Analysis
-
max time kernel
120s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 18:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe
-
Size
78KB
-
MD5
b4aad9e9832c9777edb6794b946cdc80
-
SHA1
04b8f1b1e2c70b55088f0bd231477ddaba65d2f7
-
SHA256
92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50
-
SHA512
b2ebd91dbd872fddf2037c6cffd7ab036624118fab7c8fd757a195155a6703330470f8d72c5a79d2536261eaf9c7afa26d06c062b9ab4e9242f71561935f2af3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb7GTi3ldD56u:ymb3NkkiQ3mdBjFIWYB56u
Malware Config
Signatures
-
Detect Blackmoon payload 30 IoCs
resource yara_rule behavioral2/memory/3148-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3148-9-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4928-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4820-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2652-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1116-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4848-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4848-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4212-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3628-64-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2804-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1884-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4516-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1308-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4052-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3092-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4736-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3648-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1896-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3636-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/512-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4632-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1892-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/384-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4440-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/376-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1976-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/408-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1044-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/884-214-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4928 rlrrffx.exe 4820 hnbhbt.exe 2652 jpvvp.exe 1116 lfxrxxf.exe 4848 btbbtb.exe 4212 dpdjd.exe 3628 xrllrrf.exe 2804 5rxrllx.exe 1884 lllrxfr.exe 4516 hbhhnh.exe 1308 djvpp.exe 4052 nbnhbb.exe 3092 dpvvd.exe 4736 1ffxllf.exe 3648 rxrrxfx.exe 1896 tnnbtt.exe 3636 7pvvp.exe 512 xllfxrl.exe 4632 tttttt.exe 1892 jdppv.exe 216 vddvp.exe 1060 lflfrrr.exe 384 nhttbh.exe 4440 dvpvd.exe 376 xlllfll.exe 4120 xrllfxx.exe 3876 9tnhnn.exe 1976 nbtnhb.exe 408 vpvpj.exe 1044 lfllllx.exe 884 tbbnnh.exe 5036 ddpdd.exe 2884 vdjdv.exe 2368 lxfrlll.exe 428 hbnhnh.exe 4472 djdjd.exe 3036 pjdpd.exe 3108 xfrrflf.exe 608 bhhhhn.exe 1696 pdvvv.exe 3644 dvjpp.exe 2484 fxffxrl.exe 4232 xrlfxff.exe 1812 9hhhbb.exe 1560 ppjjv.exe 3724 llfrlfr.exe 2520 llrxxrl.exe 4116 nhbthb.exe 1520 9dvpp.exe 4664 xxxflll.exe 808 1xxffll.exe 1928 thbbtt.exe 1308 nhnhnn.exe 4052 pddvp.exe 2488 lxlfxxr.exe 1232 nhhhhh.exe 3896 bhnnhh.exe 1952 jdpjd.exe 4696 djddv.exe 932 xrrxlrr.exe 4564 hbbtnn.exe 512 bttnhn.exe 4416 dvpjd.exe 4604 9rxxlrx.exe -
resource yara_rule behavioral2/memory/3148-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3148-9-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4928-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4820-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2652-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1116-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4848-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4848-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4848-39-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4848-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4212-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4212-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4212-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3628-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3628-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3628-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3628-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2804-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1884-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4516-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4516-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4516-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4516-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1308-93-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4052-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3092-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4736-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3648-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1896-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3636-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/512-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4632-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1892-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/384-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4440-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/376-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1976-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/408-201-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1044-207-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/884-214-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrflf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4928 3148 92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe 84 PID 3148 wrote to memory of 4928 3148 92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe 84 PID 3148 wrote to memory of 4928 3148 92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe 84 PID 4928 wrote to memory of 4820 4928 rlrrffx.exe 85 PID 4928 wrote to memory of 4820 4928 rlrrffx.exe 85 PID 4928 wrote to memory of 4820 4928 rlrrffx.exe 85 PID 4820 wrote to memory of 2652 4820 hnbhbt.exe 86 PID 4820 wrote to memory of 2652 4820 hnbhbt.exe 86 PID 4820 wrote to memory of 2652 4820 hnbhbt.exe 86 PID 2652 wrote to memory of 1116 2652 jpvvp.exe 87 PID 2652 wrote to memory of 1116 2652 jpvvp.exe 87 PID 2652 wrote to memory of 1116 2652 jpvvp.exe 87 PID 1116 wrote to memory of 4848 