Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 23:22
Static task: static1
Behavioral task: behavioral1
Sample: 19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe
Resource: win7-20240903-en

General
Target: 19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe
Size: 80KB
MD5: fae884d54b6c38c0d57dc88865341d30
SHA1: 683898c19fc504d2ab4a366e0e4d98bac3294ef1
SHA256: 19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408
SHA512: f8025ae2742d306932f214cece809586dd2d9c4c0cbad9d3eb399ffc7d9b567cec510965c8bf8fd3ad5045da0b885e301a358fd2fea853dd51a603068ed850cb
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JxJX:ymb3NkkiQ3mdBjFIWeFGyAsJX
Malware Config

Signatures
- Blackmoon family
- Detect Blackmoon payload (24 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the dropped executables (for example ddddp.exe) open the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree, one line per process: depth in the tree, image path, command line, PID, matched signatures. The tree is a single chain: each process at depth N was started by the process at depth N-1.
  1  C:\Users\Admin\AppData\Local\Temp\19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe  "C:\Users\Admin\AppData\Local\Temp\19d9d814aa19fd5afe6eb828dfbec1e87fc7bacea0428178b1d0485e278e9408N.exe"  PID 1808  Suspicious use of WriteProcessMemory
  2  \??\c:\rfllffl.exe  c:\rfllffl.exe  PID 4020  Executes dropped EXE; Suspicious use of WriteProcessMemory
  3  \??\c:\hbnnnt.exe  c:\hbnnnt.exe  PID 212  Executes dropped EXE; Suspicious use of WriteProcessMemory
  4  \??\c:\dddpd.exe  c:\dddpd.exe  PID 3256  Executes dropped EXE; Suspicious use of WriteProcessMemory
  5  \??\c:\lflxllx.exe  c:\lflxllx.exe  PID 4480  Executes dropped EXE; Suspicious use of WriteProcessMemory
  6  \??\c:\9lrlfxx.exe  c:\9lrlfxx.exe  PID 2248  Executes dropped EXE; Suspicious use of WriteProcessMemory
  7  \??\c:\bbhbbb.exe  c:\bbhbbb.exe  PID 2184  Executes dropped EXE; Suspicious use of WriteProcessMemory
  8  \??\c:\9xrfxlx.exe  c:\9xrfxlx.exe  PID 4420  Executes dropped EXE; Suspicious use of WriteProcessMemory
  9  \??\c:\ntnttb.exe  c:\ntnttb.exe  PID 2348  Executes dropped EXE; Suspicious use of WriteProcessMemory
 10  \??\c:\dpjpv.exe  c:\dpjpv.exe  PID 216  Executes dropped EXE; Suspicious use of WriteProcessMemory
 11  \??\c:\xlxllrr.exe  c:\xlxllrr.exe  PID 1684  Executes dropped EXE; Suspicious use of WriteProcessMemory
 12  \??\c:\ntbbnb.exe  c:\ntbbnb.exe  PID 3520  Executes dropped EXE; Suspicious use of WriteProcessMemory
 13  \??\c:\7dvpd.exe  c:\7dvpd.exe  PID 2232  Executes dropped EXE; Suspicious use of WriteProcessMemory
 14  \??\c:\lfrxrxx.exe  c:\lfrxrxx.exe  PID 1388  Executes dropped EXE; Suspicious use of WriteProcessMemory
