Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-09-2024 06:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
120 seconds
General
-
Target
835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe
-
Size
64KB
-
MD5
b14b0cd2e4f803c4683e0f2387842220
-
SHA1
6bdc74f881cae50019224f0c408b1176b8cfaead
-
SHA256
835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770f
-
SHA512
02d40ba4e745f59b933987741344253713f3207b2dd49d962d18bd06080a9eec067800c9ded3c9980b314764988a7f5200d9c7d34f9bdf18cbc121fd94ded7d9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxiP:ymb3NkkiQ3mdBjF0y7kbK
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/880-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2840-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/296-233-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1580-304-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/888-286-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2632-277-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2244-268-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2120-251-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/988-223-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3048-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2328-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1976-179-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2312-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2932-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1376-107-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/448-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2496-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2588-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2588-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2684-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2700-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2688-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2688 bthhnt.exe 2700 rlxfrrr.exe 2840 fxrrxfl.exe 2684 bntnnh.exe 2588 nbnnnt.exe 2496 jvjjj.exe 448 jvpdp.exe 1376 rlxfrxr.exe 2932 fxxfrrf.exe 2308 hbbhhh.exe 2880 hbhhht.exe 2232 pjvpd.exe 2644 jvjdj.exe 2312 rlrflfl.exe 1732 lflfffr.exe 1976 nbhbhh.exe 2328 nbnntn.exe 2212 1nbhbh.exe 3048 dvjvv.exe 952 pdvjj.exe 988 9jjjj.exe 296 rfflllr.exe 1064 frlrxrr.exe 2120 nhhhht.exe 1632 3bnntn.exe 2244 jjpjp.exe 2632 vjvvp.exe 888 fxllllr.exe 2460 xrfrlff.exe 1580 hbnbbt.exe 2792 hthtbt.exe 2740 9tnhhh.exe 2704 pddvp.exe 2816 5dppv.exe 2624 rfrrrrl.exe 2264 3frflff.exe 3008 9rfxfxr.exe 2852 tbbhhn.exe 2732 nhhbtt.exe 2160 thhbbt.exe 2756 djpvp.exe 2564 3pvjd.exe 2856 3jpjj.exe 2232 xrllxff.exe 1420 xrrxffl.exe 2884 thttnn.exe 2280 nhthhh.exe 2332 nhnnhb.exe 1976 pdjdv.exe 2132 1jpvp.exe 3056 rllffxx.exe 2100 lxxrxxx.exe 1080 hbbbbb.exe 776 tntnnb.exe 988 dvjjv.exe 900 pdppp.exe 1392 dpdvv.exe 2120 lfrffxl.exe 2552 1lrrllr.exe 3040 1ffrrlf.exe 2244 7tnhbt.exe 664 1hbttn.exe 2636 nbnnnn.exe 2276 vjddv.exe -
