Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
10/06/2024, 14:53
Behavioral task
behavioral1
Sample
943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47.exe
Resource
win7-20240221-en
6 signatures
150 seconds
Note: this task header names behavioral1 on the win7-20240221-en image, whereas the Analysis block above lists win10v2004-20240426-en and every IoC below is labelled behavioral2. The signature and process data on this page therefore appear to describe the Windows 10 (behavioral2) run, not the Windows 7 task summarised in this header; do not attribute the IoCs below to Windows 7 without checking the behavioral1 report separately.
General
-
Target
943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47.exe
-
Size
141KB
-
MD5
55e4e99ce68987aeae4f6c3fbd86e07e
-
SHA1
9be5a91d787f24fd218ae4e8abd1fd026ebdc7fd
-
SHA256
943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47
-
SHA512
b69c90a6c72390a9dd17a66597aaae11baed0622280cdc9e259a4d89c07546d71e62e0b46048daa511219f9de7431fd5162df272d6d604b9323d4253438eab30
-
SSDEEP
3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yL5:ccm4FmowdHoSi9Ek
Malware Config (no extracted configuration — e.g. C2 addresses or keys — is shown for this sample on this page)
Signatures
-
Detect Blackmoon payload — 64 IoCs (YARA rule family_blackmoon; the listing shows 64 entries, which looks like a display cap since the process tree below runs to depth 122). Every hit is an in-memory dump of the same 0x400000–0x436000 image range in a process from the dropped-EXE chain, and the same ranges also match the UPX rule below — consistent with a UPX-packed binary whose unpacked image matches the Blackmoon signature in memory. Treat the family label as a YARA match on a memory dump, not as a confirmed attribution, until it is verified against a manual unpack.
resource yara_rule behavioral2/memory/4916-0-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3952-11-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1356-14-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4592-18-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3536-26-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3776-37-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1032-44-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/540-53-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/448-60-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4760-68-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3444-69-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4156-74-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1964-81-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4452-89-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1728-104-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/216-111-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2724-117-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2156-120-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4800-128-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2092-134-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4436-142-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/1824-149-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5092-174-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2384-181-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4248-192-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4520-200-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3592-202-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/368-208-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3832-214-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3956-218-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3264-221-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3724-239-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/840-242-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4476-252-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3064-258-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4152-263-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3360-278-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4676-282-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1056-295-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1452-302-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1392-304-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1716-322-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/3896-326-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3764-333-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2588-340-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1044-353-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4664-354-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4664-358-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3508-377-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1692-384-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4984-397-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4604-447-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2568-457-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2948-469-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3872-485-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3404-519-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2848-527-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1136-551-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2696-579-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2068-592-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/380-602-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3308-658-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1816-841-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/3088-1004-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) — 64 IoCs. Hits cover both the dropped files on disk (behavioral2/files/…-.dat) and the in-memory images at 0x400000–0x436000, i.e. the dropped executables are UPX-packed on disk and are dumped once they reach their original entry point after unpacking. Every image range is the same size (0x36000 bytes), which suggests each dropped EXE is a copy of the same binary under a new name — confirm by comparing the hashes of the dropped .dat files before assuming a single payload.
