Analysis
-
max time kernel
150s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 17:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe
Resource
win7-20241010-en
5 signatures
150 seconds
General
-
Target
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe
-
Size
51KB
-
MD5
5b8bf7213d1e02668211437da3532190
-
SHA1
71148a1485f39bebd3c9bee7fd42a17ead74fb8b
-
SHA256
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311
-
SHA512
5fd74d6fbc7e04bcb4aaff01a6a10b37293b71d779ff51a0823364816bdf553637b3cb770b39f6dca0c6a8dac9f273a930818353be52ca70b1ac17c66577c95e
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvXC:0cdpeeBSHHMHLf9RyIKC
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/856-6-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4672-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1820-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1524-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4100-31-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4564-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4004-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1716-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2508-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3596-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3660-66-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/764-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3144-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/528-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4588-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2788-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2464-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4876-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4108-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5040-156-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3916-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1724-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1560-182-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1728-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4772-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4360-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3172-203-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1632-213-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1396-217-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1940-224-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2036-239-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3276-237-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4260-245-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1984-249-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2776-271-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/624-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3144-285-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/316-292-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1428-299-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1452-303-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2900-319-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4952-330-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/872-342-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5040-341-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2444-355-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1560-361-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1632-387-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/444-394-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2976-407-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3712-414-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2112-442-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3440-470-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1124-590-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4988-607-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2448-611-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4032-618-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2428-649-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3220-713-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1956-717-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3312-737-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3264-799-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2968-806-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3728-1336-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3680-4651-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4672 bhhbtt.exe 1820 hhhhbn.exe 1524 7dddv.exe 4100 lllfrrl.exe 4564 flxxfff.exe 4004 bhhnnn.exe 1716 vjjdd.exe 4552 rrfxrrl.exe 1056 btbtbb.exe 3660 bbbbtt.exe 2508 djpjp.exe 3596 rfffxrl.exe 1004 rxrrrll.exe 764 5hhbtt.exe 3144 9vvpd.exe 528 vjpdv.exe 4588 3rxfxxr.exe 2788 hnbtnn.exe 2464 ppppp.exe 4876 rrlxxxl.exe 4624 btbnhh.exe 4108 ddjjd.exe 4148 jdjjd.exe 4196 7ffxxff.exe 3088 5rxxrrl.exe 4340 bbhhbb.exe 5040 bhbhht.exe 3916 5jvvj.exe 1672 lrxxrxr.exe 1724 flllfff.exe 1560 tbbnnn.exe 1728 1hbbtn.exe 4772 pddjj.exe 3604 lxxxlll.exe 4360 rlfrllf.exe 3172 1tbbbt.exe 4216 hnbbbb.exe 1340 ppjjd.exe 1632 ppjdj.exe 1396 lllfrrx.exe 4328 bttnnn.exe 1940 hhhbnn.exe 4672 vdvpp.exe 1820 9vvpj.exe 4808 lfllxfx.exe 3276 ttbbtt.exe 2036 tbttnt.exe 4260 nhhhbb.exe 1984 pdddp.exe 4376 rrrrrrr.exe 544 flllffx.exe 2952 nhnnhh.exe 4384 jdppd.exe 2332 jjvpv.exe 2008 rrlflfl.exe 2776 fxxxrxr.exe 2112 5ttttb.exe 4812 nntnhh.exe 624 vjdjp.exe 3144 1pvpp.exe 5108 fflfxfx.exe 316 bbnnnn.exe 2724 nnhbth.exe 1428 djddv.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 856 wrote to memory of 4672 856 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 85 PID 856 wrote to memory of 4672 856 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 85 PID 856 wrote to memory of 4672 856 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 85 PID 4672 wrote to memory of 1820 4672 bhhbtt.exe 86 PID 4672 wrote to memory of 1820 4672 bhhbtt.exe 86 PID 4672 wrote to memory of 1820 4672 bhhbtt.exe 86 PID 1820 wrote to memory of 1524 1820 hhhhbn.exe 87 PID 1820 wrote to memory of 1524 1820 hhhhbn.exe 87 PID 1820 wrote to memory of 1524 1820 hhhhbn.exe 87 PID 1524 wrote to memory of 4100 1524 7dddv.exe 88 PID 1524 wrote to memory of 4100 1524 7dddv.exe 88 PID 1524 wrote to memory of 4100 1524 7dddv.exe 88 PID 4100 wrote to memory of 4564 4100 lllfrrl.exe 89 PID 4100 wrote to memory of 4564 4100 lllfrrl.exe 89 PID 4100 wrote to memory