Analysis
-
max time kernel
150s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
17/10/2024, 18:21
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe
Resource
win7-20240903-en (note: this behavioral-task resource is a Windows 7 image, but the analysis header above lists platform windows10-2004_x64 / win10v2004-20241007-en and every memory-dump IoC below is labelled behavioral2 — the results shown on this page appear to come from the Windows 10 run, not from this win7 resource)
6 signatures
150 seconds
General
-
Target
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe
-
Size
69KB
-
MD5
371a367028b140e10f0b6bde52fe4b21
-
SHA1
6137db7d50b45f5c6fb8a27e3bfb92dc9e202bdc
-
SHA256
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db
-
SHA512
284fb1a1eb5c01e1bc49814f0fb035158ee61b5e355f683ea4df45fe9fb02cfead89aa91bdae9ac0e3e192528f484596f80ce452e6865fd284a44218904be022
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qjH4l:ymb3NkkiQ3mdBjFIj+qjH4l
Malware Config (no extracted configuration is listed on this page)
Signatures
-
Detect Blackmoon payload — 25 IoCs (YARA rule family_blackmoon matched in process memory; every hit is the same 0x00400000–0x00429000 image region, once per dropped stage, which suggests each stage is a copy of the same unpacked image — confirm by hashing the dropped files)
resource yara_rule behavioral2/memory/2080-9-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/708-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4912-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1784-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2984-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4520-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4520-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4448-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1596-84-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/988-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/264-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/988-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4444-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3208-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/396-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2232-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1692-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4824-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3816-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4792-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3416-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1076-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1160-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5116-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3924-214-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64 entries; the process tree below continues to depth 122. Some PIDs recur with different image names, e.g. 4448, 988 and 4824, because Windows reuses the PIDs of exited processes — key on the process-tree position or image path, not on the PID alone)
pid Process 4520 7llfrrr.exe 708 bttnhh.exe 3276 bthbbb.exe 4912 dvvpp.exe 1784 vpdpp.exe 2984 fffxrrr.exe 1220 xrfxxxr.exe 4448 djvjd.exe 988 frxrlll.exe 1596 tbtttt.exe 3684 7ntbbb.exe 264 dvvvp.exe 4444 jdjdv.exe 1424 rxxrfrr.exe 3208 7htnhh.exe 396 dddvp.exe 2876 lrxxflr.exe 2232 3xlllll.exe 1692 bnhhbb.exe 2156 9ttbtt.exe 4824 ppjvv.exe 3816 jjpjj.exe 1464 xrxrrrl.exe 4792 1thhbb.exe 3416 ntbbtt.exe 1076 jjjpj.exe 4852 flxxrrl.exe 1160 1thhtb.exe 4812 btbbbb.exe 5116 7jvvv.exe 3924 1frlrrf.exe 2912 tttttb.exe 5000 nhnhhb.exe 1884 pjvpd.exe 1060 ffffxxl.exe 1620 fffxxfx.exe 2088 nbbbnb.exe 3440 dppjp.exe 1404 pdvdd.exe 4300 ffrrfrx.exe 3760 nbtbtb.exe 1648 hhtttt.exe 4672 vjjjj.exe 3400 vvdpd.exe 4448 xxfffrr.exe 988 lxlrxfl.exe 1600 ntttbh.exe 4560 bhhntb.exe 1520 jppvp.exe 216 djpjp.exe 5040 rxflxfl.exe 2540 1rfffff.exe 1808 nnbbhh.exe 4032 btbbtb.exe 768 pjjvv.exe 4928 flxxfll.exe 2544 fxxllxx.exe 1516 thtbnn.exe 1392 bhbbhn.exe 2428 vvdvd.exe 4936 lxlrfrr.exe 4824 lfxlxlr.exe 4872 5nhbtb.exe 3096 djvvj.exe -
resource yara_rule behavioral2/memory/2080-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2080-9-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/708-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4912-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1784-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4912-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2984-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4520-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1220-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4520-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1220-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4448-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4448-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4448-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/988-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1596-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/988-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/264-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/988-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/988-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4444-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3208-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/396-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2232-137-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1692-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4824-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3816-159-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4792-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3416-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1076-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1160-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5116-206-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3924-214-0x0000000000400000-0x0000000000429000-memory.dmp upx -
(The YARA rule named `upx` above carries no signature title on this page. It matched the same 0x00400000–0x00429000 image region of every stage that family_blackmoon matched; a rule with this name typically indicates the UPX packer, so detection content should be written against the unpacked in-memory image rather than against the 69KB file on disk.)
