Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 05:31
Behavioral task
behavioral1
Sample
eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939.exe
-
Size
331KB
-
MD5
ed013e150197635be29fd0555c56e745
-
SHA1
cadf784f76f07de47c0b1f7d492be773f66dcba3
-
SHA256
eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939
-
SHA512
d7517ef2925a921b2070db7a7180fc498120b6f5bc4d9d84284fc208afece1208b54bcaca19b2baf11feed48b6cc1f7512800b24dc03b6a28ff78e0a476641d1
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbem:R4wFHoSHYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2308-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2276-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3560-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1932-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3776-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2456-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/728-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/840-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/560-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3080-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3092-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3096-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-481-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3272-535-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-900-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-928-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-1246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3480-1388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1504 7rlllrl.exe 1716 tbtttb.exe 4680 jvddd.exe 4856 7nbbtb.exe 544 ddjjj.exe 4008 ntbbbh.exe 1564 bbhhnt.exe 4636 xllllrl.exe 3516 ddjjj.exe 2276 fllfflx.exe 3228 hhnnnt.exe 3532 hbtttn.exe 1832 jdvpp.exe 736 rxlrrxl.exe 5060 bhhnth.exe 1868 dvjdd.exe 1156 thhbtn.exe 4896 pdvpj.exe 1828 hbtntt.exe 2320 5hnbhb.exe 4976 xxfxfll.exe 2680 7tbhnn.exe 3560 9nhhhh.exe 1584 ppvdp.exe 1932 fxflllr.exe 640 hbhthh.exe 1904 ppdvd.exe 4412 jdvvv.exe 3676 ffxxxff.exe 4892 rlxxxxx.exe 4244 bbnthh.exe 3652 5vppp.exe 4428 7rrrrxr.exe 3032 tttnnt.exe 540 vpddd.exe 3776 3xlrrff.exe 2456 hnttnt.exe 728 7bttbb.exe 1008 9pddd.exe 4664 llffrxf.exe 4736 fxrrxfl.exe 2508 nbbhbh.exe 840 ddpvd.exe 4176 lffxlfx.exe 4676 hbhnhh.exe 220 dvdpv.exe 1456 xxllrxr.exe 1984 3xffrxl.exe 3052 3tttnn.exe 560 djvdd.exe 652 lfxffxr.exe 2920 lxlfxrl.exe 4840 bhnhbt.exe 5044 vpjvp.exe 3476 jdjjj.exe 3080 rrxrrrf.exe 4044 7nthnn.exe 3732 hhhbtt.exe 4104 ppvvv.exe 3964 djppp.exe 4456 ttbhhn.exe 4804 tntttt.exe 4312 vvvvd.exe 3764 frlffxx.exe -
resource yara_rule behavioral2/memory/2308-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bb0-3.dat upx behavioral2/memory/2308-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bb3-8.dat upx behavioral2/memory/1504-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bd1-11.dat upx behavioral2/memory/1716-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4680-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bd2-19.dat upx behavioral2/memory/4856-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bd3-24.dat upx behavioral2/files/0x000e000000023bd7-29.dat upx behavioral2/memory/544-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd9-33.dat