Analysis
-
max time kernel
137s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06-06-2024 02:48
Static task
static1
1 signature
Behavioral task
behavioral1 (note: the page header gives the platform as windows10-2004_x64 with resource win10v2004-20240508-en, this task lists resource win7-20240419-en, and every signature hit below is tagged behavioral2; the task-to-resource mapping shown here is internally inconsistent, so confirm the actual run environment from the original report before relying on it)
Sample
965c8e663afa32042732cd0d77321d3d.exe
Resource
win7-20240419-en
5 signatures
150 seconds
General
-
Target
965c8e663afa32042732cd0d77321d3d.exe
-
Size
191KB
-
MD5
965c8e663afa32042732cd0d77321d3d
-
SHA1
58e95baec0125ed8720ef87bcda4e8aeae37d3dc
-
SHA256
fba6ed8a5870968ab92e3caaa5cde025ddb86bac764be4dadc0cc018b898c820
-
SHA512
78c61de7327961a4b1d8e01d5586b6ff04517114084caada0063ec90e1d79b40c19aabed6c7260bee4f05095021db18642989bc6056187824de0e34f7e6750ca
-
SSDEEP
1536:EvQBeOGtrYSSsrc93UBIfdC67m6AJiqjt3ufT/FRxZOYsU58r:EhOm2sI93UufdC67ciyt3ujFf7jar
Malware Config (empty: no configuration was extracted for this sample in this report)
Signatures
-
Detect Blackmoon payload — 64 IoCs (YARA rule family_blackmoon matched on memory dumps of the 0x0000000000400000–0x000000000042A000 image region of each process; the listing appears to be capped at 64 entries, since the process tree below continues well past the processes named here)
Processes:
resource yara_rule behavioral2/memory/536-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/536-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2832-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/588-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3312-922-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (each process drops the next binary to the root of C:\ under a short name made of a few repeated letters, e.g. \??\c:\nbnbhb.exe, and launches it, so the run is a linear self-replicating chain; this list stops at 64 entries while the process tree below continues to tree level 122)
Processes:
nbnbhb.exevjvpp.exejpvjd.exexlrfxfx.exetthbtn.exennbthb.exepvvpp.exefrfxllx.exefxrllfx.exenhthnn.exe7xlfxrr.exedjjjd.exe7rxrxxf.exentbtnh.exe7jpjd.exe9rxxfxl.exejjjjj.exe5xrfxlf.exehtbtnn.exevpvpj.exe9rxxxfl.exethnhhh.exejpvvp.exerffrlff.exejdpjd.exe1jpjd.exelflllrl.exetnnhbt.exevpppj.exethhbnn.exevjjdv.exerrrrllr.exenbnbhh.exepdjdd.exepvdvp.exexxlffxx.exebtbtnt.exepdpdv.exeddddv.exerflflll.exehnnntn.exerlffxfx.exelffxxxx.exe5vvpj.exejdpjd.exerrlrlll.exetbbnhb.exetntnhh.exedvjdj.exejpvpj.exe1llfxrl.exetbbnht.exebthntn.exedjpjv.exepdjdv.exefrxrrrr.exebnbbtt.exennnbtn.exepjppp.exe5ddvj.exexrrfrrl.exelrlfxrr.exebtbnbb.exennnhbb.exepid