Analysis

max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2024 23:22
Static task: static1
Behavioral task: behavioral1
Sample: 19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe
Resource: win7-20240903-en

General

Target: 19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe
Size: 80KB
MD5: fae884d54b6c38c0d57dc88865341d30
SHA1: 683898c19fc504d2ab4a366e0e4d98bac3294ef1
SHA256: 19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408
SHA512: f8025ae2742d306932f214cece809586dd2d9c4c0cbad9d3eb399ffc7d9b567cec510965c8bf8fd3ad5045da0b885e301a358fd2fea853dd51a603068ed850cb
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JxJX:ymb3NkkiQ3mdBjFIWeFGyAsJX
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload 25 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2232-4-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2716-14-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2692-36-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2820-32-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2600-47-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2576-57-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/1632-67-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/3036-86-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2524-96-0x0000000000401000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2524-89-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2124-106-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2376-124-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2664-132-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2240-142-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2416-160-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/604-178-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/1812-196-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/1660-214-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/540-222-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/1736-240-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/1244-258-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/1948-285-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2440-294-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2716-303-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2524-383-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon

Every hit is the same 0x29000-byte region at the default image base 0x400000 (the one exception, dump 2524-96, is the 0x401000-0x427000 sub-range of it). That is roughly twice the 80KB the file occupies on disk, which is consistent with a packed image being inflated in place; the upx rule below matches the same regions. The widely separated dump indexes for PID 2716 (14 and 303) and PID 2524 (89/96 and 383) are not one long-lived process: the process tree shows both PIDs recycled for later links in the chain (2716 at depths 2, 32 and 190; 2524 at depths 9, 43 and 123).
Executes dropped EXE 64 IoCs
Processes:
pid  process
2716  jddvj.exe
2820  5ddjv.exe
2692  xrxxflf.exe
2600  9djvv.exe
2576  xrfxxrf.exe
1632  hbhhbb.exe
3036  vdpdj.exe
2524  xflxfff.exe
2124  hnnnbt.exe
2976  7vdjp.exe
2376  fllxfxf.exe
2664  7ntnhn.exe
2240  vjjdj.exe
2752  xrxxrff.exe
2416  xxflxlr.exe
692  jjvdp.exe
604  vpjvj.exe
1996  rxrxfxf.exe
1812  nnhthn.exe
2264  pvdvd.exe
1660  jdvpv.exe
540  ffrxrxl.exe
1672  hbthnb.exe
1736  flfrlxr.exe
2860  lxlflll.exe
1244  nbnbbt.exe
2492  9jjdj.exe
2080  fllffxx.exe
1948  hnbhth.exe
2440  tnbhnh.exe
2716  dvddj.exe
2776  xfxxrxx.exe
2708  tnhbnb.exe
2396  bbtbhn.exe
2008  1vpvv.exe
2920  xlfxfxx.exe
3052  xxrrffx.exe
2652  thbthb.exe
2212  djjvd.exe
1580  jpdvj.exe
2540  xlxxfff.exe
2524  lflrrlx.exe
2452  nbhtbt.exe
2968  1tnbbh.exe
1716  9ddvv.exe
2876  5lffxxl.exe
2896  rrfrfrf.exe
2280  hhbnbh.exe
1968  7nhhtt.exe
568  pvdpp.exe
796  vvvpj.exe
592  9frlfrr.exe
2208  nhtbhb.exe
1928  bhnhnn.exe
2292  ppvvd.exe
2152  lrlffxl.exe
1364  3rfxfxl.exe
2060  tthhht.exe
1660  jdpdd.exe
540  dpjjv.exe
2024  fflffll.exe
1104  llrfrxf.exe
1944  bnnbbn.exe
536  ddvjp.exe
UPX-packed image (yara rule: upx) 28 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2232-4-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2716-14-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2820-25-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2692-36-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2820-32-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2820-23-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2600-47-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2576-57-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/1632-67-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/3036-77-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/3036-76-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/3036-86-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2524-89-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2124-106-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2376-124-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2664-132-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2240-142-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2416-160-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/604-178-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/1812-196-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/1660-214-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/540-222-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/1736-240-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/1244-258-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/1948-285-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2440-294-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2716-303-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2524-383-0x0000000000400000-0x0000000000429000-memory.dmp  upx
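The two yara tables above list one memory dump per hit, run together into a single string. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses that row format, groups hits by rule and memory region, checks the matched region against the 80KB on-disk size from the General section, and lists PIDs that carry more than one dump index. The rows in SAMPLE are copied from this report's Blackmoon and upx tables as constructed input; DISK_SIZE assumes the reported 80KB is exactly 81920 bytes.

```python
"""Parse memory-dump IoC rows from a Triage-style behavioural report.

Added example; not part of the sandbox report or of the sandbox's own tooling.
SAMPLE is constructed input copied from this report's yara tables.
"""
import re
from collections import defaultdict

# "80KB" from the General section; assumed to be exactly 80 * 1024 bytes.
DISK_SIZE = 80 * 1024

# behavioral1/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)"
)

SAMPLE = """
behavioral1/memory/2232-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2716-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2524-96-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2524-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2716-303-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2232-4-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2820-25-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2820-23-0x0000000000400000-0x0000000000429000-memory.dmp upx
"""


def parse_hits(text):
    """Return one dict per row: pid, seq (dump index), start, end, rule."""
    return [
        {"pid": int(pid), "seq": int(seq), "start": int(s, 16), "end": int(e, 16), "rule": rule}
        for pid, seq, s, e, rule in HIT_RE.findall(text)
    ]


def regions_by_rule(hits):
    """Map rule -> {(start, end): set of PIDs}, so identical regions across processes stand out."""
    out = defaultdict(lambda: defaultdict(set))
    for h in hits:
        out[h["rule"]][(h["start"], h["end"])].add(h["pid"])
    return {rule: dict(regs) for rule, regs in out.items()}


def unpacked_in_memory(hits, disk_size=DISK_SIZE):
    """True when a rule matched a region at the default image base that is wider than the file on disk.

    An image that is larger in memory than the PE on disk is consistent with a packer
    (the 'upx' rule here) inflating it in place; the family rule then fires on the result.
    """
    return any(h["start"] == 0x400000 and h["end"] - h["start"] > disk_size for h in hits)


def pids_with_multiple_dumps(hits):
    """PIDs that appear with more than one dump index under the same rule.

    This is only a hint: the same process may simply have been dumped twice
    (2820 has dumps 23 and 25), or the PID may have been recycled by a later
    process in the chain (2716 has dumps 14 and 303). The process tree decides.
    """
    seen = defaultdict(set)
    for h in hits:
        seen[(h["rule"], h["pid"])].add(h["seq"])
    return sorted({pid for (_rule, pid), seqs in seen.items() if len(seqs) > 1})


if __name__ == "__main__":
    hits = parse_hits(SAMPLE)
    for rule, regs in regions_by_rule(hits).items():
        for (s, e), pids in regs.items():
            print(f"{rule:16} 0x{s:x}-0x{e:x} ({e - s:#x} bytes) pids={sorted(pids)}")
    print("larger in memory than on disk:", unpacked_in_memory(hits))
    print("pids with several dumps:", pids_with_multiple_dumps(hits))
```

The region check is deliberately tied to the 0x400000 image base: a large matched region elsewhere (a heap buffer, an injected section in another process) tells a different story and should be reported separately rather than folded into the unpacking heuristic.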
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (64 identical rows; the process column is populated for jvpvj.exe, jdvpv.exe, hhttnt.exe, xlxrrll.exe, bttbtb.exe, djvvp.exe, lflxlxr.exe and rfllfrx.exe)

The Language key under NLS is the store behind the ordinary system-locale APIs, so a process opening it is a weak signal on its own; it is worth noting here only because the same processes are already flagged by the family rule.
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each parent makes four writes into the child it spawns, so the 64 rows collapse to the 16 parent/child pairs below.

pid  process  target pid  target process  writes
2232  19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe  2716  jddvj.exe  4
2716  jddvj.exe  2820  5ddjv.exe  4
2820  5ddjv.exe  2692  xrxxflf.exe  4
2692  xrxxflf.exe  2600  9djvv.exe  4
2600  9djvv.exe  2576  xrfxxrf.exe  4
2576  xrfxxrf.exe  1632  hbhhbb.exe  4
1632  hbhhbb.exe  3036  vdpdj.exe  4
3036  vdpdj.exe  2524  xflxfff.exe  4
2524  xflxfff.exe  2124  hnnnbt.exe  4
2124  hnnnbt.exe  2976  7vdjp.exe  4
2976  7vdjp.exe  2376  fllxfxf.exe  4
2376  fllxfxf.exe  2664  7ntnhn.exe  4
2664  7ntnhn.exe  2240  vjjdj.exe  4
2240  vjjdj.exe  2752  xrxxrff.exe  4
2752  xrxxrff.exe  2416  xxflxlr.exe  4
2416  xxflxlr.exe  692  jjvdp.exe  4
Processes

Every dropped executable is written to the root of the system drive and started with its bare path as the command line (image \??\c:\jddvj.exe, command line c:\jddvj.exe); only the submitted sample runs from the Temp directory. Each node is the child of the node one level above it. Signature abbreviations: EDE = Executes dropped EXE, WPM = Suspicious use of WriteProcessMemory, SLD = System Location Discovery: System Language Discovery.

Note: the tree shown ends at depth 242 without a terminal node, and jvpvj.exe, xlxrrll.exe, bttbtb.exe, lflxlxr.exe and rfllfrx.exe, to which the System Language Discovery table attributes key reads, are not among these 242 nodes, so the rendered tree is a prefix of the full chain. PIDs are recycled within the run (for example 2716 at depths 2, 32 and 190; 2524 at depths 9, 43 and 123; 540 at 23 and 61; 1660 at 22 and 60), so a PID identifies a node only together with its depth.

depth  image  PID  signatures
1  C:\Users\Admin\AppData\Local\Temp\19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe  PID 2232  WPM
2  \??\c:\jddvj.exe  PID 2716  EDE, WPM
3  \??\c:\5ddjv.exe  PID 2820  EDE, WPM
4  \??\c:\xrxxflf.exe  PID 2692  EDE, WPM
5  \??\c:\9djvv.exe  PID 2600  EDE, WPM
6  \??\c:\xrfxxrf.exe  PID 2576  EDE, WPM
7  \??\c:\hbhhbb.exe  PID 1632  EDE, WPM
8  \??\c:\vdpdj.exe  PID 3036  EDE, WPM
9  \??\c:\xflxfff.exe  PID 2524  EDE, WPM
10  \??\c:\hnnnbt.exe  PID 2124  EDE, WPM
11  \??\c:\7vdjp.exe  PID 2976  EDE, WPM
12  \??\c:\fllxfxf.exe  PID 2376  EDE, WPM
13  \??\c:\7ntnhn.exe  PID 2664  EDE, WPM
14  \??\c:\vjjdj.exe  PID 2240  EDE, WPM
15  \??\c:\xrxxrff.exe  PID 2752  EDE, WPM
16  \??\c:\xxflxlr.exe  PID 2416  EDE, WPM
17  \??\c:\jjvdp.exe  PID 692  EDE
18  \??\c:\vpjvj.exe  PID 604  EDE
19  \??\c:\rxrxfxf.exe  PID 1996  EDE
20  \??\c:\nnhthn.exe  PID 1812  EDE
21  \??\c:\pvdvd.exe  PID 2264  EDE
22  \??\c:\jdvpv.exe  PID 1660  EDE, SLD
23  \??\c:\ffrxrxl.exe  PID 540  EDE
24  \??\c:\hbthnb.exe  PID 1672  EDE
25  \??\c:\flfrlxr.exe  PID 1736  EDE
26  \??\c:\lxlflll.exe  PID 2860  EDE
27  \??\c:\nbnbbt.exe  PID 1244  EDE
28  \??\c:\9jjdj.exe  PID 2492  EDE
29  \??\c:\fllffxx.exe  PID 2080  EDE
30  \??\c:\hnbhth.exe  PID 1948  EDE
31  \??\c:\tnbhnh.exe  PID 2440  EDE
32  \??\c:\dvddj.exe  PID 2716  EDE
33  \??\c:\xfxxrxx.exe  PID 2776  EDE
34  \??\c:\tnhbnb.exe  PID 2708  EDE
35  \??\c:\bbtbhn.exe  PID 2396  EDE
36  \??\c:\1vpvv.exe  PID 2008  EDE
37  \??\c:\xlfxfxx.exe  PID 2920  EDE
38  \??\c:\xxrrffx.exe  PID 3052  EDE
39  \??\c:\thbthb.exe  PID 2652  EDE
40  \??\c:\djjvd.exe  PID 2212  EDE
41  \??\c:\jpdvj.exe  PID 1580  EDE
42  \??\c:\xlxxfff.exe  PID 2540  EDE
43  \??\c:\lflrrlx.exe  PID 2524  EDE
44  \??\c:\nbhtbt.exe  PID 2452  EDE
45  \??\c:\1tnbbh.exe  PID 2968  EDE
46  \??\c:\9ddvv.exe  PID 1716  EDE
47  \??\c:\5lffxxl.exe  PID 2876  EDE
48  \??\c:\rrfrfrf.exe  PID 2896  EDE
49  \??\c:\hhbnbh.exe  PID 2280  EDE
50  \??\c:\7nhhtt.exe  PID 1968  EDE
51  \??\c:\pvdpp.exe  PID 568  EDE
52  \??\c:\vvvpj.exe  PID 796  EDE
53  \??\c:\9frlfrr.exe  PID 592  EDE
54  \??\c:\nhtbhb.exe  PID 2208  EDE
55  \??\c:\bhnhnn.exe  PID 1928  EDE
56  \??\c:\ppvvd.exe  PID 2292  EDE
57  \??\c:\lrlffxl.exe  PID 2152  EDE
58  \??\c:\3rfxfxl.exe  PID 1364  EDE
59  \??\c:\tthhht.exe  PID 2060  EDE
60  \??\c:\jdpdd.exe  PID 1660  EDE
61  \??\c:\dpjjv.exe  PID 540  EDE
62  \??\c:\fflffll.exe  PID 2024  EDE
63  \??\c:\llrfrxf.exe  PID 1104  EDE
64  \??\c:\bnnbbn.exe  PID 1944  EDE
65  \??\c:\ddvjp.exe  PID 536  EDE
66  \??\c:\pvvjj.exe  PID 3068
67  \??\c:\ffllrxl.exe  PID 720
68  \??\c:\3xxlfll.exe  PID 2080
69  \??\c:\tnbthb.exe  PID 1936
70  \??\c:\nnntnn.exe  PID 2244
71  \??\c:\jpdvp.exe  PID 2704
72  \??\c:\fxlrfrf.exe  PID 2796
73  \??\c:\lrxxffl.exe  PID 2776
74  \??\c:\thbbnb.exe  PID 1824
75  \??\c:\pvpvj.exe  PID 2804
76  \??\c:\djvvp.exe  PID 2692  SLD
77  \??\c:\fffxfff.exe  PID 2844
78  \??\c:\ttnbhh.exe  PID 3056
79  \??\c:\nbbtht.exe  PID 3028
80  \??\c:\pdpjj.exe  PID 3048
81  \??\c:\3vvpp.exe  PID 2004
82  \??\c:\1rxfxlf.exe  PID 2388
83  \??\c:\hhttnt.exe  PID 1648  SLD
84  \??\c:\tnhntb.exe  PID 1808
85  \??\c:\7vpjp.exe  PID 2408
86  \??\c:\3pjvd.exe  PID 2400
87  \??\c:\llflxrl.exe  PID 2932
88  \??\c:\fllfrxx.exe  PID 1692
89  \??\c:\hnnhbn.exe  PID 300
90  \??\c:\bnhtbb.exe  PID 2092
91  \??\c:\3ppdp.exe  PID 1036
92  \??\c:\djvvp.exe  PID 908
93  \??\c:\frfxlxx.exe  PID 560
94  \??\c:\tbnnnn.exe  PID 608
95  \??\c:\1ddvj.exe  PID 2420
96  \??\c:\7xfrrrx.exe  PID 2120
97  \??\c:\rlrlrxr.exe  PID 1984
98  \??\c:\bnhtth.exe  PID 2224
99  \??\c:\tnbbhb.exe  PID 1616
100  \??\c:\jvdvd.exe  PID 2476
101  \??\c:\lxxrxrf.exe  PID 1656
102  \??\c:\fllffrx.exe  PID 1804
103  \??\c:\nbttbn.exe  PID 2352
104  \??\c:\tbnbnb.exe  PID 652
105  \??\c:\pvdvd.exe  PID 536
106  \??\c:\rflrfxx.exe  PID 1636
107  \??\c:\fflxlxx.exe  PID 2288
108  \??\c:\tbbttb.exe  PID 1768
109  \??\c:\tnhbtt.exe  PID 1936
110  \??\c:\pjjvj.exe  PID 340
111  \??\c:\fllxrlx.exe  PID 2720
112  \??\c:\lrxllxf.exe  PID 2700
113  \??\c:\tnhtnt.exe  PID 1608
114  \??\c:\ntnhnh.exe  PID 2736
115  \??\c:\5pjvd.exe  PID 2764
116  \??\c:\jjvdp.exe  PID 2688
117  \??\c:\7flfllx.exe  PID 2920
118  \??\c:\ttnbnt.exe  PID 2576
119  \??\c:\tnbntn.exe  PID 2652
120  \??\c:\vvpjd.exe  PID 2908
121  \??\c:\lrfxxrr.exe  PID 2004
122  \??\c:\fllfrxf.exe  PID 1780
123  \??\c:\1bnntn.exe  PID 2524
124  \??\c:\htbhnn.exe  PID 2452
125  \??\c:\jjjjp.exe  PID 2888
126  \??\c:\rrlrxxf.exe  PID 2892
127  \??\c:\7xlllfl.exe  PID 2868
128  \??\c:\1nntnb.exe  PID 2896
129  \??\c:\jdpjj.exe  PID 1748
130  \??\c:\pdvvp.exe  PID 1728
131  \??\c:\rlfflfl.exe  PID 2752
132  \??\c:\ntbhhn.exe  PID 1012
133  \??\c:\bnhthb.exe  PID 2196
134  \??\c:\5pvpd.exe  PID 2368
135  \??\c:\dppdj.exe  PID 2140
136  \??\c:\rrfrfll.exe  PID 2292
137  \??\c:\xrrffxr.exe  PID 1988
138  \??\c:\bnttbh.exe  PID 600
139  \??\c:\jvpvv.exe  PID 2060
140  \??\c:\dpjjp.exe  PID 1772
141  \??\c:\fflxlxx.exe  PID 1100
142  \??\c:\flxrxrr.exe  PID 2656
143  \??\c:\nhnhhb.exe  PID 304
144  \??\c:\5ddjj.exe  PID 2112
145  \??\c:\djpjv.exe  PID 1020
146  \??\c:\9xlfrff.exe  PID 320
147  \??\c:\bhtnnt.exe  PID 1044
148  \??\c:\7btthh.exe  PID 2320
149  \??\c:\7vjpd.exe  PID 2136
150  \??\c:\vjjpv.exe  PID 2728
151  \??\c:\fxlrflx.exe  PID 2824
152  \??\c:\tbhnhh.exe  PID 1596
153  \??\c:\bhntht.exe  PID 2772
154  \??\c:\pdddd.exe  PID 2812
155  \??\c:\fxxlxfr.exe  PID 2008
156  \??\c:\rrlrllf.exe  PID 2628
157  \??\c:\htbtbb.exe  PID 3052
158  \??\c:\jvppd.exe  PID 2748
159  \??\c:\vvdvd.exe  PID 3044
160  \??\c:\rrlrflx.exe  PID 2620
161  \??\c:\thnhhh.exe  PID 2540
162  \??\c:\tnbbtt.exe  PID 1276
163  \??\c:\dpdvd.exe  PID 2536
164  \??\c:\1frrlll.exe  PID 2976
165  \??\c:\tnhnbn.exe  PID 1132
166  \??\c:\jvddj.exe  PID 2644
167  \??\c:\rfrlxxl.exe  PID 2932
168  \??\c:\lrrlfff.exe  PID 668
169  \??\c:\tbhhbb.exe  PID 2156
170  \??\c:\ntntnb.exe  PID 1036
171  \??\c:\vjpjp.exe  PID 484
172  \??\c:\xfrrlrr.exe  PID 2372
173  \??\c:\thbttt.exe  PID 692
174  \??\c:\9hbnnh.exe  PID 2000
175  \??\c:\djdjv.exe  PID 1996
176  \??\c:\ddjjp.exe  PID 2152
177  \??\c:\fxrflxl.exe  PID 2996
178  \??\c:\bhthth.exe  PID 2332
179  \??\c:\bthhtt.exe  PID 2012
180  \??\c:\pdjdj.exe  PID 1884
181  \??\c:\lrxrrll.exe  PID 1792
182  \??\c:\rffffxf.exe  PID 2300
183  \??\c:\9nbnhb.exe  PID 2352
184  \??\c:\dpvdp.exe  PID 3060
185  \??\c:\vddjp.exe  PID 2348
186  \??\c:\7rrfrfr.exe  PID 720
187  \??\c:\flflffr.exe  PID 2028
188  \??\c:\1nbttt.exe  PID 2176
189  \??\c:\jvppd.exe  PID 2244
190  \??\c:\pvddp.exe  PID 2716
191  \??\c:\lfrxrlf.exe  PID 2796
192  \??\c:\frrlrrx.exe  PID 2708
193  \??\c:\nbnbnb.exe  PID 2392
194  \??\c:\dpvvj.exe  PID 2804
195  \??\c:\ddppv.exe  PID 2692
196  \??\c:\lfllllx.exe  PID 2600
197  \??\c:\nhbnnt.exe  PID 2640
198  \??\c:\bthnhh.exe  PID 1676
199  \??\c:\djddp.exe  PID 1260
200  \??\c:\lrxrrrl.exe  PID 3036
201  \??\c:\fxrfrfr.exe  PID 2388
202  \??\c:\thhbbt.exe  PID 2556
203  \??\c:\1nbntt.exe  PID 1808
204  \??\c:\jvjdp.exe  PID 2672
205  \??\c:\llrlrrr.exe  PID 1536
206  \??\c:\rrflflf.exe  PID 2916
207  \??\c:\3lxllrr.exe  PID 2932
208  \??\c:\bbbnnt.exe  PID 2912
209  \??\c:\vpjjv.exe  PID 2144
210  \??\c:\vjvpp.exe  PID 588
211  \??\c:\3lfrfrf.exe  PID 2132
212  \??\c:\fffrfxx.exe  PID 2196
213  \??\c:\bnhhnt.exe  PID 2344
214  \??\c:\pvddv.exe  PID 2040
215  \??\c:\ddvjj.exe  PID 1280
216  \??\c:\fllfrrf.exe  PID 1984
217  \??\c:\xlxrrlx.exe  PID 716
218  \??\c:\nnnnbb.exe  PID 2204
219  \??\c:\jpdvv.exe  PID 2056
220  \??\c:\pjjvd.exe  PID 1564
221  \??\c:\1xfxlrr.exe  PID 1104
222  \??\c:\bbttnt.exe  PID 548
223  \??\c:\5bnnbb.exe  PID 572
224  \??\c:\djpjv.exe  PID 3004
225  \??\c:\jddjd.exe  PID 1636
226  \??\c:\lrlrxrf.exe  PID 2080
227  \??\c:\fxxfxfr.exe  PID 1052
228  \??\c:\bhbthb.exe  PID 2684
229  \??\c:\9dppd.exe  PID 2244
230  \??\c:\vddpv.exe  PID 2720
231  \??\c:\ffrxrxx.exe  PID 2732
232  \??\c:\rrflffx.exe  PID 1604
233  \??\c:\nbntbb.exe  PID 2736
234  \??\c:\vjppd.exe  PID 2764
235  \??\c:\dvppv.exe  PID 2844
236  \??\c:\9rfflrx.exe  PID 3056
237  \??\c:\bnbtbn.exe  PID 2212
238  \??\c:\bbbhtt.exe  PID 2884
239  \??\c:\dvppd.exe  PID 1340
240  \??\c:\3djjj.exe  PID 1440
241  \??\c:\fxrrffr.exe  PID 1648
242  \??\c:\tnhhth.exe  PID 2756
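The Suspicious use of WriteProcessMemory table and the process tree describe the same chain from two angles. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses the raw form of both as they come off the report page (a node line with the image path fused to the command line, a depth index and the ⤵ glyph, followed by its signature and PID lines; and repeated "PID A wrote to memory of B" rows), collapses the write rows into one link per parent/child pair, checks that every link joins a tree node to the node one level deeper, and lists PIDs that occur at more than one depth. TREE and WPM_ROWS are constructed input: the first three nodes of this report's tree plus the depth-32 node that reuses PID 2716, and the write rows for the first two links.

```python
"""Reconstruct and cross-check the spawn chain of a Triage-style report.

Added example; not part of the sandbox report or of the sandbox's own tooling.
TREE and WPM_ROWS are constructed input copied from this report's raw text.
"""
import re
from collections import defaultdict

TREE = r"""
C:\Users\Admin\AppData\Local\Temp\19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe"C:\Users\Admin\AppData\Local\Temp\19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jddvj.exec:\jddvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\5ddjv.exec:\5ddjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\dvddj.exec:\dvddj.exe32⤵
- Executes dropped EXE
PID:2716 -
"""

# The report repeats each parent/child row once per WriteProcessMemory call (four here).
WPM_ROWS = (
    "PID 2232 wrote to memory of 2716 2232 "
    "19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe jddvj.exe " * 4
    + "PID 2716 wrote to memory of 2820 2716 jddvj.exe 5ddjv.exe " * 4
)

NODE_RE = re.compile(r"^(?P<text>.+?)(?P<depth>\d+)⤵\s*$")   # "<image><cmdline><depth>⤵"
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
SIG_RE = re.compile(r"^-\s+(?P<sig>.+\S)")
IMAGE_RE = re.compile(r'([^\\"]+\.exe)', re.IGNORECASE)         # first path component ending in .exe
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_tree(text):
    """Return one dict per node: depth, image basename, pid, list of signature names."""
    nodes, cur = [], None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            cur = {"depth": int(m["depth"]), "image": IMAGE_RE.search(m["text"]).group(1),
                   "pid": None, "sigs": []}
            nodes.append(cur)
            continue
        if cur is None:
            continue
        if (m := PID_RE.match(line)):
            cur["pid"] = int(m["pid"])
        elif (m := SIG_RE.match(line)):
            cur["sigs"].append(m["sig"].strip())
    return nodes


def spawn_chain(wpm_text):
    """Collapse repeated write rows into one link per (src pid, dst pid) with a write count."""
    links = {}
    for m in WPM_RE.finditer(wpm_text):
        key = (int(m["src"]), int(m["dst"]))
        links.setdefault(key, {"src_img": m["src_img"], "dst_img": m["dst_img"], "writes": 0})
        links[key]["writes"] += 1
    return links


def depths_by_pid(nodes):
    depths = defaultdict(set)
    for n in nodes:
        depths[n["pid"]].add(n["depth"])
    return depths


def check_links_against_tree(links, nodes):
    """Return links whose PIDs are not a parent/child pair at adjacent depths in the tree."""
    depths = depths_by_pid(nodes)
    return [key for key in links
            if not any(d + 1 in depths[key[1]] for d in depths[key[0]])]


def reused_pids(nodes):
    """PIDs that appear at more than one depth: Windows recycled them during the run."""
    return {pid: sorted(d) for pid, d in depths_by_pid(nodes).items() if len(d) > 1}


if __name__ == "__main__":
    nodes = parse_tree(TREE)
    links = spawn_chain(WPM_ROWS)
    for (src, dst), info in links.items():
        print(f"{src} {info['src_img']} -> {dst} {info['dst_img']} ({info['writes']} writes)")
    print("links not matching the tree:", check_links_against_tree(links, nodes))
    print("reused pids:", reused_pids(nodes))
```

The consistency check is the part worth keeping: when a WriteProcessMemory row names a target PID that is not one level below the writer in the tree, the write went into a process the writer did not just create, which is the injection case rather than the loader case shown in this report.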