Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 14:32
Behavioral task
behavioral1
Sample
0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39.exe
-
Size
66KB
-
MD5
80feb676fd7f318f1c77dedd9cdeccec
-
SHA1
846ab76503e1c53bd5fad4bb248916c45c444729
-
SHA256
0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39
-
SHA512
3365ddd94aff10b2ecfd4da11d9a92ed6d1cbe858ed7cae5ad7bd2f40755738406e9b8df945032689f201f41c5a81300f190a56bdadb730b17eced407fcc0418
-
SSDEEP
1536:/vQBeOGtrYS3srx93UBWfwC6Ggnouy8jb5DiLKrb03:/hOmTsF93UYfwC6GIoutcKbW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2924-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3272-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/180-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/376-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4692-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3504-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2832-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2924-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/932-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4992-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4648-539-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-564-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1696-571-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-581-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-594-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-615-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-649-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-680-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-831-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-859-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-863-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-1333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-1508-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3272 hhttnh.exe 2012 djvvj.exe 3124 lffxrlf.exe 3236 thhbnh.exe 4744 pvvvv.exe 2040 rfxfxrr.exe 1556 hnnhbb.exe 3168 3bnbtt.exe 3600 vjpjv.exe 180 lfxrllf.exe 3732 hbbtnt.exe 2180 vvdvp.exe 3604 lxffxfx.exe 444 nnttht.exe 2432 vjppj.exe 3560 vjpjj.exe 3636 7rffxfl.exe 4020 bttnbb.exe 3076 jdjdd.exe 720 rlxxlrr.exe 1576 lxrrlfx.exe 404 bbnhbt.exe 3728 3jpjd.exe 2724 3ddvj.exe 376 lfrlxxr.exe 4692 nbhbhn.exe 3616 pjjjv.exe 1308 5rrrffx.exe 4832 3rrrxxr.exe 1372 7djjd.exe 2280 rrfffxx.exe 3316 3tttnn.exe 3908 jvvvj.exe 4376 xlffrrl.exe 4944 xxxxrlx.exe 1156 bttnhn.exe 4552 hnhbtn.exe 1004 ppdjd.exe 3504 rfrfrxr.exe 4232 nhttbh.exe 2720 bhnnhh.exe 1000 djdvj.exe 5040 rrlfxrr.exe 2832 xrlxrlf.exe 4884 tntnbb.exe 3356 3djdj.exe 1988 rrxxrxx.exe 2332 btntnh.exe 1580 nhhhtt.exe 2924 5djdp.exe 2580 3xxrffx.exe 4028 9xrrffr.exe 2916 nhbbnt.exe 2544 dvdvj.exe 2644 xfrlxrl.exe 3236 llfxrlf.exe 2168 bhtthb.exe 2632 httnnb.exe 3044 vjdvp.exe 1352 fxfxlfx.exe 1668 5bhhbb.exe 3600 rlfrlfx.exe 392 1rrxlxf.exe 732 9htnhh.exe -
