Analysis
-
max time kernel
117s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 18:09
Static task
static1
Behavioral task
behavioral1
Sample
6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe
Resource
win7-20241010-en
General
-
Target
6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe
-
Size
94KB
-
MD5
5e62e687bff8b221a7bc9ce25c44af40
-
SHA1
782b3c99c29b1733532838e1a00c4fba6e1820da
-
SHA256
6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342
-
SHA512
9fedd851cc944e88a5caa8bbf7ff609569a2a4e17f2fc7142ce21593b8287070ef9c1b506e9b8f83e63459d1ab84606552eddb97e5216435db6543a94be364a8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo7xCkTsIwtOa2dY36i9XFhiKjVZ:ymb3NkkiQ3mdBjFo7LAIb+FbI+TN
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
resource yara_rule behavioral2/memory/1924-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4028-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3264-44-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2916-36-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/984-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2916-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2876-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1788-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1764-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3596-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4452-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4380-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/924-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4868-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2628-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1392-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3448-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1696-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4556-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4448-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1988-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4396-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2140-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2908-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3368-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3252-213-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3496 bhhbth.exe 4028 dppjj.exe 984 rxlfxxr.exe 2916 nhhnhh.exe 3264 9hhbnn.exe 1764 pjpjj.exe 2876 3tbthh.exe 1788 lrffrrl.exe 3596 rrxrlff.exe 4452 tbbttt.exe 4380 xlxrrrr.exe 924 3bhbhh.exe 4868 bbhbnt.exe 2628 pvdpj.exe 4668 xxlfrrf.exe 1492 hbhnhb.exe 1392 jdddd.exe 3448 pvdjp.exe 1060 xrxrllf.exe 1696 nntnhh.exe 2256 pvjdd.exe 4556 xxrlrxx.exe 916 9xffxxl.exe 4448 bnnhbb.exe 1988 vddvj.exe 4396 rlrlfrr.exe 2140 htbttb.exe 1228 dvvvv.exe 2908 llffxxf.exe 3368 hhhhtt.exe 3252 nttnbt.exe 3420 pvdvp.exe 2900 xllfxrl.exe 3892 tbhnnt.exe 4872 3jjjd.exe 4952 vpdpp.exe 3896 lfllfxr.exe 4276 7thbbb.exe 756 bbtnhh.exe 4424 pddvp.exe 184 xxlxrrf.exe 1644 bnhbtn.exe 4068 nhbnhh.exe 4028 vvjjj.exe 3492 lffxrlf.exe 4348 xrfxxxx.exe 1288 bnhtnn.exe 2400 pdvdv.exe 1192 jddjv.exe 3656 frxlfrl.exe 5108 ntbthb.exe 1588 vpdjp.exe 64 llfxrrl.exe 400 hhnhhb.exe 3020 dvdvd.exe 2172 djjpd.exe 2376 rlfxrrl.exe 932 hthhhn.exe 1400 pjppp.exe 1672 7rffflr.exe 3424 nhnhbb.exe 4720 hbthbt.exe 4828 pdjdj.exe 1832 xfflrxr.exe -