1116 lfxrxxf.exe 88 PID 1116 wrote to memory of 4848 1116 lfxrxxf.exe 88 PID 1116 wrote to memory of 4848 1116 lfxrxxf.exe 88 PID 4848 wrote to memory of 4212 4848 btbbtb.exe 89 PID 4848 wrote to memory of 4212 4848 btbbtb.exe 89 PID 4848 wrote to memory of 4212 4848 btbbtb.exe 89 PID 4212 wrote to memory of 3628 4212 dpdjd.exe 90 PID 4212 wrote to memory of 3628 4212 dpdjd.exe 90 PID 4212 wrote to memory of 3628 4212 dpdjd.exe 90 PID 3628 wrote to memory of 2804 3628 xrllrrf.exe 91 PID 3628 wrote to memory of 2804 3628 xrllrrf.exe 91 PID 3628 wrote to memory of 2804 3628 xrllrrf.exe 91 PID 2804 wrote to memory of 1884 2804 5rxrllx.exe 92 PID 2804 wrote to memory of 1884 2804 5rxrllx.exe 92 PID 2804 wrote to memory of 1884 2804 5rxrllx.exe 92 PID 1884 wrote to memory of 4516 1884 lllrxfr.exe 93 PID 1884 wrote to memory of 4516 1884 lllrxfr.exe 93 PID 1884 wrote to memory of 4516 1884 lllrxfr.exe 93 PID 4516 wrote to memory of 1308 4516 hbhhnh.exe 94 PID 4516 wrote to memory of 1308 4516 hbhhnh.exe 94 PID 4516 wrote to memory of 1308 4516 hbhhnh.exe 94 PID 1308 wrote to memory of 4052 1308 djvpp.exe 95 PID 1308 
wrote to memory of 4052 1308 djvpp.exe 95 PID 1308 wrote to memory of 4052 1308 djvpp.exe 95 PID 4052 wrote to memory of 3092 4052 nbnhbb.exe 96 PID 4052 wrote to memory of 3092 4052 nbnhbb.exe 96 PID 4052 wrote to memory of 3092 4052 nbnhbb.exe 96 PID 3092 wrote to memory of 4736 3092 dpvvd.exe 97 PID 3092 wrote to memory of 4736 3092 dpvvd.exe 97 PID 3092 wrote to memory of 4736 3092 dpvvd.exe 97 PID 4736 wrote to memory of 3648 4736 1ffxllf.exe 99 PID 4736 wrote to memory of 3648 4736 1ffxllf.exe 99 PID 4736 wrote to memory of 3648 4736 1ffxllf.exe 99 PID 3648 wrote to memory of 1896 3648 rxrrxfx.exe 100 PID 3648 wrote to memory of 1896 3648 rxrrxfx.exe 100 PID 3648 wrote to memory of 1896 3648 rxrrxfx.exe 100 PID 1896 wrote to memory of 3636 1896 tnnbtt.exe 101 PID 1896 wrote to memory of 3636 1896 tnnbtt.exe 101 PID 1896 wrote to memory of 3636 1896 tnnbtt.exe 101 PID 3636 wrote to memory of 512 3636 7pvvp.exe 102 PID 3636 wrote to memory of 512 3636 7pvvp.exe 102 PID 3636 wrote to memory of 512 3636 7pvvp.exe 102 PID 512 wrote to memory of 4632 512 xllfxrl.exe 103 PID 512 wrote to memory of 4632 512 xllfxrl.exe 103 PID 512 wrote to memory of 4632 512 xllfxrl.exe 103 PID 4632 wrote to memory of 1892 4632 tttttt.exe 105 PID 4632 wrote to memory of 1892 4632 tttttt.exe 105 PID 4632 wrote to memory of 1892 4632 tttttt.exe 105 PID 1892 wrote to memory of 216 1892 jdppv.exe 106 PID 1892 wrote to memory of 216 1892 jdppv.exe 106 PID 1892 wrote to memory of 216 1892 jdppv.exe 106 PID 216 wrote to memory of 1060 216 vddvp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe"C:\Users\Admin\AppData\Local\Temp\92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\rlrrffx.exec:\rlrrffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\hnbhbt.exec:\hnbhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\jpvvp.exec:\jpvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\btbbtb.exec:\btbbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\dpdjd.exec:\dpdjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\xrllrrf.exec:\xrllrrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\5rxrllx.exec:\5rxrllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