Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 03:41
Behavioral task
behavioral1
Sample
cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe
-
Size
465KB
-
MD5
fbd44c573c4cf8de8152ba147cfd040b
-
SHA1
cc20943f8f211b0fd608c22388f537cf6356b5d2
-
SHA256
cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3
-
SHA512
1cb44b62bc5796e14fb8b48d4c3c5725b0752e3a9be9b38280bbc774bfcb287132c26e16f6f2866088376abc56b0b41c82c034173c13f00052ac08b2f47b2fc4
-
SSDEEP
12288:J4wFHoSTeR0oQRkay+eFp3IDvSbh5nPVP+OKaf1V2:VeR0oykayRFp3lztP+OKaf1V2
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4640-8-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1928-25-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3496-30-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1300-19-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4852-12-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3432-37-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1592-6-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/448-56-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/448-50-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2560-48-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1932-62-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2772-75-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3424-107-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2300-105-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1416-142-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4216-176-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3168-209-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/212-226-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4276-236-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2256-249-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4352-260-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon 
behavioral2/memory/4416-280-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3184-296-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3424-318-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4120-335-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3940-349-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/840-331-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1052-359-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2592-307-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4764-300-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/676-270-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/920-234-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/560-213-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1268-203-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1788-170-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3928-163-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2936-166-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1248-152-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/512-131-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4660-125-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2524-124-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4764-98-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon 
