Analysis
-
max time kernel
117s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 14:29
Static task
static1
Behavioral task
behavioral1
Sample
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
Resource
win7-20240903-en
General
-
Target
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
-
Size
72KB
-
MD5
48a14a56008816ab2cba9121afc68b50
-
SHA1
88f815e444766d3f93175995c86504fd05a67838
-
SHA256
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbd
-
SHA512
ffb91efd11ad5d472c2909b0b2e17bf5f8d584a31293e8c6aa81a9b91c34c578eac6f37a886ffa57d3f62d247fbc328608771d881da3cb557c7edf4e9908fcea
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65x:ymb3NkkiQ3mdBjFIFdJ8bViW67
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
resource yara_rule behavioral2/memory/708-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2288-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4424-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3484-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4780-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2184-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/224-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/224-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2828-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2092-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/780-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/696-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4668-98-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3788-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1476-122-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4640-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4928-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3868-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/836-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3560-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3660-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2068-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/876-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2600-182-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3632-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4884-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1540-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/920-212-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2288 jjppp.exe 4424 ddjdp.exe 3484 rxfrfff.exe 4780 7ppjd.exe 2184 vppjv.exe 224 tnhhbb.exe 2828 btbtnh.exe 2092 ddjvp.exe 780 1lrllxf.exe 2988 hbbttt.exe 696 jjpjv.exe 4668 djpjj.exe 3788 1xrxffl.exe 1548 tthbbt.exe 3316 vpdvj.exe 1476 7jjdp.exe 4640 frxrffr.exe 4928 ttbttn.exe 3868 djjdd.exe 836 jvvpd.exe 3560 xxxffll.exe 3660 7bhbtt.exe 548 dppjd.exe 2068 rlrrfxl.exe 876 fxlfxfx.exe 2600 9bhbbb.exe 3632 vjjpd.exe 4356 5xffxxr.exe 4884 7xllffr.exe 1540 thtnhh.exe 920 jjpjd.exe 3480 fxfxrll.exe 2112 xxxfrfr.exe 3156 thbtnb.exe 4548 pddvp.exe 5020 vjjdv.exe 4388 xfxrflf.exe 2040 bntbtt.exe 4320 bbntth.exe 2920 pvpvp.exe 4488 xrrxxxr.exe 2180 hhnnbt.exe 3884 pjdpj.exe 2700 jjjdd.exe 464 xrxxlll.exe 396 nbnbbn.exe 2568 3pjpv.exe 544 lllfxxx.exe 1204 vpvvp.exe 5004 rfrfrfr.exe 1924 rrrfrrx.exe 3516 bttnhh.exe 5048 xrlfxxr.exe 5044 xfffrfl.exe 4888 hbbtnt.exe 2940 fxrrlrr.exe 3356 bttnhb.exe 2732 3jpjv.exe 468 jjpjv.exe 1796 rrrffff.exe 1136 btbhbb.exe 1524 tnhbhh.exe 1488 vpvvp.exe 3692 5rffrff.exe -
resource yara_rule