Analysis
-
max time kernel
119s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 17:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe
Resource
win7-20240729-en
6 signatures
120 seconds
General
-
Target
ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe
-
Size
64KB
-
MD5
4ac73c8d389f30c9b1792afe3a6819d0
-
SHA1
72358171ca7bbd162b65cec2ed83426bc81c853f
-
SHA256
ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bd
-
SHA512
59b4410d4defed00985baeb788f223583768928d888ee39d58975235e3114e2e738bf2cd5ffde48a52364afc694c83ae389d3880cda1d94d788dc9f08a754370
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxi5Cx:ymb3NkkiQ3mdBjF0y7kbqCx
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
resource yara_rule behavioral2/memory/1200-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3936-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2360-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2360-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4644-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2972-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2820-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1296-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1296-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4840-58-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3324-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3180-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2436-82-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2160-91-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3320-96-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1536-116-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/452-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2236-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5060-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3040-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1060-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2496-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2740-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5000-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3172-175-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4036-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4828-193-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1200 nnbtnn.exe 2360 ppddj.exe 4644 xxxlfxf.exe 2972 hnhtbt.exe 2820 vjvvd.exe 1296 vpjpd.exe 4840 lxlrrlf.exe 3324 htbttb.exe 3180 dpvjd.exe 2436 ffxflxr.exe 2160 9ntttt.exe 3320 thtthb.exe 776 vjdjp.exe 5088 xxlxrrl.exe 1536 hbtnhn.exe 3120 djvjv.exe 452 jpjjv.exe 2236 rrrrrxl.exe 5060 bntnnn.exe 3040 tnbbbh.exe 1060 xxlrrfl.exe 2496 5rlrrff.exe 2740 hhbnht.exe 5000 1vppv.exe 3172 ntbhbn.exe 4848 vpjjj.exe 4036 rrrfflr.exe 4828 xxfxrff.exe 2104 hbttbt.exe 4404 5ppjd.exe 112 jvvjd.exe 1212 9fxrlll.exe 2868 tbntbh.exe 4168 1hnnhh.exe 4916 pjdvd.exe 5116 tbbthb.exe 2448 pjpjp.exe 3496 jvpvd.exe 1444 rflfxxx.exe 2820 fxfrflf.exe 3228 ttnnnn.exe 3192 hhtnnt.exe 1472 vjppj.exe 1940 7xllllr.exe 3760 rflrllf.exe 3180 7nnhhh.exe 2436 hnnnnb.exe 3216 vpppv.exe 2908 1jjjj.exe 4056 llxxffl.exe 748 rllllrr.exe 5088 bhtntb.exe 1948 tbbtnn.exe 1876 jdjdv.exe 3120 jddvp.exe 4936 ffxrlll.exe 4628 dpvpp.exe 4972 lxfxrrr.exe 3188 bntnhh.exe 4700 nhhhbb.exe 1856 nbttnt.exe 1248 vjdvd.exe 4996 xrxffxx.exe 2728 rrxxfff.exe -
resource yara_rule behavioral2/memory/3936-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1200-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3936-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2360-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2360-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2360-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4644-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2972-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2820-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1296-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1296-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1296-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4840-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3324-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3324-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3324-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3324-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3180-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2436-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2160-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3320-96-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1536-116-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/452-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2236-133-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/5060-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3040-145-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1060-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2496-157-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2740-163-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5000-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3172-175-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4036-186-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4828-193-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3936 wrote to memory of 1200 3936 ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe 86 PID 3936 wrote to memory of 1200 3936 ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe 86 PID 3936 wrote to memory of 1200 3936 ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe 86 PID 1200 wrote to memory of 2360 1200 nnbtnn.exe 87 PID 1200 wrote to memory of 2360 1200 nnbtnn.exe 87 PID 1200 wrote to memory of 2360 1200 nnbtnn.exe 87 PID 2360 wrote to memory of 4644 2360 ppddj.exe 88 PID 2360 wrote to memory of 4644 2360 ppddj.exe 88 PID 2360 wrote to memory of 4644 2360 ppddj.exe 88 PID 4644 wrote to memory of 2972 4644 xxxlfxf.exe 89 PID 4644 wrote to memory of 2972 4644 xxxlfxf.exe 89 PID 4644 wrote to memory of 2972 4644 xxxlfxf.exe 89 PID 2972 wrote to memory of 2820 2972 hnhtbt.exe 90 PID 2972 wrote to memory of 2820 2972 hnhtbt.exe 90 PID 2972 wrote to memory of 2820 2972 hnhtbt.exe 90 PID 2820 wrote to memory of 1296 2820 vjvvd.exe 91 PID 2820 wrote to memory of 1296 2820 vjvvd.exe 91 PID 2820 wrote to memory of 1296 2820 vjvvd.exe 