Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 00:55
Behavioral task
behavioral1
Sample
900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe
-
Size
364KB
-
MD5
ebbd5a6cf9ce73a30d8f9ee044787581
-
SHA1
1adb17411b215052106b971c0d464bcd4548efc1
-
SHA256
900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97
-
SHA512
fb63589fbfd127d77b08953d4aba89917e749960f93dfc6a79ca540dbc8de615b10be4ab0c96b40408b773e11e8a259b44374a46958ed4cf7350def1048cb01f
-
SSDEEP
6144:9cm4FmowdHoSdSyEAxyx/ZrTTr4qIMgE8L:/4wFHoSQuxy3rTXIM18L
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/3244-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4136-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/720-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4720-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/428-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1960-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2956-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/508-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1908-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2668-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/432-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4784-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1084-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-565-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-567-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-663-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-701-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-723-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-769-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3064-773-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-823-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4412-1088-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/3244-0-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3244-5-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\jddpd.exe UPX behavioral2/memory/4136-8-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\lxrfxlx.exe UPX C:\1tthtn.exe UPX behavioral2/memory/2296-20-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\ppdvp.exe UPX behavioral2/memory/3628-25-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\dpjpj.exe UPX \??\c:\frrfxlf.exe UPX behavioral2/memory/4608-31-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1856-37-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/720-13-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1856-41-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\rrfrfxl.exe UPX behavioral2/memory/2376-44-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\jjdvp.exe UPX behavioral2/memory/2376-48-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/2608-55-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\xlrlrlf.exe UPX behavioral2/memory/4720-57-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\tttnhh.exe UPX behavioral2/memory/1264-62-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\lrrlrlx.exe UPX behavioral2/memory/1264-67-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1748-69-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\vjjvj.exe UPX C:\flxlfrl.exe UPX behavioral2/memory/5016-80-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\nthbtn.exe UPX behavioral2/memory/428-86-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\vvvjv.exe UPX \??\c:\fllrflx.exe UPX behavioral2/memory/2328-98-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\btnhth.exe UPX behavioral2/memory/4080-102-0x0000000000400000-0x0000000000427000-memory.dmp UPX 
