Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 02:34
Behavioral task
behavioral1
Sample
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe
-
Size
159KB
-
MD5
527ed2836e7c27e2e9c38e4ea0d0b364
-
SHA1
9f3ee1054796614179ca89d492ecba0c58f06c92
-
SHA256
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422
-
SHA512
6331b25b6555a1df4610d1e3d6f0a49eae8aaeb0adeb2b5c71c2e96c7f64a6ff48aa7cbf64f8db2c1c563059eee1bb3e66f57113ad0fbed668328d494a1b0e43
-
SSDEEP
3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yL5:ccm4FmowdHoSi9EE
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/2396-4-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2492-11-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/228-13-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4296-35-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4512-30-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1980-29-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2724-24-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4796-46-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1336-48-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/936-55-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4256-75-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3068-77-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1692-83-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3860-89-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3288-106-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2096-103-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3492-115-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2120-122-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1252-127-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5048-138-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1084-145-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/2108-148-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1424-163-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4104-182-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3680-186-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3552-199-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/412-206-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2732-222-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/264-229-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1396-233-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5060-243-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4016-257-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/984-266-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1616-274-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3164-294-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3896-305-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2684-314-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4076-316-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/640-326-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2172-332-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1084-351-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2088-353-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4812-359-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1248-398-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1148-424-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5056-441-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4524-445-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1488-457-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2564-467-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3248-480-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4488-493-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4076-509-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2160-525-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2908-601-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