Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 13:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
-
Size
66KB
-
MD5
5794f03936c353d89fafe0a0274c6e10
-
SHA1
84d00b43452b5cd12f9dfcbccb532b9640110e77
-
SHA256
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195de
-
SHA512
87a3e1f27258c37f316aefb6d9c6cf38e9b72ffded8f4333cd80742e4762aa1908eba2cf0a69ca1f416553575c86a1e3c57f744ec67532b8222501479931e595
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27BqflM:ymb3NkkiQ3mdBjFI9cqfa
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
resource yara_rule behavioral2/memory/4680-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4680-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/544-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/544-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4032-21-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4068-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3516-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1840-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/320-60-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2000-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/404-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1156-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3556-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2320-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3524-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1012-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1336-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3864-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3708-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4252-131-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1592-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3320-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1940-155-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1540-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3776-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3112-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 544 fflfxrf.exe 4032 nhnnhh.exe 4068 dpjdv.exe 3516 3lrfrrr.exe 1876 thbbnn.exe 1840 9ntntt.exe 320 jppjd.exe 2000 hbttnh.exe 404 pjvvd.exe 1156 1lfxrrl.exe 3556 fxlflfl.exe 2320 hhhbtt.exe 3524 vpddd.exe 1012 frlxllx.exe 1336 3thhbb.exe 3864 pdjjv.exe 3708 llffxxr.exe 4252 bhhhtt.exe 1592 1jppp.exe 3320 rlfrxxr.exe 5016 tnhnht.exe 1940 5tbbtt.exe 3032 1ppdv.exe 3776 xrrlfxx.exe 1540 frxrrrr.exe 1008 ntttbt.exe 4944 tnnthh.exe 1852 vjjjj.exe 3112 flxxfxr.exe 4620 rlrffxx.exe 2168 jddvv.exe 1416 ddddv.exe 4964 lflfrrl.exe 4400 3ntnhh.exe 4000 1jvpp.exe 4116 pjpjj.exe 2352 rrllfrl.exe 3992 3nnntn.exe 4348 btbhhh.exe 4472 1pvvp.exe 4480 ffxrrrf.exe 4828 rllfxfx.exe 5024 ntnbnt.exe 1564 vvpdv.exe 4564 1jjdd.exe 412 lflxfxf.exe 2944 rrxxrlr.exe 400 hnhhbh.exe 4228 nhnhbt.exe 4184 jdjdj.exe 1052 ddvpd.exe 2796 xrfrffx.exe 4624 frlxfff.exe 5048 hntbhn.exe 2060 btnhbt.exe 3556 jjjpv.exe 2536 fllrfxf.exe 1924 rfrlfxl.exe 2280 fxxrxxl.exe 3560 tntnhn.exe 2392 vvdvp.exe 436 pdpjp.exe 3224 lrxrllr.exe 3568 rfxrffx.exe -
resource yara_rule behavioral2/memory/4680-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4680-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/544-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/544-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/544-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/544-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4032-21-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4068-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4068-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3516-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1840-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1840-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1840-