Analysis
-
max time kernel
150s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 21:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe
-
Size
453KB
-
MD5
6c2363aa38f236c0cf59842c9dc4add1
-
SHA1
b7137d103c69091fe2a0b124af8bf2599c5adad6
-
SHA256
44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c
-
SHA512
fa1317022d9d692f16720c8d32e4005a2e569ae61b0ac0912c94c35ed70c6940c6f79f6cd2cb153418f83787c97160888c9d4cc5c1ba79fe54b4d6a116189855
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 36 IoCs
resource yara_rule behavioral1/memory/2668-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-47-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/644-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/756-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1192-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-301-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1572-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-369-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2616-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-545-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/660-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2772 tbhbbn.exe 2672 9llxrxx.exe 2644 nhhntn.exe 3040 ddvdp.exe 2824 7tbhnt.exe 2648 tbbnbn.exe 1696 jpvdp.exe 2900 hnntbh.exe 2956 jpjjp.exe 2148 ntnbth.exe 692 rrffxrr.exe 2720 pvjpd.exe 2880 lfxflrr.exe 2344 vdvjd.exe 1884 vvppv.exe 644 1tthbn.exe 1904 ddppd.exe 2088 nhtttt.exe 3056 lrflrxf.exe 2128 3jjpd.exe 808 lxxxflx.exe 1644 dddjp.exe 1952 fxrxrxl.exe 756 ppjjv.exe 1568 bbnttb.exe 2476 nthnbh.exe 2072 5rlrxxf.exe 1500 vdddp.exe 1516 llrxrxx.exe 1192 jvjvp.exe 2760 xxxfrrf.exe 1572 ddjdj.exe 2684 vdjdj.exe 2660 htntbb.exe 2804 vddpd.exe 2340 9jjpd.exe 2576 7lflrxx.exe 2544 bhthnb.exe 2528 djvvj.exe 2168 pdpvj.exe 3064 frlrffr.exe 1132 9nhhth.exe 1716 vdvpv.exe 2232 1dppv.exe 2100 xrflxfr.exe 2180 hhbbhn.exe 2904 9djpd.exe 2856 frlfrxr.exe 2616 bbhbnh.exe 2988 xrffrxl.exe 1872 9hhnbt.exe 2444 ddddv.exe 2952 lrxxlrf.exe 644 ththhn.exe 1768 djdjv.exe 2304 ddjjv.exe 1376 rfxxrrf.exe 1972 1bhhnh.exe 2128 dpjjd.exe 1084 lxflxrf.exe 676 3rlrfll.exe 1596 tbntbh.exe 1628 dpjdv.exe 552 xlxxlrf.exe -
resource yara_rule behavioral1/memory/2668-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2072-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-403-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2616-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-545-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/660-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-735-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2396-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-767-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhtb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
3rxfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 2772 2668 44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe 30 PID 2668 wrote to memory of 2772 2668 44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe 30 PID 2668 wrote to memory of 2772 2668 44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe 30 PID 2668 wrote to memory of 2772 2668 44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe 30 PID 2772 wrote to memory of 2672 2772 tbhbbn.exe 31 PID 2772 wrote to memory of 2672 2772 tbhbbn.exe 31 PID 2772 wrote to memory of 2672 2772 tbhbbn.exe 31 PID 2772 wrote to memory of 2672 2772 tbhbbn.exe 31 PID 2672 wrote to memory of 2644 2672 9llxrxx.exe 32 PID 2672 wrote to memory of 2644 2672 9llxrxx.exe 32 PID 2672 wrote to memory of 2644 2672 9llxrxx.exe 32 PID 2672 wrote to memory of 2644 2672 9llxrxx.exe 32 PID 2644 wrote to memory of 3040 2644 nhhntn.exe 33 PID 2644 wrote to memory of 3040 2644 nhhntn.exe 33 PID 2644 wrote to memory of 3040 2644 nhhntn.exe 33 PID 2644 wrote to memory of 3040 2644 nhhntn.exe 33 PID 3040 wrote to memory of 2824 3040 ddvdp.exe 34 PID 3040 wrote to memory of 2824 3040 ddvdp.exe 34 PID 3040 wrote to memory of 2824 3040 ddvdp.exe 34 PID 3040 wrote to memory of 2824 3040 ddvdp.exe 34 PID 2824 wrote to memory of 2648 2824 7tbhnt.exe 35 PID 2824 wrote to memory of 2648 2824 7tbhnt.exe 35 PID 2824 wrote to memory of 2648 2824 7tbhnt.exe 35 PID 2824 wrote to memory of 2648 2824 7tbhnt.exe 35 PID 2648 wrote to memory of 1696 2648 tbbnbn.exe 36 PID 2648 wrote to memory of 1696 2648 tbbnbn.exe 36 PID 2648 wrote to memory of 1696 2648 tbbnbn.exe 36 PID 2648 wrote to memory of 1696 2648 tbbnbn.exe 36 PID 1696 wrote to memory of 2900 1696 jpvdp.exe 37 PID 1696 wrote to memory of 2900 1696 jpvdp.exe 37 PID 1696 wrote to memory of 2900 1696 jpvdp.exe 37 PID 1696 wrote to memory of 2900 1696 jpvdp.exe 37 PID 2900 wrote to memory of 2956 2900 hnntbh.exe 38 PID 2900 wrote to 
memory of 2956 2900 hnntbh.exe 38 PID 2900 wrote to memory of 2956 2900 hnntbh.exe 38 PID 2900 wrote to memory of 2956 2900 hnntbh.exe 38 PID 2956 wrote to memory of 2148 2956 jpjjp.exe 39 PID 2956 wrote to memory of 2148 2956 jpjjp.exe 39 PID 2956 wrote to memory of 2148 2956 jpjjp.exe 39 PID 2956 wrote to memory of 2148 2956 jpjjp.exe 39 PID 2148 wrote to memory of 692 2148 ntnbth.exe 40 PID 2148 wrote to memory of 692 2148 ntnbth.exe 40 PID 2148 wrote to memory of 692 2148 ntnbth.exe 40 PID 2148 wrote to memory of 692 2148 ntnbth.exe 40 PID 692 wrote to memory of 2720 692 rrffxrr.exe 41 PID 692 