process 4464 nbnbhb.exe 3812 vjvpp.exe 2892 jpvjd.exe 1968 xlrfxfx.exe 4452 tthbtn.exe 5092 nnbthb.exe 1384 pvvpp.exe 2668 frfxllx.exe 4180 fxrllfx.exe 3576 nhthnn.exe 4008 7xlfxrr.exe 4984 djjjd.exe 3536 7rxrxxf.exe 4996 ntbtnh.exe 2136 7jpjd.exe 4644 9rxxfxl.exe 4200 jjjjj.exe 752 5xrfxlf.exe 1736 htbtnn.exe 2156 vpvpj.exe 4688 9rxxxfl.exe 4692 thnhhh.exe 4764 jpvvp.exe 1928 rffrlff.exe 736 jdpjd.exe 2008 1jpjd.exe 384 lflllrl.exe 3292 tnnhbt.exe 536 vpppj.exe 3820 thhbnn.exe 1968 vjjdv.exe 1112 rrrrllr.exe 4744 nbnbhh.exe 4968 pdjdd.exe 4656 pvdvp.exe 2544 xxlffxx.exe 4956 btbtnt.exe 2320 pdpdv.exe 3576 ddddv.exe 3748 rflflll.exe 1800 hnnntn.exe 3020 rlffxfx.exe 4544 lffxxxx.exe 4316 5vvpj.exe 2084 jdpjd.exe 1996 rrlrlll.exe 4144 tbbnhb.exe 756 tntnhh.exe 432 dvjdj.exe 4752 jpvpj.exe 1440 1llfxrl.exe 2284 tbbnht.exe 3724 bthntn.exe 4844 djpjv.exe 1560 pdjdv.exe 5096 frxrrrr.exe 4404 bnbbtt.exe 4432 nnnbtn.exe 384 pjppp.exe 1956 5ddvj.exe 4936 xrrfrrl.exe 4464 lrlfxrr.exe 5028 btbnbb.exe 1968 nnnhbb.exe -
Processes: (the signature title for this section is missing from the page; the rule column in the table below reads `upx`, i.e. the same 0x400000–0x42A000 image region of every process in the chain was flagged as UPX-packed, consistent with each dropped file being a copy of the same packed binary — the dropped files themselves are not hashed in this report)
resource yara_rule behavioral2/memory/536-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1928-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2832-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/588-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-490-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Suspicious use of WriteProcessMemory — 64 IoCs (every entry below shows a parent writing into the memory of the dropped child it has just launched — e.g. PID 536 into 4464, 4464 into 3812 — rather than into an unrelated process, and each parent/child pair is logged three times; this pattern is consistent with process creation of the child and is not by itself evidence of injection into a foreign process)
Processes:
965c8e663afa32042732cd0d77321d3d.exenbnbhb.exevjvpp.exejpvjd.exexlrfxfx.exetthbtn.exennbthb.exepvvpp.exefrfxllx.exefxrllfx.exenhthnn.exe7xlfxrr.exedjjjd.exe7rxrxxf.exentbtnh.exe7jpjd.exe9rxxfxl.exejjjjj.exe5xrfxlf.exehtbtnn.exevpvpj.exe9rxxxfl.exedescription pid process target process PID 536 wrote to memory of 4464 536 965c8e663afa32042732cd0d77321d3d.exe nbnbhb.exe PID 536 wrote to memory of 4464 536 965c8e663afa32042732cd0d77321d3d.exe nbnbhb.exe PID 536 wrote to memory of 4464 536 965c8e663afa32042732cd0d77321d3d.exe nbnbhb.exe PID 4464 wrote to memory