resource yara_rule behavioral1/memory/880-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2688-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2688-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2840-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1376-98-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/296-233-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1580-304-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/888-286-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2632-277-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2244-268-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2120-251-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/988-223-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3048-206-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2328-187-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1976-179-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2312-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2932-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1376-107-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1376-97-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/448-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/448-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/448-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2496-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2496-74-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2496-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2588-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2588-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2588-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2684-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2684-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2684-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2840-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2840-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2700-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2700-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2700-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2688-23-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ththn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 880 wrote to memory of 2688 880 835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe 30 PID 880 wrote to memory of 2688 880 835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe 30 PID 880 wrote to memory of 2688 880 835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe 30 PID 880 wrote to memory of 2688 880 835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe 30 PID 2688 wrote to memory of 2700 2688 bthhnt.exe 99 PID 2688 wrote to memory of 2700 2688 bthhnt.exe 99 PID 2688 wrote to memory of 2700 2688 bthhnt.exe 99 PID 2688 wrote to memory of 2700 2688 bthhnt.exe 99 PID 2700 wrote to memory of 2840 2700 rlxfrrr.exe 32 PID 2700 wrote to memory of 2840 2700 rlxfrrr.exe 32 PID 2700 wrote to memory of 2840 2700 rlxfrrr.exe 32 PID 2700 wrote to memory of 2840 2700 rlxfrrr.exe 32 PID 2840 wrote to memory of 2684 2840 fxrrxfl.exe 33 PID 2840 wrote to memory of 2684 2840 fxrrxfl.exe 33 PID 2840 wrote to memory of 2684 2840 fxrrxfl.exe 33 PID 2840 wrote to memory of 2684 2840 fxrrxfl.exe 33 PID 2684 wrote to memory of 2588 2684 bntnnh.exe 34 PID 2684 wrote to memory of 2588 2684 