Analysis
-
max time kernel
115s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
17/10/2024, 15:28
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe
-
Size
71KB
-
MD5
a76e63d242d7c9c379313ad79be93ed0
-
SHA1
6b77d956b54baa67abde0f4eaf8146a648382340
-
SHA256
fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959
-
SHA512
15708cb3d329159682c80db019ff442c71272e8fbc20ab413019c2bf5ca2ea99736b8bd4a3c39def5ee2fd7883ece8b98cf852da2d2fff4e7eaa940cadb00dd6
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjU:ymb3NkkiQ3mdBjFI4Vk
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
resource yara_rule behavioral2/memory/2460-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2460-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/712-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4116-21-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4696-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4324-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2584-44-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1280-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4616-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1664-71-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4804-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4804-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4916-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/924-96-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3740-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1500-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2880-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3448-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1060-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3036-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3128-141-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4864-152-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4064-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2320-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2472-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4664-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1360-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4548-213-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 712 rlxrrlf.exe 4116 dpdvv.exe 4696 rrfxrxr.exe 4324 hbhbhh.exe 2584 jvvpd.exe 1280 dpvpd.exe 4616 rfrllll.exe 1664 tbbhbt.exe 4804 vdddv.exe 4916 ffxrrrr.exe 924 fffxlfr.exe 1500 jvdvd.exe 3740 jdddd.exe 3804 frxrrrr.exe 2880 rllxrlf.exe 3448 tnnhbt.exe 1060 pdjjv.exe 3036 ffrrfrl.exe 3128 hbhhtb.exe 4700 tnnhbb.exe 4864 ddvvp.exe 3944 rfrlfff.exe 4036 rlxllrf.exe 3548 thnhbb.exe 4064 5vddv.exe 2320 xrrlffx.exe 2472 rlxxfxf.exe 4664 btbbbh.exe 1360 dvdpv.exe 3508 1ddpd.exe 4548 lfrrxrf.exe 3984 rxfxllf.exe 2696 nbhbtt.exe 2788 ntbthh.exe 2416 pdppp.exe 4428 djppj.exe 2736 rxffxxx.exe 1496 bnbbtt.exe 3504 thhbtn.exe 4844 pvvvp.exe 1284 jddvj.exe 4104 dddpj.exe 4324 7ffrllf.exe 396 htbtnt.exe 4740 bnnhtn.exe 2288 nhtttt.exe 4692 vppjv.exe 628 jddpj.exe 4764 frrrffx.exe 4916 fffxllf.exe 1712 nhbnhh.exe 1840 htbthh.exe 2328 vjpjj.exe 4504 pvdvv.exe 452 lxrlrlf.exe 1672 xxfxrlx.exe 4320 thhbnn.exe 1168 hbhbtn.exe 428 dvdvp.exe 5076 dppdj.exe 3128 lfrffxf.exe 2256 fxrlfxr.exe 2396 nhbtnb.exe 4516 dvvvp.exe -
