Analysis
-
max time kernel
120s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 17:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe
-
Size
59KB
-
MD5
47cbe180e3f031c5f995da25249841d0
-
SHA1
e8f3d6d8a4d5f952cdc0acacd62bfc75cbd09187
-
SHA256
bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19a
-
SHA512
9f227e6e9ba7262d3012a0acfb78f5b81098ea9e47e8e29c8313b6a73743aac60d0eb8afdadb3c11b82701af849a6a823282432f8663e5a63dfb20b3c795f277
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFgw:ymb3NkkiQ3mdBjFIF7
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral2/memory/2772-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1980-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3948-22-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3680-30-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/756-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2740-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2468-58-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5024-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5000-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2724-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4988-96-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4612-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3152-107-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3936-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1144-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4652-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3920-132-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4608-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4668-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4756-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4984-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1244-211-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5036-215-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2772 1flxrxl.exe 3948 rllllll.exe 3680 thhhbb.exe 756 jdddv.exe 2740 hnbttn.exe 2468 vdpvp.exe 5024 xfxrxxr.exe 432 nhbbht.exe 5000 jvjjd.exe 2724 lrrrlll.exe 4988 1tbtnn.exe 4612 hnhbbb.exe 3152 7vdjj.exe 3936 lllfrrr.exe 1144 ttbbbb.exe 4652 jvvpj.exe 3920 djdjj.exe 4608 xrxxffr.exe 4352 ttbtnb.exe 4884 1bnnhh.exe 3872 dpppp.exe 4084 bntnnh.exe 700 htbthh.exe 2104 jdvpv.exe 1856 ppppj.exe 4668 xllfxxf.exe 4756 nhhhbb.exe 4700 jvdvp.exe 4984 dddvj.exe 1244 llfxfxr.exe 5036 hnttbb.exe 3980 dpddd.exe 1872 dpppd.exe 2028 xlrffxf.exe 3568 1tttnt.exe 1696 nhhtnn.exe 1028 ppvvj.exe 2736 9vdvv.exe 2088 fxlfflr.exe 2644 xrlllll.exe 2740 hhtttt.exe 1300 jpvpj.exe 2872 vvjjv.exe 3136 rfxlxlr.exe 5024 btttnn.exe 3744 thhhtt.exe 2888 pvddv.exe 4864 pvdvv.exe 3932 lffxxlf.exe 4904 ttbhbt.exe 1328 tnnhhh.exe 2504 5vddv.exe 5096 dpddd.exe 1504 lxfllrx.exe 4728 ntbtnn.exe 3628 thtbbn.exe 1188 vjjjj.exe 1700 jjjdd.exe 3104 rlxrlll.exe 1464 bhbhbb.exe 3940 tbbbhh.exe 4892 jjjdd.exe 924 dvpjd.exe 4084 xlrlllr.exe -
