Analysis
-
max time kernel
120s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 13:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
Resource
win7-20241010-en
6 signatures
120 seconds
General
-
Target
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
-
Size
67KB
-
MD5
08cae242750fa005584264f241312370
-
SHA1
5f10bdd9878ebfd9b0f35ba972f2105d1677b79b
-
SHA256
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078b
-
SHA512
4b9508a0497deaab496bc5a6a8d9784c9142165653c6cbce9d9656772d2d66f0dc68452f2810a2ef1c5b07be81f9aa53cd713aad8fa33dfb1a640cb2af891e34
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqf7:ymb3NkkiQ3mdBjFI9cqf7
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral2/memory/1708-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1708-9-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4768-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2732-30-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2576-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2588-36-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1456-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/64-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4124-71-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/980-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3884-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1824-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2884-96-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4440-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3812-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1244-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4008-132-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2956-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1016-156-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4612-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1236-167-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1144-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2952-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3036-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4768 ttthtn.exe 2576 jvjdd.exe 2732 9ffffll.exe 2588 9llllll.exe 1456 nbhbtb.exe 2552 pppjj.exe 64 vjdvv.exe 4124 tntntn.exe 980 5jppj.exe 3884 vjppp.exe 1824 frrfrrr.exe 2884 rfllrxr.exe 3240 bbhhbb.exe 1520 5jddv.exe 4440 rxxrrxx.exe 3812 rrxfxll.exe 1244 nhhhhn.exe 4008 pdpvp.exe 4472 dvddp.exe 2956 lxrllff.exe 4548 bntnnn.exe 1016 ttbbtb.exe 4612 7jjdv.exe 1236 rxrxxxl.exe 4184 rffxrff.exe 1144 nnbttt.exe 4792 vvpdd.exe 1976 dpvpp.exe 2952 ttbbbb.exe 3036 pjjdd.exe 4908 rrxlxrl.exe 4384 rrffrrx.exe 4324 nbhbth.exe 2844 5vvpv.exe 4904 pjpdd.exe 3236 ffrllrf.exe 1808 bhhbtn.exe 4252 tbtnbb.exe 3876 dvppd.exe 2676 xlrlxxx.exe 2696 bbhhbb.exe 1600 llrrlfx.exe 2008 7lrrlxl.exe 3280 bbbtnt.exe 2300 bttnnh.exe 2160 rflfxxx.exe 4028 nthbbt.exe 2840 pdjdp.exe 1208 nbhbbt.exe 4852 7dpjp.exe 3996 lllfffx.exe 4724 xlrrfff.exe 440 tttnbh.exe 4556 5tbhbb.exe 516 jjddv.exe 4088 dvjdv.exe 2900 rflllll.exe 2540 hhnhtt.exe 4728 3jvdd.exe 3588 pjvvj.exe 4272 rrrrllf.exe 1368 fflllll.exe 1444 hhtbbh.exe 2284 1vvpj.exe -
resource yara_rule behavioral2/memory/1708-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1708-9-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4768-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2576-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2576-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2732-30-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2576-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2576-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2588-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1456-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/64-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/64-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/