Analysis
-
max time kernel
120s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 13:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
-
Size
66KB
-
MD5
1c92d3d625902c12c664fa6e4740d560
-
SHA1
da1f88e951cdacc56e3df95a3df4aea8c934170a
-
SHA256
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87
-
SHA512
61ba8905cbd610725ddd2c6007cae9f63690631464988f85e721ca23ba409a34865ff0288a11982ed89de652b50ba6ea1094fbff3551f4997e096e2a27d6445a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxes:ymb3NkkiQ3mdBjF0y7kbUs
Malware Config
Signatures
-
Detect Blackmoon payload 29 IoCs
resource yara_rule behavioral2/memory/1220-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4700-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4700-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4360-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4336-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4836-36-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2996-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1916-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5068-60-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3900-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2608-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2172-84-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3924-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3868-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3388-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4704-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/824-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2628-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2872-141-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4872-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1364-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2208-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4752-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/384-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/100-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3892-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1656-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1536-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4884-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4700 hnnhnn.exe 4360 bbntbn.exe 4336 dvpjd.exe 4836 xrxlxrl.exe 2996 hnnbnh.exe 1916 jdjjj.exe 5068 7lfrrlr.exe 3900 thnbnh.exe 2608 tnnnbb.exe 2172 dvvpj.exe 544 rfrfrxr.exe 3924 nhhthn.exe 1564 thbnhb.exe 3868 1ddpd.exe 3388 7rxlxlf.exe 4704 httnbn.exe 824 pdpdp.exe 2628 1ppjd.exe 2872 3xxrrrl.exe 4872 nbtthn.exe 1364 dddvj.exe 2208 7pvjv.exe 4752 rfrflxx.exe 4592 nbbbbb.exe 384 3bnbnh.exe 100 1pvpj.exe 3892 1rlfrrf.exe 1656 tnhbtn.exe 1536 9vvpd.exe 4884 llxrrrl.exe 4136 thnbtn.exe 2304 rrrxrrx.exe 2744 rfrlllr.exe 5028 htthbb.exe 1028 thbthb.exe 3504 jddvp.exe 2792 dpvdj.exe 4244 frffrrl.exe 4688 htntnh.exe 1680 nnhbnh.exe 2212 ddvjp.exe 4876 xxrlffx.exe 4672 hbhhhh.exe 4320 5tnhtt.exe 3368 vpjdp.exe 1916 lrfrxrx.exe 832 rffxrrl.exe 2768 bbbbnn.exe 3068 nbbnht.exe 4024 djdpj.exe 1000 rlflxfr.exe 5056 htnbnh.exe 5000 3hhthb.exe 5096 vvjpv.exe 2540 jvdvp.exe 3916 xrflrlr.exe 4792 5bthbn.exe 1748 vpdpp.exe 3016 3jjdv.exe 2628 xlffxrl.exe 4216 xfrfxrl.exe 444 ttnhtn.exe 692 9bbbnh.exe 4856 vjdpd.exe -