wrote to memory of 2720 692 rrffxrr.exe 41 PID 692 wrote to memory of 2720 692 rrffxrr.exe 41 PID 692 wrote to memory of 2720 692 rrffxrr.exe 41 PID 2720 wrote to memory of 2880 2720 pvjpd.exe 42 PID 2720 wrote to memory of 2880 2720 pvjpd.exe 42 PID 2720 wrote to memory of 2880 2720 pvjpd.exe 42 PID 2720 wrote to memory of 2880 2720 pvjpd.exe 42 PID 2880 wrote to memory of 2344 2880 lfxflrr.exe 43 PID 2880 wrote to memory of 2344 2880 lfxflrr.exe 43 PID 2880 wrote to memory of 2344 2880 lfxflrr.exe 43 PID 2880 wrote to memory of 2344 2880 lfxflrr.exe 43 PID 2344 wrote to memory of 1884 2344 vdvjd.exe 44 PID 2344 wrote to memory of 1884 2344 vdvjd.exe 44 PID 2344 wrote to memory of 1884 2344 vdvjd.exe 44 PID 2344 wrote to memory of 1884 2344 vdvjd.exe 44 PID 1884 wrote to memory of 644 1884 vvppv.exe 45 PID 1884 wrote to memory of 644 1884 vvppv.exe 45 PID 1884 wrote to memory of 644 1884 vvppv.exe 45 PID 1884 wrote to memory of 644 1884 vvppv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe"C:\Users\Admin\AppData\Local\Temp\44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\tbhbbn.exec:\tbhbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\9llxrxx.exec:\9llxrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\nhhntn.exec:\nhhntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\ddvdp.exec:\ddvdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\7tbhnt.exec:\7tbhnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\tbbnbn.exec:\tbbnbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\jpvdp.exec:\jpvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\hnntbh.exec:\hnntbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\jpjjp.exec:\jpjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\ntnbth.exec:\ntnbth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\rrffxrr.exec:\rrffxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\pvjpd.exec:\pvjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\lfxflrr.exec:\lfxflrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\vdvjd.exec:\vdvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\vvppv.exec:\vvppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\1tthbn.exec:\1tthbn.exe17⤵
- Executes dropped EXE
PID:644 -
\??\c:\ddppd.exec:\ddppd.exe18⤵
- Executes dropped EXE
PID:1904 -
\??\c:\nhtttt.exec:\nhtttt.exe19⤵
- Executes dropped EXE
PID:2088 -
\??\c:\lrflrxf.exec:\lrflrxf.exe20⤵
- Executes dropped EXE
PID:3056 -
\??\c:\3jjpd.exec:\3jjpd.exe21⤵
- Executes dropped EXE
PID:2128 -
\??\c:\lxxxflx.exec:\lxxxflx.exe22⤵
- Executes dropped EXE
PID:808 -
\??\c:\dddjp.exec:\dddjp.exe23⤵
- Executes dropped EXE
PID:1644 -
\??\c:\fxrxrxl.exec:\fxrxrxl.exe24⤵
