Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 15:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
-
Size
66KB
-
MD5
cd9ec96e409ba3bdf77823f1c1f0ffe0
-
SHA1
3c7c7da4c8b7d7aad15a2217df465b4c1cc37947
-
SHA256
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26
-
SHA512
57ccf0d3885ffc34bb7cff6f2e8f044b0f4c5c5a14ac769c362291b6d8fd5146a2b731ceef88b39aae4381ac55eab49be03a7f5e3a837e5a4a7d42dd1b71d46a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxeQ:ymb3NkkiQ3mdBjF0y7kbUQ
Malware Config
Signatures
-
Detect Blackmoon payload 29 IoCs
resource yara_rule behavioral2/memory/624-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/624-9-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3136-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4816-21-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3912-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2132-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2548-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/348-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4792-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1460-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3020-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2688-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4948-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3768-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1828-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1836-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1408-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1784-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1656-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1128-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/656-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4020-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1768-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4604-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/876-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4520-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/556-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1848-202-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1864-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3136 xrfxxll.exe 4816 thnhbb.exe 4592 bttnhh.exe 3912 ppjdv.exe 2132 lllfflf.exe 2548 rxlllff.exe 348 tntntt.exe 532 vvppj.exe 4792 5rxrlll.exe 1460 xflfxxr.exe 3020 5bbhbt.exe 2688 nnbnhh.exe 4948 pddvp.exe 3768 lxxxrxr.exe 1828 nnnnhh.exe 1836 dvdvp.exe 1408 pjjdv.exe 1784 rlrllll.exe 1656 hhbttn.exe 3524 hhhhtt.exe 1128 pppjd.exe 1104 xxfxllr.exe 656 tttttt.exe 4020 7btttb.exe 1768 vjppp.exe 4604 rrrlfrr.exe 876 9bnbbh.exe 4520 3hbbtb.exe 556 1ppjd.exe 1848 jpvpj.exe 1864 3rlfxxl.exe 3064 thhbtt.exe 4164 bnbtnn.exe 452 dvjdj.exe 4432 vpvpj.exe 4856 7rlfflf.exe 4764 rlrrxxf.exe 1988 5nttnn.exe 4956 hhhbhb.exe 4468 vpjdd.exe 4528 ddjjv.exe 2040 lfrlrxr.exe 4588 5ffffff.exe 1232 nhnhhh.exe 348 tntnnn.exe 2640 jjddp.exe 2928 dpvpd.exe 4920 lfffxxx.exe 1652 xlrlffx.exe 3020 frfffxx.exe 3444 ttnhtn.exe 2688 tnnhnn.exe 3432 vjppd.exe 2588 jdjdj.exe 2764 xxxrfxx.exe 400 lxfxxxx.exe 744 hnnhbb.exe 1408 7ttnbb.exe 640 9vddv.exe 4844 jjjdv.exe 4288 9rrlxxx.exe 3408 hnbttn.exe 3156 1dvvv.exe 2976 rlxxxxf.exe -