behavioral2/memory/3184-87-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/772-80-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1556-74-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1340-63-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3196-373-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4484-379-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2532-386-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/212-408-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/920-415-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/60-434-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2108-445-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/664-461-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2132-471-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2664-490-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/116-562-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1036-587-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/688-665-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4956-679-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/888-703-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2672-707-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4568-714-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon 
behavioral2/memory/772-921-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1592-0-0x0000000000400000-0x000000000043A000-memory.dmp UPX C:\rlxrrll.exe UPX behavioral2/memory/4640-8-0x0000000000400000-0x000000000043A000-memory.dmp UPX C:\ntbttb.exe UPX C:\pjjdd.exe UPX behavioral2/memory/1928-25-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\frrrrrr.exe UPX behavioral2/memory/3496-30-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\xfllrxl.exe UPX behavioral2/memory/1300-19-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4852-12-0x0000000000400000-0x000000000043A000-memory.dmp UPX C:\rlrlflf.exe UPX behavioral2/memory/3432-37-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/2560-43-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\tnnhhh.exe UPX behavioral2/memory/1592-6-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\9ddvv.exe UPX behavioral2/memory/448-56-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\fxrlxxr.exe UPX behavioral2/memory/448-50-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/2560-48-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/1932-62-0x0000000000400000-0x000000000043A000-memory.dmp UPX C:\nhhbtt.exe UPX \??\c:\dpvpp.exe UPX behavioral2/memory/2772-75-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\thhbtt.exe UPX behavioral2/memory/4764-93-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\tbthbt.exe UPX \??\c:\5bhhbb.exe UPX behavioral2/memory/3424-107-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\ddjvp.exe UPX behavioral2/memory/2300-105-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\vvvvp.exe UPX behavioral2/memory/1416-142-0x0000000000400000-0x000000000043A000-memory.dmp UPX \??\c:\rllfxxx.exe UPX C:\hbnhhh.exe UPX \??\c:\ppdjj.exe UPX C:\rffxrlf.exe UPX C:\dpvpv.exe UPX \??\c:\lxxrllf.exe UPX behavioral2/memory/4216-176-0x0000000000400000-0x000000000043A000-memory.dmp UPX 
behavioral2/memory/1892-198-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/3168-209-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/212-226-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/3280-230-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4276-236-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/2256-249-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4352-260-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4416-280-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/3184-296-