Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
12-03-2024 04:05
Behavioral task
behavioral1
Sample
fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
General
-
Target
fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01.exe
-
Size
85KB
-
MD5
a0465d47e68aa08c02995761c9d29022
-
SHA1
6d76a73c8fc54dcf350d6ee04fa06fabc2b00a8c
-
SHA256
fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01
-
SHA512
874e53d68730a103d308cf04523adf2ff1558f437ef26f9ad31fca2b63a464ce07d8e69a07948808a6e7d6bf1b4d8489c64f6289fef7bd6e3e2487c3e246296b
-
SSDEEP
1536:hBvQBeOGtrYS3srx93UBWfwC6Ggnouy8uXuBGYRXs92kHEXHWbK:hBhOmTsF93UYfwC6GIoutYuBGYR/km
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4472-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4104-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1800-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1052-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2228-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/864-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3768-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1912-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1276-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2668-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/264-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4816-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3780-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1864-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1460-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-789-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-817-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-848-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-847-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-879-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1704-965-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/memory/4472-0-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4472-5-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2004-8-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x000700000001ebc7-10.dat UPX behavioral2/files/0x000500000001e735-4.dat UPX behavioral2/files/0x000d000000023163-12.dat UPX behavioral2/memory/4104-15-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00080000000231ea-20.dat UPX behavioral2/files/0x00070000000231eb-26.dat UPX behavioral2/memory/1800-29-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3252-27-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2484-19-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231ec-33.dat UPX behavioral2/files/0x00070000000231ee-43.dat UPX behavioral2/memory/5036-37-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231ed-38.dat UPX behavioral2/memory/1700-46-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3092-40-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/5016-53-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231f0-56.dat UPX behavioral2/memory/1052-59-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231f0-55.dat UPX behavioral2/files/0x00070000000231ef-50.dat UPX behavioral2/files/0x00070000000231f1-61.dat UPX behavioral2/memory/3112-64-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231f2-66.dat UPX behavioral2/files/0x000d000000023163-72.dat UPX behavioral2/memory/1564-76-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231f3-78.dat UPX behavioral2/memory/4760-82-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231f4-83.dat UPX 
