Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 21:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe
-
Size
346KB
-
MD5
f8a64f2c4b35529bdda5e88e089e03c4
-
SHA1
fe302e141d1cbcf237d3558405b58764836518df
-
SHA256
46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f
-
SHA512
b8591bc63110e72cbff2c13101e6ca736f8c3bb2609c090b0569de24e1d9f391661b5dffc3803653787d05868d5f420b8eccc8f0781ea732820c32c42648842b
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAt:l7TcbWXZshJX2VGdt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/1920-7-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2360-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/804-33-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2968-30-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2868-55-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1472-52-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2980-73-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2936-81-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2880-93-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2884-113-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2044-117-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2764-132-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2764-134-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1940-157-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2468-155-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1940-164-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1348-176-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2912-184-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2268-195-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2224-198-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/896-232-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon 
behavioral1/memory/1868-241-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1624-250-0x00000000003A0000-0x00000000003C8000-memory.dmp family_blackmoon behavioral1/memory/1624-252-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2372-260-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/336-271-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1692-306-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2472-318-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2472-316-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon behavioral1/memory/2480-325-0x00000000005C0000-0x00000000005E8000-memory.dmp family_blackmoon behavioral1/memory/2716-346-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2708-353-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/3060-393-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1156-396-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1904-407-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1668-421-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/236-424-0x0000000000230000-0x0000000000258000-memory.dmp family_blackmoon behavioral1/memory/2468-442-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1940-452-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2264-464-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2248-477-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1708-502-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral1/memory/1616-505-0x00000000003B0000-0x00000000003D8000-memory.dmp family_blackmoon behavioral1/memory/1800-515-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1508-523-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2068-568-0x00000000002B0000-0x00000000002D8000-memory.dmp