64-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4124-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4124-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4124-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/980-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3884-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1824-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2884-96-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4440-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3812-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1244-126-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4008-132-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2956-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1016-156-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4612-162-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1236-167-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1144-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2952-198-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3036-204-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 4768 1708 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 84 PID 1708 wrote to memory of 4768 1708 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 84 PID 1708 wrote to memory of 4768 1708 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 84 PID 4768 wrote to memory of 2576 4768 ttthtn.exe 85 PID 4768 wrote to memory of 2576 4768 ttthtn.exe 85 PID 4768 wrote to memory of 2576 4768 ttthtn.exe 85 PID 2576 wrote to memory of 2732 2576 jvjdd.exe 86 PID 2576 wrote to memory of 2732 2576 jvjdd.exe 86 PID 2576 wrote to memory of 2732 2576 jvjdd.exe 86 PID 2732 wrote to memory of 2588 2732 9ffffll.exe 87 PID 2732 wrote to memory of 2588 2732 9ffffll.exe 87 PID 2732 wrote to memory of 2588 2732 9ffffll.exe 87 PID 2588 wrote to memory of 1456 2588 9llllll.exe 88 PID 2588 wrote to memory of 1456 2588 9llllll.exe 88 PID 2588 wrote to memory of 1456 2588 9llllll.exe 88 PID 1456 wrote to memory of 2552 1456 nbhbtb.exe 89 PID 1456 wrote to memory of 2552 1456 nbhbtb.exe 89 PID 1456 wrote to memory of 2552 1456 nbhbtb.exe 89 PID 2552 wrote to memory of 64 2552 pppjj.exe 90 PID 2552 wrote to memory of 64 2552 pppjj.exe 90 PID 2552 wrote to memory of 64 2552 pppjj.exe 90 PID 64 wrote to memory of 4124 64 vjdvv.exe 92 PID 64 wrote to memory of 4124 64 vjdvv.exe 92 PID 64 wrote to memory of 4124 64 vjdvv.exe 92 PID 4124 wrote to memory of 980 4124 tntntn.exe 93 PID 4124 wrote to memory of 980 4124 tntntn.exe 93 PID 4124 wrote to memory of 980 4124 tntntn.exe 93 PID 980 wrote to memory of 3884 980 5jppj.exe 94 PID 980 wrote to memory of 3884 980 5jppj.exe 94 PID 980 wrote to memory of 3884 980 5jppj.exe 94 PID 3884 wrote to memory of 1824 3884 vjppp.exe 95 PID 3884 wrote to memory of 1824 3884 vjppp.exe 95 PID 3884 wrote to memory of 1824 3884 vjppp.exe 95 PID 1824 wrote to memory of 2884 1824 frrfrrr.exe 96 PID 1824 wrote to memory of 2884 1824 frrfrrr.exe 
96 PID 1824 wrote to memory of 2884 1824 frrfrrr.exe 96 PID 2884 wrote to memory of 3240 2884 rfllrxr.exe 97 PID 2884 wrote to memory of 3240 2884 rfllrxr.exe 97 PID 2884 wrote to memory of 3240 2884 rfllrxr.exe 97 PID 3240 wrote to memory of 1520 3240 bbhhbb.exe 99 PID 3240 wrote to memory of 1520 3240 bbhhbb.exe 99 PID 3240 wrote to memory of 1520 3240 bbhhbb.exe 99 PID 1520 wrote to memory of 4440 1520 5jddv.exe 100 PID 1520 wrote to memory of 4440 1520 5jddv.exe 100 PID 1520 wrote to memory of 4440 1520 5jddv.exe 100 PID 4440 wrote to memory of 3812 4440 rxxrrxx.exe 101 PID 4440 wrote to memory of 3812 4440 rxxrrxx.exe 101 PID 4440 wrote to memory of 3812 4440 rxxrrxx.exe 101 PID 3812 wrote to memory of 1244 3812 rrxfxll.exe 102 PID 3812 wrote to memory of 1244 3812 rrxfxll.exe 102 PID 3812 wrote to memory of 1244 3812 rrxfxll.exe 102 PID 1244 wrote to