Analysis
-
max time kernel
127s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 06:20
Behavioral task
behavioral1
Sample
cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exe
-
Size
155KB
-
MD5
b0a556ef9c48be307fccab0d898230fd
-
SHA1
1fad37ffdb9e3ff25522de7b6025901146035223
-
SHA256
cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1
-
SHA512
c6f4b823700ea66a604a42944ef77c659ca2420ef3518761e0d4377b3fa4b88dfebdbbff2bc8981ed48e820a97fd996959faf83a56c56a729cc7cbb94fd7e9b3
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BWlPFH4oGPwJwJE1:kcm4FmowdHoSphraHcpOFltH4oGPjJE1
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/2708-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4380-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/408-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3856-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2228-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1072-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3320-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/840-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/556-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-511-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-599-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-886-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4580-1225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/2708-0-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2708-6-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4984-8-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\jdpvv.exe UPX C:\rxfxrrl.exe UPX behavioral2/memory/3524-16-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\dvvvp.exe UPX C:\jpppp.exe UPX behavioral2/memory/5092-24-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1132-26-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\ppjdd.exe UPX behavioral2/memory/2700-32-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\lxfffxx.exe UPX behavioral2/memory/4700-43-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\hbbnhn.exe UPX C:\pjpvj.exe UPX behavioral2/memory/4380-50-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3820-41-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\djvvv.exe UPX \??\c:\rlfxrrl.exe UPX behavioral2/memory/836-60-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\7tbbtb.exe UPX behavioral2/memory/836-64-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1816-66-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1816-70-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\dvdvv.exe UPX behavioral2/memory/408-73-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\9xfxrrl.exe UPX behavioral2/memory/3732-80-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\xfffxxx.exe UPX C:\bnnhht.exe UPX behavioral2/memory/3992-89-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\pjjpd.exe UPX behavioral2/memory/4436-95-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3856-100-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\1ddvv.exe UPX behavioral2/memory/1860-103-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\lfxxffl.exe UPX C:\nhhbtt.exe UPX 
