Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
21-06-2024 03:11
Behavioral task
behavioral1
Sample
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe
-
Size
441KB
-
MD5
03ce133841edd02b31f0e33bae1342ff
-
SHA1
221703d523315cfe2cd4636cdbc2a6cc278c34cd
-
SHA256
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8
-
SHA512
d79209eca8238c3181d4dfbc34af265f51ff5ccaeb17d6f9e01c107c5bcc4ac019d77d485579a52195434e9e5f1fa8d0aafa2011966a0f4ce40e7142b88f077e
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH5t:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMR
Malware Config
Signatures
-
Detect Blackmoon payload 36 IoCs
Processes:
resource yara_rule behavioral1/memory/2384-11-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2060-9-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/3044-28-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/3024-31-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2636-46-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2632-66-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1672-81-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2464-84-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2960-99-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2280-101-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1676-124-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1756-136-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1048-168-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2300-185-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1888-201-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1664-228-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1820-225-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/984-260-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1452-268-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2900-271-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1792-286-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral1/memory/2528-299-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1600-300-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/3052-326-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2876-339-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2468-353-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2632-362-0x00000000003A0000-0x00000000003D4000-memory.dmp family_blackmoon behavioral1/memory/2684-399-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2168-406-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2184-407-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2420-421-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1160-446-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2328-546-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1792-571-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2176-585-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2160-872-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-0-0x0000000000400000-0x0000000000434000-memory.dmp UPX \??\c:\jjjjp.exe UPX behavioral1/memory/2384-11-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2060-9-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\tbhtbh.exe UPX behavioral1/memory/3044-19-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\pjddj.exe UPX behavioral1/memory/3044-28-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/3024-31-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\1rffrxl.exe UPX C:\btttbh.exe UPX behavioral1/memory/2636-46-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\7pvjd.exe UPX behavioral1/memory/2452-55-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\hhbbtt.exe UPX