resource yara_rule behavioral2/memory/1924-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3496-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3496-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4028-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4028-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3264-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2916-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2916-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2916-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/984-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4028-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1764-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1764-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2916-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4028-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2876-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2876-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1788-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1764-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3596-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4452-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4452-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4452-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4380-94-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/924-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4868-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2628-112-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1392-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3448-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1696-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4556-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4448-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1988-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4396-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2140-190-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2908-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3368-208-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3252-213-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 3496 1924 6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe 84 PID 1924 wrote to memory of 3496 1924 6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe 84 PID 1924 wrote to memory of 3496 1924 6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe 84 PID 3496 wrote to memory of 4028 3496 bhhbth.exe 85 PID 3496 wrote to memory of 4028 3496 bhhbth.exe 85 PID 3496 wrote to memory of 4028 3496 bhhbth.exe 85 PID 4028 wrote to memory of 984 4028 dppjj.exe 86 PID 4028 wrote to memory of 984 4028 dppjj.exe 86 PID 4028 wrote to memory of 984 4028 dppjj.exe 86 PID 984 wrote to memory of 2916 984 rxlfxxr.exe 87 PID 984 wrote to memory of 2916 984 rxlfxxr.exe 87 PID 984 wrote to memory of 2916 984 rxlfxxr.exe 87 PID 2916 wrote to memory of 3264 2916 nhhnhh.exe 88 PID 2916 wrote to memory of 3264 2916 nhhnhh.exe 88 PID 