Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 18:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe
Resource
win7-20241010-en
6 signatures
150 seconds
General
-
Target
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe
-
Size
69KB
-
MD5
371a367028b140e10f0b6bde52fe4b21
-
SHA1
6137db7d50b45f5c6fb8a27e3bfb92dc9e202bdc
-
SHA256
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db
-
SHA512
284fb1a1eb5c01e1bc49814f0fb035158ee61b5e355f683ea4df45fe9fb02cfead89aa91bdae9ac0e3e192528f484596f80ce452e6865fd284a44218904be022
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qjH4l:ymb3NkkiQ3mdBjFIj+qjH4l
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
resource yara_rule behavioral2/memory/2888-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2264-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2888-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/492-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4628-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/456-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2628-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2492-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2420-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3684-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1404-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4560-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2868-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1672-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2940-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3260-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4940-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3792-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3740-154-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3196-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2108-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/5056-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1640-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4532-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4980-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4584-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2264 hnbbhn.exe 492 pjvdp.exe 456 lxrfxlf.exe 4628 llrfrlx.exe 2628 nhtntn.exe 3624 nbthnh.exe 2492 5xfrxrf.exe 2420 lflxlfx.exe 3684 tntnhb.exe 2936 vdvpd.exe 1404 nbntnn.exe 4560 bbthtn.exe 2868 5ddpd.exe 4072 xrlrlfx.exe 3844 hhtnbt.exe 1672 nhbnhh.exe 2940 pppjp.exe 3260 dpjdp.exe 4260 xllfxrr.exe 4940 1ttnbt.exe 3792 ttbtht.exe 3740 vddpd.exe 3196 xlfxxfr.exe 2108 btnhbt.exe 5056 hnnbtn.exe 1640 jddjv.exe 4532 djdvj.exe 4980 3xxlrlx.exe 4676 bbbnnh.exe 2680 3tbtbt.exe 4584 vvvjv.exe 4444 ffrflrx.exe 1532 hhhhbt.exe 4568 hhbtbt.exe 4024 jdvvv.exe 2384 jdvjd.exe 4204 xflxrlf.exe 5036 lrrlfxr.exe 1916 nhbtnh.exe 456 vjjjp.exe 116 pvpjd.exe 4036 xxxrlfl.exe 2628 3nnhtt.exe 1112 btnnbt.exe 4488 9jpdp.exe 3248 jpdvj.exe 4960 xrrfrlf.exe 3880 rlxrffr.exe 4876 nhthbt.exe 5040 htbhht.exe 4852 vjjvv.exe 2960 vpdpj.exe 3092 lrrlrrf.exe 2784 frlfxrf.exe 4072 tnbtht.exe 428 dvpdp.exe 2000 dddpv.exe 3288 9dpdj.exe 644 xlxrfxr.exe 4020 bttnnh.exe 2084 nnhntn.exe 1520 vdvvj.exe 4928 3pdpd.exe 1872 fllfrlf.exe -