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location; reading the locale this way is commonly used as a geofence / kill-switch check, though the page does not show what the sample does with the value. Most entries below are attributed to "Process not Found", meaning the sandbox could not tie the registry open to a tracked process (the dropped stages are short-lived), so 64 IoCs should not be read as 64 distinct processes, and the list is capped at 64 entries.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllllr.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (capped at 64 entries; coverage ends at stage 23, ppjvv.exe → jjpjj.exe. Each parent writes to its newly created child three times and the pattern is strictly linear — one parent, one child — so the sample is a self-propagating chain of dropped executables rather than a fan-out; whether these writes are ordinary process-creation bookkeeping or code injection is not shown on this page)
description pid Process procid_target PID 2080 wrote to memory of 4520 2080 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 84 PID 2080 wrote to memory of 4520 2080 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 84 PID 2080 wrote to memory of 4520 2080 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 84 PID 4520 wrote to memory of 708 4520 7llfrrr.exe 85 PID 4520 wrote to memory of 708 4520 7llfrrr.exe 85 PID 4520 wrote to memory of 708 4520 7llfrrr.exe 85 PID 708 wrote to memory of 3276 708 bttnhh.exe 86 PID 708 wrote to memory of 3276 708 bttnhh.exe 86 PID 708 wrote to memory of 3276 708 bttnhh.exe 86 PID 3276 wrote to memory of 4912 3276 bthbbb.exe 87 PID 3276 wrote to memory of 4912 3276 bthbbb.exe 87 PID 3276 wrote to memory of 4912 3276 bthbbb.exe 87 PID 4912 wrote to memory of 1784 4912 dvvpp.exe 88 PID 4912 wrote to memory of 1784 4912 dvvpp.exe 88 PID 4912 wrote to memory of 1784 4912 dvvpp.exe 88 PID 1784 wrote to memory of 2984 1784 vpdpp.exe 89 PID 1784 wrote to memory of 2984 1784 vpdpp.exe 89 PID 1784 wrote to memory of 2984 1784 vpdpp.exe 89 PID 2984 wrote to memory of 1220 2984 fffxrrr.exe 90 PID 2984 wrote to memory of 1220 2984 fffxrrr.exe 90 PID 2984 wrote to memory of 1220 2984 fffxrrr.exe 90 PID 1220 wrote to memory of 4448 1220 xrfxxxr.exe 91 PID 1220 wrote to memory of 4448 1220 xrfxxxr.exe 91 PID 1220 wrote to memory of 4448 1220 xrfxxxr.exe 91 PID 4448 wrote to memory of 988 4448 djvjd.exe 92 PID 4448 wrote to memory of 988 4448 djvjd.exe 92 PID 4448 wrote to memory of 988 4448 djvjd.exe 92 PID 988 wrote to memory of 1596 988 frxrlll.exe 93 PID 988 wrote to memory of 1596 988 frxrlll.exe 93 PID 988 wrote to memory of 1596 988 frxrlll.exe 93 PID 1596 wrote to memory of 3684 1596 tbtttt.exe 94 PID 1596 wrote to memory of 3684 1596 tbtttt.exe 94 PID 1596 wrote to memory of 3684 1596 tbtttt.exe 94 PID 3684 wrote to memory of 264 3684 7ntbbb.exe 95 PID 3684 wrote to memory of 264 
