Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 03:11
Behavioral task
behavioral1
Sample
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe
-
Size
441KB
-
MD5
03ce133841edd02b31f0e33bae1342ff
-
SHA1
221703d523315cfe2cd4636cdbc2a6cc278c34cd
-
SHA256
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8
-
SHA512
d79209eca8238c3181d4dfbc34af265f51ff5ccaeb17d6f9e01c107c5bcc4ac019d77d485579a52195434e9e5f1fa8d0aafa2011966a0f4ce40e7142b88f077e
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH5t:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMR
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4748-6-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/64-8-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4056-17-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4540-24-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3952-29-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2172-60-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2840-58-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2636-75-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1984-83-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/920-99-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4532-98-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1612-110-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3528-163-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2236-160-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1212-182-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4828-188-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4504-210-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1156-209-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4588-233-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4160-240-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1732-250-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/1856-255-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1496-276-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5080-281-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2824-323-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4676-341-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1476-407-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3944-475-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3852-483-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3184-573-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4884-538-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3764-591-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1620-476-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4984-429-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1668-424-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3520-403-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2340-396-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2588-383-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4688-367-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2140-361-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3384-324-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/632-288-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/5080-277-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2708-272-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4276-265-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4892-254-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2904-232-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4456-225-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4556-221-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4308-214-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3064-202-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1032-142-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5060-135-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1204-130-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3352-127-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4924-117-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/400-115-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4248-81-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1424-41-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4524-669-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4380-851-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2168-880-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3000-946-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/3552-985-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4748-0-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\xrrrlrl.exe