resource yara_rule behavioral2/memory/2888-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2264-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2888-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/492-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4628-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/456-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2628-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2492-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2492-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2492-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2420-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3684-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2936-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1404-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4560-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2868-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1672-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2940-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3260-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4940-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3792-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3740-154-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3196-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2108-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5056-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1640-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4532-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4980-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4584-208-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2264 2888 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 84 PID 2888 wrote to memory of 2264 2888 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 84 PID 2888 wrote to memory of 2264 2888 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 84 PID 2264 wrote to memory of 492 2264 hnbbhn.exe 85 PID 2264 wrote to memory of 492 2264 hnbbhn.exe 85 PID 2264 wrote to memory of 492 2264 hnbbhn.exe 85 PID 492 wrote to memory of 456 492 pjvdp.exe 86 PID 492 wrote to memory of 456 492 pjvdp.exe 86 PID 492 wrote to memory of 456 492 pjvdp.exe 86 PID 456 wrote to memory of 4628 456 lxrfxlf.exe 87 PID 456 wrote to memory of 4628 456 lxrfxlf.exe 87 PID 456 wrote to memory of 4628 456 lxrfxlf.exe 87 PID 4628 wrote to memory of 2628 4628 llrfrlx.exe 88 PID 4628 wrote to memory of 2628 4628 llrfrlx.exe 88 PID 4628 wrote to memory of 2628 4628 llrfrlx.exe 88 PID 2628 wrote to memory of 3624 2628 nhtntn.exe 89 PID 2628 wrote to memory of 3624 2628 nhtntn.exe 89 PID 2628 wrote to memory of 3624 2628 nhtntn.exe 89 PID 3624 wrote to memory of 2492 3624 nbthnh.exe 90 PID 3624 wrote to memory of 2492 3624 nbthnh.exe 90 PID 3624 wrote to memory of 2492 3624 nbthnh.exe 90 PID 2492 wrote to memory of 2420 2492 5xfrxrf.exe 91 PID 2492 wrote