 15  \??\c:\7nhnbb.exe  c:\7nhnbb.exe  PID 3664  Executes dropped EXE; Suspicious use of WriteProcessMemory
 16  \??\c:\vppjj.exe  c:\vppjj.exe  PID 1060  Executes dropped EXE; Suspicious use of WriteProcessMemory
 17  \??\c:\3llrrrr.exe  c:\3llrrrr.exe  PID 3240  Executes dropped EXE; Suspicious use of WriteProcessMemory
 18  \??\c:\hntbtn.exe  c:\hntbtn.exe  PID 2600  Executes dropped EXE; Suspicious use of WriteProcessMemory
 19  \??\c:\jdvjv.exe  c:\jdvjv.exe  PID 4224  Executes dropped EXE; Suspicious use of WriteProcessMemory
 20  \??\c:\lrlllrr.exe  c:\lrlllrr.exe  PID 4504  Executes dropped EXE; Suspicious use of WriteProcessMemory
 21  \??\c:\rlllxxr.exe  c:\rlllxxr.exe  PID 3948  Executes dropped EXE; Suspicious use of WriteProcessMemory
 22  \??\c:\hhnnnt.exe  c:\hhnnnt.exe  PID 3964  Executes dropped EXE; Suspicious use of WriteProcessMemory
 23  \??\c:\jjdvj.exe  c:\jjdvj.exe  PID 1008  Executes dropped EXE
 24  \??\c:\jpjpp.exe  c:\jpjpp.exe  PID 2012  Executes dropped EXE
 25  \??\c:\bbnhhn.exe  c:\bbnhhn.exe  PID 2292  Executes dropped EXE
 26  \??\c:\thtnnn.exe  c:\thtnnn.exe  PID 3720  Executes dropped EXE
 27  \??\c:\ddpjd.exe  c:\ddpjd.exe  PID 1700  Executes dropped EXE
 28  \??\c:\nhbbnt.exe  c:\nhbbnt.exe  PID 2004  Executes dropped EXE
 29  \??\c:\jpvjp.exe  c:\jpvjp.exe  PID 3308  Executes dropped EXE
 30  \??\c:\djjjj.exe  c:\djjjj.exe  PID 4396  Executes dropped EXE
 31  \??\c:\fxrrlfx.exe  c:\fxrrlfx.exe  PID 2460  Executes dropped EXE
 32  \??\c:\bnnhbt.exe  c:\bnnhbt.exe  PID 4300  Executes dropped EXE
 33  \??\c:\nbntnt.exe  c:\nbntnt.exe  PID 5016  Executes dropped EXE
 34  \??\c:\vdvdd.exe  c:\vdvdd.exe  PID 4024  Executes dropped EXE
 35  \??\c:\rrxrrll.exe  c:\rrxrrll.exe  PID 772  Executes dropped EXE
 36  \??\c:\fllfrrf.exe  c:\fllfrrf.exe  PID 1640  Executes dropped EXE
 37  \??\c:\1tbthh.exe  c:\1tbthh.exe  PID 756  Executes dropped EXE
 38  \??\c:\jjdpp.exe  c:\jjdpp.exe  PID 724  Executes dropped EXE
 39  \??\c:\vpjjv.exe  c:\vpjjv.exe  PID 4792  Executes dropped EXE
 40  \??\c:\ffxrrrf.exe  c:\ffxrrrf.exe  PID 1188  Executes dropped EXE
 41  \??\c:\bbtttb.exe  c:\bbtttb.exe  PID 4688  Executes dropped EXE
 42  \??\c:\hhbbnn.exe  c:\hhbbnn.exe  PID 2184  Executes dropped EXE
 43  \??\c:\jddjd.exe  c:\jddjd.exe  PID 3512  Executes dropped EXE
 44  \??\c:\vdddj.exe  c:\vdddj.exe  PID 4360  Executes dropped EXE
 45  \??\c:\llfrxxx.exe  c:\llfrxxx.exe  PID 4400  Executes dropped EXE
 46  \??\c:\dvddv.exe  c:\dvddv.exe  PID 4404  Executes dropped EXE
 47  \??\c:\lfrrlll.exe  c:\lfrrlll.exe  PID 556  Executes dropped EXE
 48  \??\c:\bthbtt.exe  c:\bthbtt.exe  PID 3036  Executes dropped EXE
 49  \??\c:\9hbhbh.exe  c:\9hbhbh.exe  PID 4644  Executes dropped EXE