behavioral2/memory/3044-122-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\9pvvp.exe UPX C:\5dddv.exe UPX behavioral2/memory/2764-125-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\lxllrlr.exe UPX behavioral2/memory/3000-118-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\1hbttn.exe UPX C:\7tbbtt.exe UPX C:\jjpjj.exe UPX behavioral2/memory/2228-145-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\rlfllff.exe UPX C:\bnttnn.exe UPX behavioral2/memory/1072-158-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\1ddvv.exe UPX C:\dvvjd.exe UPX \??\c:\lrrlllr.exe UPX \??\c:\bbnhhb.exe UPX \??\c:\1bbttt.exe UPX behavioral2/memory/2304-188-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3320-186-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1852-195-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1780-207-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/840-209-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1388-215-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/4312-219-0x0000000000400000-0x0000000000427000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
dvvvp.exe jdpvv.exe rxfxrrl.exe jpppp.exe ppjdd.exe lxfffxx.exe hbbnhn.exe pjpvj.exe djvvv.exe rlfxrrl.exe 7tbbtb.exe dvdvv.exe 9xfxrrl.exe xfffxxx.exe bnnhht.exe pjjpd.exe 1ddvv.exe lfxxffl.exe nhhbtt.exe 9pvvp.exe 5dddv.exe lxllrlr.exe 1hbttn.exe 7tbbtt.exe jjpjj.exe rlfllff.exe bnttnn.exe 1ddvv.exe dvvjd.exe lrrlllr.exe bbnhhb.exe 1bbttt.exe pddvv.exe jvpjd.exe 5lrflxf.exe nhnhtt.exe pddjj.exe fllfxll.exe lxrxllf.exe bnnbtt.exe bnbbtt.exe lflfrrx.exe nbnhnh.exe bhtthh.exe dpvpv.exe frfxxrl.exe flrxrxr.exe bbnhhh.exe 9vpdp.exe fxfrllx.exe hbhhhh.exe 7tnhbh.exe dpjdj.exe xllrfll.exe lrxxrlf.exe btbthh.exe bbbttt.exe vppjd.exe flrlflf.exe 3flfffx.exe btnhbb.exe nhnbbt.exe pvddp.exe xxlxlrf.exe pid process 4984 dvvvp.exe 3524 jdpvv.exe 5092 rxfxrrl.exe 1132 jpppp.exe 2700 ppjdd.exe 3820 lxfffxx.exe 4700 hbbnhn.exe 4380 pjpvj.exe 804 djvvv.exe 836 rlfxrrl.exe 1816 7tbbtb.exe 408 dvdvv.exe 3732 9xfxrrl.exe 3992 xfffxxx.exe 4436 bnnhht.exe 3856 pjjpd.exe 1860 1ddvv.exe 3684 lfxxffl.exe 3000 nhhbtt.exe 3044 9pvvp.exe 2764 5dddv.exe 4872 lxllrlr.exe 2680 1hbttn.exe 2228 7tbbtt.exe 936 jjpjj.exe 3980 rlfllff.exe 1072 bnttnn.exe 5076 1ddvv.exe 2180 dvvjd.exe 3424 lrrlllr.exe 3280 bbnhhb.exe 3320 1bbttt.exe 2304 pddvv.exe 3464 jvpjd.exe 1852 5lrflxf.exe 3968 nhnhtt.exe 2556 pddjj.exe 1780 fllfxll.exe 840 lxrxllf.exe 1388 bnnbtt.exe 4312 bnbbtt.exe 2056 lflfrrx.exe 3812 nbnhnh.exe 1808 bhtthh.exe 5092 dpvpv.exe 2080 frfxxrl.exe 4856 flrxrxr.exe 1016 bbnhhh.exe 4356 9vpdp.exe 916 fxfrllx.exe 4448 hbhhhh.exe 3688 7tnhbh.exe 412 dpjdj.exe 4184 xllrfll.exe 4172 lrxxrlf.exe 512 btbthh.exe 2612 bbbttt.exe 4332 vppjd.exe 872 flrlflf.exe 5108 3flfffx.exe 3192 btnhbb.exe 4404 nhnbbt.exe 4696 pvddp.exe 4552 xxlxlrf.exe -
Processes:
resource yara_rule behavioral2/memory/2708-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2708-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4984-8-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\jdpvv.exe upx C:\rxfxrrl.exe upx behavioral2/memory/3524-16-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\dvvvp.exe upx C:\jpppp.exe upx behavioral2/memory/5092-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1132-26-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\ppjdd.exe upx behavioral2/memory/2700-32-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lxfffxx.exe upx behavioral2/memory/4700-43-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hbbnhn.exe upx C:\pjpvj.exe upx behavioral2/memory/4380-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3820-41-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\djvvv.exe upx \??