Analysis
-
max time kernel
58s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 04:41
Behavioral task
behavioral1
Sample
adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe
Resource
win7-20240220-en
6 signatures
150 seconds
General
-
Target
adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe
-
Size
334KB
-
MD5
564e9ad5fcfa227de35ad81162140bdc
-
SHA1
bfbb7a1e440c207c72f6a9a2c380c87283e3a932
-
SHA256
adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7
-
SHA512
6aaf557e6d538d0ee98e4e8de6faad0614dbe1808eea04c2b4e786d72f2ed3908164d6e9c47bd64162db480aaa217fc5e6a9921154b12f2cf6acb554fd03a8bd
-
SSDEEP
6144:rcm4FmowdHoSphraHcpOaKHpXfRo0V8JcgE+ezpg1i/R:x4wFHoS3eFaKHpv/VycgE8oR
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/5064-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1304-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2756-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3704-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1620-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2760-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1108-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1108-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3768-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2096-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2760-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-585-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-630-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-634-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-756-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4612-772-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/5064-0-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/5064-5-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\xlrrrxx.exe UPX behavioral2/memory/3384-8-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\bnbnbn.exe UPX C:\jdpjj.exe UPX behavioral2/memory/1304-17-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\rrlffxx.exe UPX behavioral2/memory/1844-24-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\nhnbnt.exe UPX behavioral2/memory/1056-32-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1556-26-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\vpdvv.exe UPX \??\c:\dddjj.exe UPX C:\rffrlll.exe UPX behavioral2/memory/4276-45-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\flxrrxf.exe UPX behavioral2/memory/4580-53-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\jjpdp.exe UPX C:\dpppv.exe UPX behavioral2/memory/2756-64-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2976-65-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\xlxxlrl.exe UPX behavioral2/memory/2976-70-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\bttbht.exe UPX behavioral2/memory/2472-76-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\djppv.exe UPX behavioral2/memory/1028-83-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\tnbbth.exe UPX behavioral2/memory/1196-89-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\rxxfxxl.exe UPX behavioral2/memory/2328-94-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\jjdjd.exe UPX behavioral2/memory/2816-101-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\bhbtbb.exe UPX behavioral2/memory/2816-107-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\hnnnnn.exe UPX \??\c:\fxlrrff.exe UPX C:\htntbb.exe UPX behavioral2/memory/3704-126-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\dvjdd.exe UPX 
