Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
17/10/2024, 13:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
-
Size
66KB
-
MD5
5794f03936c353d89fafe0a0274c6e10
-
SHA1
84d00b43452b5cd12f9dfcbccb532b9640110e77
-
SHA256
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195de
-
SHA512
87a3e1f27258c37f316aefb6d9c6cf38e9b72ffded8f4333cd80742e4762aa1908eba2cf0a69ca1f416553575c86a1e3c57f744ec67532b8222501479931e595
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27BqflM:ymb3NkkiQ3mdBjFI9cqfa
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
resource yara_rule behavioral1/memory/2060-6-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2060-7-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2300-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2816-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2628-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2712-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2920-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2808-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2560-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2592-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1216-109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1936-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1440-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2836-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2760-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1080-155-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1632-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2480-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/344-175-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1496-185-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2132-203-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1052-211-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2112-247-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1652-256-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/984-265-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2244-275-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2004-302-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2300 fxlrxfl.exe 2816 hbbnbb.exe 2628 hbhhhn.exe 2712 dvjpv.exe 2920 tthnbh.exe 2808 pjppd.exe 2560 lfxfrlf.exe 2592 bbbtnb.exe 1216 ddpdp.exe 1936 xfxrlrx.exe 1440 hbntbb.exe 2836 ttttbh.exe 2760 pjjvj.exe 1080 pvddv.exe 1632 lfxfflx.exe 2480 5fxxxxr.exe 344 hbntbb.exe 1496 ttntnn.exe 2288 vvpjv.exe 2132 pjpdj.exe 1052 rrlxlrl.exe 1096 fxrxlxl.exe 900 tnhtht.exe 2472 nhnhtt.exe 2112 dvppv.exe 1652 7dvjj.exe 984 xrflxfr.exe 2244 bthnnn.exe 1068 9vpjp.exe 2308 dvjjv.exe 2004 dvpvj.exe 2816 ppdjv.exe 308 xrxxlff.exe 2768 htnnbb.exe 2724 nhhhhh.exe 1764 ddjpp.exe 2552 jdddj.exe 2736 lfxlxlf.exe 2808 5rflllx.exe 2528 hbhnbh.exe 2548 btbbbn.exe 2640 5jjjv.exe 2024 dvvdd.exe 2576 llffxff.exe 264 fxllrrx.exe 864 bbtbbt.exe 2828 1jjjv.exe 2604 7pppj.exe 3068 rrrrlll.exe 1548 rrlrxfl.exe 2468 tnbhnn.exe 3064 tbhtbt.exe 3048 jdvpv.exe 2096 vjdjp.exe 2992 9xlrxfr.exe 1856 lfrxffr.exe 1500 bbbtnt.exe 2120 vvjpp.exe 1096 vvpdp.exe 900 5lrxflr.exe 1748 1rxfxxl.exe 1692 btbbnh.exe 1864 nhnbnt.exe 608 jjjpv.exe -
resource yara_rule behavioral1/memory/2060-6-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2300-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2816-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2628-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2920-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2920-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2920-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2808-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2808-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2808-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2560-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2560-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2560-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2592-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2592-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2592-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1216-109-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1936-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1440-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2836-137-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2760-145-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1080-155-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1632-163-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2480-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/344-175-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1496-185-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2132-203-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1052-211-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2112-247-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1652-256-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/984-265-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2244-275-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2004-302-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here, by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Note