to memory of 2420 2492 5xfrxrf.exe 91 PID 2492 wrote to memory of 2420 2492 5xfrxrf.exe 91 PID 2420 wrote to memory of 3684 2420 lflxlfx.exe 92 PID 2420 wrote to memory of 3684 2420 lflxlfx.exe 92 PID 2420 wrote to memory of 3684 2420 lflxlfx.exe 92 PID 3684 wrote to memory of 2936 3684 tntnhb.exe 93 PID 3684 wrote to memory of 2936 3684 tntnhb.exe 93 PID 3684 wrote to memory of 2936 3684 tntnhb.exe 93 PID 2936 wrote to memory of 1404 2936 vdvpd.exe 94 PID 2936 wrote to memory of 1404 2936 vdvpd.exe 94 PID 2936 wrote to memory of 1404 2936 vdvpd.exe 94 PID 1404 wrote to memory of 4560 1404 nbntnn.exe 95 PID 1404 wrote to memory of 
4560 1404 nbntnn.exe 95 PID 1404 wrote to memory of 4560 1404 nbntnn.exe 95 PID 4560 wrote to memory of 2868 4560 bbthtn.exe 96 PID 4560 wrote to memory of 2868 4560 bbthtn.exe 96 PID 4560 wrote to memory of 2868 4560 bbthtn.exe 96 PID 2868 wrote to memory of 4072 2868 5ddpd.exe 97 PID 2868 wrote to memory of 4072 2868 5ddpd.exe 97 PID 2868 wrote to memory of 4072 2868 5ddpd.exe 97 PID 4072 wrote to memory of 3844 4072 xrlrlfx.exe 98 PID 4072 wrote to memory of 3844 4072 xrlrlfx.exe 98 PID 4072 wrote to memory of 3844 4072 xrlrlfx.exe 98 PID 3844 wrote to memory of 1672 3844 hhtnbt.exe 99 PID 3844 wrote to memory of 1672 3844 hhtnbt.exe 99 PID 3844 wrote to memory of 1672 3844 hhtnbt.exe 99 PID 1672 wrote to memory of 2940 1672 nhbnhh.exe 100 PID 1672 wrote to memory of 2940 1672 nhbnhh.exe 100 PID 1672 wrote to memory of 2940 1672 nhbnhh.exe 100 PID 2940 wrote to memory of 3260 2940 pppjp.exe 101 PID 2940 wrote to memory of 3260 2940 pppjp.exe 101 PID 2940 wrote to memory of 3260 2940 pppjp.exe 101 PID 3260 wrote to memory of 4260 3260 dpjdp.exe 103 PID 3260 wrote to memory of 4260 3260 dpjdp.exe 103 PID 3260 wrote to memory of 4260 3260 dpjdp.exe 103 PID 4260 wrote to memory of 4940 4260 xllfxrr.exe 104 PID 4260 wrote to memory of 4940 4260 xllfxrr.exe 104 PID 4260 wrote to memory of 4940 4260 xllfxrr.exe 104 PID 4940 wrote to memory of 3792 4940 1ttnbt.exe 105 PID 4940 wrote to memory of 3792 4940 1ttnbt.exe 105 PID 4940 wrote to memory of 3792 4940 1ttnbt.exe 105 PID 3792 wrote to memory of 3740 3792 ttbtht.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe"C:\Users\Admin\AppData\Local\Temp\082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\hnbbhn.exec:\hnbbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\pjvdp.exec:\pjvdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\lxrfxlf.exec:\lxrfxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\llrfrlx.exec:\llrfrlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\nhtntn.exec:\nhtntn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\nbthnh.exec:\nbthnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\5xfrxrf.exec:\5xfrxrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\lflxlfx.exec:\lflxlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\tntnhb.exec:\tntnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\vdvpd.exec:\vdvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\nbntnn.exec:\nbntnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