of 4564 4100 lllfrrl.exe 89 PID 4564 wrote to memory of 4004 4564 flxxfff.exe 90 PID 4564 wrote to memory of 4004 4564 flxxfff.exe 90 PID 4564 wrote to memory of 4004 4564 flxxfff.exe 90 PID 4004 wrote to memory of 1716 4004 bhhnnn.exe 91 PID 4004 wrote to memory of 1716 4004 bhhnnn.exe 91 PID 4004 wrote to memory of 1716 4004 bhhnnn.exe 91 PID 1716 wrote to memory of 4552 1716 vjjdd.exe 92 PID 1716 wrote to memory of 4552 1716 vjjdd.exe 92 PID 1716 wrote to memory of 4552 1716 vjjdd.exe 92 PID 4552 wrote to memory of 1056 4552 rrfxrrl.exe 93 PID 4552 wrote to memory of 1056 4552 rrfxrrl.exe 93 PID 4552 wrote to memory of 1056 4552 rrfxrrl.exe 93 PID 1056 wrote to memory of 3660 1056 btbtbb.exe 94 PID 1056 wrote to memory of 3660 1056 btbtbb.exe 94 PID 1056 wrote to memory of 3660 1056 btbtbb.exe 94 PID 3660 wrote to memory of 2508 3660 bbbbtt.exe 96 PID 3660 wrote to memory of 2508 3660 bbbbtt.exe 96 PID 3660 wrote to memory of 2508 3660 bbbbtt.exe 96 PID 2508 wrote to memory of 3596 2508 djpjp.exe 97 PID 2508 wrote to 
memory of 3596 2508 djpjp.exe 97 PID 2508 wrote to memory of 3596 2508 djpjp.exe 97 PID 3596 wrote to memory of 1004 3596 rfffxrl.exe 98 PID 3596 wrote to memory of 1004 3596 rfffxrl.exe 98 PID 3596 wrote to memory of 1004 3596 rfffxrl.exe 98 PID 1004 wrote to memory of 764 1004 rxrrrll.exe 99 PID 1004 wrote to memory of 764 1004 rxrrrll.exe 99 PID 1004 wrote to memory of 764 1004 rxrrrll.exe 99 PID 764 wrote to memory of 3144 764 5hhbtt.exe 100 PID 764 wrote to memory of 3144 764 5hhbtt.exe 100 PID 764 wrote to memory of 3144 764 5hhbtt.exe 100 PID 3144 wrote to memory of 528 3144 9vvpd.exe 101 PID 3144 wrote to memory of 528 3144 9vvpd.exe 101 PID 3144 wrote to memory of 528 3144 9vvpd.exe 101 PID 528 wrote to memory of 4588 528 vjpdv.exe 102 PID 528 wrote to memory of 4588 528 vjpdv.exe 102 PID 528 wrote to memory of 4588 528 vjpdv.exe 102 PID 4588 wrote to memory of 2788 4588 3rxfxxr.exe 103 PID 4588 wrote to memory of 2788 4588 3rxfxxr.exe 103 PID 4588 wrote to memory of 2788 4588 3rxfxxr.exe 103 PID 2788 wrote to memory of 2464 2788 hnbtnn.exe 104 PID 2788 wrote to memory of 2464 2788 hnbtnn.exe 104 PID 2788 wrote to memory of 2464 2788 hnbtnn.exe 104 PID 2464 wrote to memory of 4876 2464 ppppp.exe 105 PID 2464 wrote to memory of 4876 2464 ppppp.exe 105 PID 2464 wrote to memory of 4876 2464 ppppp.exe 105 PID 4876 wrote to memory of 4624 4876 rrlxxxl.exe 106 PID 4876 wrote to memory of 4624 4876 rrlxxxl.exe 106 PID 4876 wrote to memory of 4624 4876 rrlxxxl.exe 106 PID 4624 wrote to memory of 4108 4624 btbnhh.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe"C:\Users\Admin\AppData\Local\Temp\198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\bhhbtt.exec:\bhhbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\hhhhbn.exec:\hhhhbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\7dddv.exec:\7dddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\lllfrrl.exec:\lllfrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\flxxfff.exec:\flxxfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\bhhnnn.exec:\bhhnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\vjjdd.exec:\vjjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\rrfxrrl.exec:\rrfxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\btbtbb.exec:\btbtbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\bbbbtt.exec:\bbbbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\djpjp.exec:\djpjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\rfffxrl.exec:\rfffxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\rxrrrll.exec:\rxrrrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\5hhbtt.exec:\5hhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\9vvpd.exec:\9vvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\vjpdv.exec:\vjpdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\3rxfxxr.exec:\3rxfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\hnbtnn.exec:\hnbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\ppppp.exec:\ppppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\rrlxxxl.exec:\rrlxxxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\btbnhh.exec:\btbnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\ddjjd.exec:\ddjjd.exe23⤵
- Executes dropped EXE
PID:4108 -
\??\c:\jdjjd.exec:\jdjjd.exe24⤵
- Executes dropped EXE
PID:4148 -
\??\c:\7ffxxff.exec:\7ffxxff.exe25⤵
- Executes dropped EXE
PID:4196 -
\??\c:\5rxxrrl.exec:\5rxxrrl.exe26⤵
- Executes dropped EXE
PID:3088 -
\??\c:\bbhhbb.exec:\bbhhbb.exe27⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bhbhht.exec:\bhbhht.exe28⤵
- Executes dropped EXE
PID:5040 -
\??\c:\5jvvj.exec:\5jvvj.exe29⤵
- Executes dropped EXE
PID:3916 -
\??\c:\lrxxrxr.exec:\lrxxrxr.exe30⤵
- Executes dropped EXE
PID:1672 -
\??\c:\flllfff.exec:\flllfff.exe31⤵
- Executes dropped EXE
PID:1724 -
\??\c:\tbbnnn.exec:\tbbnnn.exe32⤵
- Executes dropped EXE
PID:1560 -
\??\c:\1hbbtn.exec:\1hbbtn.exe33⤵
- Executes dropped EXE
PID:1728 -
\??\c:\pddjj.exec:\pddjj.exe34⤵
- Executes dropped EXE
PID:4772 -
\??\c:\lxxxlll.exec:\lxxxlll.exe35⤵
- Executes dropped EXE
PID:3604 -
\??\c:\rlfrllf.exec:\rlfrllf.exe36⤵
- Executes dropped EXE
PID:4360 -
\??\c:\1tbbbt.exec:\1tbbbt.exe37⤵
- Executes dropped EXE
PID:3172 -
\??\c:\hnbbbb.exec:\hnbbbb.exe38⤵
- Executes dropped EXE
PID:4216 -
\??\c:\ppjjd.exec:\ppjjd.exe39⤵
- Executes dropped EXE
PID:1340 -
\??\c:\ppjdj.exec:\ppjdj.exe40⤵
- Executes dropped EXE
PID:1632 -
\??\c:\lllfrrx.exec:\lllfrrx.exe41⤵
- Executes dropped EXE
PID:1396 -
\??\c:\bttnnn.exec:\bttnnn.exe42⤵
- Executes dropped EXE
PID:4328 -
\??\c:\hhhbnn.exec:\hhhbnn.exe43⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vdvpp.exec:\vdvpp.exe44⤵
- Executes dropped EXE
PID:4672 -
\??\c:\9vvpj.exec:\9vvpj.exe45⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lfllxfx.exec:\lfllxfx.exe46⤵
- Executes dropped EXE
PID:4808 -
\??\c:\ttbbtt.exec:\ttbbtt.exe47⤵
- Executes dropped EXE
PID:3276 -
\??\c:\tbttnt.exec:\tbttnt.exe48⤵
- Executes dropped EXE
PID:2036 -
\??\c:\nhhhbb.exec:\nhhhbb.exe49⤵
- Executes dropped EXE
PID:4260 -
\??\c:\pdddp.exec:\pdddp.exe50⤵
- Executes dropped EXE
PID:1984 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe51⤵
- Executes dropped EXE
PID:4376 -
\??\c:\flllffx.exec:\flllffx.exe52⤵
- Executes dropped EXE
PID:544 -
\??\c:\nhnnhh.exec:\nhnnhh.exe53⤵
- Executes dropped EXE
PID:2952 -
\??\c:\jdppd.exec:\jdppd.exe54⤵
- Executes dropped EXE
PID:4384 -
\??\c:\jjvpv.exec:\jjvpv.exe55⤵
- Executes dropped EXE
PID:2332 -