\c:\rlfxrrl.exe upx behavioral2/memory/836-60-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7tbbtb.exe upx behavioral2/memory/836-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1816-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1816-70-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\dvdvv.exe upx behavioral2/memory/408-73-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\9xfxrrl.exe upx behavioral2/memory/3732-80-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xfffxxx.exe upx C:\bnnhht.exe upx behavioral2/memory/3992-89-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pjjpd.exe upx behavioral2/memory/4436-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3856-100-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1ddvv.exe upx behavioral2/memory/1860-103-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lfxxffl.exe upx C:\nhhbtt.exe upx 
behavioral2/memory/3044-122-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\9pvvp.exe upx C:\5dddv.exe upx behavioral2/memory/2764-125-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lxllrlr.exe upx behavioral2/memory/3000-118-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1hbttn.exe upx C:\7tbbtt.exe upx C:\jjpjj.exe upx behavioral2/memory/2228-145-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rlfllff.exe upx C:\bnttnn.exe upx behavioral2/memory/1072-158-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1ddvv.exe upx C:\dvvjd.exe upx \??\c:\lrrlllr.exe upx \??\c:\bbnhhb.exe upx \??\c:\1bbttt.exe upx behavioral2/memory/2304-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3320-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1852-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1780-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/840-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1388-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4312-219-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exedvvvp.exejdpvv.exerxfxrrl.exejpppp.exeppjdd.exelxfffxx.exehbbnhn.exepjpvj.exedjvvv.exerlfxrrl.exe7tbbtb.exedvdvv.exe9xfxrrl.exexfffxxx.exebnnhht.exepjjpd.exe1ddvv.exelfxxffl.exenhhbtt.exe9pvvp.exe5dddv.exedescription pid process target process PID 2708 wrote to memory of 4984 2708 cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exe dvvvp.exe PID 2708 wrote to memory of 4984 2708 cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exe dvvvp.exe PID 2708 wrote to memory of 4984 2708 cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exe dvvvp.exe PID 4984 wrote to memory of 3524 4984 dvvvp.exe jdpvv.exe PID 4984 wrote to memory of 3524 4984 dvvvp.exe jdpvv.exe PID 4984 wrote to memory of 3524 4984 dvvvp.exe jdpvv.exe PID 3524 wrote to memory of 5092 3524 jdpvv.exe rxfxrrl.exe PID 3524 wrote to memory of 5092 3524 jdpvv.exe rxfxrrl.exe PID 3524 wrote to memory of 5092 3524 jdpvv.exe rxfxrrl.exe PID 5092 wrote to memory of 1132 5092 rxfxrrl.exe jpppp.exe PID 5092 wrote to memory of 1132 5092 rxfxrrl.exe jpppp.exe PID 5092 wrote to memory of 1132 5092 rxfxrrl.exe jpppp.exe PID 1132 wrote to memory of 2700 1132 