Analysis
-
max time kernel
150s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 13:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
Resource
win7-20241010-en
6 signatures
150 seconds
General
-
Target
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
-
Size
66KB
-
MD5
1c92d3d625902c12c664fa6e4740d560
-
SHA1
da1f88e951cdacc56e3df95a3df4aea8c934170a
-
SHA256
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87
-
SHA512
61ba8905cbd610725ddd2c6007cae9f63690631464988f85e721ca23ba409a34865ff0288a11982ed89de652b50ba6ea1094fbff3551f4997e096e2a27d6445a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxes:ymb3NkkiQ3mdBjF0y7kbUs
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral2/memory/4048-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1760-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4048-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2440-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4716-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1624-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1244-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4836-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5020-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2824-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1868-98-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3904-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4468-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4644-122-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4852-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3936-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3720-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3616-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1532-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4736-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3452-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4156-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3232-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4556-193-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1760 7lrlffx.exe 2440 5nnhbt.exe 1244 5pvdv.exe 4836 rrrfxxr.exe 4716 rlfrlff.exe 1624 hbthtn.exe 640 tnnbhh.exe 4500 vjjdv.exe 2152 pvdpd.exe 5020 tntnbn.exe 2824 nhhbnn.exe 1048 dvppv.exe 1868 xlfxlff.exe 3904 hhthbt.exe 4468 httnbt.exe 1036 3djjp.exe 4644 lrrlxxl.exe 4852 nhttbt.exe 3936 nhhhbb.exe 3720 5jjdv.exe 2656 rlllffx.exe 3616 xrrrxxf.exe 1532 hhbtbt.exe 1660 nhhhnh.exe 4736 djjdv.exe 3452 llrxrxr.exe 4156 rxlfrrf.exe 3232 nhthhn.exe 4556 5jjdp.exe 2248 jvjjd.exe 3292 xllfrxx.exe 3056 3tnhnn.exe 1388 3pvvj.exe 2740 rffxllf.exe 2988 fffffff.exe 3684 7hbbtn.exe 4520 vvvpj.exe 376 vpvvv.exe 2528 flrlflf.exe 520 fxxxxlx.exe 4384 nnhhtt.exe 4080 tntnnn.exe 2080 ppjjd.exe 4752 dvpjd.exe 1620 xrxrllf.exe 1148 bthbbb.exe 4244 pddjd.exe 4716 5rxfxxx.exe 4128 7ttbnn.exe 5036 bhnnhh.exe 872 jpjdv.exe 2836 frxlffx.exe 3244 xxfxllf.exe 3692 ntbttt.exe 4144 vpppd.exe 2100 7ppjj.exe 1048 dvvpj.exe 4808 hhnnnn.exe 3020 tnbbbb.exe 2212 vvvpj.exe 4112 lllffff.exe 3600 ffllllr.exe 1544 tnttnt.exe 3936 9ntnhn.exe -
