Analysis
-
max time kernel
115s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 13:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
-
Size
66KB
-
MD5
5794f03936c353d89fafe0a0274c6e10
-
SHA1
84d00b43452b5cd12f9dfcbccb532b9640110e77
-
SHA256
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195de
-
SHA512
87a3e1f27258c37f316aefb6d9c6cf38e9b72ffded8f4333cd80742e4762aa1908eba2cf0a69ca1f416553575c86a1e3c57f744ec67532b8222501479931e595
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27BqflM:ymb3NkkiQ3mdBjFI9cqfa
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
resource yara_rule behavioral2/memory/4108-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4656-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2408-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1420-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2484-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3120-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2004-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2640-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2152-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2164-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1616-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4156-97-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2788-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1064-109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4696-122-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2892-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1724-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2288-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5016-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1308-169-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3656-175-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/5076-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4464-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3452-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2380-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4656 228444.exe 2408 606868.exe 1420 40688.exe 2484 bbhtnb.exe 3120 llxxlll.exe 2004 xrfrfrr.exe 2640 hhhthh.exe 2152 5xfxrrl.exe 2164 7ppjd.exe 4912 ppvjd.exe 1616 htbthb.exe 4156 a6244.exe 2788 0882648.exe 1064 286048.exe 2892 xrxrlff.exe 4696 ddjdj.exe 3640 00004.exe 1724 20608.exe 1264 xllfxrl.exe 3720 vpjdv.exe 2896 rflxrrl.exe 2288 dvvjd.exe 5016 0808400.exe 1308 3flfffx.exe 3656 m8848.exe 5076 824448.exe 4464 6862004.exe 3452 86800.exe 464 httnnt.exe 2380 frrrfff.exe 3632 48800.exe 4268 rlflfff.exe 1540 482622.exe 2228 0406004.exe 5032 1xxfxll.exe 4924 ntnttt.exe 864 llffflf.exe 4536 6682660.exe 1060 3xrrlll.exe 2132 rrfffff.exe 4656 446244.exe 4628 dpdpd.exe 4532 tbbthn.exe 764 frrxlfx.exe 1404 s4848.exe 3308 lfrlxrl.exe 660 20206.exe 3896 5ppvj.exe 116 xrfrlfx.exe 4500 2000864.exe 2520 xxrxlrf.exe 2776 jjjvd.exe 1732 0026486.exe 4312 bthbbt.exe 4156 jjvpv.exe 1120 thbhbt.exe 2960 xrlfrlf.exe 1064 5xlfllr.exe 1284 482804.exe 2012 hnnnnn.exe 2372 pvddp.exe 3640 k06022.exe 1044 g6848.exe 4224 88000.exe -
resource yara_rule behavioral2/memory/4108-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4656-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2408-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2408-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2408-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1420-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2484-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3120-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2004-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2640-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2152-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2152-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2152-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2164-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2164-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2164-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4912-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4912-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4912-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1616-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4156-97-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2788-103-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1064-109-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4696-122-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2892-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1724-133-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2288-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5016-162-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1308-169-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3656-175-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5076-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4464-187-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3452-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2380-205-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
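Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Opening this key is also common during normal process start-up, so treat it as a weak indicator unless it coincides with the other signatures in this report.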
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i066800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2622268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2240400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c804882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c282606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4108 wrote to memory of 4656 4108 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 84 PID 4108 wrote to memory of 4656 4108 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 84 PID 4108 wrote to memory of 4656 4108 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 84 PID 4656 wrote to memory of 2408 4656 228444.exe 85 PID 4656 wrote to memory of 2408 4656 228444.exe 85 PID 4656 wrote to memory of 2408 4656 228444.exe 85 PID 2408 wrote to memory of 1420 2408 606868.exe 86 PID 2408 wrote to memory of 1420 2408 606868.exe 86 PID 2408 wrote to memory of 1420 2408 606868.exe 86 PID 1420 wrote to memory of 2484 1420 40688.exe 87 PID 1420 wrote to memory of 2484 1420 40688.exe 87 PID 1420 wrote to memory of 2484 1420 40688.exe 87 PID 2484 wrote to memory of 3120 2484 bbhtnb.exe 88 PID 2484 wrote to memory of 3120 2484 bbhtnb.exe 88 PID 2484 wrote to memory of 3120 2484 bbhtnb.exe 88 PID 3120 wrote to memory of 2004 3120 llxxlll.exe 89 PID 3120 wrote to memory of 2004 3120 llxxlll.exe 89 PID 3120 wrote to memory of 2004 3120 llxxlll.exe 89 PID 2004 wrote to memory of 2640 2004 xrfrfrr.exe 90 PID 2004 wrote to memory of 2640 2004 xrfrfrr.exe 90 PID 2004 wrote to memory of 2640 2004 xrfrfrr.exe 90 PID 2640 wrote to memory of 2152 2640 hhhthh.exe 91 PID 2640 wrote to memory of 2152 2640 hhhthh.exe 91 PID 2640 wrote to memory of 2152 2640 hhhthh.exe 91 PID 2152 wrote to memory of 2164 2152 5xfxrrl.exe 92 PID 2152 wrote to memory of 2164 2152 5xfxrrl.exe 92 PID 2152 wrote to memory of 2164 2152 5xfxrrl.exe 92 PID 2164 wrote to memory of 4912 2164 7ppjd.exe 93 PID 2164 wrote to memory of 4912 2164 7ppjd.exe 93 PID 2164 wrote to memory of 4912 2164 7ppjd.exe 93 PID 4912 wrote to memory of 1616 4912 ppvjd.exe 94 PID 4912 wrote to memory of 1616 4912 ppvjd.exe 94 PID 4912 wrote to memory of 1616 4912 ppvjd.exe 94 PID 1616 wrote to memory of 4156 1616 htbthb.exe 95 PID 1616 wrote 
to memory of 4156 1616 htbthb.exe 95 PID 1616 wrote to memory of 4156 1616 htbthb.exe 95 PID 4156 wrote to memory of 2788 4156 a6244.exe 96 PID 4156 wrote to memory of 2788 4156 a6244.exe 96 PID 4156 wrote to memory of 2788 4156 a6244.exe 96 PID 2788 wrote to memory of 1064 2788 0882648.exe 97 PID 2788 wrote to memory of 1064 2788 0882648.exe 97 PID 2788 wrote to memory of 1064 2788 0882648.exe 97 PID 1064 wrote to memory of 2892 1064 286048.exe 98 PID 1064 wrote to memory of 2892 1064 286048.exe 98 PID 1064 wrote to memory of 2892 1064 286048.exe 98 PID 2892 wrote to memory of 4696 2892 xrxrlff.exe 99 PID 2892 wrote to memory of 4696 2892 xrxrlff.exe 99 PID 2892 wrote to memory of 4696 2892 xrxrlff.exe 99 PID 4696 wrote to memory of 3640 4696 ddjdj.exe 100 PID 4696 wrote to memory of 3640 4696 ddjdj.exe 100 PID 4696 wrote to memory of 3640 4696 ddjdj.exe 100 PID 3640 wrote to memory of 1724 3640 00004.exe 102 PID 3640 wrote to memory of 1724 3640 00004.exe 102 PID 3640 wrote to memory of 1724 3640 00004.exe 102 PID 1724 wrote to memory of 1264 1724 20608.exe 103 PID 1724 wrote to memory of 1264 1724 20608.exe 103 PID 1724 wrote to memory of 1264 1724 20608.exe 103 PID 1264 wrote to memory of 3720 1264 xllfxrl.exe 104 PID 1264 wrote to memory of 3720 1264 xllfxrl.exe 104 PID 1264 wrote to memory of 3720 1264 xllfxrl.exe 104 PID 3720 wrote to memory of 2896 3720 vpjdv.exe 105 PID 3720 wrote to memory of 2896 3720 vpjdv.exe 105 PID 3720 wrote to memory of 2896 3720 vpjdv.exe 105 PID 2896 wrote to memory of 2288 2896 rflxrrl.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\228444.exec:\228444.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\606868.exec:\606868.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\40688.exec:\40688.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\bbhtnb.exec:\bbhtnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\llxxlll.exec:\llxxlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\xrfrfrr.exec:\xrfrfrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\hhhthh.exec:\hhhthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\5xfxrrl.exec:\5xfxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\7ppjd.exec:\7ppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\ppvjd.exec:\ppvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\htbthb.exec:\htbthb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\a6244.exec:\a6244.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\0882648.exec:\0882648.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\286048.exec:\286048.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\xrxrlff.exec:\xrxrlff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\ddjdj.exec:\ddjdj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\00004.exec:\00004.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\20608.exec:\20608.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\xllfxrl.exec:\xllfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\vpjdv.exec:\vpjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\rflxrrl.exec:\rflxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\dvvjd.exec:\dvvjd.exe23⤵
- Executes dropped EXE
PID:2288 -
\??\c:\0808400.exec:\0808400.exe24⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3flfffx.exec:\3flfffx.exe25⤵
- Executes dropped EXE
PID:1308 -
\??\c:\m8848.exec:\m8848.exe26⤵
- Executes dropped EXE
PID:3656 -
\??\c:\824448.exec:\824448.exe27⤵
- Executes dropped EXE
PID:5076 -
\??\c:\6862004.exec:\6862004.exe28⤵
- Executes dropped EXE
PID:4464 -
\??\c:\86800.exec:\86800.exe29⤵
- Executes dropped EXE
PID:3452 -
\??\c:\httnnt.exec:\httnnt.exe30⤵
- Executes dropped EXE
PID:464 -
\??\c:\frrrfff.exec:\frrrfff.exe31⤵
- Executes dropped EXE
PID:2380 -
\??\c:\48800.exec:\48800.exe32⤵
- Executes dropped EXE
PID:3632 -
\??\c:\rlflfff.exec:\rlflfff.exe33⤵
- Executes dropped EXE
PID:4268 -
\??\c:\482622.exec:\482622.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\0406004.exec:\0406004.exe35⤵
- Executes dropped EXE
PID:2228 -
\??\c:\1xxfxll.exec:\1xxfxll.exe36⤵
- Executes dropped EXE
PID:5032 -
\??\c:\ntnttt.exec:\ntnttt.exe37⤵
- Executes dropped EXE
PID:4924 -
\??\c:\llffflf.exec:\llffflf.exe38⤵
- Executes dropped EXE
PID:864 -
\??\c:\6682660.exec:\6682660.exe39⤵
- Executes dropped EXE
PID:4536 -
\??\c:\3xrrlll.exec:\3xrrlll.exe40⤵
- Executes dropped EXE
PID:1060 -
\??\c:\rrfffff.exec:\rrfffff.exe41⤵
- Executes dropped EXE
PID:2132 -
\??\c:\446244.exec:\446244.exe42⤵
- Executes dropped EXE
PID:4656 -
\??\c:\dpdpd.exec:\dpdpd.exe43⤵
- Executes dropped EXE
PID:4628 -
\??\c:\tbbthn.exec:\tbbthn.exe44⤵
- Executes dropped EXE
PID:4532 -
\??\c:\frrxlfx.exec:\frrxlfx.exe45⤵
- Executes dropped EXE
PID:764 -
\??\c:\s4848.exec:\s4848.exe46⤵
- Executes dropped EXE
PID:1404 -
\??\c:\lfrlxrl.exec:\lfrlxrl.exe47⤵
- Executes dropped EXE
PID:3308 -
\??\c:\20206.exec:\20206.exe48⤵
- Executes dropped EXE
PID:660 -
\??\c:\5ppvj.exec:\5ppvj.exe49⤵
- Executes dropped EXE
PID:3896 -
\??\c:\xrfrlfx.exec:\xrfrlfx.exe50⤵
- Executes dropped EXE
PID:116 -
\??\c:\2000864.exec:\2000864.exe51⤵
- Executes dropped EXE
PID:4500 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe52⤵
- Executes dropped EXE
PID:2520 -
\??\c:\jjjvd.exec:\jjjvd.exe53⤵
- Executes dropped EXE
PID:2776 -
\??\c:\0026486.exec:\0026486.exe54⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bthbbt.exec:\bthbbt.exe55⤵
- Executes dropped EXE
PID:4312 -
\??\c:\jjvpv.exec:\jjvpv.exe56⤵
- Executes dropped EXE
PID:4156 -
\??\c:\thbhbt.exec:\thbhbt.exe57⤵
- Executes dropped EXE
PID:1120 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe58⤵
- Executes dropped EXE
PID:2960 -
\??\c:\5xlfllr.exec:\5xlfllr.exe59⤵
- Executes dropped EXE
PID:1064 -
\??\c:\482804.exec:\482804.exe60⤵
- Executes dropped EXE
PID:1284 -
\??\c:\hnnnnn.exec:\hnnnnn.exe61⤵
- Executes dropped EXE
PID:2012 -
\??\c:\pvddp.exec:\pvddp.exe62⤵
- Executes dropped EXE
PID:2372 -
\??\c:\k06022.exec:\k06022.exe63⤵
- Executes dropped EXE
PID:3640 -
\??\c:\g6848.exec:\g6848.exe64⤵
- Executes dropped EXE
PID:1044 -
\??\c:\88000.exec:\88000.exe65⤵
- Executes dropped EXE
PID:4224 -
\??\c:\6466848.exec:\6466848.exe66⤵PID:1352
-
\??\c:\dvvpj.exec:\dvvpj.exe67⤵PID:3720
-
\??\c:\80226.exec:\80226.exe68⤵PID:4972
-
\??\c:\84820.exec:\84820.exe69⤵PID:1040
-
\??\c:\s4222.exec:\s4222.exe70⤵PID:4112
-
\??\c:\86886.exec:\86886.exe71⤵PID:4344
-
\??\c:\866044.exec:\866044.exe72⤵PID:2840
-
\??\c:\vvddd.exec:\vvddd.exe73⤵PID:2708
-
\??\c:\04004.exec:\04004.exe74⤵PID:3312
-
\??\c:\246488.exec:\246488.exe75⤵PID:1992
-
\??\c:\042288.exec:\042288.exe76⤵PID:4236
-
\??\c:\nbhhbh.exec:\nbhhbh.exe77⤵PID:3712
-
\??\c:\426266.exec:\426266.exe78⤵PID:2976
-
\??\c:\w02266.exec:\w02266.exe79⤵PID:1228
-
\??\c:\2800060.exec:\2800060.exe80⤵PID:2812
-
\??\c:\42024.exec:\42024.exe81⤵PID:3208
-
\??\c:\084848.exec:\084848.exe82⤵PID:4008
-
\??\c:\0226226.exec:\0226226.exe83⤵PID:1464
-
\??\c:\nnbnbb.exec:\nnbnbb.exe84⤵PID:3048
-
\??\c:\884422.exec:\884422.exe85⤵PID:3960
-
\??\c:\jpvpv.exec:\jpvpv.exe86⤵PID:3704
-
\??\c:\28420.exec:\28420.exe87⤵PID:4796
-
\??\c:\bnbnbt.exec:\bnbnbt.exe88⤵PID:4316
-
\??\c:\vjjdv.exec:\vjjdv.exe89⤵PID:532
-
\??\c:\628648.exec:\628648.exe90⤵PID:1080
-
\??\c:\80044.exec:\80044.exe91⤵PID:2132
-
\??\c:\g4042.exec:\g4042.exe92⤵PID:4240
-
\??\c:\6442228.exec:\6442228.exe93⤵PID:5064
-
\??\c:\4660408.exec:\4660408.exe94⤵PID:4492
-
\??\c:\22264.exec:\22264.exe95⤵PID:4412
-
\??\c:\844262.exec:\844262.exe96⤵PID:2448
-
\??\c:\7llffff.exec:\7llffff.exe97⤵PID:1612
-
\??\c:\04622.exec:\04622.exe98⤵PID:1644
-
\??\c:\pvpjv.exec:\pvpjv.exe99⤵PID:4724
-
\??\c:\08426.exec:\08426.exe100⤵PID:1668
-
\??\c:\204860.exec:\204860.exe101⤵PID:4500
-
\??\c:\480004.exec:\480004.exe102⤵PID:3648
-
\??\c:\7xxrrlr.exec:\7xxrrlr.exe103⤵PID:2088
-
\??\c:\28860.exec:\28860.exe104⤵PID:1732
-
\??\c:\nbthth.exec:\nbthth.exe105⤵PID:4312
-
\??\c:\jjjjv.exec:\jjjjv.exe106⤵PID:3604
-
\??\c:\6848048.exec:\6848048.exe107⤵PID:372
-
\??\c:\22282.exec:\22282.exe108⤵PID:776
-
\??\c:\thnnhn.exec:\thnnhn.exe109⤵PID:436
-
\??\c:\btbbnh.exec:\btbbnh.exe110⤵PID:4684
-
\??\c:\24202.exec:\24202.exe111⤵PID:664
-
\??\c:\thbntn.exec:\thbntn.exe112⤵PID:2372
-
\??\c:\hnnnnh.exec:\hnnnnh.exe113⤵PID:3640
-
\??\c:\btnbnh.exec:\btnbnh.exe114⤵PID:2856
-
\??\c:\0824604.exec:\0824604.exe115⤵PID:4440
-
\??\c:\lxrlfxx.exec:\lxrlfxx.exe116⤵PID:2676
-
\??\c:\4042266.exec:\4042266.exe117⤵PID:3328
-
\??\c:\llfxrlf.exec:\llfxrlf.exe118⤵PID:1208
-
\??\c:\6206246.exec:\6206246.exe119⤵PID:3088
-
\??\c:\lxrrllr.exec:\lxrrllr.exe120⤵PID:1020
-
\??\c:\26280.exec:\26280.exe121⤵PID:1436
-
\??\c:\22408.exec:\22408.exe122⤵PID:1232
-