UPX behavioral2/memory/4748-6-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\hthnnn.exe UPX behavioral2/memory/64-8-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\9tttbh.exe UPX behavioral2/memory/4056-17-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4540-24-0x0000000000400000-0x0000000000434000-memory.dmp UPX \??\c:\9vdvd.exe UPX behavioral2/memory/3952-25-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/3764-31-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\thnhhb.exe UPX behavioral2/memory/3952-29-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\ffrlfxr.exe UPX \??\c:\llxrllf.exe UPX \??\c:\nnhbtt.exe UPX C:\httttb.exe UPX \??\c:\pvddv.exe UPX behavioral2/memory/2172-60-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/2840-58-0x0000000000400000-0x0000000000434000-memory.dmp UPX \??\c:\lrllffx.exe UPX \??\c:\ppddd.exe UPX behavioral2/memory/2636-75-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/1984-83-0x0000000000400000-0x0000000000434000-memory.dmp UPX \??\c:\pjvdv.exe UPX \??\c:\ffllfff.exe UPX \??\c:\lrrrlff.exe UPX behavioral2/memory/920-99-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4532-98-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/1612-110-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\lxxrllf.exe UPX \??\c:\5jjdj.exe UPX behavioral2/memory/3528-163-0x0000000000400000-0x0000000000434000-memory.dmp UPX \??\c:\5flflrx.exe UPX behavioral2/memory/2236-160-0x0000000000400000-0x0000000000434000-memory.dmp UPX \??\c:\pjjjd.exe UPX \??\c:\fxlllff.exe UPX behavioral2/memory/1212-182-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4828-188-0x0000000000400000-0x0000000000434000-memory.dmp UPX 
behavioral2/memory/3064-198-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4504-210-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/1156-209-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4588-233-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4160-240-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/1732-250-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/1856-255-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/1496-276-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/5080-281-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/2964-295-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/2824-323-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4676-341-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/1476-407-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4816-411-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4972-455-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/3944-475-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/3852-483-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/448-499-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4576-548-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/3184-573-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4884-538-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4908-580-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/4884-534-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral2/memory/2816-515-0x0000000000400000-0x0000000000434000-memory.dmp UPX 
behavioral2/memory/2856-584-0x0000000000400000-0x0000000000434000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