resource yara_rule behavioral2/memory/624-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/624-9-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3136-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4816-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4816-21-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4816-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3912-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2132-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2548-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/348-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/348-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/348-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/532-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4792-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1460-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3020-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2688-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4948-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3768-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1828-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1836-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1408-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1784-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1656-136-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1128-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/656-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4020-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1768-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4604-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/876-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4520-190-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/556-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1848-202-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1864-207-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nntnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 624 wrote to memory of 3136 624 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 84 PID 624 wrote to memory of 3136 624 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 84 PID 624 wrote to memory of 3136 624 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 84 PID 3136 wrote to memory of 4816 3136 xrfxxll.exe 86 PID 3136 wrote to memory of 4816 3136 xrfxxll.exe 86 PID 3136 wrote to memory of 4816 3136 xrfxxll.exe 86 PID 4816 wrote to memory of 4592 4816 thnhbb.exe 87 PID 4816 wrote to memory of 4592 4816 thnhbb.exe 87 PID 4816 wrote to memory of 4592 4816 thnhbb.exe 87 PID 4592 wrote to memory of 3912 4592 bttnhh.exe 88 PID 4592 wrote to memory of 3912 4592 bttnhh.exe 88 PID 4592 wrote to memory of 3912 4592 bttnhh.exe 88 PID 3912 wrote to memory of 2132 3912 ppjdv.exe 89 PID 3912 wrote to memory of 2132 3912 ppjdv.exe 89 PID 3912 wrote to memory of 2132 3912 ppjdv.exe 89 PID 2132 wrote to memory of 2548 2132 lllfflf.exe 90 PID 2132 wrote