Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 14:32
Static task
static1
Behavioral task
behavioral1
Sample
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
Resource
win7-20240729-en
General
-
Target
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
-
Size
72KB
-
MD5
48a14a56008816ab2cba9121afc68b50
-
SHA1
88f815e444766d3f93175995c86504fd05a67838
-
SHA256
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbd
-
SHA512
ffb91efd11ad5d472c2909b0b2e17bf5f8d584a31293e8c6aa81a9b91c34c578eac6f37a886ffa57d3f62d247fbc328608771d881da3cb557c7edf4e9908fcea
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65x:ymb3NkkiQ3mdBjFIFdJ8bViW67
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral2/memory/4464-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/320-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1688-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2696-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4540-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4976-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2196-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/864-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3536-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1348-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4240-96-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3608-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1572-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4108-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3340-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4740-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2316-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4340-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1612-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5116-173-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1584-179-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/652-185-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3872-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4540 vvpjp.exe 4464 5frlfff.exe 320 thtnnn.exe 1688 nhnbtb.exe 2696 jdjjj.exe 2196 rxllllr.exe 1604 ttbhhh.exe 3536 pvvvp.exe 2012 xrxrrxx.exe 864 ffrrflx.exe 1348 hhhbhb.exe 4240 jpjpp.exe 3708 1djjj.exe 3608 1nnttb.exe 1572 bthhhn.exe 4108 ddpvv.exe 3340 rrrrfrf.exe 4740 nntttt.exe 2316 hbnhhh.exe 4340 xfflllr.exe 2364 rfrxxff.exe 1612 ntbbbh.exe 3592 1pvvd.exe 2968 7flllrx.exe 5116 7nthbh.exe 1584 ntnnnb.exe 652 pdvdj.exe 64 flrrxff.exe 3872 7rrxxfl.exe 3172 tnnttt.exe 4628 jvddv.exe 1536 vvjdv.exe 4960 9ffxxxr.exe 1700 hhtnnt.exe 4948 pjjjd.exe 4044 jdddd.exe 4344 7lrrrxf.exe 3528 xrxrlrl.exe 4976 nhtnhh.exe 4848 dvppv.exe 4380 pvvdj.exe 3360 lxxflll.exe 4060 rllfffx.exe 1708 bhthbb.exe 2812 3bbttt.exe 5072 vpjjv.exe 464 jdjdv.exe 1604 fffrrlx.exe 4372 tthhnn.exe 3564 tttttt.exe 4052 1jjjd.exe 4116 pjjdv.exe 4460 lxxxrrr.exe 1016 bhnbbh.exe 216 httnbn.exe 2372 5dvpj.exe 4496 pjjdv.exe 1972 rrxflrx.exe 4224 lfxxrlf.exe 4756 ttbnbb.exe 1496 hbbbtt.exe 5064 pjpjj.exe 5096 1lfxrrl.exe 2568 1lfxrrl.exe -
resource yara_rule behavioral2/memory/4976-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4464-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/320-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1688-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1688-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2696-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4464-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4540-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4976-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2196-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1604-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1604-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1604-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/864-