Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
17/10/2024, 15:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe
Resource
win7-20240708-en
6 signatures
150 seconds
General
-
Target
fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe
-
Size
71KB
-
MD5
a76e63d242d7c9c379313ad79be93ed0
-
SHA1
6b77d956b54baa67abde0f4eaf8146a648382340
-
SHA256
fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959
-
SHA512
15708cb3d329159682c80db019ff442c71272e8fbc20ab413019c2bf5ca2ea99736b8bd4a3c39def5ee2fd7883ece8b98cf852da2d2fff4e7eaa940cadb00dd6
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjU:ymb3NkkiQ3mdBjFI4Vk
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
resource yara_rule behavioral2/memory/816-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4876-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3664-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4076-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/816-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3704-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2784-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4104-64-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4452-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3020-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4444-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2300-82-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4372-97-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3952-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1020-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2356-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2756-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4220-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2804-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5040-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2736-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3884-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4616-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3372-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3132-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4740-210-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4876 lrfxxxx.exe 3664 lxfxrfx.exe 4076 tnhhnt.exe 1064 pjppp.exe 3704 hhhbbb.exe 2784 btnhhh.exe 4452 ddjdd.exe 4104 rrlfxfx.exe 2300 5fxxlrl.exe 3020 pdvvv.exe 4444 rrllfff.exe 4372 bhttbh.exe 1936 nnhhbt.exe 4112 jjjjd.exe 3952 xfxxrrl.exe 1020 bbtthn.exe 2356 bbhhnn.exe 2884 djddv.exe 2756 lflxrfx.exe 4220 tttbbb.exe 2804 jvdvp.exe 5040 ffxxfrr.exe 2736 nnnhbt.exe 3884 ppjdd.exe 4616 fflrrrr.exe 2944 xfllflf.exe 4680 bnbhht.exe 3372 5pddv.exe 3132 xrlfxxr.exe 1648 3bhhtt.exe 4740 jddvp.exe 2552 rlxxrxr.exe 892 ttthbb.exe 2192 9vdvp.exe 4364 ppppd.exe 2956 lffffff.exe 4508 xxfffff.exe 4276 thttnn.exe 4412 vpddd.exe 1616 ffrlffx.exe 2728 tnbnth.exe 3400 nbbhhh.exe 1524 pdvpd.exe 4472 xxxfrxr.exe 928 hbnbnn.exe 3148 9djjj.exe 5004 flxrlrl.exe 2212 5lxxrxr.exe 4452 bttbth.exe 4408 jpvpj.exe 3992 llxrlrl.exe 3708 bbbhbn.exe 1228 bhhbtt.exe 3744 pjdvd.exe 3496 xrxrlll.exe 4044 bhbhhn.exe 4164 bntnnh.exe 1420 djjdd.exe 3436 vdpvj.exe 3952 hbtntt.exe 1584 thntth.exe 2356 ppppj.exe 2884 lxlfxff.exe 2136 lflffxf.exe -
resource yara_rule behavioral2/memory/816-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4876-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3664-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4076-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3664-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3664-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/816-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1064-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1064-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1064-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3704-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2784-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