memory of 4008 1244 nhhhhn.exe 103 PID 1244 wrote to memory of 4008 1244 nhhhhn.exe 103 PID 1244 wrote to memory of 4008 1244 nhhhhn.exe 103 PID 4008 wrote to memory of 4472 4008 pdpvp.exe 104 PID 4008 wrote to memory of 4472 4008 pdpvp.exe 104 PID 4008 wrote to memory of 4472 4008 pdpvp.exe 104 PID 4472 wrote to memory of 2956 4472 dvddp.exe 105 PID 4472 wrote to memory of 2956 4472 dvddp.exe 105 PID 4472 wrote to memory of 2956 4472 dvddp.exe 105 PID 2956 wrote to memory of 4548 2956 lxrllff.exe 106 PID 2956 wrote to memory of 4548 2956 lxrllff.exe 106 PID 2956 wrote to memory of 4548 2956 lxrllff.exe 106 PID 4548 wrote to memory of 1016 4548 bntnnn.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\ttthtn.exec:\ttthtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\jvjdd.exec:\jvjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\9ffffll.exec:\9ffffll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\9llllll.exec:\9llllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\nbhbtb.exec:\nbhbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\pppjj.exec:\pppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\vjdvv.exec:\vjdvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\tntntn.exec:\tntntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\5jppj.exec:\5jppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\vjppp.exec:\vjppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\frrfrrr.exec:\frrfrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\rfllrxr.exec:\rfllrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\bbhhbb.exec:\bbhhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\5jddv.exec:\5jddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\rxxrrxx.exec:\rxxrrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\rrxfxll.exec:\rrxfxll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\nhhhhn.exec:\nhhhhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\pdpvp.exec:\pdpvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\dvddp.exec:\dvddp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\lxrllff.exec:\lxrllff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\bntnnn.exec:\bntnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\ttbbtb.exec:\ttbbtb.exe23⤵
- Executes dropped EXE
PID:1016 -
\??\c:\7jjdv.exec:\7jjdv.exe24⤵
- Executes dropped EXE
PID:4612 -
\??\c:\rxrxxxl.exec:\rxrxxxl.exe25⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rffxrff.exec:\rffxrff.exe26⤵
- Executes dropped EXE
PID:4184 -
\??\c:\nnbttt.exec:\nnbttt.exe27⤵
- Executes dropped EXE
PID:1144 -
\??\c:\vvpdd.exec:\vvpdd.exe28⤵
- Executes dropped EXE
PID:4792 -
\??\c:\dpvpp.exec:\dpvpp.exe29⤵
- Executes dropped EXE
PID:1976 -
\??\c:\ttbbbb.exec:\ttbbbb.exe30⤵
- Executes dropped EXE
PID:2952 -
\??\c:\pjjdd.exec:\pjjdd.exe31⤵
- Executes dropped EXE
PID:3036 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe32⤵
- Executes dropped EXE
PID:4908 -
\??\c:\rrffrrx.exec:\rrffrrx.exe33⤵
- Executes dropped EXE
PID:4384 -
\??\c:\nbhbth.exec:\nbhbth.exe34⤵
- Executes dropped EXE
PID:4324 -
\??\c:\5vvpv.exec:\5vvpv.exe35⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pjpdd.exec:\pjpdd.exe36⤵
- Executes dropped EXE
PID:4904 -
\??\c:\ffrllrf.exec:\ffrllrf.exe37⤵
- Executes dropped EXE
PID:3236 -
\??\c:\bhhbtn.exec:\bhhbtn.exe38⤵
- Executes dropped EXE
PID:1808 -
\??\c:\tbtnbb.exec:\tbtnbb.exe39⤵
- Executes dropped EXE
PID:4252 -
\??\c:\dvppd.exec:\dvppd.exe40⤵
- Executes dropped EXE
PID:3876 -
\??\c:\xlrlxxx.exec:\xlrlxxx.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\bbhhbb.exec:\bbhhbb.exe42⤵
- Executes dropped EXE
PID:2696 -
\??\c:\llrrlfx.exec:\llrrlfx.exe43⤵
- Executes dropped EXE
PID:1600 -
\??\c:\7lrrlxl.exec:\7lrrlxl.exe44⤵
- Executes dropped EXE
PID:2008 -
\??\c:\bbbtnt.exec:\bbbtnt.exe45⤵
- Executes dropped EXE
PID:3280 -
\??\c:\bttnnh.exec:\bttnnh.exe46⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rflfxxx.exec:\rflfxxx.exe47⤵