behavioral2/files/0x00070000000231f5-87.dat UPX behavioral2/memory/2228-88-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/748-90-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/748-94-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231f7-93.dat UPX behavioral2/files/0x00070000000231f8-98.dat UPX behavioral2/memory/1444-99-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3120-102-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231f9-106.dat UPX behavioral2/memory/3428-108-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231fa-110.dat UPX behavioral2/memory/864-113-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/864-117-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231fb-116.dat UPX behavioral2/memory/3768-122-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231fc-121.dat UPX behavioral2/files/0x00070000000231fd-126.dat UPX behavioral2/memory/1912-127-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x00070000000231fe-131.dat UPX behavioral2/memory/4960-132-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2800-141-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x000a000000023168-139.dat UPX behavioral2/files/0x00070000000231ff-145.dat UPX behavioral2/files/0x0007000000023200-148.dat UPX behavioral2/files/0x0007000000023201-153.dat UPX behavioral2/memory/4840-154-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x0007000000023202-160.dat UPX behavioral2/memory/1276-162-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x0007000000023203-165.dat UPX behavioral2/memory/2668-159-0x0000000000400000-0x0000000000427000-memory.dmp UPX 
behavioral2/memory/2140-134-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/files/0x0007000000023204-171.dat UPX behavioral2/memory/1476-170-0x0000000000400000-0x0000000000427000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 2004 rrlxxrl.exe 4104 xxrxlxl.exe 2484 xlfxlfx.exe 3252 7fxrfxr.exe 1800 fxlfxrl.exe 5036 hbthtn.exe 3092 vdjvj.exe 1700 lllxfxl.exe 5016 jjjdv.exe 1052 llrlxrr.exe 3112 djddp.exe 996 vjdvj.exe 1564 xlfxlfx.exe 4760 httnhb.exe 2228 jppjv.exe 748 rxxrxxr.exe 1444 thhbtt.exe 3120 pvdpp.exe 3428 1ddpj.exe 864 xrlfxxr.exe 3768 ttttth.exe 1912 nhnbbt.exe 4960 jvjvj.exe 2140 lfxffrx.exe 2800 lrlxxxl.exe 544 hnnhtt.exe 4840 xrfxrrr.exe 2668 3xxxxxx.exe 1276 tbbnhh.exe 1476 bthbnt.exe 3392 1pdvj.exe 4712 9djdp.exe 264 pvdvj.exe 452 hnhtbt.exe 4344 tnthnh.exe 5024 3ppjv.exe 4560 1ddjp.exe 4364 pjdvj.exe 1864 xffxlfr.exe 2888 bnhbnh.exe 212 9jjjv.exe 548 5jdvj.exe 536 lffxfxx.exe 2020 nhhbtn.exe 2580 dvjvd.exe 4764 xxrxxxl.exe 2960 tttnbt.exe 1572 hhtnhn.exe 780 xllllxx.exe 4736 pjpjd.exe 1448 dvjvd.exe 4204 1llxlfx.exe 4504 nbbtnh.exe 4740 ppjjv.exe 952 flfxlfx.exe 1348 lrrlfxr.exe 3208 btbhhh.exe 4980 jdvjj.exe 2104 nttbth.exe 4756 nbhhbh.exe 1740 jjjjp.exe 1396 xflflxx.exe 3108 3vvpv.exe 1520 lrrrlfx.exe -