3760-614-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2636-680-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3232-773-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2596-847-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/404-895-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1188-921-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4688-975-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2372-1438-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4092-1477-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4904-1523-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/2396-0-0x0000000000400000-0x0000000000436000-memory.dmp UPX \??\c:\1xfrfxr.exe UPX behavioral2/memory/2396-4-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\3fxrlxr.exe UPX behavioral2/memory/2492-11-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/228-13-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\hbthhb.exe UPX C:\ddpdp.exe UPX C:\3lfrlfx.exe UPX behavioral2/memory/4296-35-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/4512-30-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/1980-29-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/2724-24-0x0000000000400000-0x0000000000436000-memory.dmp UPX \??\c:\dddpd.exe UPX C:\xrrlfxr.exe UPX C:\tthhtn.exe UPX behavioral2/memory/4796-46-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/1336-48-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\bnthnn.exe UPX behavioral2/memory/936-55-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\ddvvj.exe UPX C:\1fxxlfr.exe UPX C:\bhhbth.exe UPX \??\c:\pjjdv.exe UPX behavioral2/memory/4256-75-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/3068-77-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\xxlfrrl.exe UPX behavioral2/memory/1692-83-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\tbtthb.exe UPX behavioral2/memory/3860-89-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\vvvpj.exe UPX \??\c:\5lffllx.exe UPX behavioral2/memory/2096-99-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\jppjd.exe UPX behavioral2/memory/3288-106-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/2096-103-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/3492-111-0x0000000000400000-0x0000000000436000-memory.dmp UPX \??\c:\pjdvj.exe UPX C:\fxlffxx.exe UPX behavioral2/memory/3492-115-0x0000000000400000-0x0000000000436000-memory.dmp UPX 
C:\vjddp.exe UPX behavioral2/memory/2120-122-0x0000000000400000-0x0000000000436000-memory.dmp UPX \??\c:\lrlxlrf.exe UPX \??\c:\3rlrfxf.exe UPX behavioral2/memory/1252-127-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\3ppjv.exe UPX behavioral2/memory/5048-138-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\lrrfxfx.exe UPX behavioral2/memory/1084-145-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/2108-148-0x0000000000400000-0x0000000000436000-memory.dmp UPX \??\c:\rxxxxxl.exe UPX \??\c:\hthbhh.exe UPX \??\c:\1pjvp.exe UPX behavioral2/memory/1424-163-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\xrxxlll.exe UPX C:\5hnbnh.exe UPX C:\djjdp.exe UPX C:\pdjdv.exe UPX behavioral2/memory/4104-182-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/3680-186-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/3552-199-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/412-206-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/2732-222-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral2/memory/264-229-0x0000000000400000-0x0000000000436000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