resource yara_rule behavioral2/memory/4916-0-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0008000000023431-3.dat UPX behavioral2/memory/3952-5-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/3952-11-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0008000000023434-12.dat UPX behavioral2/memory/1356-14-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023438-16.dat UPX behavioral2/memory/4592-18-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023439-23.dat UPX behavioral2/memory/3536-26-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002343b-29.dat UPX behavioral2/memory/3776-31-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002343c-34.dat UPX behavioral2/memory/3776-37-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002343d-40.dat UPX behavioral2/memory/1032-44-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002343e-46.dat UPX behavioral2/files/0x000700000002343f-51.dat UPX behavioral2/memory/540-53-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023440-59.dat UPX behavioral2/memory/448-60-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/4760-61-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023441-64.dat UPX behavioral2/memory/4760-68-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/3444-69-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023442-71.dat UPX behavioral2/memory/4156-74-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023443-77.dat UPX behavioral2/memory/1964-81-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023444-85.dat UPX 
behavioral2/files/0x0007000000023445-88.dat UPX behavioral2/memory/4452-89-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023446-93.dat UPX behavioral2/files/0x0007000000023447-98.dat UPX behavioral2/files/0x0007000000023448-105.dat UPX behavioral2/memory/1728-104-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023449-109.dat UPX behavioral2/memory/216-111-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002344a-115.dat UPX behavioral2/memory/2724-117-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/2156-120-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002344b-122.dat UPX behavioral2/memory/4800-128-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002344c-129.dat UPX behavioral2/files/0x000700000002344d-135.dat UPX behavioral2/memory/2092-134-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0008000000023435-139.dat UPX behavioral2/memory/4436-142-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002344e-145.dat UPX behavioral2/memory/1824-149-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x000700000002344f-151.dat UPX behavioral2/files/0x0007000000023450-156.dat UPX behavioral2/files/0x0007000000023451-161.dat UPX behavioral2/files/0x0007000000023452-168.dat UPX behavioral2/files/0x0007000000023453-171.dat UPX behavioral2/memory/5092-174-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023454-177.dat UPX behavioral2/memory/2384-181-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/files/0x0007000000023455-184.dat UPX behavioral2/memory/4248-192-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/4520-196-0x0000000000400000-0x0000000000436000-memory.dmp UPX 
behavioral2/memory/4520-200-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/3592-202-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/368-208-0x0000000000400000-0x0000000000436000-memory.dmp UPX -
Executes dropped EXE — 64 IoCs (listing capped at 64; the process tree below continues to depth 122). Each dropped executable is written to the root of C:\ (see the \??\c:\<name>.exe paths in the process tree) under a pseudo-random name built from the letters b d f h j l n p r t v x and the digits 1 3 5 7 9, and each one launches the next, so the chain is strictly parent→child. PIDs are reused within the run (e.g. 4592 is both xrxrrll.exe and bnnnhh.exe, 3952 both nnthbt.exe and 7thtnn.exe), so correlate on PID plus image name, never on PID alone.