- Executes dropped EXE
PID:2160 -
\??\c:\nthbbt.exec:\nthbbt.exe48⤵
- Executes dropped EXE
PID:4028 -
\??\c:\pdjdp.exec:\pdjdp.exe49⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nbhbbt.exec:\nbhbbt.exe50⤵
- Executes dropped EXE
PID:1208 -
\??\c:\7dpjp.exec:\7dpjp.exe51⤵
- Executes dropped EXE
PID:4852 -
\??\c:\lllfffx.exec:\lllfffx.exe52⤵
- Executes dropped EXE
PID:3996 -
\??\c:\xlrrfff.exec:\xlrrfff.exe53⤵
- Executes dropped EXE
PID:4724 -
\??\c:\tttnbh.exec:\tttnbh.exe54⤵
- Executes dropped EXE
PID:440 -
\??\c:\5tbhbb.exec:\5tbhbb.exe55⤵
- Executes dropped EXE
PID:4556 -
\??\c:\jjddv.exec:\jjddv.exe56⤵
- Executes dropped EXE
PID:516 -
\??\c:\dvjdv.exec:\dvjdv.exe57⤵
- Executes dropped EXE
PID:4088 -
\??\c:\rflllll.exec:\rflllll.exe58⤵
- Executes dropped EXE
PID:2900 -
\??\c:\hhnhtt.exec:\hhnhtt.exe59⤵
- Executes dropped EXE
PID:2540 -
\??\c:\3jvdd.exec:\3jvdd.exe60⤵
- Executes dropped EXE
PID:4728 -
\??\c:\pjvvj.exec:\pjvvj.exe61⤵
- Executes dropped EXE
PID:3588 -
\??\c:\rrrrllf.exec:\rrrrllf.exe62⤵
- Executes dropped EXE
PID:4272 -
\??\c:\fflllll.exec:\fflllll.exe63⤵
- Executes dropped EXE
PID:1368 -
\??\c:\hhtbbh.exec:\hhtbbh.exe64⤵
- Executes dropped EXE
PID:1444 -
\??\c:\1vvpj.exec:\1vvpj.exe65⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pvdvv.exec:\pvdvv.exe66⤵PID:4848
-
\??\c:\xxxfxlf.exec:\xxxfxlf.exe67⤵PID:2740
-
\??\c:\tbbtnn.exec:\tbbtnn.exe68⤵PID:4472
-
\??\c:\hhbtnn.exec:\hhbtnn.exe69⤵PID:3620
-
\??\c:\dpppj.exec:\dpppj.exe70⤵PID:4880
-
\??\c:\jvpjd.exec:\jvpjd.exe71⤵PID:3904
-
\??\c:\rllrlll.exec:\rllrlll.exe72⤵PID:4292
-
\??\c:\9xfxrlf.exec:\9xfxrlf.exe73⤵PID:5020
-
\??\c:\nnhhhh.exec:\nnhhhh.exe74⤵PID:4308
-
\??\c:\pjddd.exec:\pjddd.exe75⤵PID:3940
-
\??\c:\pvvvp.exec:\pvvvp.exe76⤵PID:4104
-
\??\c:\rffrfxr.exec:\rffrfxr.exe77⤵PID:1064
-
\??\c:\nbbthh.exec:\nbbthh.exe78⤵PID:5080
-
\??\c:\vvvvp.exec:\vvvvp.exe79⤵PID:2024
-
\??\c:\5pppj.exec:\5pppj.exe80⤵PID:1976
-
\??\c:\xrllfff.exec:\xrllfff.exe81⤵PID:396
-
\??\c:\xlllrxr.exec:\xlllrxr.exe82⤵PID:4536
-
\??\c:\nnhhbn.exec:\nnhhbn.exe83⤵PID:3304
-
\??\c:\9hnhtt.exec:\9hnhtt.exe84⤵PID:848
-
\??\c:\pvpjv.exec:\pvpjv.exe85⤵PID:316
-
\??\c:\rffxxxx.exec:\rffxxxx.exe86⤵PID:5112
-
\??\c:\lffxrrl.exec:\lffxrrl.exe87⤵PID:624
-
\??\c:\btnnhb.exec:\btnnhb.exe88⤵PID:4648
-
\??\c:\bbhhbb.exec:\bbhhbb.exe89⤵PID:3972
-
\??\c:\djvdp.exec:\djvdp.exe90⤵PID:4748
-
\??\c:\1rlxrlf.exec:\1rlxrlf.exe91⤵PID:4288
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe92⤵PID:4452
-
\??\c:\bthbbh.exec:\bthbbh.exe93⤵PID:1488
-
\??\c:\bbbbtt.exec:\bbbbtt.exe94⤵PID:3184
-
\??\c:\vvjpj.exec:\vvjpj.exe95⤵PID:1984
-
\??\c:\jvvvj.exec:\jvvvj.exe96⤵PID:3492
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe97⤵PID:536
-
\??\c:\frxxrxx.exec:\frxxrxx.exe98⤵PID:3584
-
\??\c:\nntttt.exec:\nntttt.exe99⤵PID:4256
-
\??\c:\hhhtnt.exec:\hhhtnt.exe100⤵PID:2968
-
\??\c:\vpvvv.exec:\vpvvv.exe101⤵PID:4028
-
\??\c:\lfrfxrl.exec:\lfrfxrl.exe102⤵PID:3324
-
\??\c:\llrrrrr.exec:\llrrrrr.exe103⤵PID:2108
-
\??\c:\tttnnn.exec:\tttnnn.exe104⤵PID:3892
-
\??\c:\hthbth.exec:\hthbth.exe105⤵PID:1504
-
\??\c:\pddjp.exec:\pddjp.exe106⤵PID:4604
-
\??\c:\pddjv.exec:\pddjv.exe107⤵PID:3936
-
\??\c:\rxxrlll.exec:\rxxrlll.exe108⤵PID:2488
-
\??\c:\frxrllf.exec:\frxrllf.exe109⤵PID:1932
-
\??\c:\bttbbb.exec:\bttbbb.exe110⤵PID:2232
-
\??\c:\nhtnbb.exec:\nhtnbb.exe111⤵PID:1752
-
\??\c:\hbhnnn.exec:\hbhnnn.exe112⤵PID:372
-
\??\c:\vddpj.exec:\vddpj.exe113⤵PID:1500
-
\??\c:\vpjdp.exec:\vpjdp.exe114⤵PID:5060
-
\??\c:\fxffxxx.exec:\fxffxxx.exe115⤵PID:2860
-
\??\c:\7xrrlll.exec:\7xrrlll.exe116⤵PID:916
-
\??\c:\hbttnb.exec:\hbttnb.exe117⤵PID:2396
-
\??\c:\tttthn.exec:\tttthn.exe118⤵PID:4880
-
\??\c:\ppdvp.exec:\ppdvp.exe119⤵PID:2104
-
\??\c:\pvvpj.exec:\pvvpj.exe120⤵PID:5016
-
\??\c:\bntnhh.exec:\bntnhh.exe121⤵PID:3528
-
\??\c:\pvvvp.exec:\pvvvp.exe122⤵PID:2376