Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18-12-2024 23:28
Behavioral task
behavioral1
Sample
01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe
-
Size
335KB
-
MD5
56c45793661b41de45c09951d3c18977
-
SHA1
4a56c6c793614ff525b34aff609dcca985484f77
-
SHA256
01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e
-
SHA512
7de1a8778278908287072ac3e31705ce6b652c6cbc8897889aa704a57e773ed81ed23de22d8f153d55c197e716cced429d2d5feb929e1b6bb3aef23d8079a742
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRX:R4wFHoSHYHUrAwfMp3CDRX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/1880-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2160-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2128-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2320-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2860-52-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2860-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2640-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2676-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1608-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/316-139-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2940-147-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2956-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2004-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1704-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1488-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1488-180-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/960-210-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/1756-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2168-258-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2072-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1996-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1996-227-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/960-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2512-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3040-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1444-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1152-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1096-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/340-485-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2472-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2220-522-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2528-571-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2960-693-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2960-692-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/1528-864-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon 
behavioral1/memory/1140-1018-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/764-1218-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2300-7980-0x0000000077880000-0x000000007799F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2160 jjvdj.exe 1684 1frrrrx.exe 2128 1pdvp.exe 2320 pdpdd.exe 2712 s6884.exe 2860 xxrfll6.exe 2728 9vvpj.exe 2640 1vjvj.exe 2136 9hbhtt.exe 2868 u642408.exe 2676 44468.exe 2652 1fflxfr.exe 1608 3jjjd.exe 2824 0086224.exe 2420 btnbtb.exe 1312 q62804.exe 316 lflxlrf.exe 2940 dppvj.exe 2956 64628.exe 1704 bbnhtt.exe 2004 djdjj.exe 1488 02462.exe 2104 btntbb.exe 3004 7xfflff.exe 688 m4006.exe 960 64402.exe 1756 60240.exe 1996 q80248.exe 1680 a6440.exe 2364 vvdvj.exe 2252 4208840.exe 2168 426804.exe 1700 a6680.exe 2072 60442.exe 2308 046662.exe 876 8680662.exe 1984 9htntn.exe 2512 s6844.exe 1556 1thttt.exe 3040 tnhnnt.exe 1284 ffflrxl.exe 1648 000268.exe 2328 820622.exe 1528 m8846.exe 2188 fxxflxl.exe 2844 3ppvd.exe 2720 822800.exe 2884 ppvjj.exe 2628 88420.exe 1796 006026.exe 2856 htntnn.exe 2656 268086.exe 1444 26448.exe 1816 22028.exe 2324 24602.exe 1540 864062.exe 536 20620.exe 1716 i406480.exe 1152 7lfrlrx.exe 1920 w26840.exe 1668 60624.exe 2944 86062.exe 568 0462046.exe 1948 rllxrfl.exe -