91 PID 1296 wrote to memory of 4840 1296 vpjpd.exe 92 PID 1296 wrote to memory of 4840 1296 vpjpd.exe 92 PID 1296 wrote to memory of 4840 1296 vpjpd.exe 92 PID 4840 wrote to memory of 3324 4840 lxlrrlf.exe 93 PID 4840 wrote to memory of 3324 4840 lxlrrlf.exe 93 PID 4840 wrote to memory of 3324 4840 lxlrrlf.exe 93 PID 3324 wrote to memory of 3180 3324 htbttb.exe 94 PID 3324 wrote to memory of 3180 3324 htbttb.exe 94 PID 3324 wrote to memory of 3180 3324 htbttb.exe 94 PID 3180 wrote to memory of 2436 3180 dpvjd.exe 95 PID 3180 wrote to memory of 2436 3180 dpvjd.exe 95 PID 3180 wrote to memory of 2436 3180 dpvjd.exe 95 PID 2436 wrote to memory of 2160 2436 ffxflxr.exe 96 PID 2436 wrote to memory of 2160 2436 ffxflxr.exe 96 PID 2436 wrote to memory of 2160 2436 ffxflxr.exe 96 PID 2160 wrote to memory of 3320 2160 9ntttt.exe 97 PID 2160 wrote to 
memory of 3320 2160 9ntttt.exe 97 PID 2160 wrote to memory of 3320 2160 9ntttt.exe 97 PID 3320 wrote to memory of 776 3320 thtthb.exe 98 PID 3320 wrote to memory of 776 3320 thtthb.exe 98 PID 3320 wrote to memory of 776 3320 thtthb.exe 98 PID 776 wrote to memory of 5088 776 vjdjp.exe 99 PID 776 wrote to memory of 5088 776 vjdjp.exe 99 PID 776 wrote to memory of 5088 776 vjdjp.exe 99 PID 5088 wrote to memory of 1536 5088 xxlxrrl.exe 100 PID 5088 wrote to memory of 1536 5088 xxlxrrl.exe 100 PID 5088 wrote to memory of 1536 5088 xxlxrrl.exe 100 PID 1536 wrote to memory of 3120 1536 hbtnhn.exe 101 PID 1536 wrote to memory of 3120 1536 hbtnhn.exe 101 PID 1536 wrote to memory of 3120 1536 hbtnhn.exe 101 PID 3120 wrote to memory of 452 3120 djvjv.exe 102 PID 3120 wrote to memory of 452 3120 djvjv.exe 102 PID 3120 wrote to memory of 452 3120 djvjv.exe 102 PID 452 wrote to memory of 2236 452 jpjjv.exe 103 PID 452 wrote to memory of 2236 452 jpjjv.exe 103 PID 452 wrote to memory of 2236 452 jpjjv.exe 103 PID 2236 wrote to memory of 5060 2236 rrrrrxl.exe 104 PID 2236 wrote to memory of 5060 2236 rrrrrxl.exe 104 PID 2236 wrote to memory of 5060 2236 rrrrrxl.exe 104 PID 5060 wrote to memory of 3040 5060 bntnnn.exe 105 PID 5060 wrote to memory of 3040 5060 bntnnn.exe 105 PID 5060 wrote to memory of 3040 5060 bntnnn.exe 105 PID 3040 wrote to memory of 1060 3040 tnbbbh.exe 106 PID 3040 wrote to memory of 1060 3040 tnbbbh.exe 106 PID 3040 wrote to memory of 1060 3040 tnbbbh.exe 106 PID 1060 wrote to memory of 2496 1060 xxlrrfl.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe"C:\Users\Admin\AppData\Local\Temp\ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\nnbtnn.exec:\nnbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\ppddj.exec:\ppddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\xxxlfxf.exec:\xxxlfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\hnhtbt.exec:\hnhtbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\vjvvd.exec:\vjvvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\vpjpd.exec:\vpjpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\lxlrrlf.exec:\lxlrrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\htbttb.exec:\htbttb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\dpvjd.exec:\dpvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\ffxflxr.exec:\ffxflxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\9ntttt.exec:\9ntttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\thtthb.exec:\thtthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\vjdjp.exec:\vjdjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\xxlxrrl.exec:\xxlxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\hbtnhn.exec:\hbtnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\djvjv.exec:\djvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\jpjjv.exec:\jpjjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\rrrrrxl.exec:\rrrrrxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\bntnnn.exec:\bntnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\tnbbbh.exec:\tnbbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\xxlrrfl.exec:\xxlrrfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\5rlrrff.exec:\5rlrrff.exe23⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hhbnht.exec:\hhbnht.exe24⤵
- Executes dropped EXE
PID:2740 -
\??\c:\1vppv.exec:\1vppv.exe25⤵
- Executes dropped EXE
PID:5000 -
\??\c:\ntbhbn.exec:\ntbhbn.exe26⤵
- Executes dropped EXE
PID:3172 -
\??\c:\vpjjj.exec:\vpjjj.exe27⤵
- Executes dropped EXE
PID:4848 -
\??\c:\rrrfflr.exec:\rrrfflr.exe28⤵
- Executes dropped EXE
PID:4036 -
\??\c:\xxfxrff.exec:\xxfxrff.exe29⤵
- Executes dropped EXE
PID:4828 -
\??\c:\hbttbt.exec:\hbttbt.exe30⤵
- Executes dropped EXE
PID:2104 -
\??\c:\5ppjd.exec:\5ppjd.exe31⤵
- Executes dropped EXE
PID:4404 -
\??\c:\jvvjd.exec:\jvvjd.exe32⤵
- Executes dropped EXE
PID:112 -
\??\c:\9fxrlll.exec:\9fxrlll.exe33⤵
- Executes dropped EXE
PID:1212 -
\??\c:\tbntbh.exec:\tbntbh.exe34⤵
- Executes dropped EXE
PID:2868 -
\??\c:\1hnnhh.exec:\1hnnhh.exe35⤵
- Executes dropped EXE
PID:4168 -
\??\c:\pjdvd.exec:\pjdvd.exe36⤵
- Executes dropped EXE
PID:4916 -
\??\c:\tbbthb.exec:\tbbthb.exe37⤵
- Executes dropped EXE
PID:5116 -
\??\c:\pjpjp.exec:\pjpjp.exe38⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jvpvd.exec:\jvpvd.exe39⤵
- Executes dropped EXE
PID:3496 -
\??\c:\rflfxxx.exec:\rflfxxx.exe40⤵
- Executes dropped EXE
PID:1444 -
\??\c:\fxfrflf.exec:\fxfrflf.exe41⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ttnnnn.exec:\ttnnnn.exe42⤵
- Executes dropped EXE
PID:3228 -
\??\c:\hhtnnt.exec:\hhtnnt.exe43⤵
- Executes dropped EXE
PID:3192 -
\??\c:\vjppj.exec:\vjppj.exe44⤵
- Executes dropped EXE
PID:1472 -
\??\c:\7xllllr.exec:\7xllllr.exe45⤵
- Executes dropped EXE
PID:1940 -
\??\c:\rflrllf.exec:\rflrllf.exe46⤵
- Executes dropped EXE
PID:3760 -
\??\c:\7nnhhh.exec:\7nnhhh.exe47⤵
- Executes dropped EXE
PID:3180 -
\??\c:\hnnnnb.exec:\hnnnnb.exe48⤵
- Executes dropped EXE
PID:2436 -
\??\c:\vpppv.exec:\vpppv.exe49⤵
- Executes dropped EXE
PID:3216 -
\??\c:\1jjjj.exec:\1jjjj.exe50⤵
- Executes dropped EXE
PID:2908 -
\??\c:\llxxffl.exec:\llxxffl.exe51⤵
- Executes dropped EXE
PID:4056 -
\??\c:\rllllrr.exec:\rllllrr.exe52⤵
- Executes dropped EXE
PID:748 -
\??\c:\bhtntb.exec:\bhtntb.exe53⤵
- Executes dropped EXE
PID:5088 -
\??\c:\tbbtnn.exec:\tbbtnn.exe54⤵
- Executes dropped EXE
PID:1948 -
\??\c:\jdjdv.exec:\jdjdv.exe55⤵
- Executes dropped EXE
PID:1876 -
\??\c:\jddvp.exec:\jddvp.exe56⤵
- Executes dropped EXE
PID:3120 -
\??\c:\ffxrlll.exec:\ffxrlll.exe57⤵