2916 wrote to memory of 3264 2916 nhhnhh.exe 88 PID 3264 wrote to memory of 1764 3264 9hhbnn.exe 89 PID 3264 wrote to memory of 1764 3264 9hhbnn.exe 89 PID 3264 wrote to memory of 1764 3264 9hhbnn.exe 89 PID 1764 wrote to memory of 2876 1764 pjpjj.exe 90 PID 1764 wrote to memory of 2876 1764 pjpjj.exe 90 PID 1764 wrote to memory of 2876 1764 pjpjj.exe 90 PID 2876 wrote to memory of 1788 2876 3tbthh.exe 91 PID 2876 wrote to memory of 1788 2876 3tbthh.exe 91 PID 2876 wrote to memory of 1788 2876 3tbthh.exe 91 PID 1788 wrote to memory of 3596 1788 lrffrrl.exe 92 PID 1788 wrote to memory of 3596 1788 lrffrrl.exe 92 PID 1788 wrote to memory of 3596 1788 lrffrrl.exe 92 PID 3596 wrote to memory of 4452 3596 rrxrlff.exe 93 PID 3596 wrote to memory of 4452 3596 rrxrlff.exe 93 PID 3596 wrote to memory of 4452 3596 rrxrlff.exe 93 PID 4452 wrote to memory of 4380 4452 tbbttt.exe 94 PID 4452 wrote to memory of 4380 4452 tbbttt.exe 94 PID 4452 wrote to memory of 4380 4452 tbbttt.exe 94 PID 4380 wrote to memory of 924 4380 xlxrrrr.exe 95 PID 4380 wrote to 
memory of 924 4380 xlxrrrr.exe 95 PID 4380 wrote to memory of 924 4380 xlxrrrr.exe 95 PID 924 wrote to memory of 4868 924 3bhbhh.exe 96 PID 924 wrote to memory of 4868 924 3bhbhh.exe 96 PID 924 wrote to memory of 4868 924 3bhbhh.exe 96 PID 4868 wrote to memory of 2628 4868 bbhbnt.exe 97 PID 4868 wrote to memory of 2628 4868 bbhbnt.exe 97 PID 4868 wrote to memory of 2628 4868 bbhbnt.exe 97 PID 2628 wrote to memory of 4668 2628 pvdpj.exe 98 PID 2628 wrote to memory of 4668 2628 pvdpj.exe 98 PID 2628 wrote to memory of 4668 2628 pvdpj.exe 98 PID 4668 wrote to memory of 1492 4668 xxlfrrf.exe 99 PID 4668 wrote to memory of 1492 4668 xxlfrrf.exe 99 PID 4668 wrote to memory of 1492 4668 xxlfrrf.exe 99 PID 1492 wrote to memory of 1392 1492 hbhnhb.exe 100 PID 1492 wrote to memory of 1392 1492 hbhnhb.exe 100 PID 1492 wrote to memory of 1392 1492 hbhnhb.exe 100 PID 1392 wrote to memory of 3448 1392 jdddd.exe 101 PID 1392 wrote to memory of 3448 1392 jdddd.exe 101 PID 1392 wrote to memory of 3448 1392 jdddd.exe 101 PID 3448 wrote to memory of 1060 3448 pvdjp.exe 102 PID 3448 wrote to memory of 1060 3448 pvdjp.exe 102 PID 3448 wrote to memory of 1060 3448 pvdjp.exe 102 PID 1060 wrote to memory of 1696 1060 xrxrllf.exe 103 PID 1060 wrote to memory of 1696 1060 xrxrllf.exe 103 PID 1060 wrote to memory of 1696 1060 xrxrllf.exe 103 PID 1696 wrote to memory of 2256 1696 nntnhh.exe 104 PID 1696 wrote to memory of 2256 1696 nntnhh.exe 104 PID 1696 wrote to memory of 2256 1696 nntnhh.exe 104 PID 2256 wrote to memory of 4556 2256 pvjdd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe"C:\Users\Admin\AppData\Local\Temp\6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\bhhbth.exec:\bhhbth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\dppjj.exec:\dppjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\nhhnhh.exec:\nhhnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\9hhbnn.exec:\9hhbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\pjpjj.exec:\pjpjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\3tbthh.exec:\3tbthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\lrffrrl.exec:\lrffrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