that this key is also read by a great deal of legitimate software and runtime libraries, so this signature is a weak indicator on its own and should be weighed together with the Blackmoon/UPX memory hits and the process chain below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2300 2060 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 31 PID 2060 wrote to memory of 2300 2060 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 31 PID 2060 wrote to memory of 2300 2060 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 31 PID 2060 wrote to memory of 2300 2060 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 31 PID 2300 wrote to memory of 2816 2300 fxlrxfl.exe 32 PID 2300 wrote to memory of 2816 2300 fxlrxfl.exe 32 PID 2300 wrote to memory of 2816 2300 fxlrxfl.exe 32 PID 2300 wrote to memory of 2816 2300 fxlrxfl.exe 32 PID 2816 wrote to memory of 2628 2816 hbbnbb.exe 33 PID 2816 wrote to memory of 2628 2816 hbbnbb.exe 33 PID 2816 wrote to memory of 2628 2816 hbbnbb.exe 33 PID 2816 wrote to memory of 2628 2816 hbbnbb.exe 33 PID 2628 wrote to memory of 2712 2628 hbhhhn.exe 34 PID 2628 wrote to memory of 2712 2628 hbhhhn.exe 34 PID 2628 wrote to memory of 2712 2628 hbhhhn.exe 34 PID 2628 wrote to memory of 2712 2628 hbhhhn.exe 34 PID 2712 wrote to memory of 2920 2712 dvjpv.exe 35 PID 2712 wrote to memory of 2920 2712 dvjpv.exe 35 PID 2712 wrote to memory of 2920 2712 dvjpv.exe 35 PID 2712 wrote to memory of 2920 2712 dvjpv.exe 35 PID 2920 wrote to memory of 2808 2920 tthnbh.exe 36 PID 2920 wrote to memory of 2808 2920 tthnbh.exe 36 PID 2920 wrote to memory of 2808 2920 tthnbh.exe 36 PID 2920 wrote to memory of 2808 2920 tthnbh.exe 36 PID 2808 wrote to memory of 2560 2808 pjppd.exe 37 PID 2808 wrote to memory of 2560 2808 pjppd.exe 37 PID 2808 wrote to memory of 2560 2808 pjppd.exe 37 PID 2808 wrote to memory of 2560 2808 pjppd.exe 37 PID 2560 wrote to memory of 2592 2560 lfxfrlf.exe 38 PID 2560 wrote to memory of 2592 2560 lfxfrlf.exe 38 PID 2560 wrote to memory of 2592 2560 lfxfrlf.exe 38 PID 2560 wrote to memory of 2592 2560 lfxfrlf.exe 38 PID 2592 wrote to memory of 1216 2592 bbbtnb.exe 39 PID 2592 
wrote to memory of 1216 2592 bbbtnb.exe 39 PID 2592 wrote to memory of 1216 2592 bbbtnb.exe 39 PID 2592 wrote to memory of 1216 2592 bbbtnb.exe 39 PID 1216 wrote to memory of 1936 1216 ddpdp.exe 40 PID 1216 wrote to memory of 1936 1216 ddpdp.exe 40 PID 1216 wrote to memory of 1936 1216 ddpdp.exe 40 PID 1216 wrote to memory of 1936 1216 ddpdp.exe 40 PID 1936 wrote to memory of 1440 1936 xfxrlrx.exe 41 PID 1936 wrote to memory of 1440 1936 xfxrlrx.exe 41 PID 1936 wrote to memory of 1440 1936 xfxrlrx.exe 41 PID 1936 wrote to memory of 1440 1936 xfxrlrx.exe 41 PID 1440 wrote to memory of 2836 1440 hbntbb.exe 42 PID 1440 wrote to memory of 2836 1440 hbntbb.exe 42 PID 1440 wrote to memory of 2836 1440 hbntbb.exe 42 PID 1440 wrote to memory of 2836 1440 hbntbb.exe 42 PID 2836 wrote to memory of 2760 2836 ttttbh.exe 43 PID 2836 wrote to memory of 2760 2836 ttttbh.exe 43 PID 2836 wrote to memory of 2760 2836 ttttbh.exe 43 PID 2836 wrote to memory of 2760 2836 ttttbh.exe 43 PID 2760 wrote to memory of 1080 2760 pjjvj.exe 44 PID 2760 wrote to memory of 1080 2760 pjjvj.exe 44 PID 2760 wrote to memory of 1080 2760 pjjvj.exe 44 PID 2760 wrote to memory of 1080 2760 pjjvj.exe 44 PID 1080 wrote to memory of 1632 1080 pvddv.exe 45 PID 1080 wrote to memory of 1632 1080 pvddv.exe 45 PID 1080 wrote to memory of 1632 1080 pvddv.exe 45 PID 1080 wrote to memory of 1632 1080 pvddv.exe 45 PID 1632 wrote to memory of 2480 1632 lfxfflx.exe 46 PID 1632 wrote to memory of 2480 1632 lfxfflx.exe 46 PID 1632 wrote to memory of 2480 1632 lfxfflx.exe 46 PID 1632 wrote to memory of 2480 1632 lfxfflx.exe 46
Processes (tree view: every dropped executable is written to the root of C:\ and spawns the next stage; the memory-dump hits above all fall on the same 0x00400000–0x00429000 range in each stage, consistent with each drop being a copy of the same image. Several PIDs reappear later in the chain — e.g. 2060, 2816, 2808 — because earlier stages had already exited and the sandbox reused their PIDs, so PID alone is not a stable identifier when correlating these events; the "Process not Found" entries in the registry table are the same effect.)
