Analysis
-
max time kernel
120s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 15:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe
Resource
win7-20241010-en
6 signatures
120 seconds
General
-
Target
bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe
-
Size
70KB
-
MD5
55c088b8535eeac9767154da189a5340
-
SHA1
0f78de3e71fe34b48258d7a9c005b8bfa42ae744
-
SHA256
bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56
-
SHA512
f30def3da564fe4208b2d8c594d93d89ce97f898bb51a478972f8e3302507854067b339b267218610e3add13550d4e86f32a3e8f6d01c319032728103af431a5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUPqrDZ5Rxfu:ymb3NkkiQ3mdBjF0yUmrfu
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
resource yara_rule behavioral2/memory/2316-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/976-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4276-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1844-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2292-39-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1704-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4332-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3340-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2452-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3092-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3720-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3056-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/868-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4892-107-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3484-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3472-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2392-131-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3956-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4904-143-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1440-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4972-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3604-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3200-173-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/980-179-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2084-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3548-203-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 968 lrxfffl.exe 976 nnhhbt.exe 1844 7djdj.exe 4276 pjppv.exe 2292 jdjdv.exe 1704 hbhhtb.exe 4332 djjpj.exe 3340 lfxxrrr.exe 2452 nbbttb.exe 3092 pjpjp.exe 3720 jjpjd.exe 3056 fxxxlll.exe 868 hthnbh.exe 4892 jjvjj.exe 3484 xxfxxff.exe 2668 nntnnn.exe 3472 pvjdv.exe 2392 xrrxrrr.exe 3956 rxrrlll.exe 4904 nbbtbb.exe 1440 pdpvv.exe 4568 9ffrllf.exe 4972 rllfxxr.exe 3604 9bbhbb.exe 3200 bhnhbb.exe 980 flllflf.exe 3392 1llllll.exe 2084 nttttb.exe 780 tttnnt.exe 3548 9dpjd.exe 1512 jvddp.exe 2508 rrrlflf.exe 4556 9tbthb.exe 4352 pdvvv.exe 532 rllfrrl.exe 392 bbhntb.exe 1972 thbhth.exe 2204 pjjjj.exe 2188 pdvvd.exe 2940 lfllflf.exe 4276 tthnbh.exe 2900 tnnhtt.exe 4756 jdvpj.exe 524 dvpjj.exe 2248 jdpjj.exe 2268 frrrffx.exe 2452 tttttt.exe 4524 nhhbtt.exe 1428 7pvvv.exe 1708 xlrrlll.exe 3056 nhhtth.exe 4624 rfrrlrr.exe 3496 7fffxll.exe 3028 tthhtt.exe 2456 ppjdv.exe 3116 jjjjj.exe 4752 rllllrr.exe 4748 3rxxxxr.exe 2496 bnttbb.exe 468 pjdvp.exe 4344 dvddv.exe 4288 rrfxrrr.exe 400 xxlrrrx.exe 5100 dpddv.exe -