resource yara_rule behavioral2/memory/1220-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4700-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4700-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4700-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4360-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4360-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4336-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4836-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2996-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2996-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2996-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2996-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1916-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5068-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3900-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3900-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3900-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3900-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2608-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2172-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3924-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3868-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3388-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4704-123-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/824-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2628-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2872-141-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4872-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1364-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2208-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4752-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/384-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/100-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3892-188-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1656-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1536-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4884-207-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1220 wrote to memory of 4700 1220 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 84 PID 1220 wrote to memory of 4700 1220 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 84 PID 1220 wrote to memory of 4700 1220 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 84 PID 4700 wrote to memory of 4360 4700 hnnhnn.exe 85 PID 4700 wrote to memory of 4360 4700 hnnhnn.exe 85 PID 4700 wrote to memory of 4360 4700 hnnhnn.exe 85 PID 4360 wrote to memory of 4336 4360 bbntbn.exe 86 PID 4360 wrote to memory of 4336 4360 bbntbn.exe 86 PID 4360 wrote to memory of 4336 4360 bbntbn.exe 86 PID 4336 wrote to memory of 4836 4336 dvpjd.exe 87 PID 4336 wrote to memory of 4836 4336 dvpjd.exe 87 PID 4336 wrote to memory of 4836 4336 dvpjd.exe 87 PID 4836 wrote to memory of 2996 4836 xrxlxrl.exe 88 PID 4836 wrote to memory of 2996 4836 xrxlxrl.exe 88 PID 4836 wrote to memory of 2996 4836 xrxlxrl.exe 88 PID 2996 wrote to memory of 