resource yara_rule behavioral2/memory/2460-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2460-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/712-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/712-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/712-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/712-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4116-21-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4696-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4696-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4324-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2584-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1280-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4616-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1664-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1664-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1664-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4804-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4804-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4916-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4916-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/924-96-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3740-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1500-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2880-117-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3448-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1060-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3036-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3128-141-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4864-152-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4064-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2320-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2472-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4664-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1360-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4548-213-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2460 wrote to memory of 712 2460 fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe 84 PID 2460 wrote to memory of 712 2460 fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe 84 PID 2460 wrote to memory of 712 2460 fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe 84 PID 712 wrote to memory of 4116 712 rlxrrlf.exe 85 PID 712 wrote to memory of 4116 712 rlxrrlf.exe 85 PID 712 wrote to memory of 4116 712 rlxrrlf.exe 85 PID 4116 wrote to memory of 4696 4116 dpdvv.exe 86 PID 4116 wrote to memory of 4696 4116 dpdvv.exe 86 PID 4116 wrote to memory of 4696 4116 dpdvv.exe 86 PID 4696 wrote to memory of 4324 4696 rrfxrxr.exe 87 PID 4696 wrote to memory of 4324 4696 rrfxrxr.exe 87 PID 4696 wrote to memory of 4324 4696 rrfxrxr.exe 87 PID 4324 wrote to memory of 2584 4324 hbhbhh.exe 88 PID 4324 wrote to memory of 2584 4324 hbhbhh.exe 88 PID 4324 wrote to memory of 2584 4324 hbhbhh.exe 88 PID 2584 wrote to memory of 1280 2584 jvvpd.exe 89 PID 2584 wrote to memory of 1280 2584 