bntnnh.exe 34 PID 2684 wrote to memory of 2588 2684 bntnnh.exe 34 PID 2684 wrote to memory of 2588 2684 bntnnh.exe 34 PID 2588 wrote to memory of 2496 2588 nbnnnt.exe 35 PID 2588 wrote to memory of 2496 2588 nbnnnt.exe 35 PID 2588 wrote to memory of 2496 2588 nbnnnt.exe 35 PID 2588 wrote to memory of 2496 2588 nbnnnt.exe 35 PID 2496 wrote to memory of 448 2496 jvjjj.exe 36 PID 2496 wrote to memory of 448 2496 jvjjj.exe 36 PID 2496 wrote to memory of 448 2496 jvjjj.exe 36 PID 2496 wrote to memory of 448 2496 jvjjj.exe 36 PID 448 wrote to memory of 1376 448 jvpdp.exe 37 PID 448 wrote to memory of 1376 448 jvpdp.exe 37 PID 448 wrote to memory of 1376 448 jvpdp.exe 37 PID 448 wrote to memory of 1376 448 jvpdp.exe 37 PID 1376 wrote to memory of 2932 1376 rlxfrxr.exe 38 PID 1376 wrote to memory of 
2932 1376 rlxfrxr.exe 38 PID 1376 wrote to memory of 2932 1376 rlxfrxr.exe 38 PID 1376 wrote to memory of 2932 1376 rlxfrxr.exe 38 PID 2932 wrote to memory of 2308 2932 fxxfrrf.exe 39 PID 2932 wrote to memory of 2308 2932 fxxfrrf.exe 39 PID 2932 wrote to memory of 2308 2932 fxxfrrf.exe 39 PID 2932 wrote to memory of 2308 2932 fxxfrrf.exe 39 PID 2308 wrote to memory of 2880 2308 hbbhhh.exe 40 PID 2308 wrote to memory of 2880 2308 hbbhhh.exe 40 PID 2308 wrote to memory of 2880 2308 hbbhhh.exe 40 PID 2308 wrote to memory of 2880 2308 hbbhhh.exe 40 PID 2880 wrote to memory of 2232 2880 hbhhht.exe 73 PID 2880 wrote to memory of 2232 2880 hbhhht.exe 73 PID 2880 wrote to memory of 2232 2880 hbhhht.exe 73 PID 2880 wrote to memory of 2232 2880 hbhhht.exe 73 PID 2232 wrote to memory of 2644 2232 pjvpd.exe 152 PID 2232 wrote to memory of 2644 2232 pjvpd.exe 152 PID 2232 wrote to memory of 2644 2232 pjvpd.exe 152 PID 2232 wrote to memory of 2644 2232 pjvpd.exe 152 PID 2644 wrote to memory of 2312 2644 jvjdj.exe 43 PID 2644 wrote to memory of 2312 2644 jvjdj.exe 43 PID 2644 wrote to memory of 2312 2644 jvjdj.exe 43 PID 2644 wrote to memory of 2312 2644 jvjdj.exe 43 PID 2312 wrote to memory of 1732 2312 rlrflfl.exe 44 PID 2312 wrote to memory of 1732 2312 rlrflfl.exe 44 PID 2312 wrote to memory of 1732 2312 rlrflfl.exe 44 PID 2312 wrote to memory of 1732 2312 rlrflfl.exe 44 PID 1732 wrote to memory of 1976 1732 lflfffr.exe 45 PID 1732 wrote to memory of 1976 1732 lflfffr.exe 45 PID 1732 wrote to memory of 1976 1732 lflfffr.exe 45 PID 1732 wrote to memory of 1976 1732 lflfffr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe"C:\Users\Admin\AppData\Local\Temp\835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\bthhnt.exec:\bthhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\rlxfrrr.exec:\rlxfrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\fxrrxfl.exec:\fxrrxfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\bntnnh.exec:\bntnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\nbnnnt.exec:\nbnnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\jvjjj.exec:\jvjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\jvpdp.exec:\jvpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\rlxfrxr.exec:\rlxfrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\fxxfrrf.exec:\fxxfrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\hbbhhh.exec:\hbbhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\hbhhht.exec:\hbhhht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\pjvpd.exec:\pjvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jvjdj.exec:\jvjdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\rlrflfl.exec:\rlrflfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\lflfffr.exec:\lflfffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\nbhbhh.exec:\nbhbhh.exe17⤵