to memory of 2548 2132 lllfflf.exe 90 PID 2132 wrote to memory of 2548 2132 lllfflf.exe 90 PID 2548 wrote to memory of 348 2548 rxlllff.exe 91 PID 2548 wrote to memory of 348 2548 rxlllff.exe 91 PID 2548 wrote to memory of 348 2548 rxlllff.exe 91 PID 348 wrote to memory of 532 348 tntntt.exe 92 PID 348 wrote to memory of 532 348 tntntt.exe 92 PID 348 wrote to memory of 532 348 tntntt.exe 92 PID 532 wrote to memory of 4792 532 vvppj.exe 93 PID 532 wrote to memory of 4792 532 vvppj.exe 93 PID 532 wrote to memory of 4792 532 vvppj.exe 93 PID 4792 wrote to memory of 1460 4792 5rxrlll.exe 94 PID 4792 wrote to memory of 1460 4792 5rxrlll.exe 94 PID 4792 wrote to memory of 1460 4792 5rxrlll.exe 94 PID 1460 wrote to memory of 3020 1460 xflfxxr.exe 95 PID 1460 wrote to memory of 3020 1460 xflfxxr.exe 95 PID 1460 wrote to memory of 3020 1460 xflfxxr.exe 95 PID 3020 wrote to memory of 2688 3020 5bbhbt.exe 96 PID 3020 wrote to memory of 
2688 3020 5bbhbt.exe 96 PID 3020 wrote to memory of 2688 3020 5bbhbt.exe 96 PID 2688 wrote to memory of 4948 2688 nnbnhh.exe 97 PID 2688 wrote to memory of 4948 2688 nnbnhh.exe 97 PID 2688 wrote to memory of 4948 2688 nnbnhh.exe 97 PID 4948 wrote to memory of 3768 4948 pddvp.exe 99 PID 4948 wrote to memory of 3768 4948 pddvp.exe 99 PID 4948 wrote to memory of 3768 4948 pddvp.exe 99 PID 3768 wrote to memory of 1828 3768 lxxxrxr.exe 100 PID 3768 wrote to memory of 1828 3768 lxxxrxr.exe 100 PID 3768 wrote to memory of 1828 3768 lxxxrxr.exe 100 PID 1828 wrote to memory of 1836 1828 nnnnhh.exe 101 PID 1828 wrote to memory of 1836 1828 nnnnhh.exe 101 PID 1828 wrote to memory of 1836 1828 nnnnhh.exe 101 PID 1836 wrote to memory of 1408 1836 dvdvp.exe 102 PID 1836 wrote to memory of 1408 1836 dvdvp.exe 102 PID 1836 wrote to memory of 1408 1836 dvdvp.exe 102 PID 1408 wrote to memory of 1784 1408 pjjdv.exe 103 PID 1408 wrote to memory of 1784 1408 pjjdv.exe 103 PID 1408 wrote to memory of 1784 1408 pjjdv.exe 103 PID 1784 wrote to memory of 1656 1784 rlrllll.exe 104 PID 1784 wrote to memory of 1656 1784 rlrllll.exe 104 PID 1784 wrote to memory of 1656 1784 rlrllll.exe 104 PID 1656 wrote to memory of 3524 1656 hhbttn.exe 105 PID 1656 wrote to memory of 3524 1656 hhbttn.exe 105 PID 1656 wrote to memory of 3524 1656 hhbttn.exe 105 PID 3524 wrote to memory of 1128 3524 hhhhtt.exe 106 PID 3524 wrote to memory of 1128 3524 hhhhtt.exe 106 PID 3524 wrote to memory of 1128 3524 hhhhtt.exe 106 PID 1128 wrote to memory of 1104 1128 pppjd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\xrfxxll.exec:\xrfxxll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\thnhbb.exec:\thnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\bttnhh.exec:\bttnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\ppjdv.exec:\ppjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\lllfflf.exec:\lllfflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\rxlllff.exec:\rxlllff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\tntntt.exec:\tntntt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\vvppj.exec:\vvppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\5rxrlll.exec:\5rxrlll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