pid Process 3952 nnthbt.exe 1356 fxrfrlx.exe 4592 xrxrrll.exe 3536 hhhbbn.exe 3776 vdvjd.exe 5040 rrfrrrr.exe 1032 htbhnn.exe 540 ppppp.exe 448 3lfxxxf.exe 4760 7vdpd.exe 3444 rlffrrr.exe 4156 xlffxrr.exe 1964 tnhhnn.exe 4452 pjpjp.exe 1640 lflfrlf.exe 1900 ntbtnn.exe 1728 dpvpd.exe 216 frrlrll.exe 2724 htnhhh.exe 2156 llxrfxf.exe 4800 rfflxxr.exe 2092 tbttbh.exe 4436 jjpvv.exe 4552 llrrlrr.exe 1824 vvdvj.exe 3672 dvjvv.exe 4788 fxfxrrl.exe 1072 3nnbbt.exe 5092 5vvjv.exe 1532 rrrxlll.exe 2384 fxxxrrl.exe 2320 tbhnhb.exe 4248 vjpjv.exe 4468 9rxlllr.exe 4520 hbtnbb.exe 3592 3bhnbt.exe 368 vpppj.exe 3664 vjdvj.exe 3832 rflflrx.exe 3956 hbtbnh.exe 3264 pdvpj.exe 4744 7xxlfff.exe 1944 nnnnhh.exe 2468 bttnhh.exe 2680 jdvpv.exe 3724 lxxlxrf.exe 4976 7lxrrrx.exe 4324 nhnttt.exe 64 vvdjp.exe 4476 7rxlxrf.exe 3064 bntnnt.exe 4592 bnnnhh.exe 4152 5vjjj.exe 4172 pdvpp.exe 2356 lllfxxr.exe 2308 hhnhtn.exe 3360 bhhbtn.exe 4676 jppdv.exe 4544 3djdp.exe 3364 xlxrxff.exe 3696 7bbthb.exe 1056 nttnnt.exe 4012 vvpdj.exe 1452 xxfxxxl.exe -
resource yara_rule behavioral2/memory/4916-0-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0008000000023431-3.dat upx behavioral2/memory/3952-5-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3952-11-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0008000000023434-12.dat upx behavioral2/memory/1356-14-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023438-16.dat upx behavioral2/memory/4592-18-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023439-23.dat upx behavioral2/memory/3536-26-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002343b-29.dat upx behavioral2/memory/3776-31-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002343c-34.dat upx behavioral2/memory/3776-37-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002343d-40.dat upx behavioral2/memory/1032-44-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002343e-46.dat upx behavioral2/files/0x000700000002343f-51.dat upx behavioral2/memory/540-53-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023440-59.dat upx behavioral2/memory/448-60-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4760-61-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023441-64.dat upx behavioral2/memory/4760-68-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3444-69-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023442-71.dat upx behavioral2/memory/4156-74-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023443-77.dat upx behavioral2/memory/1964-81-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023444-85.dat upx 
behavioral2/files/0x0007000000023445-88.dat upx behavioral2/memory/4452-89-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023446-93.dat upx behavioral2/files/0x0007000000023447-98.dat upx behavioral2/files/0x0007000000023448-105.dat upx behavioral2/memory/1728-104-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023449-109.dat upx behavioral2/memory/216-111-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002344a-115.dat upx behavioral2/memory/2724-117-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2156-120-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002344b-122.dat upx behavioral2/memory/4800-128-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002344c-129.dat upx behavioral2/files/0x000700000002344d-135.dat upx behavioral2/memory/2092-134-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0008000000023435-139.dat upx behavioral2/memory/4436-142-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002344e-145.dat upx behavioral2/memory/1824-149-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002344f-151.dat upx behavioral2/files/0x0007000000023450-156.dat upx behavioral2/files/0x0007000000023451-161.dat upx behavioral2/files/0x0007000000023452-168.dat upx behavioral2/files/0x0007000000023453-171.dat upx behavioral2/memory/5092-174-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023454-177.dat upx behavioral2/memory/2384-181-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023455-184.dat upx behavioral2/memory/4248-192-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4520-196-0x0000000000400000-0x0000000000436000-memory.dmp upx 
behavioral2/memory/4520-200-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3592-202-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/368-208-0x0000000000400000-0x0000000000436000-memory.dmp upx -
Suspicious use of WriteProcessMemory — 64 IoCs. Every parent→child pair appears three times (e.g. 4916 → 3952 nnthbt.exe, procid_target 81), and the pairs line up one-to-one with the process tree below: each process writes only into the single child it has just spawned. No writes into unrelated or pre-existing processes appear in this listing, so this reads as process-spawning rather than cross-process injection — but the listing is capped at 64 entries and ends at 4800 → 2092 (rfflxxr.exe → tbttbh.exe), so later writes in the chain are not shown here.
