Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 16:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8aN.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8aN.exe
-
Size
66KB
-
MD5
c7cc8f19814aae48267674700de75440
-
SHA1
02176828c5eb723e1724bd5c766b4d12f2b4537e
-
SHA256
fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8a
-
SHA512
84ea465668c909cc771ecf1892b8f76fad89227b3279c32a7595c5dc721c0c396730c99c483442f5a434415fd0424bee020cd460f00fae56de10714c39dae270
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzkzNMP:ymb3NkkiQ3mdBjFIvlpMP
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
resource yara_rule behavioral2/memory/1440-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2232-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1440-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2132-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2120-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/764-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3256-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3388-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/660-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2152-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/756-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3068-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2520-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1616-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4652-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4148-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4668-116-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/220-122-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2052-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3312-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2108-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3512-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/216-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5016-164-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3760-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3928-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1500-182-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2232 482628.exe 2132 nnnnhb.exe 2120 frlxrll.exe 3388 4688468.exe 764 tnnnnn.exe 3256 hhnbth.exe 660 xxfflrr.exe 2152 7tbnhh.exe 756 lrlxlxf.exe 3068 62060.exe 2520 20242.exe 1616 48886.exe 4420 rflfxxx.exe 4652 bbbbbn.exe 4148 4802660.exe 4668 08600.exe 220 rxflxxx.exe 2052 4286820.exe 3312 nbttnn.exe 2108 4022008.exe 3012 028882.exe 3512 4648266.exe 216 jdvpd.exe 5016 082226.exe 3760 3hthbt.exe 3928 thhbnn.exe 1500 2660882.exe 4436 0860448.exe 3348 5nnhbb.exe 928 7frfrlf.exe 2380 8282608.exe 4836 06060.exe 1692 3bthtn.exe 2580 1vdpj.exe 3960 40260.exe 1628 lxfrlfx.exe 2528 280644.exe 5072 nhtthn.exe 1512 62448.exe 440 rfrffxl.exe 4108 24048.exe 2608 xfllfrf.exe 4560 48682.exe 4240 84224.exe 2120 xllfflx.exe 984 i244888.exe 3172 nhtnhh.exe 4412 tnhbtt.exe 2236 djjdv.exe 4388 ffrfflx.exe 2152 ttbhtb.exe 2292 4862666.exe 2800 tbbbbb.exe 2520 e84820.exe 752 bbbbtt.exe 2356 hthhht.exe 1780 s4662.exe 2852 htbbtb.exe 2972 66426.exe 436 rlxxfxf.exe 3640 48448.exe 1360 dvvvp.exe 1252 820066.exe 1184 jdjpp.exe -
resource yara_rule behavioral2/memory/1440-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2232-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2132-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2132-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1440-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2132-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2120-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/764-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3256-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3388-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/660-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2152-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/756