Analysis
-
max time kernel
119s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 17:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe
Resource
win7-20240903-en (note: the signature and process details on this page are labelled behavioral2 and the header reports platform windows10-2004_x64, so they appear to come from a different task run than this win7 resource; the PIDs and memory ranges listed below are specific to that run and should not be reused as indicators)
5 signatures
120 seconds
General
-
Target
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe
-
Size
51KB
-
MD5 (for cross-referencing legacy feeds only; use the SHA256 below as the canonical identifier when blocking or sharing this sample)
5b8bf7213d1e02668211437da3532190
-
SHA1
71148a1485f39bebd3c9bee7fd42a17ead74fb8b
-
SHA256
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311
-
SHA512
5fd74d6fbc7e04bcb4aaff01a6a10b37293b71d779ff51a0823364816bdf553637b3cb770b39f6dca0c6a8dac9f273a930818353be52ca70b1ac17c66577c95e
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvXC:0cdpeeBSHHMHLf9RyIKC
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs (YARA hits on process memory; every match covers the same 0x00400000-0x00429000 range in each child process, consistent with each dropped EXE carrying the same image rather than a distinct payload)
resource yara_rule behavioral2/memory/3688-6-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3260-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2516-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4056-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4244-30-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3520-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3404-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/220-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1352-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1336-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3080-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4632-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4088-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2420-98-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4800-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2612-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4168-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4220-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1404-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2492-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3424-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3536-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3972-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/212-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2252-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3308-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3012-203-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3084-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/956-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3496-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2996-237-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/624-241-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4388-245-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2028-261-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4632-265-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2364-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1660-288-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1248-292-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3452-301-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2544-300-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3676-313-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4596-323-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2136-327-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2432-337-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2676-344-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3508-366-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4324-370-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2636-374-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2436-402-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1456-412-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4088-416-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1284-426-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3224-430-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4628-440-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4300-444-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2172-532-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/756-702-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3448-841-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2560-893-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4172-909-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1752-988-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4408-1127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each dropped binary is written to the root of c:\ under a random-looking name and launched by its predecessor, forming a linear parent-to-child chain; the root-directory drop location and the chain depth shown in the Processes tree below are the practical detection hooks here)
pid Process 3260 vvvpj.exe 2516 pvjjj.exe 4056 bbnttt.exe 4244 ddjdv.exe 3520 frlfxfx.exe 3404 fxrxxxf.exe 220 ntttnn.exe 4388 9jpdd.exe 1352 7lxrlfx.exe 2592 rfllfff.exe 2032 tnbhhh.exe 1336 nnbttt.exe 3080 vvdjj.exe 4632 1rfxllr.exe 4088 5nnnnn.exe 2420 bhhbtt.exe 4800 pdvjd.exe 2612 rxlllff.exe 4168 bhtbnh.exe 1080 ddjjv.exe 4220 lxrlrrf.exe 5084 nntnnn.exe 2600 jddjj.exe 1404 5pddd.exe 2492 lxfxlll.exe 3424 5tbbbt.exe 3536 1nhhtt.exe 652 pvvvp.exe 5112 7fxxxxf.exe 3972 xxxxrrr.exe 1908 hhttnn.exe 212 3jpjp.exe 2252 jjpjd.exe 4680 3llrlff.exe 3308 5lrrxfx.exe 3012 nnttnt.exe 956 hhnnhh.exe 3084 pvvpd.exe 2476 9frlfrr.exe 2472 bhtnnn.exe 1916 hhhhnn.exe 1260 jjjdj.exe 5016 7rxffff.exe 3496 3xxxxfx.exe 3648 bnhtth.exe 2996 3djdv.exe 624 ffrlrrr.exe 4388 bnttnn.exe 3948 ntttbn.exe 2352 vjvvp.exe 1064 vpvvv.exe 4772 xfffxxx.exe 2028 nntttn.exe 4632 5bnhnh.exe 692 7ppdj.exe 3180 3flffll.exe 4432 7nnnhh.exe 2956 dvdpv.exe 2364 lfrlfxf.exe 1624 lrfxxrr.exe 1660 hhbhht.exe 1248 dvvpj.exe 3792 9pdvd.exe 2544 ffrlxrr.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (observed here as reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
nthhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3688 wrote to memory of 3260 3688 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 84 PID 3688 wrote to memory of 3260 3688 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 84 PID 3688 wrote to memory of 3260 3688 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 84 PID 3260 wrote to memory of 2516 3260 vvvpj.exe 85 PID 3260 wrote to memory of 2516 3260 vvvpj.exe 85 PID 3260 wrote to memory of 2516 3260 vvvpj.exe 85 PID 2516 wrote to memory of 4056 2516 pvjjj.exe 86 PID 2516 wrote to memory of 4056 2516 pvjjj.exe 86 PID 2516 wrote to memory of 4056 2516 pvjjj.exe 86 PID 4056 wrote to memory of 4244 4056 bbnttt.exe 87 PID 4056 wrote to memory of 4244 4056 bbnttt.exe 87 PID 4056 wrote to memory of 4244 4056 bbnttt.exe 87 PID 4244 wrote to memory of 3520 4244 ddjdv.exe 88 PID 4244 wrote to memory of 3520 4244 ddjdv.exe 88 PID 4244 wrote to memory of 3520 4244 ddjdv.exe 88 PID 3520 wrote to memory of 3404 3520 frlfxfx.exe 89 PID 3520 wrote to memory of 3404 3520 frlfxfx.exe 89 PID 3520 wrote to memory of 3404 3520 frlfxfx.exe 89 PID 3404 wrote to memory of 220 3404 fxrxxxf.exe 90 PID 3404 wrote to memory of 220 3404 fxrxxxf.exe 90 PID 3404 wrote to memory of 220 3404 fxrxxxf.exe 90 PID 220 wrote to memory of 4388 220 ntttnn.exe 91 PID 220 wrote to memory of 4388 220 ntttnn.exe 91 PID 220 wrote to memory of 4388 220 ntttnn.exe 91 PID 4388 wrote to memory of 1352 4388 9jpdd.exe 92 PID 4388 wrote to memory of 1352 4388 9jpdd.exe 92 PID 4388 wrote to memory of 1352 4388 9jpdd.exe 92 PID 1352 wrote to memory of 2592 1352 7lxrlfx.exe 93 PID 1352 wrote to memory of 2592 1352 7lxrlfx.exe 93 PID 1352 wrote to memory of 2592 1352 7lxrlfx.exe 93 PID 2592 wrote to memory of 2032 2592 rfllfff.exe 94 PID 2592 wrote to memory of 2032 2592 rfllfff.exe 94 PID 2592 wrote to memory of 2032 2592 rfllfff.exe 94 PID 2032 wrote to memory of 1336 2032 tnbhhh.exe 95 PID 2032 wrote to memory 
of 1336 2032 tnbhhh.exe 95 PID 2032 wrote to memory of 1336 2032 tnbhhh.exe 95 PID 1336 wrote to memory of 3080 1336 nnbttt.exe 96 PID 1336 wrote to memory of 3080 1336 nnbttt.exe 96 PID 1336 wrote to memory of 3080 1336 nnbttt.exe 96 PID 3080 wrote to memory of 4632 3080 vvdjj.exe 97 PID 3080 wrote to memory of 4632 3080 vvdjj.exe 97 PID 3080 wrote to memory of 4632 3080 vvdjj.exe 97 PID 4632 wrote to memory of 4088 4632 1rfxllr.exe 98 PID 4632 wrote to memory of 4088 4632 1rfxllr.exe 98 PID 4632 wrote to memory of 4088 4632 1rfxllr.exe 98 PID 4088 wrote to memory of 2420 4088 5nnnnn.exe 99 PID 4088 wrote to memory of 2420 4088 5nnnnn.exe 99 PID 4088 wrote to memory of 2420 4088 5nnnnn.exe 99 PID 2420 wrote to memory of 4800 2420 bhhbtt.exe 101 PID 2420 wrote to memory of 4800 2420 bhhbtt.exe 101 PID 2420 wrote to memory of 4800 2420 bhhbtt.exe 101 PID 4800 wrote to memory of 2612 4800 pdvjd.exe 102 PID 4800 wrote to memory of 2612 4800 pdvjd.exe 102 PID 4800 wrote to memory of 2612 4800 pdvjd.exe 102 PID 2612 wrote to memory of 4168 2612 rxlllff.exe 103 PID 2612 wrote to memory of 4168 2612 rxlllff.exe 103 PID 2612 wrote to memory of 4168 2612 rxlllff.exe 103 PID 4168 wrote to memory of 1080 4168 bhtbnh.exe 105 PID 4168 wrote to memory of 1080 4168 bhtbnh.exe 105 PID 4168 wrote to memory of 1080 4168 bhtbnh.exe 105 PID 1080 wrote to memory of 4220 1080 ddjjv.exe 106 PID 1080 wrote to memory of 4220 1080 ddjjv.exe 106 PID 1080 wrote to memory of 4220 1080 ddjjv.exe 106 PID 4220 wrote to memory of 5084 4220 lxrlrrf.