resource yara_rule behavioral2/memory/4048-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4048-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2440-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1244-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1244-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4716-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1624-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1244-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4836-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5020-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5020-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5020-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2824-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1868-98-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3904-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4468-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4644-122-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4852-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3936-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3720-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3616-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1532-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4736-170-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3452-176-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4156-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3232-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4556-193-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhhn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4048 wrote to memory of 1760 4048 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 84 PID 4048 wrote to memory of 1760 4048 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 84 PID 4048 wrote to memory of 1760 4048 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 84 PID 1760 wrote to memory of 2440 1760 7lrlffx.exe 85 PID 1760 wrote to memory of 2440 1760 7lrlffx.exe 85 PID 1760 wrote to memory of 2440 1760 7lrlffx.exe 85 PID 2440 wrote to memory of 1244 2440 5nnhbt.exe 86 PID 2440 wrote to memory of 1244 2440 5nnhbt.exe 86 PID 2440 wrote to memory of 1244 2440 5nnhbt.exe 86 PID 1244 wrote to memory of 4836 1244 5pvdv.exe 87 PID 1244 wrote to memory of 4836 1244 5pvdv.exe 87 PID 1244 wrote to memory of 4836 1244 5pvdv.exe 87 PID 4836 wrote to memory of 4716 4836 rrrfxxr.exe 88 PID 4836 wrote to memory of 4716 4836 rrrfxxr.exe 88 PID 4836 wrote to memory of 4716 4836 rrrfxxr.exe 88 PID 4716 wrote to memory of 1624 4716 rlfrlff.exe 89 PID 4716 wrote to memory of 1624 4716 rlfrlff.exe 89 PID 4716 wrote to memory of 1624 4716 rlfrlff.exe 89 PID 1624 wrote to memory of 640 1624 hbthtn.exe 90 PID 1624 wrote to memory of 640 1624 hbthtn.exe 90 PID 1624 wrote to memory of 640 1624 hbthtn.exe 90 PID 640 wrote to memory of 4500 640 tnnbhh.exe 91 PID 640 wrote to memory of 4500 640 tnnbhh.exe 