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3536-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3536-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3536-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3536-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1348-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4240-96-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3608-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1572-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4108-120-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3340-126-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4740-133-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2316-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4340-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1612-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5116-173-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1584-179-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/652-185-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3872-198-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4976 wrote to memory of 4540 4976 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 84 PID 4976 wrote to memory of 4540 4976 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 84 PID 4976 wrote to memory of 4540 4976 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 84 PID 4540 wrote to memory of 4464 4540 vvpjp.exe 85 PID 4540 wrote to memory of 4464 4540 vvpjp.exe 85 PID 4540 wrote to memory of 4464 4540 vvpjp.exe 85 PID 4464 wrote to memory of 320 4464 5frlfff.exe 86 PID 4464 wrote to memory of 320 4464 5frlfff.exe 86 PID 4464 wrote to memory of 320 4464 5frlfff.exe 86 PID 320 wrote to memory of 1688 320 thtnnn.exe 87 PID 320 wrote to memory of 1688 320 thtnnn.exe 87 PID 320 wrote to memory of 1688 320 thtnnn.exe 87 PID 1688 wrote to memory of 2696 1688 nhnbtb.exe 88 PID 1688 wrote to memory of 2696 1688 nhnbtb.exe 88 PID 1688 wrote to memory of 2696 1688 nhnbtb.exe 88 PID 2696 wrote to memory of 2196 2696 jdjjj.exe 89 PID 2696 wrote to memory of 2196 2696 jdjjj.exe 89 PID 2696 wrote to memory of 2196 2696 jdjjj.exe 89 PID 2196 wrote to memory of 1604 2196 rxllllr.exe 90 PID 2196 wrote to memory of 1604 2196 rxllllr.exe 90 PID 2196 wrote to memory of 1604 2196 rxllllr.exe 90 PID 1604 wrote to memory of 3536 1604 ttbhhh.exe 91 PID 1604 wrote to memory of 3536 1604 ttbhhh.exe 91 PID 1604 wrote to memory of 3536 1604 ttbhhh.exe 91 PID 3536 wrote to memory of 2012 3536 pvvvp.exe 92 PID 3536 wrote to memory of 2012 3536 pvvvp.exe 92 PID 3536 wrote to memory of 2012 3536 pvvvp.exe 92 PID 2012 wrote to memory of 864 2012 xrxrrxx.exe 93 PID 2012 wrote to memory of 864 2012 xrxrrxx.exe 93 PID 2012 wrote to memory of 864 2012 xrxrrxx.exe 93 PID 864 wrote to memory of 1348 864 ffrrflx.exe 95 PID 864 wrote to memory of 1348 864 ffrrflx.exe 95 PID 864 wrote to memory of 1348 864 ffrrflx.exe 95 PID 1348 wrote to memory of 4240 1348 hhhbhb.exe 96 PID 1348 wrote to memory of 
4240 1348 hhhbhb.exe 96 PID 1348 wrote to memory of 4240 1348 hhhbhb.exe 96 PID 4240 wrote to memory of 3708 4240 jpjpp.exe 97 PID 4240 wrote to memory of 3708 4240 jpjpp.exe 97 PID 4240 wrote to memory of 3708 4240 jpjpp.exe 97 PID 3708 wrote to memory of 3608 3708 1djjj.exe 98 PID 3708 wrote to memory of 3608 3708 1djjj.exe 98 PID 3708 wrote to memory of 3608 3708 1djjj.exe 98 PID 3608 wrote to memory of 1572 3608 1nnttb.exe 99 PID 3608 wrote to memory of 1572 3608 1nnttb.exe 99 PID 3608 wrote to memory of 1572 3608 1nnttb.exe 99 PID 1572 wrote to memory of 4108 1572 bthhhn.exe 100 PID 1572 wrote to memory of 4108 1572 bthhhn.exe 100 PID 1572 wrote to memory of 4108 1572 bthhhn.exe 100 PID 4108 wrote to memory of 3340 4108 ddpvv.exe 102 PID 4108 wrote to memory of 3340 4108 ddpvv.exe 102 PID 4108 wrote to memory of 3340 4108 ddpvv.exe 102 PID 3340 