resource yara_rule behavioral2/memory/4472-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4472-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2004-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000001ebc7-10.dat upx behavioral2/files/0x000500000001e735-4.dat upx behavioral2/files/0x000d000000023163-12.dat upx behavioral2/memory/4104-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000231ea-20.dat upx behavioral2/files/0x00070000000231eb-26.dat upx behavioral2/memory/1800-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3252-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2484-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231ec-33.dat upx behavioral2/files/0x00070000000231ee-43.dat upx behavioral2/memory/5036-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231ed-38.dat upx behavioral2/memory/1700-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3092-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5016-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231f0-56.dat upx behavioral2/memory/1052-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231f0-55.dat upx behavioral2/files/0x00070000000231ef-50.dat upx behavioral2/files/0x00070000000231f1-61.dat upx behavioral2/memory/3112-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231f2-66.dat upx behavioral2/files/0x000d000000023163-72.dat upx behavioral2/memory/1564-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231f3-78.dat upx behavioral2/memory/4760-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231f4-83.dat upx 
behavioral2/files/0x00070000000231f5-87.dat upx behavioral2/memory/2228-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/748-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/748-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231f7-93.dat upx behavioral2/files/0x00070000000231f8-98.dat upx behavioral2/memory/1444-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3120-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231f9-106.dat upx behavioral2/memory/3428-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231fa-110.dat upx behavioral2/memory/864-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/864-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231fb-116.dat upx behavioral2/memory/3768-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231fc-121.dat upx behavioral2/files/0x00070000000231fd-126.dat upx behavioral2/memory/1912-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000231fe-131.dat upx behavioral2/memory/4960-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2800-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023168-139.dat upx behavioral2/files/0x00070000000231ff-145.dat upx behavioral2/files/0x0007000000023200-148.dat upx behavioral2/files/0x0007000000023201-153.dat upx behavioral2/memory/4840-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023202-160.dat upx behavioral2/memory/1276-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023203-165.dat upx behavioral2/memory/2668-159-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2140-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023204-171.dat upx behavioral2/memory/1476-170-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4472 wrote to memory of 2004 4472 fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01.exe 91 PID 4472 wrote to memory of 2004 4472 fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01.exe 91 PID 4472 wrote to memory of 2004 4472 fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01.exe 91 PID 2004 wrote to memory of 4104 2004 rrlxxrl.exe 92 PID 2004 wrote to memory of 4104 2004 rrlxxrl.exe 92 PID 2004 wrote to memory of 4104 2004 rrlxxrl.exe 92 PID 4104 