jpppp.exe ppjdd.exe PID 1132 wrote to memory of 2700 1132 jpppp.exe ppjdd.exe PID 1132 wrote to memory of 2700 1132 jpppp.exe ppjdd.exe PID 2700 wrote to memory of 3820 2700 ppjdd.exe lxfffxx.exe PID 2700 wrote to memory of 3820 2700 ppjdd.exe lxfffxx.exe PID 2700 wrote to memory of 3820 2700 ppjdd.exe lxfffxx.exe PID 3820 wrote to memory of 4700 3820 lxfffxx.exe hbbnhn.exe PID 3820 wrote to memory of 4700 3820 lxfffxx.exe hbbnhn.exe PID 3820 wrote to memory of 4700 3820 lxfffxx.exe hbbnhn.exe PID 4700 wrote to memory of 4380 4700 hbbnhn.exe pjpvj.exe PID 4700 wrote to memory of 4380 4700 hbbnhn.exe pjpvj.exe PID 4700 wrote to memory of 4380 4700 hbbnhn.exe pjpvj.exe PID 4380 wrote to memory of 804 4380 pjpvj.exe djvvv.exe PID 4380 wrote to memory of 804 
4380 pjpvj.exe djvvv.exe PID 4380 wrote to memory of 804 4380 pjpvj.exe djvvv.exe PID 804 wrote to memory of 836 804 djvvv.exe rlfxrrl.exe PID 804 wrote to memory of 836 804 djvvv.exe rlfxrrl.exe PID 804 wrote to memory of 836 804 djvvv.exe rlfxrrl.exe PID 836 wrote to memory of 1816 836 rlfxrrl.exe 7tbbtb.exe PID 836 wrote to memory of 1816 836 rlfxrrl.exe 7tbbtb.exe PID 836 wrote to memory of 1816 836 rlfxrrl.exe 7tbbtb.exe PID 1816 wrote to memory of 408 1816 7tbbtb.exe dvdvv.exe PID 1816 wrote to memory of 408 1816 7tbbtb.exe dvdvv.exe PID 1816 wrote to memory of 408 1816 7tbbtb.exe dvdvv.exe PID 408 wrote to memory of 3732 408 dvdvv.exe 9xfxrrl.exe PID 408 wrote to memory of 3732 408 dvdvv.exe 9xfxrrl.exe PID 408 wrote to memory of 3732 408 dvdvv.exe 9xfxrrl.exe PID 3732 wrote to memory of 3992 3732 9xfxrrl.exe xfffxxx.exe PID 3732 wrote to memory of 3992 3732 9xfxrrl.exe xfffxxx.exe PID 3732 wrote to memory of 3992 3732 9xfxrrl.exe xfffxxx.exe PID 3992 wrote to memory of 4436 3992 xfffxxx.exe bnnhht.exe PID 3992 wrote to memory of 4436 3992 xfffxxx.exe bnnhht.exe PID 3992 wrote to memory of 4436 3992 xfffxxx.exe bnnhht.exe PID 4436 wrote to memory of 3856 4436 bnnhht.exe pjjpd.exe PID 4436 wrote to memory of 3856 4436 bnnhht.exe pjjpd.exe PID 4436 wrote to memory of 3856 4436 bnnhht.exe pjjpd.exe PID 3856 wrote to memory of 1860 3856 pjjpd.exe 1ddvv.exe PID 3856 wrote to memory of 1860 3856 pjjpd.exe 1ddvv.exe PID 3856 wrote to memory of 1860 3856 pjjpd.exe 1ddvv.exe PID 1860 wrote to memory of 3684 1860 1ddvv.exe lfxxffl.exe PID 1860 wrote to memory of 3684 1860 1ddvv.exe lfxxffl.exe PID 1860 wrote to memory of 3684 1860 1ddvv.exe lfxxffl.exe PID 3684 wrote to memory of 3000 3684 lfxxffl.exe nhhbtt.exe PID 3684 wrote to memory of 3000 3684 lfxxffl.exe nhhbtt.exe PID 3684 wrote to memory of 3000 3684 lfxxffl.exe nhhbtt.exe PID 3000 wrote to memory of 3044 3000 nhhbtt.exe 9pvvp.exe PID 3000 wrote to memory of 3044 3000 nhhbtt.exe 9pvvp.exe PID 3000 wrote to 
memory of 3044 3000 nhhbtt.exe 9pvvp.exe PID 3044 wrote to memory of 2764 3044 9pvvp.exe 5dddv.exe PID 3044 wrote to memory of 2764 3044 9pvvp.exe 5dddv.exe PID 3044 wrote to memory of 2764 3044 9pvvp.exe 5dddv.exe PID 2764 wrote to memory of 4872 2764 5dddv.exe