-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3068-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2520-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1616-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4652-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4148-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4668-116-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/220-122-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2052-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3312-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2108-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3512-151-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/216-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5016-164-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3760-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3928-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1500-182-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0468226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2682048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0620482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8626606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1440 wrote to memory of 2232 1440 fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8aN.exe 84 PID 1440 wrote to memory of 2232 1440 fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8aN.exe 84 PID 1440 wrote to memory of 2232 1440 fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8aN.exe 84 PID 2232 wrote to memory of 2132 2232 482628.exe 85 PID 2232 wrote to memory of 2132 2232 482628.exe 85 PID 2232 wrote to memory of 2132 2232 482628.exe 85 PID 2132 wrote to memory of 2120 2132 nnnnhb.exe 86 PID 2132 wrote to memory of 2120 2132 nnnnhb.exe 86 PID 2132 wrote to memory of 2120 2132 nnnnhb.exe 86 PID 2120 wrote to memory of 3388 2120 frlxrll.exe 87 PID 2120 wrote to memory of 3388 2120 frlxrll.exe 87 PID 2120 wrote to memory of 3388 2120 frlxrll.exe 87 PID 3388 wrote to memory of 764 3388 4688468.exe 88 PID 3388 wrote to memory of 764 3388 4688468.exe 88 PID 3388 wrote to memory of 764 3388 4688468.exe 88 PID 764 wrote to memory of 3256 764 tnnnnn.exe 89 PID 764 wrote to memory of 3256 764 tnnnnn.exe 89 PID 764 wrote to memory of 3256 764 tnnnnn.exe 89 PID 3256 wrote to memory of 660 3256 hhnbth.exe 90 PID 3256 wrote to memory of 660 3256 hhnbth.exe 90 PID 3256 wrote to memory of 660 3256 hhnbth.exe 90 PID 660 wrote to memory of 2152 660 xxfflrr.exe 91 PID 660 wrote to memory of 2152 660 xxfflrr.exe 91 PID 660 wrote to memory of 2152 660 xxfflrr.exe 91 PID 2152 wrote to memory of 756 2152 7tbnhh.exe 92 PID 2152 wrote to memory of 756 2152 7tbnhh.exe 92 PID 2152 wrote to memory of 756 2152 7tbnhh.exe 92 PID 756 wrote to memory of 3068 756 lrlxlxf.exe 93 PID 756 wrote to memory of 3068 756 lrlxlxf.exe 93 PID 756 wrote to memory of 3068 756 lrlxlxf.exe 93 PID 3068 wrote to memory of 2520 3068 62060.exe 94 PID 3068 wrote to memory of 2520 3068 62060.exe 94 PID 3068 wrote to memory of 2520 3068 62060.exe 94 PID 2520 wrote to memory of 1616 2520 20242.exe 95 PID 2520 wrote to memory of 1616 
2520 20242.exe 95 PID 2520 wrote to memory of 1616 2520 20242.exe 95 PID 1616 wrote to memory of 4420 1616 48886.exe 96 PID 1616 wrote to memory of 4420 1616 48886.exe 96 PID 1616 wrote to memory of 4420 1616 48886.exe 96 PID 4420 wrote to memory of 4652 4420 rflfxxx.exe 97 PID 4420 wrote to memory of 4652 4420 rflfxxx.exe 97 PID 4420 wrote to memory of 4652 4420 rflfxxx.exe 97 PID 4652 wrote to memory of 4148 4652 bbbbbn.exe 98 PID 4652 wrote to memory of 4148 4652 bbbbbn.exe 98 PID 4652 wrote to memory of 4148 4652 bbbbbn.exe 98 PID 4148 wrote to memory of 4668 4148 4802660.exe 99 PID 4148 wrote to memory of 4668 4148 4802660.exe 99 PID 4148 wrote to memory of 4668 4148 4802660.exe 99 PID 4668 wrote to memory of 220 4668 08600.exe 100 PID 4668 wrote to memory of 220 4668 08600.exe 100 PID 4668 wrote to