wrote to memory of 2484 4104 xxrxlxl.exe 93 PID 4104 wrote to memory of 2484 4104 xxrxlxl.exe 93 PID 4104 wrote to memory of 2484 4104 xxrxlxl.exe 93 PID 2484 wrote to memory of 3252 2484 xlfxlfx.exe 94 PID 2484 wrote to memory of 3252 2484 xlfxlfx.exe 94 PID 2484 wrote to memory of 3252 2484 xlfxlfx.exe 94 PID 3252 wrote to memory of 1800 3252 7fxrfxr.exe 95 PID 3252 wrote to memory of 1800 3252 7fxrfxr.exe 95 PID 3252 wrote to memory of 1800 3252 7fxrfxr.exe 95 PID 1800 wrote to memory of 5036 1800 fxlfxrl.exe 96 PID 1800 wrote to memory of 5036 1800 fxlfxrl.exe 96 PID 1800 wrote to memory of 5036 1800 fxlfxrl.exe 96 PID 5036 wrote to memory of 3092 5036 hbthtn.exe 97 PID 5036 wrote to memory of 3092 5036 hbthtn.exe 97 PID 5036 wrote to memory of 3092 5036 hbthtn.exe 97 PID 3092 wrote to memory of 1700 3092 vdjvj.exe 98 PID 3092 wrote to memory of 1700 3092 vdjvj.exe 98 PID 3092 wrote to memory of 1700 3092 vdjvj.exe 98 PID 1700 wrote to memory of 5016 1700 lllxfxl.exe 99 PID 1700 wrote to memory of 5016 1700 lllxfxl.exe 99 PID 1700 wrote to memory of 5016 1700 lllxfxl.exe 99 PID 5016 wrote to memory of 1052 5016 jjjdv.exe 100 PID 5016 wrote to memory of 1052 5016 jjjdv.exe 100 PID 5016 wrote to memory of 1052 5016 jjjdv.exe 100 PID 1052 wrote to memory of 3112 1052 llrlxrr.exe 101 PID 1052 wrote to memory of 3112 1052 llrlxrr.exe 101 PID 1052 wrote to memory of 3112 1052 llrlxrr.exe 101 PID 3112 wrote to memory of 996 3112 djddp.exe 102 
PID 3112 wrote to memory of 996 3112 djddp.exe 102 PID 3112 wrote to memory of 996 3112 djddp.exe 102 PID 996 wrote to memory of 1564 996 vjdvj.exe 103 PID 996 wrote to memory of 1564 996 vjdvj.exe 103 PID 996 wrote to memory of 1564 996 vjdvj.exe 103 PID 1564 wrote to memory of 4760 1564 xlfxlfx.exe 104 PID 1564 wrote to memory of 4760 1564 xlfxlfx.exe 104 PID 1564 wrote to memory of 4760 1564 xlfxlfx.exe 104 PID 4760 wrote to memory of 2228 4760 httnhb.exe 105 PID 4760 wrote to memory of 2228 4760 httnhb.exe 105 PID 4760 wrote to memory of 2228 4760 httnhb.exe 105 PID 2228 wrote to memory of 748 2228 jppjv.exe 106 PID 2228 wrote to memory of 748 2228 jppjv.exe 106 PID 2228 wrote to memory of 748 2228 jppjv.exe 106 PID 748 wrote to memory of 1444 748 rxxrxxr.exe 107 PID 748 wrote to memory of 1444 748 rxxrxxr.exe 107 PID 748 wrote to memory of 1444 748 rxxrxxr.exe 107 PID 1444 wrote to memory of 3120 1444 thhbtt.exe 108 PID 1444 wrote to memory of 3120 1444 thhbtt.exe 108 PID 1444 wrote to memory of 3120 1444 thhbtt.exe 108 PID 3120 wrote to memory of 3428 3120 pvdpp.exe 109 PID 3120 wrote to memory of 3428 3120 pvdpp.exe 109 PID 3120 wrote to memory of 3428 3120 pvdpp.exe 109 PID 3428 wrote to memory of 864 3428 1ddpj.exe 110 PID 3428 wrote to memory of 864 3428 1ddpj.exe 110 PID 3428 wrote to memory of 864 3428 1ddpj.exe 110 PID 864 wrote to memory of 3768 864 xrlfxxr.exe 111 PID 864 wrote to memory of 3768 864 xrlfxxr.exe 111 PID 864 wrote to memory of 3768 864 xrlfxxr.exe 111 PID 3768 wrote to memory of 1912 3768 ttttth.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01.exe"C:\Users\Admin\AppData\Local\Temp\fceb3fbd2800e7b015b4858c845d4b3e961d1ae7c8e00ee59a8e449897194e01.