description pid Process procid_target PID 4916 wrote to memory of 3952 4916 943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47.exe 81 PID 4916 wrote to memory of 3952 4916 943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47.exe 81 PID 4916 wrote to memory of 3952 4916 943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47.exe 81 PID 3952 wrote to memory of 1356 3952 nnthbt.exe 82 PID 3952 wrote to memory of 1356 3952 nnthbt.exe 82 PID 3952 wrote to memory of 1356 3952 nnthbt.exe 82 PID 1356 wrote to memory of 4592 1356 fxrfrlx.exe 83 PID 1356 wrote to memory of 4592 1356 fxrfrlx.exe 83 PID 1356 wrote to memory of 4592 1356 fxrfrlx.exe 83 PID 4592 wrote to memory of 3536 4592 xrxrrll.exe 84 PID 4592 wrote to memory of 3536 4592 xrxrrll.exe 84 PID 4592 wrote to memory of 3536 4592 xrxrrll.exe 84 PID 3536 wrote to memory of 3776 3536 hhhbbn.exe 85 PID 3536 wrote to memory of 3776 3536 hhhbbn.exe 85 PID 3536 wrote to memory of 3776 3536 hhhbbn.exe 85 PID 3776 wrote to memory of 5040 3776 vdvjd.exe 86 PID 3776 wrote to memory of 5040 3776 vdvjd.exe 86 PID 3776 wrote to memory of 5040 3776 vdvjd.exe 86 PID 5040 wrote to memory of 1032 5040 rrfrrrr.exe 87 PID 5040 wrote to memory of 1032 5040 rrfrrrr.exe 87 PID 5040 wrote to memory of 1032 5040 rrfrrrr.exe 87 PID 1032 wrote to memory of 540 1032 htbhnn.exe 88 PID 1032 wrote to memory of 540 1032 htbhnn.exe 88 PID 1032 wrote to memory of 540 1032 htbhnn.exe 88 PID 540 wrote to memory of 448 540 ppppp.exe 89 PID 540 wrote to memory of 448 540 ppppp.exe 89 PID 540 wrote to memory of 448 540 ppppp.exe 89 PID 448 wrote to memory of 4760 448 3lfxxxf.exe 90 PID 448 wrote to memory of 4760 448 3lfxxxf.exe 90 PID 448 wrote to memory of 4760 448 3lfxxxf.exe 90 PID 4760 wrote to memory of 3444 4760 7vdpd.exe 91 PID 4760 wrote to memory of 3444 4760 7vdpd.exe 91 PID 4760 wrote to memory of 3444 4760 7vdpd.exe 91 PID 3444 wrote to memory of 4156 3444 rlffrrr.exe 92 PID 3444 wrote to memory of 4156 
3444 rlffrrr.exe 92 PID 3444 wrote to memory of 4156 3444 rlffrrr.exe 92 PID 4156 wrote to memory of 1964 4156 xlffxrr.exe 93 PID 4156 wrote to memory of 1964 4156 xlffxrr.exe 93 PID 4156 wrote to memory of 1964 4156 xlffxrr.exe 93 PID 1964 wrote to memory of 4452 1964 tnhhnn.exe 94 PID 1964 wrote to memory of 4452 1964 tnhhnn.exe 94 PID 1964 wrote to memory of 4452 1964 tnhhnn.exe 94 PID 4452 wrote to memory of 1640 4452 pjpjp.exe 95 PID 4452 wrote to memory of 1640 4452 pjpjp.exe 95 PID 4452 wrote to memory of 1640 4452 pjpjp.exe 95 PID 1640 wrote to memory of 1900 1640 lflfrlf.exe 96 PID 1640 wrote to memory of 1900 1640 lflfrlf.exe 96 PID 1640 wrote to memory of 1900 1640 lflfrlf.exe 96 PID 1900 wrote to memory of 1728 1900 ntbtnn.exe 97 PID 1900 wrote to memory of 1728 1900 ntbtnn.exe 97 PID 1900 wrote to memory of 1728 1900 ntbtnn.exe 97 PID 1728 wrote to memory of 216 1728 dpvpd.exe 98 PID 1728 wrote to memory of 216 1728 dpvpd.exe 98 PID 1728 wrote to memory of 216 1728 dpvpd.exe 98 PID 216 wrote to memory of 2724 216 frrlrll.exe 99 PID 216 wrote to memory of 2724 216 frrlrll.exe 99 PID 216 wrote to memory of 2724 216 frrlrll.exe 99 PID 2724 wrote to memory of 2156 2724 htnhhh.exe 100 PID 2724 wrote to memory of 2156 2724 htnhhh.exe 100 PID 2724 wrote to memory of 2156 2724 htnhhh.exe 100 PID 2156 wrote to memory of 4800 2156 llxrfxf.exe 101 PID 2156 wrote to memory of 4800 2156 llxrfxf.exe 101 PID 2156 wrote to memory of 4800 2156 llxrfxf.exe 101 PID 4800 wrote to memory of 2092 4800 rfflxxr.exe 102
Processes (tree, root → depth 122). Each entry is the image path followed by the quoted command line, then the nesting depth and a ⤵ marker; the bulleted tags beneath an entry are the signatures that process triggered, and PID:n is its process id. The "Suspicious use of WriteProcessMemory" tag stops after depth 22 (rfflxxr.exe, PID 4800) and the "Executes dropped EXE" tag after depth 66 (xxfxxxl.exe, PID 1452), consistent with the 64-entry cap on each signature listing rather than a change in behaviour; the untagged entry at depth 49 (nbnhbb.exe, PID 840) is absent from the dropped-EXE list on this page for reasons the page does not show, though its memory dump does appear in the Blackmoon hits.