- Executes dropped EXE
PID:1976 -
\??\c:\nbnntn.exec:\nbnntn.exe18⤵
- Executes dropped EXE
PID:2328 -
\??\c:\1nbhbh.exec:\1nbhbh.exe19⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dvjvv.exec:\dvjvv.exe20⤵
- Executes dropped EXE
PID:3048 -
\??\c:\pdvjj.exec:\pdvjj.exe21⤵
- Executes dropped EXE
PID:952 -
\??\c:\9jjjj.exec:\9jjjj.exe22⤵
- Executes dropped EXE
PID:988 -
\??\c:\rfflllr.exec:\rfflllr.exe23⤵
- Executes dropped EXE
PID:296 -
\??\c:\frlrxrr.exec:\frlrxrr.exe24⤵
- Executes dropped EXE
PID:1064 -
\??\c:\nhhhht.exec:\nhhhht.exe25⤵
- Executes dropped EXE
PID:2120 -
\??\c:\3bnntn.exec:\3bnntn.exe26⤵
- Executes dropped EXE
PID:1632 -
\??\c:\jjpjp.exec:\jjpjp.exe27⤵
- Executes dropped EXE
PID:2244 -
\??\c:\vjvvp.exec:\vjvvp.exe28⤵
- Executes dropped EXE
PID:2632 -
\??\c:\fxllllr.exec:\fxllllr.exe29⤵
- Executes dropped EXE
PID:888 -
\??\c:\xrfrlff.exec:\xrfrlff.exe30⤵
- Executes dropped EXE
PID:2460 -
\??\c:\hbnbbt.exec:\hbnbbt.exe31⤵
- Executes dropped EXE
PID:1580 -
\??\c:\hthtbt.exec:\hthtbt.exe32⤵
- Executes dropped EXE
PID:2792 -
\??\c:\9tnhhh.exec:\9tnhhh.exe33⤵
- Executes dropped EXE
PID:2740 -
\??\c:\pddvp.exec:\pddvp.exe34⤵
- Executes dropped EXE
PID:2704 -
\??\c:\5dppv.exec:\5dppv.exe35⤵
- Executes dropped EXE
PID:2816 -
\??\c:\rfrrrrl.exec:\rfrrrrl.exe36⤵
- Executes dropped EXE
PID:2624 -
\??\c:\3frflff.exec:\3frflff.exe37⤵
- Executes dropped EXE
PID:2264 -
\??\c:\9rfxfxr.exec:\9rfxfxr.exe38⤵
- Executes dropped EXE
PID:3008 -
\??\c:\tbbhhn.exec:\tbbhhn.exe39⤵
- Executes dropped EXE
PID:2852 -
\??\c:\nhhbtt.exec:\nhhbtt.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\thhbbt.exec:\thhbbt.exe41⤵
- Executes dropped EXE
PID:2160 -
\??\c:\djpvp.exec:\djpvp.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\3pvjd.exec:\3pvjd.exe43⤵
- Executes dropped EXE
PID:2564 -
\??\c:\3jpjj.exec:\3jpjj.exe44⤵
- Executes dropped EXE
PID:2856 -
\??\c:\xrllxff.exec:\xrllxff.exe45⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xrrxffl.exec:\xrrxffl.exe46⤵
- Executes dropped EXE
PID:1420 -
\??\c:\thttnn.exec:\thttnn.exe47⤵
- Executes dropped EXE
PID:2884 -
\??\c:\nhthhh.exec:\nhthhh.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
\??\c:\nhnnhb.exec:\nhnnhb.exe49⤵
- Executes dropped EXE
PID:2332 -
\??\c:\pdjdv.exec:\pdjdv.exe50⤵
- Executes dropped EXE
PID:1976 -
\??\c:\1jpvp.exec:\1jpvp.exe51⤵
- Executes dropped EXE
PID:2132 -
\??\c:\rllffxx.exec:\rllffxx.exe52⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lxxrxxx.exec:\lxxrxxx.exe53⤵
- Executes dropped EXE
PID:2100 -
\??\c:\hbbbbb.exec:\hbbbbb.exe54⤵
- Executes dropped EXE
PID:1080 -
\??\c:\tntnnb.exec:\tntnnb.exe55⤵
- Executes dropped EXE
PID:776 -
\??\c:\dvjjv.exec:\dvjjv.exe56⤵
- Executes dropped EXE
PID:988 -