1xfrfxr.exe3fxrlxr.exehbthhb.exedddpd.exeddpdp.exe3lfrlfx.exexrrlfxr.exetthhtn.exebnthnn.exeddvvj.exe1fxxlfr.exebhhbth.exepjjdv.exexxlfrrl.exetbtthb.exevvvpj.exe5lffllx.exejppjd.exepjdvj.exefxlffxx.exevjddp.exelrlxlrf.exe3rlrfxf.exe3ppjv.exelrrfxfx.exerxxxxxl.exehthbhh.exe1pjvp.exexrxxlll.exe5hnbnh.exedjjdp.exepdjdv.exe1rxrxxr.exexxrxfxl.exebbbhbb.exe5dpjd.exedjdjd.exellrlxrf.exe9bhhtn.exetnthtn.exedpjpj.exevdpjv.exefrlfxxr.exe7hhtnb.exenbttnn.exe5vpdv.exe9dvjd.exe7lxfllx.exe7bbtnn.exenntnnh.exedpvjv.exevpvjd.exefffrxrx.exefxffxrx.exeffxlfxl.exe3hbthb.exehbbnbt.exe9ppdv.exexxxlxrf.exexlxrrll.exebbbthb.exepvvpd.exevddvd.exe9xrlxxr.exepid process 228 1xfrfxr.exe 2492 3fxrlxr.exe 2724 hbthhb.exe 1980 dddpd.exe 4512 ddpdp.exe 4296 3lfrlfx.exe 4796 xrrlfxr.exe 1336 tthhtn.exe 936 bnthnn.exe 712 ddvvj.exe 2996 1fxxlfr.exe 4256 bhhbth.exe 3068 pjjdv.exe 1692 xxlfrrl.exe 3860 tbtthb.exe 448 vvvpj.exe 2096 5lffllx.exe 3288 jppjd.exe 3492 pjdvj.exe 2120 fxlffxx.exe 1252 vjddp.exe 4960 lrlxlrf.exe 5048 3rlrfxf.exe 1084 3ppjv.exe 2108 lrrfxfx.exe 3156 rxxxxxl.exe 1424 hthbhh.exe 3228 1pjvp.exe 4964 xrxxlll.exe 1600 5hnbnh.exe 4104 djjdp.exe 3680 pdjdv.exe 4604 1rxrxxr.exe 1720 xxrxfxl.exe 3968 bbbhbb.exe 3552 5dpjd.exe 844 djdjd.exe 412 llrlxrf.exe 4152 9bhhtn.exe 2052 tnthtn.exe 1568 dpjpj.exe 496 vdpjv.exe 2732 frlfxxr.exe 4316 7hhtnb.exe 264 nbttnn.exe 1396 5vpdv.exe 2264 9dvjd.exe 1256 7lxfllx.exe 5060 7bbtnn.exe 3976 nntnnh.exe 1832 dpvjv.exe 2600 vpvjd.exe 4016 fffrxrx.exe 4296 fxffxrx.exe 940 ffxlfxl.exe 984 3hbthb.exe 5084 hbbnbt.exe 1616 9ppdv.exe 2928 xxxlxrf.exe 3952 xlxrrll.exe 3272 bbbthb.exe 2068 pvvpd.exe 3164 vddvd.exe 4456 9xrlxxr.exe -
Processes:
resource yara_rule behavioral2/memory/2396-0-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\1xfrfxr.exe upx behavioral2/memory/2396-4-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\3fxrlxr.exe upx behavioral2/memory/2492-11-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/228-13-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hbthhb.exe upx C:\ddpdp.exe upx C:\3lfrlfx.exe upx behavioral2/memory/4296-35-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4512-30-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1980-29-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2724-24-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\dddpd.exe upx C:\xrrlfxr.exe upx C:\tthhtn.exe upx behavioral2/memory/4796-46-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1336-48-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\bnthnn.exe upx behavioral2/memory/936-55-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\ddvvj.exe upx C:\1fxxlfr.exe upx C:\bhhbth.exe upx \??\c:\pjjdv.exe upx behavioral2/memory/4256-75-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3068-77-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\xxlfrrl.exe upx behavioral2/memory/1692-83-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\tbtthb.exe upx behavioral2/memory/3860-89-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\vvvpj.exe upx \??\c:\5lffllx.exe upx behavioral2/memory/2096-99-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\jppjd.exe upx behavioral2/memory/3288-106-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2096-103-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3492-111-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\pjdvj.exe upx C:\fxlffxx.exe upx behavioral2/memory/3492-115-0x0000000000400000-0x0000000000436000-memory.dmp upx 
C:\vjddp.exe upx behavioral2/memory/2120-122-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\lrlxlrf.exe upx \??\c:\3rlrfxf.exe upx behavioral2/memory/1252-127-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\3ppjv.exe upx behavioral2/memory/5048-138-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\lrrfxfx.exe upx behavioral2/memory/1084-145-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2108-148-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\rxxxxxl.exe upx \??\c:\hthbhh.exe upx \??