behavioral1/memory/2632-66-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\vjdjv.exe UPX C:\9frrxfr.exe UPX behavioral1/memory/1672-81-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2464-84-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\bbthtt.exe UPX C:\rlflxfx.exe UPX behavioral1/memory/2960-99-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2280-101-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\ttnthh.exe UPX C:\5jdvj.exe UPX behavioral1/memory/1676-124-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\3fxlrxf.exe UPX C:\5tthtb.exe UPX behavioral1/memory/1756-136-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\ppppd.exe UPX C:\bbttbb.exe UPX C:\nthbnn.exe UPX C:\fxrfrrf.exe UPX behavioral1/memory/1048-168-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\bntnnn.exe UPX C:\dvpjj.exe UPX behavioral1/memory/2300-185-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\frfxrxl.exe UPX C:\btbnnn.exe UPX behavioral1/memory/1888-201-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\ppjjv.exe UPX C:\llrflxl.exe UPX behavioral1/memory/1664-228-0x0000000000400000-0x0000000000434000-memory.dmp UPX 
\??\c:\tnhnbb.exe UPX behavioral1/memory/1820-225-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\rrflffr.exe UPX C:\btttbn.exe UPX C:\7ppdd.exe UPX behavioral1/memory/984-260-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\7fflffr.exe UPX behavioral1/memory/1452-268-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\ddpdv.exe UPX behavioral1/memory/2900-271-0x0000000000400000-0x0000000000434000-memory.dmp UPX C:\lfxfrxf.exe UPX behavioral1/memory/1792-286-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2528-299-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/1600-300-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2744-307-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/3052-326-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2876-339-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/3040-346-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2468-353-0x0000000000400000-0x0000000000434000-memory.dmp UPX behavioral1/memory/2632-362-0x00000000003A0000-0x00000000003D4000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
jjjjp.exetbhtbh.exepjddj.exe1rffrxl.exebtttbh.exe7pvjd.exehhbbtt.exevjdjv.exe9frrxfr.exebbthtt.exerlflxfx.exettnthh.exe5jdvj.exe3fxlrxf.exe5tthtb.exeppppd.exebbttbb.exenthbnn.exefxrfrrf.exebntnnn.exedvpjj.exefrfxrxl.exebtbnnn.exeppjjv.exellrflxl.exetnhnbb.exerrflffr.exebtttbn.exe7ppdd.exe7fflffr.exeddpdv.exelfxfrxf.exebhbnnh.exedvjdd.exe9lxrxxf.exefxllxfr.exehtbhnn.exe1jjjp.exefrlrrxl.exelfrrxxl.exebbtthb.exevvpdp.exelxlrlrr.exellfxllr.exenhtbhh.exedpdjd.exe7jddv.exe3lfrflx.exebhtnht.exe9jvjj.exefrrlxxl.exebbtbnn.exe1bhtnt.exejjjdp.exerlrxxxr.exethbhtt.exe7hbtnh.exe5jvvp.exefrxrllx.exehttbbb.exe3hbbhn.exejdvvd.exelfrfrxl.exehtnntt.exepid process 2384 jjjjp.exe 3044 tbhtbh.exe 3024 pjddj.exe 2636 1rffrxl.exe 2600 btttbh.exe 2452 7pvjd.exe 2632 hhbbtt.exe 1672 vjdjv.exe 2464 9frrxfr.exe 2960 bbthtt.exe 2280 rlflxfx.exe 2808 ttnthh.exe 1676 5jdvj.exe 2420 3fxlrxf.exe 1756 5tthtb.exe 1068 ppppd.exe 2792 bbttbb.exe 876 nthbnn.exe 1048 fxrfrrf.exe 2948 bntnnn.exe 2300 dvpjj.exe 1888 frfxrxl.exe 600 btbnnn.exe 616 ppjjv.exe 1820 llrflxl.exe 1664 tnhnbb.exe 312 rrflffr.exe 820 btttbn.exe 984 7ppdd.exe 1452 7fflffr.exe 2900 ddpdv.exe 1792 lfxfrxf.exe 1616 bhbnnh.exe 2528 dvjdd.exe 1600 9lxrxxf.exe 2744 fxllxfr.exe 1728 htbhnn.exe 3052 1jjjp.exe 3024 frlrrxl.exe 2716 lfrrxxl.exe 2876 bbtthb.exe 3040 vvpdp.exe 2468 lxlrlrr.exe 2632 llfxllr.exe 2620 nhtbhh.exe 2496 dpdjd.exe 2096 7jddv.exe 2968 3lfrflx.exe 2684 bhtnht.exe 2168 9jvjj.exe 2184 frrlxxl.exe 2732 bbtbnn.exe 2420 1bhtnt.exe 2736 jjjdp.exe 2776 rlrxxxr.exe 1160 thbhtt.exe 1088 7hbtnh.exe 876 5jvvp.exe 2964 frxrllx.exe 1964 httbbb.exe 2024 3hbbhn.exe 1744 jdvvd.exe 1256 lfrfrxl.exe 488 htnntt.exe -