xrrrlrl.exehthnnn.exe9tttbh.exe9vdvd.exeffrlfxr.exethnhhb.exellxrllf.exennhbtt.exehttttb.exepvddv.exelrllffx.exethnhhh.exeppddd.exerlfxrll.exepjvdv.exeffllfff.exelrrrlff.exexffxrlf.exettbttt.exepjjjd.exeffxrlll.exeffxrrrl.exe1djdj.exexllfxrx.exelxxrllf.exenhbttt.exe5jjdj.exe5flflrx.exepjjjd.exefxlllff.exebbhbtt.exe1ntnhh.exe7jjdd.exexrrxfxf.exennbnnb.exepdpjd.exeppdpj.exe7xxxrxf.exebthhbb.exe9thhht.exejdppj.exeffllfrf.exe7xxrllf.exehhbnhh.exejdjdd.exepddvp.exerffxrrl.exexxxxlll.exehhtnbb.exevdjdd.exejppdp.exexflxxrl.exe1rxxxxl.exe5hhhbb.exepvdvp.exe9ddvp.exelflfxxf.exebtbnhb.exebtbthb.exevpvvd.exe1hnntt.exe1ppjd.exe7vvvp.exelxlrffr.exepid process 64 xrrrlrl.exe 4056 hthnnn.exe 4540 9tttbh.exe 3952 9vdvd.exe 3764 ffrlfxr.exe 1424 thnhhb.exe 3208 llxrllf.exe 4984 nnhbtt.exe 2840 httttb.exe 2172 pvddv.exe 3304 lrllffx.exe 2636 thnhhh.exe 1984 ppddd.exe 4248 rlfxrll.exe 2360 pjvdv.exe 4532 ffllfff.exe 920 lrrrlff.exe 1612 xffxrlf.exe 400 ttbttt.exe 4924 pjjjd.exe 3352 ffxrlll.exe 1204 ffxrrrl.exe 5060 1djdj.exe 1032 xllfxrx.exe 4348 lxxrllf.exe 4052 nhbttt.exe 2236 5jjdj.exe 3528 5flflrx.exe 2444 pjjjd.exe 968 fxlllff.exe 1212 bbhbtt.exe 3548 1ntnhh.exe 4828 7jjdd.exe 2312 xrrxfxf.exe 1600 nnbnnb.exe 3064 pdpjd.exe 1780 ppdpj.exe 1156 7xxxrxf.exe 4504 bthhbb.exe 4308 9thhht.exe 4556 jdppj.exe 1228 ffllfrf.exe 4456 7xxrllf.exe 2904 hhbnhh.exe 4588 jdjdd.exe 4628 pddvp.exe 4160 rffxrrl.exe 2424 xxxxlll.exe 1732 hhtnbb.exe 4892 vdjdd.exe 1856 jppdp.exe 1168 xflxxrl.exe 4976 1rxxxxl.exe 4276 5hhhbb.exe 2708 pvdvp.exe 1496 9ddvp.exe 5080 lflfxxf.exe 4672 btbnhb.exe 3192 btbthb.exe 632 vpvvd.exe 4248 1hnntt.exe 2964 1ppjd.exe 4532 7vvvp.exe 4552 lxlrffr.exe -
Processes:
resource yara_rule behavioral2/memory/4748-0-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\xrrrlrl.exe upx behavioral2/memory/4748-6-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\hthnnn.exe upx behavioral2/memory/64-8-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\9tttbh.exe upx behavioral2/memory/4056-17-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4540-24-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\9vdvd.exe upx behavioral2/memory/3952-25-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3764-31-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\thnhhb.exe upx behavioral2/memory/3952-29-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\ffrlfxr.exe upx \??\c:\llxrllf.exe upx \??\c:\nnhbtt.exe upx C:\httttb.exe upx \??\c:\pvddv.exe upx behavioral2/memory/2172-60-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2840-58-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\lrllffx.exe upx \??\c:\ppddd.exe upx behavioral2/memory/2636-75-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1984-83-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\pjvdv.exe upx \??\c:\ffllfff.exe upx \??\c:\lrrrlff.exe upx behavioral2/memory/920-99-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4532-98-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1612-110-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\lxxrllf.exe upx \??\c:\5jjdj.exe upx behavioral2/memory/3528-163-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\5flflrx.exe upx behavioral2/memory/2236-160-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\pjjjd.exe upx \??\c:\fxlllff.exe upx behavioral2/memory/1212-182-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4828-188-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral2/memory/3064-198-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4504-210-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1156-209-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4588-233-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4160-240-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1732-250-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1856-255-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1496-276-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/5080-281-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2964-295-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2824-323-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4676-341-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