jvvpd.exe 89 PID 2584 wrote to memory of 1280 2584 jvvpd.exe 89 PID 1280 wrote to memory of 4616 1280 dpvpd.exe 90 PID 1280 wrote to memory of 4616 1280 dpvpd.exe 90 PID 1280 wrote to memory of 4616 1280 dpvpd.exe 90 PID 4616 wrote to memory of 1664 4616 rfrllll.exe 92 PID 4616 wrote to memory of 1664 4616 rfrllll.exe 92 PID 4616 wrote to memory of 1664 4616 rfrllll.exe 92 PID 1664 wrote to memory of 4804 1664 tbbhbt.exe 93 PID 1664 wrote to memory of 4804 1664 tbbhbt.exe 93 PID 1664 wrote to memory of 4804 1664 tbbhbt.exe 93 PID 4804 wrote to memory of 4916 4804 vdddv.exe 94 PID 4804 wrote to memory of 4916 4804 vdddv.exe 94 PID 4804 wrote to memory of 4916 4804 vdddv.exe 94 PID 4916 wrote to memory of 924 4916 ffxrrrr.exe 95 PID 4916 wrote to memory of 924 4916 ffxrrrr.exe 95 PID 4916 wrote to memory of 924 4916 ffxrrrr.exe 95 PID 924 wrote to memory of 1500 924 fffxlfr.exe 96 PID 924 wrote to memory of 
1500 924 fffxlfr.exe 96 PID 924 wrote to memory of 1500 924 fffxlfr.exe 96 PID 1500 wrote to memory of 3740 1500 jvdvd.exe 97 PID 1500 wrote to memory of 3740 1500 jvdvd.exe 97 PID 1500 wrote to memory of 3740 1500 jvdvd.exe 97 PID 3740 wrote to memory of 3804 3740 jdddd.exe 99 PID 3740 wrote to memory of 3804 3740 jdddd.exe 99 PID 3740 wrote to memory of 3804 3740 jdddd.exe 99 PID 3804 wrote to memory of 2880 3804 frxrrrr.exe 100 PID 3804 wrote to memory of 2880 3804 frxrrrr.exe 100 PID 3804 wrote to memory of 2880 3804 frxrrrr.exe 100 PID 2880 wrote to memory of 3448 2880 rllxrlf.exe 101 PID 2880 wrote to memory of 3448 2880 rllxrlf.exe 101 PID 2880 wrote to memory of 3448 2880 rllxrlf.exe 101 PID 3448 wrote to memory of 1060 3448 tnnhbt.exe 102 PID 3448 wrote to memory of 1060 3448 tnnhbt.exe 102 PID 3448 wrote to memory of 1060 3448 tnnhbt.exe 102 PID 1060 wrote to memory of 3036 1060 pdjjv.exe 103 PID 1060 wrote to memory of 3036 1060 pdjjv.exe 103 PID 1060 wrote to memory of 3036 1060 pdjjv.exe 103 PID 3036 wrote to memory of 3128 3036 ffrrfrl.exe 104 PID 3036 wrote to memory of 3128 3036 ffrrfrl.exe 104 PID 3036 wrote to memory of 3128 3036 ffrrfrl.exe 104 PID 3128 wrote to memory of 4700 3128 hbhhtb.exe 105 PID 3128 wrote to memory of 4700 3128 hbhhtb.exe 105 PID 3128 wrote to memory of 4700 3128 hbhhtb.exe 105 PID 4700 wrote to memory of 4864 4700 tnnhbb.exe 106 PID 4700 wrote to memory of 4864 4700 tnnhbb.exe 106 PID 4700 wrote to memory of 4864 4700 tnnhbb.exe 106 PID 4864 wrote to memory of 3944 4864 ddvvp.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe"C:\Users\Admin\AppData\Local\Temp\fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\dpdvv.exec:\dpdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\rrfxrxr.exec:\rrfxrxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\hbhbhh.exec:\hbhbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\jvvpd.exec:\jvvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\dpvpd.exec:\dpvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\rfrllll.exec:\rfrllll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\tbbhbt.exec:\tbbhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\vdddv.exec:\vdddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\ffxrrrr.exec:\ffxrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\fffxlfr.exec:\fffxlfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\jvdvd.exec:\jvdvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\jdddd.exec:\jdddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\frxrrrr.exec:\frxrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\rllxrlf.exec:\rllxrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\tnnhbt.exec:\tnnhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\pdjjv.exec:\pdjjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\ffrrfrl.exec:\ffrrfrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\hbhhtb.exec:\hbhhtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\tnnhbb.exec:\tnnhbb.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\ddvvp.exec:\ddvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\rfrlfff.exec:\rfrlfff.exe23⤵
- Executes dropped EXE
PID:3944 -
\??\c:\rlxllrf.exec:\rlxllrf.exe24⤵
- Executes dropped EXE
PID:4036 -
\??\c:\thnhbb.exec:\thnhbb.exe25⤵
- Executes dropped EXE
PID:3548 -
\??\c:\5vddv.exec:\5vddv.exe26⤵
- Executes dropped EXE
PID:4064 -
\??\c:\xrrlffx.exec:\xrrlffx.exe27⤵
- Executes dropped EXE
PID:2320 -
\??\c:\rlxxfxf.exec:\rlxxfxf.exe28⤵
- Executes dropped EXE
PID:2472 -
\??\c:\btbbbh.exec:\btbbbh.exe29⤵
- Executes dropped EXE
PID:4664 -
\??\c:\dvdpv.exec:\dvdpv.exe30⤵
- Executes dropped EXE
PID:1360 -
\??\c:\1ddpd.exec:\1ddpd.exe31⤵
- Executes dropped EXE
PID:3508 -
\??\c:\lfrrxrf.exec:\lfrrxrf.exe32⤵
- Executes dropped EXE
PID:4548 -
\??\c:\rxfxllf.exec:\rxfxllf.exe33⤵
- Executes dropped EXE
PID:3984 -
\??\c:\nbhbtt.exec:\nbhbtt.exe34⤵
- Executes dropped EXE
PID:2696 -
\??\c:\ntbthh.exec:\ntbthh.exe35⤵
- Executes dropped EXE
PID:2788 -
\??\c:\pdppp.exec:\pdppp.exe36⤵
- Executes dropped EXE
PID:2416 -
\??\c:\djppj.exec:\djppj.exe37⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rxffxxx.exec:\rxffxxx.exe38⤵
- Executes dropped EXE
PID:2736 -
\??\c:\bnbbtt.exec:\bnbbtt.exe39⤵
- Executes dropped EXE
PID:1496 -
\??\c:\thhbtn.exec:\thhbtn.exe40⤵
- Executes dropped EXE
PID:3504 -
\??\c:\pvvvp.exec:\pvvvp.exe41⤵
- Executes dropped EXE
PID:4844 -
\??\c:\jddvj.exec:\jddvj.exe42⤵
- Executes dropped EXE
PID:1284 -
\??\c:\dddpj.exec:\dddpj.exe43⤵
- Executes dropped EXE
PID:4104 -
\??\c:\7ffrllf.exec:\7ffrllf.exe44⤵
- Executes dropped EXE
PID:4324 -
\??\c:\htbtnt.exec:\htbtnt.exe45⤵
- Executes dropped EXE
PID:396 -
\??\c:\bnnhtn.exec:\bnnhtn.exe46⤵
- Executes dropped EXE
PID:4740 -
\??\c:\nhtttt.exec:\nhtttt.exe47⤵
- Executes dropped EXE
PID:2288 -
\??\c:\vppjv.exec:\vppjv.exe48⤵
- Executes dropped EXE
PID:4692 -
\??\c:\jddpj.exec:\jddpj.exe49⤵
- Executes dropped EXE
PID:628 -
\??\c:\frrrffx.exec:\frrrffx.exe50⤵
- Executes dropped EXE
PID:4764 -
\??\c:\fffxllf.exec:\fffxllf.exe51⤵
- Executes dropped EXE
PID:4916 -
\??\c:\nhbnhh.exec:\nhbnhh.exe52⤵
- Executes dropped EXE
PID:1712 -
\??\c:\htbthh.exec:\htbthh.exe53⤵
- Executes dropped EXE
PID:1840 -
\??\c:\vjpjj.exec:\vjpjj.exe54⤵
- Executes dropped EXE
PID:2328 -
\??\c:\pvdvv.exec:\pvdvv.exe55⤵
- Executes dropped EXE
PID:4504 -
\??\c:\lxrlrlf.exec:\lxrlrlf.exe56⤵
- Executes dropped EXE
PID:452 -
\??\c:\xxfxrlx.exec:\xxfxrlx.exe57⤵