upx behavioral2/memory/4008-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bdc-38.dat upx behavioral2/memory/1564-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bd3-43.dat upx behavioral2/memory/4636-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bdd-48.dat upx behavioral2/memory/2276-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3516-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bde-54.dat upx behavioral2/files/0x0008000000023bdf-58.dat upx behavioral2/memory/3228-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0e-63.dat upx behavioral2/memory/3532-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0f-68.dat upx behavioral2/memory/736-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1832-70-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0008000000023c10-75.dat upx behavioral2/memory/5060-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c11-79.dat upx behavioral2/memory/1868-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c12-85.dat upx behavioral2/memory/1868-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c13-89.dat upx behavioral2/files/0x0008000000023c18-94.dat upx behavioral2/files/0x0008000000023c19-98.dat upx behavioral2/memory/1828-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c1a-102.dat upx behavioral2/memory/2320-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2c-109.dat upx behavioral2/memory/4976-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c32-112.dat upx behavioral2/memory/2680-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c33-117.dat upx behavioral2/memory/3560-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c34-122.dat upx behavioral2/files/0x0008000000023c35-128.dat upx behavioral2/files/0x0008000000023c36-132.dat upx behavioral2/memory/1932-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1584-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c37-136.dat upx behavioral2/files/0x000b000000023c4c-140.dat upx behavioral2/files/0x0016000000023c4d-144.dat upx behavioral2/memory/3676-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c53-149.dat upx behavioral2/files/0x0008000000023c57-153.dat upx behavioral2/memory/4244-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4428-160-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3032-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3776-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2456-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 1504 2308 eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939.exe 82 PID 2308 wrote to memory of 1504 2308 eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939.exe 82 PID 2308 wrote to memory of 1504 2308 eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939.exe 82 PID 1504 wrote to memory of 1716 1504 7rlllrl.exe 83 PID 1504 wrote to memory of 1716 1504 7rlllrl.exe 83 PID 1504 wrote to memory of 1716 1504 7rlllrl.exe 83 PID 1716 wrote to memory of 4680 1716 tbtttb.exe 84 PID 1716 wrote to memory of 4680 1716 tbtttb.exe 84 PID 1716 wrote to memory of 4680 1716 tbtttb.exe 84 PID 4680 wrote to memory of 4856 4680 jvddd.exe 85 PID 4680 wrote to memory of 4856 4680 jvddd.exe 85 PID 4680 wrote to memory of 4856 4680 jvddd.exe 85 PID 4856 wrote to memory of 544 4856 7nbbtb.exe 86 