resource yara_rule behavioral2/memory/2316-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2316-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/968-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/976-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4276-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1844-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2292-39-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1704-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4332-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4332-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4332-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4332-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3340-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2452-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2452-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2452-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2452-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3092-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3720-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3056-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/868-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4892-107-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3484-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3472-126-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2392-131-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3956-137-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4904-143-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1440-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4972-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3604-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3200-173-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/980-179-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2084-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3548-203-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 968 2316 bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe 84 PID 2316 wrote to memory of 968 2316 bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe 84 PID 2316 wrote to memory of 968 2316 bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe 84 PID 968 wrote to memory of 976 968 lrxfffl.exe 85 PID 968 wrote to memory of 976 968 lrxfffl.exe 85 PID 968 wrote to memory of 976 968 lrxfffl.exe 85 PID 976 wrote to memory of 1844 976 nnhhbt.exe 86 PID 976 wrote to memory of 1844 976 nnhhbt.exe 86 PID 976 wrote to memory of 1844 976 nnhhbt.exe 86 PID 1844 wrote to memory of 4276 1844 7djdj.exe 87 PID 1844 wrote to memory of 4276 1844 7djdj.exe 87 PID 1844 wrote to memory of 4276 1844 7djdj.exe 87 PID 4276 wrote to memory of 2292 4276 pjppv.exe 88 PID 4276 wrote to memory of 2292 4276 pjppv.exe 88 PID 4276 wrote to memory of 2292 4276 pjppv.exe 88 PID 2292 wrote to memory of 1704 2292 jdjdv.exe 89 PID 2292 wrote to memory of 1704 2292 jdjdv.exe 89 PID 2292 wrote to memory of 1704 2292 jdjdv.exe 89 PID 1704 wrote to memory of 