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\rrlxxrl.exec:\rrlxxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\xxrxlxl.exec:\xxrxlxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\xlfxlfx.exec:\xlfxlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\7fxrfxr.exec:\7fxrfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\hbthtn.exec:\hbthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\vdjvj.exec:\vdjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\lllxfxl.exec:\lllxfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\jjjdv.exec:\jjjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\llrlxrr.exec:\llrlxrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\djddp.exec:\djddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\vjdvj.exec:\vjdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\xlfxlfx.exec:\xlfxlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\httnhb.exec:\httnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\jppjv.exec:\jppjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\rxxrxxr.exec:\rxxrxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\thhbtt.exec:\thhbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\pvdpp.exec:\pvdpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\1ddpj.exec:\1ddpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\ttttth.exec:\ttttth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\nhnbbt.exec:\nhnbbt.exe23⤵
- Executes dropped EXE
PID:1912 -
\??\c:\jvjvj.exec:\jvjvj.exe24⤵
- Executes dropped EXE
PID:4960 -
\??\c:\lfxffrx.exec:\lfxffrx.exe25⤵
- Executes dropped EXE
PID:2140 -
\??\c:\lrlxxxl.exec:\lrlxxxl.exe26⤵
- Executes dropped EXE
PID:2800 -
\??\c:\hnnhtt.exec:\hnnhtt.exe27⤵
- Executes dropped EXE
PID:544 -
\??\c:\xrfxrrr.exec:\xrfxrrr.exe28⤵
- Executes dropped EXE
PID:4840 -
\??\c:\3xxxxxx.exec:\3xxxxxx.exe29⤵
- Executes dropped EXE
PID:2668 -
\??\c:\tbbnhh.exec:\tbbnhh.exe30⤵
- Executes dropped EXE
PID:1276 -
\??\c:\bthbnt.exec:\bthbnt.exe31⤵
- Executes dropped EXE
PID:1476 -
\??\c:\1pdvj.exec:\1pdvj.exe32⤵
- Executes dropped EXE
PID:3392 -
\??\c:\9djdp.exec:\9djdp.exe33⤵
- Executes dropped EXE
PID:4712 -
\??\c:\pvdvj.exec:\pvdvj.exe34⤵
- Executes dropped EXE
PID:264 -
\??\c:\hnhtbt.exec:\hnhtbt.exe35⤵
- Executes dropped EXE
PID:452 -
\??\c:\tnthnh.exec:\tnthnh.exe36⤵
- Executes dropped EXE
PID:4344 -
\??\c:\3ppjv.exec:\3ppjv.exe37⤵
- Executes dropped EXE
PID:5024 -
\??\c:\1ddjp.exec:\1ddjp.exe38⤵
- Executes dropped EXE
PID:4560 -
\??\c:\pjdvj.exec:\pjdvj.exe39⤵
- Executes dropped EXE
PID:4364 -
\??\c:\xffxlfr.exec:\xffxlfr.exe40⤵
- Executes dropped EXE
PID:1864 -
\??\c:\bnhbnh.exec:\bnhbnh.exe41⤵
- Executes dropped EXE
PID:2888 -
\??\c:\9jjjv.exec:\9jjjv.exe42⤵
- Executes dropped EXE
PID:212 -
\??\c:\5jdvj.exec:\5jdvj.exe43⤵
- Executes dropped EXE
PID:548 -
\??\c:\lffxfxx.exec:\lffxfxx.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\nhhbtn.exec:\nhhbtn.exe45⤵
- Executes dropped EXE
PID:2020 -
\??\c:\dvjvd.exec:\dvjvd.exe46⤵
- Executes dropped EXE
PID:2580 -
\??\c:\xxrxxxl.exec:\xxrxxxl.exe47⤵
- Executes dropped EXE
PID:4764 -
\??\c:\tttnbt.exec:\tttnbt.exe48⤵
- Executes dropped EXE
PID:2960 -
\??\c:\hhtnhn.exec:\hhtnhn.exe49⤵
- Executes dropped EXE
PID:1572 -
\??\c:\xllllxx.exec:\xllllxx.exe50⤵
- Executes dropped EXE
PID:780 -
\??\c:\pjpjd.exec:\pjpjd.exe51⤵
- Executes dropped EXE
PID:4736 -
\??\c:\dvjvd.exec:\dvjvd.exe52⤵
- Executes dropped EXE
PID:1448 -
\??\c:\1llxlfx.exec:\1llxlfx.exe53⤵
- Executes dropped EXE
PID:4204 -
\??\c:\nbbtnh.exec:\nbbtnh.exe54⤵