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/3424-318-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/3424-314-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4120-335-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/3940-349-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4196-345-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/840-331-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/1052-359-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/2592-307-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4764-300-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/676-270-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/4352-256-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/920-234-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/560-213-0x0000000000400000-0x000000000043A000-memory.dmp UPX behavioral2/memory/1268-203-0x0000000000400000-0x000000000043A000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
rlxrrll.exe ntbttb.exe pjjdd.exe xfllrxl.exe frrrrrr.exe rlrlflf.exe tnnhhh.exe 9ddvv.exe fxrlxxr.exe xlxlffx.exe nhhbtt.exe dpvpp.exe lflfxfx.exe thhbtt.exe tbthbt.exe bbtnhh.exe 5bhhbb.exe ddjvp.exe vvvvp.exe pvpjv.exe flllxxr.exe nhtnbb.exe vjvpp.exe rllfxxx.exe hbnhhh.exe ppdjj.exe llflffx.exe rffxrlf.exe hhbtbb.exe dpvpv.exe lxxrllf.exe bnbtnh.exe djpjj.exe vjdvp.exe nbtnhh.exe bbnhhn.exe ppjjd.exe xxffxxl.exe xffxrlf.exe ttnbbn.exe vvpjd.exe xfffxxr.exe fxxlffx.exe hnnhhh.exe frxxrrl.exe llrlfff.exe hthbnn.exe vvpjd.exe jvjdp.exe lffxrrl.exe hnttnn.exe thhbtt.exe jdpjd.exe xflffrr.exe lfrlfxf.exe ntbtnh.exe jdpvp.exe dvddd.exe ffflrrx.exe bhnhhh.exe tbbhtt.exe dpjdv.exe dvvpd.exe rxfxxff.exe pid process 4640 rlxrrll.exe 4852 ntbttb.exe 1300 pjjdd.exe 1928 xfllrxl.exe 3496 frrrrrr.exe 3432 rlrlflf.exe 2560 tnnhhh.exe 448 9ddvv.exe 1932 fxrlxxr.exe 1340 xlxlffx.exe 1556 nhhbtt.exe 2772 dpvpp.exe 772 lflfxfx.exe 3184 thhbtt.exe 4764 tbthbt.exe 2300 bbtnhh.exe 3424 5bhhbb.exe 4292 ddjvp.exe 2524 vvvvp.exe 4660 pvpjv.exe 512 flllxxr.exe 2816 nhtnbb.exe 1416 vjvpp.exe 3176 rllfxxx.exe 1248 hbnhhh.exe 2936 ppdjj.exe 3928 llflffx.exe 1788 rffxrlf.exe 4216 hhbtbb.exe 4996 dpvpv.exe 3480 lxxrllf.exe 4144 bnbtnh.exe 1228 djpjj.exe 1892 vjdvp.exe 1268 nbtnhh.exe 2948 bbnhhn.exe 3168 ppjjd.exe 560 xxffxxl.exe 4392 xffxrlf.exe 536 ttnbbn.exe 212 vvpjd.exe 4296 xfffxxr.exe 3280 fxxlffx.exe 920 hnnhhh.exe 3360 frxxrrl.exe 2904 llrlfff.exe 2256 hthbnn.exe 3012 vvpjd.exe 4184 jvjdp.exe 4352 lffxrrl.exe 516 hnttnn.exe 2560 thhbtt.exe 392 jdpjd.exe 676 xflffrr.exe 2108 lfrlfxf.exe 5032 ntbtnh.exe 4416 jdpvp.exe 2972 dvddd.exe 1556 ffflrrx.exe 3972 bhnhhh.exe 4756 tbbhtt.exe 3184 dpjdv.exe 4764 dvvpd.exe 2592 rxfxxff.exe -
Processes:
resource yara_rule behavioral2/memory/1592-0-0x0000000000400000-0x000000000043A000-memory.dmp upx C:\rlxrrll.exe upx behavioral2/memory/4640-8-0x0000000000400000-0x000000000043A000-memory.dmp upx C:\ntbttb.exe upx C:\pjjdd.exe upx behavioral2/memory/1928-25-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\frrrrrr.exe upx behavioral2/memory/3496-30-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\xfllrxl.exe upx behavioral2/memory/1300-19-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4852-12-0x0000000000400000-0x000000000043A000-memory.dmp upx C:\rlrlflf.exe upx behavioral2/memory/3432-37-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2560-43-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\tnnhhh.exe upx behavioral2/memory/1592-6-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\9ddvv.exe upx behavioral2/memory/448-56-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\fxrlxxr.exe upx behavioral2/memory/448-50-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2560-48-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1932-62-0x0000000000400000-0x000000000043A000-memory.dmp upx C:\nhhbtt.exe upx \??