrfl.exec:\flfrrfl.exe79⤵PID:1344
-
\??\c:\lfffxxf.exec:\lfffxxf.exe80⤵PID:2500
-
\??\c:\hbntnb.exec:\hbntnb.exe81⤵PID:2648
-
\??\c:\3pvpd.exec:\3pvpd.exe82⤵PID:2668
-
\??\c:\flfxxrf.exec:\flfxxrf.exe83⤵PID:2988
-
\??\c:\lrfxllf.exec:\lrfxllf.exe84⤵PID:2900
-
\??\c:\bnhnnt.exec:\bnhnnt.exe85⤵PID:2984
-
\??\c:\jdpdd.exec:\jdpdd.exe86⤵PID:2580
-
\??\c:\ppjpd.exec:\ppjpd.exe87⤵PID:2264
-
\??\c:\lrfrlfr.exec:\lrfrlfr.exe88⤵PID:2588
-
\??\c:\frfffll.exec:\frfffll.exe89⤵PID:2604
-
\??\c:\thhtnh.exec:\thhtnh.exe90⤵PID:2020
-
\??\c:\tnbbtt.exec:\tnbbtt.exe91⤵PID:1536
-
\??\c:\pjddp.exec:\pjddp.exe92⤵PID:2812
-
\??\c:\lxlxlxf.exec:\lxlxlxf.exe93⤵PID:2816
-
\??\c:\bntbnn.exec:\bntbnn.exe94⤵PID:1080
-
\??\c:\vvjpd.exec:\vvjpd.exe95⤵PID:1916
-
\??\c:\djpdv.exec:\djpdv.exe96⤵PID:1048
-
\??\c:\xfxfrxx.exec:\xfxfrxx.exe97⤵PID:272
-
\??\c:\bhnnnt.exec:\bhnnnt.exe98⤵PID:1920
-
\??\c:\dpvdj.exec:\dpvdj.exe99⤵PID:2828
-
\??\c:\3dvpv.exec:\3dvpv.exe100⤵PID:2836
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe101⤵PID:800
-
\??\c:\7bbntn.exec:\7bbntn.exe102⤵PID:2516
-
\??\c:\hhhbbt.exec:\hhhbbt.exe103⤵PID:304
-
\??\c:\dvddv.exec:\dvddv.exe104⤵PID:1940
-
\??\c:\1llflfx.exec:\1llflfx.exe105⤵PID:1664
-
\??\c:\hhntht.exec:\hhntht.exe106⤵PID:2132
-
\??\c:\thtbbh.exec:\thtbbh.exe107⤵PID:2128
-
\??\c:\vdpjp.exec:\vdpjp.exe108⤵PID:1264
-
\??\c:\1rxlrrr.exec:\1rxlrrr.exe109⤵PID:720
-
\??\c:\lrxfllr.exec:\lrxfllr.exe110⤵PID:2436
-
\??\c:\hbnnnt.exec:\hbnnnt.exe111⤵PID:928
-
\??\c:\3jvvp.exec:\3jvvp.exe112⤵PID:2276
-
\??\c:\rxfrxxl.exec:\rxfrxxl.exe113⤵PID:900
-
\??\c:\bthtbn.exec:\bthtbn.exe114⤵PID:1512
-
\??\c:\7jvpj.exec:\7jvpj.exe115⤵PID:1736
-
\??\c:\lrxxrrf.exec:\lrxxrrf.exe116⤵PID:2088
-
\??\c:\rxfrxfx.exec:\rxfrxfx.exe117⤵PID:3032
-
\??\c:\7hnnnb.exec:\7hnnnb.exe118⤵PID:988
-
\??\c:\9rxflrf.exec:\9rxflrf.exe119⤵PID:3040
-
\??\c:\1xrffxx.exec:\1xrffxx.exe120⤵PID:876
-
\??\c:\7htnbb.exec:\7htnbb.exe121⤵PID:2360
-
\??\c:\hbhnbh.exec:\hbhnbh.exe122⤵PID:1236