PID 4856 wrote to memory of 544 4856 7nbbtb.exe 86 PID 4856 wrote to memory of 544 4856 7nbbtb.exe 86 PID 544 wrote to memory of 4008 544 ddjjj.exe 87 PID 544 wrote to memory of 4008 544 ddjjj.exe 87 PID 544 wrote to memory of 4008 544 ddjjj.exe 87 PID 4008 wrote to memory of 1564 4008 ntbbbh.exe 88 PID 4008 wrote to memory of 1564 4008 ntbbbh.exe 88 PID 4008 wrote to memory of 1564 4008 ntbbbh.exe 88 PID 1564 wrote to memory of 4636 1564 bbhhnt.exe 89 PID 1564 wrote to memory of 4636 1564 bbhhnt.exe 89 PID 1564 wrote to memory of 4636 1564 bbhhnt.exe 89 PID 4636 wrote to memory of 3516 4636 xllllrl.exe 90 PID 4636 wrote to memory of 3516 4636 xllllrl.exe 90 PID 4636 wrote to memory of 3516 4636 xllllrl.exe 90 PID 3516 wrote to memory of 2276 3516 ddjjj.exe 91 PID 3516 wrote to memory of 2276 3516 ddjjj.exe 91 PID 3516 wrote to memory of 2276 3516 ddjjj.exe 91 PID 2276 wrote to memory of 3228 2276 fllfflx.exe 92 PID 2276 wrote to memory of 3228 2276 fllfflx.exe 92 PID 2276 wrote to memory of 3228 2276 fllfflx.exe 92 PID 3228 wrote to memory of 3532 3228 hhnnnt.exe 93 PID 3228 wrote to memory of 
3532 3228 hhnnnt.exe 93 PID 3228 wrote to memory of 3532 3228 hhnnnt.exe 93 PID 3532 wrote to memory of 1832 3532 hbtttn.exe 94 PID 3532 wrote to memory of 1832 3532 hbtttn.exe 94 PID 3532 wrote to memory of 1832 3532 hbtttn.exe 94 PID 1832 wrote to memory of 736 1832 jdvpp.exe 95 PID 1832 wrote to memory of 736 1832 jdvpp.exe 95 PID 1832 wrote to memory of 736 1832 jdvpp.exe 95 PID 736 wrote to memory of 5060 736 rxlrrxl.exe 96 PID 736 wrote to memory of 5060 736 rxlrrxl.exe 96 PID 736 wrote to memory of 5060 736 rxlrrxl.exe 96 PID 5060 wrote to memory of 1868 5060 bhhnth.exe 97 PID 5060 wrote to memory of 1868 5060 bhhnth.exe 97 PID 5060 wrote to memory of 1868 5060 bhhnth.exe 97 PID 1868 wrote to memory of 1156 1868 dvjdd.exe 98 PID 1868 wrote to memory of 1156 1868 dvjdd.exe 98 PID 1868 wrote to memory of 1156 1868 dvjdd.exe 98 PID 1156 wrote to memory of 4896 1156 thhbtn.exe 99 PID 1156 wrote to memory of 4896 1156 thhbtn.exe 99 PID 1156 wrote to memory of 4896 1156 thhbtn.exe 99 PID 4896 wrote to memory of 1828 4896 pdvpj.exe 100 PID 4896 wrote to memory of 1828 4896 pdvpj.exe 100 PID 4896 wrote to memory of 1828 4896 pdvpj.exe 100 PID 1828 wrote to memory of 2320 1828 hbtntt.exe 101 PID 1828 wrote to memory of 2320 1828 hbtntt.exe 101 PID 1828 wrote to memory of 2320 1828 hbtntt.exe 101 PID 2320 wrote to memory of 4976 2320 5hnbhb.exe 102 PID 2320 wrote to memory of 4976 2320 5hnbhb.exe 102 PID 2320 wrote to memory of 4976 2320 5hnbhb.exe 102 PID 4976 wrote to memory of 2680 4976 xxfxfll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939.exe"C:\Users\Admin\AppData\Local\Temp\eb446efbef6b33ba2daca817e308bed15fd22eb61b916f3f9afcfc1f27681939.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\7rlllrl.exec:\7rlllrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\tbtttb.exec:\tbtttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\jvddd.exec:\jvddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\7nbbtb.exec:\7nbbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\ddjjj.exec:\ddjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\ntbbbh.exec:\ntbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\bbhhnt.exec:\bbhhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\xllllrl.exec:\xllllrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\ddjjj.exec:\ddjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\fllfflx.exec:\fllfflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\hhnnnt.exec:\hhnnnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\hbtttn.exec:\hbtttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\jdvpp.exec:\jdvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\rxlrrxl.exec:\rxlrrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\bhhnth.exec:\bhhnth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\dvjdd.exec:\dvjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\thhbtn.exec:\thhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\pdvpj.exec:\pdvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\hbtntt.exec:\hbtntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\5hnbhb.exec:\5hnbhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\xxfxfll.exec:\xxfxfll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\7tbhnn.exec:\7tbhnn.exe23⤵
- Executes dropped EXE
PID:2680 -
\??\c:\9nhhhh.exec:\9nhhhh.exe24⤵
- Executes dropped EXE
PID:3560 -
\??\c:\ppvdp.exec:\ppvdp.exe25⤵
- Executes dropped EXE
PID:1584 -
\??\c:\fxflllr.exec:\fxflllr.exe26⤵
- Executes dropped EXE
PID:1932 -
\??\c:\hbhthh.exec:\hbhthh.exe27⤵
- Executes dropped EXE
PID:640 -
\??\c:\ppdvd.exec:\ppdvd.exe28⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jdvvv.exec:\jdvvv.exe29⤵
- Executes dropped EXE
PID:4412 -
\??\c:\ffxxxff.exec:\ffxxxff.exe30⤵
- Executes dropped EXE
PID:3676 -
\??\c:\rlxxxxx.exec:\rlxxxxx.exe31⤵
- Executes dropped EXE
PID:4892 -
\??\c:\bbnthh.exec:\bbnthh.exe32⤵
- Executes dropped EXE
PID:4244 -
\??\c:\5vppp.exec:\5vppp.exe33⤵
- Executes dropped EXE
PID:3652 -
\??\c:\7rrrrxr.exec:\7rrrrxr.exe34⤵
- Executes dropped EXE
PID:4428 -
\??\c:\tttnnt.exec:\tttnnt.exe35⤵
- Executes dropped EXE
PID:3032 -
\??\c:\vpddd.exec:\vpddd.exe36⤵
- Executes dropped EXE
PID:540 -
\??\c:\3xlrrff.exec:\3xlrrff.exe37⤵
- Executes dropped EXE
PID:3776 -
\??\c:\hnttnt.exec:\hnttnt.exe38⤵
- Executes dropped EXE
PID:2456 -
\??\c:\7bttbb.exec:\7bttbb.exe39⤵
- Executes dropped EXE
PID:728 -
\??\c:\9pddd.exec:\9pddd.exe40⤵
- Executes dropped EXE
PID:1008 -
\??\c:\llffrxf.exec:\llffrxf.exe41⤵
- Executes dropped EXE
PID:4664 -
\??\c:\fxrrxfl.exec:\fxrrxfl.exe42⤵
- Executes dropped EXE
PID:4736 -
\??\c:\nbbhbh.exec:\nbbhbh.exe43⤵
- Executes dropped EXE
PID:2508 -
\??\c:\ddpvd.exec:\ddpvd.exe44⤵
- Executes dropped EXE
PID:840 -
\??\c:\lffxlfx.exec:\lffxlfx.exe45⤵
- Executes dropped EXE
PID:4176 -
\??\c:\hbhnhh.exec:\hbhnhh.exe46⤵
- Executes dropped EXE
PID:4676 -
\??\c:\dvdpv.exec:\dvdpv.exe47⤵
- Executes dropped EXE
PID:220 -
\??\c:\xxllrxr.exec:\xxllrxr.exe48⤵
- Executes dropped EXE
PID:1456 -
\??\c:\3xffrxl.exec:\3xffrxl.exe49⤵
- Executes dropped EXE
PID:1984 -
\??\c:\3tttnn.exec:\3tttnn.exe50⤵
- Executes dropped EXE
PID:3052 -
\??\c:\djvdd.exec:\djvdd.exe51⤵
- Executes dropped EXE
PID:560 -
\??\c:\lfxffxr.exec:\lfxffxr.exe52⤵
- Executes dropped EXE
PID:652 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe53⤵
- Executes dropped EXE
PID:2920 -
\??\c:\bhnhbt.exec:\bhnhbt.exe54⤵
- Executes dropped EXE
PID:4840 -
\??\c:\vpjvp.exec:\vpjvp.exe55⤵