4332 1704 hbhhtb.exe 90 PID 1704 wrote to memory of 4332 1704 hbhhtb.exe 90 PID 1704 wrote to memory of 4332 1704 hbhhtb.exe 90 PID 4332 wrote to memory of 3340 4332 djjpj.exe 92 PID 4332 wrote to memory of 3340 4332 djjpj.exe 92 PID 4332 wrote to memory of 3340 4332 djjpj.exe 92 PID 3340 wrote to memory of 2452 3340 lfxxrrr.exe 93 PID 3340 wrote to memory of 2452 3340 lfxxrrr.exe 93 PID 3340 wrote to memory of 2452 3340 lfxxrrr.exe 93 PID 2452 wrote to memory of 3092 2452 nbbttb.exe 94 PID 2452 wrote to memory of 3092 2452 nbbttb.exe 94 PID 2452 wrote to memory of 3092 2452 nbbttb.exe 94 PID 3092 wrote to memory of 3720 3092 pjpjp.exe 95 PID 3092 wrote to memory of 3720 3092 pjpjp.exe 95 PID 3092 wrote to memory of 3720 3092 pjpjp.exe 95 PID 3720 wrote to memory of 3056 3720 jjpjd.exe 96 PID 3720 wrote to memory of 3056 3720 
jjpjd.exe 96 PID 3720 wrote to memory of 3056 3720 jjpjd.exe 96 PID 3056 wrote to memory of 868 3056 fxxxlll.exe 98 PID 3056 wrote to memory of 868 3056 fxxxlll.exe 98 PID 3056 wrote to memory of 868 3056 fxxxlll.exe 98 PID 868 wrote to memory of 4892 868 hthnbh.exe 99 PID 868 wrote to memory of 4892 868 hthnbh.exe 99 PID 868 wrote to memory of 4892 868 hthnbh.exe 99 PID 4892 wrote to memory of 3484 4892 jjvjj.exe 100 PID 4892 wrote to memory of 3484 4892 jjvjj.exe 100 PID 4892 wrote to memory of 3484 4892 jjvjj.exe 100 PID 3484 wrote to memory of 2668 3484 xxfxxff.exe 101 PID 3484 wrote to memory of 2668 3484 xxfxxff.exe 101 PID 3484 wrote to memory of 2668 3484 xxfxxff.exe 101 PID 2668 wrote to memory of 3472 2668 nntnnn.exe 102 PID 2668 wrote to memory of 3472 2668 nntnnn.exe 102 PID 2668 wrote to memory of 3472 2668 nntnnn.exe 102 PID 3472 wrote to memory of 2392 3472 pvjdv.exe 103 PID 3472 wrote to memory of 2392 3472 pvjdv.exe 103 PID 3472 wrote to memory of 2392 3472 pvjdv.exe 103 PID 2392 wrote to memory of 3956 2392 xrrxrrr.exe 104 PID 2392 wrote to memory of 3956 2392 xrrxrrr.exe 104 PID 2392 wrote to memory of 3956 2392 xrrxrrr.exe 104 PID 3956 wrote to memory of 4904 3956 rxrrlll.exe 106 PID 3956 wrote to memory of 4904 3956 rxrrlll.exe 106 PID 3956 wrote to memory of 4904 3956 rxrrlll.exe 106 PID 4904 wrote to memory of 1440 4904 nbbtbb.exe 107 PID 4904 wrote to memory of 1440 4904 nbbtbb.exe 107 PID 4904 wrote to memory of 1440 4904 nbbtbb.exe 107 PID 1440 wrote to memory of 4568 1440 pdpvv.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe"C:\Users\Admin\AppData\Local\Temp\bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\lrxfffl.exec:\lrxfffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\nnhhbt.exec:\nnhhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\7djdj.exec:\7djdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\pjppv.exec:\pjppv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\jdjdv.exec:\jdjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\hbhhtb.exec:\hbhhtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\djjpj.exec:\djjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\lfxxrrr.exec:\lfxxrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\nbbttb.exec:\nbbttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\pjpjp.exec:\pjpjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\jjpjd.exec:\jjpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\fxxxlll.exec:\fxxxlll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\hthnbh.exec:\hthnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\jjvjj.exec:\jjvjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\xxfxxff.exec:\xxfxxff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\nntnnn.exec:\nntnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\pvjdv.exec:\pvjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\xrrxrrr.exec:\xrrxrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\rxrrlll.exec:\rxrrlll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\nbbtbb.exec:\nbbtbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\pdpvv.exec:\pdpvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\9ffrllf.exec:\9ffrllf.exe23⤵
- Executes dropped EXE
PID:4568 -
\??\c:\rllfxxr.exec:\rllfxxr.exe24⤵
- Executes dropped EXE
PID:4972 -
\??\c:\9bbhbb.exec:\9bbhbb.exe25⤵
- Executes dropped EXE
PID:3604 -
\??\c:\bhnhbb.exec:\bhnhbb.exe26⤵
- Executes dropped EXE
PID:3200 -
\??\c:\flllflf.exec:\flllflf.exe27⤵
- Executes dropped EXE
PID:980 -
\??\c:\1llllll.exec:\1llllll.exe28⤵
- Executes dropped EXE
PID:3392 -
\??\c:\nttttb.exec:\nttttb.exe29⤵
- Executes dropped EXE
PID:2084 -
\??\c:\tttnnt.exec:\tttnnt.exe30⤵
- Executes dropped EXE
PID:780 -
\??\c:\9dpjd.exec:\9dpjd.exe31⤵
- Executes dropped EXE
PID:3548 -
\??\c:\jvddp.exec:\jvddp.exe32⤵
- Executes dropped EXE
PID:1512 -
\??\c:\rrrlflf.exec:\rrrlflf.exe33⤵
- Executes dropped EXE
PID:2508 -
\??\c:\9tbthb.exec:\9tbthb.exe34⤵
- Executes dropped EXE
PID:4556 -
\??\c:\pdvvv.exec:\pdvvv.exe35⤵
- Executes dropped EXE
PID:4352 -
\??\c:\rllfrrl.exec:\rllfrrl.exe36⤵
- Executes dropped EXE
PID:532 -
\??\c:\bbhntb.exec:\bbhntb.exe37⤵
- Executes dropped EXE
PID:392 -
\??\c:\thbhth.exec:\thbhth.exe38⤵
- Executes dropped EXE
PID:1972 -
\??\c:\pjjjj.exec:\pjjjj.exe39⤵
- Executes dropped EXE
PID:2204 -
\??\c:\pdvvd.exec:\pdvvd.exe40⤵
- Executes dropped EXE
PID:2188 -
\??\c:\lfllflf.exec:\lfllflf.exe41⤵
- Executes dropped EXE
PID:2940 -
\??\c:\tthnbh.exec:\tthnbh.exe42⤵
- Executes dropped EXE
PID:4276 -
\??\c:\tnnhtt.exec:\tnnhtt.exe43⤵
- Executes dropped EXE
PID:2900 -
\??\c:\jdvpj.exec:\jdvpj.exe44⤵
- Executes dropped EXE
PID:4756 -
\??\c:\dvpjj.exec:\dvpjj.exe45⤵
- Executes dropped EXE
PID:524 -
\??\c:\jdpjj.exec:\jdpjj.exe46⤵
- Executes dropped EXE
PID:2248 -
\??\c:\frrrffx.exec:\frrrffx.exe47⤵
- Executes dropped EXE
PID:2268 -
\??\c:\tttttt.exec:\tttttt.exe48⤵
- Executes dropped EXE
PID:2452 -
\??\c:\nhhbtt.exec:\nhhbtt.exe49⤵
- Executes dropped EXE
PID:4524 -
\??\c:\7pvvv.exec:\7pvvv.exe50⤵
- Executes dropped EXE
PID:1428 -
\??\c:\xlrrlll.exec:\xlrrlll.exe51⤵
- Executes dropped EXE
PID:1708 -
\??\c:\nhhtth.exec:\nhhtth.exe52⤵
- Executes dropped EXE
PID:3056 -
\??\c:\rfrrlrr.exec:\rfrrlrr.exe53⤵
- Executes dropped EXE
PID:4624 -
\??\c:\7fffxll.exec:\7fffxll.exe54⤵
- Executes dropped EXE
PID:3496 -
\??\c:\tthhtt.exec:\tthhtt.exe55⤵
- Executes dropped EXE
PID:3028 -
\??\c:\ppjdv.exec:\ppjdv.exe56⤵
- Executes dropped EXE
PID:2456 -
\??\c:\jjjjj.exec:\jjjjj.exe57⤵
- Executes dropped EXE
PID:3116 -