of 3812 4464 nbnbhb.exe vjvpp.exe PID 4464 wrote to memory of 3812 4464 nbnbhb.exe vjvpp.exe PID 4464 wrote to memory of 3812 4464 nbnbhb.exe vjvpp.exe PID 3812 wrote to memory of 2892 3812 vjvpp.exe jpvjd.exe PID 3812 wrote to memory of 2892 3812 vjvpp.exe jpvjd.exe PID 3812 wrote to memory of 2892 3812 vjvpp.exe jpvjd.exe PID 2892 wrote to memory of 1968 2892 jpvjd.exe xlrfxfx.exe PID 2892 wrote to memory of 1968 2892 jpvjd.exe xlrfxfx.exe PID 2892 wrote to memory of 1968 2892 jpvjd.exe xlrfxfx.exe PID 1968 wrote to memory of 4452 1968 xlrfxfx.exe tthbtn.exe PID 1968 wrote to memory of 4452 1968 xlrfxfx.exe tthbtn.exe PID 1968 wrote to memory of 4452 1968 xlrfxfx.exe tthbtn.exe PID 4452 wrote to memory of 5092 4452 tthbtn.exe nnbthb.exe PID 4452 wrote to memory of 5092 4452 tthbtn.exe nnbthb.exe PID 4452 wrote to memory of 5092 4452 tthbtn.exe nnbthb.exe PID 5092 wrote to memory of 1384 5092 nnbthb.exe pvvpp.exe PID 5092 wrote to memory of 1384 5092 nnbthb.exe pvvpp.exe PID 5092 wrote to memory of 1384 5092 nnbthb.exe pvvpp.exe PID 1384 wrote to memory of 2668 1384 pvvpp.exe frfxllx.exe PID 1384 wrote to memory of 2668 1384 pvvpp.exe frfxllx.exe PID 1384 wrote to memory of 2668 1384 pvvpp.exe frfxllx.exe PID 2668 wrote to memory of 4180 2668 frfxllx.exe fxrllfx.exe PID 2668 wrote to memory of 4180 2668 frfxllx.exe fxrllfx.exe PID 2668 wrote to memory of 4180 2668 frfxllx.exe fxrllfx.exe PID 4180 wrote to memory 
of 3576 4180 fxrllfx.exe nhthnn.exe PID 4180 wrote to memory of 3576 4180 fxrllfx.exe nhthnn.exe PID 4180 wrote to memory of 3576 4180 fxrllfx.exe nhthnn.exe PID 3576 wrote to memory of 4008 3576 nhthnn.exe 7xlfxrr.exe PID 3576 wrote to memory of 4008 3576 nhthnn.exe 7xlfxrr.exe PID 3576 wrote to memory of 4008 3576 nhthnn.exe 7xlfxrr.exe PID 4008 wrote to memory of 4984 4008 7xlfxrr.exe djjjd.exe PID 4008 wrote to memory of 4984 4008 7xlfxrr.exe djjjd.exe PID 4008 wrote to memory of 4984 4008 7xlfxrr.exe djjjd.exe PID 4984 wrote to memory of 3536 4984 djjjd.exe 7rxrxxf.exe PID 4984 wrote to memory of 3536 4984 djjjd.exe 7rxrxxf.exe PID 4984 wrote to memory of 3536 4984 djjjd.exe 7rxrxxf.exe PID 3536 wrote to memory of 4996 3536 7rxrxxf.exe ntbtnh.exe PID 3536 wrote to memory of 4996 3536 7rxrxxf.exe ntbtnh.exe PID 3536 wrote to memory of 4996 3536 7rxrxxf.exe ntbtnh.exe PID 4996 wrote to memory of 2136 4996 ntbtnh.exe 7jpjd.exe PID 4996 wrote to memory of 2136 4996 ntbtnh.exe 7jpjd.exe PID 4996 wrote to memory of 2136 4996 ntbtnh.exe 7jpjd.exe PID 2136 wrote to memory of 4644 2136 7jpjd.exe 9rxxfxl.exe PID 2136 wrote to memory of 4644 2136 7jpjd.exe 9rxxfxl.exe PID 2136 wrote to memory of 4644 2136 7jpjd.exe 9rxxfxl.exe PID 4644 wrote to memory of 