-
C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\hbbnbb.exec:\hbbnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\hbhhhn.exec:\hbhhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\dvjpv.exec:\dvjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\tthnbh.exec:\tthnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\pjppd.exec:\pjppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\lfxfrlf.exec:\lfxfrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\bbbtnb.exec:\bbbtnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\ddpdp.exec:\ddpdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\xfxrlrx.exec:\xfxrlrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\hbntbb.exec:\hbntbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\ttttbh.exec:\ttttbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\pjjvj.exec:\pjjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\pvddv.exec:\pvddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\lfxfflx.exec:\lfxfflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\5fxxxxr.exec:\5fxxxxr.exe17⤵
- Executes dropped EXE
PID:2480 -
\??\c:\hbntbb.exec:\hbntbb.exe18⤵
- Executes dropped EXE
PID:344 -
\??\c:\ttntnn.exec:\ttntnn.exe19⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vvpjv.exec:\vvpjv.exe20⤵
- Executes dropped EXE
PID:2288 -
\??\c:\pjpdj.exec:\pjpdj.exe21⤵
- Executes dropped EXE
PID:2132 -
\??\c:\rrlxlrl.exec:\rrlxlrl.exe22⤵
- Executes dropped EXE
PID:1052 -
\??\c:\fxrxlxl.exec:\fxrxlxl.exe23⤵
- Executes dropped EXE
PID:1096 -
\??\c:\tnhtht.exec:\tnhtht.exe24⤵
- Executes dropped EXE
PID:900 -
\??\c:\nhnhtt.exec:\nhnhtt.exe25⤵
- Executes dropped EXE
PID:2472 -
\??\c:\dvppv.exec:\dvppv.exe26⤵
- Executes dropped EXE
PID:2112 -
\??\c:\7dvjj.exec:\7dvjj.exe27⤵
- Executes dropped EXE
PID:1652 -
\??\c:\xrflxfr.exec:\xrflxfr.exe28⤵
- Executes dropped EXE
PID:984 -
\??\c:\bthnnn.exec:\bthnnn.exe29⤵
- Executes dropped EXE
PID:2244 -
\??\c:\9vpjp.exec:\9vpjp.exe30⤵
- Executes dropped EXE
PID:1068 -
\??\c:\dvjjv.exec:\dvjjv.exe31⤵
- Executes dropped EXE
PID:2308 -
\??\c:\dvpvj.exec:\dvpvj.exe32⤵
- Executes dropped EXE
PID:2004 -
\??\c:\ppdjv.exec:\ppdjv.exe33⤵
- Executes dropped EXE
PID:2816 -
\??\c:\xrxxlff.exec:\xrxxlff.exe34⤵
- Executes dropped EXE
PID:308 -
\??\c:\htnnbb.exec:\htnnbb.exe35⤵
- Executes dropped EXE
PID:2768 -