behavioral2/memory/708-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/708-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2288-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4424-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2288-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3484-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3484-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4780-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2184-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2184-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2184-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2184-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/224-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/224-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/224-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2828-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2092-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/780-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2988-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2988-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/696-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4668-98-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3788-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1476-122-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4640-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4928-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3868-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/836-145-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3560-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3660-157-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2068-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/876-176-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2600-182-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3632-188-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4884-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1540-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/920-212-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 708 wrote to memory of 2288 708 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 84 PID 708 wrote to memory of 2288 708 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 84 PID 708 wrote to memory of 2288 708 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 84 PID 2288 wrote to memory of 4424 2288 jjppp.exe 85 PID 2288 wrote to memory of 4424 2288 jjppp.exe 85 PID 2288 wrote to memory of 4424 2288 jjppp.exe 85 PID 4424 wrote to memory of 3484 4424 ddjdp.exe 86 PID 4424 wrote to memory of 3484 4424 ddjdp.exe 86 PID 4424 wrote to memory of 3484 4424 ddjdp.exe 86 PID 3484 wrote to memory of 4780 3484 rxfrfff.exe 87 PID 3484 wrote to memory of 4780 3484 rxfrfff.exe 87 PID 3484 wrote to memory of 4780 3484 rxfrfff.exe 87 PID 4780 wrote to memory of 2184 4780 7ppjd.exe 88 PID 4780 wrote to memory of 2184 4780 7ppjd.exe 88 PID 4780 wrote to memory of 2184 4780 7ppjd.exe 88 PID 2184 wrote to memory of 224 2184 vppjv.exe 89 PID 2184 wrote to memory of 224 2184 vppjv.exe 89 PID 2184 wrote to memory of 224 2184 vppjv.exe 89 PID 224 wrote to memory of 2828 224 tnhhbb.exe 90 PID 224 wrote to memory of 2828 224 tnhhbb.exe 90 PID 224 wrote to memory of 2828 224 tnhhbb.exe 90 PID 2828 wrote to memory of 2092 2828 btbtnh.exe 91 PID 2828 wrote to memory of 2092 2828 btbtnh.exe 91 PID 2828 wrote to memory of 2092 2828 btbtnh.exe 91 PID 2092 wrote to memory of 780 2092 ddjvp.exe 92 PID 2092 wrote to memory of 780 2092 ddjvp.exe 92 PID 2092 wrote to memory of 780 2092 ddjvp.exe 92 PID 780 wrote to memory of 2988 780 1lrllxf.exe 93 PID 780 wrote to memory of 2988 780 1lrllxf.exe 93 PID 780 wrote to memory of 2988 780 1lrllxf.exe 93 PID 2988 wrote to memory of 696 2988 hbbttt.exe 94 PID 2988 wrote to memory of 696 2988 hbbttt.exe 94 PID 2988 wrote to memory of 696 2988 hbbttt.exe 94 PID 696 wrote to memory of 4668 696 jjpjv.exe 96 PID 696 wrote to memory of 4668 696 jjpjv.exe 96 PID 