\lllrxfr.exec:\lllrxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\hbhhnh.exec:\hbhhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\djvpp.exec:\djvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\nbnhbb.exec:\nbnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\dpvvd.exec:\dpvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\1ffxllf.exec:\1ffxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\rxrrxfx.exec:\rxrrxfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\tnnbtt.exec:\tnnbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\7pvvp.exec:\7pvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\xllfxrl.exec:\xllfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\tttttt.exec:\tttttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\jdppv.exec:\jdppv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\vddvp.exec:\vddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\lflfrrr.exec:\lflfrrr.exe23⤵
- Executes dropped EXE
PID:1060 -
\??\c:\nhttbh.exec:\nhttbh.exe24⤵
- Executes dropped EXE
PID:384 -
\??\c:\dvpvd.exec:\dvpvd.exe25⤵
- Executes dropped EXE
PID:4440 -
\??\c:\xlllfll.exec:\xlllfll.exe26⤵
- Executes dropped EXE
PID:376 -
\??\c:\xrllfxx.exec:\xrllfxx.exe27⤵
- Executes dropped EXE
PID:4120 -
\??\c:\9tnhnn.exec:\9tnhnn.exe28⤵
- Executes dropped EXE
PID:3876 -
\??\c:\nbtnhb.exec:\nbtnhb.exe29⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vpvpj.exec:\vpvpj.exe30⤵
- Executes dropped EXE
PID:408 -
\??\c:\lfllllx.exec:\lfllllx.exe31⤵
- Executes dropped EXE
PID:1044 -
\??\c:\tbbnnh.exec:\tbbnnh.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\ddpdd.exec:\ddpdd.exe33⤵
- Executes dropped EXE
PID:5036 -
\??\c:\vdjdv.exec:\vdjdv.exe34⤵
- Executes dropped EXE
PID:2884 -
\??\c:\lxfrlll.exec:\lxfrlll.exe35⤵
- Executes dropped EXE
PID:2368 -
\??\c:\hbnhnh.exec:\hbnhnh.exe36⤵
- Executes dropped EXE
PID:428 -
\??\c:\djdjd.exec:\djdjd.exe37⤵
- Executes dropped EXE
PID:4472 -
\??\c:\pjdpd.exec:\pjdpd.exe38⤵
- Executes dropped EXE
PID:3036 -
\??\c:\xfrrflf.exec:\xfrrflf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3108 -
\??\c:\bhhhhn.exec:\bhhhhn.exe40⤵
- Executes dropped EXE
PID:608 -
\??\c:\pdvvv.exec:\pdvvv.exe41⤵
- Executes dropped EXE
PID:1696 -
\??\c:\dvjpp.exec:\dvjpp.exe42⤵
- Executes dropped EXE
PID:3644 -
\??\c:\fxffxrl.exec:\fxffxrl.exe43⤵
- Executes dropped EXE
PID:2484 -
\??\c:\xrlfxff.exec:\xrlfxff.exe44⤵
- Executes dropped EXE
PID:4232 -
\??\c:\9hhhbb.exec:\9hhhbb.exe45⤵
- Executes dropped EXE
PID:1812 -
\??\c:\ppjjv.exec:\ppjjv.exe46⤵
- Executes dropped EXE
PID:1560 -
\??\c:\llfrlfr.exec:\llfrlfr.exe47⤵
- Executes dropped EXE
PID:3724 -
\??\c:\llrxxrl.exec:\llrxxrl.exe48⤵
- Executes dropped EXE
PID:2520 -
\??\c:\nhbthb.exec:\nhbthb.exe49⤵
- Executes dropped EXE
PID:4116 -
\??\c:\9dvpp.exec:\9dvpp.exe50⤵
- Executes dropped EXE
PID:1520 -
\??\c:\xxxflll.exec:\xxxflll.exe51⤵
- Executes dropped EXE
PID:4664 -
\??\c:\1xxffll.exec:\1xxffll.exe52⤵
- Executes dropped EXE
PID:808 -
\??\c:\thbbtt.exec:\thbbtt.exe53⤵
- Executes dropped EXE
PID:1928 -
\??\c:\nhnhnn.exec:\nhnhnn.exe54⤵
- Executes dropped EXE
PID:1308 -
\??\c:\pddvp.exec:\pddvp.exe55⤵
- Executes dropped EXE
PID:4052 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe56⤵
- Executes dropped EXE
PID:2488 -