\??\c:\nhhhhh.exec:\nhhhhh.exe36⤵
- Executes dropped EXE
PID:2724 -
\??\c:\ddjpp.exec:\ddjpp.exe37⤵
- Executes dropped EXE
PID:1764 -
\??\c:\jdddj.exec:\jdddj.exe38⤵
- Executes dropped EXE
PID:2552 -
\??\c:\lfxlxlf.exec:\lfxlxlf.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\5rflllx.exec:\5rflllx.exe40⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hbhnbh.exec:\hbhnbh.exe41⤵
- Executes dropped EXE
PID:2528 -
\??\c:\btbbbn.exec:\btbbbn.exe42⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5jjjv.exec:\5jjjv.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\dvvdd.exec:\dvvdd.exe44⤵
- Executes dropped EXE
PID:2024 -
\??\c:\llffxff.exec:\llffxff.exe45⤵
- Executes dropped EXE
PID:2576 -
\??\c:\fxllrrx.exec:\fxllrrx.exe46⤵
- Executes dropped EXE
PID:264 -
\??\c:\bbtbbt.exec:\bbtbbt.exe47⤵
- Executes dropped EXE
PID:864 -
\??\c:\1jjjv.exec:\1jjjv.exe48⤵
- Executes dropped EXE
PID:2828 -
\??\c:\7pppj.exec:\7pppj.exe49⤵
- Executes dropped EXE
PID:2604 -
\??\c:\rrrrlll.exec:\rrrrlll.exe50⤵
- Executes dropped EXE
PID:3068 -
\??\c:\rrlrxfl.exec:\rrlrxfl.exe51⤵
- Executes dropped EXE
PID:1548 -
\??\c:\tnbhnn.exec:\tnbhnn.exe52⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tbhtbt.exec:\tbhtbt.exe53⤵
- Executes dropped EXE
PID:3064 -
\??\c:\jdvpv.exec:\jdvpv.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048 -
\??\c:\vjdjp.exec:\vjdjp.exe55⤵
- Executes dropped EXE
PID:2096 -
\??\c:\9xlrxfr.exec:\9xlrxfr.exe56⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lfrxffr.exec:\lfrxffr.exe57⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bbbtnt.exec:\bbbtnt.exe58⤵
- Executes dropped EXE
PID:1500 -
\??\c:\vvjpp.exec:\vvjpp.exe59⤵
- Executes dropped EXE
PID:2120 -
\??\c:\vvpdp.exec:\vvpdp.exe60⤵
- Executes dropped EXE
PID:1096 -
\??\c:\5lrxflr.exec:\5lrxflr.exe61⤵
- Executes dropped EXE
PID:900 -
\??\c:\1rxfxxl.exec:\1rxfxxl.exe62⤵
- Executes dropped EXE
PID:1748 -
\??\c:\btbbnh.exec:\btbbnh.exe63⤵
- Executes dropped EXE
PID:1692 -
\??\c:\nhnbnt.exec:\nhnbnt.exe64⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jjjpv.exec:\jjjpv.exe65⤵
- Executes dropped EXE
PID:608 -
\??\c:\vpvpd.exec:\vpvpd.exe66⤵PID:1076
-
\??\c:\rfxflrx.exec:\rfxflrx.exe67⤵PID:1644
-
\??\c:\fflrfrl.exec:\fflrfrl.exe68⤵PID:2060
-
\??\c:\tththt.exec:\tththt.exe69⤵PID:760
-
\??\c:\3bbbhn.exec:\3bbbhn.exe70⤵PID:2696