91 PID 640 wrote to memory of 4500 640 tnnbhh.exe 91 PID 4500 wrote to memory of 2152 4500 vjjdv.exe 92 PID 4500 wrote to memory of 2152 4500 vjjdv.exe 92 PID 4500 wrote to memory of 2152 4500 vjjdv.exe 92 PID 2152 wrote to memory of 5020 2152 pvdpd.exe 93 PID 2152 wrote to memory of 5020 2152 pvdpd.exe 93 PID 2152 wrote to memory of 5020 2152 pvdpd.exe 93 PID 5020 wrote to memory of 2824 5020 tntnbn.exe 94 PID 5020 wrote to memory of 2824 5020 tntnbn.exe 94 PID 5020 wrote to memory of 2824 5020 tntnbn.exe 94 PID 2824 wrote to memory of 1048 2824 nhhbnn.exe 95 PID 2824 wrote to memory 
of 1048 2824 nhhbnn.exe 95 PID 2824 wrote to memory of 1048 2824 nhhbnn.exe 95 PID 1048 wrote to memory of 1868 1048 dvppv.exe 96 PID 1048 wrote to memory of 1868 1048 dvppv.exe 96 PID 1048 wrote to memory of 1868 1048 dvppv.exe 96 PID 1868 wrote to memory of 3904 1868 xlfxlff.exe 97 PID 1868 wrote to memory of 3904 1868 xlfxlff.exe 97 PID 1868 wrote to memory of 3904 1868 xlfxlff.exe 97 PID 3904 wrote to memory of 4468 3904 hhthbt.exe 98 PID 3904 wrote to memory of 4468 3904 hhthbt.exe 98 PID 3904 wrote to memory of 4468 3904 hhthbt.exe 98 PID 4468 wrote to memory of 1036 4468 httnbt.exe 99 PID 4468 wrote to memory of 1036 4468 httnbt.exe 99 PID 4468 wrote to memory of 1036 4468 httnbt.exe 99 PID 1036 wrote to memory of 4644 1036 3djjp.exe 100 PID 1036 wrote to memory of 4644 1036 3djjp.exe 100 PID 1036 wrote to memory of 4644 1036 3djjp.exe 100 PID 4644 wrote to memory of 4852 4644 lrrlxxl.exe 101 PID 4644 wrote to memory of 4852 4644 lrrlxxl.exe 101 PID 4644 wrote to memory of 4852 4644 lrrlxxl.exe 101 PID 4852 wrote to memory of 3936 4852 nhttbt.exe 102 PID 4852 wrote to memory of 3936 4852 nhttbt.exe 102 PID 4852 wrote to memory of 3936 4852 nhttbt.exe 102 PID 3936 wrote to memory of 3720 3936 nhhhbb.exe 103 PID 3936 wrote to memory of 3720 3936 nhhhbb.exe 103 PID 3936 wrote to memory of 3720 3936 nhhhbb.exe 103 PID 3720 wrote to memory of 2656 3720 5jjdv.exe 104 PID 3720 wrote to memory of 2656 3720 5jjdv.exe 104 PID 3720 wrote to memory of 2656 3720 5jjdv.exe 104 PID 2656 wrote to memory of 3616 2656 rlllffx.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\7lrlffx.exec:\7lrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\5nnhbt.exec:\5nnhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\5pvdv.exec:\5pvdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\rrrfxxr.exec:\rrrfxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\rlfrlff.exec:\rlfrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\hbthtn.exec:\hbthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\tnnbhh.exec:\tnnbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\vjjdv.exec:\vjjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\pvdpd.exec:\pvdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\tntnbn.exec:\tntnbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\nhhbnn.exec:\nhhbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\dvppv.exec:\dvppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\xlfxlff.exec:\xlfxlff