resource yara_rule behavioral2/memory/1980-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2772-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3948-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1980-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3948-22-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3680-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3680-30-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/756-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/756-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/756-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/756-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2740-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2740-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2740-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2468-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2468-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2468-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2468-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5024-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5024-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5024-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/432-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/432-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/432-70-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/5000-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2724-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4988-96-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4612-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3152-107-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3936-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1144-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4652-126-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3920-132-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4608-137-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4668-186-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4756-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4984-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1244-211-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5036-215-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1980 wrote to memory of 2772 1980 bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe 84 PID 1980 wrote to memory of 2772 1980 bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe 84 PID 1980 wrote to memory of 2772 1980 bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe 84 PID 2772 wrote to memory of 3948 2772 1flxrxl.exe 85 PID 2772 wrote to memory of 3948 2772 1flxrxl.exe 85 PID 2772 wrote to memory of 3948 2772 1flxrxl.exe 85 PID 3948 wrote to memory of 3680 3948 rllllll.exe 86 PID 3948 wrote to memory of 3680 3948 rllllll.exe 86 PID 3948 wrote to memory of 3680 3948 rllllll.exe 86 PID 3680 wrote to memory of 756 3680 thhhbb.exe 87 PID 3680 wrote to memory of 756 3680 thhhbb.exe 87 PID 3680 wrote to memory of 756 3680 thhhbb.exe 87 PID 756 wrote to memory of 2740 756 jdddv.exe 88 PID 756 wrote to memory of 2740 756 jdddv.exe 88 PID 756 wrote to memory of 2740 756 jdddv.exe 88 PID 2740 wrote to memory of 2468 2740 hnbttn.exe 89 PID 2740 wrote to memory of 2468 2740 hnbttn.exe 89 PID 2740 wrote to memory of 2468 