wrote to memory of 4740 3340 rrrrfrf.exe 103 PID 3340 wrote to memory of 4740 3340 rrrrfrf.exe 103 PID 3340 wrote to memory of 4740 3340 rrrrfrf.exe 103 PID 4740 wrote to memory of 2316 4740 nntttt.exe 104 PID 4740 wrote to memory of 2316 4740 nntttt.exe 104 PID 4740 wrote to memory of 2316 4740 nntttt.exe 104 PID 2316 wrote to memory of 4340 2316 hbnhhh.exe 105 PID 2316 wrote to memory of 4340 2316 hbnhhh.exe 105 PID 2316 wrote to memory of 4340 2316 hbnhhh.exe 105 PID 4340 wrote to memory of 2364 4340 xfflllr.exe 106 PID 4340 wrote to memory of 2364 4340 xfflllr.exe 106 PID 4340 wrote to memory of 2364 4340 xfflllr.exe 106 PID 2364 wrote to memory of 1612 2364 rfrxxff.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\vvpjp.exec:\vvpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\5frlfff.exec:\5frlfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\thtnnn.exec:\thtnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\nhnbtb.exec:\nhnbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\jdjjj.exec:\jdjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\rxllllr.exec:\rxllllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\ttbhhh.exec:\ttbhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\pvvvp.exec:\pvvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\xrxrrxx.exec:\xrxrrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\ffrrflx.exec:\ffrrflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\hhhbhb.exec:\hhhbhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\jpjpp.exec:\jpjpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\1djjj.exec:\1djjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\1nnttb.exec:\1nnttb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\bthhhn.exec:\bthhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\ddpvv.exec:\ddpvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\rrrrfrf.exec:\rrrrfrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\nntttt.exec:\nntttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\hbnhhh.exec:\hbnhhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\xfflllr.exec:\xfflllr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\rfrxxff.exec:\rfrxxff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\ntbbbh.exec:\ntbbbh.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\1pvvd.exec:\1pvvd.exe24⤵
- Executes dropped EXE
PID:3592 -
\??\c:\7flllrx.exec:\7flllrx.exe25⤵
- Executes dropped EXE
PID:2968 -
\??\c:\7nthbh.exec:\7nthbh.exe26⤵
- Executes dropped EXE
PID:5116 -
\??\c:\ntnnnb.exec:\ntnnnb.exe27⤵
- Executes dropped EXE
PID:1584 -
\??\c:\pdvdj.exec:\pdvdj.exe28⤵
- Executes dropped EXE
PID:652 -
\??\c:\flrrxff.exec:\flrrxff.exe29⤵
- Executes dropped EXE
PID:64 -
\??\c:\7rrxxfl.exec:\7rrxxfl.exe30⤵
- Executes dropped EXE
PID:3872 -
\??\c:\tnnttt.exec:\tnnttt.exe31⤵
- Executes dropped EXE
PID:3172 -
\??\c:\jvddv.exec:\jvddv.exe32⤵
- Executes dropped EXE
PID:4628 -
\??\c:\vvjdv.exec:\vvjdv.exe33⤵
- Executes dropped EXE
PID:1536 -
\??\c:\9ffxxxr.exec:\9ffxxxr.exe34⤵
- Executes dropped EXE
PID:4960 -
\??\c:\hhtnnt.exec:\hhtnnt.exe35⤵
- Executes dropped EXE
PID:1700 -
\??\c:\pjjjd.exec:\pjjjd.exe36⤵
- Executes dropped EXE
PID:4948 -
\??\c:\jdddd.exec:\jdddd.exe37⤵
- Executes dropped EXE
PID:4044 -
\??\c:\7lrrrxf.exec:\7lrrrxf.exe38⤵
- Executes dropped EXE
PID:4344 -
\??\c:\xrxrlrl.exec:\xrxrlrl.exe39⤵
- Executes dropped EXE
PID:3528 -
\??\c:\nhtnhh.exec:\nhtnhh.exe40⤵
- Executes dropped EXE
PID:4976 -
\??\c:\dvppv.exec:\dvppv.exe41⤵
- Executes dropped EXE
PID:4848 -
\??\c:\pvvdj.exec:\pvvdj.exe42⤵
- Executes dropped EXE
PID:4380 -
\??\c:\lxxflll.exec:\lxxflll.exe43⤵
- Executes dropped EXE
PID:3360 -
\??\c:\rllfffx.exec:\rllfffx.exe44⤵
- Executes dropped EXE
PID:4060 -
\??\c:\bhthbb.exec:\bhthbb.exe45⤵
- Executes dropped EXE
PID:1708 -
\??\c:\3bbttt.exec:\3bbttt.exe46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vpjjv.exec:\vpjjv.exe47⤵