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\hhthbt.exec:\hhthbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\httnbt.exec:\httnbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\3djjp.exec:\3djjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\lrrlxxl.exec:\lrrlxxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\nhttbt.exec:\nhttbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\nhhhbb.exec:\nhhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\5jjdv.exec:\5jjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\rlllffx.exec:\rlllffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\xrrrxxf.exec:\xrrrxxf.exe23⤵
- Executes dropped EXE
PID:3616 -
\??\c:\hhbtbt.exec:\hhbtbt.exe24⤵
- Executes dropped EXE
PID:1532 -
\??\c:\nhhhnh.exec:\nhhhnh.exe25⤵
- Executes dropped EXE
PID:1660 -
\??\c:\djjdv.exec:\djjdv.exe26⤵
- Executes dropped EXE
PID:4736 -
\??\c:\llrxrxr.exec:\llrxrxr.exe27⤵
- Executes dropped EXE
PID:3452 -
\??\c:\rxlfrrf.exec:\rxlfrrf.exe28⤵
- Executes dropped EXE
PID:4156 -
\??\c:\nhthhn.exec:\nhthhn.exe29⤵
- Executes dropped EXE
PID:3232 -
\??\c:\5jjdp.exec:\5jjdp.exe30⤵
- Executes dropped EXE
PID:4556 -
\??\c:\jvjjd.exec:\jvjjd.exe31⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xllfrxx.exec:\xllfrxx.exe32⤵
- Executes dropped EXE
PID:3292 -
\??\c:\3tnhnn.exec:\3tnhnn.exe33⤵
- Executes dropped EXE
PID:3056 -
\??\c:\3pvvj.exec:\3pvvj.exe34⤵
- Executes dropped EXE
PID:1388 -
\??\c:\rffxllf.exec:\rffxllf.exe35⤵
- Executes dropped EXE
PID:2740 -
\??\c:\fffffff.exec:\fffffff.exe36⤵
- Executes dropped EXE
PID:2988 -
\??\c:\7hbbtn.exec:\7hbbtn.exe37⤵
- Executes dropped EXE
PID:3684 -
\??\c:\vvvpj.exec:\vvvpj.exe38⤵
- Executes dropped EXE
PID:4520 -
\??\c:\vpvvv.exec:\vpvvv.exe39⤵
- Executes dropped EXE
PID:376 -
\??\c:\flrlflf.exec:\flrlflf.exe40⤵
- Executes dropped EXE
PID:2528 -
\??\c:\fxxxxlx.exec:\fxxxxlx.exe41⤵
- Executes dropped EXE
PID:520 -
\??\c:\nnhhtt.exec:\nnhhtt.exe42⤵
- Executes dropped EXE
PID:4384 -
\??\c:\tntnnn.exec:\tntnnn.exe43⤵
- Executes dropped EXE
PID:4080 -
\??\c:\ppjjd.exec:\ppjjd.exe44⤵
- Executes dropped EXE
PID:2080 -
\??\c:\dvpjd.exec:\dvpjd.exe45⤵
- Executes dropped EXE
PID:4752 -
\??\c:\xrxrllf.exec:\xrxrllf.exe46⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bthbbb.exec:\bthbbb.exe47⤵
- Executes dropped EXE
PID:1148 -
\??\c:\pddjd.exec:\pddjd.exe48⤵
- Executes dropped EXE
PID:4244 -
\??\c:\5rxfxxx.exec:\5rxfxxx.exe49⤵
- Executes dropped EXE
PID:4716 -
\??\c:\7ttbnn.exec:\7ttbnn.exe50⤵
- Executes dropped EXE
PID:4128 -
\??\c:\bhnnhh.exec:\bhnnhh.exe51⤵
- Executes dropped EXE
PID:5036 -
\??\c:\jpjdv.exec:\jpjdv.exe52⤵
- Executes dropped EXE
PID:872 -
\??\c:\frxlffx.exec:\frxlffx.exe53⤵
- Executes dropped EXE
PID:2836 -
\??\c:\xxfxllf.exec:\xxfxllf.exe54⤵
- Executes dropped EXE
PID:3244 -
\??\c:\ntbttt.exec:\ntbttt.exe55⤵
- Executes dropped EXE
PID:3692 -
\??\c:\vpppd.exec:\vpppd.exe56⤵
- Executes dropped EXE
PID:4144 -
\??\c:\7ppjj.exec:\7ppjj.exe57⤵
- Executes dropped EXE
PID:2100 -
\??\c:\dvvpj.exec:\dvvpj.exe58⤵
- Executes dropped EXE