-
\??\c:\jvjdj.exec:\jvjdj.exe71⤵PID:2004
-
\??\c:\vjjpv.exec:\vjjpv.exe72⤵PID:2180
-
\??\c:\7llrxfl.exec:\7llrxfl.exe73⤵PID:2668
-
\??\c:\lfrxxll.exec:\lfrxxll.exe74⤵PID:2936
-
\??\c:\hbhhht.exec:\hbhhht.exe75⤵PID:2664
-
\??\c:\5nhntt.exec:\5nhntt.exe76⤵PID:2780
-
\??\c:\3ppdj.exec:\3ppdj.exe77⤵PID:2252
-
\??\c:\pjjpj.exec:\pjjpj.exe78⤵PID:2572
-
\??\c:\frrlxxf.exec:\frrlxxf.exe79⤵PID:2688
-
\??\c:\9rfrffl.exec:\9rfrffl.exe80⤵PID:3028
-
\??\c:\bbthtb.exec:\bbthtb.exe81⤵PID:2568
-
\??\c:\1nhtnb.exec:\1nhtnb.exe82⤵PID:2356
-
\??\c:\jdppv.exec:\jdppv.exe83⤵PID:1216
-
\??\c:\ddvvv.exec:\ddvvv.exe84⤵PID:1936
-
\??\c:\llxxffl.exec:\llxxffl.exe85⤵PID:2268
-
\??\c:\llxflrf.exec:\llxflrf.exe86⤵PID:2036
-
\??\c:\nnhntb.exec:\nnhntb.exe87⤵PID:1772
-
\??\c:\9hbbnn.exec:\9hbbnn.exe88⤵PID:1912
-
\??\c:\pjdjj.exec:\pjdjj.exe89⤵PID:2016
-
\??\c:\3xlxffr.exec:\3xlxffr.exe90⤵PID:1784
-
\??\c:\xlxxffl.exec:\xlxxffl.exe91⤵PID:1956
-
\??\c:\nnhbbh.exec:\nnhbbh.exe92⤵PID:344
-
\??\c:\nnhttb.exec:\nnhttb.exe93⤵PID:2104
-
\??\c:\5vpdv.exec:\5vpdv.exe94⤵PID:2728
-
\??\c:\vvjvj.exec:\vvjvj.exe95⤵PID:2088
-
\??\c:\9lfxllx.exec:\9lfxllx.exe96⤵PID:2400
-
\??\c:\llflrxf.exec:\llflrxf.exe97⤵PID:3040
-
\??\c:\nhnntb.exec:\nhnntb.exe98⤵PID:1204
-
\??\c:\nhbtnn.exec:\nhbtnn.exe99⤵PID:632
-
\??\c:\jdjpv.exec:\jdjpv.exe100⤵PID:1820
-
\??\c:\dvppv.exec:\dvppv.exe101⤵PID:3004
-
\??\c:\xxxrxxf.exec:\xxxrxxf.exe102⤵PID:1176
-
\??\c:\rlfflrx.exec:\rlfflrx.exe103⤵PID:1652
-
\??\c:\nnnhtn.exec:\nnnhtn.exe104⤵PID:2248
-
\??\c:\nhhntb.exec:\nhhntb.exe105⤵PID:1824
-
\??\c:\3pvdp.exec:\3pvdp.exe106⤵PID:1988
-
\??\c:\ddjdj.exec:\ddjdj.exe107⤵PID:1592
-
\??\c:\lfxxllr.exec:\lfxxllr.exe108⤵PID:2488
-
\??\c:\ffxxrxr.exec:\ffxxrxr.exe109⤵PID:796
-
\??\c:\1bntbh.exec:\1bntbh.exe110⤵PID:2648
-
\??\c:\tnbbbh.exec:\tnbbbh.exe111⤵PID:2800
-
\??\c:\jdppv.exec:\jdppv.exe112⤵PID:2608
-
\??\c:\ddvdd.exec:\ddvdd.exe113⤵PID:2672
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe114⤵PID:2724
-
\??\c:\9ffxllr.exec:\9ffxllr.exe115⤵PID:2680
-
\??\c:\9hbnbt.exec:\9hbnbt.exe116⤵PID:2872
-
\??\c:\nbnbbh.exec:\nbnbbh.exe117⤵PID:2788
-
\??\c:\pjdjj.exec:\pjdjj.exe118⤵PID:2512
-
\??\c:\jvjpd.exec:\jvjpd.exe119⤵PID:2588
-
\??\c:\pjdvd.exec:\pjdvd.exe120⤵PID:2152
-
\??\c:\rlflrrf.exec:\rlflrrf.exe121⤵PID:2592
-
\??\c:\5xxlrfl.exec:\5xxlrfl.exe122⤵PID:2332
-