\??\c:\rllllrr.exec:\rllllrr.exe58⤵
- Executes dropped EXE
PID:4752 -
\??\c:\3rxxxxr.exec:\3rxxxxr.exe59⤵
- Executes dropped EXE
PID:4748 -
\??\c:\bnttbb.exec:\bnttbb.exe60⤵
- Executes dropped EXE
PID:2496 -
\??\c:\pjdvp.exec:\pjdvp.exe61⤵
- Executes dropped EXE
PID:468 -
\??\c:\dvddv.exec:\dvddv.exe62⤵
- Executes dropped EXE
PID:4344 -
\??\c:\rrfxrrr.exec:\rrfxrrr.exe63⤵
- Executes dropped EXE
PID:4288 -
\??\c:\xxlrrrx.exec:\xxlrrrx.exe64⤵
- Executes dropped EXE
PID:400 -
\??\c:\dpddv.exec:\dpddv.exe65⤵
- Executes dropped EXE
PID:5100 -
\??\c:\9llrllf.exec:\9llrllf.exe66⤵PID:1304
-
\??\c:\hhhbtt.exec:\hhhbtt.exe67⤵PID:3232
-
\??\c:\ppvvv.exec:\ppvvv.exe68⤵PID:4424
-
\??\c:\pjjdv.exec:\pjjdv.exe69⤵PID:5060
-
\??\c:\rxrrrrx.exec:\rxrrrrx.exe70⤵PID:1084
-
\??\c:\xffxxxr.exec:\xffxxxr.exe71⤵PID:4136
-
\??\c:\1nnhbh.exec:\1nnhbh.exe72⤵PID:1220
-
\??\c:\hbnthh.exec:\hbnthh.exe73⤵PID:4968
-
\??\c:\vdpjd.exec:\vdpjd.exe74⤵PID:4952
-
\??\c:\lffffrr.exec:\lffffrr.exe75⤵PID:2688
-
\??\c:\ntbthh.exec:\ntbthh.exe76⤵PID:3940
-
\??\c:\nnhtnt.exec:\nnhtnt.exe77⤵PID:4688
-
\??\c:\jdddv.exec:\jdddv.exe78⤵PID:952
-
\??\c:\3ddpj.exec:\3ddpj.exe79⤵PID:812
-
\??\c:\5vdvp.exec:\5vdvp.exe80⤵PID:2388
-
\??\c:\frxrrrr.exec:\frxrrrr.exe81⤵PID:4356
-
\??\c:\bbhbtb.exec:\bbhbtb.exe82⤵PID:4240
-
\??\c:\btnnbb.exec:\btnnbb.exe83⤵PID:2096
-
\??\c:\xrffrrr.exec:\xrffrrr.exe84⤵PID:808
-
\??\c:\frxxrrr.exec:\frxxrrr.exe85⤵PID:744
-
\??\c:\nhnhbt.exec:\nhnhbt.exe86⤵PID:968
-
\??\c:\tnhhbh.exec:\tnhhbh.exe87⤵PID:1324
-
\??\c:\jjppd.exec:\jjppd.exe88⤵PID:2376
-
\??\c:\vpjdv.exec:\vpjdv.exe89⤵PID:2620
-
\??\c:\jpjjp.exec:\jpjjp.exe90⤵PID:1844
-
\??\c:\lffxxxr.exec:\lffxxxr.exe91⤵PID:4724
-
\??\c:\hthhbb.exec:\hthhbb.exe92⤵PID:2292
-
\??\c:\vjjdd.exec:\vjjdd.exe93⤵PID:1472
-
\??\c:\jddpj.exec:\jddpj.exe94⤵PID:524
-
\??\c:\pdppp.exec:\pdppp.exe95⤵PID:964
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe96⤵PID:1636
-
\??\c:\tthhhh.exec:\tthhhh.exe97⤵PID:2120
-
\??\c:\pjpjp.exec:\pjpjp.exe98⤵PID:1652
-
\??\c:\7vvjv.exec:\7vvjv.exe99⤵PID:4316
-
\??\c:\7fxrfxl.exec:\7fxrfxl.exe100⤵PID:5020
-
\??\c:\7fllrff.exec:\7fllrff.exe101⤵PID:2588
-
\??\c:\hhhhbh.exec:\hhhhbh.exe102⤵PID:1528
-
\??\c:\3jddp.exec:\3jddp.exe103⤵PID:3496
-
\??\c:\dvjdp.exec:\dvjdp.exe104⤵
- System Location Discovery: System Language Discovery
PID:4984 -
\??\c:\flrlxxr.exec:\flrlxxr.exe105⤵PID:4916
-
\??\c:\fflxxxr.exec:\fflxxxr.exe106⤵PID:3116
-
\??\c:\httttt.exec:\httttt.exe107⤵PID:3964
-
\??\c:\jjvpv.exec:\jjvpv.exe108⤵
- System Location Discovery: System Language Discovery
PID:436 -
\??\c:\pjvpv.exec:\pjvpv.exe109⤵PID:2496
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe110⤵PID:468
-
\??\c:\tbhhhn.exec:\tbhhhn.exe111⤵PID:4344
-
\??\c:\ttnhnn.exec:\ttnhnn.exe112⤵PID:452
-
\??\c:\pjjdv.exec:\pjjdv.exe113⤵PID:3192
-
\??\c:\xrrlffx.exec:\xrrlffx.exe114⤵PID:3280
-
\??\c:\3xrlffx.exec:\3xrlffx.exe115⤵PID:4732
-
\??\c:\vpppp.exec:\vpppp.exe116⤵PID:5084
-
\??\c:\rlrrlxx.exec:\rlrrlxx.exe117⤵PID:4972
-
\??\c:\nhbtbb.exec:\nhbtbb.exe118⤵PID:2468
-
\??\c:\bhhnbn.exec:\bhhnbn.exe119⤵PID:3948
-
\??\c:\1vppj.exec:\1vppj.exe120⤵PID:544
-
\??\c:\hthbbn.exec:\hthbbn.exe121⤵PID:3620
-
\??\c:\pjpjp.exec:\pjpjp.exe122⤵PID:1288
-