2740 hnbttn.exe 89 PID 2468 wrote to memory of 5024 2468 vdpvp.exe 90 PID 2468 wrote to memory of 5024 2468 vdpvp.exe 90 PID 2468 wrote to memory of 5024 2468 vdpvp.exe 90 PID 5024 wrote to memory of 432 5024 xfxrxxr.exe 91 PID 5024 wrote to memory of 432 5024 xfxrxxr.exe 91 PID 5024 wrote to memory of 432 5024 xfxrxxr.exe 91 PID 432 wrote to memory of 5000 432 nhbbht.exe 92 PID 432 wrote to memory of 5000 432 nhbbht.exe 92 PID 432 wrote to memory of 5000 432 nhbbht.exe 92 PID 5000 wrote to memory of 2724 5000 jvjjd.exe 93 PID 5000 wrote to memory of 2724 5000 jvjjd.exe 93 PID 5000 wrote to memory of 2724 5000 jvjjd.exe 93 PID 2724 wrote to memory of 4988 2724 lrrrlll.exe 94 PID 2724 wrote to memory of 4988 2724 lrrrlll.exe 94 PID 2724 wrote to memory of 4988 2724 lrrrlll.exe 94 PID 4988 wrote to memory of 4612 4988 1tbtnn.exe 95 PID 4988 wrote to memory of 
4612 4988 1tbtnn.exe 95 PID 4988 wrote to memory of 4612 4988 1tbtnn.exe 95 PID 4612 wrote to memory of 3152 4612 hnhbbb.exe 96 PID 4612 wrote to memory of 3152 4612 hnhbbb.exe 96 PID 4612 wrote to memory of 3152 4612 hnhbbb.exe 96 PID 3152 wrote to memory of 3936 3152 7vdjj.exe 97 PID 3152 wrote to memory of 3936 3152 7vdjj.exe 97 PID 3152 wrote to memory of 3936 3152 7vdjj.exe 97 PID 3936 wrote to memory of 1144 3936 lllfrrr.exe 98 PID 3936 wrote to memory of 1144 3936 lllfrrr.exe 98 PID 3936 wrote to memory of 1144 3936 lllfrrr.exe 98 PID 1144 wrote to memory of 4652 1144 ttbbbb.exe 99 PID 1144 wrote to memory of 4652 1144 ttbbbb.exe 99 PID 1144 wrote to memory of 4652 1144 ttbbbb.exe 99 PID 4652 wrote to memory of 3920 4652 jvvpj.exe 100 PID 4652 wrote to memory of 3920 4652 jvvpj.exe 100 PID 4652 wrote to memory of 3920 4652 jvvpj.exe 100 PID 3920 wrote to memory of 4608 3920 djdjj.exe 102 PID 3920 wrote to memory of 4608 3920 djdjj.exe 102 PID 3920 wrote to memory of 4608 3920 djdjj.exe 102 PID 4608 wrote to memory of 4352 4608 xrxxffr.exe 103 PID 4608 wrote to memory of 4352 4608 xrxxffr.exe 103 PID 4608 wrote to memory of 4352 4608 xrxxffr.exe 103 PID 4352 wrote to memory of 4884 4352 ttbtnb.exe 104 PID 4352 wrote to memory of 4884 4352 ttbtnb.exe 104 PID 4352 wrote to memory of 4884 4352 ttbtnb.exe 104 PID 4884 wrote to memory of 3872 4884 1bnnhh.exe 105 PID 4884 wrote to memory of 3872 4884 1bnnhh.exe 105 PID 4884 wrote to memory of 3872 4884 1bnnhh.exe 105 PID 3872 wrote to memory of 4084 3872 dpppp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe"C:\Users\Admin\AppData\Local\Temp\bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\1flxrxl.exec:\1flxrxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\rllllll.exec:\rllllll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\thhhbb.exec:\thhhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\jdddv.exec:\jdddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\hnbttn.exec:\hnbttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\vdpvp.exec:\vdpvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\xfxrxxr.exec:\xfxrxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\nhbbht.exec:\nhbbht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\jvjjd.exec:\jvjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