behavioral2/memory/3648-105-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\xlffxlf.exe UPX C:\vjpvv.exe UPX C:\xfrlllf.exe UPX behavioral2/memory/4332-118-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\nhhhbb.exe UPX behavioral2/memory/4412-125-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\pddpj.exe UPX behavioral2/memory/5012-128-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/1960-136-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\ththht.exe UPX C:\djdpj.exe UPX C:\dpjdp.exe UPX C:\1bthtt.exe UPX behavioral2/memory/4968-155-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\9bbnbn.exe UPX behavioral2/memory/3988-159-0x0000000000400000-0x0000000000427000-memory.dmp UPX C:\lrfxrfx.exe UPX behavioral2/memory/3864-172-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\pddvp.exe UPX C:\rllfrlf.exe UPX behavioral2/memory/1048-178-0x0000000000400000-0x0000000000427000-memory.dmp UPX \??\c:\rlxrlfx.exe UPX \??\c:\nbhtnh.exe UPX behavioral2/memory/2956-189-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/508-184-0x0000000000400000-0x0000000000427000-memory.dmp UPX behavioral2/memory/3948-197-0x0000000000400000-0x0000000000427000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
jddpd.exe lxrfxlx.exe 1tthtn.exe ppdvp.exe dpjpj.exe frrfxlf.exe rrfrfxl.exe jjdvp.exe xlrlrlf.exe tttnhh.exe lrrlrlx.exe vjjvj.exe flxlfrl.exe nthbtn.exe vvvjv.exe fllrflx.exe btnhth.exe xlffxlf.exe vjpvv.exe xfrlllf.exe nhhhbb.exe pddpj.exe ththht.exe djdpj.exe dpjdp.exe 1bthtt.exe 9bbnbn.exe lrfxrfx.exe pddvp.exe rllfrlf.exe rlxrlfx.exe nbhtnh.exe jjdpp.exe htbthb.exe djpdv.exe dvvjv.exe rrrlfrl.exe rxxrfrf.exe 7tthtt.exe vpdpp.exe dppdp.exe rrxlxrf.exe nhnnbt.exe hbbbtn.exe 5jjdv.exe rffrfxr.exe rlllffx.exe 7hhtnh.exe bnbthb.exe pvdvp.exe rrlfrlf.exe 3hhbbb.exe bbhhbb.exe 3ppvj.exe xffrfrl.exe 1vvpj.exe 3xrlllx.exe jpppj.exe jvvjd.exe bnnhnn.exe bnhthb.exe vpvjj.exe frrfrlf.exe rlrlllx.exe pid process 4136 jddpd.exe 720 lxrfxlx.exe 2296 1tthtn.exe 3628 ppdvp.exe 4608 dpjpj.exe 1856 frrfxlf.exe 2376 rrfrfxl.exe 2608 jjdvp.exe 4720 xlrlrlf.exe 1264 tttnhh.exe 1748 lrrlrlx.exe 1456 vjjvj.exe 5016 flxlfrl.exe 428 nthbtn.exe 2328 vvvjv.exe 4080 fllrflx.exe 3648 btnhth.exe 1632 xlffxlf.exe 4332 vjpvv.exe 4412 xfrlllf.exe 5012 nhhhbb.exe 1960 pddpj.exe 2428 ththht.exe 2448 djdpj.exe 880 dpjdp.exe 4968 1bthtt.exe 3988 9bbnbn.exe 3864 lrfxrfx.exe 1048 pddvp.exe 2168 rllfrlf.exe 508 rlxrlfx.exe 2956 nbhtnh.exe 3348 jjdpp.exe 3948 htbthb.exe 1196 djpdv.exe 2804 dvvjv.exe 1908 rrrlfrl.exe 4092 rxxrfrf.exe 4600 7tthtt.exe 1244 vpdpp.exe 1700 dppdp.exe 2076 rrxlxrf.exe 3448 nhnnbt.exe 3192 hbbbtn.exe 4612 5jjdv.exe 4812 rffrfxr.exe 3620 rlllffx.exe 4596 7hhtnh.exe 4308 bnbthb.exe 2560 pvdvp.exe 4792 rrlfrlf.exe 1392 3hhbbb.exe 2736 bbhhbb.exe 2300 3ppvj.exe 1988 xffrfrl.exe 3324 1vvpj.exe 3168 3xrlllx.exe 2004 jpppj.exe 516 jvvjd.exe 3720 bnnhnn.exe 1264 bnhthb.exe 1904 vpvjj.exe 1692 frrfrlf.exe 2644 rlrlllx.exe -
Processes:
resource yara_rule behavioral2/memory/3244-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3244-5-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jddpd.exe upx behavioral2/memory/4136-8-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lxrfxlx.exe upx C:\1tthtn.exe upx behavioral2/memory/2296-20-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ppdvp.exe upx behavioral2/memory/3628-25-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dpjpj.exe upx \??\c:\frrfxlf.exe upx behavioral2/memory/4608-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1856-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/720-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1856-41-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rrfrfxl.exe upx behavioral2/memory/2376-44-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjdvp.exe upx behavioral2/memory/2376-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2608-55-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xlrlrlf.exe upx behavioral2/memory/4720-57-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\tttnhh.exe upx behavioral2/memory/1264-62-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lrrlrlx.exe upx behavioral2/memory/1264-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1748-69-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vjjvj.exe upx C:\flxlfrl.exe upx behavioral2/memory/5016-80-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nthbtn.exe upx behavioral2/memory/428-86-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vvvjv.exe upx \??\c:\fllrflx.exe upx behavioral2/memory/2328-98-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\btnhth.exe upx behavioral2/memory/4080-102-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3648-105-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xlffxlf.exe upx C:\vjpvv.exe upx C:\xfrlllf.exe upx behavioral2/memory/4332-118-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nhhhbb.exe upx behavioral2/memory/4412-125-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pddpj.exe upx behavioral2/memory/5012-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1960-136-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ththht.exe upx C:\djdpj.exe upx C:\dpjdp.exe upx C:\1bthtt.exe upx behavioral2/memory/4968-155-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\9bbnbn.exe upx behavioral2/memory/3988-159-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lrfxrfx.exe upx behavioral2/memory/3864-172-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\pddvp.exe upx C:\rllfrlf.exe upx behavioral2/memory/1048-178-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rlxrlfx.exe upx \??\c:\nbhtnh.exe upx behavioral2/memory/2956-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/508-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3948-197-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe jddpd.exe lxrfxlx.exe 1tthtn.exe ppdvp.exe dpjpj.exe frrfxlf.exe rrfrfxl.exe jjdvp.exe xlrlrlf.exe tttnhh.exe lrrlrlx.exe vjjvj.exe flxlfrl.exe nthbtn.exe vvvjv.exe fllrflx.exe btnhth.exe xlffxlf.exe vjpvv.exe xfrlllf.exe nhhhbb.exe description pid process target process PID 3244 wrote to memory of 4136 3244 900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe jddpd.exe PID 3244 wrote to memory of 4136 3244 900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe jddpd.exe PID 3244 wrote to memory of 4136 3244 900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe jddpd.exe PID 4136 wrote to memory of 720 4136 jddpd.exe lxrfxlx.exe PID 4136 wrote to memory of 720 4136 jddpd.exe lxrfxlx.exe PID 4136 wrote to memory of 720 4136 jddpd.exe lxrfxlx.exe PID 720 wrote to memory of 2296 720 lxrfxlx.exe 1tthtn.exe PID 720 wrote to memory of 2296 720 lxrfxlx.exe 1tthtn.exe PID 720 wrote to memory of 2296 720 lxrfxlx.exe 1tthtn.exe PID 2296 wrote to memory of 3628 2296 1tthtn.exe ppdvp.exe PID 2296 