\??\c:\pdppp.exec:\pdppp.exe57⤵
- Executes dropped EXE
PID:900 -
\??\c:\dpdvv.exec:\dpdvv.exe58⤵
- Executes dropped EXE
PID:1392 -
\??\c:\lfrffxl.exec:\lfrffxl.exe59⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1lrrllr.exec:\1lrrllr.exe60⤵
- Executes dropped EXE
PID:2552 -
\??\c:\1ffrrlf.exec:\1ffrrlf.exe61⤵
- Executes dropped EXE
PID:3040 -
\??\c:\7tnhbt.exec:\7tnhbt.exe62⤵
- Executes dropped EXE
PID:2244 -
\??\c:\1hbttn.exec:\1hbttn.exe63⤵
- Executes dropped EXE
PID:664 -
\??\c:\nbnnnn.exec:\nbnnnn.exe64⤵
- Executes dropped EXE
PID:2636 -
\??\c:\vjddv.exec:\vjddv.exe65⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vpdpp.exec:\vpdpp.exe66⤵PID:2652
-
\??\c:\5vjdj.exec:\5vjdj.exe67⤵PID:1588
-
\??\c:\7rffxxf.exec:\7rffxxf.exe68⤵PID:2556
-
\??\c:\xllrffl.exec:\xllrffl.exe69⤵PID:2068
-
\??\c:\1rfllfl.exec:\1rfllfl.exe70⤵PID:2740
-
\??\c:\btbbhb.exec:\btbbhb.exe71⤵PID:2700
-
\??\c:\nbttbn.exec:\nbttbn.exe72⤵PID:2712
-
\??\c:\pdppp.exec:\pdppp.exe73⤵PID:1844
-
\??\c:\dppjd.exec:\dppjd.exe74⤵PID:768
-
\??\c:\djpdj.exec:\djpdj.exe75⤵PID:2496
-
\??\c:\jvdvv.exec:\jvdvv.exe76⤵PID:1296
-
\??\c:\xlrlffl.exec:\xlrlffl.exe77⤵PID:2940
-
\??\c:\rfrfffx.exec:\rfrfffx.exe78⤵PID:2692
-
\??\c:\btbbbt.exec:\btbbbt.exe79⤵PID:2716
-
\??\c:\3bnhbb.exec:\3bnhbb.exe80⤵PID:2192
-
\??\c:\nbtnnt.exec:\nbtnnt.exe81⤵PID:3000
-
\??\c:\3pdjp.exec:\3pdjp.exe82⤵PID:2688
-
\??\c:\5vvvj.exec:\5vvvj.exe83⤵PID:2804
-
\??\c:\vjppj.exec:\vjppj.exe84⤵PID:2568
-
\??\c:\lfxllrl.exec:\lfxllrl.exe85⤵PID:1176
-
\??\c:\rlrxffl.exec:\rlrxffl.exe86⤵PID:2320
-
\??\c:\xlfrflx.exec:\xlfrflx.exe87⤵PID:1732
-
\??\c:\bnbbhb.exec:\bnbbhb.exe88⤵PID:2168
-
\??\c:\nbbhnt.exec:\nbbhnt.exe89⤵PID:1324
-
\??\c:\nbhhnt.exec:\nbhhnt.exe90⤵PID:1568
-
\??\c:\jddpp.exec:\jddpp.exe91⤵PID:2988
-
\??\c:\jjjpj.exec:\jjjpj.exe92⤵PID:2864
-
\??\c:\vpjjp.exec:\vpjjp.exe93⤵PID:2176
-
\??\c:\lxxrlll.exec:\lxxrlll.exe94⤵PID:2516
-
\??\c:\jvjpp.exec:\jvjpp.exe95⤵PID:760
-
\??\c:\vpdpp.exec:\vpdpp.exe96⤵PID:1544
-
\??\c:\dpddj.exec:\dpddj.exe97⤵PID:1724
-
\??\c:\frfrfll.exec:\frfrfll.exe98⤵PID:2500
-
\??\c:\frxxffl.exec:\frxxffl.exe99⤵PID:996
-
\??\c:\rlllxrx.exec:\rlllxrx.exe100⤵PID:2552
-
\??\c:\nhbhhh.exec:\nhbhhh.exe101⤵PID:2876
-
\??\c:\bhtnhb.exec:\bhtnhb.exe102⤵
- System Location Discovery: System Language Discovery
PID:344 -
\??\c:\btbbnn.exec:\btbbnn.exe103⤵PID:1744
-
\??\c:\5pjpp.exec:\5pjpp.exe104⤵PID:2076
-
\??\c:\pdjjp.exec:\pdjjp.exe105⤵PID:2292
-
\??\c:\9pvvj.exec:\9pvvj.exe106⤵PID:2808
-
\??\c:\5rlfflr.exec:\5rlfflr.exe107⤵PID:2676
-
\??\c:\fxlrrff.exec:\fxlrrff.exe108⤵PID:1528
-
\??\c:\lflrrxf.exec:\lflrrxf.exe109⤵PID:2832
-
\??\c:\nhnttb.exec:\nhnttb.exe110⤵PID:2592
-
\??\c:\bntbnn.exec:\bntbnn.exe111⤵PID:2620
-
\??\c:\nbhbbb.exec:\nbhbbb.exe112⤵PID:2428
-
\??\c:\pjddp.exec:\pjddp.exe113⤵PID:2224
-
\??\c:\vpvvv.exec:\vpvvv.exe114⤵PID:2204
-
\??\c:\vpvpv.exec:\vpvpv.exe115⤵PID:2828
-
\??\c:\jdppv.exec:\jdppv.exe116⤵PID:1228
-
\??\c:\flxrfxf.exec:\flxrfxf.exe117⤵PID:2852
-
\??\c:\rlxllrx.exec:\rlxllrx.exe118⤵PID:2848
-
\??\c:\9lxrrlf.exec:\9lxrrlf.exe119⤵PID:2872
-
\??\c:\tthhnn.exec:\tthhnn.exe120⤵PID:3012
-
\??\c:\7tbbbb.exec:\7tbbbb.exe121⤵PID:2648
-
\??\c:\nbnhhn.exec:\nbnhhn.exe122⤵PID:2228