\lrrrlll.exec:\lrrrlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\1tbtnn.exec:\1tbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\hnhbbb.exec:\hnhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\7vdjj.exec:\7vdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\lllfrrr.exec:\lllfrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\ttbbbb.exec:\ttbbbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\jvvpj.exec:\jvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\djdjj.exec:\djdjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\xrxxffr.exec:\xrxxffr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\ttbtnb.exec:\ttbtnb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\1bnnhh.exec:\1bnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\dpppp.exec:\dpppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\bntnnh.exec:\bntnnh.exe23⤵
- Executes dropped EXE
PID:4084 -
\??\c:\htbthh.exec:\htbthh.exe24⤵
- Executes dropped EXE
PID:700 -
\??\c:\jdvpv.exec:\jdvpv.exe25⤵
- Executes dropped EXE
PID:2104 -
\??\c:\ppppj.exec:\ppppj.exe26⤵
- Executes dropped EXE
PID:1856 -
\??\c:\xllfxxf.exec:\xllfxxf.exe27⤵
- Executes dropped EXE
PID:4668 -
\??\c:\nhhhbb.exec:\nhhhbb.exe28⤵
- Executes dropped EXE
PID:4756 -
\??\c:\jvdvp.exec:\jvdvp.exe29⤵
- Executes dropped EXE
PID:4700 -
\??\c:\dddvj.exec:\dddvj.exe30⤵
- Executes dropped EXE
PID:4984 -
\??\c:\llfxfxr.exec:\llfxfxr.exe31⤵
- Executes dropped EXE
PID:1244 -
\??\c:\hnttbb.exec:\hnttbb.exe32⤵
- Executes dropped EXE
PID:5036 -
\??\c:\dpddd.exec:\dpddd.exe33⤵
- Executes dropped EXE
PID:3980 -
\??\c:\dpppd.exec:\dpppd.exe34⤵
- Executes dropped EXE
PID:1872 -
\??\c:\xlrffxf.exec:\xlrffxf.exe35⤵
- Executes dropped EXE
PID:2028 -
\??\c:\1tttnt.exec:\1tttnt.exe36⤵
- Executes dropped EXE
PID:3568 -
\??\c:\nhhtnn.exec:\nhhtnn.exe37⤵
- Executes dropped EXE
PID:1696 -
\??\c:\ppvvj.exec:\ppvvj.exe38⤵
- Executes dropped EXE
PID:1028 -
\??\c:\9vdvv.exec:\9vdvv.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\fxlfflr.exec:\fxlfflr.exe40⤵
- Executes dropped EXE
PID:2088 -
\??\c:\xrlllll.exec:\xrlllll.exe41⤵
- Executes dropped EXE
PID:2644 -
\??\c:\hhtttt.exec:\hhtttt.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\jpvpj.exec:\jpvpj.exe43⤵
- Executes dropped EXE
PID:1300 -
\??\c:\vvjjv.exec:\vvjjv.exe44⤵
- Executes dropped EXE
PID:2872 -
\??\c:\rfxlxlr.exec:\rfxlxlr.exe45⤵
- Executes dropped EXE
PID:3136 -
\??\c:\btttnn.exec:\btttnn.exe46⤵
- Executes dropped EXE
PID:5024 -
\??\c:\thhhtt.exec:\thhhtt.exe47⤵
- Executes dropped EXE
PID:3744 -
\??\c:\pvddv.exec:\pvddv.exe48⤵
- Executes dropped EXE
PID:2888 -
\??\c:\pvdvv.exec:\pvdvv.exe49⤵
- Executes dropped EXE
PID:4864 -
\??\c:\lffxxlf.exec:\lffxxlf.exe50⤵
- Executes dropped EXE
PID:3932 -
\??\c:\ttbhbt.exec:\ttbhbt.exe51⤵
- Executes dropped EXE
PID:4904 -
\??\c:\tnnhhh.exec:\tnnhhh.exe52⤵
- Executes dropped EXE
PID:1328 -
\??\c:\5vddv.exec:\5vddv.exe53⤵
- Executes dropped EXE
PID:2504 -
\??\c:\dpddd.exec:\dpddd.exe54⤵
- Executes dropped EXE
PID:5096 -
\??\c:\lxfllrx.exec:\lxfllrx.exe55⤵
- Executes dropped EXE
PID:1504 -
\??\c:\ntbtnn.exec:\ntbtnn.exe56⤵
- Executes dropped EXE