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1840-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/320-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2000-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/404-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1156-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3556-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2320-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3524-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1012-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1336-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3864-120-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3708-126-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4252-131-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1592-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3320-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1940-155-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1540-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3776-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3112-197-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4680 wrote to memory of 544 4680 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 84 PID 4680 wrote to memory of 544 4680 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 84 PID 4680 wrote to memory of 544 4680 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 84 PID 544 wrote to memory of 4032 544 fflfxrf.exe 85 PID 544 wrote to memory of 4032 544 fflfxrf.exe 85 PID 544 wrote to memory of 4032 544 fflfxrf.exe 85 PID 4032 wrote to memory of 4068 4032 nhnnhh.exe 86 PID 4032 wrote to memory of 4068 4032 nhnnhh.exe 86 PID 4032 wrote to memory of 4068 4032 nhnnhh.exe 86 PID 4068 wrote to memory of 3516 4068 dpjdv.exe 87 PID 4068 wrote to memory of 3516 4068 dpjdv.exe 87 PID 4068 wrote to memory of 3516 4068 dpjdv.exe 87 PID 3516 wrote to memory of 1876 3516 3lrfrrr.exe 88 PID 3516 wrote to memory of 1876 3516 3lrfrrr.exe 88 PID 3516 wrote to memory of 1876 3516 3lrfrrr.exe 88 PID 1876 wrote to memory of 1840 1876 thbbnn.exe 89 PID 1876 wrote to memory of 1840 1876 thbbnn.exe 89 PID 1876 wrote to memory of 1840 1876 thbbnn.exe 89 PID 1840 wrote to memory of 320 1840 9ntntt.exe 90 PID 1840 wrote to memory of 320 1840 9ntntt.exe 90 PID 1840 wrote to memory of 320 1840 9ntntt.exe 90 PID 320 wrote to memory of 2000 320 jppjd.exe 91 PID 320 wrote to memory of 2000 320 jppjd.exe 91 PID 320 wrote to memory of 2000 320 jppjd.exe 91 PID 2000 wrote to memory of 404 2000 hbttnh.exe 92 PID 2000 wrote to memory of 404 2000 hbttnh.exe 92 PID 2000 wrote to memory of 404 2000 hbttnh.exe 92 PID 404 wrote to memory of 1156 404 pjvvd.exe 93 PID 404 wrote to memory of 1156 404 pjvvd.exe 93 PID 404 wrote to memory of 1156 404 pjvvd.exe 93 PID 1156 wrote to memory of 3556 1156 1lfxrrl.exe 94 PID 1156 wrote to memory of 3556 1156 1lfxrrl.exe 94 PID 1156 wrote to memory of 3556 1156 1lfxrrl.exe 94 PID 3556 wrote to memory of 2320 3556 fxlflfl.exe 95 PID 3556 wrote to memory of 2320 3556 
fxlflfl.exe 95 PID 3556 wrote to memory of 2320 3556 fxlflfl.exe 95 PID 2320 wrote to memory of 3524 2320 hhhbtt.exe 96 PID 2320 wrote to memory of 3524 2320 hhhbtt.exe 96 PID 2320 wrote to memory of 3524 2320 hhhbtt.exe 96 PID 3524 wrote to memory of 1012 3524 vpddd.exe 97 PID 3524 wrote to memory of 1012 3524 vpddd.exe 97 PID 3524 wrote to memory of 1012 3524 vpddd.exe 97 PID 1012 wrote to memory of 1336 1012 frlxllx.exe 98 PID 1012 wrote to memory of 1336 1012 frlxllx.exe 98 PID 1012 wrote to memory of 1336 1012 frlxllx.exe 98 PID 1336 wrote to memory of 3864 1336 3thhbb.exe 100 PID 1336 wrote to memory of 3864 1336 3thhbb.exe 100 PID 1336 wrote to memory of 3864 1336 3thhbb.exe 100 PID 3864 wrote to memory of 3708 3864 pdjjv.exe 101 PID 3864 wrote to memory of 3708 3864 pdjjv.exe 101 PID 3864 wrote to memory of 