PID:1048 -
\??\c:\hhnnnn.exec:\hhnnnn.exe59⤵
- Executes dropped EXE
PID:4808 -
\??\c:\tnbbbb.exec:\tnbbbb.exe60⤵
- Executes dropped EXE
PID:3020 -
\??\c:\vvvpj.exec:\vvvpj.exe61⤵
- Executes dropped EXE
PID:2212 -
\??\c:\lllffff.exec:\lllffff.exe62⤵
- Executes dropped EXE
PID:4112 -
\??\c:\ffllllr.exec:\ffllllr.exe63⤵
- Executes dropped EXE
PID:3600 -
\??\c:\tnttnt.exec:\tnttnt.exe64⤵
- Executes dropped EXE
PID:1544 -
\??\c:\9ntnhn.exec:\9ntnhn.exe65⤵
- Executes dropped EXE
PID:3936 -
\??\c:\5pjjp.exec:\5pjjp.exe66⤵PID:32
-
\??\c:\lxffxxx.exec:\lxffxxx.exe67⤵PID:1600
-
\??\c:\lxlxfxr.exec:\lxlxfxr.exe68⤵PID:2656
-
\??\c:\5nttnt.exec:\5nttnt.exe69⤵PID:3408
-
\??\c:\1htttb.exec:\1htttb.exe70⤵PID:2092
-
\??\c:\jpjdj.exec:\jpjdj.exe71⤵PID:368
-
\??\c:\lfllxxl.exec:\lfllxxl.exe72⤵
- System Location Discovery: System Language Discovery
PID:1200 -
\??\c:\rlffxxx.exec:\rlffxxx.exe73⤵PID:4600
-
\??\c:\5ntttt.exec:\5ntttt.exe74⤵PID:1028
-
\??\c:\jjpjp.exec:\jjpjp.exe75⤵PID:1800
-
\??\c:\pdvvp.exec:\pdvvp.exe76⤵PID:1316
-
\??\c:\5lrrlrr.exec:\5lrrlrr.exe77⤵PID:3232
-
\??\c:\5frfxfl.exec:\5frfxfl.exe78⤵PID:4440
-
\??\c:\hnbtnb.exec:\hnbtnb.exe79⤵PID:548
-
\??\c:\pppvj.exec:\pppvj.exe80⤵PID:1684
-
\??\c:\lxfffxx.exec:\lxfffxx.exe81⤵PID:3208
-
\??\c:\nbtnnn.exec:\nbtnnn.exe82⤵PID:64
-
\??\c:\pjjjj.exec:\pjjjj.exe83⤵PID:984
-
\??\c:\jjvjd.exec:\jjvjd.exe84⤵PID:4012
-
\??\c:\7rlllrr.exec:\7rlllrr.exe85⤵PID:4584
-
\??\c:\3nthtb.exec:\3nthtb.exe86⤵PID:4056
-
\??\c:\jpvvp.exec:\jpvvp.exe87⤵PID:3304
-
\??\c:\jdvdv.exec:\jdvdv.exe88⤵PID:4388
-
\??\c:\ffllrxf.exec:\ffllrxf.exe89⤵PID:4408
-
\??\c:\tttnnt.exec:\tttnnt.exe90⤵PID:2912
-
\??\c:\ntbntn.exec:\ntbntn.exe91⤵PID:1108
-
\??\c:\dvvpp.exec:\dvvpp.exe92⤵PID:1192
-
\??\c:\vvvvv.exec:\vvvvv.exe93⤵PID:3016
-
\??\c:\lxfxlrl.exec:\lxfxlrl.exe94⤵PID:472
-
\??\c:\1xlffff.exec:\1xlffff.exe95⤵PID:808
-
\??\c:\thnhbb.exec:\thnhbb.exe96⤵PID:3792
-
\??\c:\djjjd.exec:\djjjd.exe97⤵PID:772
-
\??\c:\jdjdv.exec:\jdjdv.exe98⤵PID:1968
-
\??\c:\xlxrlll.exec:\xlxrlll.exe99⤵PID:4444
-
\??\c:\ffllfll.exec:\ffllfll.exe100⤵PID:4304
-
\??\c:\tntttt.exec:\tntttt.exe101⤵PID:2520
-
\??\c:\9ntnbb.exec:\9ntnbb.exe102⤵PID:3044
-
\??\c:\jdjjd.exec:\jdjjd.exe103⤵PID:3268
-
\??\c:\ppppp.exec:\ppppp.exe104⤵PID:1756
-
\??\c:\xlrrflf.exec:\xlrrflf.exe105⤵PID:2100
-
\??\c:\rfffxxx.exec:\rfffxxx.exe106⤵PID:5084
-
\??\c:\tntbhh.exec:\tntbhh.exe107⤵PID:3040
-
\??\c:\jjjdd.exec:\jjjdd.exe108⤵PID:2564
-
\??\c:\vpddv.exec:\vpddv.exe109⤵PID:2712
-
\??\c:\xrlxrrr.exec:\xrlxrrr.exe110⤵PID:2212
-
\??\c:\lrffffr.exec:\lrffffr.exe111⤵PID:2452
-
\??\c:\btttnt.exec:\btttnt.exe112⤵PID:2616
-
\??\c:\htbbbn.exec:\htbbbn.exe113⤵PID:4940
-
\??\c:\pdvdp.exec:\pdvdp.exe114⤵PID:3972
-
\??\c:\djjdv.exec:\djjdv.exe115⤵PID:2604
-
\??\c:\llfxxrr.exec:\llfxxrr.exe116⤵PID:2656
-
\??\c:\lrxrlrx.exec:\lrxrlrx.exe117⤵PID:3272
-
\??\c:\bnbhtb.exec:\bnbhtb.exe118⤵PID:3584
-
\??\c:\3hhhbb.exec:\3hhhbb.exe119⤵PID:2524
-
\??\c:\djjdp.exec:\djjdp.exe120⤵PID:2508
-
\??\c:\vdppj.exec:\vdppj.exe121⤵PID:1028
-
\??\c:\9fflxfx.exec:\9fflxfx.exe122⤵PID:5100
-