behavioral2/memory/4416-131-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/5116-122-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\vvdvv.exe UPX behavioral2/memory/3132-138-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1160-116-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\hnhhhb.exe UPX behavioral2/memory/1620-143-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\hbtthn.exe UPX behavioral2/memory/1620-147-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\xrlrxff.exe UPX behavioral2/memory/904-158-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\nhnbnn.exe UPX C:\ffffxlf.exe UPX C:\dpddd.exe UPX behavioral2/memory/4900-172-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4812-170-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4900-176-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\bttbhn.exe UPX C:\xxlllrr.exe UPX C:\jdjpj.exe UPX behavioral2/memory/2760-192-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4916-199-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1368-209-0x0000000000400000-0x0000000000427000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
xlrrrxx.exe bnbnbn.exe jdpjj.exe rrlffxx.exe nhnbnt.exe vpdvv.exe dddjj.exe rffrlll.exe flxrrxf.exe jjpdp.exe dpppv.exe xlxxlrl.exe bttbht.exe djppv.exe tnbbth.exe rxxfxxl.exe jjdjd.exe bhbtbb.exe hnnnnn.exe fxlrrff.exe htntbb.exe dvjdd.exe vvdvv.exe hnhhhb.exe hbtthn.exe xrlrxff.exe nhnbnn.exe ffffxlf.exe dpddd.exe bttbhn.exe xxlllrr.exe jdjpj.exe rlrrrxx.exe thnnnn.exe dddpp.exe lrrffff.exe tbhbtt.exe dvppp.exe rrfllff.exe nnbttt.exe vvddd.exe rrlrrfr.exe nnnnnt.exe 7pppp.exe rffflll.exe bhhhhh.exe vdjpj.exe rxfxlxr.exe tthhnn.exe pjppp.exe rxfffff.exe bnbtnh.exe jjpdv.exe hbntnt.exe dvppd.exe tbhthb.exe vdvvp.exe rrrlllf.exe tntnhh.exe rxrrllf.exe nnbhth.exe btntnt.exe ppppp.exe xxlrlxx.exe pid process 3384 xlrrrxx.exe 1304 bnbnbn.exe 1556 jdpjj.exe 1844 rrlffxx.exe 1056 nhnbnt.exe 2164 vpdvv.exe 4276 dddjj.exe 2744 rffrlll.exe 4580 flxrrxf.exe 2756 jjpdp.exe 2976 dpppv.exe 2472 xlxxlrl.exe 1028 bttbht.exe 1196 djppv.exe 2344 tnbbth.exe 2328 rxxfxxl.exe 2816 jjdjd.exe 624 bhbtbb.exe 1160 hnnnnn.exe 5116 fxlrrff.exe 3704 htntbb.exe 4416 dvjdd.exe 3132 vvdvv.exe 1620 hnhhhb.exe 1016 hbtthn.exe 904 xrlrxff.exe 2796 nhnbnn.exe 4812 ffffxlf.exe 4900 dpddd.exe 3932 bttbhn.exe 1736 xxlllrr.exe 2760 jdjpj.exe 4780 rlrrrxx.exe 4916 thnnnn.exe 4432 dddpp.exe 4808 lrrffff.exe 1368 tbhbtt.exe 2348 dvppp.exe 4436 rrfllff.exe 3728 nnbttt.exe 2820 vvddd.exe 3464 rrlrrfr.exe 3512 nnnnnt.exe 1500 7pppp.exe 1896 rffflll.exe 2004 bhhhhh.exe 3516 vdjpj.exe 3528 rxfxlxr.exe 3124 tthhnn.exe 1448 pjppp.exe 2304 rxfffff.exe 880 bnbtnh.exe 368 jjpdv.exe 4404 hbntnt.exe 3000 dvppd.exe 4492 tbhthb.exe 1108 vdvvp.exe 544 rrrlllf.exe 2260 tntnhh.exe 2412 rxrrllf.exe 1176 nnbhth.exe 4700 btntnt.exe 4456 ppppp.exe 3768 xxlrlxx.exe -
Processes:
resource yara_rule behavioral2/memory/5064-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5064-5-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\xlrrrxx.exe upx behavioral2/memory/3384-8-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bnbnbn.exe upx C:\jdpjj.exe upx behavioral2/memory/1304-17-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rrlffxx.exe upx behavioral2/memory/1844-24-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\nhnbnt.exe upx behavioral2/memory/1056-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1556-26-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vpdvv.exe upx \??\c:\dddjj.exe upx C:\rffrlll.exe upx behavioral2/memory/4276-45-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\flxrrxf.exe upx behavioral2/memory/4580-53-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjpdp.exe upx C:\dpppv.exe upx behavioral2/memory/2756-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2976-65-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xlxxlrl.exe upx behavioral2/memory/2976-70-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bttbht.exe upx behavioral2/memory/2472-76-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\djppv.exe upx behavioral2/memory/1028-83-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tnbbth.exe upx behavioral2/memory/1196-89-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rxxfxxl.exe upx behavioral2/memory/2328-94-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjdjd.exe upx behavioral2/memory/2816-101-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bhbtbb.exe upx behavioral2/memory/2816-107-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hnnnnn.exe upx \??\c:\fxlrrff.exe upx C:\htntbb.exe upx behavioral2/memory/3704-126-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvjdd.exe upx 
behavioral2/memory/4416-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5116-122-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vvdvv.exe upx behavioral2/memory/3132-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1160-116-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hnhhhb.exe upx behavioral2/memory/1620-143-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hbtthn.exe upx behavioral2/memory/1620-147-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xrlrxff.exe upx behavioral2/memory/904-158-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nhnbnn.exe upx C:\ffffxlf.exe upx C:\dpddd.exe upx behavioral2/memory/4900-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4812-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4900-176-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bttbhn.exe upx C:\xxlllrr.exe upx C:\jdjpj.exe upx behavioral2/memory/2760-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4916-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1368-209-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe xlrrrxx.exe bnbnbn.exe jdpjj.exe rrlffxx.exe nhnbnt.exe vpdvv.exe dddjj.exe rffrlll.exe flxrrxf.exe jjpdp.exe dpppv.exe xlxxlrl.exe bttbht.exe djppv.exe tnbbth.exe rxxfxxl.exe jjdjd.exe bhbtbb.exe hnnnnn.exe fxlrrff.exe htntbb.exe description pid process target process PID 5064 wrote to memory of 3384 5064 adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe xlrrrxx.exe PID 5064 wrote to memory of 3384 5064 adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe xlrrrxx.exe PID 5064 wrote to memory of 3384 5064 adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe xlrrrxx.exe PID 3384 wrote to memory of 1304 3384 xlrrrxx.exe bnbnbn.exe PID 3384 wrote to memory of 1304 3384 xlrrrxx.exe bnbnbn.exe PID 3384 wrote to memory of 1304 3384 xlrrrxx.exe bnbnbn.exe PID 1304 wrote to memory of 1556 1304 bnbnbn.exe jdpjj.exe PID 1304 wrote to memory of 1556 1304 bnbnbn.exe jdpjj.exe PID 1304 wrote to memory of 1556 1304 bnbnbn.exe jdpjj.exe PID 1556 wrote to memory of 1844 1556 jdpjj.exe rrlffxx.exe PID 1556 wrote to memory of 1844 1556 jdpjj.exe