1476-407-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4816-411-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4972-455-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3944-475-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3852-483-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/448-499-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4576-548-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3184-573-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4884-538-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4908-580-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4884-534-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2816-515-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral2/memory/2856-584-0x0000000000400000-0x0000000000434000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exexrrrlrl.exehthnnn.exe9tttbh.exe9vdvd.exeffrlfxr.exethnhhb.exellxrllf.exennhbtt.exehttttb.exepvddv.exelrllffx.exethnhhh.exeppddd.exerlfxrll.exepjvdv.exeffllfff.exelrrrlff.exexffxrlf.exettbttt.exepjjjd.exeffxrlll.exedescription pid process target process PID 4748 wrote to memory of 64 4748 c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe jpdvp.exe PID 4748 wrote to memory of 64 4748 c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe jpdvp.exe PID 4748 wrote to memory of 64 4748 c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe jpdvp.exe PID 64 wrote to memory of 4056 64 xrrrlrl.exe hthnnn.exe PID 64 wrote to memory of 4056 64 xrrrlrl.exe hthnnn.exe PID 64 wrote to memory of 4056 64 xrrrlrl.exe hthnnn.exe PID 4056 wrote to memory of 4540 4056 hthnnn.exe ffxfrrf.exe PID 4056 wrote to memory of 4540 4056 hthnnn.exe ffxfrrf.exe PID 4056 wrote to memory of 4540 4056 hthnnn.exe ffxfrrf.exe PID 4540 wrote to memory of 3952 4540 9tttbh.exe hbntnb.exe PID 4540 wrote to memory of 3952 4540 9tttbh.exe hbntnb.exe PID 4540 wrote to memory of 3952 4540 9tttbh.exe hbntnb.exe PID 3952 wrote to memory of 3764 3952 9vdvd.exe rxfxlll.exe PID 3952 wrote to memory of 3764 3952 9vdvd.exe rxfxlll.exe PID 3952 wrote to memory of 3764 3952 9vdvd.exe rxfxlll.exe PID 3764 wrote to memory of 1424 3764 ffrlfxr.exe thnhhb.exe PID 3764 wrote to memory of 1424 3764 ffrlfxr.exe thnhhb.exe PID 3764 wrote to memory of 1424 3764 ffrlfxr.exe thnhhb.exe PID 1424 wrote to memory of 3208 1424 thnhhb.exe llxrllf.exe PID 1424 wrote to memory of 3208 1424 thnhhb.exe llxrllf.exe PID 1424 wrote to memory of 3208 1424 thnhhb.exe llxrllf.exe PID 3208 wrote to memory of 4984 3208 llxrllf.exe nnhbtt.exe PID 3208 wrote to memory of 4984 3208 llxrllf.exe nnhbtt.exe PID 3208 wrote to memory of 4984 3208 llxrllf.exe nnhbtt.exe PID 4984 wrote to memory of 2840 4984 nnhbtt.exe httttb.exe PID 4984 
wrote to memory of 2840 4984 nnhbtt.exe httttb.exe PID 4984 wrote to memory of 2840 4984 nnhbtt.exe httttb.exe PID 2840 wrote to memory of 2172 2840 httttb.exe pvddv.exe PID 2840 wrote to memory of 2172 2840 httttb.exe pvddv.exe PID 2840 wrote to memory of 2172 2840 httttb.exe pvddv.exe PID 2172 wrote to memory of 3304 2172 pvddv.exe lrllffx.exe PID 2172 wrote to memory of 3304 2172 pvddv.exe lrllffx.exe PID 2172 wrote to memory of 3304 2172 pvddv.exe lrllffx.exe PID 3304 wrote to memory of 2636 3304 lrllffx.exe thnhhh.exe PID 3304 wrote to memory of 2636 3304 lrllffx.exe thnhhh.exe PID 3304 wrote to memory of 2636 3304 lrllffx.exe thnhhh.exe PID 2636 wrote to memory of 1984 2636 thnhhh.exe ppddd.exe PID 2636 wrote to memory of 1984 2636 thnhhh.exe ppddd.exe PID 2636 wrote to memory of 1984 2636 thnhhh.exe ppddd.exe PID 1984 wrote to memory of 4248 1984 ppddd.exe 1hnntt.exe PID 1984 wrote to memory of 4248 1984 ppddd.exe 1hnntt.exe PID 1984 wrote to memory of 4248 1984 ppddd.exe 1hnntt.exe PID 4248 wrote to memory of 2360 4248 rlfxrll.exe pjvdv.exe PID 4248 wrote to memory of 2360 4248 rlfxrll.exe pjvdv.exe PID 4248 wrote to memory of 2360 4248 rlfxrll.exe pjvdv.exe PID 2360 wrote to memory of 4532 2360 pjvdv.exe ffllfff.exe PID 2360 wrote to memory of 4532 2360 pjvdv.exe