\xflfxxr.exec:\xflfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\5bbhbt.exec:\5bbhbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\nnbnhh.exec:\nnbnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\pddvp.exec:\pddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\lxxxrxr.exec:\lxxxrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\nnnnhh.exec:\nnnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\dvdvp.exec:\dvdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\pjjdv.exec:\pjjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\rlrllll.exec:\rlrllll.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\hhbttn.exec:\hhbttn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\hhhhtt.exec:\hhhhtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\pppjd.exec:\pppjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\xxfxllr.exec:\xxfxllr.exe23⤵
- Executes dropped EXE
PID:1104 -
\??\c:\tttttt.exec:\tttttt.exe24⤵
- Executes dropped EXE
PID:656 -
\??\c:\7btttb.exec:\7btttb.exe25⤵
- Executes dropped EXE
PID:4020 -
\??\c:\vjppp.exec:\vjppp.exe26⤵
- Executes dropped EXE
PID:1768 -
\??\c:\rrrlfrr.exec:\rrrlfrr.exe27⤵
- Executes dropped EXE
PID:4604 -
\??\c:\9bnbbh.exec:\9bnbbh.exe28⤵
- Executes dropped EXE
PID:876 -
\??\c:\3hbbtb.exec:\3hbbtb.exe29⤵
- Executes dropped EXE
PID:4520 -
\??\c:\1ppjd.exec:\1ppjd.exe30⤵
- Executes dropped EXE
PID:556 -
\??\c:\jpvpj.exec:\jpvpj.exe31⤵
- Executes dropped EXE
PID:1848 -
\??\c:\3rlfxxl.exec:\3rlfxxl.exe32⤵
- Executes dropped EXE
PID:1864 -
\??\c:\thhbtt.exec:\thhbtt.exe33⤵
- Executes dropped EXE
PID:3064 -
\??\c:\bnbtnn.exec:\bnbtnn.exe34⤵
- Executes dropped EXE
PID:4164 -
\??\c:\dvjdj.exec:\dvjdj.exe35⤵
- Executes dropped EXE
PID:452 -
\??\c:\vpvpj.exec:\vpvpj.exe36⤵
- Executes dropped EXE
PID:4432 -
\??\c:\7rlfflf.exec:\7rlfflf.exe37⤵
- Executes dropped EXE
PID:4856 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe38⤵
- Executes dropped EXE
PID:4764 -
\??\c:\5nttnn.exec:\5nttnn.exe39⤵
- Executes dropped EXE
PID:1988 -
\??\c:\hhhbhb.exec:\hhhbhb.exe40⤵
- Executes dropped EXE
PID:4956 -
\??\c:\vpjdd.exec:\vpjdd.exe41⤵
- Executes dropped EXE
PID:4468 -
\??\c:\ddjjv.exec:\ddjjv.exe42⤵
- Executes dropped EXE
PID:4528 -
\??\c:\lfrlrxr.exec:\lfrlrxr.exe43⤵
- Executes dropped EXE
PID:2040 -
\??\c:\5ffffff.exec:\5ffffff.exe44⤵
- Executes dropped EXE
PID:4588 -
\??\c:\nhnhhh.exec:\nhnhhh.exe45⤵
- Executes dropped EXE
PID:1232 -
\??\c:\tntnnn.exec:\tntnnn.exe46⤵
- Executes dropped EXE
PID:348 -
\??\c:\jjddp.exec:\jjddp.exe47⤵
- Executes dropped EXE
PID:2640 -
\??\c:\dpvpd.exec:\dpvpd.exe48⤵
- Executes dropped EXE
PID:2928 -
\??\c:\lfffxxx.exec:\lfffxxx.exe49⤵
- Executes dropped EXE
PID:4920 -
\??\c:\xlrlffx.exec:\xlrlffx.exe50⤵
- Executes dropped EXE
PID:1652 -
\??\c:\frfffxx.exec:\frfffxx.exe51⤵
- Executes dropped EXE
PID:3020 -
\??\c:\ttnhtn.exec:\ttnhtn.exe52⤵
- Executes dropped EXE
PID:3444 -
\??\c:\tnnhnn.exec:\tnnhnn.exe53⤵
- Executes dropped EXE
PID:2688 -
\??\c:\vjppd.exec:\vjppd.exe54⤵
- Executes dropped EXE
PID:3432 -
\??\c:\jdjdj.exec:\jdjdj.exe55⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xxxrfxx.exec:\xxxrfxx.exe56⤵
- Executes dropped EXE