\??\c:\nhhhhh.exec:\nhhhhh.exe57⤵
- Executes dropped EXE
PID:1232 -
\??\c:\bhnnhh.exec:\bhnnhh.exe58⤵
- Executes dropped EXE
PID:3896 -
\??\c:\jdpjd.exec:\jdpjd.exe59⤵
- Executes dropped EXE
PID:1952 -
\??\c:\djddv.exec:\djddv.exe60⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xrrxlrr.exec:\xrrxlrr.exe61⤵
- Executes dropped EXE
PID:932 -
\??\c:\hbbtnn.exec:\hbbtnn.exe62⤵
- Executes dropped EXE
PID:4564 -
\??\c:\bttnhn.exec:\bttnhn.exe63⤵
- Executes dropped EXE
PID:512 -
\??\c:\dvpjd.exec:\dvpjd.exe64⤵
- Executes dropped EXE
PID:4416 -
\??\c:\9rxxlrx.exec:\9rxxlrx.exe65⤵
- Executes dropped EXE
PID:4604 -
\??\c:\tnhbnh.exec:\tnhbnh.exe66⤵PID:4992
-
\??\c:\bbhbtn.exec:\bbhbtn.exe67⤵PID:3060
-
\??\c:\dpvvj.exec:\dpvvj.exe68⤵PID:2232
-
\??\c:\djvdp.exec:\djvdp.exe69⤵PID:3952
-
\??\c:\lllffrx.exec:\lllffrx.exe70⤵PID:3520
-
\??\c:\nnbnhn.exec:\nnbnhn.exe71⤵PID:4488
-
\??\c:\bthhhh.exec:\bthhhh.exe72⤵PID:4120
-
\??\c:\vddvp.exec:\vddvp.exe73⤵PID:764
-
\??\c:\djvvj.exec:\djvvj.exe74⤵PID:3872
-
\??\c:\1lrfrrf.exec:\1lrfrrf.exe75⤵PID:2780
-
\??\c:\tthnbh.exec:\tthnbh.exe76⤵PID:1332
-
\??\c:\7nnttt.exec:\7nnttt.exe77⤵PID:3548
-
\??\c:\jdjjj.exec:\jdjjj.exe78⤵PID:1432
-
\??\c:\xxllfff.exec:\xxllfff.exe79⤵PID:364
-
\??\c:\3xxrrrl.exec:\3xxrrrl.exe80⤵PID:3792
-
\??\c:\5thnhh.exec:\5thnhh.exe81⤵PID:2328
-
\??\c:\1ddvj.exec:\1ddvj.exe82⤵PID:2100
-
\??\c:\flflllx.exec:\flflllx.exe83⤵
- System Location Discovery: System Language Discovery
PID:4912 -
\??\c:\nntnhn.exec:\nntnhn.exe84⤵PID:1700
-
\??\c:\vpdvv.exec:\vpdvv.exe85⤵PID:2104
-
\??\c:\5fxlfxr.exec:\5fxlfxr.exe86⤵PID:4100
-
\??\c:\rrllfff.exec:\rrllfff.exe87⤵PID:1008
-
\??\c:\hhnnht.exec:\hhnnht.exe88⤵PID:4820
-
\??\c:\jvppv.exec:\jvppv.exe89⤵PID:1364
-
\??\c:\flllxxr.exec:\flllxxr.exe90⤵PID:3960
-
\??\c:\5lfxflr.exec:\5lfxflr.exe91⤵PID:1280
-
\??\c:\jppvd.exec:\jppvd.exe92⤵PID:2704
-
\??\c:\pjdvj.exec:\pjdvj.exe93⤵PID:4620
-
\??\c:\lxffrrr.exec:\lxffrrr.exe94⤵PID:3796
-
\??\c:\1nhhhn.exec:\1nhhhn.exe95⤵PID:4812
-
\??\c:\pppjj.exec:\pppjj.exe96⤵PID:1884
-
\??\c:\1frffxx.exec:\1frffxx.exe97⤵PID:3816
-
\??\c:\tthntb.exec:\tthntb.exe98⤵PID:3660
-
\??\c:\htttbt.exec:\htttbt.exe99⤵PID:3964
-
\??\c:\jdpjv.exec:\jdpjv.exe100⤵PID:4328
-
\??\c:\xrxfxff.exec:\xrxfxff.exe101⤵PID:3092
-
\??\c:\7tnnnn.exec:\7tnnnn.exe102⤵PID:5108
-
\??\c:\jvvpv.exec:\jvvpv.exe103⤵PID:3020
-
\??\c:\pddvv.exec:\pddvv.exe104⤵PID:2152
-
\??\c:\llxxrrl.exec:\llxxrrl.exe105⤵PID:3064
-
\??\c:\nhtttt.exec:\nhtttt.exe106⤵PID:2556
-
\??\c:\vvvpj.exec:\vvvpj.exe107⤵PID:5080
-
\??\c:\lxffxrl.exec:\lxffxrl.exe108⤵
- System Location Discovery: System Language Discovery
PID:3968 -
\??\c:\nttbtt.exec:\nttbtt.exe109⤵PID:2872
-
\??\c:\jdpjp.exec:\jdpjp.exe110⤵PID:4604
-
\??\c:\flffxxr.exec:\flffxxr.exe111⤵PID:4992
-
\??\c:\thnnnn.exec:\thnnnn.exe112⤵PID:1516
-
\??\c:\nbhhhh.exec:\nbhhhh.exe113⤵
- System Location Discovery: System Language Discovery
PID:4452 -
\??\c:\djpjd.exec:\djpjd.exe114⤵PID:1256
-
\??\c:\rrffxxr.exec:\rrffxxr.exe115⤵PID:1068
-
\??\c:\3tbbtb.exec:\3tbbtb.exe116⤵PID:2508
-
\??\c:\9nbthh.exec:\9nbthh.exe117⤵PID:3084
-
\??\c:\thhnbn.exec:\thhnbn.exe118⤵PID:3260
-
\??\c:\jdjdd.exec:\jdjdd.exe119⤵PID:3872
-
\??\c:\pjdvp.exec:\pjdvp.exe120⤵PID:508
-
\??\c:\lrlxfxr.exec:\lrlxfxr.exe121⤵PID:5048
-
\??\c:\tbbtnn.exec:\tbbtnn.exe122⤵PID:2180