3708 3864 pdjjv.exe 101 PID 3708 wrote to memory of 4252 3708 llffxxr.exe 102 PID 3708 wrote to memory of 4252 3708 llffxxr.exe 102 PID 3708 wrote to memory of 4252 3708 llffxxr.exe 102 PID 4252 wrote to memory of 1592 4252 bhhhtt.exe 103 PID 4252 wrote to memory of 1592 4252 bhhhtt.exe 103 PID 4252 wrote to memory of 1592 4252 bhhhtt.exe 103 PID 1592 wrote to memory of 3320 1592 1jppp.exe 104 PID 1592 wrote to memory of 3320 1592 1jppp.exe 104 PID 1592 wrote to memory of 3320 1592 1jppp.exe 104 PID 3320 wrote to memory of 5016 3320 rlfrxxr.exe 105 PID 3320 wrote to memory of 5016 3320 rlfrxxr.exe 105 PID 3320 wrote to memory of 5016 3320 rlfrxxr.exe 105 PID 5016 wrote to memory of 1940 5016 tnhnht.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\fflfxrf.exec:\fflfxrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\nhnnhh.exec:\nhnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\dpjdv.exec:\dpjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\3lrfrrr.exec:\3lrfrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\thbbnn.exec:\thbbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\9ntntt.exec:\9ntntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\jppjd.exec:\jppjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\hbttnh.exec:\hbttnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\pjvvd.exec:\pjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\1lfxrrl.exec:\1lfxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\fxlflfl.exec:\fxlflfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\hhhbtt.exec:\hhhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\vpddd.exec:\vpddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\frlxllx.exec:\frlxllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\3thhbb.exec:\3thhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\pdjjv.exec:\pdjjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\llffxxr.exec:\llffxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\bhhhtt.exec:\bhhhtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\1jppp.exec:\1jppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\rlfrxxr.exec:\rlfrxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\tnhnht.exec:\tnhnht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\5tbbtt.exec:\5tbbtt.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1ppdv.exec:\1ppdv.exe24⤵
- Executes dropped EXE
PID:3032 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe25⤵
- Executes dropped EXE
PID:3776 -
\??\c:\frxrrrr.exec:\frxrrrr.exe26⤵
- Executes dropped EXE
PID:1540 -
\??\c:\ntttbt.exec:\ntttbt.exe27⤵
- Executes dropped EXE
PID:1008 -
\??\c:\tnnthh.exec:\tnnthh.exe28⤵
- Executes dropped EXE
PID:4944 -
\??\c:\vjjjj.exec:\vjjjj.exe29⤵
- Executes dropped EXE
PID:1852 -
\??\c:\flxxfxr.exec:\flxxfxr.exe30⤵
- Executes dropped EXE
PID:3112 -
\??\c:\rlrffxx.exec:\rlrffxx.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4620 -
\??\c:\jddvv.exec:\jddvv.exe32⤵
- Executes dropped EXE
PID:2168 -
\??\c:\ddddv.exec:\ddddv.exe33⤵
- Executes dropped EXE
PID:1416 -
\??\c:\lflfrrl.exec:\lflfrrl.exe34⤵
- Executes dropped EXE
PID:4964 -
\??\c:\3ntnhh.exec:\3ntnhh.exe35⤵
- Executes dropped EXE
PID:4400 -
\??\c:\1jvpp.exec:\1jvpp.exe36⤵
- Executes dropped EXE
PID:4000 -
\??\c:\pjpjj.exec:\pjpjj.exe37⤵
- Executes dropped EXE
PID:4116 -
\??\c:\rrllfrl.exec:\rrllfrl.exe38⤵
- Executes dropped EXE
PID:2352 -
\??\c:\3nnntn.exec:\3nnntn.exe39⤵
- Executes dropped EXE
PID:3992 -
\??\c:\btbhhh.exec:\btbhhh.exe40⤵
- Executes dropped EXE
PID:4348 -
\??\c:\1pvvp.exec:\1pvvp.exe41⤵
- Executes dropped EXE
PID:4472 -
\??\c:\ffxrrrf.exec:\ffxrrrf.exe42⤵
- Executes dropped EXE
PID:4480 -
\??\c:\rllfxfx.exec:\rllfxfx.exe43⤵
- Executes dropped EXE
PID:4828 -
\??\c:\ntnbnt.exec:\ntnbnt.exe44⤵
- Executes dropped EXE
PID:5024 -
\??\c:\vvpdv.exec:\vvpdv.exe45⤵
- Executes dropped EXE
PID:1564 -
\??\c:\1jjdd.exec:\1jjdd.exe46⤵