resource yara_rule behavioral2/memory/2924-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x001200000001e75a-3.dat upx behavioral2/memory/2924-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023b26-9.dat upx behavioral2/memory/3272-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b32-13.dat upx behavioral2/memory/2012-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b33-22.dat upx behavioral2/memory/3124-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3236-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b34-28.dat upx behavioral2/memory/3236-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b35-33.dat upx behavioral2/memory/4744-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b36-39.dat upx behavioral2/memory/2040-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b37-45.dat upx behavioral2/memory/1556-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b38-50.dat upx behavioral2/memory/3168-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b39-55.dat upx behavioral2/memory/3600-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3a-63.dat upx behavioral2/memory/180-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3b-67.dat upx behavioral2/memory/3732-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3c-73.dat upx behavioral2/memory/2180-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3d-79.dat upx behavioral2/memory/3604-80-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b3e-84.dat upx behavioral2/files/0x000a000000023b3f-89.dat upx behavioral2/files/0x000a000000023b40-96.dat upx behavioral2/memory/3560-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b41-100.dat upx behavioral2/memory/3636-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4020-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b43-106.dat upx behavioral2/memory/3076-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b44-114.dat upx behavioral2/files/0x000a000000023b45-119.dat upx behavioral2/memory/1576-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b46-124.dat upx behavioral2/files/0x000a000000023b47-131.dat upx behavioral2/files/0x000a000000023b48-135.dat upx behavioral2/memory/3728-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b49-141.dat upx behavioral2/files/0x000d000000023b2e-147.dat upx behavioral2/memory/376-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4a-151.dat upx behavioral2/memory/4692-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3616-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4b-160.dat upx behavioral2/files/0x000a000000023b4c-163.dat upx behavioral2/files/0x000a000000023b4d-171.dat upx behavioral2/memory/4832-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4e-175.dat upx behavioral2/files/0x000a000000023b4f-179.dat upx behavioral2/memory/4552-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3504-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2720-213-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2832-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4884-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3356-231-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 3272 2924 0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39.exe 83 PID 2924 wrote to memory of 3272 2924 0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39.exe 83 PID 2924 wrote to memory of 3272 2924 0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39.exe 83 PID 3272 wrote to memory of 2012 3272 hhttnh.exe 84 PID 3272 wrote to memory of 2012 3272 hhttnh.exe 84 PID 3272 wrote to memory of 2012 3272 hhttnh.exe 84 PID 2012 wrote to memory of 3124 2012 djvvj.exe 85 PID 2012 wrote to memory of 3124 2012 djvvj.exe 85 PID 2012 wrote to memory of 3124 2012 djvvj.exe 