Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 14:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
-
Size
65KB
-
MD5
f859945ee111dbf2258f6722fc6555c0
-
SHA1
06e5c4319a815b98dae52f216b58d3923de9df63
-
SHA256
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963c
-
SHA512
ea0d755e1b4c350f2b6e9869d1a16f1c4f52a2ea12bfe5792526051995b2266040977f8d3b257b6b15ca64956907a0220189bf51f911c22c1a890c7b89b22ab5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Q:ymb3NkkiQ3mdBjFI99
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
resource yara_rule behavioral2/memory/4608-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5052-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4608-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4992-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4992-22-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/868-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2040-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4148-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4992-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3768-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3488-68-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5028-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4420-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1100-91-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3284-97-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3460-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4376-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2060-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2424-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/436-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5064-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4068-169-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3232-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4076-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2304-194-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4084-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5052 dvdpd.exe 4992 pjdvp.exe 212 3xxxxxx.exe 868 btttnn.exe 2040 bbbbtb.exe 4148 vpjdv.exe 5028 vpjdp.exe 3488 fffrlfx.exe 3768 nhbthh.exe 4420 dpdvv.exe 1100 flllflf.exe 3284 7nhbnh.exe 3708 nnthbt.exe 3460 jdjdp.exe 4376 3lfrlfr.exe 2060 xrfxrxr.exe 2424 hhhhhh.exe 1564 pvpdv.exe 436 3ffxrlf.exe 4676 7ffxrff.exe 5064 5hhbnh.exe 2972 nnnhnn.exe 1644 vvddd.exe 4068 7ppjd.exe 3352 7lfxfxr.exe 3232 hbbtnb.exe 4076 dvpjd.exe 2304 dvvvp.exe 3324 1jjdv.exe 4084 lxfxlff.exe 4512 rllxrlf.exe 3564 btthhb.exe 2152 hbbttt.exe 3720 5dvdp.exe 816 jdjjv.exe 4900 rrlfrrr.exe 1944 1rfxrlx.exe 2464 hbtttt.exe 2888 1bbthb.exe 4604 bhnbht.exe 1028 jvdvj.exe 1484 thbtnh.exe 4532 bnbbtt.exe 4452 pdvvj.exe 2376 pjpvj.exe 4768 lflxxxl.exe 704 nhhttt.exe 348 nhbthh.exe 2980 ddddp.exe 1536 5ppjp.exe 4100 lfrffxx.exe 3488 lxrrllf.exe 4956 btbtnh.exe 2700 nhnhhh.exe 2016 1pvpj.exe 1032 rllxrll.exe 220 nbhbbn.exe 2768 3nhbnh.exe 1796 ppvpd.exe 852 pddvp.exe 3192 lxxrrrl.exe 912 hbnttt.exe 2436 nhbnhb.exe 1632 vvpjp.exe -