- Executes dropped EXE
PID:1672 -
\??\c:\thhbnn.exec:\thhbnn.exe58⤵
- Executes dropped EXE
PID:4320 -
\??\c:\hbhbtn.exec:\hbhbtn.exe59⤵
- Executes dropped EXE
PID:1168 -
\??\c:\dvdvp.exec:\dvdvp.exe60⤵
- Executes dropped EXE
PID:428 -
\??\c:\dppdj.exec:\dppdj.exe61⤵
- Executes dropped EXE
PID:5076 -
\??\c:\lfrffxf.exec:\lfrffxf.exe62⤵
- Executes dropped EXE
PID:3128 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe63⤵
- Executes dropped EXE
PID:2256 -
\??\c:\nhbtnb.exec:\nhbtnb.exe64⤵
- Executes dropped EXE
PID:2396 -
\??\c:\dvvvp.exec:\dvvvp.exe65⤵
- Executes dropped EXE
PID:4516 -
\??\c:\vppjj.exec:\vppjj.exe66⤵PID:2540
-
\??\c:\rlrlfff.exec:\rlrlfff.exe67⤵PID:2752
-
\??\c:\lfxrlfl.exec:\lfxrlfl.exe68⤵PID:2440
-
\??\c:\nnhbnn.exec:\nnhbnn.exe69⤵PID:2140
-
\??\c:\9djdv.exec:\9djdv.exe70⤵PID:3548
-
\??\c:\pppdv.exec:\pppdv.exe71⤵PID:2324
-
\??\c:\lxfxlff.exec:\lxfxlff.exe72⤵PID:2700
-
\??\c:\bhnttt.exec:\bhnttt.exe73⤵PID:1184
-
\??\c:\btbtnn.exec:\btbtnn.exe74⤵PID:552
-
\??\c:\jdddv.exec:\jdddv.exe75⤵PID:2760
-
\??\c:\jdpvp.exec:\jdpvp.exe76⤵PID:536
-
\??\c:\xlxlrlf.exec:\xlxlrlf.exe77⤵PID:5072
-
\??\c:\tnbtbn.exec:\tnbtbn.exe78⤵PID:3892
-
\??\c:\nthtnn.exec:\nthtnn.exe79⤵PID:1848
-
\??\c:\7pvpd.exec:\7pvpd.exe80⤵PID:224
-
\??\c:\dvdjv.exec:\dvdjv.exe81⤵PID:3664
-
\??\c:\hbtnbt.exec:\hbtnbt.exe82⤵PID:4552
-
\??\c:\jpjdp.exec:\jpjdp.exe83⤵PID:1136
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe84⤵PID:2736
-
\??\c:\rfffxxl.exec:\rfffxxl.exe85⤵PID:3524
-
\??\c:\hntnhh.exec:\hntnhh.exe86⤵PID:3504
-
\??\c:\httnbh.exec:\httnbh.exe87⤵PID:4264
-
\??\c:\vppdv.exec:\vppdv.exe88⤵PID:1284
-
\??\c:\xrrxllr.exec:\xrrxllr.exe89⤵PID:2932
-
\??\c:\rlffxrr.exec:\rlffxrr.exe90⤵PID:2584
-
\??\c:\bttnhh.exec:\bttnhh.exe91⤵PID:396
-
\??\c:\btbnhn.exec:\btbnhn.exe92⤵PID:4740
-
\??\c:\tbbhtt.exec:\tbbhtt.exe93⤵PID:2288
-
\??\c:\frlfxrl.exec:\frlfxrl.exe94⤵PID:4692
-
\??\c:\rflfxrl.exec:\rflfxrl.exe95⤵PID:628
-
\??\c:\bbhhbb.exec:\bbhhbb.exe96⤵PID:4868
-
\??\c:\5pjdv.exec:\5pjdv.exe97⤵PID:1500
-
\??\c:\jdvpj.exec:\jdvpj.exe98⤵PID:1712
-
\??\c:\xxfrrrr.exec:\xxfrrrr.exe99⤵PID:1840
-
\??\c:\llllrrr.exec:\llllrrr.exe100⤵PID:3956
-
\??\c:\tthbtt.exec:\tthbtt.exe101⤵PID:1560
-
\??\c:\jpvpd.exec:\jpvpd.exe102⤵PID:4992
-
\??\c:\dvvpv.exec:\dvvpv.exe103⤵PID:1672
-
\??\c:\3frlffx.exec:\3frlffx.exe104⤵PID:4320
-
\??\c:\rxxflrx.exec:\rxxflrx.exe105⤵PID:2728
-
\??\c:\3bhhhb.exec:\3bhhhb.exe106⤵PID:4432
-
\??\c:\nnhthh.exec:\nnhthh.exe107⤵PID:1832
-
\??\c:\dvvpp.exec:\dvvpp.exe108⤵PID:872
-
\??\c:\fxffllr.exec:\fxffllr.exe109⤵PID:2256
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe110⤵PID:2396
-
\??\c:\ffrxfff.exec:\ffrxfff.exe111⤵PID:916
-
\??\c:\tnbhhb.exec:\tnbhhb.exe112⤵PID:4448
-
\??\c:\tnnhtt.exec:\tnnhtt.exe113⤵PID:2752
-
\??\c:\vvvvv.exec:\vvvvv.exe114⤵PID:4704
-
\??\c:\jjjvj.exec:\jjjvj.exe115⤵PID:2140
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe116⤵PID:4444
-
\??\c:\jdppj.exec:\jdppj.exe117⤵PID:3052
-
\??\c:\3pvpd.exec:\3pvpd.exe118⤵PID:2908
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe119⤵PID:1184
-
\??\c:\3lllxfx.exec:\3lllxfx.exe120⤵PID:552
-
\??\c:\hnntbb.exec:\hnntbb.exe121⤵PID:2760
-
\??\c:\hbttbb.exec:\hbttbb.exe122⤵PID:3896