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe"C:\Users\Admin\AppData\Local\Temp\198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\vvvpj.exec:\vvvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\pvjjj.exec:\pvjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\bbnttt.exec:\bbnttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\ddjdv.exec:\ddjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\frlfxfx.exec:\frlfxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\fxrxxxf.exec:\fxrxxxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\ntttnn.exec:\ntttnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\9jpdd.exec:\9jpdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\7lxrlfx.exec:\7lxrlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\rfllfff.exec:\rfllfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\tnbhhh.exec:\tnbhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\nnbttt.exec:\nnbttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\vvdjj.exec:\vvdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\1rfxllr.exec:\1rfxllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\5nnnnn.exec:\5nnnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\bhhbtt.exec:\bhhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\pdvjd.exec:\pdvjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\rxlllff.exec:\rxlllff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\bhtbnh.exec:\bhtbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\ddjjv.exec:\ddjjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\lxrlrrf.exec:\lxrlrrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\nntnnn.exec:\nntnnn.exe23⤵
- Executes dropped EXE
PID:5084 -
\??\c:\jddjj.exec:\jddjj.exe24⤵
- Executes dropped EXE
PID:2600 -
\??\c:\5pddd.exec:\5pddd.exe25⤵
- Executes dropped EXE
PID:1404 -
\??\c:\lxfxlll.exec:\lxfxlll.exe26⤵
- Executes dropped EXE
PID:2492 -
\??\c:\5tbbbt.exec:\5tbbbt.exe27⤵
- Executes dropped EXE
PID:3424 -
\??\c:\1nhhtt.exec:\1nhhtt.exe28⤵
- Executes dropped EXE
PID:3536 -
\??\c:\pvvvp.exec:\pvvvp.exe29⤵
- Executes dropped EXE
PID:652 -
\??\c:\7fxxxxf.exec:\7fxxxxf.exe30⤵
- Executes dropped EXE
PID:5112 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe31⤵
- Executes dropped EXE
PID:3972 -
\??\c:\hhttnn.exec:\hhttnn.exe32⤵
- Executes dropped EXE
PID:1908 -
\??\c:\3jpjp.exec:\3jpjp.exe33⤵
- Executes dropped EXE
PID:212 -
\??\c:\jjpjd.exec:\jjpjd.exe34⤵
- Executes dropped EXE
PID:2252 -
\??\c:\3llrlff.exec:\3llrlff.exe35⤵
- Executes dropped EXE
PID:4680 -
\??\c:\5lrrxfx.exec:\5lrrxfx.exe36⤵
- Executes dropped EXE
PID:3308 -
\??\c:\nnttnt.exec:\nnttnt.exe37⤵
- Executes dropped EXE
PID:3012 -
\??\c:\hhnnhh.exec:\hhnnhh.exe38⤵
- Executes dropped EXE
PID:956 -
\??\c:\pvvpd.exec:\pvvpd.exe39⤵
- Executes dropped EXE
PID:3084 -
\??\c:\9frlfrr.exec:\9frlfrr.exe40⤵
- Executes dropped EXE
PID:2476 -
\??\c:\bhtnnn.exec:\bhtnnn.exe41⤵
- Executes dropped EXE
PID:2472 -
\??\c:\hhhhnn.exec:\hhhhnn.exe42⤵
- Executes dropped EXE
PID:1916 -
\??\c:\jjjdj.exec:\jjjdj.exe43⤵
- Executes dropped EXE
PID:1260 -
\??\c:\7rxffff.exec:\7rxffff.exe44⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3xxxxfx.exec:\3xxxxfx.exe45⤵
- Executes dropped EXE
PID:3496 -
\??\c:\bnhtth.exec:\bnhtth.exe46⤵
- Executes dropped EXE
PID:3648 -
\??\c:\3djdv.exec:\3djdv.exe47⤵
- Executes dropped EXE
PID:2996 -
\??\c:\ffrlrrr.exec:\ffrlrrr.exe48⤵
- Executes dropped EXE
PID:624 -
\??\c:\bnttnn.exec:\bnttnn.exe49⤵
- Executes dropped EXE
PID:4388 -
\??\c:\ntttbn.exec:\ntttbn.exe50⤵
- Executes dropped EXE
PID:3948 -
\??\c:\vjvvp.exec:\vjvvp.exe51⤵
- Executes dropped EXE
PID:2352 -
\??\c:\vpvvv.exec:\vpvvv.exe52⤵
- Executes dropped EXE
PID:1064 -