resource yara_rule behavioral2/memory/4608-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5052-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4608-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4992-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/212-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/868-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2040-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4148-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4148-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5028-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5028-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3768-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3488-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5028-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4420-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4420-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4420-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1100-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3284-97-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3460-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4376-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2060-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2424-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/436-140-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/5064-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4068-169-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3232-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4076-190-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2304-194-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4084-205-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4608 wrote to memory of 5052 4608 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 84 PID 4608 wrote to memory of 5052 4608 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 84 PID 4608 wrote to memory of 5052 4608 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 84 PID 5052 wrote to memory of 4992 5052 dvdpd.exe 85 PID 5052 wrote to memory of 4992 5052 dvdpd.exe 85 PID 5052 wrote to memory of 4992 5052 dvdpd.exe 85 PID 4992 wrote to memory of 212 4992 pjdvp.exe 86 PID 4992 wrote to memory of 212 4992 pjdvp.exe 86 PID 4992 wrote to memory of 212 4992 pjdvp.exe 86 PID 212 wrote to memory of 868 212 3xxxxxx.exe 87 PID 212 wrote to memory of 868 212 3xxxxxx.exe 87 PID 212 wrote to memory of 868 212 3xxxxxx.exe 87 PID 868 wrote to memory of 2040 868 btttnn.exe 88 PID 868 wrote to memory of 2040 868 btttnn.exe 88 PID 868 wrote to memory of 2040 868 btttnn.exe 88 PID 2040 wrote to memory of 4148 2040 bbbbtb.exe 89 PID 2040 wrote to memory of 4148 2040 bbbbtb.exe 89 PID 2040 wrote to memory of 4148 2040 bbbbtb.exe 89 PID 4148 wrote to memory of 5028 4148 vpjdv.exe 90 PID 4148 wrote to memory of 5028 4148 vpjdv.exe 90 PID 4148 wrote to memory of 5028 4148 vpjdv.exe 90 PID 5028 wrote to memory of 3488 5028 vpjdp.exe 91 PID 5028 wrote to memory of 3488 5028 vpjdp.exe 91 PID 5028 