ffllfff.exe PID 2360 wrote to memory of 4532 2360 pjvdv.exe ffllfff.exe PID 4532 wrote to memory of 920 4532 ffllfff.exe lrrrlff.exe PID 4532 wrote to memory of 920 4532 ffllfff.exe lrrrlff.exe PID 4532 wrote to memory of 920 4532 ffllfff.exe lrrrlff.exe PID 920 wrote to memory of 1612 920 lrrrlff.exe xffxrlf.exe PID 920 wrote to memory of 1612 920 lrrrlff.exe xffxrlf.exe PID 920 wrote to memory of 1612 920 lrrrlff.exe xffxrlf.exe PID 1612 wrote to memory of 400 1612 xffxrlf.exe ttbttt.exe PID 1612 wrote to memory of 400 1612 xffxrlf.exe ttbttt.exe PID 1612 wrote to memory of 400 1612 xffxrlf.exe ttbttt.exe PID 400 wrote to memory of 4924 400 ttbttt.exe pjjjd.exe PID 400 wrote to memory of 4924 
400 ttbttt.exe pjjjd.exe PID 400 wrote to memory of 4924 400 ttbttt.exe pjjjd.exe PID 4924 wrote to memory of 3352 4924 pjjjd.exe ffxrlll.exe PID 4924 wrote to memory of 3352 4924 pjjjd.exe ffxrlll.exe PID 4924 wrote to memory of 3352 4924 pjjjd.exe ffxrlll.exe PID 3352 wrote to memory of 1204 3352 ffxrlll.exe ffxrrrl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe"C:\Users\Admin\AppData\Local\Temp\c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\xrrrlrl.exec:\xrrrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\hthnnn.exec:\hthnnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\9tttbh.exec:\9tttbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\9vdvd.exec:\9vdvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\ffrlfxr.exec:\ffrlfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\thnhhb.exec:\thnhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\llxrllf.exec:\llxrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\nnhbtt.exec:\nnhbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\httttb.exec:\httttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\pvddv.exec:\pvddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\lrllffx.exec:\lrllffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\thnhhh.exec:\thnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\ppddd.exec:\ppddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\rlfxrll.exec:\rlfxrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\pjvdv.exec:\pjvdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\ffllfff.exec:\ffllfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\lrrrlff.exec:\lrrrlff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\xffxrlf.exec:\xffxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\ttbttt.exec:\ttbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\pjjjd.exec:\pjjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\ffxrlll.exec:\ffxrlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\ffxrrrl.exec:\ffxrrrl.exe23⤵
- Executes dropped EXE
PID:1204 -
\??\c:\1djdj.exec:\1djdj.exe24⤵
- Executes dropped EXE
PID:5060 -
\??\c:\xllfxrx.exec:\xllfxrx.exe25⤵
- Executes dropped EXE
PID:1032 -
\??\c:\lxxrllf.exec:\lxxrllf.exe26⤵
- Executes dropped EXE
PID:4348 -
\??\c:\nhbttt.exec:\nhbttt.exe27⤵
- Executes dropped EXE
PID:4052 -
\??\c:\5jjdj.exec:\5jjdj.exe28⤵
- Executes dropped EXE
PID:2236 -
\??\c:\5flflrx.exec:\5flflrx.exe29⤵
- Executes dropped EXE
PID:3528 -
\??\c:\pjjjd.exec:\pjjjd.exe30⤵
- Executes dropped EXE
PID:2444 -
\??\c:\fxlllff.exec:\fxlllff.exe31⤵
- Executes dropped EXE
PID:968 -
\??\c:\bbhbtt.exec:\bbhbtt.exe32⤵
- Executes dropped EXE
PID:1212 -
\??\c:\1ntnhh.exec:\1ntnhh.exe33⤵
- Executes dropped EXE
PID:3548 -
\??\c:\7jjdd.exec:\7jjdd.exe34⤵
- Executes dropped EXE
PID:4828 -
\??\c:\xrrxfxf.exec:\xrrxfxf.exe35⤵
- Executes dropped EXE
PID:2312 -
\??\c:\nnbnnb.exec:\nnbnnb.exe36⤵
- Executes dropped EXE
PID:1600 -
\??\c:\pdpjd.exec:\pdpjd.exe37⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ppdpj.exec:\ppdpj.exe38⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7xxxrxf.exec:\7xxxrxf.exe39⤵
- Executes dropped EXE
PID:1156 -
\??\c:\bthhbb.exec:\bthhbb.exe40⤵
- Executes dropped EXE
PID:4504 -
\??\c:\9thhht.exec:\9thhht.exe41⤵
- Executes dropped EXE
PID:4308 -
\??\c:\jdppj.exec:\jdppj.exe42⤵
- Executes dropped EXE
PID:4556 -
\??\c:\ffllfrf.exec:\ffllfrf.exe43⤵