-
C:\Users\Admin\AppData\Local\Temp\943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47.exe"C:\Users\Admin\AppData\Local\Temp\943f67b8ebabdd51c90512854325e308e688375c8cacdd636ff9002c7e157c47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\nnthbt.exec:\nnthbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\xrxrrll.exec:\xrxrrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\hhhbbn.exec:\hhhbbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\vdvjd.exec:\vdvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\rrfrrrr.exec:\rrfrrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\htbhnn.exec:\htbhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\ppppp.exec:\ppppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\3lfxxxf.exec:\3lfxxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\7vdpd.exec:\7vdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\rlffrrr.exec:\rlffrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\xlffxrr.exec:\xlffxrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\tnhhnn.exec:\tnhhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\pjpjp.exec:\pjpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\lflfrlf.exec:\lflfrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\ntbtnn.exec:\ntbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\dpvpd.exec:\dpvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\frrlrll.exec:\frrlrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\htnhhh.exec:\htnhhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\llxrfxf.exec:\llxrfxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\rfflxxr.exec:\rfflxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\tbttbh.exec:\tbttbh.exe23⤵
- Executes dropped EXE
PID:2092 -
\??\c:\jjpvv.exec:\jjpvv.exe24⤵
- Executes dropped EXE
PID:4436 -
\??\c:\llrrlrr.exec:\llrrlrr.exe25⤵
- Executes dropped EXE
PID:4552 -
\??\c:\vvdvj.exec:\vvdvj.exe26⤵
- Executes dropped EXE
PID:1824 -
\??\c:\dvjvv.exec:\dvjvv.exe27⤵
- Executes dropped EXE
PID:3672 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe28⤵
- Executes dropped EXE
PID:4788 -
\??\c:\3nnbbt.exec:\3nnbbt.exe29⤵
- Executes dropped EXE
PID:1072 -
\??\c:\5vvjv.exec:\5vvjv.exe30⤵
- Executes dropped EXE
PID:5092 -
\??\c:\rrrxlll.exec:\rrrxlll.exe31⤵
- Executes dropped EXE
PID:1532 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe32⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tbhnhb.exec:\tbhnhb.exe33⤵