lxllrlr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exe"C:\Users\Admin\AppData\Local\Temp\cb7d957b5df854d4ad011fd33c7f38a6ffe7656f2ae1b6a5cff4b6ee97485ec1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\dvvvp.exec:\dvvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\jdpvv.exec:\jdpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\jpppp.exec:\jpppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\ppjdd.exec:\ppjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\lxfffxx.exec:\lxfffxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\hbbnhn.exec:\hbbnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\pjpvj.exec:\pjpvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\djvvv.exec:\djvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\7tbbtb.exec:\7tbbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\dvdvv.exec:\dvdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\xfffxxx.exec:\xfffxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\bnnhht.exec:\bnnhht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\pjjpd.exec:\pjjpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\1ddvv.exec:\1ddvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\lfxxffl.exec:\lfxxffl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\nhhbtt.exec:\nhhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\9pvvp.exec:\9pvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\5dddv.exec:\5dddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\lxllrlr.exec:\lxllrlr.exe23⤵
- Executes dropped EXE
PID:4872 -
\??\c:\1hbttn.exec:\1hbttn.exe24⤵
- Executes dropped EXE
PID:2680 -
\??\c:\7tbbtt.exec:\7tbbtt.exe25⤵
- Executes dropped EXE
PID:2228 -
\??\c:\jjpjj.exec:\jjpjj.exe26⤵
- Executes dropped EXE
PID:936 -
\??\c:\rlfllff.exec:\rlfllff.exe27⤵
- Executes dropped EXE
PID:3980 -
\??\c:\bnttnn.exec:\bnttnn.exe28⤵
- Executes dropped EXE
PID:1072 -
\??\c:\1ddvv.exec:\1ddvv.exe29⤵
- Executes dropped EXE
PID:5076 -
\??\c:\dvvjd.exec:\dvvjd.exe30⤵
- Executes dropped EXE
PID:2180 -
\??\c:\lrrlllr.exec:\lrrlllr.exe31⤵
- Executes dropped EXE
PID:3424 -
\??\c:\bbnhhb.exec:\bbnhhb.exe32⤵
- Executes dropped EXE
PID:3280 -
\??\c:\1bbttt.exec:\1bbttt.exe33⤵
- Executes dropped EXE
PID:3320 -
\??\c:\pddvv.exec:\pddvv.exe34⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jvpjd.exec:\jvpjd.exe35⤵
- Executes dropped EXE
PID:3464 -
\??\c:\5lrflxf.exec:\5lrflxf.exe36⤵
- Executes dropped EXE
PID:1852 -
\??\c:\nhnhtt.exec:\nhnhtt.exe37⤵
- Executes dropped EXE
PID:3968 -
\??\c:\pddjj.exec:\pddjj.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\fllfxll.exec:\fllfxll.exe39⤵
- Executes dropped EXE
PID:1780 -
\??\c:\lxrxllf.exec:\lxrxllf.exe40⤵
- Executes dropped EXE
PID:840 -
\??\c:\bnnbtt.exec:\bnnbtt.exe41⤵
- Executes dropped EXE
PID:1388 -
\??\c:\bnbbtt.exec:\bnbbtt.exe42⤵
- Executes dropped EXE
PID:4312 -
\??\c:\lflfrrx.exec:\lflfrrx.exe43⤵
- Executes dropped EXE
PID:2056 -
\??\c:\nbnhnh.exec:\nbnhnh.exe44⤵
- Executes dropped EXE
PID:3812 -
\??\c:\bhtthh.exec:\bhtthh.exe45⤵
- Executes dropped EXE
PID:1808 -
\??\c:\dpvpv.exec:\dpvpv.exe46⤵
- Executes dropped EXE
PID:5092 -
\??\c:\frfxxrl.exec:\frfxxrl.exe47⤵
- Executes dropped EXE
PID:2080 -
\??\c:\flrxrxr.exec:\flrxrxr.exe48⤵
- Executes dropped EXE
PID:4856 -
\??\c:\bbnhhh.exec:\bbnhhh.exe49⤵
- Executes dropped EXE
PID:1016 -
\??\c:\9vpdp.exec:\9vpdp.exe50⤵
- Executes dropped EXE
PID:4356 -
\??\c:\fxfrllx.exec:\fxfrllx.exe51⤵
- Executes dropped EXE
PID:916 -
\??\c:\hbhhhh.exec:\hbhhhh.exe52⤵
- Executes dropped EXE
PID:4448 -
\??\c:\7tnhbh.exec:\7tnhbh.exe53⤵
- Executes dropped EXE
PID:3688 -
\??\c:\dpjdj.exec:\dpjdj.exe54⤵