\rrxrlff.exec:\rrxrlff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\tbbttt.exec:\tbbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\3bhbhh.exec:\3bhbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\bbhbnt.exec:\bbhbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\pvdpj.exec:\pvdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\xxlfrrf.exec:\xxlfrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\hbhnhb.exec:\hbhnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\jdddd.exec:\jdddd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\pvdjp.exec:\pvdjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\xrxrllf.exec:\xrxrllf.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\nntnhh.exec:\nntnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\pvjdd.exec:\pvjdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\xxrlrxx.exec:\xxrlrxx.exe23⤵
- Executes dropped EXE
PID:4556 -
\??\c:\9xffxxl.exec:\9xffxxl.exe24⤵
- Executes dropped EXE
PID:916 -
\??\c:\bnnhbb.exec:\bnnhbb.exe25⤵
- Executes dropped EXE
PID:4448 -
\??\c:\vddvj.exec:\vddvj.exe26⤵
- Executes dropped EXE
PID:1988 -
\??\c:\rlrlfrr.exec:\rlrlfrr.exe27⤵
- Executes dropped EXE
PID:4396 -
\??\c:\htbttb.exec:\htbttb.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140 -
\??\c:\dvvvv.exec:\dvvvv.exe29⤵
- Executes dropped EXE
PID:1228 -
\??\c:\llffxxf.exec:\llffxxf.exe30⤵
- Executes dropped EXE
PID:2908 -
\??\c:\hhhhtt.exec:\hhhhtt.exe31⤵
- Executes dropped EXE
PID:3368 -
\??\c:\nttnbt.exec:\nttnbt.exe32⤵
- Executes dropped EXE
PID:3252 -
\??\c:\pvdvp.exec:\pvdvp.exe33⤵
- Executes dropped EXE
PID:3420 -
\??\c:\xllfxrl.exec:\xllfxrl.exe34⤵
- Executes dropped EXE
PID:2900 -
\??\c:\tbhnnt.exec:\tbhnnt.exe35⤵
- Executes dropped EXE
PID:3892 -
\??\c:\3jjjd.exec:\3jjjd.exe36⤵
- Executes dropped EXE
PID:4872 -
\??\c:\vpdpp.exec:\vpdpp.exe37⤵
- Executes dropped EXE
PID:4952 -
\??\c:\lfllfxr.exec:\lfllfxr.exe38⤵
- Executes dropped EXE
PID:3896 -
\??\c:\7thbbb.exec:\7thbbb.exe39⤵
- Executes dropped EXE
PID:4276 -
\??\c:\bbtnhh.exec:\bbtnhh.exe40⤵
- Executes dropped EXE
PID:756 -
\??\c:\pddvp.exec:\pddvp.exe41⤵
- Executes dropped EXE
PID:4424 -
\??\c:\xxlxrrf.exec:\xxlxrrf.exe42⤵
- Executes dropped EXE
PID:184 -
\??\c:\bnhbtn.exec:\bnhbtn.exe43⤵
- Executes dropped EXE
PID:1644 -
\??\c:\nhbnhh.exec:\nhbnhh.exe44⤵
- Executes dropped EXE
PID:4068 -
\??\c:\vvjjj.exec:\vvjjj.exe45⤵
- Executes dropped EXE
PID:4028 -
\??\c:\lffxrlf.exec:\lffxrlf.exe46⤵
- Executes dropped EXE
PID:3492 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe47⤵
- Executes dropped EXE
PID:4348 -
\??\c:\bnhtnn.exec:\bnhtnn.exe48⤵
- Executes dropped EXE
PID:1288 -
\??\c:\pdvdv.exec:\pdvdv.exe49⤵
- Executes dropped EXE
PID:2400 -
\??\c:\jddjv.exec:\jddjv.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1192 -
\??\c:\frxlfrl.exec:\frxlfrl.exe51⤵
- Executes dropped EXE
PID:3656 -
\??\c:\ntbthb.exec:\ntbthb.exe52⤵
- Executes dropped EXE
PID:5108 -
\??\c:\vpdjp.exec:\vpdjp.exe53⤵
- Executes dropped EXE
PID:1588 -
\??\c:\llfxrrl.exec:\llfxrrl.exe54⤵
- Executes dropped EXE
PID:64 -
\??\c:\hhnhhb.exec:\hhnhhb.exe55⤵
- Executes dropped EXE
PID:400 -
\??\c:\dvdvd.exec:\dvdvd.exe56⤵
- Executes dropped EXE