4200 4644 9rxxfxl.exe jjjjj.exe PID 4644 wrote to memory of 4200 4644 9rxxfxl.exe jjjjj.exe PID 4644 wrote to memory of 4200 4644 9rxxfxl.exe jjjjj.exe PID 4200 wrote to memory of 752 4200 jjjjj.exe 5xrfxlf.exe PID 4200 wrote to memory of 752 4200 jjjjj.exe 5xrfxlf.exe PID 4200 wrote to memory of 752 4200 jjjjj.exe 5xrfxlf.exe PID 752 wrote to memory of 1736 752 5xrfxlf.exe htbtnn.exe PID 752 wrote to memory of 1736 752 5xrfxlf.exe htbtnn.exe PID 752 wrote to memory of 1736 752 5xrfxlf.exe htbtnn.exe PID 1736 wrote to memory of 2156 1736 htbtnn.exe vpvpj.exe PID 1736 wrote to memory of 2156 1736 htbtnn.exe vpvpj.exe PID 1736 wrote to memory of 2156 1736 htbtnn.exe vpvpj.exe PID 2156 wrote to memory of 4688 2156 vpvpj.exe 
9rxxxfl.exe PID 2156 wrote to memory of 4688 2156 vpvpj.exe 9rxxxfl.exe PID 2156 wrote to memory of 4688 2156 vpvpj.exe 9rxxxfl.exe PID 4688 wrote to memory of 4692 4688 9rxxxfl.exe thnhhh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\965c8e663afa32042732cd0d77321d3d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\965c8e663afa32042732cd0d77321d3d.exe", tree level 1)
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\nbnbhb.exec:\nbnbhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\vjvpp.exec:\vjvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\jpvjd.exec:\jpvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\xlrfxfx.exec:\xlrfxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\tthbtn.exec:\tthbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\nnbthb.exec:\nnbthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\pvvpp.exec:\pvvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\frfxllx.exec:\frfxllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\fxrllfx.exec:\fxrllfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\nhthnn.exec:\nhthnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\7xlfxrr.exec:\7xlfxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\djjjd.exec:\djjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\7rxrxxf.exec:\7rxrxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\ntbtnh.exec:\ntbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\7jpjd.exec:\7jpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\9rxxfxl.exec:\9rxxfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\jjjjj.exec:\jjjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\5xrfxlf.exec:\5xrfxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\htbtnn.exec:\htbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\vpvpj.exec:\vpvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\9rxxxfl.exec:\9rxxxfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\thnhhh.exec:\thnhhh.exe23⤵
- Executes dropped EXE