- Executes dropped EXE
PID:2320 -
\??\c:\vjpjv.exec:\vjpjv.exe34⤵
- Executes dropped EXE
PID:4248 -
\??\c:\9rxlllr.exec:\9rxlllr.exe35⤵
- Executes dropped EXE
PID:4468 -
\??\c:\hbtnbb.exec:\hbtnbb.exe36⤵
- Executes dropped EXE
PID:4520 -
\??\c:\3bhnbt.exec:\3bhnbt.exe37⤵
- Executes dropped EXE
PID:3592 -
\??\c:\vpppj.exec:\vpppj.exe38⤵
- Executes dropped EXE
PID:368 -
\??\c:\vjdvj.exec:\vjdvj.exe39⤵
- Executes dropped EXE
PID:3664 -
\??\c:\rflflrx.exec:\rflflrx.exe40⤵
- Executes dropped EXE
PID:3832 -
\??\c:\hbtbnh.exec:\hbtbnh.exe41⤵
- Executes dropped EXE
PID:3956 -
\??\c:\pdvpj.exec:\pdvpj.exe42⤵
- Executes dropped EXE
PID:3264 -
\??\c:\7xxlfff.exec:\7xxlfff.exe43⤵
- Executes dropped EXE
PID:4744 -
\??\c:\nnnnhh.exec:\nnnnhh.exe44⤵
- Executes dropped EXE
PID:1944 -
\??\c:\bttnhh.exec:\bttnhh.exe45⤵
- Executes dropped EXE
PID:2468 -
\??\c:\jdvpv.exec:\jdvpv.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe47⤵
- Executes dropped EXE
PID:3724 -
\??\c:\7lxrrrx.exec:\7lxrrrx.exe48⤵
- Executes dropped EXE
PID:4976 -
\??\c:\nbnhbb.exec:\nbnhbb.exe49⤵PID:840
-
\??\c:\nhnttt.exec:\nhnttt.exe50⤵
- Executes dropped EXE
PID:4324 -
\??\c:\vvdjp.exec:\vvdjp.exe51⤵
- Executes dropped EXE
PID:64 -
\??\c:\7rxlxrf.exec:\7rxlxrf.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\bntnnt.exec:\bntnnt.exe53⤵
- Executes dropped EXE
PID:3064 -
\??\c:\bnnnhh.exec:\bnnnhh.exe54⤵
- Executes dropped EXE
PID:4592 -
\??\c:\5vjjj.exec:\5vjjj.exe55⤵
- Executes dropped EXE
PID:4152 -
\??\c:\pdvpp.exec:\pdvpp.exe56⤵
- Executes dropped EXE
PID:4172 -
\??\c:\lllfxxr.exec:\lllfxxr.exe57⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hhnhtn.exec:\hhnhtn.exe58⤵
- Executes dropped EXE
PID:2308 -
\??\c:\bhhbtn.exec:\bhhbtn.exe59⤵
- Executes dropped EXE
PID:3360 -
\??\c:\jppdv.exec:\jppdv.exe60⤵
- Executes dropped EXE
PID:4676 -
\??\c:\3djdp.exec:\3djdp.exe61⤵
- Executes dropped EXE
PID:4544 -
\??\c:\xlxrxff.exec:\xlxrxff.exe62⤵
- Executes dropped EXE
PID:3364 -
\??\c:\7bbthb.exec:\7bbthb.exe63⤵
- Executes dropped EXE
PID:3696 -
\??\c:\nttnnt.exec:\nttnnt.exe64⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vvpdj.exec:\vvpdj.exe65⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xxfxxxl.exec:\xxfxxxl.exe66⤵
- Executes dropped EXE
PID:1452 -
\??\c:\3frllll.exec:\3frllll.exe67⤵PID:1392
-
\??\c:\frxxrrl.exec:\frxxrrl.exe68⤵PID:1816
-