memory of 220 4668 08600.exe 100 PID 220 wrote to memory of 2052 220 rxflxxx.exe 101 PID 220 wrote to memory of 2052 220 rxflxxx.exe 101 PID 220 wrote to memory of 2052 220 rxflxxx.exe 101 PID 2052 wrote to memory of 3312 2052 4286820.exe 102 PID 2052 wrote to memory of 3312 2052 4286820.exe 102 PID 2052 wrote to memory of 3312 2052 4286820.exe 102 PID 3312 wrote to memory of 2108 3312 nbttnn.exe 103 PID 3312 wrote to memory of 2108 3312 nbttnn.exe 103 PID 3312 wrote to memory of 2108 3312 nbttnn.exe 103 PID 2108 wrote to memory of 3012 2108 4022008.exe 104 PID 2108 wrote to memory of 3012 2108 4022008.exe 104 PID 2108 wrote to memory of 3012 2108 4022008.exe 104 PID 3012 wrote to memory of 3512 3012 028882.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8aN.exe"C:\Users\Admin\AppData\Local\Temp\fddc0350bd847cf476d95097137f81caf0cf50deb2534d176c1c08cce7e55a8aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\482628.exec:\482628.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\nnnnhb.exec:\nnnnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\frlxrll.exec:\frlxrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\4688468.exec:\4688468.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\tnnnnn.exec:\tnnnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\hhnbth.exec:\hhnbth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\xxfflrr.exec:\xxfflrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\7tbnhh.exec:\7tbnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\lrlxlxf.exec:\lrlxlxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\62060.exec:\62060.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\20242.exec:\20242.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\48886.exec:\48886.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\rflfxxx.exec:\rflfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\bbbbbn.exec:\bbbbbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\4802660.exec:\4802660.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\08600.exec:\08600.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\rxflxxx.exec:\rxflxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\4286820.exec:\4286820.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\nbttnn.exec:\nbttnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\4022008.exec:\4022008.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\028882.exec:\028882.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\4648266.exec:\4648266.exe23⤵
- Executes dropped EXE
PID:3512 -
\??\c:\jdvpd.exec:\jdvpd.exe24⤵
- Executes dropped EXE
PID:216 -
\??\c:\082226.exec:\082226.exe25⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3hthbt.exec:\3hthbt.exe26⤵
- Executes dropped EXE
PID:3760 -
\??\c:\thhbnn.exec:\thhbnn.exe27⤵
- Executes dropped EXE
PID:3928 -
\??\c:\2660882.exec:\2660882.exe28⤵
- Executes dropped EXE
PID:1500 -
\??\c:\0860448.exec:\0860448.exe29⤵
- Executes dropped EXE
PID:4436 -
\??\c:\5nnhbb.exec:\5nnhbb.exe30⤵
- Executes dropped EXE
PID:3348 -
\??\c:\7frfrlf.exec:\7frfrlf.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:928 -
\??\c:\8282608.exec:\8282608.exe32⤵
- Executes dropped EXE
PID:2380 -
\??\c:\06060.exec:\06060.exe33⤵
- Executes dropped EXE
PID:4836 -
\??\c:\3bthtn.exec:\3bthtn.exe34⤵
- Executes dropped EXE
PID:1692 -
\??\c:\1vdpj.exec:\1vdpj.exe35⤵
- Executes dropped EXE
PID:2580 -
\??\c:\40260.exec:\40260.exe36⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe37⤵
- Executes dropped EXE
PID:1628 -
\??\c:\280644.exec:\280644.exe38⤵
- Executes dropped EXE
PID:2528 -
\??\c:\nhtthn.exec:\nhtthn.exe39⤵
- Executes dropped EXE
PID:5072 -
\??\c:\62448.exec:\62448.exe40⤵
- Executes dropped EXE
PID:1512 -
\??\c:\5jpdp.exec:\5jpdp.exe41⤵PID:4380
-
\??\c:\rfrffxl.exec:\rfrffxl.exe42⤵
- Executes dropped EXE
PID:440 -
\??\c:\24048.exec:\24048.exe43⤵
- Executes dropped EXE
PID:4108 -
\??\c:\xfllfrf.exec:\xfllfrf.exe44⤵
- Executes dropped EXE
PID:2608 -
\??\c:\48682.exec:\48682.exe45⤵