\c:\dpvpp.exe upx behavioral2/memory/2772-75-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\thhbtt.exe upx behavioral2/memory/4764-93-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\tbthbt.exe upx \??\c:\5bhhbb.exe upx behavioral2/memory/3424-107-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\ddjvp.exe upx behavioral2/memory/2300-105-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\vvvvp.exe upx behavioral2/memory/1416-142-0x0000000000400000-0x000000000043A000-memory.dmp upx \??\c:\rllfxxx.exe upx C:\hbnhhh.exe upx \??\c:\ppdjj.exe upx C:\rffxrlf.exe upx C:\dpvpv.exe upx \??\c:\lxxrllf.exe upx behavioral2/memory/4216-176-0x0000000000400000-0x000000000043A000-memory.dmp upx 
behavioral2/memory/1892-198-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3168-209-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/212-226-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3280-230-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4276-236-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2256-249-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4352-260-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4416-280-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3184-296-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3424-318-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3424-314-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4120-335-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3940-349-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4196-345-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/840-331-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1052-359-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2592-307-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4764-300-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/676-270-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4352-256-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/920-234-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/560-213-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1268-203-0x0000000000400000-0x000000000043A000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe rlxrrll.exe ntbttb.exe pjjdd.exe xfllrxl.exe frrrrrr.exe rlrlflf.exe tnnhhh.exe 9ddvv.exe fxrlxxr.exe xlxlffx.exe nhhbtt.exe dpvpp.exe lflfxfx.exe thhbtt.exe tbthbt.exe bbtnhh.exe 5bhhbb.exe ddjvp.exe vvvvp.exe pvpjv.exe flllxxr.exe description pid process target process PID 1592 wrote to memory of 4640 1592 cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe rlxrrll.exe PID 1592 wrote to memory of 4640 1592 cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe rlxrrll.exe PID 1592 wrote to memory of 4640 1592 cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe rlxrrll.exe PID 4640 wrote to memory of 4852 4640 rlxrrll.exe ntbttb.exe PID 4640 wrote to memory of 4852 4640 rlxrrll.exe ntbttb.exe PID 4640 wrote to memory of 4852 4640 rlxrrll.exe ntbttb.exe PID 4852 wrote to memory of 1300 4852 ntbttb.exe pjjdd.exe PID 4852 wrote to memory of 1300 4852 ntbttb.exe pjjdd.exe PID 4852 wrote to