- Executes dropped EXE
PID:412 -
\??\c:\xllrfll.exec:\xllrfll.exe55⤵
- Executes dropped EXE
PID:4184 -
\??\c:\lrxxrlf.exec:\lrxxrlf.exe56⤵
- Executes dropped EXE
PID:4172 -
\??\c:\btbthh.exec:\btbthh.exe57⤵
- Executes dropped EXE
PID:512 -
\??\c:\bbbttt.exec:\bbbttt.exe58⤵
- Executes dropped EXE
PID:2612 -
\??\c:\vppjd.exec:\vppjd.exe59⤵
- Executes dropped EXE
PID:4332 -
\??\c:\flrlflf.exec:\flrlflf.exe60⤵
- Executes dropped EXE
PID:872 -
\??\c:\3flfffx.exec:\3flfffx.exe61⤵
- Executes dropped EXE
PID:5108 -
\??\c:\btnhbb.exec:\btnhbb.exe62⤵
- Executes dropped EXE
PID:3192 -
\??\c:\nhnbbt.exec:\nhnbbt.exe63⤵
- Executes dropped EXE
PID:4404 -
\??\c:\pvddp.exec:\pvddp.exe64⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xxlxlrf.exec:\xxlxlrf.exe65⤵
- Executes dropped EXE
PID:4552 -
\??\c:\lffxxxf.exec:\lffxxxf.exe66⤵PID:3020
-
\??\c:\ttbthh.exec:\ttbthh.exe67⤵PID:1596
-
\??\c:\nbtnhb.exec:\nbtnhb.exe68⤵PID:3272
-
\??\c:\dpdvv.exec:\dpdvv.exe69⤵PID:556
-
\??\c:\dvvpd.exec:\dvvpd.exe70⤵PID:4664
-
\??\c:\xffxrlf.exec:\xffxrlf.exe71⤵PID:5016
-
\??\c:\3nbbtt.exec:\3nbbtt.exe72⤵PID:3496
-
\??\c:\nhnhnn.exec:\nhnhnn.exe73⤵PID:2728
-
\??\c:\dvdvp.exec:\dvdvp.exe74⤵PID:4828
-
\??\c:\1lrlflf.exec:\1lrlflf.exe75⤵PID:3908
-
\??\c:\lfxfxxr.exec:\lfxfxxr.exe76⤵PID:4236
-
\??\c:\djvvd.exec:\djvvd.exe77⤵PID:4816
-
\??\c:\jjjdv.exec:\jjjdv.exe78⤵PID:3544
-
\??\c:\lxrfxlf.exec:\lxrfxlf.exe79⤵PID:4120
-
\??\c:\frlflxl.exec:\frlflxl.exe80⤵PID:3320
-
\??\c:\btbtnh.exec:\btbtnh.exe81⤵PID:3080
-
\??\c:\pjjjp.exec:\pjjjp.exe82⤵PID:1784
-
\??\c:\1xrrlrr.exec:\1xrrlrr.exe83⤵PID:3728
-
\??\c:\bhhbbb.exec:\bhhbbb.exe84⤵PID:1852
-
\??\c:\vpjjv.exec:\vpjjv.exe85⤵PID:4604
-
\??\c:\dvvpj.exec:\dvvpj.exe86⤵PID:3400
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe87⤵PID:2012
-
\??\c:\rlxrllr.exec:\rlxrllr.exe88⤵PID:2948
-
\??\c:\thnhbb.exec:\thnhbb.exe89⤵PID:1388
-
\??\c:\rllxrlx.exec:\rllxrlx.exe90⤵PID:1708
-
\??\c:\rfllrll.exec:\rfllrll.exe91⤵PID:3812
-
\??\c:\fffxrlf.exec:\fffxrlf.exe92⤵PID:1220
-
\??\c:\ttttnb.exec:\ttttnb.exe93⤵PID:2700
-
\??\c:\vpvpj.exec:\vpvpj.exe94⤵PID:4548
-
\??\c:\dpvpv.exec:\dpvpv.exe95⤵PID:2080
-
\??\c:\7rxrrrf.exec:\7rxrrrf.exe96⤵PID:3784
-
\??\c:\fxfxffl.exec:\fxfxffl.exe97⤵PID:4700
-
\??\c:\nhnnbb.exec:\nhnnbb.exe98⤵PID:1016
-
\??\c:\tbhhtt.exec:\tbhhtt.exe99⤵PID:3108
-
\??\c:\3jjjv.exec:\3jjjv.exe100⤵PID:916
-
\??\c:\jppdd.exec:\jppdd.exe101⤵PID:4448
-
\??\c:\rlrrllx.exec:\rlrrllx.exe102⤵PID:3688
-
\??\c:\3rlfffr.exec:\3rlfffr.exe103⤵PID:408
-
\??\c:\lffxrrx.exec:\lffxrrx.exe104⤵PID:1520
-
\??\c:\btbbtb.exec:\btbbtb.exe105⤵PID:3984
-
\??\c:\hhbthh.exec:\hhbthh.exe106⤵PID:1836
-
\??\c:\djjdv.exec:\djjdv.exe107⤵PID:808
-
\??\c:\vvdvj.exec:\vvdvj.exe108⤵PID:1400
-
\??\c:\rflllll.exec:\rflllll.exe109⤵PID:3856
-
\??\c:\bnttnt.exec:\bnttnt.exe110⤵PID:2328
-
\??\c:\hbtbnh.exec:\hbtbnh.exe111⤵PID:2432
-
\??\c:\pjjjd.exec:\pjjjd.exe112⤵PID:1804
-
\??\c:\vpppv.exec:\vpppv.exe113⤵PID:3000
-
\??\c:\rlllfff.exec:\rlllfff.exe114⤵PID:4552
-
\??\c:\fxffxxx.exec:\fxffxxx.exe115⤵PID:2764
-
\??\c:\hbbtnn.exec:\hbbtnn.exe116⤵PID:4200
-
\??\c:\vppjd.exec:\vppjd.exe117⤵PID:2680
-
\??\c:\7dppj.exec:\7dppj.exe118⤵PID:4936
-
\??\c:\lflxlxx.exec:\lflxlxx.exe119⤵PID:3296
-
\??\c:\fxxxllr.exec:\fxxxllr.exe120⤵PID:1268
-
\??\c:\btnntt.exec:\btnntt.exe121⤵PID:3056
-
\??\c:\pjpjj.exec:\pjpjj.exe122⤵PID:884