rrlffxx.exe PID 1556 wrote to memory of 1844 1556 jdpjj.exe rrlffxx.exe PID 1844 wrote to memory of 1056 1844 rrlffxx.exe nhnbnt.exe PID 1844 wrote to memory of 1056 1844 rrlffxx.exe nhnbnt.exe PID 1844 wrote to memory of 1056 1844 rrlffxx.exe nhnbnt.exe PID 1056 wrote to memory of 2164 1056 nhnbnt.exe vpdvv.exe PID 1056 wrote to memory of 2164 1056 nhnbnt.exe vpdvv.exe PID 1056 wrote to memory of 2164 1056 nhnbnt.exe vpdvv.exe PID 2164 wrote to memory of 4276 2164 vpdvv.exe dddjj.exe PID 2164 wrote to memory of 4276 2164 vpdvv.exe dddjj.exe PID 2164 wrote to memory of 4276 2164 vpdvv.exe dddjj.exe PID 4276 wrote to memory of 2744 4276 dddjj.exe rffrlll.exe PID 4276 wrote to memory of 2744 4276 dddjj.exe rffrlll.exe PID 4276 wrote to memory of 2744 4276 dddjj.exe rffrlll.exe PID 2744 wrote to memory of 4580 2744 rffrlll.exe flxrrxf.exe PID 2744 
wrote to memory of 4580 2744 rffrlll.exe flxrrxf.exe PID 2744 wrote to memory of 4580 2744 rffrlll.exe flxrrxf.exe PID 4580 wrote to memory of 2756 4580 flxrrxf.exe jjpdp.exe PID 4580 wrote to memory of 2756 4580 flxrrxf.exe jjpdp.exe PID 4580 wrote to memory of 2756 4580 flxrrxf.exe jjpdp.exe PID 2756 wrote to memory of 2976 2756 jjpdp.exe dpppv.exe PID 2756 wrote to memory of 2976 2756 jjpdp.exe dpppv.exe PID 2756 wrote to memory of 2976 2756 jjpdp.exe dpppv.exe PID 2976 wrote to memory of 2472 2976 dpppv.exe xlxxlrl.exe PID 2976 wrote to memory of 2472 2976 dpppv.exe xlxxlrl.exe PID 2976 wrote to memory of 2472 2976 dpppv.exe xlxxlrl.exe PID 2472 wrote to memory of 1028 2472 xlxxlrl.exe bttbht.exe PID 2472 wrote to memory of 1028 2472 xlxxlrl.exe bttbht.exe PID 2472 wrote to memory of 1028 2472 xlxxlrl.exe bttbht.exe PID 1028 wrote to memory of 1196 1028 bttbht.exe djppv.exe PID 1028 wrote to memory of 1196 1028 bttbht.exe djppv.exe PID 1028 wrote to memory of 1196 1028 bttbht.exe djppv.exe PID 1196 wrote to memory of 2344 1196 djppv.exe tnbbth.exe PID 1196 wrote to memory of 2344 1196 djppv.exe tnbbth.exe PID 1196 wrote to memory of 2344 1196 djppv.exe tnbbth.exe PID 2344 wrote to memory of 2328 2344 tnbbth.exe rxxfxxl.exe PID 2344 wrote to memory of 2328 2344 tnbbth.exe rxxfxxl.exe PID 2344 wrote to memory of 2328 2344 tnbbth.exe rxxfxxl.exe PID 2328 wrote to memory of 2816 2328 rxxfxxl.exe jjdjd.exe PID 2328 wrote to memory of 2816 2328 rxxfxxl.exe jjdjd.exe PID 2328 wrote to memory of 2816 2328 rxxfxxl.exe jjdjd.exe PID 2816 wrote to memory of 624 2816 jjdjd.exe bhbtbb.exe PID 2816 wrote to memory of 624 2816 jjdjd.exe bhbtbb.exe PID 2816 wrote to memory of 624 2816 jjdjd.exe bhbtbb.exe PID 624 wrote to memory of 1160 624 bhbtbb.exe hnnnnn.exe PID 624 wrote to memory of 1160 624 bhbtbb.exe hnnnnn.exe PID 624 wrote to memory of 1160 624 bhbtbb.exe hnnnnn.exe PID 1160 wrote to memory of 5116 1160 hnnnnn.exe fxlrrff.exe PID 1160 wrote to memory of 5116 1160 
hnnnnn.exe fxlrrff.exe PID 1160 wrote to memory of 5116 1160 hnnnnn.exe fxlrrff.exe PID 5116 wrote to memory of 3704 5116 fxlrrff.exe htntbb.exe PID 5116 wrote to memory of 3704 5116 fxlrrff.exe htntbb.exe PID 5116 wrote to memory of 3704 5116 fxlrrff.exe htntbb.exe PID 3704 wrote to memory of 4416 3704 htntbb.exe