resource yara_rule behavioral1/memory/1880-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000120d6-8.dat upx behavioral1/memory/1880-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2160-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000018be7-16.dat upx behavioral1/memory/2128-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000018d7b-25.dat upx behavioral1/files/0x0007000000018fdf-33.dat upx behavioral1/memory/1684-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2320-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019056-39.dat upx behavioral1/files/0x0006000000019203-48.dat upx behavioral1/memory/2712-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019237-57.dat upx behavioral1/memory/2728-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001924f-66.dat upx behavioral1/files/0x0007000000019261-74.dat upx behavioral1/memory/2640-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194c3-82.dat upx behavioral1/files/0x00050000000194d5-88.dat upx behavioral1/files/0x00050000000194e1-96.dat upx behavioral1/memory/2676-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001870c-103.dat upx behavioral1/files/0x0005000000019502-112.dat upx behavioral1/memory/1608-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019508-119.dat upx behavioral1/memory/2824-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019510-127.dat upx behavioral1/files/0x0005000000019518-135.dat upx behavioral1/files/0x0005000000019520-144.dat upx 
behavioral1/memory/2956-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001952b-152.dat upx behavioral1/files/0x0005000000019535-169.dat upx behavioral1/memory/2004-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001952e-160.dat upx behavioral1/memory/1704-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019543-177.dat upx behavioral1/files/0x00050000000195a8-185.dat upx behavioral1/memory/1488-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1488-180-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000019647-200.dat upx behavioral1/files/0x0005000000019650-215.dat upx behavioral1/memory/1756-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019a85-233.dat upx behavioral1/files/0x0005000000019b18-246.dat upx behavioral1/memory/2072-273-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c79-255.dat upx behavioral1/memory/2252-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019b16-240.dat upx behavioral1/memory/1996-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000197e4-224.dat upx behavioral1/memory/960-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001964f-207.dat upx behavioral1/files/0x0005000000019645-193.dat upx behavioral1/memory/2512-296-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1284-308-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3040-307-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2328-324-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2188-335-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2628-351-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1444-372-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1444-378-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2324-384-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i468062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i044664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6482406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6066666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2046662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20284.