PID:3020 -
\??\c:\djjpd.exec:\djjpd.exe57⤵
- Executes dropped EXE
PID:2172 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe58⤵
- Executes dropped EXE
PID:2376 -
\??\c:\hthhhn.exec:\hthhhn.exe59⤵
- Executes dropped EXE
PID:932 -
\??\c:\pjppp.exec:\pjppp.exe60⤵
- Executes dropped EXE
PID:1400 -
\??\c:\7rffflr.exec:\7rffflr.exe61⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nhnhbb.exec:\nhnhbb.exe62⤵
- Executes dropped EXE
PID:3424 -
\??\c:\hbthbt.exec:\hbthbt.exe63⤵
- Executes dropped EXE
PID:4720 -
\??\c:\pdjdj.exec:\pdjdj.exe64⤵
- Executes dropped EXE
PID:4828 -
\??\c:\xfflrxr.exec:\xfflrxr.exe65⤵
- Executes dropped EXE
PID:1832 -
\??\c:\hthbbt.exec:\hthbbt.exe66⤵PID:3680
-
\??\c:\xrxrrll.exec:\xrxrrll.exe67⤵PID:3668
-
\??\c:\frlrrrl.exec:\frlrrrl.exe68⤵PID:460
-
\??\c:\tnbbhb.exec:\tnbbhb.exe69⤵PID:1528
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe70⤵PID:2684
-
\??\c:\hnhbth.exec:\hnhbth.exe71⤵PID:1312
-
\??\c:\pddjj.exec:\pddjj.exe72⤵PID:2216
-
\??\c:\rlrlffx.exec:\rlrlffx.exe73⤵PID:1140
-
\??\c:\rllfffx.exec:\rllfffx.exe74⤵PID:4704
-
\??\c:\bnntth.exec:\bnntth.exe75⤵PID:2432
-
\??\c:\jvjjv.exec:\jvjjv.exe76⤵PID:4576
-
\??\c:\djvjd.exec:\djvjd.exe77⤵PID:2700
-
\??\c:\9xxxrrl.exec:\9xxxrrl.exe78⤵PID:5112
-
\??\c:\1tttnn.exec:\1tttnn.exe79⤵PID:3300
-
\??\c:\jvdvd.exec:\jvdvd.exe80⤵PID:4876
-
\??\c:\dvpvp.exec:\dvpvp.exe81⤵PID:1584
-
\??\c:\lxxrffx.exec:\lxxrffx.exe82⤵PID:868
-
\??\c:\lxrlfrl.exec:\lxrlfrl.exe83⤵PID:3296
-
\??\c:\5bnhbh.exec:\5bnhbh.exe84⤵PID:2404
-
\??\c:\3jjdp.exec:\3jjdp.exe85⤵PID:3896
-
\??\c:\jddpj.exec:\jddpj.exe86⤵PID:3624
-
\??\c:\nnhhbb.exec:\nnhhbb.exe87⤵PID:4552
-
\??\c:\5dpvp.exec:\5dpvp.exe88⤵PID:1496
-
\??\c:\vvdvp.exec:\vvdvp.exe89⤵PID:1644
-
\??\c:\fxllrrx.exec:\fxllrrx.exe90⤵PID:4416
-
\??\c:\ddddv.exec:\ddddv.exe91⤵PID:4812
-
\??\c:\lfxlffx.exec:\lfxlffx.exe92⤵PID:3492
-
\??\c:\tnntbb.exec:\tnntbb.exe93⤵PID:4324
-
\??\c:\nntttt.exec:\nntttt.exe94⤵PID:4348
-
\??\c:\pjjjd.exec:\pjjjd.exe95⤵PID:4456
-
\??\c:\vdpdp.exec:\vdpdp.exe96⤵PID:4740
-
\??\c:\xxfxllf.exec:\xxfxllf.exe97⤵PID:4212
-
\??\c:\bthhhb.exec:\bthhhb.exe98⤵PID:4988
-
\??\c:\7jddv.exec:\7jddv.exe99⤵PID:652
-
\??\c:\frxxrll.exec:\frxxrll.exe100⤵PID:628
-
\??\c:\htbtnn.exec:\htbtnn.exe101⤵PID:3580
-
\??\c:\pvdpp.exec:\pvdpp.exe102⤵PID:1904
-
\??\c:\dpppp.exec:\dpppp.exe103⤵PID:3956
-
\??\c:\rxfxxfl.exec:\rxfxxfl.exe104⤵PID:3804
-
\??\c:\thhhhn.exec:\thhhhn.exe105⤵PID:540
-
\??\c:\tnnhnn.exec:\tnnhnn.exe106⤵PID:744
-
\??\c:\pjjdp.exec:\pjjdp.exe107⤵PID:4216
-
\??\c:\pjjdd.exec:\pjjdd.exe108⤵PID:3056
-
\??\c:\lfrllfx.exec:\lfrllfx.exe109⤵PID:4496
-
\??\c:\3rrrrrr.exec:\3rrrrrr.exe110⤵PID:888
-
\??\c:\7bnnhn.exec:\7bnnhn.exe111⤵PID:4756
-
\??\c:\jjvdj.exec:\jjvdj.exe112⤵PID:5080
-
\??\c:\lxxrllf.exec:\lxxrllf.exe113⤵PID:3144
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe114⤵PID:5024
-
\??\c:\5httnh.exec:\5httnh.exe115⤵PID:4196
-
\??\c:\djjdp.exec:\djjdp.exe116⤵PID:2732
-
\??\c:\pjpjv.exec:\pjpjv.exe117⤵PID:2820
-
\??\c:\xrrlxxl.exec:\xrrlxxl.exe118⤵PID:1544
-
\??\c:\flrlffx.exec:\flrlffx.exe119⤵PID:3112
-
\??\c:\3bbthb.exec:\3bbthb.exe120⤵PID:2944
-
\??\c:\thtnbn.exec:\thtnbn.exe121⤵PID:3760
-
\??\c:\pvdvj.exec:\pvdvj.exe122⤵PID:3832