family_blackmoon behavioral1/memory/2064-579-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2724-605-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2360 1vjpd.exe 2968 pvvvp.exe 804 llrllxr.exe 1472 hbbbtb.exe 2868 7nhttb.exe 2980 1nhhht.exe 2936 tbttbt.exe 2880 ddppd.exe 2640 bbnbnb.exe 2884 ntnnnb.exe 2044 bthhht.exe 2764 ppjvp.exe 1064 ttnhhn.exe 2468 pjdpd.exe 1940 nnnnhn.exe 1348 vvdjp.exe 2912 btnhnn.exe 2268 7rlxlxr.exe 2224 9dddp.exe 976 xrlrrxr.exe 1712 pjpdd.exe 896 pvvpj.exe 1868 9hbnnt.exe 1624 ddvvd.exe 2372 bhhthn.exe 336 3jjvp.exe 2552 bbnthb.exe 1728 bthtnt.exe 2112 5xrfxlx.exe 1692 tnhnbb.exe 2472 dvjvv.exe 2480 hbnbtb.exe 568 rxlflxr.exe 2776 llflrll.exe 2716 tthbbt.exe 2708 vpjdd.exe 2868 lffrrfx.exe 2980 3nhtnt.exe 1908 7jvvp.exe 2588 pjvdd.exe 2648 xrffrxx.exe 3060 bthbhn.exe 1156 bthhhh.exe 1904 5dvjj.exe 1680 xrlxflr.exe 1668 ntnbtb.exe 236 vpddd.exe 1632 ddpdv.exe 2468 rxrfrfr.exe 1336 9nhbtt.exe 1940 1jddd.exe 1348 xxlxflf.exe 2264 rrfrfrx.exe 2248 hhbhbn.exe 944 3dpdd.exe 1080 xxrxllr.exe 1744 ffxrlxf.exe 1708 tnnthh.exe 1616 pppdd.exe 1800 vpdjv.exe 1508 lrfrffl.exe 2976 nhttbb.exe 2108 7ddjp.exe 3024 xxrrrxr.exe -
resource yara_rule behavioral1/memory/1920-7-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2360-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/804-33-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2968-30-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2868-55-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1472-52-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2980-73-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2936-81-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2880-93-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2884-113-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2764-134-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1940-157-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2468-155-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1348-176-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2912-184-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2268-195-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2224-198-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1624-252-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2372-260-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/336-271-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1692-303-0x00000000003C0000-0x00000000003E8000-memory.dmp upx behavioral1/memory/2472-307-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1692-306-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2472-318-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/568-327-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2716-346-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2708-353-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1156-396-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/1904-407-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1668-421-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2468-442-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2264-464-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2248-477-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1708-502-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1616-505-0x00000000003B0000-0x00000000003D8000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1920 wrote to memory of 2360 1920 46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe 31 PID 1920 wrote to memory of 2360 1920 46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe 31 PID 1920 wrote to memory of 2360 1920 46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe 31 PID 1920 wrote to memory of 2360 1920 46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe 31 PID 2360 wrote to memory of 2968 2360 1vjpd.exe 32 PID 2360 wrote to memory of 2968 2360 1vjpd.exe 32 PID 2360 wrote to memory of 2968 2360 1vjpd.exe 32 PID 2360 wrote to memory of 2968 2360 1vjpd.exe 32 PID 2968 wrote to memory of 804 2968 pvvvp.exe 33 PID 2968 wrote to memory of 804 2968 pvvvp.exe 33 PID 2968 wrote to memory of 804 2968 pvvvp.exe 33 PID 2968 wrote to memory of 804 2968 pvvvp.exe 33 PID 804 wrote to memory of 1472 804 llrllxr.exe 34 PID 804 wrote to memory of 1472 804 llrllxr.exe 34 PID 804 wrote to memory of 1472 804 llrllxr.exe 34 PID 804 wrote to memory of 1472 804 llrllxr.exe 34 PID 1472 wrote to memory of 2868 1472 hbbbtb.exe 35 PID 1472 wrote to memory of 2868 1472 hbbbtb.exe 35 PID 1472 wrote to memory of 2868 1472 hbbbtb.exe 35 PID 1472 wrote to memory of 2868 1472 hbbbtb.exe 35 PID 2868 wrote to memory of 2980 2868 7nhttb.exe 36 PID 2868 wrote to memory of 2980 2868 7nhttb.exe 36 PID 2868 wrote to memory of 2980 2868 7nhttb.exe 36 PID 2868 wrote to memory of 2980 2868 7nhttb.exe 36 PID 2980 wrote to memory of 2936 2980 1nhhht.exe 37 PID 2980 wrote to memory of 2936 2980 1nhhht.exe 37 PID 2980 wrote to memory of 2936 2980 1nhhht.exe 37 PID 2980 wrote to memory of 2936 2980 1nhhht.exe 37 PID 2936 wrote to memory of 2880 2936 tbttbt.exe 38 PID 2936 wrote to memory of 2880 2936 tbttbt.exe 38 PID 2936 wrote to memory of 2880 2936 tbttbt.exe 38 PID 2936 wrote to memory of 2880 2936 tbttbt.exe 38 PID 2880 wrote to memory of 2640 2880 ddppd.exe 39 PID 2880 wrote to memory of 
2640 2880 ddppd.exe 39 PID 2880 wrote to memory of 2640 2880 ddppd.exe 39 PID 2880 wrote to memory of 2640 2880 ddppd.exe 39 PID 2640 wrote to memory of 2884 2640 bbnbnb.exe 40 PID 2640 wrote to memory of 2884 2640 bbnbnb.exe 40 PID 2640 wrote to memory of 2884 2640 bbnbnb.exe 40 PID 2640 wrote to memory of 2884 2640 bbnbnb.exe 40 PID 2884 wrote to memory of 2044 2884 ntnnnb.exe 41 PID 2884 wrote to memory of 2044 2884 ntnnnb.exe 41 PID 2884 wrote to memory of 2044 2884 ntnnnb.exe 41 PID 2884 wrote to memory of 2044 2884 ntnnnb.exe 41 PID 2044 wrote to memory of 2764 2044 bthhht.exe 42 PID 2044 wrote to memory of 2764 2044 bthhht.exe 42 PID 2044 wrote to memory of 2764 2044 bthhht.exe 42 PID 2044 wrote to memory of 2764 2044 bthhht.exe 42 PID 2764 wrote to memory of 1064 2764 ppjvp.exe 43 PID 2764 wrote to memory of 1064 2764 ppjvp.exe 43 PID 2764 wrote to memory of 1064 2764 ppjvp.exe 43 PID 2764 wrote to memory of 1064 2764 ppjvp.exe 43 PID 1064 wrote to memory of 2468 1064 ttnhhn.exe 44 PID 1064 wrote to memory of 2468 1064 ttnhhn.exe 44 PID 1064 wrote to memory of 2468 1064 ttnhhn.exe 44 PID 1064 wrote to memory of 2468 1064 ttnhhn.exe 44 PID 2468 wrote to memory of 1940 2468 pjdpd.exe 45 PID 2468 wrote to memory of 1940 2468 pjdpd.exe 45 PID 2468 wrote to memory of 1940 2468 pjdpd.exe 45 PID 2468 wrote to memory of 1940 2468 pjdpd.exe 45 PID 1940 wrote to memory of 1348 1940 nnnnhn.exe 46 PID 1940 wrote to memory of 1348 1940 nnnnhn.exe 46 PID 1940 wrote to memory of 1348 1940 nnnnhn.exe 46 PID 1940 wrote to memory of 1348 1940 