3684 7ntbbb.exe 95 PID 3684 wrote to memory of 264 3684 7ntbbb.exe 95 PID 264 wrote to memory of 4444 264 dvvvp.exe 96 PID 264 wrote to memory of 4444 264 dvvvp.exe 96 PID 264 wrote to memory of 4444 264 dvvvp.exe 96 PID 4444 wrote to memory of 1424 4444 jdjdv.exe 98 PID 4444 wrote to memory of 1424 4444 jdjdv.exe 98 PID 4444 wrote to memory of 1424 4444 jdjdv.exe 98 PID 1424 wrote to memory of 3208 1424 rxxrfrr.exe 100 PID 1424 wrote to memory of 3208 1424 rxxrfrr.exe 100 PID 1424 wrote to memory of 3208 1424 rxxrfrr.exe 100 PID 3208 wrote to memory of 396 3208 7htnhh.exe 101 PID 3208 wrote to memory of 396 3208 7htnhh.exe 101 PID 3208 wrote to memory of 396 3208 7htnhh.exe 101 PID 396 wrote to memory of 2876 396 dddvp.exe 102 PID 396 wrote to memory of 2876 396 dddvp.exe 102 PID 396 wrote to memory of 2876 396 dddvp.exe 102 PID 2876 wrote to memory of 2232 2876 lrxxflr.exe 103 PID 2876 wrote to memory of 2232 2876 lrxxflr.exe 103 PID 2876 wrote to memory of 2232 2876 lrxxflr.exe 103 PID 2232 wrote to memory of 1692 2232 3xlllll.exe 104 PID 2232 wrote to memory of 1692 2232 3xlllll.exe 104 PID 2232 wrote to memory of 1692 2232 3xlllll.exe 104 PID 1692 wrote to memory of 2156 1692 bnhhbb.exe 105 PID 1692 wrote to memory of 2156 1692 bnhhbb.exe 105 PID 1692 wrote to memory of 2156 1692 bnhhbb.exe 105 PID 2156 wrote to memory of 4824 2156 9ttbtt.exe 106 PID 2156 wrote to memory of 4824 2156 9ttbtt.exe 106 PID 2156 wrote to memory of 4824 2156 9ttbtt.exe 106 PID 4824 wrote to memory of 3816 4824 ppjvv.exe 107
Processes (tree view; each dropped stage is written to the root of the C: drive as \??\c:\<name>.exe with a short pseudo-random name built from the letters b/d/f/h/j/l/n/p/r/t/v/x plus an optional leading digit, and each stage launches the next — the tree reaches depth 122 within the 150 s run; stages from ⤵66 onward are listed without signature tags)
-
C:\Users\Admin\AppData\Local\Temp\082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe"C:\Users\Admin\AppData\Local\Temp\082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\7llfrrr.exec:\7llfrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\bttnhh.exec:\bttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\bthbbb.exec:\bthbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\dvvpp.exec:\dvvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\vpdpp.exec:\vpdpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\fffxrrr.exec:\fffxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\xrfxxxr.exec:\xrfxxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\djvjd.exec:\djvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\frxrlll.exec:\frxrlll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\tbtttt.exec:\tbtttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\7ntbbb.exec:\7ntbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\dvvvp.exec:\dvvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\jdjdv.exec:\jdjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\rxxrfrr.exec:\rxxrfrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\7htnhh.exec:\7htnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\dddvp.exec:\dddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\lrxxflr.exec:\lrxxflr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\3xlllll.exec:\3xlllll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\bnhhbb.exec:\bnhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\9ttbtt.exec:\9ttbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\ppjvv.exec:\ppjvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\jjpjj.exec:\jjpjj.exe23⤵
- Executes dropped EXE
PID:3816 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe24⤵
- Executes dropped EXE
PID:1464 -
\??\c:\1thhbb.exec:\1thhbb.exe25⤵
- Executes dropped EXE
PID:4792 -
\??\c:\ntbbtt.exec:\ntbbtt.exe26⤵
- Executes dropped EXE
PID:3416 -
\??\c:\jjjpj.exec:\jjjpj.exe27⤵
- Executes dropped EXE
PID:1076 -
\??\c:\flxxrrl.exec:\flxxrrl.exe28⤵
- Executes dropped EXE
PID:4852 -
\??\c:\1thhtb.exec:\1thhtb.exe29⤵
- Executes dropped EXE
PID:1160 -
\??\c:\btbbbb.exec:\btbbbb.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4812 -
\??\c:\7jvvv.exec:\7jvvv.exe31⤵
- Executes dropped EXE
PID:5116 -
\??\c:\1frlrrf.exec:\1frlrrf.exe32⤵
- Executes dropped EXE
PID:3924 -
\??\c:\tttttb.exec:\tttttb.exe33⤵
- Executes dropped EXE
PID:2912 -
\??\c:\nhnhhb.exec:\nhnhhb.exe34⤵
- Executes dropped EXE
PID:5000 -
\??\c:\pjvpd.exec:\pjvpd.exe35⤵
- Executes dropped EXE
PID:1884 -
\??\c:\ffffxxl.exec:\ffffxxl.exe36⤵
- Executes dropped EXE
PID:1060 -
\??\c:\fffxxfx.exec:\fffxxfx.exe37⤵
- Executes dropped EXE
PID:1620 -
\??\c:\nbbbnb.exec:\nbbbnb.exe38⤵
- Executes dropped EXE
PID:2088 -
\??\c:\dppjp.exec:\dppjp.exe39⤵
- Executes dropped EXE
PID:3440 -
\??\c:\pdvdd.exec:\pdvdd.exe40⤵
- Executes dropped EXE
PID:1404 -
\??\c:\ffrrfrx.exec:\ffrrfrx.exe41⤵
- Executes dropped EXE
PID:4300 -
\??\c:\nbtbtb.exec:\nbtbtb.exe42⤵
- Executes dropped EXE
PID:3760 -
\??\c:\hhtttt.exec:\hhtttt.exe43⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vjjjj.exec:\vjjjj.exe44⤵
- Executes dropped EXE
PID:4672 -
\??\c:\vvdpd.exec:\vvdpd.exe45⤵
- Executes dropped EXE
PID:3400 -
\??\c:\xxfffrr.exec:\xxfffrr.exe46⤵
- Executes dropped EXE
PID:4448 -
\??\c:\lxlrxfl.exec:\lxlrxfl.exe47⤵
- Executes dropped EXE
PID:988 -
\??\c:\ntttbh.exec:\ntttbh.exe48⤵
- Executes dropped EXE
PID:1600 -
\??\c:\bhhntb.exec:\bhhntb.exe49⤵
- Executes dropped EXE
PID:4560 -
\??\c:\jppvp.exec:\jppvp.exe50⤵
- Executes dropped EXE
PID:1520 -
\??\c:\djpjp.exec:\djpjp.exe51⤵
- Executes dropped EXE
PID:216 -
\??\c:\rxflxfl.exec:\rxflxfl.exe52⤵
- Executes dropped EXE
PID:5040 -
\??\c:\1rfffff.exec:\1rfffff.exe53⤵
- Executes dropped EXE
PID:2540 -
\??\c:\nnbbhh.exec:\nnbbhh.exe54⤵
- Executes dropped EXE
PID:1808 -
\??\c:\btbbtb.exec:\btbbtb.exe55⤵
- Executes dropped EXE
PID:4032 -
\??\c:\pjjvv.exec:\pjjvv.exe56⤵
- Executes dropped EXE
PID:768 -
\??\c:\flxxfll.exec:\flxxfll.exe57⤵
- Executes dropped EXE
PID:4928 -
\??\c:\fxxllxx.exec:\fxxllxx.exe58⤵
- Executes dropped EXE
PID:2544 -
\??\c:\thtbnn.exec:\thtbnn.exe59⤵
- Executes dropped EXE