696 wrote to memory of 4668 696 jjpjv.exe 96 PID 4668 wrote to memory of 3788 4668 djpjj.exe 97 PID 4668 wrote to memory of 3788 4668 djpjj.exe 97 PID 4668 wrote to memory of 3788 4668 djpjj.exe 97 PID 3788 wrote to memory of 1548 3788 1xrxffl.exe 98 PID 3788 wrote to memory of 1548 3788 1xrxffl.exe 98 PID 3788 wrote to memory of 1548 3788 1xrxffl.exe 98 PID 1548 wrote to memory of 3316 1548 tthbbt.exe 99 PID 1548 wrote to memory of 3316 1548 tthbbt.exe 99 PID 1548 wrote to memory of 3316 1548 tthbbt.exe 99 PID 3316 wrote to memory of 1476 3316 vpdvj.exe 100 PID 3316 wrote to memory of 1476 3316 vpdvj.exe 100 PID 3316 wrote to memory of 1476 3316 vpdvj.exe 100 PID 1476 wrote to memory of 4640 1476 7jjdp.exe 101 PID 1476 wrote to memory of 4640 1476 7jjdp.exe 101 PID 1476 wrote to memory of 4640 1476 7jjdp.exe 101 PID 4640 wrote to memory of 4928 4640 frxrffr.exe 102 PID 4640 wrote to memory of 4928 4640 frxrffr.exe 102 PID 4640 wrote to memory of 4928 4640 frxrffr.exe 102 PID 4928 wrote to memory of 3868 4928 ttbttn.exe 103 PID 4928 wrote to memory of 3868 4928 ttbttn.exe 103 PID 4928 wrote to memory of 3868 4928 ttbttn.exe 103 PID 3868 wrote to memory of 836 3868 djjdd.exe 104 PID 3868 wrote to memory of 836 3868 djjdd.exe 104 PID 3868 wrote to memory of 836 3868 djjdd.exe 104 PID 836 wrote to memory of 3560 836 jvvpd.exe 105 PID 836 wrote to memory of 3560 836 jvvpd.exe 105 PID 836 wrote to memory of 3560 836 jvvpd.exe 105 PID 3560 wrote to memory of 3660 3560 xxxffll.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\jjppp.exec:\jjppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\ddjdp.exec:\ddjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\rxfrfff.exec:\rxfrfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\7ppjd.exec:\7ppjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\vppjv.exec:\vppjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\tnhhbb.exec:\tnhhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\btbtnh.exec:\btbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\ddjvp.exec:\ddjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\1lrllxf.exec:\1lrllxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\hbbttt.exec:\hbbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\jjpjv.exec:\jjpjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\djpjj.exec:\djpjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\1xrxffl.exec:\1xrxffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\tthbbt.exec:\tthbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\vpdvj.exec:\vpdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\7jjdp.exec:\7jjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\frxrffr.exec:\frxrffr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\ttbttn.exec:\ttbttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\djjdd.exec:\djjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\jvvpd.exec:\jvvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\xxxffll.exec:\xxxffll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\7bhbtt.exec:\7bhbtt.exe23⤵
- Executes dropped EXE
PID:3660 -
\??\c:\dppjd.exec:\dppjd.exe24⤵
- Executes dropped EXE
PID:548 -
\??\c:\rlrrfxl.exec:\rlrrfxl.exe25⤵
- Executes dropped EXE
PID:2068 -
\??\c:\fxlfxfx.exec:\fxlfxfx.exe26⤵
- Executes dropped EXE
PID:876 -
\??\c:\9bhbbb.exec:\9bhbbb.exe27⤵
- Executes dropped EXE
PID:2600 -
\??\c:\vjjpd.exec:\vjjpd.exe28⤵
- Executes dropped EXE
PID:3632 -
\??\c:\5xffxxr.exec:\5xffxxr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356 -
\??\c:\7xllffr.exec:\7xllffr.exe30⤵
- Executes dropped EXE
PID:4884 -
\??\c:\thtnhh.exec:\thtnhh.exe31⤵
- Executes dropped EXE
PID:1540 -
\??\c:\jjpjd.exec:\jjpjd.exe32⤵
- Executes dropped EXE
PID:920 -
\??\c:\fxfxrll.exec:\fxfxrll.exe33⤵
- Executes dropped EXE
PID:3480 -
\??\c:\xxxfrfr.exec:\xxxfrfr.exe34⤵
- Executes dropped EXE
PID:2112 -
\??\c:\thbtnb.exec:\thbtnb.exe35⤵
- Executes dropped EXE
PID:3156 -
\??\c:\pddvp.exec:\pddvp.exe36⤵
- Executes dropped EXE
PID:4548 -
\??\c:\vjjdv.exec:\vjjdv.exe37⤵
- Executes dropped EXE
PID:5020 -
\??\c:\xfxrflf.exec:\xfxrflf.exe38⤵
- Executes dropped EXE
PID:4388 -
\??\c:\bntbtt.exec:\bntbtt.exe39⤵
- Executes dropped EXE
PID:2040 -
\??\c:\bbntth.exec:\bbntth.exe40⤵
- Executes dropped EXE
PID:4320 -
\??\c:\pvpvp.exec:\pvpvp.exe41⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xrrxxxr.exec:\xrrxxxr.exe42⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hhnnbt.exec:\hhnnbt.exe43⤵
- Executes dropped EXE
PID:2180 -
\??\c:\pjdpj.exec:\pjdpj.exe44⤵
- Executes dropped EXE