wrote to memory of 3488 5028 vpjdp.exe 91 PID 3488 wrote to memory of 3768 3488 fffrlfx.exe 92 PID 3488 wrote to memory of 3768 3488 fffrlfx.exe 92 PID 3488 wrote to memory of 3768 3488 fffrlfx.exe 92 PID 3768 wrote to memory of 4420 3768 nhbthh.exe 93 PID 3768 wrote to memory of 4420 3768 nhbthh.exe 93 PID 3768 wrote to memory of 4420 3768 nhbthh.exe 93 PID 4420 wrote to memory of 1100 4420 dpdvv.exe 94 PID 4420 wrote to memory of 1100 4420 dpdvv.exe 94 PID 4420 wrote to memory of 1100 4420 dpdvv.exe 94 PID 1100 wrote to memory of 3284 1100 flllflf.exe 95 PID 1100 wrote to memory of 3284 1100 
flllflf.exe 95 PID 1100 wrote to memory of 3284 1100 flllflf.exe 95 PID 3284 wrote to memory of 3708 3284 7nhbnh.exe 96 PID 3284 wrote to memory of 3708 3284 7nhbnh.exe 96 PID 3284 wrote to memory of 3708 3284 7nhbnh.exe 96 PID 3708 wrote to memory of 3460 3708 nnthbt.exe 98 PID 3708 wrote to memory of 3460 3708 nnthbt.exe 98 PID 3708 wrote to memory of 3460 3708 nnthbt.exe 98 PID 3460 wrote to memory of 4376 3460 jdjdp.exe 99 PID 3460 wrote to memory of 4376 3460 jdjdp.exe 99 PID 3460 wrote to memory of 4376 3460 jdjdp.exe 99 PID 4376 wrote to memory of 2060 4376 3lfrlfr.exe 100 PID 4376 wrote to memory of 2060 4376 3lfrlfr.exe 100 PID 4376 wrote to memory of 2060 4376 3lfrlfr.exe 100 PID 2060 wrote to memory of 2424 2060 xrfxrxr.exe 101 PID 2060 wrote to memory of 2424 2060 xrfxrxr.exe 101 PID 2060 wrote to memory of 2424 2060 xrfxrxr.exe 101 PID 2424 wrote to memory of 1564 2424 hhhhhh.exe 102 PID 2424 wrote to memory of 1564 2424 hhhhhh.exe 102 PID 2424 wrote to memory of 1564 2424 hhhhhh.exe 102 PID 1564 wrote to memory of 436 1564 pvpdv.exe 103 PID 1564 wrote to memory of 436 1564 pvpdv.exe 103 PID 1564 wrote to memory of 436 1564 pvpdv.exe 103 PID 436 wrote to memory of 4676 436 3ffxrlf.exe 104 PID 436 wrote to memory of 4676 436 3ffxrlf.exe 104 PID 436 wrote to memory of 4676 436 3ffxrlf.exe 104 PID 4676 wrote to memory of 5064 4676 7ffxrff.exe 105 PID 4676 wrote to memory of 5064 4676 7ffxrff.exe 105 PID 4676 wrote to memory of 5064 4676 7ffxrff.exe 105 PID 5064 wrote to memory of 2972 5064 5hhbnh.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe"C:\Users\Admin\AppData\Local\Temp\08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\dvdpd.exec:\dvdpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\pjdvp.exec:\pjdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\3xxxxxx.exec:\3xxxxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\btttnn.exec:\btttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\bbbbtb.exec:\bbbbtb.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\vpjdv.exec:\vpjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\vpjdp.exec:\vpjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\fffrlfx.exec:\fffrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\nhbthh.exec:\nhbthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\dpdvv.exec:\dpdvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\flllflf.exec:\flllflf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\7nhbnh.exec:\7nhbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\nnthbt.exec:\nnthbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\jdjdp.exec:\jdjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\3lfrlfr.exec:\3lfrlfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\xrfxrxr.exec:\xrfxrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\hhhhhh.exec:\hhhhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\pvpdv.exec:\pvpdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\3ffxrlf.exec:\3ffxrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\7ffxrff.exec:\7ffxrff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\5hhbnh.exec:\5hhbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\nnnhnn.exec:\nnnhnn.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972 -
\??\c:\vvddd.exec:\vvddd.exe24⤵
- Executes dropped EXE
PID:1644 -
\??\c:\7ppjd.exec:\7ppjd.exe25⤵
- Executes dropped EXE
PID:4068 -
\??\c:\7lfxfxr.exec:\7lfxfxr.exe26⤵
- Executes dropped EXE
PID:3352 -
\??\c:\hbbtnb.exec:\hbbtnb.exe27⤵
- Executes dropped EXE
PID:3232 -
\??\c:\dvpjd.exec:\dvpjd.exe28⤵
- Executes dropped EXE
PID:4076 -
\??\c:\dvvvp.exec:\dvvvp.exe29⤵
- Executes dropped EXE
PID:2304 -
\??\c:\1jjdv.exec:\1jjdv.exe30⤵
- Executes dropped EXE
PID:3324 -
\??\c:\lxfxlff.exec:\lxfxlff.exe31⤵
- Executes dropped EXE
PID:4084 -
\??\c:\rllxrlf.exec:\rllxrlf.exe32⤵
- Executes dropped EXE
PID:4512 -
\??\c:\btthhb.exec:\btthhb.exe33⤵
- Executes dropped EXE
PID:3564 -
\??\c:\hbbttt.exec:\hbbttt.exe34⤵
- Executes dropped EXE
PID:2152 -
\??\c:\5dvdp.exec:\5dvdp.exe35⤵
- Executes dropped EXE
PID:3720 -
\??\c:\jdjjv.exec:\jdjjv.exe36⤵
- Executes dropped EXE
PID:816 -
\??\c:\rrlfrrr.exec:\rrlfrrr.exe37⤵
- Executes dropped EXE
PID:4900 -
\??\c:\1rfxrlx.exec:\1rfxrlx.exe38⤵
- Executes dropped EXE
PID:1944 -
\??\c:\hbtttt.exec:\hbtttt.exe39⤵
- Executes dropped EXE
PID:2464 -
\??\c:\1bbthb.exec:\1bbthb.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\bhnbht.exec:\bhnbht.exe41⤵
- Executes dropped EXE
PID:4604 -
\??\c:\jvdvj.exec:\jvdvj.exe42⤵
- Executes dropped EXE
PID:1028 -
\??\c:\thbtnh.exec:\thbtnh.exe43⤵
- Executes dropped EXE
PID:1484 -
\??\c:\bnbbtt.exec:\bnbbtt.exe44⤵
- Executes dropped EXE
PID:4532 -
\??\c:\pdvvj.exec:\pdvvj.exe45⤵
- Executes dropped EXE
PID:4452 -
\??\c:\pjpvj.exec:\pjpvj.exe46⤵
- Executes dropped EXE
PID:2376 -
\??\c:\lflxxxl.exec:\lflxxxl.exe47⤵
- Executes dropped EXE
PID:4768 -
\??\c:\nhhttt.exec:\nhhttt.exe48⤵
- Executes dropped EXE
PID:704 -
\??\c:\nhbthh.exec:\nhbthh.exe49⤵
- Executes dropped EXE
PID:348 -
\??\c:\ddddp.exec:\ddddp.exe50⤵
- Executes dropped EXE
PID:2980 -
\??\c:\5ppjp.exec:\5ppjp.exe51⤵
- Executes dropped EXE
PID:1536 -
\??\c:\lfrffxx.exec:\lfrffxx.exe52⤵
- Executes dropped EXE
PID:4100 -
\??\c:\lxrrllf.exec:\lxrrllf.exe53⤵
- Executes dropped EXE
PID:3488 -
\??\c:\btbtnh.exec:\btbtnh.exe54⤵
- Executes dropped EXE
PID:4956 -
\??\c:\nhnhhh.exec:\nhnhhh.exe55⤵
- Executes dropped EXE
PID:2700 -
\??\c:\1pvpj.exec:\1pvpj.exe56⤵
- Executes dropped EXE
PID:2016 -
\??\c:\rllxrll.exec:\rllxrll.exe57⤵
- Executes dropped EXE
PID:1032 -
\??\c:\nbhbbn.exec:\nbhbbn.exe58⤵
- Executes dropped EXE
PID:220 -
\??\c:\3nhbnh.exec:\3nhbnh.exe59⤵
- Executes dropped EXE
PID:2768 -
\??\c:\ppvpd.exec:\ppvpd.exe60⤵
- Executes dropped EXE
PID:1796 -
\??\c:\pddvp.exec:\pddvp.exe61⤵
- Executes dropped EXE
PID:852 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe62⤵
- Executes dropped EXE
PID:3192 -
\??\c:\hbnttt.exec:\hbnttt.exe63⤵
- Executes dropped EXE
PID:912 -
\??\c:\nhbnhb.exec:\nhbnhb.exe64⤵
- Executes dropped EXE
PID:2436 -
\??\c:\vvpjp.exec:\vvpjp.exe65⤵
- Executes dropped EXE
PID:1632 -
\??\c:\pvjpd.exec:\pvjpd.exe66⤵PID:1760
-
\??\c:\lflfxxx.exec:\lflfxxx.exe67⤵PID:228
-
\??\c:\7rllxxl.exec:\7rllxxl.exe68⤵PID:3384
-
\??\c:\ttnhhh.exec:\ttnhhh.exe69⤵PID:3052
-
\??\c:\tnhthh.exec:\tnhthh.exe70⤵PID:3608
-
\??\c:\xrffxll.exec:\xrffxll.exe71⤵PID:4936
-
\??\c:\3rrlffx.exec:\3rrlffx.exe72⤵PID:3744
-
\??\c:\hhhbbb.exec:\hhhbbb.exe73⤵PID:4416
-
\??\c:\dvvpj.exec:\dvvpj.exe74⤵PID:924
-
\??\c:\lrffxff.exec:\lrffxff.exe75⤵PID:4548
-
\??\c:\1tbbnh.exec:\1tbbnh.exe76⤵PID:4560
-
\??\c:\tttbtt.exec:\tttbtt.exe77⤵PID:2504
-
\??\c:\jdvvp.exec:\jdvvp.exe78⤵PID:3324
-
\??\c:\xrxxflr.exec:\xrxxflr.exe79⤵PID:392
-
\??\c:\nhtnnn.exec:\nhtnnn.exe80⤵PID:964
-
\??\c:\htttnt.exec:\htttnt.exe81⤵PID:4572
-
\??\c:\vjpjp.exec:\vjpjp.exe82⤵PID:3564
-
\??\c:\pppdj.exec:\pppdj.exe83⤵PID:4976
-
\??\c:\9xflxrr.exec:\9xflxrr.exe84⤵PID:3820
-
\??\c:\lxffxrl.exec:\lxffxrl.exe85⤵PID:3640
-
\??\c:\pjjdv.exec:\pjjdv.exe86⤵PID:3512
-
\??\c:\lfrllll.exec:\lfrllll.exe87⤵PID:1320
-
\??\c:\rxxfffx.exec:\rxxfffx.exe88⤵PID:4632
-
\??\c:\nhnhbt.exec:\nhnhbt.exe89⤵PID:4124
-
\??\c:\pjdvj.exec:\pjdvj.exe90⤵PID:4604
-
\??\c:\dppjj.exec:\dppjj.exe91⤵PID:2108
-
\??\c:\lflfffl.exec:\lflfffl.exe92⤵PID:4828
-
\??\c:\llffrlf.exec:\llffrlf.exe93⤵PID:536
-
\??\c:\3rlfxrl.exec:\3rlfxrl.exe94⤵PID:3732
-
\??\c:\thbtnn.exec:\thbtnn.exe95⤵PID:3252
-
\??\c:\dddjd.exec:\dddjd.exe96⤵
- System Location Discovery: System Language Discovery
PID:1044 -
\??\c:\rlfxllf.exec:\rlfxllf.exe97⤵PID:2884
-
\??\c:\7ffxrlf.exec:\7ffxrlf.exe98⤵PID:1716
-
\??\c:\tnthbn.exec:\tnthbn.exe99⤵PID:864
-
\??\c:\3jdpj.exec:\3jdpj.exe100⤵PID:3768
-
\??\c:\5llflfx.exec:\5llflfx.exe101⤵PID:1360
-
\??\c:\5rrrrfr.exec:\5rrrrfr.exe102⤵PID:3120
-
\??\c:\btbbnn.exec:\btbbnn.exe103⤵PID:3200
-
\??\c:\7hbhth.exec:\7hbhth.exe104⤵PID:4420
-
\??\c:\thhtnh.exec:\thhtnh.exe105⤵PID:4628
-
\??\c:\jjppp.exec:\jjppp.exe106⤵PID:1032
-
\??\c:\7fxrrxx.exec:\7fxrrxx.exe107⤵PID:220
-
\??\c:\5flllxl.exec:\5flllxl.exe108⤵PID:2768
-
\??\c:\tbbhhh.exec:\tbbhhh.exe109⤵PID:856
-
\??\c:\nhhbtt.exec:\nhhbtt.exe110⤵PID:1556
-
\??\c:\dpvvv.exec:\dpvvv.exe111⤵PID:3836
-
\??\c:\pvjdp.exec:\pvjdp.exe112⤵PID:4448
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe113⤵PID:4928
-
\??\c:\rflxrxr.exec:\rflxrxr.exe114⤵PID:1632
-
\??\c:\nbtnhb.exec:\nbtnhb.exe115⤵PID:4504
-
\??\c:\hbhthh.exec:\hbhthh.exe116⤵PID:4664
-
\??\c:\vppjd.exec:\vppjd.exe117⤵PID:2704
-
\??\c:\5jvpv.exec:\5jvpv.exe118⤵PID:2408
-
\??\c:\3xfxllf.exec:\3xfxllf.exe119⤵PID:1644
-
\??\c:\lffxrrr.exec:\lffxrrr.exe120⤵PID:3156
-
\??\c:\tnhbtt.exec:\tnhbtt.exe121⤵PID:3008
-
\??\c:\bnttnh.exec:\bnttnh.exe122⤵PID:4416
-