memory of 1300 4852 ntbttb.exe pjjdd.exe PID 1300 wrote to memory of 1928 1300 pjjdd.exe xfllrxl.exe PID 1300 wrote to memory of 1928 1300 pjjdd.exe xfllrxl.exe PID 1300 wrote to memory of 1928 1300 pjjdd.exe xfllrxl.exe PID 1928 wrote to memory of 3496 1928 xfllrxl.exe frrrrrr.exe PID 1928 wrote to memory of 3496 1928 xfllrxl.exe frrrrrr.exe PID 1928 wrote to memory of 3496 1928 xfllrxl.exe frrrrrr.exe PID 3496 wrote to memory of 3432 3496 frrrrrr.exe rlrlflf.exe PID 3496 wrote to memory of 3432 3496 frrrrrr.exe rlrlflf.exe PID 3496 wrote to memory of 3432 3496 frrrrrr.exe rlrlflf.exe PID 3432 wrote to memory of 2560 3432 rlrlflf.exe thhbtt.exe PID 3432 wrote to memory of 2560 3432 rlrlflf.exe thhbtt.exe PID 3432 wrote to memory of 2560 3432 rlrlflf.exe thhbtt.exe PID 2560 wrote to memory of 448 2560 tnnhhh.exe 9ddvv.exe PID 2560 wrote to memory of 448 2560 tnnhhh.exe 9ddvv.exe PID 2560 wrote to memory of 448 2560 tnnhhh.exe 9ddvv.exe PID 448 wrote to memory of 1932 448 9ddvv.exe 
fxrlxxr.exe PID 448 wrote to memory of 1932 448 9ddvv.exe fxrlxxr.exe PID 448 wrote to memory of 1932 448 9ddvv.exe fxrlxxr.exe PID 1932 wrote to memory of 1340 1932 fxrlxxr.exe xlxlffx.exe PID 1932 wrote to memory of 1340 1932 fxrlxxr.exe xlxlffx.exe PID 1932 wrote to memory of 1340 1932 fxrlxxr.exe xlxlffx.exe PID 1340 wrote to memory of 1556 1340 xlxlffx.exe ffflrrx.exe PID 1340 wrote to memory of 1556 1340 xlxlffx.exe ffflrrx.exe PID 1340 wrote to memory of 1556 1340 xlxlffx.exe ffflrrx.exe PID 1556 wrote to memory of 2772 1556 nhhbtt.exe dpvpp.exe PID 1556 wrote to memory of 2772 1556 nhhbtt.exe dpvpp.exe PID 1556 wrote to memory of 2772 1556 nhhbtt.exe dpvpp.exe PID 2772 wrote to memory of 772 2772 dpvpp.exe lflfxfx.exe PID 2772 wrote to memory of 772 2772 dpvpp.exe lflfxfx.exe PID 2772 wrote to memory of 772 2772 dpvpp.exe lflfxfx.exe PID 772 wrote to memory of 3184 772 lflfxfx.exe thhbtt.exe PID 772 wrote to memory of 3184 772 lflfxfx.exe thhbtt.exe PID 772 wrote to memory of 3184 772 lflfxfx.exe thhbtt.exe PID 3184 wrote to memory of 4764 3184 thhbtt.exe dvvpd.exe PID 3184 wrote to memory of 4764 3184 thhbtt.exe dvvpd.exe PID 3184 wrote to memory of 4764 3184 thhbtt.exe dvvpd.exe PID 4764 wrote to memory of 2300 4764 tbthbt.exe bbtnhh.exe PID 4764 wrote to memory of 2300 4764 tbthbt.exe bbtnhh.exe PID 4764 wrote to memory of 2300 4764 tbthbt.exe bbtnhh.exe PID 2300 wrote to memory of 3424 2300 bbtnhh.exe 5bhhbb.exe PID 2300 wrote to memory of 3424 2300 bbtnhh.exe 5bhhbb.exe PID 2300 wrote to memory of 3424 2300 bbtnhh.exe 5bhhbb.exe PID 3424 wrote to memory of 4292 3424 5bhhbb.exe ddjvp.exe PID 3424 wrote to memory of 4292 3424 5bhhbb.exe ddjvp.exe PID 3424 wrote to memory of 4292 3424 5bhhbb.exe ddjvp.exe PID 4292 wrote to memory of 2524 4292 ddjvp.exe bnbtth.exe PID 4292 wrote to memory of 2524 4292 ddjvp.exe bnbtth.exe PID 4292 wrote to memory of 2524 4292 ddjvp.exe bnbtth.exe PID 2524 wrote to memory of 4660 2524 vvvvp.exe pvpjv.exe PID 2524 wrote to 