PID:3884 -
\??\c:\jjjdd.exec:\jjjdd.exe45⤵
- Executes dropped EXE
PID:2700 -
\??\c:\xrxxlll.exec:\xrxxlll.exe46⤵
- Executes dropped EXE
PID:464 -
\??\c:\nbnbbn.exec:\nbnbbn.exe47⤵
- Executes dropped EXE
PID:396 -
\??\c:\3pjpv.exec:\3pjpv.exe48⤵
- Executes dropped EXE
PID:2568 -
\??\c:\lllfxxx.exec:\lllfxxx.exe49⤵
- Executes dropped EXE
PID:544 -
\??\c:\vpvvp.exec:\vpvvp.exe50⤵
- Executes dropped EXE
PID:1204 -
\??\c:\rfrfrfr.exec:\rfrfrfr.exe51⤵
- Executes dropped EXE
PID:5004 -
\??\c:\rrrfrrx.exec:\rrrfrrx.exe52⤵
- Executes dropped EXE
PID:1924 -
\??\c:\bttnhh.exec:\bttnhh.exe53⤵
- Executes dropped EXE
PID:3516 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe54⤵
- Executes dropped EXE
PID:5048 -
\??\c:\xfffrfl.exec:\xfffrfl.exe55⤵
- Executes dropped EXE
PID:5044 -
\??\c:\hbbtnt.exec:\hbbtnt.exe56⤵
- Executes dropped EXE
PID:4888 -
\??\c:\fxrrlrr.exec:\fxrrlrr.exe57⤵
- Executes dropped EXE
PID:2940 -
\??\c:\bttnhb.exec:\bttnhb.exe58⤵
- Executes dropped EXE
PID:3356 -
\??\c:\3jpjv.exec:\3jpjv.exe59⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jjpjv.exec:\jjpjv.exe60⤵
- Executes dropped EXE
PID:468 -
\??\c:\rrrffff.exec:\rrrffff.exe61⤵
- Executes dropped EXE
PID:1796 -
\??\c:\btbhbb.exec:\btbhbb.exe62⤵
- Executes dropped EXE
PID:1136 -
\??\c:\tnhbhh.exec:\tnhbhh.exe63⤵
- Executes dropped EXE
PID:1524 -
\??\c:\vpvvp.exec:\vpvvp.exe64⤵
- Executes dropped EXE
PID:1488 -
\??\c:\5rffrff.exec:\5rffrff.exe65⤵
- Executes dropped EXE
PID:3692 -
\??\c:\nttttb.exec:\nttttb.exe66⤵PID:2480
-
\??\c:\pvjdd.exec:\pvjdd.exe67⤵PID:3756
-
\??\c:\5llfxxr.exec:\5llfxxr.exe68⤵PID:5096
-
\??\c:\xrrxrlf.exec:\xrrxrlf.exe69⤵PID:4364
-
\??\c:\rlxrlll.exec:\rlxrlll.exe70⤵PID:4920
-
\??\c:\hhnnnn.exec:\hhnnnn.exe71⤵PID:1948
-
\??\c:\dpvjj.exec:\dpvjj.exe72⤵PID:2008
-
\??\c:\fxfxffl.exec:\fxfxffl.exe73⤵PID:2304
-
\??\c:\btbbtt.exec:\btbbtt.exe74⤵PID:1380
-
\??\c:\dddvp.exec:\dddvp.exe75⤵PID:1444
-
\??\c:\vppjd.exec:\vppjd.exe76⤵PID:876
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe77⤵PID:964
-
\??\c:\tnhhbb.exec:\tnhhbb.exe78⤵PID:4420
-
\??\c:\3htnhh.exec:\3htnhh.exe79⤵PID:4628
-
\??\c:\jdpjd.exec:\jdpjd.exe80⤵PID:384
-
\??\c:\7vdvp.exec:\7vdvp.exe81⤵PID:3760
-
\??\c:\xrrlffx.exec:\xrrlffx.exe82⤵PID:652
-
\??\c:\rllxxxr.exec:\rllxxxr.exe83⤵PID:4360
-
\??\c:\bbnhbn.exec:\bbnhbn.exe84⤵PID:3088
-
\??\c:\1bnhtt.exec:\1bnhtt.exe85⤵PID:4512
-
\??\c:\pjjdd.exec:\pjjdd.exe86⤵PID:2172
-
\??\c:\rlfxfff.exec:\rlfxfff.exe87⤵PID:4816
-
\??\c:\rfflrfl.exec:\rfflrfl.exe88⤵PID:2884
-
\??\c:\tbbbtn.exec:\tbbbtn.exe89⤵PID:628
-
\??\c:\bhnhnn.exec:\bhnhnn.exe90⤵PID:2804
-
\??\c:\jpvvd.exec:\jpvvd.exe91⤵PID:216
-
\??\c:\flxrrrl.exec:\flxrrrl.exe92⤵PID:4476
-
\??\c:\nbttbb.exec:\nbttbb.exe93⤵PID:2672
-
\??\c:\hbbbtt.exec:\hbbbtt.exe94⤵PID:4664
-
\??\c:\jvjpp.exec:\jvjpp.exe95⤵PID:4196
-
\??\c:\ffffxxx.exec:\ffffxxx.exe96⤵PID:4556
-
\??\c:\htttnt.exec:\htttnt.exe97⤵PID:3484
-
\??\c:\pdddp.exec:\pdddp.exe98⤵PID:2572
-
\??\c:\frxxxxx.exec:\frxxxxx.exe99⤵PID:4124
-
\??\c:\tntnhb.exec:\tntnhb.exe100⤵PID:3800
-
\??\c:\vjppp.exec:\vjppp.exe101⤵PID:1896
-
\??\c:\frxrlrl.exec:\frxrlrl.exe102⤵PID:2052
-
\??\c:\thnbbh.exec:\thnbbh.exe103⤵PID:5004
-
\??\c:\pjvpp.exec:\pjvpp.exe104⤵PID:1924
-
\??\c:\lxxxxrr.exec:\lxxxxrr.exe105⤵PID:712
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe106⤵PID:988
-
\??\c:\9vjdv.exec:\9vjdv.exe107⤵PID:4160
-
\??\c:\1ffxrrr.exec:\1ffxrrr.exe108⤵PID:4888
-
\??\c:\9hhbtt.exec:\9hhbtt.exe109⤵PID:2940
-
\??\c:\dpddp.exec:\dpddp.exe110⤵PID:3356
-
\??\c:\rllfffx.exec:\rllfffx.exe111⤵PID:3272
-
\??\c:\fxxxlrr.exec:\fxxxlrr.exe112⤵PID:4064
-
\??\c:\nbbnhh.exec:\nbbnhh.exe113⤵PID:408
-
\??\c:\pvdjv.exec:\pvdjv.exe114⤵PID:1136
-
\??\c:\jdjvv.exec:\jdjvv.exe115⤵PID:1476
-
\??\c:\rlrlfrl.exec:\rlrlfrl.exe116⤵PID:1440
-
\??\c:\ntnnhh.exec:\ntnnhh.exe117⤵PID:2392
-
\??\c:\bttnnn.exec:\bttnnn.exe118⤵PID:4236
-
\??\c:\djjjd.exec:\djjjd.exe119⤵PID:2780
-
\??\c:\pvjdv.exec:\pvjdv.exe120⤵PID:4756
-
\??\c:\lfllxxx.exec:\lfllxxx.exe121⤵PID:1460
-
\??\c:\bhttnn.exec:\bhttnn.exe122⤵PID:3660