Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-08-2024 21:06
Static task
static1
Behavioral task
behavioral1
Sample
218c8ebbbc8234b792ec258eee5b906d99009afe7a68976fb8ec0bf5b0236584.exe
Resource
win7-20240708-en
General
-
Target
218c8ebbbc8234b792ec258eee5b906d99009afe7a68976fb8ec0bf5b0236584.exe
-
Size
79KB
-
MD5
9563f065ecced5a7df8053686788e26b
-
SHA1
7aba468d37390a2501d1453034be9da49b892a6e
-
SHA256
218c8ebbbc8234b792ec258eee5b906d99009afe7a68976fb8ec0bf5b0236584
-
SHA512
be5c88e29385a2b8faa6241fc86eb512019b980fc99c813d77859e1e1c0691981367e8d9ce4deea690950fdff1670cd0e02011b084adbaaea034924262ad3d5b
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLU1gxmcK8n/8:ymb3NkkiQ3mdBjFoLkmW8nE
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes