Analysis
-
max time kernel
149s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 14:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
Resource
win7-20241010-en
6 signatures
150 seconds
General
-
Target
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
-
Size
67KB
-
MD5
08cae242750fa005584264f241312370
-
SHA1
5f10bdd9878ebfd9b0f35ba972f2105d1677b79b
-
SHA256
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078b
-
SHA512
4b9508a0497deaab496bc5a6a8d9784c9142165653c6cbce9d9656772d2d66f0dc68452f2810a2ef1c5b07be81f9aa53cd713aad8fa33dfb1a640cb2af891e34
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqf7:ymb3NkkiQ3mdBjFI9cqf7
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
resource yara_rule behavioral2/memory/1136-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1136-6-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4824-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4144-21-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4284-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3416-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3708-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4560-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4704-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4260-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4260-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1224-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4396-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3988-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4328-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2388-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1712-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1152-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2936-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2476-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1264-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4616-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1340-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4136-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2220-194-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4596-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3032-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4824 xrrlfff.exe 4144 nhnhhh.exe 4284 pjppj.exe 3416 vvjjv.exe 3708 1nbbnt.exe 4560 jdvpv.exe 1544 xrxxlxf.exe 4704 3xxxrxx.exe 4260 bnhhhh.exe 1224 5jjjd.exe 4396 ffxrrrf.exe 3988 thhhbt.exe 4176 pjppd.exe 4328 lxxrlfx.exe 2388 5bhhnh.exe 1712 jpjjv.exe 1152 fflfxxr.exe 1484 hhnbhh.exe 2936 5vvvv.exe 972 vvjdp.exe 2476 xrffxff.exe 1264 nbntht.exe 3916 nhbthh.exe 4616 xrxfxrx.exe 1936 rfrlfff.exe 1340 nhnnhh.exe 4136 vppjd.exe 2032 llflffx.exe 2220 frfrrff.exe 4596 7nbtnn.exe 3032 vpppv.exe 2024 lxlfffx.exe 5044 hbbbbb.exe 1240 9tbbbb.exe 3684 rlllffx.exe 744 lffxrrf.exe 2460 7bnhhb.exe 4280 bntnhn.exe 3968 dpvvp.exe 4392 flfrlff.exe 4864 9fffxfr.exe 3344 ttbbtt.exe 3536 jvjjj.exe 4460 rlfxrll.exe 1732 rxxxrrl.exe 3708 bhbhbb.exe 4872 nbhbbt.exe 3880 jdvpp.exe 4704 lrxfxxl.exe 4340 httnnn.exe 1832 5jjjj.exe 4852 5lrrrrx.exe 4348 nhhbbb.exe 1864 hbhhhh.exe 776 pddjj.exe 2904 jvjjd.exe 4920 fxxfrrr.exe 3336 nbnthh.exe 4004 vvjvv.exe 4844 vpjdv.exe 1852 5fffxxr.exe 2748 bntnnh.exe 1692 3pjjd.exe 1624 tbnnhh.exe -
resource yara_rule behavioral2/memory/1136-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1136-6-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4824-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4144-21-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4284-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4144-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4144-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3416-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3708-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4560-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4704-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4260-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4260-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4260-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4260-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1224-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4396-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3988-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4328-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2388-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1712-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1152-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2476-147-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1264-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4616-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1340-176-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4136-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2220-194-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4596-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3032-208-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1136 wrote to memory of 4824 1136 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 84 PID 1136 wrote to memory of 4824 1136 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 84 PID 1136 wrote to memory of 4824 1136 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 84 PID 4824 wrote to memory of 4144 4824 xrrlfff.exe 85 PID 4824 wrote to memory of 4144 4824 xrrlfff.exe 85 PID 4824 wrote to memory of 4144 4824 xrrlfff.exe 85 PID 4144 wrote to memory of 4284 4144 nhnhhh.exe 86 PID 4144 wrote to memory of 4284 4144 nhnhhh.exe 86 PID 4144 wrote to memory of 4284 4144 nhnhhh.exe 86 PID 4284 wrote to memory of 3416 4284 pjppj.exe 87 PID 4284 wrote to memory of 3416 4284 pjppj.exe 87 PID 4284 wrote to memory of 3416 4284 pjppj.exe 87 PID 3416 wrote to memory of 3708 3416 vvjjv.exe 88 PID 3416 wrote to memory of 3708 3416 vvjjv.exe 88 PID 3416 wrote to memory of 3708 3416 vvjjv.exe 88 PID 3708 wrote to memory of 4560 3708 1nbbnt.exe 89 PID 3708 wrote to memory of 4560 3708 1nbbnt.exe 89 PID 3708 wrote to memory of 4560 3708 1nbbnt.exe 89 PID 4560 wrote to memory of 1544 4560 jdvpv.exe 91 PID 4560 wrote to memory of 1544 4560 jdvpv.exe 91 PID 4560 wrote to memory of 1544 4560 jdvpv.exe 91 PID 1544 wrote to memory of 4704 1544 xrxxlxf.exe 92 PID 1544 wrote to memory of 4704 1544 xrxxlxf.exe 92 PID 1544 wrote to memory of 4704 1544 xrxxlxf.exe 92 PID 4704 wrote to memory of 4260 4704 3xxxrxx.exe 93 PID 4704 wrote to memory of 4260 4704 3xxxrxx.exe 93 PID 4704 wrote to memory of 4260 4704 3xxxrxx.exe 93 PID 4260 wrote to memory of 1224 4260 bnhhhh.exe 94 PID 4260 wrote to memory of 1224 4260 bnhhhh.exe 94 PID 4260 wrote to memory of 1224 4260 bnhhhh.exe 94 PID 1224 wrote to memory of 4396 1224 5jjjd.exe 95 PID 1224 wrote to memory of 4396 1224 5jjjd.exe 95 PID 1224 wrote to memory of 4396 1224 5jjjd.exe 95 PID 4396 wrote to memory of 3988 4396 ffxrrrf.exe 96 PID 4396 wrote to 
memory of 3988 4396 ffxrrrf.exe 96 PID 4396 wrote to memory of 3988 4396 ffxrrrf.exe 96 PID 3988 wrote to memory of 4176 3988 thhhbt.exe 97 PID 3988 wrote to memory of 4176 3988 thhhbt.exe 97 PID 3988 wrote to memory of 4176 3988 thhhbt.exe 97 PID 4176 wrote to memory of 4328 4176 pjppd.exe 98 PID 4176 wrote to memory of 4328 4176 pjppd.exe 98 PID 4176 wrote to memory of 4328 4176 pjppd.exe 98 PID 4328 wrote to memory of 2388 4328 lxxrlfx.exe 100 PID 4328 wrote to memory of 2388 4328 lxxrlfx.exe 100 PID 4328 wrote to memory of 2388 4328 lxxrlfx.exe 100 PID 2388 wrote to memory of 1712 2388 5bhhnh.exe 101 PID 2388 wrote to memory of 1712 2388 5bhhnh.exe 101 PID 2388 wrote to memory of 1712 2388 5bhhnh.exe 101 PID 1712 wrote to memory of 1152 1712 jpjjv.exe 102 PID 1712 wrote to memory of 1152 1712 jpjjv.exe 102 PID 1712 wrote to memory of 1152 1712 jpjjv.exe 102 PID 1152 wrote to memory of 1484 1152 fflfxxr.exe 103 PID 1152 wrote to memory of 1484 1152 fflfxxr.exe 103 PID 1152 wrote to memory of 1484 1152 fflfxxr.exe 103 PID 1484 wrote to memory of 2936 1484 hhnbhh.exe 104 PID 1484 wrote to memory of 2936 1484 hhnbhh.exe 104 PID 1484 wrote to memory of 2936 1484 hhnbhh.exe 104 PID 2936 wrote to memory of 972 2936 5vvvv.exe 106 PID 2936 wrote to memory of 972 2936 5vvvv.exe 106 PID 2936 wrote to memory of 972 2936 5vvvv.exe 106 PID 972 wrote to memory of 2476 972 vvjdp.exe 107 PID 972 wrote to memory of 2476 972 vvjdp.exe 107 PID 972 wrote to memory of 2476 972 vvjdp.exe 107 PID 2476 wrote to memory of 1264 2476 xrffxff.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\xrrlfff.exec:\xrrlfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\nhnhhh.exec:\nhnhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\pjppj.exec:\pjppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\vvjjv.exec:\vvjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\1nbbnt.exec:\1nbbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\jdvpv.exec:\jdvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\xrxxlxf.exec:\xrxxlxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\3xxxrxx.exec:\3xxxrxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\bnhhhh.exec:\bnhhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\5jjjd.exec:\5jjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\ffxrrrf.exec:\ffxrrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\thhhbt.exec:\thhhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\pjppd.exec:\pjppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\5bhhnh.exec:\5bhhnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\jpjjv.exec:\jpjjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\fflfxxr.exec:\fflfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\hhnbhh.exec:\hhnbhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\5vvvv.exec:\5vvvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\vvjdp.exec:\vvjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\xrffxff.exec:\xrffxff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\nbntht.exec:\nbntht.exe23⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nhbthh.exec:\nhbthh.exe24⤵
- Executes dropped EXE
PID:3916 -
\??\c:\xrxfxrx.exec:\xrxfxrx.exe25⤵
- Executes dropped EXE
PID:4616 -
\??\c:\rfrlfff.exec:\rfrlfff.exe26⤵
- Executes dropped EXE
PID:1936 -
\??\c:\nhnnhh.exec:\nhnnhh.exe27⤵
- Executes dropped EXE
PID:1340 -
\??\c:\vppjd.exec:\vppjd.exe28⤵
- Executes dropped EXE
PID:4136 -
\??\c:\llflffx.exec:\llflffx.exe29⤵
- Executes dropped EXE
PID:2032 -
\??\c:\frfrrff.exec:\frfrrff.exe30⤵
- Executes dropped EXE
PID:2220 -
\??\c:\7nbtnn.exec:\7nbtnn.exe31⤵
- Executes dropped EXE
PID:4596 -
\??\c:\vpppv.exec:\vpppv.exe32⤵
- Executes dropped EXE
PID:3032 -
\??\c:\lxlfffx.exec:\lxlfffx.exe33⤵
- Executes dropped EXE
PID:2024 -
\??\c:\hbbbbb.exec:\hbbbbb.exe34⤵
- Executes dropped EXE
PID:5044 -
\??\c:\9tbbbb.exec:\9tbbbb.exe35⤵
- Executes dropped EXE
PID:1240 -
\??\c:\rlllffx.exec:\rlllffx.exe36⤵
- Executes dropped EXE
PID:3684 -
\??\c:\lffxrrf.exec:\lffxrrf.exe37⤵
- Executes dropped EXE
PID:744 -
\??\c:\7bnhhb.exec:\7bnhhb.exe38⤵
- Executes dropped EXE
PID:2460 -
\??\c:\bntnhn.exec:\bntnhn.exe39⤵
- Executes dropped EXE
PID:4280 -
\??\c:\dpvvp.exec:\dpvvp.exe40⤵
- Executes dropped EXE
PID:3968 -
\??\c:\flfrlff.exec:\flfrlff.exe41⤵
- Executes dropped EXE
PID:4392 -
\??\c:\9fffxfr.exec:\9fffxfr.exe42⤵
- Executes dropped EXE
PID:4864 -
\??\c:\ttbbtt.exec:\ttbbtt.exe43⤵
- Executes dropped EXE
PID:3344 -
\??\c:\jvjjj.exec:\jvjjj.exe44⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rlfxrll.exec:\rlfxrll.exe45⤵
- Executes dropped EXE
PID:4460 -
\??\c:\rxxxrrl.exec:\rxxxrrl.exe46⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bhbhbb.exec:\bhbhbb.exe47⤵
- Executes dropped EXE
PID:3708 -
\??\c:\nbhbbt.exec:\nbhbbt.exe48⤵
- Executes dropped EXE
PID:4872 -
\??\c:\jdvpp.exec:\jdvpp.exe49⤵
- Executes dropped EXE
PID:3880 -
\??\c:\lrxfxxl.exec:\lrxfxxl.exe50⤵
- Executes dropped EXE
PID:4704 -
\??\c:\httnnn.exec:\httnnn.exe51⤵
- Executes dropped EXE
PID:4340 -
\??\c:\5jjjj.exec:\5jjjj.exe52⤵
- Executes dropped EXE
PID:1832 -
\??\c:\5lrrrrx.exec:\5lrrrrx.exe53⤵
- Executes dropped EXE
PID:4852 -
\??\c:\nhhbbb.exec:\nhhbbb.exe54⤵
- Executes dropped EXE
PID:4348 -
\??\c:\hbhhhh.exec:\hbhhhh.exe55⤵
- Executes dropped EXE
PID:1864 -
\??\c:\pddjj.exec:\pddjj.exe56⤵
- Executes dropped EXE
PID:776 -
\??\c:\jvjjd.exec:\jvjjd.exe57⤵
- Executes dropped EXE
PID:2904 -
\??\c:\fxxfrrr.exec:\fxxfrrr.exe58⤵
- Executes dropped EXE
PID:4920 -
\??\c:\nbnthh.exec:\nbnthh.exe59⤵
- Executes dropped EXE
PID:3336 -
\??\c:\vvjvv.exec:\vvjvv.exe60⤵
- Executes dropped EXE
PID:4004 -
\??\c:\vpjdv.exec:\vpjdv.exe61⤵
- Executes dropped EXE
PID:4844 -
\??\c:\5fffxxr.exec:\5fffxxr.exe62⤵
- Executes dropped EXE
PID:1852 -
\??\c:\bntnnh.exec:\bntnnh.exe63⤵
- Executes dropped EXE
PID:2748 -
\??\c:\3pjjd.exec:\3pjjd.exe64⤵
- Executes dropped EXE
PID:1692 -
\??\c:\tbnnhh.exec:\tbnnhh.exe65⤵
- Executes dropped EXE
PID:1624 -
\??\c:\jpvvj.exec:\jpvvj.exe66⤵PID:2648
-
\??\c:\xlrlllf.exec:\xlrlllf.exe67⤵PID:4292
-
\??\c:\btbnhh.exec:\btbnhh.exe68⤵PID:3220
-
\??\c:\vvddj.exec:\vvddj.exe69⤵PID:4772
-
\??\c:\fflfxfx.exec:\fflfxfx.exe70⤵PID:3664
-
\??\c:\5rrrrxx.exec:\5rrrrxx.exe71⤵PID:2896
-
\??\c:\thbtnt.exec:\thbtnt.exe72⤵PID:2512
-
\??\c:\bbhhtt.exec:\bbhhtt.exe73⤵PID:4576
-
\??\c:\7vjjv.exec:\7vjjv.exe74⤵PID:1868
-
\??\c:\pdddj.exec:\pdddj.exe75⤵PID:5020
-
\??\c:\lflrlxx.exec:\lflrlxx.exe76⤵PID:2032
-
\??\c:\bbhhnt.exec:\bbhhnt.exe77⤵PID:320
-
\??\c:\pjdjp.exec:\pjdjp.exe78⤵PID:4832
-
\??\c:\dvddv.exec:\dvddv.exe79⤵PID:3912
-
\??\c:\fxffffr.exec:\fxffffr.exe80⤵PID:3032
-
\??\c:\xrxrlrr.exec:\xrxrlrr.exe81⤵PID:2548
-
\??\c:\thtttb.exec:\thtttb.exe82⤵PID:1640
-
\??\c:\bhnnnn.exec:\bhnnnn.exe83⤵PID:2868
-
\??\c:\vjddv.exec:\vjddv.exe84⤵PID:2200
-
\??\c:\rrllxlf.exec:\rrllxlf.exe85⤵PID:2100
-
\??\c:\9rxxrrr.exec:\9rxxrrr.exe86⤵PID:1396
-
\??\c:\9bbhnt.exec:\9bbhnt.exe87⤵PID:3164
-
\??\c:\tnnhbb.exec:\tnnhbb.exe88⤵PID:3404
-
\??\c:\pjpjj.exec:\pjpjj.exe89⤵PID:3848
-
\??\c:\xrrfxff.exec:\xrrfxff.exe90⤵PID:4612
-
\??\c:\5rrrlrl.exec:\5rrrlrl.exe91⤵PID:2844
-
\??\c:\btbhht.exec:\btbhht.exe92⤵PID:2472
-
\??\c:\ppppj.exec:\ppppj.exe93⤵PID:3792
-
\??\c:\fxxfrxx.exec:\fxxfrxx.exe94⤵PID:4540
-
\??\c:\frrffxf.exec:\frrffxf.exe95⤵PID:3292
-
\??\c:\hbtbbb.exec:\hbtbbb.exe96⤵PID:4516
-
\??\c:\dpvpp.exec:\dpvpp.exe97⤵PID:768
-
\??\c:\rllxrrr.exec:\rllxrrr.exe98⤵PID:2576
-
\??\c:\ntnhbb.exec:\ntnhbb.exe99⤵PID:1500
-
\??\c:\jvjvd.exec:\jvjvd.exe100⤵PID:4856
-
\??\c:\rfllfff.exec:\rfllfff.exe101⤵PID:4884
-
\??\c:\httnnh.exec:\httnnh.exe102⤵PID:764
-
\??\c:\3flffff.exec:\3flffff.exe103⤵PID:4396
-
\??\c:\httnhh.exec:\httnhh.exe104⤵
- System Location Discovery: System Language Discovery
PID:3628 -
\??\c:\3bhbhh.exec:\3bhbhh.exe105⤵PID:1548
-
\??\c:\jdppv.exec:\jdppv.exe106⤵PID:4328
-
\??\c:\lxrlxxr.exec:\lxrlxxr.exe107⤵PID:2804
-
\??\c:\lflffrr.exec:\lflffrr.exe108⤵PID:2588
-
\??\c:\nhnnnn.exec:\nhnnnn.exe109⤵PID:4256
-
\??\c:\pjddv.exec:\pjddv.exe110⤵PID:1808
-
\??\c:\9lxxxrl.exec:\9lxxxrl.exe111⤵PID:956
-
\??\c:\7rxxfrr.exec:\7rxxfrr.exe112⤵PID:5116
-
\??\c:\bnntbh.exec:\bnntbh.exe113⤵PID:3952
-
\??\c:\htbbnn.exec:\htbbnn.exe114⤵PID:4644
-
\??\c:\jjjjd.exec:\jjjjd.exe115⤵PID:4108
-
\??\c:\rllfxxr.exec:\rllfxxr.exe116⤵PID:5088
-
\??\c:\xllffll.exec:\xllffll.exe117⤵PID:2944
-
\??\c:\thnnnn.exec:\thnnnn.exe118⤵PID:4264
-
\??\c:\vvjjp.exec:\vvjjp.exe119⤵PID:1276
-
\??\c:\jddjd.exec:\jddjd.exe120⤵PID:1016
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe121⤵PID:3364
-
\??\c:\xrrrrlr.exec:\xrrrrlr.exe122⤵PID:1340