dvjdd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe"C:\Users\Admin\AppData\Local\Temp\adce6595b67d485addd7318b3930d59e4e446e383a1b839bde7f9b08b585c2a7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\xlrrrxx.exec:\xlrrrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\bnbnbn.exec:\bnbnbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\jdpjj.exec:\jdpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\rrlffxx.exec:\rrlffxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\nhnbnt.exec:\nhnbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\vpdvv.exec:\vpdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\dddjj.exec:\dddjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\rffrlll.exec:\rffrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\flxrrxf.exec:\flxrrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\jjpdp.exec:\jjpdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\dpppv.exec:\dpppv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\xlxxlrl.exec:\xlxxlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\bttbht.exec:\bttbht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\djppv.exec:\djppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\tnbbth.exec:\tnbbth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\rxxfxxl.exec:\rxxfxxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\jjdjd.exec:\jjdjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\bhbtbb.exec:\bhbtbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\hnnnnn.exec:\hnnnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\fxlrrff.exec:\fxlrrff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\htntbb.exec:\htntbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\dvjdd.exec:\dvjdd.exe23⤵
- Executes dropped EXE
PID:4416 -
\??\c:\vvdvv.exec:\vvdvv.exe24⤵
- Executes dropped EXE
PID:3132 -
\??\c:\hnhhhb.exec:\hnhhhb.exe25⤵
- Executes dropped EXE
PID:1620 -
\??\c:\hbtthn.exec:\hbtthn.exe26⤵
- Executes dropped EXE
PID:1016 -
\??\c:\xrlrxff.exec:\xrlrxff.exe27⤵
- Executes dropped EXE
PID:904 -
\??\c:\nhnbnn.exec:\nhnbnn.exe28⤵
- Executes dropped EXE
PID:2796 -
\??\c:\ffffxlf.exec:\ffffxlf.exe29⤵
- Executes dropped EXE
PID:4812 -
\??\c:\dpddd.exec:\dpddd.exe30⤵
- Executes dropped EXE
PID:4900 -
\??\c:\bttbhn.exec:\bttbhn.exe31⤵
- Executes dropped EXE
PID:3932 -
\??\c:\xxlllrr.exec:\xxlllrr.exe32⤵
- Executes dropped EXE
PID:1736 -
\??\c:\jdjpj.exec:\jdjpj.exe33⤵
- Executes dropped EXE
PID:2760 -
\??\c:\rlrrrxx.exec:\rlrrrxx.exe34⤵
- Executes dropped EXE
PID:4780 -
\??\c:\thnnnn.exec:\thnnnn.exe35⤵
- Executes dropped EXE
PID:4916 -
\??\c:\dddpp.exec:\dddpp.exe36⤵
- Executes dropped EXE
PID:4432 -
\??\c:\lrrffff.exec:\lrrffff.exe37⤵
- Executes dropped EXE
PID:4808 -
\??\c:\tbhbtt.exec:\tbhbtt.exe38⤵
- Executes dropped EXE
PID:1368 -
\??\c:\dvppp.exec:\dvppp.exe39⤵
- Executes dropped EXE
PID:2348 -
\??\c:\rrfllff.exec:\rrfllff.exe40⤵
- Executes dropped EXE
PID:4436 -
\??\c:\nnbttt.exec:\nnbttt.exe41⤵
- Executes dropped EXE
PID:3728 -
\??\c:\vvddd.exec:\vvddd.exe42⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rrlrrfr.exec:\rrlrrfr.exe43⤵
- Executes dropped EXE
PID:3464 -
\??\c:\nnnnnt.exec:\nnnnnt.exe44⤵
- Executes dropped EXE
PID:3512 -
\??\c:\7pppp.exec:\7pppp.exe45⤵
- Executes dropped EXE
PID:1500 -
\??\c:\rffflll.exec:\rffflll.exe46⤵
- Executes dropped EXE
PID:1896 -
\??\c:\bhhhhh.exec:\bhhhhh.exe47⤵
- Executes dropped EXE
PID:2004 -
\??\c:\vdjpj.exec:\vdjpj.exe48⤵
- Executes dropped EXE
PID:3516 -
\??\c:\rxfxlxr.exec:\rxfxlxr.exe49⤵
- Executes dropped EXE
PID:3528 -
\??\c:\tthhnn.exec:\tthhnn.exe50⤵
- Executes dropped EXE
PID:3124 -
\??\c:\pjppp.exec:\pjppp.exe51⤵
- Executes dropped EXE
PID:1448 -
\??\c:\rxfffff.exec:\rxfffff.exe52⤵