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1880 wrote to memory of 2160 1880 01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe 30 PID 1880 wrote to memory of 2160 1880 01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe 30 PID 1880 wrote to memory of 2160 1880 01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe 30 PID 1880 wrote to memory of 2160 1880 01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe 30 PID 2160 wrote to memory of 1684 2160 jjvdj.exe 31 PID 2160 wrote to memory of 1684 2160 jjvdj.exe 31 PID 2160 wrote to memory of 1684 2160 jjvdj.exe 31 PID 2160 wrote to memory of 1684 2160 jjvdj.exe 31 PID 1684 wrote to memory of 2128 1684 1frrrrx.exe 32 PID 1684 wrote to memory of 2128 1684 1frrrrx.exe 32 PID 1684 wrote to memory of 2128 1684 1frrrrx.exe 32 PID 1684 wrote to memory of 2128 1684 1frrrrx.exe 32 PID 2128 wrote to memory of 2320 2128 1pdvp.exe 33 PID 2128 wrote to memory of 2320 2128 1pdvp.exe 33 PID 2128 wrote to memory of 2320 2128 1pdvp.exe 33 PID 2128 wrote to memory of 2320 2128 1pdvp.exe 33 PID 2320 wrote to memory of 2712 2320 pdpdd.exe 34 PID 2320 wrote to memory of 2712 2320 pdpdd.exe 34 PID 2320 wrote to memory of 2712 2320 pdpdd.exe 34 PID 2320 wrote to memory of 2712 2320 pdpdd.exe 34 PID 2712 wrote to memory of 2860 2712 s6884.exe 35 PID 2712 wrote to memory of 2860 2712 s6884.exe 35 PID 2712 wrote to memory of 2860 2712 s6884.exe 35 PID 2712 wrote to memory of 2860 2712 s6884.exe 35 PID 2860 wrote to memory of 2728 2860 xxrfll6.exe 36 PID 2860 wrote to memory of 2728 2860 xxrfll6.exe 36 PID 2860 wrote to memory of 2728 2860 xxrfll6.exe 36 PID 2860 wrote to memory of 2728 2860 xxrfll6.exe 36 PID 2728 wrote to memory of 2640 2728 9vvpj.exe 37 PID 2728 wrote to memory of 2640 2728 9vvpj.exe 37 PID 2728 wrote to memory of 2640 2728 9vvpj.exe 37 PID 2728 wrote to memory of 2640 2728 9vvpj.exe 37 PID 2640 wrote to memory of 2136 2640 1vjvj.exe 38 PID 2640 wrote to memory 
of 2136 2640 1vjvj.exe 38 PID 2640 wrote to memory of 2136 2640 1vjvj.exe 38 PID 2640 wrote to memory of 2136 2640 1vjvj.exe 38 PID 2136 wrote to memory of 2868 2136 9hbhtt.exe 39 PID 2136 wrote to memory of 2868 2136 9hbhtt.exe 39 PID 2136 wrote to memory of 2868 2136 9hbhtt.exe 39 PID 2136 wrote to memory of 2868 2136 9hbhtt.exe 39 PID 2868 wrote to memory of 2676 2868 u642408.exe 40 PID 2868 wrote to memory of 2676 2868 u642408.exe 40 PID 2868 wrote to memory of 2676 2868 u642408.exe 40 PID 2868 wrote to memory of 2676 2868 u642408.exe 40 PID 2676 wrote to memory of 2652 2676 44468.exe 41 PID 2676 wrote to memory of 2652 2676 44468.exe 41 PID 2676 wrote to memory of 2652 2676 44468.exe 41 PID 2676 wrote to memory of 2652 2676 44468.exe 41 PID 2652 wrote to memory of 1608 2652 1fflxfr.exe 42 PID 2652 wrote to memory of 1608 2652 1fflxfr.exe 42 PID 2652 wrote to memory of 1608 2652 1fflxfr.exe 42 PID 2652 wrote to memory of 1608 2652 1fflxfr.exe 42 PID 1608 wrote to memory of 2824 1608 3jjjd.exe 43 PID 1608 wrote to memory of 2824 1608 3jjjd.exe 43 PID 1608 wrote to memory of 2824 1608 3jjjd.exe 43 PID 1608 wrote to memory of 2824 1608 3jjjd.exe 43 PID 2824 wrote to memory of 2420 2824 0086224.exe 44 PID 2824 wrote to memory of 2420 2824 0086224.exe 44 PID 2824 wrote to memory of 2420 2824 0086224.exe 44 PID 2824 wrote to memory of 2420 2824 0086224.exe 44 PID 2420 wrote to memory of 1312 2420 btnbtb.exe 45 PID 2420 wrote