\??\c:\xfffxxx.exec:\xfffxxx.exe53⤵
- Executes dropped EXE
PID:4772 -
\??\c:\nntttn.exec:\nntttn.exe54⤵
- Executes dropped EXE
PID:2028 -
\??\c:\5bnhnh.exec:\5bnhnh.exe55⤵
- Executes dropped EXE
PID:4632 -
\??\c:\7ppdj.exec:\7ppdj.exe56⤵
- Executes dropped EXE
PID:692 -
\??\c:\3flffll.exec:\3flffll.exe57⤵
- Executes dropped EXE
PID:3180 -
\??\c:\7nnnhh.exec:\7nnnhh.exe58⤵
- Executes dropped EXE
PID:4432 -
\??\c:\dvdpv.exec:\dvdpv.exe59⤵
- Executes dropped EXE
PID:2956 -
\??\c:\lfrlfxf.exec:\lfrlfxf.exe60⤵
- Executes dropped EXE
PID:2364 -
\??\c:\lrfxxrr.exec:\lrfxxrr.exe61⤵
- Executes dropped EXE
PID:1624 -
\??\c:\hhbhht.exec:\hhbhht.exe62⤵
- Executes dropped EXE
PID:1660 -
\??\c:\dvvpj.exec:\dvvpj.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248 -
\??\c:\9pdvd.exec:\9pdvd.exe64⤵
- Executes dropped EXE
PID:3792 -
\??\c:\ffrlxrr.exec:\ffrlxrr.exe65⤵
- Executes dropped EXE
PID:2544 -
\??\c:\1hbtnn.exec:\1hbtnn.exe66⤵PID:3452
-
\??\c:\dvjjd.exec:\dvjjd.exe67⤵PID:1108
-
\??\c:\flrfllx.exec:\flrfllx.exe68⤵PID:392
-
\??\c:\nhbbhn.exec:\nhbbhn.exe69⤵PID:3676
-
\??\c:\ddddv.exec:\ddddv.exe70⤵PID:3092
-
\??\c:\vpdpj.exec:\vpdpj.exe71⤵PID:3596
-
\??\c:\xxrrxxl.exec:\xxrrxxl.exe72⤵PID:4596
-
\??\c:\3jdpv.exec:\3jdpv.exe73⤵PID:2136
-
\??\c:\7xfxxxx.exec:\7xfxxxx.exe74⤵PID:3296
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe75⤵PID:528
-
\??\c:\jjjjj.exec:\jjjjj.exe76⤵PID:2432
-
\??\c:\dppvp.exec:\dppvp.exe77⤵PID:3972
-
\??\c:\rxxrfxx.exec:\rxxrfxx.exe78⤵PID:2676
-
\??\c:\bbhnnn.exec:\bbhnnn.exe79⤵PID:1912
-
\??\c:\vvddv.exec:\vvddv.exe80⤵PID:3988
-
\??\c:\ffrrxlf.exec:\ffrrxlf.exe81⤵PID:4540
-
\??\c:\xflrlrl.exec:\xflrlrl.exe82⤵PID:4360
-
\??\c:\nbbtnn.exec:\nbbtnn.exe83⤵PID:956
-
\??\c:\5bnbhh.exec:\5bnbhh.exe84⤵PID:3688
-
\??\c:\3vjdj.exec:\3vjdj.exe85⤵PID:3508
-
\??\c:\jdvpv.exec:\jdvpv.exe86⤵PID:4324
-
\??\c:\llrxlrr.exec:\llrxlrr.exe87⤵PID:2636
-
\??\c:\hbtnhn.exec:\hbtnhn.exe88⤵PID:5068
-
\??\c:\htnhnb.exec:\htnhnb.exe89⤵PID:5076
-
\??\c:\fxfxxfx.exec:\fxfxxfx.exe90⤵PID:4084
-
\??\c:\frllllf.exec:\frllllf.exe91⤵PID:3648
-
\??\c:\tntttb.exec:\tntttb.exe92⤵PID:3368
-
\??\c:\thbtnt.exec:\thbtnt.exe93⤵PID:2980
-
\??\c:\ppppp.exec:\ppppp.exe94⤵PID:4388
-
\??\c:\pjvpp.exec:\pjvpp.exe95⤵PID:2728
-
\??\c:\3rrllll.exec:\3rrllll.exe96⤵PID:2436
-
\??\c:\bhnnht.exec:\bhnnht.exe97⤵PID:3956
-
\??\c:\hhbnnt.exec:\hhbnnt.exe98⤵PID:1924
-
\??\c:\7vjdd.exec:\7vjdd.exe99⤵PID:1456
-
\??\c:\xfxxrxf.exec:\xfxxrxf.exe100⤵PID:4088
-
\??\c:\rfxxxxx.exec:\rfxxxxx.exe101⤵PID:4872
-
\??\c:\nntnnt.exec:\nntnnt.exe102⤵PID:2420
-
\??\c:\nhnnhh.exec:\nhnnhh.exe103⤵PID:1284
-
\??\c:\jpvvp.exec:\jpvvp.exe104⤵PID:3224
-
\??\c:\xxfxxxl.exec:\xxfxxxl.exe105⤵PID:3880
-
\??\c:\nnbbnn.exec:\nnbbnn.exe106⤵PID:1624
-
\??\c:\bhttnn.exec:\bhttnn.exe107⤵PID:4628
-
\??\c:\ddppv.exec:\ddppv.exe108⤵PID:4300
-
\??\c:\jpddv.exec:\jpddv.exe109⤵PID:2040
-
\??\c:\xxffrlf.exec:\xxffrlf.exe110⤵PID:3228
-
\??\c:\pvjpv.exec:\pvjpv.exe111⤵PID:5084
-
\??\c:\flfxllr.exec:\flfxllr.exe112⤵PID:1012
-
\??\c:\bbtbhb.exec:\bbtbhb.exe113⤵PID:3096
-
\??\c:\btbttn.exec:\btbttn.exe114⤵PID:4332
-
\??\c:\vpjdp.exec:\vpjdp.exe115⤵PID:3536
-
\??\c:\fxfxllf.exec:\fxfxllf.exe116⤵PID:3108
-
\??\c:\llrrrrr.exec:\llrrrrr.exe117⤵PID:3732
-
\??\c:\nttbnn.exec:\nttbnn.exe118⤵PID:528
-
\??\c:\hbbbbb.exec:\hbbbbb.exe119⤵PID:1908
-
\??\c:\3vppj.exec:\3vppj.exe120⤵PID:2676
-
\??\c:\9fxxxxl.exec:\9fxxxxl.exe121⤵PID:4492
-
\??\c:\5rxxrlf.exec:\5rxxrlf.exe122⤵PID:4624