\c:\1pjvp.exe upx behavioral2/memory/1424-163-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\xrxxlll.exe upx C:\5hnbnh.exe upx C:\djjdp.exe upx C:\pdjdv.exe upx behavioral2/memory/4104-182-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3680-186-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3552-199-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/412-206-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2732-222-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/264-229-0x0000000000400000-0x0000000000436000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe1xfrfxr.exe3fxrlxr.exehbthhb.exedddpd.exeddpdp.exe3lfrlfx.exexrrlfxr.exetthhtn.exebnthnn.exeddvvj.exe1fxxlfr.exebhhbth.exepjjdv.exexxlfrrl.exetbtthb.exevvvpj.exe5lffllx.exejppjd.exepjdvj.exefxlffxx.exevjddp.exedescription pid process target process PID 2396 wrote to memory of 228 2396 b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe 1xfrfxr.exe PID 2396 wrote to memory of 228 2396 b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe 1xfrfxr.exe PID 2396 wrote to memory of 228 2396 b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe 1xfrfxr.exe PID 228 wrote to memory of 2492 228 1xfrfxr.exe 3fxrlxr.exe PID 228 wrote to memory of 2492 228 1xfrfxr.exe 3fxrlxr.exe PID 228 wrote to memory of 2492 228 1xfrfxr.exe 3fxrlxr.exe PID 2492 wrote to memory of 2724 2492 3fxrlxr.exe hbthhb.exe PID 2492 wrote to memory of 2724 2492 3fxrlxr.exe hbthhb.exe PID 2492 wrote to memory of 2724 2492 3fxrlxr.exe hbthhb.exe PID 2724 wrote to memory of 1980 2724 hbthhb.exe dddpd.exe PID 2724 wrote to memory of 1980 2724 hbthhb.exe dddpd.exe PID 2724 wrote to memory of 1980 2724 hbthhb.exe dddpd.exe PID 1980 wrote to memory of 4512 1980 dddpd.exe ddpdp.exe PID 1980 wrote to memory of 4512 1980 dddpd.exe ddpdp.exe PID 1980 wrote to memory of 4512 1980 dddpd.exe ddpdp.exe PID 4512 wrote to memory of 4296 4512 ddpdp.exe 3lfrlfx.exe PID 4512 wrote to memory of 4296 4512 ddpdp.exe 3lfrlfx.exe PID 4512 wrote to memory of 4296 4512 ddpdp.exe 3lfrlfx.exe PID 4296 wrote to memory of 4796 4296 3lfrlfx.exe xrrlfxr.exe PID 4296 wrote to memory of 4796 4296 3lfrlfx.exe xrrlfxr.exe PID 4296 wrote to memory of 4796 4296 3lfrlfx.exe xrrlfxr.exe PID 4796 wrote to memory of 1336 4796 xrrlfxr.exe tthhtn.exe PID 4796 wrote to memory of 1336 4796 xrrlfxr.exe tthhtn.exe PID 4796 wrote to memory of 1336 4796 xrrlfxr.exe tthhtn.exe PID 1336 wrote to memory of 936 1336 tthhtn.exe bnthnn.exe PID 
1336 wrote to memory of 936 1336 tthhtn.exe bnthnn.exe PID 1336 wrote to memory of 936 1336 tthhtn.exe bnthnn.exe PID 936 wrote to memory of 712 936 bnthnn.exe ddvvj.exe PID 936 wrote to memory of 712 936 bnthnn.exe ddvvj.exe PID 936 wrote to memory of 712 936 bnthnn.exe ddvvj.exe PID 712 wrote to memory of 2996 712 ddvvj.exe 1fxxlfr.exe PID 712 wrote to memory of 2996 712 ddvvj.exe 1fxxlfr.exe PID 712 wrote to memory of 2996 712 ddvvj.exe 1fxxlfr.exe PID 2996 wrote to memory of 4256 2996 1fxxlfr.exe bhhbth.exe PID 2996 wrote to memory of 4256 2996 1fxxlfr.exe bhhbth.exe PID 2996 wrote to memory of 4256 2996 1fxxlfr.exe bhhbth.exe PID 4256 wrote to memory of 3068 4256 bhhbth.exe pjjdv.exe PID 4256 wrote to memory of 3068 4256 bhhbth.exe pjjdv.exe PID 4256 wrote to memory of 3068 4256 bhhbth.exe pjjdv.exe PID 3068 wrote to memory of 1692 3068 pjjdv.exe xxlfrrl.exe PID 3068 wrote to memory of 1692 3068 pjjdv.exe xxlfrrl.exe PID 3068 wrote to memory of 1692 3068 pjjdv.exe xxlfrrl.exe PID 1692 wrote to memory of 3860 1692 xxlfrrl.exe tbtthb.exe PID 1692 wrote to memory of 3860 1692 xxlfrrl.exe tbtthb.exe PID 1692 wrote to memory of 3860 1692 xxlfrrl.exe tbtthb.exe PID 3860 wrote to memory of 448 3860 tbtthb.exe vvvpj.exe PID 3860 wrote to memory of 448 3860 tbtthb.exe vvvpj.exe PID 3860 wrote to memory of 448 3860 tbtthb.exe vvvpj.exe PID 448 wrote to memory of 2096 448 vvvpj.exe 5lffllx.exe PID 448 wrote to memory of 2096 448 vvvpj.exe 5lffllx.exe PID 448 wrote to memory of 2096 448 vvvpj.exe 5lffllx.exe PID 2096 wrote to memory of 3288 2096 5lffllx.exe jppjd.exe PID 2096 wrote to memory of 3288 2096 5lffllx.exe jppjd.exe PID 2096 wrote to memory of 3288 2096 5lffllx.exe jppjd.exe PID 3288 wrote to memory of 3492 3288 jppjd.exe pjdvj.exe PID 3288 wrote to memory of 3492 3288 jppjd.exe pjdvj.exe PID 3288 wrote to memory of 3492 3288 jppjd.exe pjdvj.exe PID 3492 wrote to memory of 2120 3492 pjdvj.exe fxlffxx.exe PID 3492 wrote to memory of 2120 3492 pjdvj.exe 