Processes:
resource yara_rule behavioral1/memory/2060-0-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\jjjjp.exe upx behavioral1/memory/2384-11-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2060-9-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\tbhtbh.exe upx behavioral1/memory/3044-19-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\pjddj.exe upx behavioral1/memory/3044-28-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3024-31-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\1rffrxl.exe upx C:\btttbh.exe upx behavioral1/memory/2636-46-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\7pvjd.exe upx behavioral1/memory/2452-55-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\hhbbtt.exe upx behavioral1/memory/2632-66-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\vjdjv.exe upx C:\9frrxfr.exe upx behavioral1/memory/1672-81-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2464-84-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\bbthtt.exe upx C:\rlflxfx.exe upx behavioral1/memory/2960-99-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2280-101-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\ttnthh.exe upx C:\5jdvj.exe upx behavioral1/memory/1676-124-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\3fxlrxf.exe upx C:\5tthtb.exe upx behavioral1/memory/1756-136-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\ppppd.exe upx C:\bbttbb.exe upx C:\nthbnn.exe upx C:\fxrfrrf.exe upx behavioral1/memory/1048-168-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\bntnnn.exe upx C:\dvpjj.exe upx behavioral1/memory/2300-185-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\frfxrxl.exe upx C:\btbnnn.exe upx behavioral1/memory/1888-201-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\ppjjv.exe upx C:\llrflxl.exe upx behavioral1/memory/1664-228-0x0000000000400000-0x0000000000434000-memory.dmp upx 
\??\c:\tnhnbb.exe upx behavioral1/memory/1820-225-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\rrflffr.exe upx C:\btttbn.exe upx C:\7ppdd.exe upx behavioral1/memory/984-260-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\7fflffr.exe upx behavioral1/memory/1452-268-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\ddpdv.exe upx behavioral1/memory/2900-271-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\lfxfrxf.exe upx behavioral1/memory/1792-286-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2528-299-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1600-300-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2744-307-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3052-326-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2876-339-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3040-346-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2468-353-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2632-362-0x00000000003A0000-0x00000000003D4000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exejjjjp.exetbhtbh.exepjddj.exe1rffrxl.exebtttbh.exe7pvjd.exehhbbtt.exevjdjv.exe9frrxfr.exebbthtt.exerlflxfx.exettnthh.exe5jdvj.exe3fxlrxf.exe5tthtb.exedescription pid process target process PID 2060 wrote to memory of 2384 2060 c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe jjjjp.exe PID 2060 wrote to memory of 2384 2060 c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe jjjjp.exe PID 2060 wrote to memory of 2384 2060 