PID:2764 -
\??\c:\lxfxxxx.exec:\lxfxxxx.exe57⤵
- Executes dropped EXE
PID:400 -
\??\c:\hnnhbb.exec:\hnnhbb.exe58⤵
- Executes dropped EXE
PID:744 -
\??\c:\7ttnbb.exec:\7ttnbb.exe59⤵
- Executes dropped EXE
PID:1408 -
\??\c:\9vddv.exec:\9vddv.exe60⤵
- Executes dropped EXE
PID:640 -
\??\c:\jjjdv.exec:\jjjdv.exe61⤵
- Executes dropped EXE
PID:4844 -
\??\c:\9rrlxxx.exec:\9rrlxxx.exe62⤵
- Executes dropped EXE
PID:4288 -
\??\c:\hnbttn.exec:\hnbttn.exe63⤵
- Executes dropped EXE
PID:3408 -
\??\c:\1dvvv.exec:\1dvvv.exe64⤵
- Executes dropped EXE
PID:3156 -
\??\c:\rlxxxxf.exec:\rlxxxxf.exe65⤵
- Executes dropped EXE
PID:2976 -
\??\c:\tnnbtt.exec:\tnnbtt.exe66⤵PID:4000
-
\??\c:\djddv.exec:\djddv.exe67⤵PID:4940
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe68⤵PID:880
-
\??\c:\lfxxrrr.exec:\lfxxrrr.exe69⤵PID:2208
-
\??\c:\bbbttt.exec:\bbbttt.exe70⤵PID:468
-
\??\c:\hhttnn.exec:\hhttnn.exe71⤵PID:3672
-
\??\c:\3ppjd.exec:\3ppjd.exe72⤵PID:768
-
\??\c:\1llfxxr.exec:\1llfxxr.exe73⤵PID:1040
-
\??\c:\9xrrrxr.exec:\9xrrrxr.exe74⤵PID:1372
-
\??\c:\bntthh.exec:\bntthh.exe75⤵PID:2420
-
\??\c:\3vdvp.exec:\3vdvp.exe76⤵PID:3972
-
\??\c:\lffxrrl.exec:\lffxrrl.exe77⤵PID:2600
-
\??\c:\hhbbtt.exec:\hhbbtt.exe78⤵PID:3808
-
\??\c:\vjdpp.exec:\vjdpp.exe79⤵PID:3948
-
\??\c:\pjjvp.exec:\pjjvp.exe80⤵PID:2788
-
\??\c:\rffxfll.exec:\rffxfll.exe81⤵PID:4312
-
\??\c:\ffllrrx.exec:\ffllrrx.exe82⤵PID:1144
-
\??\c:\hbhhbn.exec:\hbhhbn.exe83⤵PID:3992
-
\??\c:\pjpjj.exec:\pjpjj.exe84⤵PID:1708
-
\??\c:\xllxrrl.exec:\xllxrrl.exe85⤵PID:3980
-
\??\c:\ffrrllf.exec:\ffrrllf.exe86⤵PID:1988
-
\??\c:\1hhbtt.exec:\1hhbtt.exe87⤵PID:3184
-
\??\c:\btnhtt.exec:\btnhtt.exe88⤵PID:3912
-
\??\c:\vdjjv.exec:\vdjjv.exe89⤵PID:4316
-
\??\c:\vdvdv.exec:\vdvdv.exe90⤵PID:1720
-
\??\c:\lxflrrf.exec:\lxflrrf.exe91⤵PID:3248
-
\??\c:\bttnhb.exec:\bttnhb.exe92⤵PID:2780
-
\??\c:\5pdjv.exec:\5pdjv.exe93⤵PID:5004
-
\??\c:\pdjdd.exec:\pdjdd.exe94⤵PID:4692
-
\??\c:\fxrxlll.exec:\fxrxlll.exe95⤵PID:2472
-
\??\c:\thtnhh.exec:\thtnhh.exe96⤵PID:2840
-
\??\c:\1hhtnn.exec:\1hhtnn.exe97⤵PID:1652
-
\??\c:\lffxrrl.exec:\lffxrrl.exe98⤵PID:3984
-
\??\c:\ttnnhh.exec:\ttnnhh.exe99⤵PID:4840
-
\??\c:\ppdpd.exec:\ppdpd.exe100⤵PID:2688
-
\??\c:\lfrlffx.exec:\lfrlffx.exe101⤵PID:3768
-
\??\c:\bbntnn.exec:\bbntnn.exe102⤵PID:4132
-
\??\c:\bnthnh.exec:\bnthnh.exe103⤵PID:2748
-
\??\c:\djppd.exec:\djppd.exe104⤵PID:4932
-
\??\c:\dvpjd.exec:\dvpjd.exe105⤵PID:4832
-
\??\c:\rllfffx.exec:\rllfffx.exe106⤵PID:4656
-
\??\c:\lllrfxx.exec:\lllrfxx.exe107⤵PID:1784
-
\??\c:\bthhhb.exec:\bthhhb.exe108⤵PID:4668
-
\??\c:\jvjvp.exec:\jvjvp.exe109⤵PID:4788
-
\??\c:\vjdvp.exec:\vjdvp.exe110⤵PID:2604
-
\??\c:\rllxllf.exec:\rllxllf.exe111⤵PID:2556
-
\??\c:\rflfxxr.exec:\rflfxxr.exe112⤵PID:864
-
\??\c:\7nhbbn.exec:\7nhbbn.exe113⤵PID:1128
-
\??\c:\pjdvp.exec:\pjdvp.exe114⤵PID:2584
-
\??\c:\pdjvp.exec:\pdjvp.exe115⤵PID:1104
-
\??\c:\rlffrff.exec:\rlffrff.exe116⤵PID:3324
-
\??\c:\frxxrrl.exec:\frxxrrl.exe117⤵PID:4048
-
\??\c:\nntnnn.exec:\nntnnn.exe118⤵PID:756
-
\??\c:\1hnhtb.exec:\1hnhtb.exe119⤵PID:4548
-
\??\c:\pddjd.exec:\pddjd.exe120⤵PID:3748
-
\??\c:\dpvpd.exec:\dpvpd.exe121⤵PID:3084
-
\??\c:\5lfxrrl.exec:\5lfxrrl.exe122⤵PID:2384