1916 2996 hnnbnh.exe 89 PID 2996 wrote to memory of 1916 2996 hnnbnh.exe 89 PID 2996 wrote to memory of 1916 2996 hnnbnh.exe 89 PID 1916 wrote to memory of 5068 1916 jdjjj.exe 90 PID 1916 wrote to memory of 5068 1916 jdjjj.exe 90 PID 1916 wrote to memory of 5068 1916 jdjjj.exe 90 PID 5068 wrote to memory of 3900 5068 7lfrrlr.exe 91 PID 5068 wrote to memory of 3900 5068 7lfrrlr.exe 91 PID 5068 wrote to memory of 3900 5068 7lfrrlr.exe 91 PID 3900 wrote to memory of 2608 3900 thnbnh.exe 92 PID 3900 wrote to memory of 2608 3900 thnbnh.exe 92 PID 3900 wrote to memory of 2608 3900 thnbnh.exe 92 PID 2608 wrote to memory of 2172 2608 tnnnbb.exe 93 PID 2608 wrote to memory of 2172 2608 tnnnbb.exe 93 PID 2608 wrote to memory of 2172 2608 tnnnbb.exe 93 PID 2172 wrote to memory of 544 2172 dvvpj.exe 94 PID 2172 wrote to memory of 544 2172 dvvpj.exe 94 PID 2172 wrote to memory of 544 2172 dvvpj.exe 94 PID 544 wrote to memory of 3924 544 rfrfrxr.exe 95 PID 544 wrote to memory 
of 3924 544 rfrfrxr.exe 95 PID 544 wrote to memory of 3924 544 rfrfrxr.exe 95 PID 3924 wrote to memory of 1564 3924 nhhthn.exe 96 PID 3924 wrote to memory of 1564 3924 nhhthn.exe 96 PID 3924 wrote to memory of 1564 3924 nhhthn.exe 96 PID 1564 wrote to memory of 3868 1564 thbnhb.exe 97 PID 1564 wrote to memory of 3868 1564 thbnhb.exe 97 PID 1564 wrote to memory of 3868 1564 thbnhb.exe 97 PID 3868 wrote to memory of 3388 3868 1ddpd.exe 98 PID 3868 wrote to memory of 3388 3868 1ddpd.exe 98 PID 3868 wrote to memory of 3388 3868 1ddpd.exe 98 PID 3388 wrote to memory of 4704 3388 7rxlxlf.exe 99 PID 3388 wrote to memory of 4704 3388 7rxlxlf.exe 99 PID 3388 wrote to memory of 4704 3388 7rxlxlf.exe 99 PID 4704 wrote to memory of 824 4704 httnbn.exe 100 PID 4704 wrote to memory of 824 4704 httnbn.exe 100 PID 4704 wrote to memory of 824 4704 httnbn.exe 100 PID 824 wrote to memory of 2628 824 pdpdp.exe 101 PID 824 wrote to memory of 2628 824 pdpdp.exe 101 PID 824 wrote to memory of 2628 824 pdpdp.exe 101 PID 2628 wrote to memory of 2872 2628 1ppjd.exe 102 PID 2628 wrote to memory of 2872 2628 1ppjd.exe 102 PID 2628 wrote to memory of 2872 2628 1ppjd.exe 102 PID 2872 wrote to memory of 4872 2872 3xxrrrl.exe 103 PID 2872 wrote to memory of 4872 2872 3xxrrrl.exe 103 PID 2872 wrote to memory of 4872 2872 3xxrrrl.exe 103 PID 4872 wrote to memory of 1364 4872 nbtthn.exe 104 PID 4872 wrote to memory of 1364 4872 nbtthn.exe 104 PID 4872 wrote to memory of 1364 4872 nbtthn.exe 104 PID 1364 wrote to memory of 2208 1364 dddvj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\hnnhnn.exec:\hnnhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\bbntbn.exec:\bbntbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\dvpjd.exec:\dvpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\xrxlxrl.exec:\xrxlxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\hnnbnh.exec:\hnnbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\jdjjj.exec:\jdjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\7lfrrlr.exec:\7lfrrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\thnbnh.exec:\thnbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\tnnnbb.exec:\tnnnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\dvvpj.exec:\dvvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\rfrfrxr.exec:\rfrfrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\nhhthn.exec:\nhhthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\thbnhb.exec:\thbnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\1ddpd.exec:\1ddpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\7rxlxlf.exec:\7rxlxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\httnbn.exec:\httnbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\pdpdp.exec:\pdpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\1ppjd.exec:\1ppjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\3xxrrrl.exec:\3xxrrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\nbtthn.exec:\nbtthn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\dddvj.exec:\dddvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\7pvjv.exec:\7pvjv.exe23⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rfrflxx.exec:\rfrflxx.exe24⤵
- Executes dropped EXE
PID:4752 -
\??\c:\nbbbbb.exec:\nbbbbb.exe25⤵
- Executes dropped EXE
PID:4592 -
\??\c:\3bnbnh.exec:\3bnbnh.exe26⤵
- Executes dropped EXE
PID:384 -
\??\c:\1pvpj.exec:\1pvpj.exe27⤵
- Executes dropped EXE
PID:100 -
\??\c:\1rlfrrf.exec:\1rlfrrf.exe28⤵
- Executes dropped EXE
PID:3892 -
\??\c:\tnhbtn.exec:\tnhbtn.exe29⤵
- Executes dropped EXE
PID:1656 -
\??\c:\9vvpd.exec:\9vvpd.exe30⤵
- Executes dropped EXE
PID:1536 -
\??\c:\llxrrrl.exec:\llxrrrl.exe31⤵
- Executes dropped EXE
PID:4884 -
\??\c:\thnbtn.exec:\thnbtn.exe32⤵
- Executes dropped EXE
PID:4136 -
\??\c:\rrrxrrx.exec:\rrrxrrx.exe33⤵
- Executes dropped EXE
PID:2304 -
\??\c:\rfrlllr.exec:\rfrlllr.exe34⤵
- Executes dropped EXE
PID:2744 -
\??\c:\htthbb.exec:\htthbb.exe35⤵
- Executes dropped EXE
PID:5028 -
\??\c:\thbthb.exec:\thbthb.exe36⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jddvp.exec:\jddvp.exe37⤵
- Executes dropped EXE
PID:3504 -
\??\c:\dpvdj.exec:\dpvdj.exe38⤵
- Executes dropped EXE
PID:2792 -
\??\c:\frffrrl.exec:\frffrrl.exe39⤵
- Executes dropped EXE
PID:4244 -
\??\c:\htntnh.exec:\htntnh.exe40⤵
- Executes dropped EXE
PID:4688 -
\??\c:\nnhbnh.exec:\nnhbnh.exe41⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ddvjp.exec:\ddvjp.exe42⤵
- Executes dropped EXE
PID:2212 -
\??\c:\xxrlffx.exec:\xxrlffx.exe43⤵
- Executes dropped EXE
PID:4876 -
\??\c:\hbhhhh.exec:\hbhhhh.exe44⤵
- Executes dropped EXE
PID:4672 -
\??\c:\5tnhtt.exec:\5tnhtt.exe45⤵
- Executes dropped EXE
PID:4320 -
\??\c:\vpjdp.exec:\vpjdp.exe46⤵
- Executes dropped EXE
PID:3368 -
\??\c:\lrfrxrx.exec:\lrfrxrx.exe47⤵
- Executes dropped EXE
PID:1916 -
\??\c:\rffxrrl.exec:\rffxrrl.exe48⤵
- Executes dropped EXE
PID:832 -
\??\c:\bbbbnn.exec:\bbbbnn.exe49⤵
- Executes dropped EXE
PID:2768 -
\??\c:\nbbnht.exec:\nbbnht.exe50⤵
- Executes dropped EXE
PID:3068 -
\??\c:\djdpj.exec:\djdpj.exe51⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rlflxfr.exec:\rlflxfr.exe52⤵
- Executes dropped EXE
PID:1000 -
\??\c:\htnbnh.exec:\htnbnh.exe53⤵
- Executes dropped EXE
PID:5056 -
\??\c:\3hhthb.exec:\3hhthb.exe54⤵
- Executes dropped EXE
PID:5000 -
\??\c:\vvjpv.exec:\vvjpv.exe55⤵
- Executes dropped EXE
PID:5096 -
\??\c:\jvdvp.exec:\jvdvp.exe56⤵
- Executes dropped EXE
PID:2540 -
\??\c:\xrflrlr.exec:\xrflrlr.exe57⤵
- Executes dropped EXE
PID:3916 -