4104-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4452-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2300-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2300-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3020-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4444-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2300-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4372-97-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3952-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1020-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2356-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2756-139-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4220-145-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2804-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5040-157-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2736-163-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3884-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4616-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3372-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3132-198-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4740-210-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9httbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 816 wrote to memory of 4876 816 fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe 84 PID 816 wrote to memory of 4876 816 fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe 84 PID 816 wrote to memory of 4876 816 fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe 84 PID 4876 wrote to memory of 3664 4876 lrfxxxx.exe 85 PID 4876 wrote to memory of 3664 4876 lrfxxxx.exe 85 PID 4876 wrote to memory of 3664 4876 lrfxxxx.exe 85 PID 3664 wrote to memory of 4076 3664 lxfxrfx.exe 86 PID 3664 wrote to memory of 4076 3664 lxfxrfx.exe 86 PID 3664 wrote to memory of 4076 3664 lxfxrfx.exe 86 PID 4076 wrote to memory of 1064 4076 tnhhnt.exe 87 PID 4076 wrote to memory of 1064 4076 tnhhnt.exe 87 PID 4076 wrote to memory of 1064 4076 tnhhnt.exe 87 PID 1064 wrote to memory of 3704 1064 pjppp.exe 88 PID 1064 wrote to memory of 3704 1064 pjppp.exe 88 PID 1064 wrote to memory of 3704 1064 pjppp.exe 88 PID 3704 wrote to memory of 2784 3704 hhhbbb.exe 89 PID 3704 wrote to memory of 2784 3704 hhhbbb.exe 89 PID 3704 wrote to memory of 2784 3704 hhhbbb.exe 89 PID 2784 wrote to memory of 4452 2784 btnhhh.exe 90 PID 2784 wrote to memory of 4452 2784 btnhhh.exe 90 PID 2784 wrote to memory of 4452 2784 btnhhh.exe 90 PID 4452 wrote to memory of 4104 4452 ddjdd.exe 91 PID 4452 wrote to memory of 4104 4452 ddjdd.exe 91 PID 4452 wrote to memory of 4104 4452 ddjdd.exe 91 PID 4104 wrote to memory of 2300 4104 rrlfxfx.exe 92 PID 4104 wrote to memory of 2300 4104 rrlfxfx.exe 92 PID 4104 wrote to memory of 2300 4104 rrlfxfx.exe 92 PID 2300 wrote to memory of 3020 2300 5fxxlrl.exe 93 PID 2300 wrote to memory of 3020 2300 5fxxlrl.exe 93 PID 2300 wrote to memory of 3020 2300 5fxxlrl.exe 93 PID 3020 wrote to memory of 4444 3020 pdvvv.exe 94 PID 3020 wrote to memory of 4444 3020 pdvvv.exe 94 PID 3020 wrote to memory of 4444 3020 pdvvv.exe 94 PID 4444 wrote to memory of 4372 4444 rrllfff.exe 95 PID 4444 wrote to 
memory of 4372 4444 rrllfff.exe 95 PID 4444 wrote to memory of 4372 4444 rrllfff.exe 95 PID 4372 wrote to memory of 1936 4372 bhttbh.exe 96 PID 4372 wrote to memory of 1936 4372 bhttbh.exe 96 PID 4372 wrote to memory of 1936 4372 bhttbh.exe 96 PID 1936 wrote to memory of 4112 1936 nnhhbt.exe 97 PID 1936 wrote to memory of 4112 1936 nnhhbt.exe 97 PID 1936 wrote to memory of 4112 1936 nnhhbt.exe 97 PID 4112 wrote to memory of 3952 4112 jjjjd.exe 98 PID 4112 wrote to memory of 3952 4112 jjjjd.exe 98 PID 4112 wrote to memory of 3952 4112 jjjjd.exe 98 PID 3952 wrote to memory of 1020 3952 xfxxrrl.exe 99 PID 3952 wrote to memory of 1020 3952 xfxxrrl.exe 99 PID 3952 wrote to memory of 1020 3952 xfxxrrl.exe 99 PID 1020 wrote to memory of 2356 1020 bbtthn.exe 100 