- Executes dropped EXE
PID:1952 -
\??\c:\ppjjv.exec:\ppjjv.exe25⤵
- Executes dropped EXE
PID:756 -
\??\c:\bbnttb.exec:\bbnttb.exe26⤵
- Executes dropped EXE
PID:1568 -
\??\c:\nthnbh.exec:\nthnbh.exe27⤵
- Executes dropped EXE
PID:2476 -
\??\c:\5rlrxxf.exec:\5rlrxxf.exe28⤵
- Executes dropped EXE
PID:2072 -
\??\c:\vdddp.exec:\vdddp.exe29⤵
- Executes dropped EXE
PID:1500 -
\??\c:\llrxrxx.exec:\llrxrxx.exe30⤵
- Executes dropped EXE
PID:1516 -
\??\c:\jvjvp.exec:\jvjvp.exe31⤵
- Executes dropped EXE
PID:1192 -
\??\c:\xxxfrrf.exec:\xxxfrrf.exe32⤵
- Executes dropped EXE
PID:2760 -
\??\c:\ddjdj.exec:\ddjdj.exe33⤵
- Executes dropped EXE
PID:1572 -
\??\c:\vdjdj.exec:\vdjdj.exe34⤵
- Executes dropped EXE
PID:2684 -
\??\c:\htntbb.exec:\htntbb.exe35⤵
- Executes dropped EXE
PID:2660 -
\??\c:\vddpd.exec:\vddpd.exe36⤵
- Executes dropped EXE
PID:2804 -
\??\c:\9jjpd.exec:\9jjpd.exe37⤵
- Executes dropped EXE
PID:2340 -
\??\c:\7lflrxx.exec:\7lflrxx.exe38⤵
- Executes dropped EXE
PID:2576 -
\??\c:\bhthnb.exec:\bhthnb.exe39⤵
- Executes dropped EXE
PID:2544 -
\??\c:\djvvj.exec:\djvvj.exe40⤵
- Executes dropped EXE
PID:2528 -
\??\c:\pdpvj.exec:\pdpvj.exe41⤵
- Executes dropped EXE
PID:2168 -
\??\c:\frlrffr.exec:\frlrffr.exe42⤵
- Executes dropped EXE
PID:3064 -
\??\c:\9nhhth.exec:\9nhhth.exe43⤵
- Executes dropped EXE
PID:1132 -
\??\c:\vdvpv.exec:\vdvpv.exe44⤵
- Executes dropped EXE
PID:1716 -
\??\c:\1dppv.exec:\1dppv.exe45⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xrflxfr.exec:\xrflxfr.exe46⤵
- Executes dropped EXE
PID:2100 -
\??\c:\hhbbhn.exec:\hhbbhn.exe47⤵
- Executes dropped EXE
PID:2180 -
\??\c:\9djpd.exec:\9djpd.exe48⤵
- Executes dropped EXE
PID:2904 -
\??\c:\frlfrxr.exec:\frlfrxr.exe49⤵
- Executes dropped EXE
PID:2856 -
\??\c:\bbhbnh.exec:\bbhbnh.exe50⤵
- Executes dropped EXE
PID:2616 -
\??\c:\xrffrxl.exec:\xrffrxl.exe51⤵
- Executes dropped EXE
PID:2988 -
\??\c:\9hhnbt.exec:\9hhnbt.exe52⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ddddv.exec:\ddddv.exe53⤵
- Executes dropped EXE
PID:2444 -
\??\c:\lrxxlrf.exec:\lrxxlrf.exe54⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ththhn.exec:\ththhn.exe55⤵
- Executes dropped EXE
PID:644 -
\??\c:\djdjv.exec:\djdjv.exe56⤵
- Executes dropped EXE
PID:1768 -
\??\c:\ddjjv.exec:\ddjjv.exe57⤵
- Executes dropped EXE
PID:2304 -
\??\c:\rfxxrrf.exec:\rfxxrrf.exe58⤵
- Executes dropped EXE
PID:1376 -
\??\c:\1bhhnh.exec:\1bhhnh.exe59⤵
- Executes dropped EXE
PID:1972 -
\??\c:\dpjjd.exec:\dpjjd.exe60⤵
- Executes dropped EXE
PID:2128 -
\??\c:\lxflxrf.exec:\lxflxrf.exe61⤵
- Executes dropped EXE
PID:1084 -
\??\c:\3rlrfll.exec:\3rlrfll.exe62⤵
- Executes dropped EXE
PID:676 -
\??\c:\tbntbh.exec:\tbntbh.exe63⤵
- Executes dropped EXE