wrote to memory of 3628 2296 1tthtn.exe ppdvp.exe PID 2296 wrote to memory of 3628 2296 1tthtn.exe ppdvp.exe PID 3628 wrote to memory of 4608 3628 ppdvp.exe dpjpj.exe PID 3628 wrote to memory of 4608 3628 ppdvp.exe dpjpj.exe PID 3628 wrote to memory of 4608 3628 ppdvp.exe dpjpj.exe PID 4608 wrote to memory of 1856 4608 dpjpj.exe frrfxlf.exe PID 4608 wrote to memory of 1856 4608 dpjpj.exe frrfxlf.exe PID 4608 wrote to memory of 1856 4608 dpjpj.exe frrfxlf.exe PID 1856 wrote to memory of 2376 1856 frrfxlf.exe rrfrfxl.exe PID 1856 wrote to memory of 2376 1856 frrfxlf.exe rrfrfxl.exe PID 1856 wrote to memory of 2376 1856 frrfxlf.exe rrfrfxl.exe PID 2376 wrote to memory of 2608 2376 rrfrfxl.exe jjdvp.exe PID 2376 wrote to memory of 2608 2376 rrfrfxl.exe jjdvp.exe PID 2376 wrote to memory of 2608 2376 rrfrfxl.exe jjdvp.exe PID 2608 wrote to memory of 4720 2608 jjdvp.exe xlrlrlf.exe PID 2608 wrote to 
memory of 4720 2608 jjdvp.exe xlrlrlf.exe PID 2608 wrote to memory of 4720 2608 jjdvp.exe xlrlrlf.exe PID 4720 wrote to memory of 1264 4720 xlrlrlf.exe tttnhh.exe PID 4720 wrote to memory of 1264 4720 xlrlrlf.exe tttnhh.exe PID 4720 wrote to memory of 1264 4720 xlrlrlf.exe tttnhh.exe PID 1264 wrote to memory of 1748 1264 tttnhh.exe lrrlrlx.exe PID 1264 wrote to memory of 1748 1264 tttnhh.exe lrrlrlx.exe PID 1264 wrote to memory of 1748 1264 tttnhh.exe lrrlrlx.exe PID 1748 wrote to memory of 1456 1748 lrrlrlx.exe vjjvj.exe PID 1748 wrote to memory of 1456 1748 lrrlrlx.exe vjjvj.exe PID 1748 wrote to memory of 1456 1748 lrrlrlx.exe vjjvj.exe PID 1456 wrote to memory of 5016 1456 vjjvj.exe flxlfrl.exe PID 1456 wrote to memory of 5016 1456 vjjvj.exe flxlfrl.exe PID 1456 wrote to memory of 5016 1456 vjjvj.exe flxlfrl.exe PID 5016 wrote to memory of 428 5016 flxlfrl.exe nthbtn.exe PID 5016 wrote to memory of 428 5016 flxlfrl.exe nthbtn.exe PID 5016 wrote to memory of 428 5016 flxlfrl.exe nthbtn.exe PID 428 wrote to memory of 2328 428 nthbtn.exe vvvjv.exe PID 428 wrote to memory of 2328 428 nthbtn.exe vvvjv.exe PID 428 wrote to memory of 2328 428 nthbtn.exe vvvjv.exe PID 2328 wrote to memory of 4080 2328 vvvjv.exe fllrflx.exe PID 2328 wrote to memory of 4080 2328 vvvjv.exe fllrflx.exe PID 2328 wrote to memory of 4080 2328 vvvjv.exe fllrflx.exe PID 4080 wrote to memory of 3648 4080 fllrflx.exe btnhth.exe PID 4080 wrote to memory of 3648 4080 fllrflx.exe btnhth.exe PID 4080 wrote to memory of 3648 4080 fllrflx.exe btnhth.exe PID 3648 wrote to memory of 1632 3648 btnhth.exe xlffxlf.exe PID 3648 wrote to memory of 1632 3648 btnhth.exe xlffxlf.exe PID 3648 wrote to memory of 1632 3648 btnhth.exe xlffxlf.exe PID 1632 wrote to memory of 4332 1632 xlffxlf.exe vjpvv.exe PID 1632 wrote to memory of 4332 1632 xlffxlf.exe vjpvv.exe PID 1632 wrote to memory of 4332 1632 xlffxlf.exe vjpvv.exe PID 4332 wrote to memory of 4412 4332 vjpvv.exe xfrlllf.exe PID 4332 wrote to memory of 4412 
4332 vjpvv.exe xfrlllf.exe PID 4332 wrote to memory of 4412 4332 vjpvv.exe xfrlllf.exe PID 4412 wrote to memory of 5012 4412 xfrlllf.exe nhhhbb.exe PID 4412 wrote to memory of 5012 4412 xfrlllf.exe nhhhbb.exe PID 4412 wrote to memory of 5012 4412 xfrlllf.exe nhhhbb.exe PID 5012 wrote to memory of 1960 5012 nhhhbb.exe pddpj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe"C:\Users\Admin\AppData\Local\Temp\900e8ea10e9e9800025d5bad4c3560982c1a1bd4006ba5c23334029e64968f97.