Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
19-09-2024 18:45
Static task
static1
Behavioral task
behavioral1
Sample
78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5N.exe
Resource
win7-20240903-en
General
-
Target
78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5N.exe
-
Size
74KB
-
MD5
a99ea0baaff098042eb0cf15c7f5e1e0
-
SHA1
38b575dce409c5fae6017c3f60910836c386ac51
-
SHA256
78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5
-
SHA512
0b1afa913d14e66aac7bd9c70fd3a543822d5efe207e04b8213d7e1c8524b660624986fe0ecfaec0739980bb3fc79285141085ee797fc8a5479ba3e0765e9691
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmPK:ymb3NkkiQ3mdBjFIvl358nLA89OMFVHX
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral2/memory/1648-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1648-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4600-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2936-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1760-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3436-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3860-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1272-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4148-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3236-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2840-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4352-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2708-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2832-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4080-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4496-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/976-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2604-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4740-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1928-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2336-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/548-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3216-185-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4532-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4600 hbbttn.exe 2936 vvvpd.exe 1760 tnbbnn.exe 3436 nhbnhb.exe 3860 7pdvp.exe 1272 xrrlxxx.exe 1340 xlrlffr.exe 4148 pjpvd.exe 3236 pdvpj.exe 2840 tnbhbh.exe 4352 hhnhbb.exe 2708 ppvjd.exe 1696 9lrlxfx.exe 2832 nhhhbb.exe 4080 bnhthb.exe 4496 1lxrrrr.exe 976 vjdpj.exe 2604 frfxffr.exe 4740 fxfxlxr.exe 1928 nhhbbt.exe 1956 vjdjd.exe 2336 3flxlfx.exe 4584 rrxlxlr.exe 548 bthnhb.exe 4904 htthtt.exe 3216 lfrrxxx.exe 4532 rrrfrlf.exe 3088 5tbnhb.exe 1360 7dvpd.exe 2592 vjvjd.exe 4828 llrxfrx.exe 4360 bnnnhh.exe 3108 3nntnh.exe 5072 7dpjv.exe 3944 xlrrrrr.exe 944 xllfffx.exe 4972 nhhhnn.exe 3940 ddvvp.exe 3272 jdjdv.exe 4384 lxxrrrr.exe 3892 3hhbtt.exe 3668 bnbnnb.exe 4600 5jjjd.exe 2328 rffxrrl.exe 3708 lllrlll.exe 4124 btnnnn.exe 4876 jpdvp.exe 4300 dvdvp.exe 1544 9xxlxxr.exe 5016 bhttnn.exe 396 7nhthh.exe 2292 1pjdv.exe 3028 dpvpd.exe 3664 flrlxxx.exe 828 bhbbtn.exe 1948 ttnbnn.exe 3452 5ppjd.exe 2840 jvdvp.exe 1444 xrlfxxf.exe 4996 rflrrxr.exe 2364 bnnhhh.exe 2016 dvdpv.exe 2700 pjvvp.exe 2348 lffrxxf.exe -