PID 1020 wrote to memory of 2356 1020 bbtthn.exe 100 PID 1020 wrote to memory of 2356 1020 bbtthn.exe 100 PID 2356 wrote to memory of 2884 2356 bbhhnn.exe 101 PID 2356 wrote to memory of 2884 2356 bbhhnn.exe 101 PID 2356 wrote to memory of 2884 2356 bbhhnn.exe 101 PID 2884 wrote to memory of 2756 2884 djddv.exe 102 PID 2884 wrote to memory of 2756 2884 djddv.exe 102 PID 2884 wrote to memory of 2756 2884 djddv.exe 102 PID 2756 wrote to memory of 4220 2756 lflxrfx.exe 103 PID 2756 wrote to memory of 4220 2756 lflxrfx.exe 103 PID 2756 wrote to memory of 4220 2756 lflxrfx.exe 103 PID 4220 wrote to memory of 2804 4220 tttbbb.exe 104 PID 4220 wrote to memory of 2804 4220 tttbbb.exe 104 PID 4220 wrote to memory of 2804 4220 tttbbb.exe 104 PID 2804 wrote to memory of 5040 2804 jvdvp.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe"C:\Users\Admin\AppData\Local\Temp\fff4e70989527d117844d2637fab2f297529b9981feca705353c65cc974d5959N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\lxfxrfx.exec:\lxfxrfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\tnhhnt.exec:\tnhhnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\pjppp.exec:\pjppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\hhhbbb.exec:\hhhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\btnhhh.exec:\btnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\ddjdd.exec:\ddjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\rrlfxfx.exec:\rrlfxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\5fxxlrl.exec:\5fxxlrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\pdvvv.exec:\pdvvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\rrllfff.exec:\rrllfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\bhttbh.exec:\bhttbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\nnhhbt.exec:\nnhhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\jjjjd.exec:\jjjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\xfxxrrl.exec:\xfxxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\bbtthn.exec:\bbtthn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\bbhhnn.exec:\bbhhnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\djddv.exec:\djddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\lflxrfx.exec:\lflxrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\tttbbb.exec:\tttbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\jvdvp.exec:\jvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\ffxxfrr.exec:\ffxxfrr.exe23⤵
- Executes dropped EXE
PID:5040 -
\??\c:\nnnhbt.exec:\nnnhbt.exe24⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ppjdd.exec:\ppjdd.exe25⤵
- Executes dropped EXE
PID:3884 -
\??\c:\fflrrrr.exec:\fflrrrr.exe26⤵
- Executes dropped EXE
PID:4616 -
\??\c:\xfllflf.exec:\xfllflf.exe27⤵
- Executes dropped EXE
PID:2944 -
\??\c:\bnbhht.exec:\bnbhht.exe28⤵
- Executes dropped EXE
PID:4680 -
\??\c:\5pddv.exec:\5pddv.exe29⤵
- Executes dropped EXE
PID:3372 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe30⤵
- Executes dropped EXE
PID:3132 -
\??\c:\3bhhtt.exec:\3bhhtt.exe31⤵
- Executes dropped EXE
PID:1648 -
\??\c:\jddvp.exec:\jddvp.exe32⤵
- Executes dropped EXE
PID:4740 -
\??\c:\rlxxrxr.exec:\rlxxrxr.exe33⤵
- Executes dropped EXE
PID:2552 -
\??\c:\ttthbb.exec:\ttthbb.exe34⤵
- Executes dropped EXE
PID:892 -
\??\c:\9vdvp.exec:\9vdvp.exe35⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ppppd.exec:\ppppd.exe36⤵
- Executes dropped EXE
PID:4364 -
\??\c:\lffffff.exec:\lffffff.exe37⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xxfffff.exec:\xxfffff.exe38⤵
- Executes dropped EXE
PID:4508 -
\??\c:\thttnn.exec:\thttnn.exe39⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vpddd.exec:\vpddd.exe40⤵
- Executes dropped EXE
PID:4412 -
\??\c:\ffrlffx.exec:\ffrlffx.exe41⤵
- Executes dropped EXE
PID:1616 -
\??\c:\tnbnth.exec:\tnbnth.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\nbbhhh.exec:\nbbhhh.exe43⤵
- Executes dropped EXE
PID:3400 -
\??\c:\pdvpd.exec:\pdvpd.exe44⤵
- Executes dropped EXE
PID:1524 -