c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe jjjjp.exe PID 2060 wrote to memory of 2384 2060 c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe jjjjp.exe PID 2384 wrote to memory of 3044 2384 jjjjp.exe tbhtbh.exe PID 2384 wrote to memory of 3044 2384 jjjjp.exe tbhtbh.exe PID 2384 wrote to memory of 3044 2384 jjjjp.exe tbhtbh.exe PID 2384 wrote to memory of 3044 2384 jjjjp.exe tbhtbh.exe PID 3044 wrote to memory of 3024 3044 tbhtbh.exe pjddj.exe PID 3044 wrote to memory of 3024 3044 tbhtbh.exe pjddj.exe PID 3044 wrote to memory of 3024 3044 tbhtbh.exe pjddj.exe PID 3044 wrote to memory of 3024 3044 tbhtbh.exe pjddj.exe PID 3024 wrote to memory of 2636 3024 pjddj.exe 1rffrxl.exe PID 3024 wrote to memory of 2636 3024 pjddj.exe 1rffrxl.exe PID 3024 wrote to memory of 2636 3024 pjddj.exe 1rffrxl.exe PID 3024 wrote to memory of 2636 3024 pjddj.exe 1rffrxl.exe PID 2636 wrote to memory of 2600 2636 1rffrxl.exe btttbh.exe PID 2636 wrote to memory of 2600 2636 1rffrxl.exe btttbh.exe PID 2636 wrote to memory of 2600 2636 1rffrxl.exe btttbh.exe PID 2636 wrote to memory of 2600 2636 1rffrxl.exe btttbh.exe PID 2600 wrote to memory of 2452 2600 btttbh.exe 7pvjd.exe PID 2600 wrote to memory of 2452 2600 btttbh.exe 7pvjd.exe PID 2600 wrote to memory of 2452 2600 btttbh.exe 7pvjd.exe PID 2600 wrote to memory of 2452 2600 btttbh.exe 7pvjd.exe PID 2452 wrote to memory of 2632 2452 7pvjd.exe hhbbtt.exe PID 2452 wrote to memory 
of 2632 2452 7pvjd.exe hhbbtt.exe PID 2452 wrote to memory of 2632 2452 7pvjd.exe hhbbtt.exe PID 2452 wrote to memory of 2632 2452 7pvjd.exe hhbbtt.exe PID 2632 wrote to memory of 1672 2632 hhbbtt.exe vjdjv.exe PID 2632 wrote to memory of 1672 2632 hhbbtt.exe vjdjv.exe PID 2632 wrote to memory of 1672 2632 hhbbtt.exe vjdjv.exe PID 2632 wrote to memory of 1672 2632 hhbbtt.exe vjdjv.exe PID 1672 wrote to memory of 2464 1672 vjdjv.exe 9frrxfr.exe PID 1672 wrote to memory of 2464 1672 vjdjv.exe 9frrxfr.exe PID 1672 wrote to memory of 2464 1672 vjdjv.exe 9frrxfr.exe PID 1672 wrote to memory of 2464 1672 vjdjv.exe 9frrxfr.exe PID 2464 wrote to memory of 2960 2464 9frrxfr.exe bbthtt.exe PID 2464 wrote to memory of 2960 2464 9frrxfr.exe bbthtt.exe PID 2464 wrote to memory of 2960 2464 9frrxfr.exe bbthtt.exe PID 2464 wrote to memory of 2960 2464 9frrxfr.exe bbthtt.exe PID 2960 wrote to memory of 2280 2960 bbthtt.exe rlflxfx.exe PID 2960 wrote to memory of 2280 2960 bbthtt.exe rlflxfx.exe PID 2960 wrote to memory of 2280 2960 bbthtt.exe rlflxfx.exe PID 2960 wrote to memory of 2280 2960 bbthtt.exe rlflxfx.exe PID 2280 wrote to memory of 2808 2280 rlflxfx.exe ttnthh.exe PID 2280 wrote to memory of 2808 2280 rlflxfx.exe ttnthh.exe PID 2280 wrote to memory of 2808 2280 rlflxfx.exe ttnthh.exe PID 2280 wrote to memory of 2808 2280 rlflxfx.exe ttnthh.exe PID 2808 wrote to memory of 1676 2808 ttnthh.exe 5jdvj.exe PID 2808 wrote to memory of 1676 2808 ttnthh.exe 5jdvj.exe PID 2808 wrote to memory of 1676 2808 ttnthh.exe 5jdvj.exe PID 2808 wrote to memory of 1676 2808 ttnthh.exe 5jdvj.exe PID 1676 wrote to memory of 2420 1676 5jdvj.exe 3fxlrxf.exe PID 1676 wrote to memory of 2420 1676 5jdvj.exe 3fxlrxf.exe PID 1676 wrote to memory of 2420 1676 5jdvj.exe 3fxlrxf.exe PID 1676 wrote to memory of 2420 1676 5jdvj.exe 3fxlrxf.exe PID 2420 wrote to memory of 1756 2420 3fxlrxf.exe 5tthtb.exe PID 2420 wrote to memory of 1756 2420 3fxlrxf.exe 5tthtb.exe PID 2420 wrote to memory of 1756 2420 