resource yara_rule behavioral2/memory/1648-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1648-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4600-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3436-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3436-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1272-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4148-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4148-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4148-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3236-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2840-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4352-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2708-99-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2832-112-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4080-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4496-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/976-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2604-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4740-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1928-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2336-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/548-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3216-185-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4532-190-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1648 wrote to memory of 4600 1648 78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5N.exe 82 PID 1648 wrote to memory of 4600 1648 78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5N.exe 82 PID 1648 wrote to memory of 4600 1648 78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5N.exe 82 PID 4600 wrote to memory of 2936 4600 hbbttn.exe 83 PID 4600 wrote to memory of 2936 4600 hbbttn.exe 83 PID 4600 wrote to memory of 2936 4600 hbbttn.exe 83 PID 2936 wrote to memory of 1760 2936 vvvpd.exe 84 PID 2936 wrote to memory of 1760 2936 vvvpd.exe 84 PID 2936 wrote to memory of 1760 2936 vvvpd.exe 84 PID 1760 wrote to memory of 3436 1760 tnbbnn.exe 85 PID 1760 wrote to memory of 3436 1760 tnbbnn.exe 85 PID 1760 wrote to memory of 3436 1760 tnbbnn.exe 85 PID 3436 wrote to memory of 3860 3436 nhbnhb.exe 86 PID 3436 wrote to memory of 3860 3436 nhbnhb.exe 86 PID 3436 wrote to memory of 3860 3436 nhbnhb.exe 86 PID 3860 wrote to memory of 1272 3860 7pdvp.exe 87 PID 3860 wrote to memory of 1272 3860 7pdvp.exe 87 PID 3860 wrote to memory of 1272 3860 7pdvp.exe 87 PID 1272 wrote to memory of 1340 1272 xrrlxxx.exe 88 PID 1272 wrote to memory of 1340 1272 xrrlxxx.exe 88 PID 1272 wrote to memory of 1340 1272 xrrlxxx.exe 88 PID 1340 wrote to memory of 4148 1340 xlrlffr.exe 89 PID 1340 wrote to memory of 4148 1340 xlrlffr.exe 89 PID 1340 wrote to memory of 4148 1340 xlrlffr.exe 89 PID 4148 wrote to memory of 3236 4148 pjpvd.exe 90 PID 4148 wrote to memory of 3236 4148 pjpvd.exe 90 PID 4148 wrote to memory of 3236 4148 pjpvd.exe 90 PID 3236 wrote to memory of 2840 3236 pdvpj.exe 91 PID 3236 wrote to memory of 2840 3236 pdvpj.exe 91 PID 3236 wrote to memory of 2840 3236 pdvpj.exe 91 PID 2840 wrote to memory of 4352 2840 tnbhbh.exe 92 PID 2840 wrote to memory of 4352 2840 tnbhbh.exe 92 PID 2840 wrote to memory of 4352 2840 tnbhbh.exe 92 PID 4352 wrote to memory of 2708 4352 hhnhbb.exe 93 PID 4352 wrote to 