\bbthtn.exec:\bbthtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\5ddpd.exec:\5ddpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\xrlrlfx.exec:\xrlrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\hhtnbt.exec:\hhtnbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\nhbnhh.exec:\nhbnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\pppjp.exec:\pppjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\dpjdp.exec:\dpjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\xllfxrr.exec:\xllfxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\1ttnbt.exec:\1ttnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\ttbtht.exec:\ttbtht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\vddpd.exec:\vddpd.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3740 -
\??\c:\xlfxxfr.exec:\xlfxxfr.exe24⤵
- Executes dropped EXE
PID:3196 -
\??\c:\btnhbt.exec:\btnhbt.exe25⤵
- Executes dropped EXE
PID:2108 -
\??\c:\hnnbtn.exec:\hnnbtn.exe26⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jddjv.exec:\jddjv.exe27⤵
- Executes dropped EXE
PID:1640 -
\??\c:\djdvj.exec:\djdvj.exe28⤵
- Executes dropped EXE
PID:4532 -
\??\c:\3xxlrlx.exec:\3xxlrlx.exe29⤵
- Executes dropped EXE
PID:4980 -
\??\c:\bbbnnh.exec:\bbbnnh.exe30⤵
- Executes dropped EXE
PID:4676 -
\??\c:\3tbtbt.exec:\3tbtbt.exe31⤵
- Executes dropped EXE
PID:2680 -
\??\c:\vvvjv.exec:\vvvjv.exe32⤵
- Executes dropped EXE
PID:4584 -
\??\c:\ffrflrx.exec:\ffrflrx.exe33⤵
- Executes dropped EXE
PID:4444 -
\??\c:\hhhhbt.exec:\hhhhbt.exe34⤵
- Executes dropped EXE
PID:1532 -
\??\c:\hhbtbt.exec:\hhbtbt.exe35⤵
- Executes dropped EXE
PID:4568 -
\??\c:\jdvvv.exec:\jdvvv.exe36⤵
- Executes dropped EXE
PID:4024 -
\??\c:\jdvjd.exec:\jdvjd.exe37⤵
- Executes dropped EXE
PID:2384 -
\??\c:\xflxrlf.exec:\xflxrlf.exe38⤵
- Executes dropped EXE
PID:4204 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe39⤵
- Executes dropped EXE
PID:5036 -
\??\c:\nhbtnh.exec:\nhbtnh.exe40⤵
- Executes dropped EXE
PID:1916 -
\??\c:\vjjjp.exec:\vjjjp.exe41⤵
- Executes dropped EXE
PID:456 -
\??\c:\pvpjd.exec:\pvpjd.exe42⤵
- Executes dropped EXE
PID:116 -
\??\c:\xxxrlfl.exec:\xxxrlfl.exe43⤵
- Executes dropped EXE
PID:4036 -
\??\c:\3nnhtt.exec:\3nnhtt.exe44⤵
- Executes dropped EXE
PID:2628 -
\??\c:\btnnbt.exec:\btnnbt.exe45⤵
- Executes dropped EXE
PID:1112 -
\??\c:\9jpdp.exec:\9jpdp.exe46⤵
- Executes dropped EXE
PID:4488 -
\??\c:\jpdvj.exec:\jpdvj.exe47⤵
- Executes dropped EXE
PID:3248 -
\??\c:\xrrfrlf.exec:\xrrfrlf.exe48⤵
- Executes dropped EXE
PID:4960 -
\??\c:\rlxrffr.exec:\rlxrffr.exe49⤵
- Executes dropped EXE
PID:3880 -
\??\c:\nhthbt.exec:\nhthbt.exe50⤵
- Executes dropped EXE
PID:4876 -
\??\c:\htbhht.exec:\htbhht.exe51⤵
- Executes dropped EXE
PID:5040 -
\??\c:\vjjvv.exec:\vjjvv.exe52⤵
- Executes dropped EXE
PID:4852 -
\??\c:\vpdpj.exec:\vpdpj.exe53⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lrrlrrf.exec:\lrrlrrf.exe54⤵
- Executes dropped EXE
PID:3092 -
\??\c:\frlfxrf.exec:\frlfxrf.exe55⤵
- Executes dropped EXE
PID:2784 -
\??\c:\tnbtht.exec:\tnbtht.exe56⤵
- Executes dropped EXE
PID:4072 -
\??\c:\dvpdp.exec:\dvpdp.exe57⤵