 50  \??\c:\vvddd.exe  c:\vvddd.exe  PID 1388  Executes dropped EXE
 51  \??\c:\jdvvv.exe  c:\jdvvv.exe  PID 2392  Executes dropped EXE
 52  \??\c:\rfffxfx.exe  c:\rfffxfx.exe  PID 336  Executes dropped EXE
 53  \??\c:\xxxxrxf.exe  c:\xxxxrxf.exe  PID 4192  Executes dropped EXE
 54  \??\c:\tbtthb.exe  c:\tbtthb.exe  PID 1584  Executes dropped EXE
 55  \??\c:\7dppv.exe  c:\7dppv.exe  PID 4068  Executes dropped EXE
 56  \??\c:\7djjj.exe  c:\7djjj.exe  PID 532  Executes dropped EXE
 57  \??\c:\5flllll.exe  c:\5flllll.exe  PID 2260  Executes dropped EXE
 58  \??\c:\rfxxxxf.exe  c:\rfxxxxf.exe  PID 952  Executes dropped EXE
 59  \??\c:\nbtbhn.exe  c:\nbtbhn.exe  PID 4060  Executes dropped EXE
 60  \??\c:\nbhttb.exe  c:\nbhttb.exe  PID 3384  Executes dropped EXE
 61  \??\c:\jjvdd.exe  c:\jjvdd.exe  PID 2276  Executes dropped EXE
 62  \??\c:\jvdvj.exe  c:\jvdvj.exe  PID 752  Executes dropped EXE
 63  \??\c:\rlrrxfx.exe  c:\rlrrxfx.exe  PID 4560  Executes dropped EXE
 64  \??\c:\bbbbhh.exe  c:\bbbbhh.exe  PID 4380  Executes dropped EXE
 65  \??\c:\bbnnnn.exe  c:\bbnnnn.exe  PID 3720  Executes dropped EXE
 66  \??\c:\vjvpp.exe  c:\vjvpp.exe  PID 1700
 67  \??\c:\ddddp.exe  c:\ddddp.exe  PID 2004  System Location Discovery: System Language Discovery
 68  \??\c:\lxffxxx.exe  c:\lxffxxx.exe  PID 4932
 69  \??\c:\hntbbh.exe  c:\hntbbh.exe  PID 4876
 70  \??\c:\tbhbnt.exe  c:\tbhbnt.exe  PID 3324
 71  \??\c:\djppv.exe  c:\djppv.exe  PID 3288
 72  \??\c:\rxffxrf.exe  c:\rxffxrf.exe  PID 3464
 73  \??\c:\xrflrxx.exe  c:\xrflrxx.exe  PID 700
 74  \??\c:\htbnhb.exe  c:\htbnhb.exe  PID 1940
 75  \??\c:\pjdvv.exe  c:\pjdvv.exe  PID 3404
 76  \??\c:\pjdpd.exe  c:\pjdpd.exe  PID 3032
 77  \??\c:\1xrrrll.exe  c:\1xrrrll.exe  PID 1560
 78  \??\c:\flrrfxx.exe  c:\flrrfxx.exe  PID 4480
 79  \??\c:\bhnhbb.exe  c:\bhnhbb.exe  PID 3012
 80  \??\c:\jjpjv.exe  c:\jjpjv.exe  PID 408
 81  \??\c:\vjjdj.exe  c:\vjjdj.exe  PID 1188
 82  \??\c:\lxlfrrl.exe  c:\lxlfrrl.exe  PID 4688
 83  \??\c:\fxfxxxx.exe  c:\fxfxxxx.exe  PID 3376
 84  \??\c:\bnnnnn.exe  c:\bnnnnn.exe  PID 1564
 85  \??\c:\vvddd.exe  c:\vvddd.exe  PID 1632
 86  \??\c:\ddjjj.exe  c:\ddjjj.exe  PID 2296
 87  \??\c:\xrrlxxx.exe  c:\xrrlxxx.exe  PID 3532
 88  \??\c:\tntnnt.exe  c:\tntnnt.exe  PID 2228
 89  \??\c:\thttnt.exe  c:\thttnt.exe  PID 4028
 90  \??\c:\9djjd.exe  c:\9djjd.exe  PID 868
 91  \??\c:\9dvpj.exe  c:\9dvpj.exe  PID 2232
 92  \??\c:\ffllfll.exe  c:\ffllfll.exe  PID 4248
 93  \??\c:\fxfxffl.exe  c:\fxfxffl.exe  PID 2172
 94  \??\c:\7tbbtn.exe  c:\7tbbtn.exe  PID 1388
 95  \??\c:\thttnt.exe  c:\thttnt.exe  PID 3176
 96  \??\c:\7jdjj.exe  c:\7jdjj.exe  PID 1320
 97  \??\c:\lrrffff.exe  c:\lrrffff.exe  PID 3612