nnnnhn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe"C:\Users\Admin\AppData\Local\Temp\46b844698444932a3f24015f7e46d1637b4923a8a659f86654eed9edb6aad60f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\1vjpd.exec:\1vjpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\pvvvp.exec:\pvvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\llrllxr.exec:\llrllxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\hbbbtb.exec:\hbbbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\7nhttb.exec:\7nhttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\1nhhht.exec:\1nhhht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\tbttbt.exec:\tbttbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\ddppd.exec:\ddppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\bbnbnb.exec:\bbnbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\ntnnnb.exec:\ntnnnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\bthhht.exec:\bthhht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\ppjvp.exec:\ppjvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\ttnhhn.exec:\ttnhhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\pjdpd.exec:\pjdpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\nnnnhn.exec:\nnnnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\vvdjp.exec:\vvdjp.exe17⤵
- Executes dropped EXE
PID:1348 -
\??\c:\btnhnn.exec:\btnhnn.exe18⤵
- Executes dropped EXE
PID:2912 -
\??\c:\7rlxlxr.exec:\7rlxlxr.exe19⤵
- Executes dropped EXE
PID:2268 -
\??\c:\9dddp.exec:\9dddp.exe20⤵
- Executes dropped EXE
PID:2224 -
\??\c:\xrlrrxr.exec:\xrlrrxr.exe21⤵
- Executes dropped EXE
PID:976 -
\??\c:\pjpdd.exec:\pjpdd.exe22⤵
- Executes dropped EXE
PID:1712 -
\??\c:\pvvpj.exec:\pvvpj.exe23⤵
- Executes dropped EXE
PID:896 -
\??\c:\9hbnnt.exec:\9hbnnt.exe24⤵
- Executes dropped EXE
PID:1868 -
\??\c:\ddvvd.exec:\ddvvd.exe25⤵
- Executes dropped EXE
PID:1624 -
\??\c:\bhhthn.exec:\bhhthn.exe26⤵
- Executes dropped EXE
PID:2372 -
\??\c:\3jjvp.exec:\3jjvp.exe27⤵
- Executes dropped EXE
PID:336 -
\??\c:\bbnthb.exec:\bbnthb.exe28⤵
- Executes dropped EXE
PID:2552 -
\??\c:\bthtnt.exec:\bthtnt.exe29⤵
- Executes dropped EXE
PID:1728 -
\??\c:\5xrfxlx.exec:\5xrfxlx.exe30⤵
- Executes dropped EXE
PID:2112 -
\??\c:\tnhnbb.exec:\tnhnbb.exe31⤵
- Executes dropped EXE
PID:1692 -
\??\c:\dvjvv.exec:\dvjvv.exe32⤵
- Executes dropped EXE
PID:2472 -
\??\c:\hbnbtb.exec:\hbnbtb.exe33⤵
- Executes dropped EXE
PID:2480 -
\??\c:\rxlflxr.exec:\rxlflxr.exe34⤵
- Executes dropped EXE
PID:568 -
\??\c:\llflrll.exec:\llflrll.exe35⤵
- Executes dropped EXE
PID:2776 -
\??\c:\tthbbt.exec:\tthbbt.exe36⤵
- Executes dropped EXE
PID:2716 -
\??\c:\vpjdd.exec:\vpjdd.exe37⤵
- Executes dropped EXE
PID:2708 -
\??\c:\lffrrfx.exec:\lffrrfx.exe38⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3nhtnt.exec:\3nhtnt.exe39⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7jvvp.exec:\7jvvp.exe40⤵
- Executes dropped EXE
PID:1908 -
\??\c:\pjvdd.exec:\pjvdd.exe41⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xrffrxx.exec:\xrffrxx.exe42⤵
- Executes dropped EXE
PID:2648 -
\??\c:\bthbhn.exec:\bthbhn.exe43⤵
- Executes dropped EXE
PID:3060 -
\??\c:\bthhhh.exec:\bthhhh.exe44⤵
- Executes dropped EXE
PID:1156 -
\??\c:\5dvjj.exec:\5dvjj.exe45⤵
- Executes dropped EXE
PID:1904 -
\??\c:\xrlxflr.exec:\xrlxflr.exe46⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ntnbtb.exec:\ntnbtb.exe47⤵
- Executes dropped EXE
PID:1668 -
\??\c:\vpddd.exec:\vpddd.exe48⤵
- Executes dropped EXE
PID:236 -
\??\c:\ddpdv.exec:\ddpdv.exe49⤵
- Executes dropped EXE
PID:1632 -
\??\c:\rxrfrfr.exec:\rxrfrfr.exe50⤵
- Executes dropped EXE
PID:2468 -
\??\c:\9nhbtt.exec:\9nhbtt.exe51⤵