- Executes dropped EXE
PID:428 -
\??\c:\dddpv.exec:\dddpv.exe58⤵
- Executes dropped EXE
PID:2000 -
\??\c:\9dpdj.exec:\9dpdj.exe59⤵
- Executes dropped EXE
PID:3288 -
\??\c:\xlxrfxr.exec:\xlxrfxr.exe60⤵
- Executes dropped EXE
PID:644 -
\??\c:\bttnnh.exec:\bttnnh.exe61⤵
- Executes dropped EXE
PID:4020 -
\??\c:\nnhntn.exec:\nnhntn.exe62⤵
- Executes dropped EXE
PID:2084 -
\??\c:\vdvvj.exec:\vdvvj.exe63⤵
- Executes dropped EXE
PID:1520 -
\??\c:\3pdpd.exec:\3pdpd.exe64⤵
- Executes dropped EXE
PID:4928 -
\??\c:\fllfrlf.exec:\fllfrlf.exe65⤵
- Executes dropped EXE
PID:1872 -
\??\c:\1xxrlxr.exec:\1xxrlxr.exe66⤵PID:1040
-
\??\c:\tttnbt.exec:\tttnbt.exe67⤵PID:4136
-
\??\c:\hhbhhn.exec:\hhbhhn.exe68⤵PID:3160
-
\??\c:\jvdvv.exec:\jvdvv.exe69⤵PID:4016
-
\??\c:\djdvd.exec:\djdvd.exe70⤵PID:2212
-
\??\c:\dvvvd.exec:\dvvvd.exe71⤵PID:4992
-
\??\c:\xllfrrl.exec:\xllfrrl.exe72⤵PID:2156
-
\??\c:\lllfxxf.exec:\lllfxxf.exe73⤵PID:2368
-
\??\c:\tthbtn.exec:\tthbtn.exe74⤵PID:4188
-
\??\c:\bbthtn.exec:\bbthtn.exe75⤵PID:3000
-
\??\c:\1pvdj.exec:\1pvdj.exe76⤵PID:4256
-
\??\c:\pvpjj.exec:\pvpjj.exe77⤵PID:2256
-
\??\c:\lrflfrf.exec:\lrflfrf.exe78⤵PID:4320
-
\??\c:\lfrllfl.exec:\lfrllfl.exe79⤵PID:2180
-
\??\c:\nhbhhh.exec:\nhbhhh.exe80⤵PID:2448
-
\??\c:\5nnhtb.exec:\5nnhtb.exe81⤵PID:3960
-
\??\c:\pddpp.exec:\pddpp.exe82⤵PID:4360
-
\??\c:\jjjvj.exec:\jjjvj.exe83⤵PID:5044
-
\??\c:\xxrfrlx.exec:\xxrfrlx.exe84⤵PID:3572
-
\??\c:\lxxllxx.exec:\lxxllxx.exe85⤵PID:1120
-
\??\c:\hhnhbt.exec:\hhnhbt.exe86⤵PID:216
-
\??\c:\htnhtb.exec:\htnhtb.exe87⤵PID:2596
-
\??\c:\vddjv.exec:\vddjv.exe88⤵PID:4148
-
\??\c:\vpjdd.exec:\vpjdd.exe89⤵PID:1112
-
\??\c:\pvddj.exec:\pvddj.exe90⤵PID:3244
-
\??\c:\xffxffx.exec:\xffxffx.exe91⤵PID:3248
-
\??\c:\btthhb.exec:\btthhb.exe92⤵PID:1084
-
\??\c:\jvpvp.exec:\jvpvp.exe93⤵PID:1692
-
\??\c:\5fxrllx.exec:\5fxrllx.exe94⤵PID:2296
-
\??\c:\xfrxrrl.exec:\xfrxrrl.exe95⤵PID:5092
-
\??\c:\tnnbtt.exec:\tnnbtt.exe96⤵PID:4560
-
\??\c:\9ntnhb.exec:\9ntnhb.exe97⤵PID:2204
-
\??\c:\5vdpd.exec:\5vdpd.exe98⤵PID:4240
-
\??\c:\bthbnh.exec:\bthbnh.exe99⤵PID:3844
-
\??\c:\jdvpd.exec:\jdvpd.exe100⤵PID:4388
-
\??\c:\vpjvj.exec:\vpjvj.exe101⤵PID:3548
-
\??\c:\rfxlffr.exec:\rfxlffr.exe102⤵PID:4672
-
\??\c:\lrxlxrr.exec:\lrxlxrr.exe103⤵PID:2648
-
\??\c:\nnthtn.exec:\nnthtn.exe104⤵PID:4956
-
\??\c:\thnhbt.exec:\thnhbt.exe105⤵PID:684
-
\??\c:\jvdvp.exec:\jvdvp.exe106⤵PID:4052
-
\??\c:\pdpdp.exec:\pdpdp.exe107⤵PID:4696
-
\??\c:\fxrfrll.exec:\fxrfrll.exe108⤵PID:4384
-
\??\c:\xxfflrx.exec:\xxfflrx.exe109⤵PID:3196
-
\??\c:\1xxlfxf.exec:\1xxlfxf.exe110⤵PID:2108
-
\??\c:\1tnthb.exec:\1tnthb.exe111⤵PID:4732
-
\??\c:\thhhtn.exec:\thhhtn.exe112⤵PID:2200
-
\??\c:\pdjpj.exec:\pdjpj.exe113⤵PID:4712
-
\??\c:\frflxrf.exec:\frflxrf.exe114⤵PID:3968
-
\??\c:\rllffxl.exec:\rllffxl.exe115⤵PID:1068
-
\??\c:\htnhtn.exec:\htnhtn.exe116⤵PID:2680
-
\??\c:\dddvj.exec:\dddvj.exe117⤵PID:4188
-
\??\c:\dvjvj.exec:\dvjvj.exe118⤵PID:3000
-
\??\c:\rfxrrll.exec:\rfxrrll.exe119⤵PID:2332
-
\??\c:\1frlxrf.exec:\1frlxrf.exe120⤵PID:4744
-
\??\c:\bnthhb.exec:\bnthhb.exe121⤵PID:4456
-
\??\c:\1nthbb.exec:\1nthbb.exe122⤵PID:3976