85 PID 3124 wrote to memory of 3236 3124 lffxrlf.exe 86 PID 3124 wrote to memory of 3236 3124 lffxrlf.exe 86 PID 3124 wrote to memory of 3236 3124 lffxrlf.exe 86 PID 3236 wrote to memory of 4744 3236 thhbnh.exe 87 PID 3236 wrote to memory of 4744 3236 thhbnh.exe 87 PID 3236 wrote to memory of 4744 3236 thhbnh.exe 87 PID 4744 wrote to memory of 2040 4744 pvvvv.exe 88 PID 4744 wrote to memory of 2040 4744 pvvvv.exe 88 PID 4744 wrote to memory of 2040 4744 pvvvv.exe 88 PID 2040 wrote to memory of 1556 2040 rfxfxrr.exe 89 PID 2040 wrote to memory of 1556 2040 rfxfxrr.exe 89 PID 2040 wrote to memory of 1556 2040 rfxfxrr.exe 89 PID 1556 wrote to memory of 3168 1556 hnnhbb.exe 90 PID 1556 wrote to memory of 3168 1556 hnnhbb.exe 90 PID 1556 wrote to memory of 3168 1556 hnnhbb.exe 90 PID 3168 wrote to memory of 3600 3168 3bnbtt.exe 91 PID 3168 wrote to memory of 3600 3168 3bnbtt.exe 91 PID 3168 wrote to memory of 3600 3168 3bnbtt.exe 91 PID 3600 wrote to memory of 180 3600 vjpjv.exe 92 PID 3600 wrote to memory of 180 3600 vjpjv.exe 92 PID 3600 wrote to memory of 180 3600 vjpjv.exe 92 PID 180 wrote to memory of 3732 180 lfxrllf.exe 93 PID 180 wrote to memory of 3732 180 lfxrllf.exe 93 PID 180 wrote to memory of 3732 180 lfxrllf.exe 93 PID 3732 wrote to memory of 2180 3732 hbbtnt.exe 94 PID 3732 wrote to memory of 
2180 3732 hbbtnt.exe 94 PID 3732 wrote to memory of 2180 3732 hbbtnt.exe 94 PID 2180 wrote to memory of 3604 2180 vvdvp.exe 95 PID 2180 wrote to memory of 3604 2180 vvdvp.exe 95 PID 2180 wrote to memory of 3604 2180 vvdvp.exe 95 PID 3604 wrote to memory of 444 3604 lxffxfx.exe 96 PID 3604 wrote to memory of 444 3604 lxffxfx.exe 96 PID 3604 wrote to memory of 444 3604 lxffxfx.exe 96 PID 444 wrote to memory of 2432 444 nnttht.exe 97 PID 444 wrote to memory of 2432 444 nnttht.exe 97 PID 444 wrote to memory of 2432 444 nnttht.exe 97 PID 2432 wrote to memory of 3560 2432 vjppj.exe 98 PID 2432 wrote to memory of 3560 2432 vjppj.exe 98 PID 2432 wrote to memory of 3560 2432 vjppj.exe 98 PID 3560 wrote to memory of 3636 3560 vjpjj.exe 99 PID 3560 wrote to memory of 3636 3560 vjpjj.exe 99 PID 3560 wrote to memory of 3636 3560 vjpjj.exe 99 PID 3636 wrote to memory of 4020 3636 7rffxfl.exe 100 PID 3636 wrote to memory of 4020 3636 7rffxfl.exe 100 PID 3636 wrote to memory of 4020 3636 7rffxfl.exe 100 PID 4020 wrote to memory of 3076 4020 bttnbb.exe 101 PID 4020 wrote to memory of 3076 4020 bttnbb.exe 101 PID 4020 wrote to memory of 3076 4020 bttnbb.exe 101 PID 3076 wrote to memory of 720 3076 jdjdd.exe 102 PID 3076 wrote to memory of 720 3076 jdjdd.exe 102 PID 3076 wrote to memory of 720 3076 jdjdd.exe 102 PID 720 wrote to memory of 1576 720 rlxxlrr.exe 103 PID 720 wrote to memory of 1576 720 rlxxlrr.exe 103 PID 720 wrote to memory of 1576 720 rlxxlrr.exe 103 PID 1576 wrote to memory of 404 1576 lxrrlfx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39.exe"C:\Users\Admin\AppData\Local\Temp\0ea5c80877d2639b2f3d07c06122f694672c5d2bb28d9d927368e62b6d4bbc39.