fxlffxx.exe PID 3492 wrote to memory of 2120 3492 pjdvj.exe fxlffxx.exe PID 2120 wrote to memory of 1252 2120 fxlffxx.exe vjddp.exe PID 2120 wrote to memory of 1252 2120 fxlffxx.exe vjddp.exe PID 2120 wrote to memory of 1252 2120 fxlffxx.exe vjddp.exe PID 1252 wrote to memory of 4960 1252 vjddp.exe lrlxlrf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe"C:\Users\Admin\AppData\Local\Temp\b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\1xfrfxr.exec:\1xfrfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\3fxrlxr.exec:\3fxrlxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\hbthhb.exec:\hbthhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\dddpd.exec:\dddpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\ddpdp.exec:\ddpdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\3lfrlfx.exec:\3lfrlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\tthhtn.exec:\tthhtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\bnthnn.exec:\bnthnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\ddvvj.exec:\ddvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\1fxxlfr.exec:\1fxxlfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\bhhbth.exec:\bhhbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\pjjdv.exec:\pjjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\xxlfrrl.exec:\xxlfrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\tbtthb.exec:\tbtthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\vvvpj.exec:\vvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\5lffllx.exec:\5lffllx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\jppjd.exec:\jppjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\pjdvj.exec:\pjdvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\fxlffxx.exec:\fxlffxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\vjddp.exec:\vjddp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\lrlxlrf.exec:\lrlxlrf.exe23⤵
- Executes dropped EXE
PID:4960 -
\??\c:\3rlrfxf.exec:\3rlrfxf.exe24⤵
- Executes dropped EXE
PID:5048 -
\??\c:\3ppjv.exec:\3ppjv.exe25⤵
- Executes dropped EXE
PID:1084 -
\??\c:\lrrfxfx.exec:\lrrfxfx.exe26⤵
- Executes dropped EXE
PID:2108 -
\??\c:\rxxxxxl.exec:\rxxxxxl.exe27⤵
- Executes dropped EXE
PID:3156 -
\??\c:\hthbhh.exec:\hthbhh.exe28⤵
- Executes dropped EXE
PID:1424 -
\??\c:\1pjvp.exec:\1pjvp.exe29⤵
- Executes dropped EXE
PID:3228 -
\??\c:\xrxxlll.exec:\xrxxlll.exe30⤵
- Executes dropped EXE
PID:4964 -
\??\c:\5hnbnh.exec:\5hnbnh.exe31⤵
- Executes dropped EXE
PID:1600 -
\??\c:\djjdp.exec:\djjdp.exe32⤵
- Executes dropped EXE
PID:4104 -
\??\c:\pdjdv.exec:\pdjdv.exe33⤵
- Executes dropped EXE
PID:3680 -
\??\c:\1rxrxxr.exec:\1rxrxxr.exe34⤵
- Executes dropped EXE
PID:4604 -
\??\c:\xxrxfxl.exec:\xxrxfxl.exe35⤵
- Executes dropped EXE
PID:1720 -
\??\c:\bbbhbb.exec:\bbbhbb.exe36⤵
- Executes dropped EXE
PID:3968 -
\??\c:\5dpjd.exec:\5dpjd.exe37⤵
- Executes dropped EXE
PID:3552 -
\??\c:\djdjd.exec:\djdjd.exe38⤵
- Executes dropped EXE
PID:844 -
\??\c:\llrlxrf.exec:\llrlxrf.exe39⤵
- Executes dropped EXE
PID:412 -
\??\c:\9bhhtn.exec:\9bhhtn.exe40⤵
- Executes dropped EXE
PID:4152 -
\??\c:\tnthtn.exec:\tnthtn.exe41⤵
- Executes dropped EXE
PID:2052 -
\??\c:\dpjpj.exec:\dpjpj.exe42⤵
- Executes dropped EXE
PID:1568 -
\??\c:\vdpjv.exec:\vdpjv.exe43⤵
- Executes dropped EXE
PID:496 -
\??\c:\frlfxxr.exec:\frlfxxr.exe44⤵
- Executes dropped EXE
PID:2732 -
\??\c:\7hhtnb.exec:\7hhtnb.exe45⤵
- Executes dropped EXE
PID:4316 -
\??\c:\nbttnn.exec:\nbttnn.exe46⤵
- Executes dropped EXE
PID:264 -
\??\c:\5vpdv.exec:\5vpdv.exe47⤵