- Executes dropped EXE
PID:4504 -
\??\c:\ppjjv.exec:\ppjjv.exe55⤵
- Executes dropped EXE
PID:4740 -
\??\c:\flfxlfx.exec:\flfxlfx.exe56⤵
- Executes dropped EXE
PID:952 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe57⤵
- Executes dropped EXE
PID:1348 -
\??\c:\btbhhh.exec:\btbhhh.exe58⤵
- Executes dropped EXE
PID:3208 -
\??\c:\jdvjj.exec:\jdvjj.exe59⤵
- Executes dropped EXE
PID:4980 -
\??\c:\nttbth.exec:\nttbth.exe60⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nbhhbh.exec:\nbhhbh.exe61⤵
- Executes dropped EXE
PID:4756 -
\??\c:\jjjjp.exec:\jjjjp.exe62⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xflflxx.exec:\xflflxx.exe63⤵
- Executes dropped EXE
PID:1396 -
\??\c:\3vvpv.exec:\3vvpv.exe64⤵
- Executes dropped EXE
PID:3108 -
\??\c:\lrrrlfx.exec:\lrrrlfx.exe65⤵
- Executes dropped EXE
PID:1520 -
\??\c:\rxrxrfx.exec:\rxrxrfx.exe66⤵PID:4816
-
\??\c:\vppdv.exec:\vppdv.exe67⤵PID:384
-
\??\c:\tbbtnn.exec:\tbbtnn.exe68⤵PID:4984
-
\??\c:\thnhbb.exec:\thnhbb.exe69⤵PID:4572
-
\??\c:\jvvpp.exec:\jvvpp.exe70⤵PID:2140
-
\??\c:\5llrffx.exec:\5llrffx.exe71⤵PID:220
-
\??\c:\hbtbtb.exec:\hbtbtb.exe72⤵PID:5012
-
\??\c:\nbthtn.exec:\nbthtn.exe73⤵PID:3264
-
\??\c:\1vjdp.exec:\1vjdp.exe74⤵PID:4828
-
\??\c:\rlfrrrl.exec:\rlfrrrl.exe75⤵PID:876
-
\??\c:\fxrrlff.exec:\fxrrlff.exe76⤵PID:1632
-
\??\c:\3ttthh.exec:\3ttthh.exe77⤵PID:1536
-
\??\c:\djddp.exec:\djddp.exe78⤵PID:3708
-
\??\c:\3pdvj.exec:\3pdvj.exe79⤵PID:3696
-
\??\c:\vppjj.exec:\vppjj.exe80⤵PID:2260
-
\??\c:\fllfllf.exec:\fllfllf.exe81⤵PID:3056
-
\??\c:\tnhbtn.exec:\tnhbtn.exe82⤵PID:3780
-
\??\c:\7ddpd.exec:\7ddpd.exe83⤵PID:3572
-
\??\c:\jjpdp.exec:\jjpdp.exe84⤵PID:4320
-
\??\c:\nbtnhb.exec:\nbtnhb.exe85⤵PID:2776
-
\??\c:\pdvpv.exec:\pdvpv.exe86⤵PID:4364
-
\??\c:\vjvvj.exec:\vjvvj.exe87⤵PID:1864
-
\??\c:\flxrfxr.exec:\flxrfxr.exe88⤵PID:4924
-
\??\c:\hhhbnh.exec:\hhhbnh.exe89⤵PID:2524
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe90⤵PID:4032
-
\??\c:\bthtbb.exec:\bthtbb.exe91⤵PID:4872
-
\??\c:\9jjdp.exec:\9jjdp.exe92⤵PID:3092
-
\??\c:\7pjvj.exec:\7pjvj.exe93⤵PID:1480
-
\??\c:\fffxrlf.exec:\fffxrlf.exe94⤵PID:1460
-
\??\c:\5llflfr.exec:\5llflfr.exe95⤵PID:4356
-
\??\c:\bnbtbt.exec:\bnbtbt.exe96⤵PID:1052
-
\??\c:\hbhnnb.exec:\hbhnnb.exe97⤵PID:5116
-
\??\c:\hbnbbn.exec:\hbnbbn.exe98⤵PID:3608
-
\??\c:\5pjdp.exec:\5pjdp.exe99⤵PID:3988
-
\??\c:\5pjdp.exec:\5pjdp.exe100⤵PID:4316
-
\??\c:\rfllxrx.exec:\rfllxrx.exe101⤵PID:1664
-
\??\c:\rrffrlx.exec:\rrffrlx.exe102⤵PID:1592
-
\??\c:\nhbthh.exec:\nhbthh.exe103⤵PID:1456
-
\??\c:\hbhbtn.exec:\hbhbtn.exe104⤵PID:432
-
\??\c:\vddvd.exec:\vddvd.exe105⤵PID:1060
-
\??\c:\jdvjd.exec:\jdvjd.exe106⤵PID:2340
-
\??\c:\lrllrrf.exec:\lrllrrf.exe107⤵PID:1012
-
\??\c:\djjjj.exec:\djjjj.exe108⤵PID:3668
-
\??\c:\7fxrllf.exec:\7fxrllf.exe109⤵PID:1136
-
\??\c:\tnttnt.exec:\tnttnt.exe110⤵PID:2664
-
\??\c:\dvdvj.exec:\dvdvj.exe111⤵PID:1520
-
\??\c:\dpvvv.exec:\dpvvv.exe112⤵PID:1760
-
\??\c:\rllrlrf.exec:\rllrlrf.exe113⤵PID:2932
-
\??\c:\hbtbtb.exec:\hbtbtb.exe114⤵PID:1704
-
\??\c:\3nhhbh.exec:\3nhhbh.exe115⤵PID:4824
-
\??\c:\frlfxrf.exec:\frlfxrf.exe116⤵PID:2356
-
\??\c:\frlflfl.exec:\frlflfl.exe117⤵PID:4332
-
\??\c:\thhtnh.exec:\thhtnh.exe118⤵PID:2248
-
\??\c:\dvjdd.exec:\dvjdd.exe119⤵PID:1708
-
\??\c:\pddpd.exec:\pddpd.exe120⤵PID:1688
-
\??\c:\vpvpp.exec:\vpvpp.exe121⤵PID:3740
-
\??\c:\lffxffx.exec:\lffxffx.exe122⤵PID:4276