- Executes dropped EXE
PID:2304 -
\??\c:\bnbtnh.exec:\bnbtnh.exe53⤵
- Executes dropped EXE
PID:880 -
\??\c:\jjpdv.exec:\jjpdv.exe54⤵
- Executes dropped EXE
PID:368 -
\??\c:\hbntnt.exec:\hbntnt.exe55⤵
- Executes dropped EXE
PID:4404 -
\??\c:\dvppd.exec:\dvppd.exe56⤵
- Executes dropped EXE
PID:3000 -
\??\c:\tbhthb.exec:\tbhthb.exe57⤵
- Executes dropped EXE
PID:4492 -
\??\c:\vdvvp.exec:\vdvvp.exe58⤵
- Executes dropped EXE
PID:1108 -
\??\c:\rrrlllf.exec:\rrrlllf.exe59⤵
- Executes dropped EXE
PID:544 -
\??\c:\tntnhh.exec:\tntnhh.exe60⤵
- Executes dropped EXE
PID:2260 -
\??\c:\rxrrllf.exec:\rxrrllf.exe61⤵
- Executes dropped EXE
PID:2412 -
\??\c:\nnbhth.exec:\nnbhth.exe62⤵
- Executes dropped EXE
PID:1176 -
\??\c:\btntnt.exec:\btntnt.exe63⤵
- Executes dropped EXE
PID:4700 -
\??\c:\ppppp.exec:\ppppp.exe64⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xxlrlxx.exec:\xxlrlxx.exe65⤵
- Executes dropped EXE
PID:3768 -
\??\c:\tnbhnb.exec:\tnbhnb.exe66⤵PID:4480
-
\??\c:\dvppv.exec:\dvppv.exe67⤵PID:3096
-
\??\c:\rfllfxx.exec:\rfllfxx.exe68⤵PID:3312
-
\??\c:\bhttbh.exec:\bhttbh.exe69⤵PID:4524
-
\??\c:\pdjvd.exec:\pdjvd.exe70⤵PID:4544
-
\??\c:\xxflrff.exec:\xxflrff.exe71⤵PID:2384
-
\??\c:\htttnb.exec:\htttnb.exe72⤵PID:2428
-
\??\c:\jjpjv.exec:\jjpjv.exe73⤵PID:2784
-
\??\c:\xflrrfr.exec:\xflrrfr.exe74⤵PID:1620
-
\??\c:\hhbbnt.exec:\hhbbnt.exe75⤵PID:2740
-
\??\c:\vjpdp.exec:\vjpdp.exe76⤵PID:3436
-
\??\c:\xfxxxfl.exec:\xfxxxfl.exe77⤵PID:2096
-
\??\c:\ntttnt.exec:\ntttnt.exe78⤵PID:2936
-
\??\c:\ppvvp.exec:\ppvvp.exe79⤵PID:780
-
\??\c:\xfffllf.exec:\xfffllf.exe80⤵PID:3960
-
\??\c:\nhhnnb.exec:\nhhnnb.exe81⤵PID:2284
-
\??\c:\7jvvv.exec:\7jvvv.exe82⤵PID:1068
-
\??\c:\1xlllrr.exec:\1xlllrr.exe83⤵PID:1736
-
\??\c:\nnhhhn.exec:\nnhhhn.exe84⤵PID:2760
-
\??\c:\ddpvv.exec:\ddpvv.exe85⤵PID:3700
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe86⤵PID:4616
-
\??\c:\bhtbtn.exec:\bhtbtn.exe87⤵PID:4808
-
\??\c:\dpvpp.exec:\dpvpp.exe88⤵PID:3460
-
\??\c:\lxffflx.exec:\lxffflx.exe89⤵PID:3236
-
\??\c:\bhtnnb.exec:\bhtnnb.exe90⤵PID:1132
-
\??\c:\jjdjd.exec:\jjdjd.exe91⤵PID:1476
-
\??\c:\vpvjd.exec:\vpvjd.exe92⤵PID:2448
-
\??\c:\rxrxlff.exec:\rxrxlff.exe93⤵PID:1896
-
\??\c:\9ntnhh.exec:\9ntnhh.exe94⤵PID:1732
-
\??\c:\ddvvj.exec:\ddvvj.exe95⤵PID:3516
-
\??\c:\9flllfx.exec:\9flllfx.exe96⤵PID:464
-
\??\c:\hbbbbh.exec:\hbbbbh.exe97⤵PID:4984
-
\??\c:\pvjjp.exec:\pvjjp.exe98⤵PID:736
-
\??\c:\jjjjd.exec:\jjjjd.exe99⤵PID:4528
-
\??\c:\bhtnbb.exec:\bhtnbb.exe100⤵PID:828
-
\??\c:\jjjjp.exec:\jjjjp.exe101⤵PID:2476
-
\??\c:\xxlrrrr.exec:\xxlrrrr.exe102⤵PID:4188
-
\??\c:\rrflrrf.exec:\rrflrrf.exe103⤵PID:2976
-
\??\c:\tbttbh.exec:\tbttbh.exe104⤵PID:3692
-
\??\c:\7jppv.exec:\7jppv.exe105⤵PID:748
-
\??\c:\pjvvd.exec:\pjvvd.exe106⤵PID:544
-
\??\c:\pppvd.exec:\pppvd.exe107⤵PID:5040
-
\??\c:\7rrffll.exec:\7rrffll.exe108⤵PID:2412
-
\??\c:\3hnnnn.exec:\3hnnnn.exe109⤵PID:1176
-
\??\c:\jvddp.exec:\jvddp.exe110⤵PID:4700
-
\??\c:\llxffrr.exec:\llxffrr.exe111⤵PID:4456
-
\??\c:\thhhnn.exec:\thhhnn.exe112⤵PID:4552
-
\??\c:\xlfrxrx.exec:\xlfrxrx.exe113⤵PID:2536
-
\??\c:\hnbthb.exec:\hnbthb.exe114⤵PID:1716
-
\??\c:\pvjjj.exec:\pvjjj.exe115⤵PID:3412
-
\??\c:\3lfxlfx.exec:\3lfxlfx.exe116⤵PID:4904
-
\??\c:\djjpj.exec:\djjpj.exe117⤵PID:612
-
\??\c:\xlxrrxx.exec:\xlxrrxx.exe118⤵PID:1708
-
\??\c:\btnhth.exec:\btnhth.exe119⤵PID:2428
-
\??\c:\frrxfff.exec:\frrxfff.exe120⤵PID:2784
-
\??\c:\vjvpd.exec:\vjvpd.exe121⤵PID:1620
-
\??\c:\xrrlrxl.exec:\xrrlrxl.exe122⤵PID:2740
-