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\jddpd.exec:\jddpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\lxrfxlx.exec:\lxrfxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\1tthtn.exec:\1tthtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\ppdvp.exec:\ppdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\dpjpj.exec:\dpjpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\frrfxlf.exec:\frrfxlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\rrfrfxl.exec:\rrfrfxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\jjdvp.exec:\jjdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\xlrlrlf.exec:\xlrlrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\tttnhh.exec:\tttnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\lrrlrlx.exec:\lrrlrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\vjjvj.exec:\vjjvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\flxlfrl.exec:\flxlfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\nthbtn.exec:\nthbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\vvvjv.exec:\vvvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\fllrflx.exec:\fllrflx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\btnhth.exec:\btnhth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\xlffxlf.exec:\xlffxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\vjpvv.exec:\vjpvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\xfrlllf.exec:\xfrlllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\nhhhbb.exec:\nhhhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\pddpj.exec:\pddpj.exe23⤵
- Executes dropped EXE
PID:1960 -
\??\c:\ththht.exec:\ththht.exe24⤵
- Executes dropped EXE
PID:2428 -
\??\c:\djdpj.exec:\djdpj.exe25⤵
- Executes dropped EXE
PID:2448 -
\??\c:\dpjdp.exec:\dpjdp.exe26⤵
- Executes dropped EXE
PID:880 -
\??\c:\1bthtt.exec:\1bthtt.exe27⤵
- Executes dropped EXE
PID:4968 -
\??\c:\9bbnbn.exec:\9bbnbn.exe28⤵
- Executes dropped EXE
PID:3988 -
\??\c:\lrfxrfx.exec:\lrfxrfx.exe29⤵
- Executes dropped EXE
PID:3864 -
\??\c:\pddvp.exec:\pddvp.exe30⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rllfrlf.exec:\rllfrlf.exe31⤵
- Executes dropped EXE
PID:2168 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe32⤵
- Executes dropped EXE
PID:508 -
\??\c:\nbhtnh.exec:\nbhtnh.exe33⤵
- Executes dropped EXE
PID:2956 -
\??\c:\jjdpp.exec:\jjdpp.exe34⤵
- Executes dropped EXE
PID:3348 -
\??\c:\htbthb.exec:\htbthb.exe35⤵
- Executes dropped EXE
PID:3948 -
\??\c:\djpdv.exec:\djpdv.exe36⤵
- Executes dropped EXE
PID:1196 -
\??\c:\dvvjv.exec:\dvvjv.exe37⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rrrlfrl.exec:\rrrlfrl.exe38⤵
- Executes dropped EXE
PID:1908 -
\??\c:\rxxrfrf.exec:\rxxrfrf.exe39⤵
- Executes dropped EXE
PID:4092 -
\??\c:\7tthtt.exec:\7tthtt.exe40⤵
- Executes dropped EXE
PID:4600 -
\??\c:\vpdpp.exec:\vpdpp.exe41⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dppdp.exec:\dppdp.exe42⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rrxlxrf.exec:\rrxlxrf.exe43⤵
- Executes dropped EXE
PID:2076 -
\??\c:\nhnnbt.exec:\nhnnbt.exe44⤵
- Executes dropped EXE
PID:3448 -
\??\c:\hbbbtn.exec:\hbbbtn.exe45⤵
- Executes dropped EXE
PID:3192 -
\??\c:\5jjdv.exec:\5jjdv.exe46⤵
- Executes dropped EXE
PID:4612 -
\??\c:\rffrfxr.exec:\rffrfxr.exe47⤵
- Executes dropped EXE
PID:4812 -
\??\c:\rlllffx.exec:\rlllffx.exe48⤵
- Executes dropped EXE
PID:3620 -
\??\c:\7hhtnh.exec:\7hhtnh.exe49⤵
- Executes dropped EXE
PID:4596 -
\??\c:\bnbthb.exec:\bnbthb.exe50⤵
- Executes dropped EXE
PID:4308 -
\??\c:\pvdvp.exec:\pvdvp.exe51⤵
- Executes dropped EXE
PID:2560 -
\??\c:\rrlfrlf.exec:\rrlfrlf.exe52⤵