 98  \??\c:\3frxfrx.exe  c:\3frxfrx.exe  PID 4740
 99  \??\c:\nhtnbt.exe  c:\nhtnbt.exe  PID 1528
100  \??\c:\jpppj.exe  c:\jpppj.exe  PID 4576
101  \??\c:\lfrrrrr.exe  c:\lfrrrrr.exe  PID 2060
102  \??\c:\rrxffff.exe  c:\rrxffff.exe  PID 220
103  \??\c:\bhbttt.exe  c:\bhbttt.exe  PID 4232
104  \??\c:\dvddj.exe  c:\dvddj.exe  PID 4376
105  \??\c:\rrlxrfx.exe  c:\rrlxrfx.exe  PID 4292
106  \??\c:\nnhbtt.exe  c:\nnhbtt.exe  PID 2196
107  \??\c:\5nnhhh.exe  c:\5nnhhh.exe  PID 3040
108  \??\c:\vpddv.exe  c:\vpddv.exe  PID 4560
109  \??\c:\jddvp.exe  c:\jddvp.exe  PID 3280
110  \??\c:\lxfrrll.exe  c:\lxfrrll.exe  PID 664
111  \??\c:\tnnnhh.exe  c:\tnnnhh.exe  PID 3304
112  \??\c:\hnbtnh.exe  c:\hnbtnh.exe  PID 2272
113  \??\c:\9djvv.exe  c:\9djvv.exe  PID 2044
114  \??\c:\jjjpj.exe  c:\jjjpj.exe  PID 3484
115  \??\c:\xrxxxfx.exe  c:\xrxxxfx.exe  PID 3324
116  \??\c:\ntthbb.exe  c:\ntthbb.exe  PID 3064
117  \??\c:\vvvvj.exe  c:\vvvvj.exe  PID 4020
118  \??\c:\ddpvp.exe  c:\ddpvp.exe  PID 4720
119  \??\c:\xxfxrxx.exe  c:\xxfxrxx.exe  PID 212
120  \??\c:\fffffll.exe  c:\fffffll.exe  PID 5048
121  \??\c:\ttbbtb.exe  c:\ttbbtb.exe  PID 4816
122  \??\c:\9dvpp.exe  c:\9dvpp.exe  PID 3260
123  \??\c:\vdppd.exe  c:\vdppd.exe  PID 2500
124  \??\c:\fxrrrrx.exe  c:\fxrrrrx.exe  PID 2020
125  \??\c:\pvjpv.exe  c:\pvjpv.exe  PID 1188
126  \??\c:\xxxrlfx.exe  c:\xxxrlfx.exe  PID 3004
127  \??\c:\btnhbh.exe  c:\btnhbh.exe  PID 2348
128  \??\c:\thhtnt.exe  c:\thhtnt.exe  PID 216
129  \??\c:\dvppj.exe  c:\dvppj.exe  PID 3676
130  \??\c:\rlflxlx.exe  c:\rlflxlx.exe  PID 3220
131  \??\c:\ttbtnn.exe  c:\ttbtnn.exe  PID 3472
132  \??\c:\bthbbb.exe  c:\bthbbb.exe  PID 404
133  \??\c:\vdddv.exe  c:\vdddv.exe  PID 868
134  \??\c:\lrxffxl.exe  c:\lrxffxl.exe  PID 3132
135  \??\c:\rllfrfx.exe  c:\rllfrfx.exe  PID 1892
136  \??\c:\3hhnnn.exe  c:\3hhnnn.exe  PID 840
137  \??\c:\jdddv.exe  c:\jdddv.exe  PID 4484
138  \??\c:\jvpvp.exe  c:\jvpvp.exe  PID 1780
139  \??\c:\rfxlfrl.exe  c:\rfxlfrl.exe  PID 2096
140  \??\c:\bhthbt.exe  c:\bhthbt.exe  PID 1128
141  \??\c:\tnbthn.exe  c:\tnbthn.exe  PID 3044
142  \??\c:\jvpdp.exe  c:\jvpdp.exe  PID 1528
143  \??\c:\jpdpp.exe  c:\jpdpp.exe  PID 3948
144  \??\c:\fxfxrxr.exe  c:\fxfxrxr.exe  PID 4668
145  \??\c:\lffxrrr.exe  c:\lffxrrr.exe  PID 220
146  \??\c:\1bhbtt.exe  c:\1bhbtt.exe  PID 3384
147  \??\c:\7vdvp.exe  c:\7vdvp.exe  PID 4376
148  \??\c:\xxxxlrf.exe  c:\xxxxlrf.exe  PID 752
149  \??\c:\bhtbhn.exe  c:\bhtbhn.exe  PID 2196
150  \??\c:\jpvvv.exe  c:\jpvvv.exe  PID 3040
151  \??\c:\jjjjj.exe  c:\jjjjj.exe  PID 4544
152  \??\c:\lrrflxf.exe  c:\lrrflxf.exe  PID 3280
153  \??\c:\5tbhhn.exe  c:\5tbhhn.exe  PID 1212
154  \??\c:\7bhntb.exe  c:\7bhntb.exe  PID 3304
155  \??\c:\nhthhh.exe  c:\nhthhh.exe  PID 2272