- Executes dropped EXE
PID:5044 -
\??\c:\jdjjj.exec:\jdjjj.exe56⤵
- Executes dropped EXE
PID:3476 -
\??\c:\rrxrrrf.exec:\rrxrrrf.exe57⤵
- Executes dropped EXE
PID:3080 -
\??\c:\7nthnn.exec:\7nthnn.exe58⤵
- Executes dropped EXE
PID:4044 -
\??\c:\hhhbtt.exec:\hhhbtt.exe59⤵
- Executes dropped EXE
PID:3732 -
\??\c:\ppvvv.exec:\ppvvv.exe60⤵
- Executes dropped EXE
PID:4104 -
\??\c:\djppp.exec:\djppp.exe61⤵
- Executes dropped EXE
PID:3964 -
\??\c:\ttbhhn.exec:\ttbhhn.exe62⤵
- Executes dropped EXE
PID:4456 -
\??\c:\tntttt.exec:\tntttt.exe63⤵
- Executes dropped EXE
PID:4804 -
\??\c:\vvvvd.exec:\vvvvd.exe64⤵
- Executes dropped EXE
PID:4312 -
\??\c:\frlffxx.exec:\frlffxx.exe65⤵
- Executes dropped EXE
PID:3764 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe66⤵PID:3956
-
\??\c:\bnbbhh.exec:\bnbbhh.exe67⤵PID:3944
-
\??\c:\vpvpp.exec:\vpvpp.exe68⤵PID:4552
-
\??\c:\1lxrxfl.exec:\1lxrxfl.exe69⤵PID:3332
-
\??\c:\fxrrxrx.exec:\fxrrxrx.exe70⤵PID:4904
-
\??\c:\bbtnnt.exec:\bbtnnt.exe71⤵PID:4480
-
\??\c:\vjdpj.exec:\vjdpj.exe72⤵PID:2056
-
\??\c:\rrlfxxx.exec:\rrlfxxx.exe73⤵PID:2096
-
\??\c:\xxrrffr.exec:\xxrrffr.exe74⤵PID:468
-
\??\c:\nhtttb.exec:\nhtttb.exe75⤵PID:3512
-
\??\c:\nhttbh.exec:\nhttbh.exe76⤵PID:4368
-
\??\c:\jpjdv.exec:\jpjdv.exe77⤵PID:916
-
\??\c:\xrfxxxf.exec:\xrfxxxf.exe78⤵PID:3500
-
\??\c:\xfrrfxf.exec:\xfrrfxf.exe79⤵PID:3092
-
\??\c:\hbnhbb.exec:\hbnhbb.exe80⤵PID:1216
-
\??\c:\pjddd.exec:\pjddd.exe81⤵PID:2620
-
\??\c:\jvvvv.exec:\jvvvv.exe82⤵PID:2728
-
\??\c:\lxxxrxx.exec:\lxxxrxx.exe83⤵PID:3132
-
\??\c:\fxrlfxf.exec:\fxrlfxf.exe84⤵PID:2696
-
\??\c:\hhtttb.exec:\hhtttb.exe85⤵PID:1832
-
\??\c:\vdjjp.exec:\vdjjp.exe86⤵PID:2796
-
\??\c:\5xrrlff.exec:\5xrrlff.exe87⤵PID:4908
-
\??\c:\thnnhh.exec:\thnnhh.exe88⤵PID:1116
-
\??\c:\hhttbh.exec:\hhttbh.exe89⤵PID:312
-
\??\c:\jvjjd.exec:\jvjjd.exe90⤵PID:1768
-
\??\c:\xfflflf.exec:\xfflflf.exe91⤵PID:1156
-
\??\c:\9thhbh.exec:\9thhbh.exe92⤵PID:4436
-
\??\c:\7ddpj.exec:\7ddpj.exe93⤵PID:4420
-
\??\c:\vjvdj.exec:\vjvdj.exe94⤵PID:2536
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe95⤵PID:2320
-
\??\c:\hhbbhh.exec:\hhbbhh.exe96⤵PID:2280
-
\??\c:\vppjj.exec:\vppjj.exe97⤵PID:4580
-
\??\c:\jdjdd.exec:\jdjdd.exe98⤵PID:3068
-
\??\c:\lfflrrf.exec:\lfflrrf.exe99⤵PID:3000
-
\??\c:\rrlrlrx.exec:\rrlrlrx.exe100⤵PID:1640
-
\??\c:\hbnttb.exec:\hbnttb.exe101⤵PID:4156
-
\??\c:\pvvdv.exec:\pvvdv.exe102⤵PID:1364
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe103⤵PID:2644
-
\??\c:\hbnnnt.exec:\hbnnnt.exe104⤵PID:640
-
\??\c:\bthhtn.exec:\bthhtn.exe105⤵PID:3812
-
\??\c:\dvdvj.exec:\dvdvj.exe106⤵PID:4936
-
\??\c:\vvddv.exec:\vvddv.exe107⤵PID:3156
-
\??\c:\9flfxff.exec:\9flfxff.exe108⤵PID:2372
-
\??\c:\hnhbhb.exec:\hnhbhb.exe109⤵PID:4892
-
\??\c:\bbtbtb.exec:\bbtbtb.exe110⤵PID:3096
-
\??\c:\ddddv.exec:\ddddv.exe111⤵PID:2112
-
\??\c:\3jpjj.exec:\3jpjj.exe112⤵PID:3028
-
\??\c:\fxffffl.exec:\fxffffl.exe113⤵PID:3256
-
\??\c:\bhnttt.exec:\bhnttt.exe114⤵PID:3032
-
\??\c:\jjddj.exec:\jjddj.exe115⤵PID:2776
-
\??\c:\5pddd.exec:\5pddd.exe116⤵PID:1112
-
\??\c:\rrfllxx.exec:\rrfllxx.exe117⤵PID:1404
-
\??\c:\nhttbh.exec:\nhttbh.exe118⤵PID:1944
-
\??\c:\tttttb.exec:\tttttb.exe119⤵PID:1292
-
\??\c:\dpvvv.exec:\dpvvv.exe120⤵PID:1340
-
\??\c:\7lxxxfx.exec:\7lxxxfx.exe121⤵PID:4736
-
\??\c:\hbhhhn.exec:\hbhhhn.exe122⤵PID:2252