PID:4728 -
\??\c:\thtbbn.exec:\thtbbn.exe57⤵
- Executes dropped EXE
PID:3628 -
\??\c:\vjjjj.exec:\vjjjj.exe58⤵
- Executes dropped EXE
PID:1188 -
\??\c:\jjjdd.exec:\jjjdd.exe59⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rlxrlll.exec:\rlxrlll.exe60⤵
- Executes dropped EXE
PID:3104 -
\??\c:\bhbhbb.exec:\bhbhbb.exe61⤵
- Executes dropped EXE
PID:1464 -
\??\c:\tbbbhh.exec:\tbbbhh.exe62⤵
- Executes dropped EXE
PID:3940 -
\??\c:\jjjdd.exec:\jjjdd.exe63⤵
- Executes dropped EXE
PID:4892 -
\??\c:\dvpjd.exec:\dvpjd.exe64⤵
- Executes dropped EXE
PID:924 -
\??\c:\xlrlllr.exec:\xlrlllr.exe65⤵
- Executes dropped EXE
PID:4084 -
\??\c:\tttnnn.exec:\tttnnn.exe66⤵PID:3716
-
\??\c:\hntnnh.exec:\hntnnh.exe67⤵PID:2104
-
\??\c:\jddvp.exec:\jddvp.exe68⤵PID:4116
-
\??\c:\7vvvp.exec:\7vvvp.exe69⤵PID:4676
-
\??\c:\ffllflx.exec:\ffllflx.exe70⤵PID:780
-
\??\c:\frxrfxf.exec:\frxrfxf.exe71⤵PID:4600
-
\??\c:\3bhhbb.exec:\3bhhbb.exe72⤵PID:4732
-
\??\c:\thnnhh.exec:\thnnhh.exe73⤵PID:4972
-
\??\c:\pjdjd.exec:\pjdjd.exe74⤵PID:4568
-
\??\c:\lxfrfxf.exec:\lxfrfxf.exe75⤵PID:4616
-
\??\c:\llrrlxl.exec:\llrrlxl.exe76⤵PID:1096
-
\??\c:\bbbtnb.exec:\bbbtnb.exe77⤵PID:2988
-
\??\c:\jdvdp.exec:\jdvdp.exe78⤵PID:2060
-
\??\c:\rxxrllx.exec:\rxxrllx.exe79⤵PID:4488
-
\??\c:\nhbnhh.exec:\nhbnhh.exe80⤵PID:2380
-
\??\c:\vvvpv.exec:\vvvpv.exe81⤵PID:2764
-
\??\c:\lfrlfrl.exec:\lfrlfrl.exe82⤵PID:1736
-
\??\c:\bhnhnh.exec:\bhnhnh.exe83⤵PID:4308
-
\??\c:\jjdjj.exec:\jjdjj.exe84⤵PID:756
-
\??\c:\lflfrrr.exec:\lflfrrr.exe85⤵PID:212
-
\??\c:\xrllrrx.exec:\xrllrrx.exe86⤵PID:2056
-
\??\c:\tbbhbb.exec:\tbbhbb.exe87⤵PID:3900
-
\??\c:\bbthbh.exec:\bbthbh.exe88⤵PID:2468
-
\??\c:\vpjpp.exec:\vpjpp.exe89⤵PID:396
-
\??\c:\fxxrlll.exec:\fxxrlll.exe90⤵PID:4740
-
\??\c:\btbtnh.exec:\btbtnh.exe91⤵PID:1400
-
\??\c:\hnttnt.exec:\hnttnt.exe92⤵PID:1600
-
\??\c:\ppjpd.exec:\ppjpd.exe93⤵PID:2132
-
\??\c:\vvjjd.exec:\vvjjd.exe94⤵PID:1296
-
\??\c:\lrxxllf.exec:\lrxxllf.exe95⤵PID:1192
-
\??\c:\hbbtnn.exec:\hbbtnn.exe96⤵PID:4288
-
\??\c:\9tbtnn.exec:\9tbtnn.exe97⤵PID:4520
-
\??\c:\jjvjd.exec:\jjvjd.exe98⤵PID:3152
-
\??\c:\jvdvv.exec:\jvdvv.exe99⤵PID:4596
-
\??\c:\xflfxxr.exec:\xflfxxr.exe100⤵PID:1140
-
\??\c:\thbbtn.exec:\thbbtn.exe101⤵PID:1620
-
\??\c:\nhnhbb.exec:\nhnhbb.exe102⤵PID:2832
-
\??\c:\nnnhbb.exec:\nnnhbb.exe103⤵PID:4948
-
\??\c:\pdppp.exec:\pdppp.exe104⤵PID:1588
-
\??\c:\9lxrlxr.exec:\9lxrlxr.exe105⤵PID:4352
-
\??\c:\xlrrllf.exec:\xlrrllf.exe106⤵PID:3532
-
\??\c:\hbhbbb.exec:\hbhbbb.exe107⤵PID:944
-
\??\c:\tbbbtt.exec:\tbbbtt.exe108⤵PID:3656
-
\??\c:\pvvpj.exec:\pvvpj.exe109⤵PID:3368
-
\??\c:\lllxfxr.exec:\lllxfxr.exe110⤵PID:2484
-
\??\c:\fllrfff.exec:\fllrfff.exe111⤵PID:1968
-
\??\c:\hbntnh.exec:\hbntnh.exe112⤵PID:632
-
\??\c:\bbhthb.exec:\bbhthb.exe113⤵PID:812
-
\??\c:\vpddv.exec:\vpddv.exe114⤵PID:4868
-
\??\c:\vpdvv.exec:\vpdvv.exe115⤵PID:1428
-
\??\c:\lfxllfr.exec:\lfxllfr.exe116⤵PID:2220
-
\??\c:\rfllfff.exec:\rfllfff.exe117⤵PID:4700
-
\??\c:\bttnhh.exec:\bttnhh.exe118⤵PID:4640
-
\??\c:\jddvv.exec:\jddvv.exe119⤵PID:1540
-
\??\c:\jdvdp.exec:\jdvdp.exe120⤵PID:3588
-
\??\c:\fxrrllr.exec:\fxrrllr.exe121⤵PID:3980
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe122⤵PID:2424