PID:1516 -
\??\c:\bhbbhn.exec:\bhbbhn.exe60⤵
- Executes dropped EXE
PID:1392 -
\??\c:\vvdvd.exec:\vvdvd.exe61⤵
- Executes dropped EXE
PID:2428 -
\??\c:\lxlrfrr.exec:\lxlrfrr.exe62⤵
- Executes dropped EXE
PID:4936 -
\??\c:\lfxlxlr.exec:\lfxlxlr.exe63⤵
- Executes dropped EXE
PID:4824 -
\??\c:\5nhbtb.exec:\5nhbtb.exe64⤵
- Executes dropped EXE
PID:4872 -
\??\c:\djvvj.exec:\djvvj.exe65⤵
- Executes dropped EXE
PID:3096 -
\??\c:\7dvvp.exec:\7dvvp.exe66⤵PID:3848
-
\??\c:\xflxrll.exec:\xflxrll.exe67⤵PID:4388
-
\??\c:\tbhbth.exec:\tbhbth.exe68⤵PID:2748
-
\??\c:\vvpjd.exec:\vvpjd.exe69⤵PID:3408
-
\??\c:\lrllllx.exec:\lrllllx.exe70⤵PID:4592
-
\??\c:\fxxrxxf.exec:\fxxrxxf.exe71⤵PID:3016
-
\??\c:\djvpp.exec:\djvpp.exe72⤵PID:2340
-
\??\c:\dvvpd.exec:\dvvpd.exe73⤵PID:1064
-
\??\c:\rlfxxxx.exec:\rlfxxxx.exe74⤵PID:1388
-
\??\c:\vvdjj.exec:\vvdjj.exe75⤵PID:4216
-
\??\c:\jddvp.exec:\jddvp.exe76⤵PID:2076
-
\??\c:\xxxrfff.exec:\xxxrfff.exe77⤵PID:3424
-
\??\c:\bbnntt.exec:\bbnntt.exe78⤵PID:3492
-
\??\c:\lxfffxr.exec:\lxfffxr.exe79⤵
- System Location Discovery: System Language Discovery
PID:4528 -
\??\c:\9xffxrr.exec:\9xffxrr.exe80⤵PID:4916
-
\??\c:\pjjjj.exec:\pjjjj.exe81⤵PID:5080
-
\??\c:\jdppp.exec:\jdppp.exe82⤵PID:1868
-
\??\c:\5frlrll.exec:\5frlrll.exe83⤵PID:3844
-
\??\c:\nnbthh.exec:\nnbthh.exe84⤵PID:920
-
\??\c:\tttbbb.exec:\tttbbb.exe85⤵PID:3404
-
\??\c:\dpdvj.exec:\dpdvj.exe86⤵PID:3780
-
\??\c:\xfxrrxx.exec:\xfxrrxx.exe87⤵PID:3992
-
\??\c:\3hnnhh.exec:\3hnnhh.exe88⤵PID:2456
-
\??\c:\ppdpp.exec:\ppdpp.exe89⤵PID:2192
-
\??\c:\llxrxrr.exec:\llxrxrr.exe90⤵PID:3444
-
\??\c:\xxxxrxr.exec:\xxxxrxr.exe91⤵PID:2684
-
\??\c:\hnbbht.exec:\hnbbht.exe92⤵PID:2044
-
\??\c:\ppjvp.exec:\ppjvp.exe93⤵PID:844
-
\??\c:\5pdvd.exec:\5pdvd.exe94⤵PID:668
-
\??\c:\3rfrlrf.exec:\3rfrlrf.exe95⤵PID:1596
-
\??\c:\1bttnn.exec:\1bttnn.exe96⤵PID:5032
-
\??\c:\9jjjd.exec:\9jjjd.exe97⤵PID:3828
-
\??\c:\9lrlxfx.exec:\9lrlxfx.exe98⤵PID:2480
-
\??\c:\xrxxrxr.exec:\xrxxrxr.exe99⤵PID:3320
-
\??\c:\nhnhht.exec:\nhnhht.exe100⤵PID:3332
-
\??\c:\hnbhnb.exec:\hnbhnb.exe101⤵PID:4180
-
\??\c:\vvdpj.exec:\vvdpj.exe102⤵PID:4968
-
\??\c:\dpppp.exec:\dpppp.exe103⤵PID:2264
-
\??\c:\5lffxfr.exec:\5lffxfr.exe104⤵PID:1940
-
\??\c:\bbttbh.exec:\bbttbh.exe105⤵PID:2768
-
\??\c:\jdpjj.exec:\jdpjj.exe106⤵PID:4092
-
\??\c:\lxxxrxf.exec:\lxxxrxf.exe107⤵PID:2388
-
\??\c:\rrlrllx.exec:\rrlrllx.exe108⤵PID:3248
-
\??\c:\hbttnn.exec:\hbttnn.exe109⤵PID:2156
-
\??\c:\jdddj.exec:\jdddj.exe110⤵PID:944
-
\??\c:\rlxxxrr.exec:\rlxxxrr.exe111⤵PID:1308
-
\??\c:\lxxxfll.exec:\lxxxfll.exe112⤵PID:3932
-
\??\c:\bhntbh.exec:\bhntbh.exe113⤵PID:3744
-
\??\c:\ddpvv.exec:\ddpvv.exe114⤵PID:1968
-
\??\c:\vvdvv.exec:\vvdvv.exe115⤵PID:4524
-
\??\c:\xflllrx.exec:\xflllrx.exe116⤵PID:1076
-
\??\c:\rrllrfl.exec:\rrllrfl.exe117⤵PID:4580
-
\??\c:\dvddv.exec:\dvddv.exe118⤵PID:3032
-
\??\c:\nnntnn.exec:\nnntnn.exe119⤵PID:3660
-
\??\c:\vddvv.exec:\vddvv.exe120⤵PID:4852
-
\??\c:\lllxrfr.exec:\lllxrfr.exe121⤵PID:3500
-
\??\c:\fxlxrlx.exec:\fxlxrlx.exe122⤵PID:1992