memory of 2708 4352 hhnhbb.exe 93 PID 4352 wrote to memory of 2708 4352 hhnhbb.exe 93 PID 2708 wrote to memory of 1696 2708 ppvjd.exe 94 PID 2708 wrote to memory of 1696 2708 ppvjd.exe 94 PID 2708 wrote to memory of 1696 2708 ppvjd.exe 94 PID 1696 wrote to memory of 2832 1696 9lrlxfx.exe 95 PID 1696 wrote to memory of 2832 1696 9lrlxfx.exe 95 PID 1696 wrote to memory of 2832 1696 9lrlxfx.exe 95 PID 2832 wrote to memory of 4080 2832 nhhhbb.exe 96 PID 2832 wrote to memory of 4080 2832 nhhhbb.exe 96 PID 2832 wrote to memory of 4080 2832 nhhhbb.exe 96 PID 4080 wrote to memory of 4496 4080 bnhthb.exe 97 PID 4080 wrote to memory of 4496 4080 bnhthb.exe 97 PID 4080 wrote to memory of 4496 4080 bnhthb.exe 97 PID 4496 wrote to memory of 976 4496 1lxrrrr.exe 98 PID 4496 wrote to memory of 976 4496 1lxrrrr.exe 98 PID 4496 wrote to memory of 976 4496 1lxrrrr.exe 98 PID 976 wrote to memory of 2604 976 vjdpj.exe 99 PID 976 wrote to memory of 2604 976 vjdpj.exe 99 PID 976 wrote to memory of 2604 976 vjdpj.exe 99 PID 2604 wrote to memory of 4740 2604 frfxffr.exe 100 PID 2604 wrote to memory of 4740 2604 frfxffr.exe 100 PID 2604 wrote to memory of 4740 2604 frfxffr.exe 100 PID 4740 wrote to memory of 1928 4740 fxfxlxr.exe 101 PID 4740 wrote to memory of 1928 4740 fxfxlxr.exe 101 PID 4740 wrote to memory of 1928 4740 fxfxlxr.exe 101 PID 1928 wrote to memory of 1956 1928 nhhbbt.exe 102 PID 1928 wrote to memory of 1956 1928 nhhbbt.exe 102 PID 1928 wrote to memory of 1956 1928 nhhbbt.exe 102 PID 1956 wrote to memory of 2336 1956 vjdjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5N.exe"C:\Users\Admin\AppData\Local\Temp\78a35712bea1d4d5764b2961204229ffb58eb5164771e264310750a0be6be2b5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\hbbttn.exec:\hbbttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\vvvpd.exec:\vvvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\tnbbnn.exec:\tnbbnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\nhbnhb.exec:\nhbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\7pdvp.exec:\7pdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\xrrlxxx.exec:\xrrlxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\xlrlffr.exec:\xlrlffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\pjpvd.exec:\pjpvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\pdvpj.exec:\pdvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\tnbhbh.exec:\tnbhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\hhnhbb.exec:\hhnhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\ppvjd.exec:\ppvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\9lrlxfx.exec:\9lrlxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