- Executes dropped EXE
PID:4564 -
\??\c:\lflxfxf.exec:\lflxfxf.exe47⤵
- Executes dropped EXE
PID:412 -
\??\c:\rrxxrlr.exec:\rrxxrlr.exe48⤵
- Executes dropped EXE
PID:2944 -
\??\c:\hnhhbh.exec:\hnhhbh.exe49⤵
- Executes dropped EXE
PID:400 -
\??\c:\nhnhbt.exec:\nhnhbt.exe50⤵
- Executes dropped EXE
PID:4228 -
\??\c:\jdjdj.exec:\jdjdj.exe51⤵
- Executes dropped EXE
PID:4184 -
\??\c:\ddvpd.exec:\ddvpd.exe52⤵
- Executes dropped EXE
PID:1052 -
\??\c:\xrfrffx.exec:\xrfrffx.exe53⤵
- Executes dropped EXE
PID:2796 -
\??\c:\frlxfff.exec:\frlxfff.exe54⤵
- Executes dropped EXE
PID:4624 -
\??\c:\hntbhn.exec:\hntbhn.exe55⤵
- Executes dropped EXE
PID:5048 -
\??\c:\btnhbt.exec:\btnhbt.exe56⤵
- Executes dropped EXE
PID:2060 -
\??\c:\jjjpv.exec:\jjjpv.exe57⤵
- Executes dropped EXE
PID:3556 -
\??\c:\fllrfxf.exec:\fllrfxf.exe58⤵
- Executes dropped EXE
PID:2536 -
\??\c:\rfrlfxl.exec:\rfrlfxl.exe59⤵
- Executes dropped EXE
PID:1924 -
\??\c:\fxxrxxl.exec:\fxxrxxl.exe60⤵
- Executes dropped EXE
PID:2280 -
\??\c:\tntnhn.exec:\tntnhn.exe61⤵
- Executes dropped EXE
PID:3560 -
\??\c:\vvdvp.exec:\vvdvp.exe62⤵
- Executes dropped EXE
PID:2392 -
\??\c:\pdpjp.exec:\pdpjp.exe63⤵
- Executes dropped EXE
PID:436 -
\??\c:\lrxrllr.exec:\lrxrllr.exe64⤵
- Executes dropped EXE
PID:3224 -
\??\c:\rfxrffx.exec:\rfxrffx.exe65⤵
- Executes dropped EXE
PID:3568 -
\??\c:\nhnbbt.exec:\nhnbbt.exe66⤵PID:4928
-
\??\c:\tbhbtt.exec:\tbhbtt.exe67⤵PID:4936
-
\??\c:\ddddp.exec:\ddddp.exe68⤵PID:2372
-
\??\c:\vppjd.exec:\vppjd.exe69⤵PID:1352
-
\??\c:\lfxrlff.exec:\lfxrlff.exe70⤵PID:2344
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe71⤵PID:3232
-
\??\c:\htnhbt.exec:\htnhbt.exe72⤵PID:2144
-
\??\c:\dvpjd.exec:\dvpjd.exe73⤵PID:1944
-
\??\c:\jvjdp.exec:\jvjdp.exe74⤵PID:1292
-
\??\c:\frxrfxf.exec:\frxrfxf.exe75⤵PID:4664
-
\??\c:\lrxfxfx.exec:\lrxfxfx.exe76⤵PID:2524
-
\??\c:\hbhbtn.exec:\hbhbtn.exe77⤵PID:2016
-
\??\c:\nhnnnn.exec:\nhnnnn.exe78⤵PID:896
-
\??\c:\vvddj.exec:\vvddj.exe79⤵PID:4092
-
\??\c:\jpjjd.exec:\jpjjd.exe80⤵PID:3052
-
\??\c:\xxxlfxf.exec:\xxxlfxf.exe81⤵PID:4108
-
\??\c:\nhtthb.exec:\nhtthb.exe82⤵PID:4292
-
\??\c:\9hhttn.exec:\9hhttn.exe83⤵PID:2752
-
\??\c:\dvpjj.exec:\dvpjj.exe84⤵PID:372
-
\??\c:\dpjpj.exec:\dpjpj.exe85⤵PID:1348
-
\??\c:\frllrxf.exec:\frllrxf.exe86⤵PID:2352
-
\??\c:\nnbttn.exec:\nnbttn.exe87⤵PID:3068
-
\??\c:\nntnnn.exec:\nntnnn.exe88⤵PID:4360
-
\??\c:\vvjdj.exec:\vvjdj.exe89⤵PID:2288
-
\??\c:\3dddp.exec:\3dddp.exe90⤵PID:3308
-
\??\c:\ffrrrrl.exec:\ffrrrrl.exe91⤵PID:3664
-
\??\c:\bbbtnn.exec:\bbbtnn.exe92⤵PID:1660
-
\??\c:\jdpjj.exec:\jdpjj.exe93⤵PID:1548
-
\??\c:\ffrlxxx.exec:\ffrlxxx.exe94⤵PID:3516
-
\??\c:\3rlfxxr.exec:\3rlfxxr.exe95⤵PID:1876
-
\??\c:\bbbbth.exec:\bbbbth.exe96⤵PID:3048
-
\??\c:\bttnhb.exec:\bttnhb.exe97⤵PID:2728
-
\??\c:\vpddv.exec:\vpddv.exe98⤵PID:1812
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe99⤵PID:1832
-
\??\c:\lrxxflf.exec:\lrxxflf.exe100⤵PID:5000
-
\??\c:\nhbhht.exec:\nhbhht.exe101⤵PID:2000
-
\??\c:\hhtnhh.exec:\hhtnhh.exe102⤵PID:312
-
\??\c:\jjjdd.exec:\jjjdd.exe103⤵PID:3608
-
\??\c:\flxrrxx.exec:\flxrrxx.exe104⤵PID:4388
-
\??\c:\bbbhhh.exec:\bbbhhh.exe105⤵PID:1844
-
\??\c:\nhtttt.exec:\nhtttt.exe106⤵PID:3120
-
\??\c:\lxxxffl.exec:\lxxxffl.exe107⤵PID:3044
-
\??\c:\xrfflll.exec:\xrfflll.exe108⤵PID:1980
-
\??\c:\bthhhn.exec:\bthhhn.exe109⤵PID:4832
-
\??\c:\vdppv.exec:\vdppv.exe110⤵PID:436
-
\??\c:\jdjdd.exec:\jdjdd.exe111⤵PID:4412
-
\??\c:\rxlflll.exec:\rxlflll.exe112⤵PID:2900
-
\??\c:\bbhhbt.exec:\bbhhbt.exe113⤵PID:4864
-
\??\c:\ddjjj.exec:\ddjjj.exe114⤵PID:3652
-
\??\c:\fxxfflf.exec:\fxxfflf.exe115⤵PID:3368
-
\??\c:\3fffxfx.exec:\3fffxfx.exe116⤵PID:3352
-
\??\c:\tnhttb.exec:\tnhttb.exe117⤵PID:556
-
\??\c:\tntnhn.exec:\tntnhn.exe118⤵PID:1376
-
\??\c:\jppjj.exec:\jppjj.exe119⤵PID:2312
-
\??\c:\5pjdv.exec:\5pjdv.exe120⤵PID:4452
-
\??\c:\3lrrllr.exec:\3lrrllr.exe121⤵PID:2052
-
\??\c:\rxxflxx.exec:\rxxflxx.exe122⤵PID:3112