- Executes dropped EXE
PID:4792 -
\??\c:\3hhbbb.exec:\3hhbbb.exe53⤵
- Executes dropped EXE
PID:1392 -
\??\c:\bbhhbb.exec:\bbhhbb.exe54⤵
- Executes dropped EXE
PID:2736 -
\??\c:\3ppvj.exec:\3ppvj.exe55⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xffrfrl.exec:\xffrfrl.exe56⤵
- Executes dropped EXE
PID:1988 -
\??\c:\1vvpj.exec:\1vvpj.exe57⤵
- Executes dropped EXE
PID:3324 -
\??\c:\3xrlllx.exec:\3xrlllx.exe58⤵
- Executes dropped EXE
PID:3168 -
\??\c:\jpppj.exec:\jpppj.exe59⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jvvjd.exec:\jvvjd.exe60⤵
- Executes dropped EXE
PID:516 -
\??\c:\bnnhnn.exec:\bnnhnn.exe61⤵
- Executes dropped EXE
PID:3720 -
\??\c:\bnhthb.exec:\bnhthb.exe62⤵
- Executes dropped EXE
PID:1264 -
\??\c:\vpvjj.exec:\vpvjj.exe63⤵
- Executes dropped EXE
PID:1904 -
\??\c:\frrfrlf.exec:\frrfrlf.exe64⤵
- Executes dropped EXE
PID:1692 -
\??\c:\rlrlllx.exec:\rlrlllx.exe65⤵
- Executes dropped EXE
PID:2644 -
\??\c:\nhtntt.exec:\nhtntt.exe66⤵PID:2668
-
\??\c:\jjvpj.exec:\jjvpj.exe67⤵PID:4100
-
\??\c:\3rxlrrf.exec:\3rxlrrf.exe68⤵PID:2432
-
\??\c:\rxxlfxl.exec:\rxxlfxl.exe69⤵PID:428
-
\??\c:\hbbttn.exec:\hbbttn.exe70⤵PID:3236
-
\??\c:\bthbtn.exec:\bthbtn.exe71⤵PID:3308
-
\??\c:\jvvpp.exec:\jvvpp.exe72⤵PID:644
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe73⤵PID:3648
-
\??\c:\lllrfxl.exec:\lllrfxl.exe74⤵PID:4784
-
\??\c:\nnhtnh.exec:\nnhtnh.exe75⤵PID:968
-
\??\c:\vdddj.exec:\vdddj.exe76⤵PID:2492
-
\??\c:\fffxlfr.exec:\fffxlfr.exe77⤵PID:4456
-
\??\c:\3xrrffx.exec:\3xrrffx.exe78⤵PID:5012
-
\??\c:\bnhbnh.exec:\bnhbnh.exe79⤵PID:3784
-
\??\c:\jdjvv.exec:\jdjvv.exe80⤵PID:2588
-
\??\c:\pdjdj.exec:\pdjdj.exe81⤵PID:1056
-
\??\c:\1ffrfxr.exec:\1ffrfxr.exe82⤵PID:1256
-
\??\c:\frxrllf.exec:\frxrllf.exe83⤵PID:1084
-
\??\c:\nhhhhb.exec:\nhhhhb.exe84⤵PID:1540
-
\??\c:\1hthbt.exec:\1hthbt.exe85⤵PID:4440
-
\??\c:\rffrrll.exec:\rffrrll.exe86⤵PID:660
-
\??\c:\flrllfr.exec:\flrllfr.exe87⤵PID:1772
-
\??\c:\thnnbt.exec:\thnnbt.exe88⤵PID:2012
-
\??\c:\tnnbtn.exec:\tnnbtn.exe89⤵PID:5088
-
\??\c:\pjdvp.exec:\pjdvp.exe90⤵PID:1824
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe91⤵PID:388
-
\??\c:\fffxllx.exec:\fffxllx.exe92⤵PID:508
-
\??\c:\thhthb.exec:\thhthb.exe93⤵PID:1208
-
\??\c:\1dvjv.exec:\1dvjv.exe94⤵PID:1948
-
\??\c:\jppjd.exec:\jppjd.exe95⤵PID:1424
-
\??\c:\9rlflfx.exec:\9rlflfx.exe96⤵PID:4940
-
\??\c:\xffxrlf.exec:\xffxrlf.exe97⤵PID:4444
-
\??\c:\nhnbnh.exec:\nhnbnh.exe98⤵PID:4496
-
\??\c:\djpdp.exec:\djpdp.exe99⤵PID:432
-
\??\c:\3ppjj.exec:\3ppjj.exe100⤵PID:1464
-
\??\c:\1lfxlfr.exec:\1lfxlfr.exe101⤵PID:1936
-
\??\c:\tbbnhb.exec:\tbbnhb.exe102⤵PID:5072
-
\??\c:\nnnhbt.exec:\nnnhbt.exe103⤵PID:4884
-
\??\c:\pvdvj.exec:\pvdvj.exe104⤵PID:4616
-
\??\c:\flllfrr.exec:\flllfrr.exe105⤵PID:4480
-
\??\c:\rrrfxlf.exec:\rrrfxlf.exe106⤵PID:4756
-
\??\c:\3hnbtn.exec:\3hnbtn.exe107⤵PID:2452
-
\??\c:\1htnbt.exec:\1htnbt.exe108⤵PID:3568
-
\??\c:\dvjjv.exec:\dvjjv.exe109⤵PID:3620
-
\??\c:\xlfrxrr.exec:\xlfrxrr.exe110⤵PID:3636
-
\??\c:\frxxrlr.exec:\frxxrlr.exe111⤵PID:3552
-
\??\c:\tttntt.exec:\tttntt.exe112⤵PID:3336
-
\??\c:\9jjdd.exec:\9jjdd.exe113⤵PID:1328
-
\??\c:\djjdv.exec:\djjdv.exe114⤵PID:1348
-
\??\c:\rllxlfx.exec:\rllxlfx.exe115⤵PID:2840
-
\??\c:\xllxrlx.exec:\xllxrlx.exe116⤵PID:5064
-
\??\c:\htbnhb.exec:\htbnhb.exe117⤵PID:1364
-
\??\c:\9bthhb.exec:\9bthhb.exe118⤵PID:4620
-
\??\c:\3pvjv.exec:\3pvjv.exe119⤵PID:2696
-
\??\c:\lllfxrf.exec:\lllfxrf.exe120⤵PID:2608
-
\??\c:\rxxrflx.exec:\rxxrflx.exe121⤵PID:2072
-
\??\c:\7btnnn.exec:\7btnnn.exe122⤵PID:4980
-