- Executes dropped EXE
PID:5072 -
\??\c:\jdjdv.exec:\jdjdv.exe48⤵
- Executes dropped EXE
PID:464 -
\??\c:\fffrrlx.exec:\fffrrlx.exe49⤵
- Executes dropped EXE
PID:1604 -
\??\c:\tthhnn.exec:\tthhnn.exe50⤵
- Executes dropped EXE
PID:4372 -
\??\c:\tttttt.exec:\tttttt.exe51⤵
- Executes dropped EXE
PID:3564 -
\??\c:\1jjjd.exec:\1jjjd.exe52⤵
- Executes dropped EXE
PID:4052 -
\??\c:\pjjdv.exec:\pjjdv.exe53⤵
- Executes dropped EXE
PID:4116 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe54⤵
- Executes dropped EXE
PID:4460 -
\??\c:\bhnbbh.exec:\bhnbbh.exe55⤵
- Executes dropped EXE
PID:1016 -
\??\c:\httnbn.exec:\httnbn.exe56⤵
- Executes dropped EXE
PID:216 -
\??\c:\5dvpj.exec:\5dvpj.exe57⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pjjdv.exec:\pjjdv.exe58⤵
- Executes dropped EXE
PID:4496 -
\??\c:\rrxflrx.exec:\rrxflrx.exe59⤵
- Executes dropped EXE
PID:1972 -
\??\c:\lfxxrlf.exec:\lfxxrlf.exe60⤵
- Executes dropped EXE
PID:4224 -
\??\c:\ttbnbb.exec:\ttbnbb.exe61⤵
- Executes dropped EXE
PID:4756 -
\??\c:\hbbbtt.exec:\hbbbtt.exe62⤵
- Executes dropped EXE
PID:1496 -
\??\c:\pjpjj.exec:\pjpjj.exe63⤵
- Executes dropped EXE
PID:5064 -
\??\c:\1lfxrrl.exec:\1lfxrrl.exe64⤵
- Executes dropped EXE
PID:5096 -
\??\c:\1lfxrrl.exec:\1lfxrrl.exe65⤵
- Executes dropped EXE
PID:2568 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe66⤵PID:3192
-
\??\c:\bbbbtn.exec:\bbbbtn.exe67⤵PID:1148
-
\??\c:\5nnttn.exec:\5nnttn.exe68⤵PID:3324
-
\??\c:\jdddd.exec:\jdddd.exe69⤵PID:3548
-
\??\c:\jdppd.exec:\jdppd.exe70⤵PID:2208
-
\??\c:\lfrxfrl.exec:\lfrxfrl.exe71⤵PID:1612
-
\??\c:\bbbbbb.exec:\bbbbbb.exe72⤵PID:2544
-
\??\c:\hbbbbt.exec:\hbbbbt.exe73⤵PID:3272
-
\??\c:\1vvvp.exec:\1vvvp.exe74⤵PID:1584
-
\??\c:\9dppd.exec:\9dppd.exe75⤵PID:4532
-
\??\c:\pppjp.exec:\pppjp.exe76⤵PID:3576
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe77⤵PID:2884
-
\??\c:\bnnhbb.exec:\bnnhbb.exe78⤵PID:3704
-
\??\c:\ttnbth.exec:\ttnbth.exe79⤵PID:908
-
\??\c:\vvppp.exec:\vvppp.exe80⤵PID:5084
-
\??\c:\lxxrrff.exec:\lxxrrff.exe81⤵PID:1512
-
\??\c:\flxrlff.exec:\flxrlff.exe82⤵PID:2708
-
\??\c:\httttt.exec:\httttt.exe83⤵PID:1436
-
\??\c:\thtttb.exec:\thtttb.exe84⤵PID:904
-
\??\c:\jjjdv.exec:\jjjdv.exe85⤵PID:4324
-
\??\c:\7rfffff.exec:\7rfffff.exe86⤵PID:2292
-
\??\c:\nnnnnn.exec:\nnnnnn.exe87⤵PID:900
-
\??\c:\bttnhh.exec:\bttnhh.exe88⤵PID:3528
-
\??\c:\pvddj.exec:\pvddj.exe89⤵PID:3836
-
\??\c:\jdjjd.exec:\jdjjd.exe90⤵PID:1952
-
\??\c:\frxlfrl.exec:\frxlfrl.exe91⤵PID:3480
-
\??\c:\7bhhnn.exec:\7bhhnn.exe92⤵PID:2176
-
\??\c:\htttnn.exec:\htttnn.exe93⤵PID:4220
-
\??\c:\pjjvj.exec:\pjjvj.exe94⤵PID:2784
-
\??\c:\xxflrxf.exec:\xxflrxf.exe95⤵PID:2056
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe96⤵PID:464
-
\??\c:\nthhht.exec:\nthhht.exe97⤵PID:876
-
\??\c:\ntttth.exec:\ntttth.exe98⤵PID:1804
-
\??\c:\jdjdd.exec:\jdjdd.exe99⤵PID:1364
-
\??\c:\dvddv.exec:\dvddv.exe100⤵PID:4384
-
\??\c:\xlxxxxx.exec:\xlxxxxx.exe101⤵PID:2220
-
\??\c:\5thbhh.exec:\5thbhh.exe102⤵PID:4232
-
\??\c:\jjjpj.exec:\jjjpj.exe103⤵PID:2692
-
\??\c:\9lllxxr.exec:\9lllxxr.exe104⤵PID:3196
-
\??\c:\5lxrrrl.exec:\5lxrrrl.exe105⤵PID:3936
-
\??\c:\tbnbnh.exec:\tbnbnh.exe106⤵PID:3288
-
\??\c:\dpvpp.exec:\dpvpp.exe107⤵PID:3852
-
\??\c:\vpvpp.exec:\vpvpp.exe108⤵PID:3748
-
\??\c:\lrffrxr.exec:\lrffrxr.exe109⤵PID:4544
-
\??\c:\bnbthh.exec:\bnbthh.exe110⤵PID:1020
-
\??\c:\ppdjp.exec:\ppdjp.exe111⤵PID:2036
-
\??\c:\lxrllfx.exec:\lxrllfx.exe112⤵PID:3856
-
\??\c:\htbthb.exec:\htbthb.exe113⤵PID:4660
-
\??\c:\hthhbb.exec:\hthhbb.exe114⤵PID:1152
-
\??\c:\xxlfllx.exec:\xxlfllx.exe115⤵PID:3400
-
\??\c:\lxxffff.exec:\lxxffff.exe116⤵PID:756
-
\??\c:\3hnntb.exec:\3hnntb.exe117⤵PID:4552
-
\??\c:\nnttnn.exec:\nnttnn.exe118⤵PID:4648
-
\??\c:\7pvvd.exec:\7pvvd.exe119⤵PID:5032
-
\??\c:\dvvvv.exec:\dvvvv.exe120⤵PID:1824
-
\??\c:\flrfrrx.exec:\flrfrrx.exe121⤵PID:1800
-
\??\c:\rflllrr.exec:\rflllrr.exe122⤵PID:2388