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\hhttnh.exec:\hhttnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\djvvj.exec:\djvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\lffxrlf.exec:\lffxrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\thhbnh.exec:\thhbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\pvvvv.exec:\pvvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\rfxfxrr.exec:\rfxfxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\hnnhbb.exec:\hnnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\3bnbtt.exec:\3bnbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\vjpjv.exec:\vjpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\lfxrllf.exec:\lfxrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\hbbtnt.exec:\hbbtnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\vvdvp.exec:\vvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\lxffxfx.exec:\lxffxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\nnttht.exec:\nnttht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\vjppj.exec:\vjppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\vjpjj.exec:\vjpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\7rffxfl.exec:\7rffxfl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\bttnbb.exec:\bttnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\jdjdd.exec:\jdjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\rlxxlrr.exec:\rlxxlrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\lxrrlfx.exec:\lxrrlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\bbnhbt.exec:\bbnhbt.exe23⤵
- Executes dropped EXE
PID:404 -
\??\c:\3jpjd.exec:\3jpjd.exe24⤵
- Executes dropped EXE
PID:3728 -
\??\c:\3ddvj.exec:\3ddvj.exe25⤵
- Executes dropped EXE
PID:2724 -
\??\c:\lfrlxxr.exec:\lfrlxxr.exe26⤵
- Executes dropped EXE
PID:376 -
\??\c:\nbhbhn.exec:\nbhbhn.exe27⤵
- Executes dropped EXE
PID:4692 -
\??\c:\pjjjv.exec:\pjjjv.exe28⤵
- Executes dropped EXE
PID:3616 -
\??\c:\5rrrffx.exec:\5rrrffx.exe29⤵
- Executes dropped EXE
PID:1308 -
\??\c:\3rrrxxr.exec:\3rrrxxr.exe30⤵
- Executes dropped EXE
PID:4832 -
\??\c:\7djjd.exec:\7djjd.exe31⤵
- Executes dropped EXE
PID:1372 -
\??\c:\rrfffxx.exec:\rrfffxx.exe32⤵
- Executes dropped EXE
PID:2280 -
\??\c:\3tttnn.exec:\3tttnn.exe33⤵
- Executes dropped EXE
PID:3316 -
\??\c:\jvvvj.exec:\jvvvj.exe34⤵
- Executes dropped EXE
PID:3908 -
\??\c:\xlffrrl.exec:\xlffrrl.exe35⤵
- Executes dropped EXE
PID:4376 -
\??\c:\xxxxrlx.exec:\xxxxrlx.exe36⤵
- Executes dropped EXE
PID:4944 -
\??\c:\bttnhn.exec:\bttnhn.exe37⤵
- Executes dropped EXE
PID:1156 -
\??\c:\hnhbtn.exec:\hnhbtn.exe38⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ppdjd.exec:\ppdjd.exe39⤵
- Executes dropped EXE
PID:1004 -
\??\c:\rfrfrxr.exec:\rfrfrxr.exe40⤵
- Executes dropped EXE
PID:3504 -
\??\c:\nhttbh.exec:\nhttbh.exe41⤵
- Executes dropped EXE
PID:4232 -
\??\c:\bhnnhh.exec:\bhnnhh.exe42⤵
- Executes dropped EXE
PID:2720 -
\??\c:\djdvj.exec:\djdvj.exe43⤵
- Executes dropped EXE
PID:1000 -
\??\c:\rrlfxrr.exec:\rrlfxrr.exe44⤵
- Executes dropped EXE
PID:5040 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe45⤵
- Executes dropped EXE
PID:2832 -
\??\c:\tntnbb.exec:\tntnbb.exe46⤵
- Executes dropped EXE
PID:4884 -
\??\c:\3djdj.exec:\3djdj.exe47⤵
- Executes dropped EXE
PID:3356 -
\??\c:\rrxxrxx.exec:\rrxxrxx.exe48⤵
- Executes dropped EXE
PID:1988 -
\??\c:\btntnh.exec:\btntnh.exe49⤵
- Executes dropped EXE
PID:2332 -
\??\c:\nhhhtt.exec:\nhhhtt.exe50⤵
- Executes dropped EXE
PID:1580 -
\??\c:\5djdp.exec:\5djdp.exe51⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3xxrffx.exec:\3xxrffx.exe52⤵
- Executes dropped EXE
PID:2580 -
\??\c:\9xrrffr.exec:\9xrrffr.exe53⤵
- Executes dropped EXE