\nhhhbb.exec:\nhhhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\bnhthb.exec:\bnhthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\1lxrrrr.exec:\1lxrrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\vjdpj.exec:\vjdpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\frfxffr.exec:\frfxffr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\fxfxlxr.exec:\fxfxlxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\nhhbbt.exec:\nhhbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\vjdjd.exec:\vjdjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\3flxlfx.exec:\3flxlfx.exe23⤵
- Executes dropped EXE
PID:2336 -
\??\c:\rrxlxlr.exec:\rrxlxlr.exe24⤵
- Executes dropped EXE
PID:4584 -
\??\c:\bthnhb.exec:\bthnhb.exe25⤵
- Executes dropped EXE
PID:548 -
\??\c:\htthtt.exec:\htthtt.exe26⤵
- Executes dropped EXE
PID:4904 -
\??\c:\lfrrxxx.exec:\lfrrxxx.exe27⤵
- Executes dropped EXE
PID:3216 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe28⤵
- Executes dropped EXE
PID:4532 -
\??\c:\5tbnhb.exec:\5tbnhb.exe29⤵
- Executes dropped EXE
PID:3088 -
\??\c:\7dvpd.exec:\7dvpd.exe30⤵
- Executes dropped EXE
PID:1360 -
\??\c:\vjvjd.exec:\vjvjd.exe31⤵
- Executes dropped EXE
PID:2592 -
\??\c:\llrxfrx.exec:\llrxfrx.exe32⤵
- Executes dropped EXE
PID:4828 -
\??\c:\bnnnhh.exec:\bnnnhh.exe33⤵
- Executes dropped EXE
PID:4360 -
\??\c:\3nntnh.exec:\3nntnh.exe34⤵
- Executes dropped EXE
PID:3108 -
\??\c:\7dpjv.exec:\7dpjv.exe35⤵
- Executes dropped EXE
PID:5072 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe36⤵
- Executes dropped EXE
PID:3944 -
\??\c:\xllfffx.exec:\xllfffx.exe37⤵
- Executes dropped EXE
PID:944 -
\??\c:\nhhhnn.exec:\nhhhnn.exe38⤵
- Executes dropped EXE
PID:4972 -
\??\c:\ddvvp.exec:\ddvvp.exe39⤵
- Executes dropped EXE
PID:3940 -
\??\c:\jdjdv.exec:\jdjdv.exe40⤵
- Executes dropped EXE
PID:3272 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe41⤵
- Executes dropped EXE
PID:4384 -
\??\c:\3hhbtt.exec:\3hhbtt.exe42⤵
- Executes dropped EXE
PID:3892 -
\??\c:\bnbnnb.exec:\bnbnnb.exe43⤵
- Executes dropped EXE
PID:3668 -
\??\c:\5jjjd.exec:\5jjjd.exe44⤵
- Executes dropped EXE
PID:4600 -
\??\c:\rffxrrl.exec:\rffxrrl.exe45⤵
- Executes dropped EXE
PID:2328 -
\??\c:\lllrlll.exec:\lllrlll.exe46⤵
- Executes dropped EXE
PID:3708 -
\??\c:\btnnnn.exec:\btnnnn.exe47⤵
- Executes dropped EXE
PID:4124 -
\??\c:\jpdvp.exec:\jpdvp.exe48⤵
- Executes dropped EXE
PID:4876 -
\??\c:\dvdvp.exec:\dvdvp.exe49⤵
- Executes dropped EXE
PID:4300 -
\??\c:\9xxlxxr.exec:\9xxlxxr.exe50⤵
- Executes dropped EXE
PID:1544 -
\??\c:\bhttnn.exec:\bhttnn.exe51⤵
- Executes dropped EXE
PID:5016 -
\??\c:\7nhthh.exec:\7nhthh.exe52⤵
- Executes dropped EXE
PID:396 -
\??\c:\1pjdv.exec:\1pjdv.exe53⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dpvpd.exec:\dpvpd.exe54⤵
- Executes dropped EXE
PID:3028 -
\??\c:\flrlxxx.exec:\flrlxxx.exe55⤵
- Executes dropped EXE
PID:3664 -
\??\c:\bhbbtn.exec:\bhbbtn.exe56⤵
- Executes dropped EXE
PID:828 -
\??\c:\ttnbnn.exec:\ttnbnn.exe57⤵
- Executes dropped EXE
PID:1948 -
\??\c:\5ppjd.exec:\5ppjd.exe58⤵