- Executes dropped EXE
PID:4936 -
\??\c:\dpvpp.exec:\dpvpp.exe58⤵
- Executes dropped EXE
PID:4628 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe59⤵
- Executes dropped EXE
PID:4972 -
\??\c:\bntnhh.exec:\bntnhh.exe60⤵
- Executes dropped EXE
PID:3188 -
\??\c:\nhhhbb.exec:\nhhhbb.exe61⤵
- Executes dropped EXE
PID:4700 -
\??\c:\nbttnt.exec:\nbttnt.exe62⤵
- Executes dropped EXE
PID:1856 -
\??\c:\vjdvd.exec:\vjdvd.exe63⤵
- Executes dropped EXE
PID:1248 -
\??\c:\xrxffxx.exec:\xrxffxx.exe64⤵
- Executes dropped EXE
PID:4996 -
\??\c:\rrxxfff.exec:\rrxxfff.exe65⤵
- Executes dropped EXE
PID:2728 -
\??\c:\nntbhn.exec:\nntbhn.exe66⤵PID:3644
-
\??\c:\nbhhhh.exec:\nbhhhh.exe67⤵PID:1052
-
\??\c:\jvvvv.exec:\jvvvv.exe68⤵PID:2888
-
\??\c:\pjpjd.exec:\pjpjd.exe69⤵PID:4076
-
\??\c:\lxffxxx.exec:\lxffxxx.exe70⤵PID:4508
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe71⤵PID:384
-
\??\c:\ntnbbh.exec:\ntnbbh.exe72⤵PID:1476
-
\??\c:\tnnhbt.exec:\tnnhbt.exe73⤵PID:1704
-
\??\c:\jppjd.exec:\jppjd.exe74⤵PID:1976
-
\??\c:\nbbhnb.exec:\nbbhnb.exe75⤵PID:1700
-
\??\c:\ppdvd.exec:\ppdvd.exe76⤵PID:408
-
\??\c:\nnbhtn.exec:\nnbhtn.exe77⤵PID:4168
-
\??\c:\btnntn.exec:\btnntn.exe78⤵PID:4788
-
\??\c:\vdvvv.exec:\vdvvv.exe79⤵PID:3196
-
\??\c:\lllrlrr.exec:\lllrlrr.exe80⤵PID:1820
-
\??\c:\xrfrrxf.exec:\xrfrrxf.exe81⤵PID:3984
-
\??\c:\hnhhbt.exec:\hnhhbt.exe82⤵PID:3564
-
\??\c:\dvpjv.exec:\dvpjv.exe83⤵PID:1276
-
\??\c:\3xrlrrr.exec:\3xrlrrr.exe84⤵PID:2708
-
\??\c:\nhbbtn.exec:\nhbbtn.exe85⤵PID:3000
-
\??\c:\nbnhbb.exec:\nbnhbb.exe86⤵PID:5084
-
\??\c:\dpppj.exec:\dpppj.exe87⤵PID:1896
-
\??\c:\ppddj.exec:\ppddj.exe88⤵PID:264
-
\??\c:\xlfrflx.exec:\xlfrflx.exe89⤵PID:2552
-
\??\c:\hhbbtt.exec:\hhbbtt.exe90⤵PID:2224
-
\??\c:\ppppp.exec:\ppppp.exe91⤵PID:2604
-
\??\c:\5dddv.exec:\5dddv.exe92⤵PID:2988
-
\??\c:\9fffxff.exec:\9fffxff.exe93⤵PID:2592
-
\??\c:\7nhbbh.exec:\7nhbbh.exe94⤵PID:3972
-
\??\c:\bnnhth.exec:\bnnhth.exe95⤵PID:4688
-
\??\c:\jjvvv.exec:\jjvvv.exe96⤵PID:1388
-
\??\c:\jdddv.exec:\jdddv.exe97⤵PID:4160
-
\??\c:\rlrlrxf.exec:\rlrlrxf.exe98⤵PID:5036
-
\??\c:\7btnhn.exec:\7btnhn.exe99⤵PID:2204
-
\??\c:\bnnhbt.exec:\bnnhbt.exe100⤵PID:972
-
\??\c:\vppvp.exec:\vppvp.exe101⤵PID:392
-
\??\c:\xxrfxll.exec:\xxrfxll.exe102⤵PID:3544
-
\??\c:\xrxxfll.exec:\xrxxfll.exe103⤵PID:1836
-
\??\c:\xflllrr.exec:\xflllrr.exe104⤵PID:740
-
\??\c:\bbnntt.exec:\bbnntt.exe105⤵
- System Location Discovery: System Language Discovery
PID:3548 -
\??\c:\vvjjj.exec:\vvjjj.exe106⤵PID:4848
-
\??\c:\1fllflr.exec:\1fllflr.exe107⤵PID:4600
-
\??\c:\bbtnnh.exec:\bbtnnh.exe108⤵PID:4828
-
\??\c:\7hnntb.exec:\7hnntb.exe109⤵PID:60
-
\??\c:\jdvvj.exec:\jdvvj.exe110⤵PID:1832
-
\??\c:\xlxlrfr.exec:\xlxlrfr.exe111⤵PID:1924
-
\??\c:\bbhhhn.exec:\bbhhhn.exe112⤵PID:4152
-
\??\c:\ttbbbh.exec:\ttbbbh.exe113⤵PID:1204
-
\??\c:\bbnnnh.exec:\bbnnnh.exe114⤵PID:684
-
\??\c:\llfxfll.exec:\llfxfll.exe115⤵PID:1852
-
\??\c:\lxfflrr.exec:\lxfflrr.exe116⤵PID:4916
-
\??\c:\3ntthh.exec:\3ntthh.exe117⤵PID:2384
-
\??\c:\nthbhb.exec:\nthbhb.exe118⤵PID:768
-
\??\c:\pdpjd.exec:\pdpjd.exe119⤵PID:2832
-
\??\c:\rlrflll.exec:\rlrflll.exe120⤵PID:4488
-
\??\c:\flrxrff.exec:\flrxrff.exe121⤵PID:1496
-
\??\c:\bhhnbt.exec:\bhhnbt.exe122⤵PID:944