to memory of 1312 2420 btnbtb.exe 45 PID 2420 wrote to memory of 1312 2420 btnbtb.exe 45 PID 2420 wrote to memory of 1312 2420 btnbtb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe"C:\Users\Admin\AppData\Local\Temp\01619631d74f451e6945ec26f89196513bd83601e208dd1fa99c4116bb65682e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\jjvdj.exec:\jjvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\1frrrrx.exec:\1frrrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\1pdvp.exec:\1pdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\pdpdd.exec:\pdpdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\s6884.exec:\s6884.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\xxrfll6.exec:\xxrfll6.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\9vvpj.exec:\9vvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\1vjvj.exec:\1vjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\9hbhtt.exec:\9hbhtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\u642408.exec:\u642408.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\44468.exec:\44468.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\1fflxfr.exec:\1fflxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\3jjjd.exec:\3jjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\0086224.exec:\0086224.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\btnbtb.exec:\btnbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\q62804.exec:\q62804.exe17⤵
- Executes dropped EXE
PID:1312 -
\??\c:\lflxlrf.exec:\lflxlrf.exe18⤵
- Executes dropped EXE
PID:316 -
\??\c:\dppvj.exec:\dppvj.exe19⤵
- Executes dropped EXE
PID:2940 -
\??\c:\64628.exec:\64628.exe20⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bbnhtt.exec:\bbnhtt.exe21⤵
- Executes dropped EXE
PID:1704 -
\??\c:\djdjj.exec:\djdjj.exe22⤵
- Executes dropped EXE
PID:2004 -
\??\c:\02462.exec:\02462.exe23⤵
- Executes dropped EXE
PID:1488 -
\??\c:\btntbb.exec:\btntbb.exe24⤵
- Executes dropped EXE
PID:2104 -
\??\c:\7xfflff.exec:\7xfflff.exe25⤵
- Executes dropped EXE
PID:3004 -
\??\c:\m4006.exec:\m4006.exe26⤵
- Executes dropped EXE
PID:688 -
\??\c:\64402.exec:\64402.exe27⤵
- Executes dropped EXE
PID:960 -
\??\c:\60240.exec:\60240.exe28⤵
- Executes dropped EXE
PID:1756 -
\??\c:\q80248.exec:\q80248.exe29⤵
- Executes dropped EXE
PID:1996 -
\??\c:\a6440.exec:\a6440.exe30⤵
- Executes dropped EXE
PID:1680 -
\??\c:\vvdvj.exec:\vvdvj.exe31⤵
- Executes dropped EXE
PID:2364 -
\??\c:\4208840.exec:\4208840.exe32⤵
- Executes dropped EXE
PID:2252 -
\??\c:\426804.exec:\426804.exe33⤵
- Executes dropped EXE
PID:2168 -
\??\c:\a6680.exec:\a6680.exe34⤵
- Executes dropped EXE
PID:1700 -
\??\c:\60442.exec:\60442.exe35⤵
- Executes dropped EXE
PID:2072 -
\??\c:\046662.exec:\046662.exe36⤵
- Executes dropped EXE
PID:2308 -
\??\c:\8680662.exec:\8680662.exe37⤵
- Executes dropped EXE
PID:876 -
\??\c:\9htntn.exec:\9htntn.exe38⤵
- Executes dropped EXE
PID:1984 -
\??\c:\s6844.exec:\s6844.exe39⤵
- Executes dropped EXE
PID:2512 -
\??\c:\1thttt.exec:\1thttt.exe40⤵
- Executes dropped EXE
PID:1556 -
\??\c:\tnhnnt.exec:\tnhnnt.exe41⤵
- Executes dropped EXE
PID:3040 -
\??\c:\ffflrxl.exec:\ffflrxl.exe42⤵
- Executes dropped EXE
PID:1284 -
\??\c:\000268.exec:\000268.exe43⤵
- Executes dropped EXE
PID:1648 -
\??\c:\820622.exec:\820622.exe44⤵
- Executes dropped EXE
PID:2328 -
\??\c:\m8846.exec:\m8846.exe45⤵
- Executes dropped EXE
PID:1528 -
\??\c:\fxxflxl.exec:\fxxflxl.exe46⤵
- Executes dropped EXE
PID:2188 -
\??\c:\3ppvd.exec:\3ppvd.exe47⤵
- Executes dropped EXE
PID:2844 -
\??\c:\822800.exec:\822800.exe48⤵
- Executes dropped EXE
PID:2720 -
\??\c:\ppvjj.exec:\ppvjj.exe49⤵
- Executes dropped EXE