- Executes dropped EXE
PID:3452 -
\??\c:\jvdvp.exec:\jvdvp.exe59⤵
- Executes dropped EXE
PID:2840 -
\??\c:\xrlfxxf.exec:\xrlfxxf.exe60⤵
- Executes dropped EXE
PID:1444 -
\??\c:\rflrrxr.exec:\rflrrxr.exe61⤵
- Executes dropped EXE
PID:4996 -
\??\c:\bnnhhh.exec:\bnnhhh.exe62⤵
- Executes dropped EXE
PID:2364 -
\??\c:\dvdpv.exec:\dvdpv.exe63⤵
- Executes dropped EXE
PID:2016 -
\??\c:\pjvvp.exec:\pjvvp.exe64⤵
- Executes dropped EXE
PID:2700 -
\??\c:\lffrxxf.exec:\lffrxxf.exe65⤵
- Executes dropped EXE
PID:2348 -
\??\c:\frxfflr.exec:\frxfflr.exe66⤵PID:2516
-
\??\c:\7bbbtt.exec:\7bbbtt.exe67⤵PID:4788
-
\??\c:\httttn.exec:\httttn.exe68⤵PID:3256
-
\??\c:\pjvvp.exec:\pjvvp.exe69⤵PID:4764
-
\??\c:\jdvpj.exec:\jdvpj.exe70⤵PID:4368
-
\??\c:\3rxrrfl.exec:\3rxrrfl.exe71⤵PID:2316
-
\??\c:\htnnnt.exec:\htnnnt.exe72⤵PID:1036
-
\??\c:\3bnhnn.exec:\3bnhnn.exe73⤵PID:4452
-
\??\c:\3ddvj.exec:\3ddvj.exe74⤵PID:4880
-
\??\c:\rxffxrf.exec:\rxffxrf.exe75⤵PID:4860
-
\??\c:\dvvvp.exec:\dvvvp.exe76⤵PID:5112
-
\??\c:\ppdvv.exec:\ppdvv.exe77⤵PID:2180
-
\??\c:\lxfrflr.exec:\lxfrflr.exe78⤵PID:3076
-
\??\c:\nhbtnn.exec:\nhbtnn.exe79⤵PID:1144
-
\??\c:\btbttb.exec:\btbttb.exe80⤵PID:4912
-
\??\c:\7vvjj.exec:\7vvjj.exe81⤵PID:1980
-
\??\c:\frrlxxr.exec:\frrlxxr.exe82⤵PID:3044
-
\??\c:\1lfrxfl.exec:\1lfrxfl.exe83⤵PID:4100
-
\??\c:\5ppjv.exec:\5ppjv.exe84⤵PID:4104
-
\??\c:\flrllll.exec:\flrllll.exe85⤵PID:4828
-
\??\c:\frrlffx.exec:\frrlffx.exe86⤵PID:1028
-
\??\c:\nhnnnn.exec:\nhnnnn.exe87⤵PID:1856
-
\??\c:\bttttt.exec:\bttttt.exe88⤵PID:2012
-
\??\c:\jpdpd.exec:\jpdpd.exe89⤵PID:3568
-
\??\c:\vjdvp.exec:\vjdvp.exe90⤵PID:4160
-
\??\c:\rllxxxf.exec:\rllxxxf.exe91⤵PID:536
-
\??\c:\xxrllxr.exec:\xxrllxr.exe92⤵PID:4972
-
\??\c:\tnbtnt.exec:\tnbtnt.exe93⤵PID:4388
-
\??\c:\nnbbhh.exec:\nnbbhh.exe94⤵PID:3272
-
\??\c:\vppjd.exec:\vppjd.exe95⤵PID:3580
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe96⤵PID:3892
-
\??\c:\frxxxxx.exec:\frxxxxx.exe97⤵PID:3672
-
\??\c:\tnnnbh.exec:\tnnnbh.exe98⤵PID:4600
-
\??\c:\ppjjd.exec:\ppjjd.exe99⤵PID:2328
-
\??\c:\xlxrfxx.exec:\xlxrfxx.exe100⤵PID:3708
-
\??\c:\5xlfffr.exec:\5xlfffr.exe101⤵PID:4124
-
\??\c:\httntb.exec:\httntb.exe102⤵PID:2868
-
\??\c:\7jvjd.exec:\7jvjd.exe103⤵PID:4300
-
\??\c:\jjpvv.exec:\jjpvv.exe104⤵PID:1480
-
\??\c:\lxrxlll.exec:\lxrxlll.exe105⤵PID:4044
-
\??\c:\nnnhbb.exec:\nnnhbb.exe106⤵PID:1340
-
\??\c:\1ntbbh.exec:\1ntbbh.exe107⤵PID:2904
-
\??\c:\vvjjd.exec:\vvjjd.exe108⤵PID:1044
-
\??\c:\ppdjv.exec:\ppdjv.exe109⤵PID:3236
-
\??\c:\rlrlffr.exec:\rlrlffr.exe110⤵PID:1948
-
\??\c:\1hnntt.exec:\1hnntt.exe111⤵PID:4352
-
\??\c:\pjdvp.exec:\pjdvp.exe112⤵PID:1504
-
\??\c:\rflfrrl.exec:\rflfrrl.exe113⤵PID:1684
-
\??\c:\hnhbtn.exec:\hnhbtn.exe114⤵PID:3916
-
\??\c:\7thbnh.exec:\7thbnh.exe115⤵PID:1820
-
\??\c:\vpvpp.exec:\vpvpp.exe116⤵PID:2832
-
\??\c:\xlfxrxr.exec:\xlfxrxr.exe117⤵PID:4400
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe118⤵PID:1496
-
\??\c:\5nnhbb.exec:\5nnhbb.exe119⤵PID:4284
-
\??\c:\bbhbth.exec:\bbhbth.exe120⤵PID:2516
-
\??\c:\pjppd.exec:\pjppd.exe121⤵PID:1988
-
\??\c:\xlfxlll.exec:\xlfxlll.exe122⤵PID:3412