- Executes dropped EXE
PID:1336 -
\??\c:\1jddd.exec:\1jddd.exe52⤵
- Executes dropped EXE
PID:1940 -
\??\c:\xxlxflf.exec:\xxlxflf.exe53⤵
- Executes dropped EXE
PID:1348 -
\??\c:\rrfrfrx.exec:\rrfrfrx.exe54⤵
- Executes dropped EXE
PID:2264 -
\??\c:\hhbhbn.exec:\hhbhbn.exe55⤵
- Executes dropped EXE
PID:2248 -
\??\c:\3dpdd.exec:\3dpdd.exe56⤵
- Executes dropped EXE
PID:944 -
\??\c:\xxrxllr.exec:\xxrxllr.exe57⤵
- Executes dropped EXE
PID:1080 -
\??\c:\ffxrlxf.exec:\ffxrlxf.exe58⤵
- Executes dropped EXE
PID:1744 -
\??\c:\tnnthh.exec:\tnnthh.exe59⤵
- Executes dropped EXE
PID:1708 -
\??\c:\pppdd.exec:\pppdd.exe60⤵
- Executes dropped EXE
PID:1616 -
\??\c:\vpdjv.exec:\vpdjv.exe61⤵
- Executes dropped EXE
PID:1800 -
\??\c:\lrfrffl.exec:\lrfrffl.exe62⤵
- Executes dropped EXE
PID:1508 -
\??\c:\nhttbb.exec:\nhttbb.exe63⤵
- Executes dropped EXE
PID:2976 -
\??\c:\7ddjp.exec:\7ddjp.exe64⤵
- Executes dropped EXE
PID:2108 -
\??\c:\xxrrrxr.exec:\xxrrrxr.exe65⤵
- Executes dropped EXE
PID:3024 -
\??\c:\5rxlfrr.exec:\5rxlfrr.exe66⤵PID:940
-
\??\c:\hnhbnb.exec:\hnhbnb.exe67⤵PID:2080
-
\??\c:\3vpdj.exec:\3vpdj.exe68⤵PID:2552
-
\??\c:\dpjpj.exec:\dpjpj.exe69⤵PID:3044
-
\??\c:\9lffflr.exec:\9lffflr.exe70⤵PID:2068
-
\??\c:\nnnnht.exec:\nnnnht.exe71⤵PID:2064
-
\??\c:\vvjjv.exec:\vvjjv.exe72⤵PID:2544
-
\??\c:\llfrlfl.exec:\llfrlfl.exe73⤵PID:2380
-
\??\c:\frrfrxl.exec:\frrfrxl.exe74⤵PID:2236
-
\??\c:\bhbtnt.exec:\bhbtnt.exe75⤵PID:2724
-
\??\c:\7vjvv.exec:\7vjvv.exe76⤵PID:2060
-
\??\c:\lrxrfxf.exec:\lrxrfxf.exe77⤵PID:2732
-
\??\c:\1xlxfxl.exec:\1xlxfxl.exe78⤵PID:2736
-
\??\c:\bhtnhn.exec:\bhtnhn.exe79⤵PID:2708
-
\??\c:\jjvjv.exec:\jjvjv.exe80⤵PID:2836
-
\??\c:\rlfxxlr.exec:\rlfxxlr.exe81⤵PID:2748
-
\??\c:\hhthhh.exec:\hhthhh.exe82⤵PID:2608
-
\??\c:\tttbhn.exec:\tttbhn.exe83⤵PID:2172
-
\??\c:\jdpvj.exec:\jdpvj.exe84⤵PID:2204
-
\??\c:\flrxxfr.exec:\flrxxfr.exe85⤵PID:1964
-
\??\c:\9btthh.exec:\9btthh.exe86⤵PID:2844
-
\??\c:\nnhtnt.exec:\nnhtnt.exe87⤵PID:1672
-
\??\c:\7dpjp.exec:\7dpjp.exe88⤵PID:1936
-
\??\c:\ddjjd.exec:\ddjjd.exe89⤵PID:2548
-
\??\c:\flffxfl.exec:\flffxfl.exe90⤵PID:1220
-
\??\c:\hhhthn.exec:\hhhthn.exe91⤵PID:856
-
\??\c:\tbbnnt.exec:\tbbnnt.exe92⤵PID:1724
-
\??\c:\vvvpv.exec:\vvvpv.exe93⤵PID:1940
-
\??\c:\rllrrfx.exec:\rllrrfx.exe94⤵PID:1348
-
\??\c:\xxfxfxx.exec:\xxfxfxx.exe95⤵PID:2356
-
\??\c:\ttnbtb.exec:\ttnbtb.exe96⤵PID:2248
-
\??\c:\djjvd.exec:\djjvd.exe97⤵PID:600
-
\??\c:\rrxlxlr.exec:\rrxlxlr.exe98⤵PID:1804
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe99⤵PID:1712
-
\??\c:\htnnhn.exec:\htnnhn.exe100⤵PID:2192
-
\??\c:\nhbtnn.exec:\nhbtnn.exe101⤵PID:1640
-
\??\c:\9dpvv.exec:\9dpvv.exe102⤵PID:1868
-
\??\c:\fllxrrf.exec:\fllxrrf.exe103⤵PID:3048
-
\??\c:\nttbtb.exec:\nttbtb.exe104⤵PID:3028
-
\??\c:\bhnbtb.exec:\bhnbtb.exe105⤵PID:1748
-
\??\c:\5pjpj.exec:\5pjpj.exe106⤵PID:2372
-
\??\c:\xxlxxfx.exec:\xxlxxfx.exe107⤵PID:940
-
\??\c:\5tnbbn.exec:\5tnbbn.exe108⤵PID:308
-
\??\c:\9bnnbh.exec:\9bnnbh.exe109⤵PID:1728
-
\??\c:\ddvdd.exec:\ddvdd.exe110⤵PID:2328
-
\??\c:\vvppj.exec:\vvppj.exe111⤵PID:2068
-
\??\c:\7frffrl.exec:\7frffrl.exe112⤵PID:2348
-
\??\c:\tbttnn.exec:\tbttnn.exe113⤵PID:1864
-
\??\c:\ppdjj.exec:\ppdjj.exe114⤵PID:2508
-
\??\c:\lllxrrl.exec:\lllxrrl.exe115⤵PID:2480
-
\??\c:\nntbnt.exec:\nntbnt.exe116⤵PID:2684
-
\??\c:\bbtnbh.exec:\bbtnbh.exe117⤵PID:2680
-
\??\c:\dvjpv.exec:\dvjpv.exe118⤵PID:2700
-
\??\c:\ddvdj.exec:\ddvdj.exe119⤵PID:2872
-
\??\c:\rrlxfxr.exec:\rrlxfxr.exe120⤵PID:2692
-
\??\c:\nbtbnb.exec:\nbtbnb.exe121⤵PID:2740
-
\??\c:\ppjpd.exec:\ppjpd.exe122⤵PID:2788