memory of 4660 2524 vvvvp.exe pvpjv.exe PID 2524 wrote to memory of 4660 2524 vvvvp.exe pvpjv.exe PID 4660 wrote to memory of 512 4660 pvpjv.exe flllxxr.exe PID 4660 wrote to memory of 512 4660 pvpjv.exe flllxxr.exe PID 4660 wrote to memory of 512 4660 pvpjv.exe flllxxr.exe PID 512 wrote to memory of 2816 512 flllxxr.exe nhtnbb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe"C:\Users\Admin\AppData\Local\Temp\cd0af4defeaf7861834589eb89091ceb4fb7a81c59a25a01d66779fd74635ce3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\rlxrrll.exec:\rlxrrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\ntbttb.exec:\ntbttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\pjjdd.exec:\pjjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\xfllrxl.exec:\xfllrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\frrrrrr.exec:\frrrrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\rlrlflf.exec:\rlrlflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\tnnhhh.exec:\tnnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\9ddvv.exec:\9ddvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\xlxlffx.exec:\xlxlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\nhhbtt.exec:\nhhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\dpvpp.exec:\dpvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\lflfxfx.exec:\lflfxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\thhbtt.exec:\thhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\tbthbt.exec:\tbthbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\bbtnhh.exec:\bbtnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\5bhhbb.exec:\5bhhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\ddjvp.exec:\ddjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\vvvvp.exec:\vvvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\pvpjv.exec:\pvpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\flllxxr.exec:\flllxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\nhtnbb.exec:\nhtnbb.exe23⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vjvpp.exec:\vjvpp.exe24⤵
- Executes dropped EXE
PID:1416 -
\??\c:\rllfxxx.exec:\rllfxxx.exe25⤵
- Executes dropped EXE
PID:3176 -
\??\c:\hbnhhh.exec:\hbnhhh.exe26⤵
- Executes dropped EXE
PID:1248 -
\??\c:\ppdjj.exec:\ppdjj.exe27⤵
- Executes dropped EXE
PID:2936 -
\??\c:\llflffx.exec:\llflffx.exe28⤵
- Executes dropped EXE
PID:3928 -
\??\c:\rffxrlf.exec:\rffxrlf.exe29⤵
- Executes dropped EXE
PID:1788 -
\??\c:\hhbtbb.exec:\hhbtbb.exe30⤵
- Executes dropped EXE
PID:4216 -
\??\c:\dpvpv.exec:\dpvpv.exe31⤵
- Executes dropped EXE
PID:4996 -
\??\c:\lxxrllf.exec:\lxxrllf.exe32⤵
- Executes dropped EXE
PID:3480 -
\??\c:\bnbtnh.exec:\bnbtnh.exe33⤵
- Executes dropped EXE
PID:4144 -
\??\c:\djpjj.exec:\djpjj.exe34⤵
- Executes dropped EXE
PID:1228 -
\??\c:\vjdvp.exec:\vjdvp.exe35⤵
- Executes dropped EXE
PID:1892 -
\??\c:\nbtnhh.exec:\nbtnhh.exe36⤵
- Executes dropped EXE
PID:1268 -
\??\c:\bbnhhn.exec:\bbnhhn.exe37⤵
- Executes dropped EXE
PID:2948 -
\??\c:\ppjjd.exec:\ppjjd.exe38⤵
- Executes dropped EXE
PID:3168 -
\??\c:\xxffxxl.exec:\xxffxxl.exe39⤵
- Executes dropped EXE
PID:560 -
\??\c:\xffxrlf.exec:\xffxrlf.exe40⤵
- Executes dropped EXE
PID:4392 -
\??\c:\ttnbbn.exec:\ttnbbn.exe41⤵
- Executes dropped EXE
PID:536 -
\??\c:\vvpjd.exec:\vvpjd.exe42⤵
- Executes dropped EXE
PID:212 -
\??\c:\xfffxxr.exec:\xfffxxr.exe43⤵
- Executes dropped EXE
PID:4296 -
\??\c:\fxxlffx.exec:\fxxlffx.exe44⤵
- Executes dropped EXE
PID:3280 -
\??\c:\hnnhhh.exec:\hnnhhh.exe45⤵
- Executes dropped EXE
PID:920 -
\??\c:\ppvpj.exec:\ppvpj.exe46⤵PID:4276
-
\??\c:\frxxrrl.exec:\frxxrrl.exe47⤵
- Executes dropped EXE
PID:3360 -
\??\c:\llrlfff.exec:\llrlfff.exe48⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hthbnn.exec:\hthbnn.exe49⤵
- Executes dropped EXE
PID:2256 -
\??\c:\vvpjd.exec:\vvpjd.exe50⤵
- Executes dropped EXE
PID:3012 -
\??\c:\jvjdp.exec:\jvjdp.exe51⤵
- Executes dropped EXE
PID:4184 -
\??\c:\lffxrrl.exec:\lffxrrl.exe52⤵
- Executes dropped EXE