\??\c:\xxxfrxr.exec:\xxxfrxr.exe45⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hbnbnn.exec:\hbnbnn.exe46⤵
- Executes dropped EXE
PID:928 -
\??\c:\9djjj.exec:\9djjj.exe47⤵
- Executes dropped EXE
PID:3148 -
\??\c:\flxrlrl.exec:\flxrlrl.exe48⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5lxxrxr.exec:\5lxxrxr.exe49⤵
- Executes dropped EXE
PID:2212 -
\??\c:\bttbth.exec:\bttbth.exe50⤵
- Executes dropped EXE
PID:4452 -
\??\c:\jpvpj.exec:\jpvpj.exe51⤵
- Executes dropped EXE
PID:4408 -
\??\c:\llxrlrl.exec:\llxrlrl.exe52⤵
- Executes dropped EXE
PID:3992 -
\??\c:\bbbhbn.exec:\bbbhbn.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3708 -
\??\c:\bhhbtt.exec:\bhhbtt.exe54⤵
- Executes dropped EXE
PID:1228 -
\??\c:\pjdvd.exec:\pjdvd.exe55⤵
- Executes dropped EXE
PID:3744 -
\??\c:\xrxrlll.exec:\xrxrlll.exe56⤵
- Executes dropped EXE
PID:3496 -
\??\c:\bhbhhn.exec:\bhbhhn.exe57⤵
- Executes dropped EXE
PID:4044 -
\??\c:\bntnnh.exec:\bntnnh.exe58⤵
- Executes dropped EXE
PID:4164 -
\??\c:\djjdd.exec:\djjdd.exe59⤵
- Executes dropped EXE
PID:1420 -
\??\c:\vdpvj.exec:\vdpvj.exe60⤵
- Executes dropped EXE
PID:3436 -
\??\c:\hbtntt.exec:\hbtntt.exe61⤵
- Executes dropped EXE
PID:3952 -
\??\c:\thntth.exec:\thntth.exe62⤵
- Executes dropped EXE
PID:1584 -
\??\c:\ppppj.exec:\ppppj.exe63⤵
- Executes dropped EXE
PID:2356 -
\??\c:\lxlfxff.exec:\lxlfxff.exe64⤵
- Executes dropped EXE
PID:2884 -
\??\c:\lflffxf.exec:\lflffxf.exe65⤵
- Executes dropped EXE
PID:2136 -
\??\c:\nbhhtt.exec:\nbhhtt.exe66⤵PID:2348
-
\??\c:\pjpjd.exec:\pjpjd.exe67⤵PID:4588
-
\??\c:\lxrrxfr.exec:\lxrrxfr.exe68⤵PID:2940
-
\??\c:\bbhhhn.exec:\bbhhhn.exe69⤵PID:2240
-
\??\c:\vvjpd.exec:\vvjpd.exe70⤵PID:4608
-
\??\c:\pdpjj.exec:\pdpjj.exe71⤵PID:1300
-
\??\c:\xxrxllx.exec:\xxrxllx.exe72⤵PID:4892
-
\??\c:\nbbbnn.exec:\nbbbnn.exe73⤵PID:1684
-
\??\c:\vdpjp.exec:\vdpjp.exe74⤵PID:2776
-
\??\c:\dpjjd.exec:\dpjjd.exe75⤵PID:2656
-
\??\c:\llxrxfl.exec:\llxrxfl.exe76⤵PID:4468
-
\??\c:\xffffll.exec:\xffffll.exe77⤵PID:2220
-
\??\c:\3nthhh.exec:\3nthhh.exe78⤵PID:2724
-
\??\c:\pvppp.exec:\pvppp.exe79⤵PID:1572
-
\??\c:\vvjjd.exec:\vvjjd.exe80⤵PID:456
-
\??\c:\rrrlfll.exec:\rrrlfll.exe81⤵PID:4836
-
\??\c:\hhhbht.exec:\hhhbht.exe82⤵PID:4272
-
\??\c:\vpdjp.exec:\vpdjp.exe83⤵PID:5056
-
\??\c:\jddvv.exec:\jddvv.exe84⤵PID:4336
-
\??\c:\ffxxfrr.exec:\ffxxfrr.exe85⤵PID:4276
-
\??\c:\flfffll.exec:\flfffll.exe86⤵PID:816
-
\??\c:\hhhhbb.exec:\hhhhbb.exe87⤵PID:5112
-
\??\c:\rxlflxx.exec:\rxlflxx.exe88⤵PID:2364
-
\??\c:\rllxxfx.exec:\rllxxfx.exe89⤵PID:4692
-
\??\c:\vdvvd.exec:\vdvvd.exe90⤵PID:4472
-
\??\c:\vpjdv.exec:\vpjdv.exe91⤵PID:2592
-
\??\c:\1nbthb.exec:\1nbthb.exe92⤵PID:536
-
\??\c:\ppddv.exec:\ppddv.exe93⤵PID:2784
-
\??\c:\xxffxff.exec:\xxffxff.exe94⤵PID:2212
-
\??\c:\7dvvv.exec:\7dvvv.exe95⤵PID:2912
-
\??\c:\1lfxfff.exec:\1lfxfff.exe96⤵PID:4408
-
\??\c:\tntthn.exec:\tntthn.exe97⤵PID:452
-
\??\c:\tbnhbn.exec:\tbnhbn.exe98⤵PID:1848
-
\??\c:\9vvpd.exec:\9vvpd.exe99⤵PID:3240
-
\??\c:\xxlrlxl.exec:\xxlrlxl.exe100⤵PID:4496
-
\??\c:\7rxflrx.exec:\7rxflrx.exe101⤵PID:2096
-
\??\c:\bhhhnt.exec:\bhhhnt.exe102⤵PID:4164
-
\??\c:\hhhbhn.exec:\hhhbhn.exe103⤵PID:1420
-
\??\c:\djpvv.exec:\djpvv.exe104⤵PID:3968
-
\??\c:\7vddv.exec:\7vddv.exe105⤵PID:4908
-
\??\c:\llflrfr.exec:\llflrfr.exe106⤵PID:3984
-
\??\c:\lllffll.exec:\lllffll.exe107⤵PID:2088
-
\??\c:\nnbbbn.exec:\nnbbbn.exe108⤵PID:2348
-
\??\c:\nnnnhh.exec:\nnnnhh.exe109⤵PID:4588
-
\??\c:\ddpjj.exec:\ddpjj.exe110⤵PID:2560
-
\??\c:\jdppd.exec:\jdppd.exe111⤵PID:4688
-
\??\c:\xffxlrr.exec:\xffxlrr.exe112⤵PID:4788
-
\??\c:\lfrllll.exec:\lfrllll.exe113⤵PID:4436
-
\??\c:\ttbbbh.exec:\ttbbbh.exe114⤵PID:3180
-
\??\c:\ppppp.exec:\ppppp.exe115⤵PID:2960
-
\??\c:\pvdvp.exec:\pvdvp.exe116⤵PID:2152
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe117⤵PID:4848
-
\??\c:\hbtthh.exec:\hbtthh.exe118⤵PID:3880
-
\??\c:\7dpdp.exec:\7dpdp.exe119⤵PID:1480
-
\??\c:\xrfxrxx.exec:\xrfxrxx.exe120⤵PID:892
-
\??\c:\hbnhbb.exec:\hbnhbb.exe121⤵PID:372
-
\??\c:\dpddv.exec:\dpddv.exe122⤵PID:3228