3fxlrxf.exe 5tthtb.exe PID 2420 wrote to memory of 1756 2420 3fxlrxf.exe 5tthtb.exe PID 1756 wrote to memory of 1068 1756 5tthtb.exe ppppd.exe PID 1756 wrote to memory of 1068 1756 5tthtb.exe ppppd.exe PID 1756 wrote to memory of 1068 1756 5tthtb.exe ppppd.exe PID 1756 wrote to memory of 1068 1756 5tthtb.exe ppppd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe"C:\Users\Admin\AppData\Local\Temp\c2863d4fd32b651688de4da8fce5909c15e59a29e03510b8f67ea8cbc02ed7c8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\jjjjp.exec:\jjjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\tbhtbh.exec:\tbhtbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\pjddj.exec:\pjddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\1rffrxl.exec:\1rffrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\btttbh.exec:\btttbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\7pvjd.exec:\7pvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\hhbbtt.exec:\hhbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\vjdjv.exec:\vjdjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\9frrxfr.exec:\9frrxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\bbthtt.exec:\bbthtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\rlflxfx.exec:\rlflxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\ttnthh.exec:\ttnthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\5jdvj.exec:\5jdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\3fxlrxf.exec:\3fxlrxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\5tthtb.exec:\5tthtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\ppppd.exec:\ppppd.exe17⤵
- Executes dropped EXE
PID:1068 -
\??\c:\bbttbb.exec:\bbttbb.exe18⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nthbnn.exec:\nthbnn.exe19⤵
- Executes dropped EXE
PID:876 -
\??\c:\fxrfrrf.exec:\fxrfrrf.exe20⤵
- Executes dropped EXE
PID:1048 -
\??\c:\bntnnn.exec:\bntnnn.exe21⤵
- Executes dropped EXE
PID:2948 -
\??\c:\dvpjj.exec:\dvpjj.exe22⤵
- Executes dropped EXE
PID:2300 -
\??\c:\frfxrxl.exec:\frfxrxl.exe23⤵
- Executes dropped EXE
PID:1888 -
\??\c:\btbnnn.exec:\btbnnn.exe24⤵
- Executes dropped EXE
PID:600 -
\??\c:\ppjjv.exec:\ppjjv.exe25⤵
- Executes dropped EXE
PID:616 -
\??\c:\llrflxl.exec:\llrflxl.exe26⤵
- Executes dropped EXE
PID:1820 -
\??\c:\tnhnbb.exec:\tnhnbb.exe27⤵
- Executes dropped EXE
PID:1664 -
\??\c:\rrflffr.exec:\rrflffr.exe28⤵
- Executes dropped EXE
PID:312 -
\??\c:\btttbn.exec:\btttbn.exe29⤵
- Executes dropped EXE
PID:820 -
\??\c:\7ppdd.exec:\7ppdd.exe30⤵
- Executes dropped EXE
PID:984 -
\??\c:\7fflffr.exec:\7fflffr.exe31⤵
- Executes dropped EXE
PID:1452 -
\??\c:\ddpdv.exec:\ddpdv.exe32⤵
- Executes dropped EXE
PID:2900 -
\??\c:\lfxfrxf.exec:\lfxfrxf.exe33⤵
- Executes dropped EXE
PID:1792 -
\??\c:\bhbnnh.exec:\bhbnnh.exe34⤵
- Executes dropped EXE
PID:1616 -
\??\c:\dvjdd.exec:\dvjdd.exe35⤵
- Executes dropped EXE
PID:2528 -
\??\c:\9lxrxxf.exec:\9lxrxxf.exe36⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fxllxfr.exec:\fxllxfr.exe37⤵
- Executes dropped EXE
PID:2744 -
\??\c:\htbhnn.exec:\htbhnn.exe38⤵
- Executes dropped EXE
PID:1728 -
\??\c:\1jjjp.exec:\1jjjp.exe39⤵
- Executes dropped EXE
PID:3052 -
\??\c:\frlrrxl.exec:\frlrrxl.exe40⤵
- Executes dropped EXE
PID:3024 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe41⤵
- Executes dropped EXE
PID:2716 -
\??\c:\bbtthb.exec:\bbtthb.exe42⤵
- Executes dropped EXE
PID:2876 -
\??\c:\vvpdp.exec:\vvpdp.exe43⤵
- Executes dropped EXE
PID:3040 -
\??\c:\lxlrlrr.exec:\lxlrlrr.exe44⤵
- Executes dropped EXE
PID:2468 -
\??\c:\llfxllr.exec:\llfxllr.exe45⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nhtbhh.exec:\nhtbhh.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\dpdjd.exec:\dpdjd.exe47⤵
- Executes dropped EXE
PID:2496 -
\??\c:\7jddv.exec:\7jddv.exe48⤵
- Executes dropped EXE
PID:2096 -
\??\c:\3lfrflx.exec:\3lfrflx.exe49⤵
- Executes dropped EXE
PID:2968 -