PID:4352 -
\??\c:\hnttnn.exec:\hnttnn.exe53⤵
- Executes dropped EXE
PID:516 -
\??\c:\thhbtt.exec:\thhbtt.exe54⤵
- Executes dropped EXE
PID:2560 -
\??\c:\jdpjd.exec:\jdpjd.exe55⤵
- Executes dropped EXE
PID:392 -
\??\c:\xflffrr.exec:\xflffrr.exe56⤵
- Executes dropped EXE
PID:676 -
\??\c:\lfrlfxf.exec:\lfrlfxf.exe57⤵
- Executes dropped EXE
PID:2108 -
\??\c:\ntbtnh.exec:\ntbtnh.exe58⤵
- Executes dropped EXE
PID:5032 -
\??\c:\jdpvp.exec:\jdpvp.exe59⤵
- Executes dropped EXE
PID:4416 -
\??\c:\dvddd.exec:\dvddd.exe60⤵
- Executes dropped EXE
PID:2972 -
\??\c:\ffflrrx.exec:\ffflrrx.exe61⤵
- Executes dropped EXE
PID:1556 -
\??\c:\bhnhhh.exec:\bhnhhh.exe62⤵
- Executes dropped EXE
PID:3972 -
\??\c:\tbbhtt.exec:\tbbhtt.exe63⤵
- Executes dropped EXE
PID:4756 -
\??\c:\dpjdv.exec:\dpjdv.exe64⤵
- Executes dropped EXE
PID:3184 -
\??\c:\dvvpd.exec:\dvvpd.exe65⤵
- Executes dropped EXE
PID:4764 -
\??\c:\rxfxxff.exec:\rxfxxff.exe66⤵
- Executes dropped EXE
PID:2592 -
\??\c:\hbhhnn.exec:\hbhhnn.exe67⤵PID:1584
-
\??\c:\nhnhhb.exec:\nhnhhb.exe68⤵PID:4336
-
\??\c:\pjjvd.exec:\pjjvd.exe69⤵PID:3424
-
\??\c:\xfllffl.exec:\xfllffl.exe70⤵PID:4792
-
\??\c:\rrxlrrl.exec:\rrxlrrl.exe71⤵PID:4924
-
\??\c:\bnbtth.exec:\bnbtth.exe72⤵PID:2524
-
\??\c:\pvvdv.exec:\pvvdv.exe73⤵PID:840
-
\??\c:\jpppj.exec:\jpppj.exe74⤵PID:636
-
\??\c:\xflxrfx.exec:\xflxrfx.exe75⤵PID:4120
-
\??\c:\lfrlfrl.exec:\lfrlfrl.exe76⤵PID:1532
-
\??\c:\htbbbb.exec:\htbbbb.exe77⤵PID:3176
-
\??\c:\3jvvp.exec:\3jvvp.exe78⤵PID:4196
-
\??\c:\vpvjv.exec:\vpvjv.exe79⤵PID:3940
-
\??\c:\xlffrrr.exec:\xlffrrr.exe80⤵PID:316
-
\??\c:\bnnhhb.exec:\bnnhhb.exe81⤵PID:1052
-
\??\c:\hhhhhh.exec:\hhhhhh.exe82⤵PID:1788
-
\??\c:\jpvvp.exec:\jpvvp.exe83⤵PID:3840
-
\??\c:\xrllfrx.exec:\xrllfrx.exe84⤵PID:3464
-
\??\c:\lllllff.exec:\lllllff.exe85⤵PID:888
-
\??\c:\btnnhh.exec:\btnnhh.exe86⤵PID:3196
-
\??\c:\vjdvj.exec:\vjdvj.exe87⤵PID:4484
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe88⤵PID:4324
-
\??\c:\5ntbhb.exec:\5ntbhb.exe89⤵PID:2532
-
\??\c:\7ttnhh.exec:\7ttnhh.exe90⤵PID:3488
-
\??\c:\vppdv.exec:\vppdv.exe91⤵PID:4156
-
\??\c:\frlfxfx.exec:\frlfxfx.exe92⤵PID:4596
-
\??\c:\nntbnh.exec:\nntbnh.exe93⤵PID:4804
-
\??\c:\vvvvv.exec:\vvvvv.exe94⤵PID:3992
-
\??\c:\xffxlfx.exec:\xffxlfx.exe95⤵PID:2068
-
\??\c:\llxxffl.exec:\llxxffl.exe96⤵PID:5088
-
\??\c:\nthbtt.exec:\nthbtt.exe97⤵PID:212
-
\??\c:\pvvvp.exec:\pvvvp.exe98⤵PID:1064
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe99⤵PID:920
-
\??\c:\xrrlffx.exec:\xrrlffx.exe100⤵PID:1772
-
\??\c:\hhnnnb.exec:\hhnnnb.exe101⤵PID:4516
-
\??\c:\pjjjj.exec:\pjjjj.exe102⤵PID:3012
-
\??\c:\vvdvp.exec:\vvdvp.exe103⤵PID:1332
-
\??\c:\llxrlff.exec:\llxrlff.exe104⤵PID:4388
-
\??\c:\hbhhbn.exec:\hbhhbn.exe105⤵PID:60
-
\??\c:\bhnhbb.exec:\bhnhbb.exe106⤵PID:3200
-
\??\c:\dvvpj.exec:\dvvpj.exe107⤵PID:3380
-
\??\c:\fxxxfll.exec:\fxxxfll.exe108⤵PID:2108
-
\??\c:\jdppp.exec:\jdppp.exe109⤵PID:1664
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe110⤵PID:1736
-
\??\c:\bhtnhh.exec:\bhtnhh.exe111⤵PID:2940
-
\??\c:\vpdjp.exec:\vpdjp.exe112⤵PID:5064
-
\??\c:\hbhhbh.exec:\hbhhbh.exe113⤵PID:664
-
\??\c:\dvvvd.exec:\dvvvd.exe114⤵PID:4060
-
\??\c:\nhhhbh.exec:\nhhhbh.exe115⤵PID:3184
-
\??\c:\djdjd.exec:\djdjd.exe116⤵PID:2132
-
\??\c:\bhbbhh.exec:\bhbbhh.exe117⤵PID:2268
-
\??\c:\rxffxxr.exec:\rxffxxr.exe118⤵PID:5080
-
\??\c:\hhnnht.exec:\hhnnht.exe119⤵PID:3816
-
\??\c:\jjvpj.exec:\jjvpj.exe120⤵PID:4116
-
\??\c:\xfxxxxr.exec:\xfxxxxr.exe121⤵PID:3632
-
\??\c:\hthhbb.exec:\hthhbb.exe122⤵PID:2664