PID:2884 -
\??\c:\88420.exec:\88420.exe50⤵
- Executes dropped EXE
PID:2628 -
\??\c:\006026.exec:\006026.exe51⤵
- Executes dropped EXE
PID:1796 -
\??\c:\htntnn.exec:\htntnn.exe52⤵
- Executes dropped EXE
PID:2856 -
\??\c:\268086.exec:\268086.exe53⤵
- Executes dropped EXE
PID:2656 -
\??\c:\26448.exec:\26448.exe54⤵
- Executes dropped EXE
PID:1444 -
\??\c:\22028.exec:\22028.exe55⤵
- Executes dropped EXE
PID:1816 -
\??\c:\24602.exec:\24602.exe56⤵
- Executes dropped EXE
PID:2324 -
\??\c:\864062.exec:\864062.exe57⤵
- Executes dropped EXE
PID:1540 -
\??\c:\20620.exec:\20620.exe58⤵
- Executes dropped EXE
PID:536 -
\??\c:\i406480.exec:\i406480.exe59⤵
- Executes dropped EXE
PID:1716 -
\??\c:\7lfrlrx.exec:\7lfrlrx.exe60⤵
- Executes dropped EXE
PID:1152 -
\??\c:\w26840.exec:\w26840.exe61⤵
- Executes dropped EXE
PID:1920 -
\??\c:\60624.exec:\60624.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\86062.exec:\86062.exe63⤵
- Executes dropped EXE
PID:2944 -
\??\c:\0462046.exec:\0462046.exe64⤵
- Executes dropped EXE
PID:568 -
\??\c:\rllxrfl.exec:\rllxrfl.exe65⤵
- Executes dropped EXE
PID:1948 -
\??\c:\0462406.exec:\0462406.exe66⤵PID:2024
-
\??\c:\tnhntt.exec:\tnhntt.exe67⤵PID:2116
-
\??\c:\vvjvp.exec:\vvjvp.exe68⤵PID:2076
-
\??\c:\q24688.exec:\q24688.exe69⤵PID:1488
-
\??\c:\vpdjj.exec:\vpdjj.exe70⤵PID:1020
-
\??\c:\tnbnth.exec:\tnbnth.exe71⤵PID:688
-
\??\c:\thbhhn.exec:\thbhhn.exe72⤵PID:1744
-
\??\c:\nhhbnh.exec:\nhhbnh.exe73⤵PID:1096
-
\??\c:\w20060.exec:\w20060.exe74⤵PID:340
-
\??\c:\04802.exec:\04802.exe75⤵PID:1788
-
\??\c:\9nnhnn.exec:\9nnhnn.exe76⤵PID:2288
-
\??\c:\ppppv.exec:\ppppv.exe77⤵PID:1680
-
\??\c:\42624.exec:\42624.exe78⤵PID:2472
-
\??\c:\6040628.exec:\6040628.exe79⤵PID:3016
-
\??\c:\tbhbth.exec:\tbhbth.exe80⤵PID:1364
-
\??\c:\i266840.exec:\i266840.exe81⤵PID:2220
-
\??\c:\tnnbth.exec:\tnnbth.exe82⤵PID:2428
-
\??\c:\hhhthn.exec:\hhhthn.exe83⤵PID:2912
-
\??\c:\c428402.exec:\c428402.exe84⤵PID:1300
-
\??\c:\2660686.exec:\2660686.exe85⤵PID:2308
-
\??\c:\lfrxlfr.exec:\lfrxlfr.exe86⤵PID:1592
-
\??\c:\1ffxxrx.exec:\1ffxxrx.exe87⤵PID:1820
-
\??\c:\btnbht.exec:\btnbht.exe88⤵PID:1984
-
\??\c:\k46800.exec:\k46800.exe89⤵PID:3028
-
\??\c:\q20688.exec:\q20688.exe90⤵PID:2528
-
\??\c:\xlxfrxl.exec:\xlxfrxl.exe91⤵PID:2120
-
\??\c:\lxflrxf.exec:\lxflrxf.exe92⤵PID:1072
-
\??\c:\264806.exec:\264806.exe93⤵PID:2152
-
\??\c:\8208024.exec:\8208024.exe94⤵PID:2312
-
\??\c:\08624.exec:\08624.exe95⤵PID:2848
-
\??\c:\608466.exec:\608466.exe96⤵PID:2188
-
\??\c:\0042466.exec:\0042466.exe97⤵PID:2260
-
\??\c:\4200684.exec:\4200684.exe98⤵PID:2984
-
\??\c:\9rxrxfr.exec:\9rxrxfr.exe99⤵PID:2876
-
\??\c:\q82424.exec:\q82424.exe100⤵PID:2776
-
\??\c:\26068.exec:\26068.exe101⤵PID:2616
-
\??\c:\i268406.exec:\i268406.exe102⤵PID:2660
-
\??\c:\btnbtb.exec:\btnbtb.exe103⤵PID:2772
-
\??\c:\48660.exec:\48660.exe104⤵PID:2268
-
\??\c:\vpdpv.exec:\vpdpv.exe105⤵PID:2180
-
\??\c:\5tttbh.exec:\5tttbh.exe106⤵PID:1504
-
\??\c:\btnbnb.exec:\btnbnb.exe107⤵PID:2792
-
\??\c:\k48200.exec:\k48200.exe108⤵PID:1540
-
\??\c:\xrlxxrf.exec:\xrlxxrf.exe109⤵PID:2500
-
\??\c:\20840.exec:\20840.exe110⤵PID:816
-
\??\c:\s6400.exec:\s6400.exe111⤵PID:2080
-
\??\c:\rfxfrxf.exec:\rfxfrxf.exe112⤵PID:764
-
\??\c:\2224802.exec:\2224802.exe113⤵PID:2960
-
\??\c:\7thhhb.exec:\7thhhb.exe114⤵PID:2944
-
\??\c:\tnbhhn.exec:\tnbhhn.exe115⤵PID:2532
-
\??\c:\9nnbhn.exec:\9nnbhn.exe116⤵PID:1924
-
\??\c:\846486.exec:\846486.exe117⤵PID:1276
-
\??\c:\44802.exec:\44802.exe118⤵PID:1616
-
\??\c:\7flrflx.exec:\7flrflx.exe119⤵PID:448
-
\??\c:\5pdjp.exec:\5pdjp.exe120⤵PID:2236
-
\??\c:\s8808.exec:\s8808.exe121⤵PID:1360
-
\??\c:\660244.exec:\660244.exe122⤵PID:1876