PID:4028 -
\??\c:\nhbbnt.exec:\nhbbnt.exe54⤵
- Executes dropped EXE
PID:2916 -
\??\c:\dvdvj.exec:\dvdvj.exe55⤵
- Executes dropped EXE
PID:2544 -
\??\c:\xfrlxrl.exec:\xfrlxrl.exe56⤵
- Executes dropped EXE
PID:2644 -
\??\c:\llfxrlf.exec:\llfxrlf.exe57⤵
- Executes dropped EXE
PID:3236 -
\??\c:\bhtthb.exec:\bhtthb.exe58⤵
- Executes dropped EXE
PID:2168 -
\??\c:\httnnb.exec:\httnnb.exe59⤵
- Executes dropped EXE
PID:2632 -
\??\c:\vjdvp.exec:\vjdvp.exe60⤵
- Executes dropped EXE
PID:3044 -
\??\c:\fxfxlfx.exec:\fxfxlfx.exe61⤵
- Executes dropped EXE
PID:1352 -
\??\c:\5bhhbb.exec:\5bhhbb.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe63⤵
- Executes dropped EXE
PID:3600 -
\??\c:\1rrxlxf.exec:\1rrxlxf.exe64⤵
- Executes dropped EXE
PID:392 -
\??\c:\9htnhh.exec:\9htnhh.exe65⤵
- Executes dropped EXE
PID:732 -
\??\c:\bhtnhb.exec:\bhtnhb.exe66⤵PID:1836
-
\??\c:\vpjdp.exec:\vpjdp.exe67⤵PID:4068
-
\??\c:\9ddpd.exec:\9ddpd.exe68⤵PID:1104
-
\??\c:\flrlxfr.exec:\flrlxfr.exe69⤵PID:1100
-
\??\c:\bbnnnt.exec:\bbnnnt.exe70⤵PID:984
-
\??\c:\djjpv.exec:\djjpv.exe71⤵PID:444
-
\??\c:\llrrllx.exec:\llrrllx.exe72⤵PID:2192
-
\??\c:\rxxxrrl.exec:\rxxxrrl.exe73⤵PID:4616
-
\??\c:\bhtnhh.exec:\bhtnhh.exe74⤵PID:4480
-
\??\c:\tnnhtt.exec:\tnnhtt.exe75⤵PID:932
-
\??\c:\3vddv.exec:\3vddv.exe76⤵PID:4468
-
\??\c:\xlllffx.exec:\xlllffx.exe77⤵PID:3308
-
\??\c:\ttbbbn.exec:\ttbbbn.exe78⤵PID:3496
-
\??\c:\jpdjv.exec:\jpdjv.exe79⤵PID:1688
-
\??\c:\9fxrfxr.exec:\9fxrfxr.exe80⤵PID:5104
-
\??\c:\xxrrfff.exec:\xxrrfff.exe81⤵PID:3856
-
\??\c:\nttbbb.exec:\nttbbb.exe82⤵PID:2692
-
\??\c:\djjdd.exec:\djjdd.exe83⤵PID:3700
-
\??\c:\lxrlrlf.exec:\lxrlrlf.exe84⤵PID:2724
-
\??\c:\5btttt.exec:\5btttt.exe85⤵PID:4336
-
\??\c:\bttnnn.exec:\bttnnn.exe86⤵PID:416
-
\??\c:\jpvpp.exec:\jpvpp.exe87⤵PID:1820
-
\??\c:\pjjdd.exec:\pjjdd.exe88⤵PID:4992
-
\??\c:\nhbbnn.exec:\nhbbnn.exe89⤵PID:3992
-
\??\c:\ntnnhn.exec:\ntnnhn.exe90⤵PID:2372
-
\??\c:\9pvvp.exec:\9pvvp.exe91⤵PID:4396
-
\??\c:\ffxxxxx.exec:\ffxxxxx.exe92⤵PID:4004
-
\??\c:\7llfxxr.exec:\7llfxxr.exe93⤵PID:3132
-
\??\c:\tntttt.exec:\tntttt.exe94⤵PID:1396
-
\??\c:\ddppv.exec:\ddppv.exe95⤵PID:1840
-
\??\c:\djjjd.exec:\djjjd.exe96⤵PID:4376
-
\??\c:\ffxffxx.exec:\ffxffxx.exe97⤵PID:4944
-
\??\c:\tnhhhb.exec:\tnhhhb.exe98⤵PID:1156
-
\??\c:\bhhhhh.exec:\bhhhhh.exe99⤵PID:2716
-
\??\c:\jpvvj.exec:\jpvvj.exe100⤵PID:3696
-
\??\c:\lllfxrl.exec:\lllfxrl.exe101⤵PID:2812
-
\??\c:\9bbttb.exec:\9bbttb.exe102⤵PID:4232
-
\??\c:\nbtnnh.exec:\nbtnnh.exe103⤵PID:2768
-
\??\c:\vdddv.exec:\vdddv.exe104⤵PID:3276
-
\??\c:\9pdvv.exec:\9pdvv.exe105⤵PID:1336
-
\??\c:\frfffff.exec:\frfffff.exe106⤵PID:3576
-
\??\c:\xfxllfr.exec:\xfxllfr.exe107⤵PID:3624
-
\??\c:\nhnhnt.exec:\nhnhnt.exe108⤵PID:636
-
\??\c:\pvdjv.exec:\pvdjv.exe109⤵PID:4456
-
\??\c:\flrrrxx.exec:\flrrrxx.exe110⤵PID:4452
-
\??\c:\lffffxx.exec:\lffffxx.exe111⤵PID:3596
-
\??\c:\5hnnnt.exec:\5hnnnt.exe112⤵PID:1492
-
\??\c:\dvvpv.exec:\dvvpv.exe113⤵PID:1552
-
\??\c:\5jjjv.exec:\5jjjv.exe114⤵PID:2012
-
\??\c:\xllfxfx.exec:\xllfxfx.exe115⤵PID:1792
-
\??\c:\ffrxxff.exec:\ffrxxff.exe116⤵PID:1016
-
\??\c:\vpvpp.exec:\vpvpp.exe117⤵PID:1348
-
\??\c:\jppjd.exec:\jppjd.exe118⤵PID:1496
-
\??\c:\frrfrxx.exec:\frrfrxx.exe119⤵PID:1556
-
\??\c:\lflflxl.exec:\lflflxl.exe120⤵PID:1764
-
\??\c:\ttttnt.exec:\ttttnt.exe121⤵PID:696
-
\??\c:\ppppj.exec:\ppppj.exe122⤵PID:2036