PID:4692 -
\??\c:\jpvvp.exec:\jpvvp.exe24⤵
- Executes dropped EXE
PID:4764 -
\??\c:\rffrlff.exec:\rffrlff.exe25⤵
- Executes dropped EXE
PID:1928 -
\??\c:\jdpjd.exec:\jdpjd.exe26⤵
- Executes dropped EXE
PID:736 -
\??\c:\1jpjd.exec:\1jpjd.exe27⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lflllrl.exec:\lflllrl.exe28⤵
- Executes dropped EXE
PID:384 -
\??\c:\tnnhbt.exec:\tnnhbt.exe29⤵
- Executes dropped EXE
PID:3292 -
\??\c:\vpppj.exec:\vpppj.exe30⤵
- Executes dropped EXE
PID:536 -
\??\c:\thhbnn.exec:\thhbnn.exe31⤵
- Executes dropped EXE
PID:3820 -
\??\c:\vjjdv.exec:\vjjdv.exe32⤵
- Executes dropped EXE
PID:1968 -
\??\c:\rrrrllr.exec:\rrrrllr.exe33⤵
- Executes dropped EXE
PID:1112 -
\??\c:\nbnbhh.exec:\nbnbhh.exe34⤵
- Executes dropped EXE
PID:4744 -
\??\c:\pdjdd.exec:\pdjdd.exe35⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pvdvp.exec:\pvdvp.exe36⤵
- Executes dropped EXE
PID:4656 -
\??\c:\xxlffxx.exec:\xxlffxx.exe37⤵
- Executes dropped EXE
PID:2544 -
\??\c:\btbtnt.exec:\btbtnt.exe38⤵
- Executes dropped EXE
PID:4956 -
\??\c:\pdpdv.exec:\pdpdv.exe39⤵
- Executes dropped EXE
PID:2320 -
\??\c:\ddddv.exec:\ddddv.exe40⤵
- Executes dropped EXE
PID:3576 -
\??\c:\rflflll.exec:\rflflll.exe41⤵
- Executes dropped EXE
PID:3748 -
\??\c:\hnnntn.exec:\hnnntn.exe42⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rlffxfx.exec:\rlffxfx.exe43⤵
- Executes dropped EXE
PID:3020 -
\??\c:\lffxxxx.exec:\lffxxxx.exe44⤵
- Executes dropped EXE
PID:4544 -
\??\c:\5vvpj.exec:\5vvpj.exe45⤵
- Executes dropped EXE
PID:4316 -
\??\c:\jdpjd.exec:\jdpjd.exe46⤵
- Executes dropped EXE
PID:2084 -
\??\c:\rrlrlll.exec:\rrlrlll.exe47⤵
- Executes dropped EXE
PID:1996 -
\??\c:\tbbnhb.exec:\tbbnhb.exe48⤵
- Executes dropped EXE
PID:4144 -
\??\c:\tntnhh.exec:\tntnhh.exe49⤵
- Executes dropped EXE
PID:756 -
\??\c:\dvjdj.exec:\dvjdj.exe50⤵
- Executes dropped EXE
PID:432 -
\??\c:\jpvpj.exec:\jpvpj.exe51⤵
- Executes dropped EXE
PID:4752 -
\??\c:\1llfxrl.exec:\1llfxrl.exe52⤵
- Executes dropped EXE
PID:1440 -
\??\c:\tbbnht.exec:\tbbnht.exe53⤵
- Executes dropped EXE
PID:2284 -
\??\c:\bthntn.exec:\bthntn.exe54⤵
- Executes dropped EXE
PID:3724 -
\??\c:\djpjv.exec:\djpjv.exe55⤵
- Executes dropped EXE
PID:4844 -
\??\c:\pdjdv.exec:\pdjdv.exe56⤵
- Executes dropped EXE
PID:1560 -
\??\c:\frxrrrr.exec:\frxrrrr.exe57⤵
- Executes dropped EXE
PID:5096 -
\??\c:\bnbbtt.exec:\bnbbtt.exe58⤵
- Executes dropped EXE
PID:4404 -
\??\c:\nnnbtn.exec:\nnnbtn.exe59⤵
- Executes dropped EXE
PID:4432 -
\??\c:\pjppp.exec:\pjppp.exe60⤵
- Executes dropped EXE
PID:384 -
\??\c:\5ddvj.exec:\5ddvj.exe61⤵
- Executes dropped EXE
PID:1956 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe62⤵
- Executes dropped EXE
PID:4936 -