\??\c:\5bthbn.exec:\5bthbn.exe58⤵
- Executes dropped EXE
PID:4792 -
\??\c:\vpdpp.exec:\vpdpp.exe59⤵
- Executes dropped EXE
PID:1748 -
\??\c:\3jjdv.exec:\3jjdv.exe60⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xlffxrl.exec:\xlffxrl.exe61⤵
- Executes dropped EXE
PID:2628 -
\??\c:\xfrfxrl.exec:\xfrfxrl.exe62⤵
- Executes dropped EXE
PID:4216 -
\??\c:\ttnhtn.exec:\ttnhtn.exe63⤵
- Executes dropped EXE
PID:444 -
\??\c:\9bbbnh.exec:\9bbbnh.exe64⤵
- Executes dropped EXE
PID:692 -
\??\c:\vjdpd.exec:\vjdpd.exe65⤵
- Executes dropped EXE
PID:4856 -
\??\c:\jvpdv.exec:\jvpdv.exe66⤵
- System Location Discovery: System Language Discovery
PID:2208 -
\??\c:\rflfxrf.exec:\rflfxrf.exe67⤵PID:4796
-
\??\c:\nhbhbt.exec:\nhbhbt.exe68⤵PID:3612
-
\??\c:\jpdpd.exec:\jpdpd.exe69⤵PID:2024
-
\??\c:\vppdv.exec:\vppdv.exe70⤵PID:4860
-
\??\c:\5ffxlfr.exec:\5ffxlfr.exe71⤵PID:4448
-
\??\c:\lrlfxxl.exec:\lrlfxxl.exe72⤵PID:4664
-
\??\c:\bhnnbb.exec:\bhnnbb.exe73⤵PID:4832
-
\??\c:\7vpdp.exec:\7vpdp.exe74⤵PID:1908
-
\??\c:\9djdp.exec:\9djdp.exe75⤵PID:1852
-
\??\c:\frrffxr.exec:\frrffxr.exe76⤵PID:2424
-
\??\c:\hbbbtn.exec:\hbbbtn.exe77⤵PID:1392
-
\??\c:\htnbnh.exec:\htnbnh.exe78⤵PID:4004
-
\??\c:\ppppd.exec:\ppppd.exe79⤵PID:2304
-
\??\c:\rrlfxrf.exec:\rrlfxrf.exe80⤵PID:2744
-
\??\c:\nntnbb.exec:\nntnbb.exe81⤵PID:3668
-
\??\c:\nhbnhb.exec:\nhbnhb.exe82⤵PID:4100
-
\??\c:\djjjv.exec:\djjjv.exe83⤵PID:4324
-
\??\c:\3pvjv.exec:\3pvjv.exe84⤵PID:2220
-
\??\c:\frrfrlx.exec:\frrfrlx.exe85⤵PID:748
-
\??\c:\3nhthb.exec:\3nhthb.exe86⤵PID:3684
-
\??\c:\bntnbb.exec:\bntnbb.exe87⤵PID:1220
-
\??\c:\bthbhh.exec:\bthbhh.exe88⤵PID:4464
-
\??\c:\5jdvd.exec:\5jdvd.exe89⤵PID:4868
-
\??\c:\frxrxrl.exec:\frxrxrl.exe90⤵PID:4468
-
\??\c:\nhbnhb.exec:\nhbnhb.exe91⤵PID:4000
-
\??\c:\jvpjv.exec:\jvpjv.exe92⤵PID:2656
-
\??\c:\xlrffff.exec:\xlrffff.exe93⤵PID:872
-
\??\c:\lfrfrll.exec:\lfrfrll.exe94⤵PID:1412
-
\??\c:\rlffrrl.exec:\rlffrrl.exe95⤵PID:740
-
\??\c:\nhtnbt.exec:\nhtnbt.exe96⤵PID:4960
-
\??\c:\hntnhb.exec:\hntnhb.exe97⤵PID:2888
-
\??\c:\dddpd.exec:\dddpd.exe98⤵PID:3068
-
\??\c:\7llxlfx.exec:\7llxlfx.exe99⤵PID:1768
-
\??\c:\rfrfrfr.exec:\rfrfrfr.exe100⤵PID:1760
-
\??\c:\5hbbtt.exec:\5hbbtt.exe101⤵PID:2912
-
\??\c:\bttnhh.exec:\bttnhh.exe102⤵PID:228
-
\??\c:\jjjdv.exec:\jjjdv.exe103⤵PID:5096
-
\??\c:\fxllfrx.exec:\fxllfrx.exe104⤵PID:2668
-
\??\c:\lfflflf.exec:\lfflflf.exe105⤵PID:1184
-
\??\c:\hnhnhn.exec:\hnhnhn.exe106⤵PID:608
-
\??\c:\ddddp.exec:\ddddp.exe107⤵PID:2020
-
\??\c:\pjpdj.exec:\pjpdj.exe108⤵PID:3028
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe109⤵PID:1912
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe110⤵PID:4768
-
\??\c:\xxxxlfx.exec:\xxxxlfx.exe111⤵PID:1320
-
\??\c:\bnhbnh.exec:\bnhbnh.exe112⤵PID:2748
-
\??\c:\tbbtbt.exec:\tbbtbt.exe113⤵PID:4716
-
\??\c:\vvppd.exec:\vvppd.exe114⤵PID:2208
-
\??\c:\dpdjd.exec:\dpdjd.exe115⤵PID:2892
-
\??\c:\lxrfrrl.exec:\lxrfrrl.exe116⤵PID:3612
-
\??\c:\3hnbnt.exec:\3hnbnt.exe117⤵PID:2024
-
\??\c:\hbbnbb.exec:\hbbnbb.exe118⤵PID:4724
-
\??\c:\pdvpd.exec:\pdvpd.exe119⤵PID:4256
-
\??\c:\vjjdp.exec:\vjjdp.exe120⤵PID:4544
-
\??\c:\lllrflf.exec:\lllrflf.exe121⤵
- System Location Discovery: System Language Discovery
PID:2760 -
\??\c:\ttnnnn.exec:\ttnnnn.exe122⤵PID:4392