\??\c:\bhtnht.exec:\bhtnht.exe50⤵
- Executes dropped EXE
PID:2684 -
\??\c:\9jvjj.exec:\9jvjj.exe51⤵
- Executes dropped EXE
PID:2168 -
\??\c:\frrlxxl.exec:\frrlxxl.exe52⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bbtbnn.exec:\bbtbnn.exe53⤵
- Executes dropped EXE
PID:2732 -
\??\c:\1bhtnt.exec:\1bhtnt.exe54⤵
- Executes dropped EXE
PID:2420 -
\??\c:\jjjdp.exec:\jjjdp.exe55⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rlrxxxr.exec:\rlrxxxr.exe56⤵
- Executes dropped EXE
PID:2776 -
\??\c:\thbhtt.exec:\thbhtt.exe57⤵
- Executes dropped EXE
PID:1160 -
\??\c:\7hbtnh.exec:\7hbtnh.exe58⤵
- Executes dropped EXE
PID:1088 -
\??\c:\5jvvp.exec:\5jvvp.exe59⤵
- Executes dropped EXE
PID:876 -
\??\c:\frxrllx.exec:\frxrllx.exe60⤵
- Executes dropped EXE
PID:2964 -
\??\c:\httbbb.exec:\httbbb.exe61⤵
- Executes dropped EXE
PID:1964 -
\??\c:\3hbbhn.exec:\3hbbhn.exe62⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jdvvd.exec:\jdvvd.exe63⤵
- Executes dropped EXE
PID:1744 -
\??\c:\lfrfrxl.exec:\lfrfrxl.exe64⤵
- Executes dropped EXE
PID:1256 -
\??\c:\htnntt.exec:\htnntt.exe65⤵
- Executes dropped EXE
PID:488 -
\??\c:\bttntb.exec:\bttntb.exe66⤵PID:584
-
\??\c:\dvjjd.exec:\dvjjd.exe67⤵PID:2100
-
\??\c:\fxrxflx.exec:\fxrxflx.exe68⤵PID:808
-
\??\c:\llxrxlr.exec:\llxrxlr.exe69⤵PID:1612
-
\??\c:\btttbt.exec:\btttbt.exe70⤵PID:956
-
\??\c:\7jvvv.exec:\7jvvv.exe71⤵PID:1708
-
\??\c:\pdddp.exec:\pdddp.exe72⤵PID:820
-
\??\c:\7rflrrf.exec:\7rflrrf.exe73⤵PID:2328
-
\??\c:\hhbhtn.exec:\hhbhtn.exe74⤵PID:2008
-
\??\c:\1hhbnt.exec:\1hhbnt.exe75⤵PID:1240
-
\??\c:\jpjpj.exec:\jpjpj.exe76⤵PID:2128
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe77⤵PID:1792
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe78⤵PID:1608
-
\??\c:\hbnbhn.exec:\hbnbhn.exe79⤵PID:2176
-
\??\c:\dvpvv.exec:\dvpvv.exe80⤵PID:1580
-
\??\c:\7xlxxfl.exec:\7xlxxfl.exe81⤵PID:3032
-
\??\c:\hbhtbh.exec:\hbhtbh.exe82⤵PID:2540
-
\??\c:\pdvdp.exec:\pdvdp.exe83⤵PID:2648
-
\??\c:\jjdpd.exec:\jjdpd.exe84⤵PID:3024
-
\??\c:\rlfrxll.exec:\rlfrxll.exe85⤵PID:2716
-
\??\c:\nthntn.exec:\nthntn.exe86⤵PID:2876
-
\??\c:\9vdvd.exec:\9vdvd.exe87⤵PID:2452
-
\??\c:\rfrffxf.exec:\rfrffxf.exe88⤵PID:2820
-
\??\c:\9xrxffr.exec:\9xrxffr.exe89⤵PID:2616
-
\??\c:\nhbnbh.exec:\nhbnbh.exe90⤵PID:2524
-
\??\c:\vpdpv.exec:\vpdpv.exe91⤵PID:2156
-
\??\c:\5pddj.exec:\5pddj.exe92⤵PID:2952
-
\??\c:\7xrxfrf.exec:\7xrxfrf.exe93⤵PID:2804
-
\??\c:\thtnbb.exec:\thtnbb.exe94⤵PID:948
-
\??\c:\dvjvv.exec:\dvjvv.exe95⤵PID:2316
-
\??\c:\lxlrllx.exec:\lxlrllx.exe96⤵PID:636
-
\??\c:\rrllllr.exec:\rrllllr.exe97⤵PID:292
-
\??\c:\hbthtn.exec:\hbthtn.exe98⤵PID:2432
-
\??\c:\7djdp.exec:\7djdp.exe99⤵PID:2760
-
\??\c:\vjdvj.exec:\vjdvj.exe100⤵PID:1540
-
\??\c:\lxflflr.exec:\lxflflr.exe101⤵PID:1136
-
\??\c:\ttthbn.exec:\ttthbn.exe102⤵PID:860
-
\??\c:\9tbhnb.exec:\9tbhnb.exe103⤵PID:1984
-
\??\c:\dvjpd.exec:\dvjpd.exe104⤵PID:876
-
\??\c:\fllfllx.exec:\fllfllx.exe105⤵PID:2840
-
\??\c:\7btntb.exec:\7btntb.exe106⤵PID:1952
-
\??\c:\bbtntb.exec:\bbtntb.exe107⤵PID:1968
-
\??\c:\djdvj.exec:\djdvj.exe108⤵PID:716
-
\??\c:\xrflxfx.exec:\xrflxfx.exe109⤵PID:1256
-
\??\c:\9btbtt.exec:\9btbtt.exe110⤵PID:488
-
\??\c:\bththn.exec:\bththn.exe111⤵PID:700
-
\??\c:\vdvpj.exec:\vdvpj.exe112⤵PID:776
-
\??\c:\rlfxflr.exec:\rlfxflr.exe113⤵PID:2924
-
\??\c:\1hbhnn.exec:\1hbhnn.exe114⤵PID:312
-
\??\c:\bnbbnn.exec:\bnbbnn.exe115⤵PID:1168
-
\??\c:\9vjdp.exec:\9vjdp.exe116⤵PID:1708
-
\??\c:\rfrrxrf.exec:\rfrrxrf.exe117⤵PID:2104
-
\??\c:\hbbbtb.exec:\hbbbtb.exe118⤵PID:2328
-
\??\c:\tbbhnn.exec:\tbbhnn.exe119⤵PID:2896
-
\??\c:\jjjvv.exec:\jjjvv.exe120⤵PID:2180
-
\??\c:\frllrrl.exec:\frllrrl.exe121⤵PID:2200
-
\??\c:\tthbhn.exec:\tthbhn.exe122⤵PID:1792
-