\??\c:\lrlfxrr.exec:\lrlfxrr.exe63⤵
- Executes dropped EXE
PID:4464 -
\??\c:\btbnbb.exec:\btbnbb.exe64⤵
- Executes dropped EXE
PID:5028 -
\??\c:\nnnhbb.exec:\nnnhbb.exe65⤵
- Executes dropped EXE
PID:1968 -
\??\c:\vvvdp.exec:\vvvdp.exe66⤵PID:4992
-
\??\c:\pjdvj.exec:\pjdvj.exe67⤵PID:4028
-
\??\c:\lxfxfxf.exec:\lxfxfxf.exe68⤵PID:876
-
\??\c:\frxxrxr.exec:\frxxrxr.exe69⤵PID:4968
-
\??\c:\hbbtbt.exec:\hbbtbt.exe70⤵PID:1384
-
\??\c:\1vjjv.exec:\1vjjv.exe71⤵PID:4868
-
\??\c:\7ddvj.exec:\7ddvj.exe72⤵PID:4180
-
\??\c:\1xfxxxr.exec:\1xfxxxr.exe73⤵PID:2320
-
\??\c:\rxllllr.exec:\rxllllr.exe74⤵PID:3300
-
\??\c:\7bhhhn.exec:\7bhhhn.exe75⤵PID:1596
-
\??\c:\jppvj.exec:\jppvj.exe76⤵PID:4652
-
\??\c:\pjjpd.exec:\pjjpd.exe77⤵PID:1800
-
\??\c:\hhbhbb.exec:\hhbhbb.exe78⤵PID:2832
-
\??\c:\dvdvv.exec:\dvdvv.exe79⤵PID:2396
-
\??\c:\9frlffx.exec:\9frlffx.exe80⤵PID:4644
-
\??\c:\rllfxxr.exec:\rllfxxr.exe81⤵PID:1568
-
\??\c:\nttnhh.exec:\nttnhh.exe82⤵PID:2760
-
\??\c:\dpdvp.exec:\dpdvp.exe83⤵PID:1504
-
\??\c:\jvvpd.exec:\jvvpd.exe84⤵PID:1916
-
\??\c:\rxlllll.exec:\rxlllll.exe85⤵PID:432
-
\??\c:\thhhbb.exec:\thhhbb.exe86⤵PID:1440
-
\??\c:\tnnhbt.exec:\tnnhbt.exe87⤵PID:5052
-
\??\c:\ddddj.exec:\ddddj.exe88⤵PID:1820
-
\??\c:\5pjvj.exec:\5pjvj.exe89⤵PID:2740
-
\??\c:\xfxrffx.exec:\xfxrffx.exe90⤵PID:660
-
\??\c:\fflfxrl.exec:\fflfxrl.exe91⤵PID:1528
-
\??\c:\btnbth.exec:\btnbth.exe92⤵PID:4444
-
\??\c:\nbnhtt.exec:\nbnhtt.exe93⤵PID:4456
-
\??\c:\ddvpd.exec:\ddvpd.exe94⤵PID:2960
-
\??\c:\dvvpd.exec:\dvvpd.exe95⤵PID:4340
-
\??\c:\9hnhhh.exec:\9hnhhh.exe96⤵PID:2500
-
\??\c:\jdddd.exec:\jdddd.exe97⤵PID:1348
-
\??\c:\vddvd.exec:\vddvd.exe98⤵PID:2572
-
\??\c:\frfrrlf.exec:\frfrrlf.exe99⤵PID:1636
-
\??\c:\lrlflfx.exec:\lrlflfx.exe100⤵PID:4788
-
\??\c:\bnttnn.exec:\bnttnn.exe101⤵PID:4064
-
\??\c:\nbbthh.exec:\nbbthh.exe102⤵PID:876
-
\??\c:\3ddvp.exec:\3ddvp.exe103⤵PID:1420
-
\??\c:\lxrlxxl.exec:\lxrlxxl.exe104⤵PID:4956
-
\??\c:\rrfxllf.exec:\rrfxllf.exe105⤵PID:3972
-
\??\c:\hbhbnn.exec:\hbhbnn.exe106⤵PID:1412
-
\??\c:\jddpv.exec:\jddpv.exe107⤵PID:444
-
\??\c:\3jjdp.exec:\3jjdp.exe108⤵PID:3300
-
\??\c:\3lrlffx.exec:\3lrlffx.exe109⤵PID:1652
-
\??\c:\thbttt.exec:\thbttt.exe110⤵PID:3020
-
\??\c:\nhhbnn.exec:\nhhbnn.exe111⤵PID:1800
-
\??\c:\jpvjv.exec:\jpvjv.exe112⤵PID:4288
-
\??\c:\pjdvv.exec:\pjdvv.exe113⤵PID:3268
-
\??\c:\xlrrlll.exec:\xlrrlll.exe114⤵PID:2852
-
\??\c:\1rxrffr.exec:\1rxrffr.exe115⤵PID:512
-
\??\c:\5bthnh.exec:\5bthnh.exe116⤵PID:2004
-
\??\c:\tbhtnh.exec:\tbhtnh.exe117⤵PID:4144
-
\??\c:\7ddvp.exec:\7ddvp.exe118⤵PID:588
-
\??\c:\dvvjv.exec:\dvvjv.exe119⤵PID:4016
-
\??\c:\3xxrffx.exec:\3xxrffx.exe120⤵PID:1356
-
\??\c:\3hhnbt.exec:\3hhnbt.exe121⤵PID:2336
-
\??\c:\tttnhb.exec:\tttnhb.exe122⤵PID:3012