- Executes dropped EXE
PID:4560 -
\??\c:\84224.exec:\84224.exe46⤵
- Executes dropped EXE
PID:4240 -
\??\c:\xllfflx.exec:\xllfflx.exe47⤵
- Executes dropped EXE
PID:2120 -
\??\c:\i244888.exec:\i244888.exe48⤵
- Executes dropped EXE
PID:984 -
\??\c:\nhtnhh.exec:\nhtnhh.exe49⤵
- Executes dropped EXE
PID:3172 -
\??\c:\tnhbtt.exec:\tnhbtt.exe50⤵
- Executes dropped EXE
PID:4412 -
\??\c:\djjdv.exec:\djjdv.exe51⤵
- Executes dropped EXE
PID:2236 -
\??\c:\ffrfflx.exec:\ffrfflx.exe52⤵
- Executes dropped EXE
PID:4388 -
\??\c:\ttbhtb.exec:\ttbhtb.exe53⤵
- Executes dropped EXE
PID:2152 -
\??\c:\4862666.exec:\4862666.exe54⤵
- Executes dropped EXE
PID:2292 -
\??\c:\tbbbbb.exec:\tbbbbb.exe55⤵
- Executes dropped EXE
PID:2800 -
\??\c:\e84820.exec:\e84820.exe56⤵
- Executes dropped EXE
PID:2520 -
\??\c:\bbbbtt.exec:\bbbbtt.exe57⤵
- Executes dropped EXE
PID:752 -
\??\c:\hthhht.exec:\hthhht.exe58⤵
- Executes dropped EXE
PID:2356 -
\??\c:\s4662.exec:\s4662.exe59⤵
- Executes dropped EXE
PID:1780 -
\??\c:\htbbtb.exec:\htbbtb.exe60⤵
- Executes dropped EXE
PID:2852 -
\??\c:\66426.exec:\66426.exe61⤵
- Executes dropped EXE
PID:2972 -
\??\c:\rlxxfxf.exec:\rlxxfxf.exe62⤵
- Executes dropped EXE
PID:436 -
\??\c:\48448.exec:\48448.exe63⤵
- Executes dropped EXE
PID:3640 -
\??\c:\dvvvp.exec:\dvvvp.exe64⤵
- Executes dropped EXE
PID:1360 -
\??\c:\820066.exec:\820066.exe65⤵
- Executes dropped EXE
PID:1252 -
\??\c:\jdjpp.exec:\jdjpp.exe66⤵
- Executes dropped EXE
PID:1184 -
\??\c:\60842.exec:\60842.exe67⤵PID:2460
-
\??\c:\46660.exec:\46660.exe68⤵PID:3720
-
\??\c:\rrrrffl.exec:\rrrrffl.exe69⤵PID:4972
-
\??\c:\3bbtnb.exec:\3bbtnb.exe70⤵PID:3480
-
\??\c:\1djdd.exec:\1djdd.exe71⤵PID:5016
-
\??\c:\666624.exec:\666624.exe72⤵PID:4676
-
\??\c:\hhhbnh.exec:\hhhbnh.exe73⤵PID:4072
-
\??\c:\82448.exec:\82448.exe74⤵PID:2708
-
\??\c:\bbnbtb.exec:\bbnbtb.exe75⤵PID:2188
-
\??\c:\2622226.exec:\2622226.exe76⤵PID:4960
-
\??\c:\lflrlff.exec:\lflrlff.exe77⤵PID:2100
-
\??\c:\8622660.exec:\8622660.exe78⤵PID:3892
-
\??\c:\fllffff.exec:\fllffff.exe79⤵PID:4436
-
\??\c:\08600.exec:\08600.exe80⤵PID:5060
-
\??\c:\bbhbtt.exec:\bbhbtt.exe81⤵PID:2380
-
\??\c:\8462666.exec:\8462666.exe82⤵PID:3564
-
\??\c:\rxxxllr.exec:\rxxxllr.exe83⤵PID:1540
-
\??\c:\htnnnh.exec:\htnnnh.exe84⤵PID:2580
-
\??\c:\602268.exec:\602268.exe85⤵PID:2196
-
\??\c:\462822.exec:\462822.exe86⤵PID:4924
-
\??\c:\vjvpj.exec:\vjvpj.exe87⤵PID:4004
-
\??\c:\68444.exec:\68444.exe88⤵PID:2884
-
\??\c:\7bhthn.exec:\7bhthn.exe89⤵PID:4380
-
\??\c:\6080820.exec:\6080820.exe90⤵PID:4432
-
\??\c:\pjjvv.exec:\pjjvv.exe91⤵PID:4108
-
\??\c:\8626606.exec:\8626606.exe92⤵
- System Location Discovery: System Language Discovery
PID:2808 -
\??\c:\0200448.exec:\0200448.exe93⤵PID:4560
-
\??\c:\xllffxx.exec:\xllffxx.exe94⤵PID:4240
-
\??\c:\btbtnh.exec:\btbtnh.exe95⤵PID:4532
-
\??\c:\fflfffl.exec:\fflfffl.exe96⤵PID:2740
-
\??\c:\hbbnhb.exec:\hbbnhb.exe97⤵PID:3172
-
\??\c:\204864.exec:\204864.exe98⤵PID:3256
-
\??\c:\8840440.exec:\8840440.exe99⤵PID:2236
-
\??\c:\02062.exec:\02062.exe100⤵PID:4388
-
\??\c:\dvvpd.exec:\dvvpd.exe101⤵PID:2152
-
\??\c:\rxxfxrx.exec:\rxxfxrx.exe102⤵PID:2704
-
\??\c:\06260.exec:\06260.exe103⤵PID:3824
-
\??\c:\642604.exec:\642604.exe104⤵PID:1616
-
\??\c:\262682.exec:\262682.exe105⤵PID:2872
-
\??\c:\ntbttn.exec:\ntbttn.exe106⤵PID:4420
-
\??\c:\202866.exec:\202866.exe107⤵PID:3896
-
\??\c:\lffrxrr.exec:\lffrxrr.exe108⤵PID:3020
-
\??\c:\rllffrr.exec:\rllffrr.exe109⤵PID:1068
-
\??\c:\pjjpv.exec:\pjjpv.exe110⤵PID:1564
-
\??\c:\0288604.exec:\0288604.exe111⤵PID:3932
-
\??\c:\jvjdv.exec:\jvjdv.exe112⤵PID:404
-
\??\c:\6446664.exec:\6446664.exe113⤵PID:3936
-
\??\c:\208604.exec:\208604.exe114⤵PID:2332
-
\??\c:\684260.exec:\684260.exe115⤵PID:3328
-
\??\c:\82626.exec:\82626.exe116⤵PID:4428
-
\??\c:\ppjjv.exec:\ppjjv.exe117⤵PID:5076
-
\??\c:\pdvpj.exec:\pdvpj.exe118⤵PID:3760
-
\??\c:\06220.exec:\06220.exe119⤵PID:2180
-
\??\c:\0640426.exec:\0640426.exe120⤵PID:2896
-
\??\c:\5rfxfll.exec:\5rfxfll.exe121⤵PID:2148
-
\??\c:\8220068.exec:\8220068.exe122⤵PID:464