\??\c:\rrlflfl.exec:\rrlflfl.exe56⤵
- Executes dropped EXE
PID:2008 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe57⤵
- Executes dropped EXE
PID:2776 -
\??\c:\5ttttb.exec:\5ttttb.exe58⤵
- Executes dropped EXE
PID:2112 -
\??\c:\nntnhh.exec:\nntnhh.exe59⤵
- Executes dropped EXE
PID:4812 -
\??\c:\vjdjp.exec:\vjdjp.exe60⤵
- Executes dropped EXE
PID:624 -
\??\c:\1pvpp.exec:\1pvpp.exe61⤵
- Executes dropped EXE
PID:3144 -
\??\c:\fflfxfx.exec:\fflfxfx.exe62⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bbnnnn.exec:\bbnnnn.exe63⤵
- Executes dropped EXE
PID:316 -
\??\c:\nnhbth.exec:\nnhbth.exe64⤵
- Executes dropped EXE
PID:2724 -
\??\c:\djddv.exec:\djddv.exe65⤵
- Executes dropped EXE
PID:1428 -
\??\c:\vpdvv.exec:\vpdvv.exe66⤵PID:1452
-
\??\c:\rrfxxfx.exec:\rrfxxfx.exe67⤵PID:3440
-
\??\c:\bhtnth.exec:\bhtnth.exe68⤵PID:3724
-
\??\c:\nthbtt.exec:\nthbtt.exe69⤵PID:5056
-
\??\c:\pjvjj.exec:\pjvjj.exe70⤵PID:3664
-
\??\c:\jpvvp.exec:\jpvvp.exe71⤵PID:2900
-
\??\c:\rrflrxf.exec:\rrflrxf.exe72⤵PID:2672
-
\??\c:\1tbttb.exec:\1tbttb.exe73⤵PID:4740
-
\??\c:\hbnhbh.exec:\hbnhbh.exe74⤵PID:4952
-
\??\c:\3vjvv.exec:\3vjvv.exe75⤵PID:5068
-
\??\c:\jpppj.exec:\jpppj.exe76⤵PID:5076
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe77⤵PID:872
-
\??\c:\hbtnhb.exec:\hbtnhb.exe78⤵PID:5040
-
\??\c:\vdjpp.exec:\vdjpp.exe79⤵PID:3548
-
\??\c:\djvpj.exec:\djvpj.exe80⤵PID:1052
-
\??\c:\bhhnnn.exec:\bhhnnn.exe81⤵PID:2232
-
\??\c:\bthhbb.exec:\bthhbb.exe82⤵PID:2444
-
\??\c:\hbbbnn.exec:\hbbbnn.exe83⤵PID:1560
-
\??\c:\vddjd.exec:\vddjd.exe84⤵PID:3108
-
\??\c:\fxlfllr.exec:\fxlfllr.exe85⤵PID:2812
-
\??\c:\7xxxrlf.exec:\7xxxrlf.exe86⤵PID:940
-
\??\c:\3nnttt.exec:\3nnttt.exe87⤵PID:3692
-
\??\c:\bbhbtn.exec:\bbhbtn.exe88⤵PID:676
-
\??\c:\pjvpv.exec:\pjvpv.exe89⤵PID:3332
-
\??\c:\jvddv.exec:\jvddv.exe90⤵PID:4036
-
\??\c:\flrrrxx.exec:\flrrrxx.exe91⤵PID:4760
-
\??\c:\bhbhbb.exec:\bhbhbb.exe92⤵PID:1632
-
\??\c:\9nnhbb.exec:\9nnhbb.exe93⤵PID:1396
-
\??\c:\vjppj.exec:\vjppj.exe94⤵PID:444
-
\??\c:\lfxxlll.exec:\lfxxlll.exe95⤵PID:3932
-
\??\c:\lllrrlf.exec:\lllrrlf.exe96⤵PID:2040
-
\??\c:\3bnnbh.exec:\3bnnbh.exe97⤵PID:404
-
\??\c:\hhhhbh.exec:\hhhhbh.exe98⤵PID:2976
-
\??\c:\ttbtnn.exec:\ttbtnn.exe99⤵PID:4932
-
\??\c:\7dpjv.exec:\7dpjv.exe100⤵PID:3712
-
\??\c:\7dvvd.exec:\7dvvd.exe101⤵PID:1984
-
\??\c:\fflfffx.exec:\fflfffx.exe102⤵PID:4376
-
\??\c:\7rrxxxx.exec:\7rrxxxx.exe103⤵PID:544
-
\??\c:\nnthtt.exec:\nnthtt.exe104⤵PID:2952
-
\??\c:\dvvvp.exec:\dvvvp.exe105⤵PID:4852
-
\??\c:\rrxxffl.exec:\rrxxffl.exe106⤵PID:1124
-
\??\c:\fllflrl.exec:\fllflrl.exe107⤵PID:3504
-
\??\c:\hntttt.exec:\hntttt.exe108⤵PID:4792
-
\??\c:\jvddv.exec:\jvddv.exe109⤵PID:2112
-
\??\c:\rrrllll.exec:\rrrllll.exe110⤵PID:4812
-
\??\c:\3nnhbb.exec:\3nnhbb.exe111⤵PID:3080
-
\??\c:\bnbhbb.exec:\bnbhbb.exe112⤵PID:4820
-
\??\c:\ppdvd.exec:\ppdvd.exe113⤵PID:5108
-
\??\c:\rrfxxxf.exec:\rrfxxxf.exe114⤵PID:3188
-
\??\c:\rlfxrrx.exec:\rlfxrrx.exe115⤵PID:5084
-
\??\c:\btnhht.exec:\btnhht.exe116⤵PID:5092
-
\??\c:\3tnntb.exec:\3tnntb.exe117⤵PID:2188
-
\??\c:\jjvvp.exec:\jjvvp.exe118⤵PID:3440
-
\??\c:\3jdvv.exec:\3jdvv.exe119⤵PID:5044
-
\??\c:\xxfxxxf.exec:\xxfxxxf.exe120⤵PID:652
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe121⤵PID:2692
-
\??\c:\ttbtnb.exec:\ttbtnb.exe122⤵PID:4220