- Executes dropped EXE
PID:1396 -
\??\c:\9dvjd.exec:\9dvjd.exe48⤵
- Executes dropped EXE
PID:2264 -
\??\c:\7lxfllx.exec:\7lxfllx.exe49⤵
- Executes dropped EXE
PID:1256 -
\??\c:\7bbtnn.exec:\7bbtnn.exe50⤵
- Executes dropped EXE
PID:5060 -
\??\c:\nntnnh.exec:\nntnnh.exe51⤵
- Executes dropped EXE
PID:3976 -
\??\c:\dpvjv.exec:\dpvjv.exe52⤵
- Executes dropped EXE
PID:1832 -
\??\c:\vpvjd.exec:\vpvjd.exe53⤵
- Executes dropped EXE
PID:2600 -
\??\c:\fffrxrx.exec:\fffrxrx.exe54⤵
- Executes dropped EXE
PID:4016 -
\??\c:\fxffxrx.exec:\fxffxrx.exe55⤵
- Executes dropped EXE
PID:4296 -
\??\c:\ffxlfxl.exec:\ffxlfxl.exe56⤵
- Executes dropped EXE
PID:940 -
\??\c:\3hbthb.exec:\3hbthb.exe57⤵
- Executes dropped EXE
PID:984 -
\??\c:\hbbnbt.exec:\hbbnbt.exe58⤵
- Executes dropped EXE
PID:5084 -
\??\c:\9ppdv.exec:\9ppdv.exe59⤵
- Executes dropped EXE
PID:1616 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe60⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xlxrrll.exec:\xlxrrll.exe61⤵
- Executes dropped EXE
PID:3952 -
\??\c:\bbbthb.exec:\bbbthb.exe62⤵
- Executes dropped EXE
PID:3272 -
\??\c:\pvvpd.exec:\pvvpd.exe63⤵
- Executes dropped EXE
PID:2068 -
\??\c:\vddvd.exec:\vddvd.exe64⤵
- Executes dropped EXE
PID:3164 -
\??\c:\9xrlxxr.exec:\9xrlxxr.exe65⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xrrfrxl.exec:\xrrfrxl.exe66⤵PID:4596
-
\??\c:\hthbnh.exec:\hthbnh.exe67⤵PID:2636
-
\??\c:\5pjdp.exec:\5pjdp.exe68⤵PID:3896
-
\??\c:\djjvp.exec:\djjvp.exe69⤵PID:4376
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe70⤵PID:2684
-
\??\c:\5lfxrlf.exec:\5lfxrlf.exe71⤵PID:4076
-
\??\c:\7vvpv.exec:\7vvpv.exe72⤵PID:1564
-
\??\c:\jjdpd.exec:\jjdpd.exe73⤵PID:3408
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe74⤵PID:640
-
\??\c:\9tbthb.exec:\9tbthb.exe75⤵PID:2172
-
\??\c:\1hbttn.exec:\1hbttn.exe76⤵PID:2160
-
\??\c:\jdpdd.exec:\jdpdd.exe77⤵PID:3704
-
\??\c:\7vpdv.exec:\7vpdv.exe78⤵PID:4960
-
\??\c:\9xxrfxr.exec:\9xxrfxr.exe79⤵PID:1588
-
\??\c:\hnnhbb.exec:\hnnhbb.exe80⤵PID:3120
-
\??\c:\9thbbb.exec:\9thbbb.exe81⤵PID:1084
-
\??\c:\1bhbnh.exec:\1bhbnh.exe82⤵PID:2088
-
\??\c:\vpjvp.exec:\vpjvp.exe83⤵PID:4812
-
\??\c:\7rxlrlx.exec:\7rxlrlx.exe84⤵PID:4408
-
\??\c:\3fxxfxl.exec:\3fxxfxl.exe85⤵PID:1420
-
\??\c:\thnbbt.exec:\thnbbt.exe86⤵PID:2936
-
\??\c:\3bhtbb.exec:\3bhtbb.exe87⤵PID:1432
-
\??\c:\pjvpd.exec:\pjvpd.exe88⤵PID:4092
-
\??\c:\pjdvp.exec:\pjdvp.exe89⤵PID:1164
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe90⤵PID:2772
-
\??\c:\xlfxxrf.exec:\xlfxxrf.exe91⤵PID:4352
-
\??\c:\1nhhtn.exec:\1nhhtn.exe92⤵PID:5052
-
\??\c:\1nnhtn.exec:\1nnhtn.exe93⤵PID:4804
-
\??\c:\djjjv.exec:\djjjv.exe94⤵PID:3620
-
\??\c:\jvjvj.exec:\jvjvj.exe95⤵PID:1248
-
\??\c:\1rffrlx.exec:\1rffrlx.exe96⤵PID:3344
-
\??\c:\9fxrlrl.exec:\9fxrlrl.exe97⤵PID:2972
-
\??\c:\3hnnnn.exec:\3hnnnn.exe98⤵PID:1680
-
\??\c:\thtnhb.exec:\thtnhb.exe99⤵PID:4424
-
\??\c:\ppdvp.exec:\ppdvp.exe100⤵PID:2908
-
\??\c:\1xxxllx.exec:\1xxxllx.exe101⤵PID:4792
-
\??\c:\hnbbnb.exec:\hnbbnb.exe102⤵PID:4688
-
\??\c:\btnbnh.exec:\btnbnh.exe103⤵PID:2584
-
\??\c:\pjvpv.exec:\pjvpv.exe104⤵PID:1148
-
\??\c:\dvpjp.exec:\dvpjp.exe105⤵PID:2184
-
\??\c:\5ffrlll.exec:\5ffrlll.exe106⤵PID:4012
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe107⤵PID:1208
-
\??\c:\bnthhb.exec:\bnthhb.exe108⤵PID:1980
-
\??\c:\9jvjv.exec:\9jvjv.exe109⤵PID:4472
-
\??\c:\pjpdj.exec:\pjpdj.exe110⤵PID:5056
-
\??\c:\dpvpv.exec:\dpvpv.exe111⤵PID:4524
-
\??\c:\3rlfrrf.exec:\3rlfrrf.exe112⤵PID:1556
-
\??\c:\5btnbt.exec:\5btnbt.exe113⤵PID:5064
-
\??\c:\7bbtnh.exec:\7bbtnh.exe114⤵PID:1488
-
\??\c:\dvpdp.exec:\dvpdp.exe115⤵PID:1336
-
\??\c:\jvpdv.exec:\jvpdv.exe116⤵PID:936
-
\??\c:\xrfrlfx.exec:\xrfrlfx.exe117⤵PID:2564
-
\??\c:\flrlfxr.exec:\flrlfxr.exe118⤵PID:2504
-
\??\c:\ntnnhb.exec:\ntnnhb.exe119⤵PID:4216
-
\??\c:\bntnbt.exec:\bntnbt.exe120⤵PID:868
-
\??\c:\vpvpd.exec:\vpvpd.exe121⤵PID:3248
-
\??\c:\dpvdd.exec:\dpvdd.exe122⤵PID:2068
-