PID:1596 -
\??\c:\dpjdv.exec:\dpjdv.exe64⤵
- Executes dropped EXE
PID:1628 -
\??\c:\xlxxlrf.exec:\xlxxlrf.exe65⤵
- Executes dropped EXE
PID:552 -
\??\c:\ffxxffl.exec:\ffxxffl.exe66⤵PID:304
-
\??\c:\tbbntt.exec:\tbbntt.exe67⤵PID:1568
-
\??\c:\pvpdp.exec:\pvpdp.exe68⤵PID:1868
-
\??\c:\jpjpd.exec:\jpjpd.exe69⤵PID:2928
-
\??\c:\1lffffl.exec:\1lffffl.exe70⤵PID:660
-
\??\c:\hhhhnn.exec:\hhhhnn.exe71⤵PID:2924
-
\??\c:\vdvjv.exec:\vdvjv.exe72⤵PID:2500
-
\??\c:\xxfllrx.exec:\xxfllrx.exe73⤵PID:2832
-
\??\c:\xfllrrl.exec:\xfllrrl.exe74⤵PID:2800
-
\??\c:\5hbbhn.exec:\5hbbhn.exe75⤵PID:2712
-
\??\c:\9vjjd.exec:\9vjjd.exe76⤵PID:2772
-
\??\c:\lrrrffr.exec:\lrrrffr.exe77⤵PID:2684
-
\??\c:\rrlrfrl.exec:\rrlrfrl.exe78⤵PID:2176
-
\??\c:\bhbbhn.exec:\bhbbhn.exe79⤵PID:2804
-
\??\c:\jjppp.exec:\jjppp.exe80⤵PID:2340
-
\??\c:\7rlrxfl.exec:\7rlrxfl.exe81⤵PID:2532
-
\??\c:\xxrxflx.exec:\xxrxflx.exe82⤵PID:2544
-
\??\c:\7tbtbb.exec:\7tbtbb.exe83⤵PID:2528
-
\??\c:\ppjjj.exec:\ppjjj.exe84⤵PID:616
-
\??\c:\pddvj.exec:\pddvj.exe85⤵PID:2052
-
\??\c:\lxlxllx.exec:\lxlxllx.exe86⤵PID:2244
-
\??\c:\tbntbb.exec:\tbntbb.exe87⤵PID:2144
-
\??\c:\hhtbnt.exec:\hhtbnt.exe88⤵PID:2956
-
\??\c:\jpvdp.exec:\jpvdp.exe89⤵PID:2964
-
\??\c:\7rfrlrf.exec:\7rfrlrf.exe90⤵PID:2180
-
\??\c:\7rfxffl.exec:\7rfxffl.exe91⤵PID:2904
-
\??\c:\7bnthh.exec:\7bnthh.exe92⤵PID:2872
-
\??\c:\pvdvd.exec:\pvdvd.exe93⤵PID:2860
-
\??\c:\rfxfxxr.exec:\rfxfxxr.exe94⤵PID:2460
-
\??\c:\thhnbh.exec:\thhnbh.exe95⤵PID:2588
-
\??\c:\htnbhn.exec:\htnbhn.exe96⤵PID:2444
-
\??\c:\jpdpj.exec:\jpdpj.exe97⤵PID:2320
-
\??\c:\rxflrfl.exec:\rxflrfl.exe98⤵PID:2200
-
\??\c:\bhttbb.exec:\bhttbb.exe99⤵PID:2396
-
\??\c:\9dpdj.exec:\9dpdj.exe100⤵PID:2104
-
\??\c:\3jjpd.exec:\3jjpd.exe101⤵PID:2120
-
\??\c:\lxlxxlf.exec:\lxlxxlf.exe102⤵PID:1588
-
\??\c:\bbnntb.exec:\bbnntb.exe103⤵PID:916
-
\??\c:\9jddp.exec:\9jddp.exe104⤵PID:1896
-
\??\c:\pdjdp.exec:\pdjdp.exe105⤵PID:2452
-
\??\c:\1fxfrfr.exec:\1fxfrfr.exe106⤵PID:1524
-
\??\c:\hhbbnt.exec:\hhbbnt.exe107⤵PID:2480
-
\??\c:\tnhnbb.exec:\tnhnbb.exe108⤵PID:552
-
\??\c:\1llrffl.exec:\1llrffl.exe109⤵PID:1436
-
\??\c:\7xrrxfr.exec:\7xrrxfr.exe110⤵PID:1568
-
\??\c:\9tnnth.exec:\9tnnth.exe111⤵PID:1868
-
\??\c:\1vdvp.exec:\1vdvp.exe112⤵PID:2928
-
\??\c:\flflrlx.exec:\flflrlx.exe113⤵PID:868
-
\??\c:\llflxlx.exec:\llflxlx.exe114⤵PID:2276
-
\??\c:\nnbhhn.exec:\nnbhhn.exe115⤵PID:2656
-
\??\c:\nnhtth.exec:\nnhtth.exe116⤵PID:1576
-
\??\c:\vjddj.exec:\vjddj.exe117⤵PID:1572
-
\??\c:\7pvdp.exec:\7pvdp.exe118⤵PID:2672
-
\??\c:\rxrrffr.exec:\rxrrffr.exe119⤵PID:2652
-
\??\c:\9bntbh.exec:\9bntbh.exe120⤵PID:2644
-
\??\c:\bhtbhh.exec:\bhtbhh.exe121⤵PID:2688
-
\??\c:\pvvpd.exec:\pvvpd.exe122⤵PID:2604