\??\c:\rlrrrrx.exec:\rlrrrrx.exe69⤵PID:4292
-
\??\c:\hhbbtb.exec:\hhbbtb.exe70⤵PID:3704
-
\??\c:\5dddp.exec:\5dddp.exe71⤵PID:2612
-
\??\c:\9pjjv.exec:\9pjjv.exe72⤵PID:1716
-
\??\c:\rxflxfx.exec:\rxflxfx.exe73⤵PID:3896
-
\??\c:\nhtttt.exec:\nhtttt.exe74⤵PID:1292
-
\??\c:\tnbtnt.exec:\tnbtnt.exe75⤵PID:3764
-
\??\c:\3jpdv.exec:\3jpdv.exe76⤵PID:772
-
\??\c:\5xfrxlx.exec:\5xfrxlx.exe77⤵PID:2588
-
\??\c:\thbthh.exec:\thbthh.exe78⤵PID:724
-
\??\c:\tbhhbb.exec:\tbhhbb.exe79⤵PID:4800
-
\??\c:\jpjdp.exec:\jpjdp.exe80⤵PID:3136
-
\??\c:\ppdpd.exec:\ppdpd.exe81⤵PID:1044
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe82⤵PID:4664
-
\??\c:\hbhbnn.exec:\hbhbnn.exe83⤵PID:4040
-
\??\c:\vjjjv.exec:\vjjjv.exe84⤵PID:1824
-
\??\c:\9jpjd.exec:\9jpjd.exe85⤵PID:408
-
\??\c:\xxlllrf.exec:\xxlllrf.exe86⤵PID:1448
-
\??\c:\thhnhn.exec:\thhnhn.exe87⤵PID:4788
-
\??\c:\thnnnn.exec:\thnnnn.exe88⤵PID:3508
-
\??\c:\dpjjd.exec:\dpjjd.exe89⤵PID:3500
-
\??\c:\jpppj.exec:\jpppj.exe90⤵PID:1692
-
\??\c:\7rxxllf.exec:\7rxxllf.exe91⤵PID:5080
-
\??\c:\hhbbbb.exec:\hhbbbb.exe92⤵PID:3448
-
\??\c:\jvpvd.exec:\jvpvd.exe93⤵PID:2320
-
\??\c:\9vdvp.exec:\9vdvp.exe94⤵PID:4984
-
\??\c:\rlfxrff.exec:\rlfxrff.exe95⤵PID:4184
-
\??\c:\bbtttb.exec:\bbtttb.exe96⤵PID:2684
-
\??\c:\7nnnnt.exec:\7nnnnt.exe97⤵PID:4560
-
\??\c:\dvvpd.exec:\dvvpd.exe98⤵PID:4236
-
\??\c:\3vpvd.exec:\3vpvd.exe99⤵PID:380
-
\??\c:\rlrlfff.exec:\rlrlfff.exe100⤵PID:3664
-
\??\c:\rrfxlfr.exec:\rrfxlfr.exe101⤵PID:2488
-
\??\c:\nbhbbb.exec:\nbhbbb.exe102⤵PID:3956
-
\??\c:\bntnhh.exec:\bntnhh.exe103⤵PID:3336
-
\??\c:\vppjv.exec:\vppjv.exe104⤵PID:4992
-
\??\c:\7xfxffr.exec:\7xfxffr.exe105⤵PID:3220
-
\??\c:\rfxrfxx.exec:\rfxrfxx.exe106⤵PID:3024
-
\??\c:\nbbtnh.exec:\nbbtnh.exe107⤵PID:2776
-
\??\c:\pdvdd.exec:\pdvdd.exe108⤵PID:4352
-
\??\c:\vppdv.exec:\vppdv.exe109⤵PID:2264
-
\??\c:\rrrrllf.exec:\rrrrllf.exe110⤵PID:820
-
\??\c:\hhhbtn.exec:\hhhbtn.exe111⤵PID:4604
-
\??\c:\7thtnn.exec:\7thtnn.exe112⤵PID:3952
-
\??\c:\lrrrrlf.exec:\lrrrrlf.exe113⤵PID:4724
-
\??\c:\tbhtth.exec:\tbhtth.exe114⤵PID:2568
-
\??\c:\pdjvj.exec:\pdjvj.exe115⤵PID:3536
-
\??\c:\5jjvj.exec:\5jjvj.exe116⤵PID:5100
-
\??\c:\rfrlxrf.exec:\rfrlxrf.exe117⤵PID:2948
-
\??\c:\3xxrflx.exec:\3xxrflx.exe118⤵PID:892
-
\??\c:\bhbthn.exec:\bhbthn.exe119⤵PID:4588
-
\??\c:\1jdpj.exec:\1jdpj.exe120⤵PID:1580
-
\??\c:\vjdvd.exec:\vjdvd.exe121⤵PID:4740
-
\??\c:\lrrflfr.exec:\lrrflfr.exe122⤵PID:3872