- Executes dropped EXE
PID:1228 -
\??\c:\7xxrllf.exec:\7xxrllf.exe44⤵
- Executes dropped EXE
PID:4456 -
\??\c:\hhbnhh.exec:\hhbnhh.exe45⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jdjdd.exec:\jdjdd.exe46⤵
- Executes dropped EXE
PID:4588 -
\??\c:\pddvp.exec:\pddvp.exe47⤵
- Executes dropped EXE
PID:4628 -
\??\c:\rffxrrl.exec:\rffxrrl.exe48⤵
- Executes dropped EXE
PID:4160 -
\??\c:\xxxxlll.exec:\xxxxlll.exe49⤵
- Executes dropped EXE
PID:2424 -
\??\c:\hhtnbb.exec:\hhtnbb.exe50⤵
- Executes dropped EXE
PID:1732 -
\??\c:\vdjdd.exec:\vdjdd.exe51⤵
- Executes dropped EXE
PID:4892 -
\??\c:\jppdp.exec:\jppdp.exe52⤵
- Executes dropped EXE
PID:1856 -
\??\c:\xflxxrl.exec:\xflxxrl.exe53⤵
- Executes dropped EXE
PID:1168 -
\??\c:\1rxxxxl.exec:\1rxxxxl.exe54⤵
- Executes dropped EXE
PID:4976 -
\??\c:\5hhhbb.exec:\5hhhbb.exe55⤵
- Executes dropped EXE
PID:4276 -
\??\c:\pvdvp.exec:\pvdvp.exe56⤵
- Executes dropped EXE
PID:2708 -
\??\c:\9ddvp.exec:\9ddvp.exe57⤵
- Executes dropped EXE
PID:1496 -
\??\c:\lflfxxf.exec:\lflfxxf.exe58⤵
- Executes dropped EXE
PID:5080 -
\??\c:\btbnhb.exec:\btbnhb.exe59⤵
- Executes dropped EXE
PID:4672 -
\??\c:\btbthb.exec:\btbthb.exe60⤵
- Executes dropped EXE
PID:3192 -
\??\c:\vpvvd.exec:\vpvvd.exe61⤵
- Executes dropped EXE
PID:632 -
\??\c:\1hnntt.exec:\1hnntt.exe62⤵
- Executes dropped EXE
PID:4248 -
\??\c:\1ppjd.exec:\1ppjd.exe63⤵
- Executes dropped EXE
PID:2964 -
\??\c:\7vvvp.exec:\7vvvp.exe64⤵
- Executes dropped EXE
PID:4532 -
\??\c:\lxlrffr.exec:\lxlrffr.exe65⤵
- Executes dropped EXE
PID:4552 -
\??\c:\5hnttt.exec:\5hnttt.exe66⤵PID:3480
-
\??\c:\bbbtnh.exec:\bbbtnh.exe67⤵PID:4072
-
\??\c:\9vdvp.exec:\9vdvp.exe68⤵PID:648
-
\??\c:\ffllffl.exec:\ffllffl.exe69⤵PID:1636
-
\??\c:\bnttnt.exec:\bnttnt.exe70⤵PID:2640
-
\??\c:\3btntt.exec:\3btntt.exe71⤵PID:2824
-
\??\c:\vjvvv.exec:\vjvvv.exe72⤵PID:3384
-
\??\c:\1pddd.exec:\1pddd.exe73⤵PID:1572
-
\??\c:\rrfxrlr.exec:\rrfxrlr.exe74⤵PID:4740
-
\??\c:\rffxrrr.exec:\rffxrrr.exe75⤵PID:3804
-
\??\c:\3nnbtt.exec:\3nnbtt.exe76⤵PID:4980
-
\??\c:\3hbthh.exec:\3hbthh.exe77⤵PID:4676
-
\??\c:\jpddd.exec:\jpddd.exe78⤵PID:1616
-
\??\c:\9jppv.exec:\9jppv.exe79⤵PID:2632
-
\??\c:\xrfxrxx.exec:\xrfxrxx.exe80⤵PID:2144
-
\??\c:\5lxxxxl.exec:\5lxxxxl.exe81⤵PID:4932
-
\??\c:\tbnnhh.exec:\tbnnhh.exe82⤵PID:3776
-
\??\c:\vjpjd.exec:\vjpjd.exe83⤵PID:2140
-
\??\c:\pvddp.exec:\pvddp.exe84⤵PID:1632
-
\??\c:\lxfflrl.exec:\lxfflrl.exe85⤵PID:4688
-
\??\c:\lxffxxx.exec:\lxffxxx.exe86⤵PID:3720
-
\??\c:\nnhhbb.exec:\nnhhbb.exe87⤵PID:4168
-
\??\c:\vppjd.exec:\vppjd.exe88⤵PID:4940
-
\??\c:\vpppj.exec:\vpppj.exe89⤵PID:2588
-
\??\c:\fxxrfff.exec:\fxxrfff.exe90⤵PID:1156
-
\??\c:\bbbttn.exec:\bbbttn.exe91⤵PID:408
-
\??\c:\bnnhhn.exec:\bnnhhn.exe92⤵PID:2776
-
\??\c:\jpdvp.exec:\jpdvp.exe93⤵PID:64
-
\??\c:\jddvp.exec:\jddvp.exe94⤵PID:2340
-
\??\c:\7lrrrxf.exec:\7lrrrxf.exe95⤵PID:3520
-
\??\c:\lffxxxx.exec:\lffxxxx.exe96⤵PID:4028
-
\??\c:\3tbttb.exec:\3tbttb.exe97⤵PID:1476
-
\??\c:\btbtnh.exec:\btbtnh.exe98⤵PID:4816
-
\??\c:\pjpjv.exec:\pjpjv.exe99⤵PID:5000
-
\??\c:\frrlllf.exec:\frrlllf.exe100⤵PID:1832
-
\??\c:\xflfxrl.exec:\xflfxrl.exe101⤵PID:1668
-
\??\c:\htbhnh.exec:\htbhnh.exe102⤵PID:600
-
\??\c:\thnhbh.exec:\thnhbh.exe103⤵PID:4984
-
\??\c:\pjjjd.exec:\pjjjd.exe104⤵PID:3008
-
\??\c:\vvpvp.exec:\vvpvp.exe105⤵PID:3660
-
\??\c:\xflfxrl.exec:\xflfxrl.exe106⤵PID:3176
-
\??\c:\htbtnh.exec:\htbtnh.exe107⤵PID:3164
-
\??\c:\nbbhbn.exec:\nbbhbn.exe108⤵PID:2708
-
\??\c:\dvpjj.exec:\dvpjj.exe109⤵PID:2248
-
\??\c:\pjvpp.exec:\pjvpp.exe110⤵PID:2636
-
\??\c:\3rlfxxr.exec:\3rlfxxr.exe111⤵PID:4972
-
\??\c:\ffrrlrf.exec:\ffrrlrf.exe112⤵PID:5004
-
\??\c:\7bbtnh.exec:\7bbtnh.exe113⤵PID:468
-
\??\c:\vppjd.exec:\vppjd.exe114⤵PID:5084
-
\??\c:\dddvv.exec:\dddvv.exe115⤵PID:3648
-
\??\c:\xrllfrl.exec:\xrllfrl.exe116⤵PID:3944
-
\??\c:\rllxrrl.exec:\rllxrrl.exe117⤵PID:1620
-
\??\c:\btttnn.exec:\btttnn.exe118⤵PID:4876
-
\??\c:\5hhbth.exec:\5hhbth.exe119⤵PID:3852
-
\??\c:\pjpdj.exec:\pjpdj.exe120⤵PID:1576
-
\??\c:\vjvpj.exec:\vjvpj.exe121⤵PID:4516
-
\??\c:\xrfxrxr.exec:\xrfxrxr.exe122⤵PID:1552
-