156  \??\c:\9vjjj.exe  c:\9vjjj.exe  PID 2648
157  \??\c:\rlxfxrr.exe  c:\rlxfxrr.exe  PID 3484
158  \??\c:\fxlllll.exe  c:\fxlllll.exe  PID 3324
159  \??\c:\bnhbnb.exe  c:\bnhbnb.exe  PID 3464
160  \??\c:\3ntbtb.exe  c:\3ntbtb.exe  PID 1596
161  \??\c:\dvpjd.exe  c:\dvpjd.exe  PID 4564
162  \??\c:\jjjjj.exe  c:\jjjjj.exe  PID 432
163  \??\c:\xlxflll.exe  c:\xlxflll.exe  PID 3756
164  \??\c:\rxlrlfx.exe  c:\rxlrlfx.exe  PID 2104
165  \??\c:\1nbbbh.exe  c:\1nbbbh.exe  PID 2224
166  \??\c:\bthhtt.exe  c:\bthhtt.exe  PID 2500
167  \??\c:\pdjjp.exe  c:\pdjjp.exe  PID 1432
168  \??\c:\1flxfrf.exe  c:\1flxfrf.exe  PID 4860
169  \??\c:\llxxxrl.exe  c:\llxxxrl.exe  PID 4460
170  \??\c:\hbbttt.exe  c:\hbbttt.exe  PID 3520
171  \??\c:\jddvp.exe  c:\jddvp.exe  PID 4964
172  \??\c:\vppjp.exe  c:\vppjp.exe  PID 4172
173  \??\c:\lllffll.exe  c:\lllffll.exe  PID 2364
174  \??\c:\xrffrrr.exe  c:\xrffrrr.exe  PID 2172
175  \??\c:\9bnhht.exe  c:\9bnhht.exe  PID 3476
176  \??\c:\btbbbb.exe  c:\btbbbb.exe  PID 4536
177  \??\c:\dpvpd.exe  c:\dpvpd.exe  PID 3184
178  \??\c:\xlrlfff.exe  c:\xlrlfff.exe  PID 2096
179  \??\c:\lllllxf.exe  c:\lllllxf.exe  PID 1128
180  \??\c:\nnbhhn.exe  c:\nnbhhn.exe  PID 4576
181  \??\c:\1pddj.exe  c:\1pddj.exe  PID 3692
182  \??\c:\5xfxrrf.exe  c:\5xfxrrf.exe  PID 4432
183  \??\c:\btbhhn.exe  c:\btbhhn.exe  PID 4852
184  \??\c:\dvvvj.exe  c:\dvvvj.exe  PID 1008
185  \??\c:\lfrffrr.exe  c:\lfrffrr.exe  PID 3384
186  \??\c:\fffffff.exe  c:\fffffff.exe  PID 4376
187  \??\c:\btbhhn.exe  c:\btbhhn.exe  PID 628
188  \??\c:\thhthh.exe  c:\thhthh.exe  PID 4408
189  \??\c:\xrrrrrr.exe  c:\xrrrrrr.exe  PID 3156
190  \??\c:\9rlfrlx.exe  c:\9rlfrlx.exe  PID 664
191  \??\c:\bhhhhb.exe  c:\bhhhhb.exe  PID 3280
192  \??\c:\dvjpj.exe  c:\dvjpj.exe  PID 3024
193  \??\c:\dpvvp.exe  c:\dpvvp.exe  PID 5044
194  \??\c:\lxxrlll.exe  c:\lxxrlll.exe  PID 2272
195  \??\c:\xfflxfr.exe  c:\xfflxfr.exe  PID 3316
196  \??\c:\hbhhhh.exe  c:\hbhhhh.exe  PID 1204
197  \??\c:\djpjp.exe  c:\djpjp.exe  PID 2164
198  \??\c:\rrlflff.exe  c:\rrlflff.exe  PID 4020
199  \??\c:\rrlfxrl.exe  c:\rrlfxrl.exe  PID 3816
200  \??\c:\bttbnn.exe  c:\bttbnn.exe  PID 5048
201  \??\c:\vvddv.exe  c:\vvddv.exe  PID 432
202  \??\c:\jdpjv.exe  c:\jdpjv.exe  PID 1936
203  \??\c:\frfxxxf.exe  c:\frfxxxf.exe  PID 4992
204  \??\c:\ffxfxxr.exe  c:\ffxfxxr.exe  PID 2500
205  \??\c:\bthhhh.exe  c:\bthhhh.exe  PID 4016
206  \??\c:\jdjjj.exe  c:\jdjjj.exe  PID 3380
207  \??\c:\7pvvv.exe  c:\7pvvv.exe  PID 1284
208  \??\c:\fflfrlx.exe  c:\fflfrlx.exe  PID 3036
209  \??\c:\bbtbbn.exe  c:\bbtbbn.exe  PID 404
210  \??\c:\jvvvd.exe  c:\jvvvd.exe  PID 3992
211  \??\c:\djjdp.exe  c:\djjdp.exe  PID 2364
212  \??\c:\xlfflrr.exe  c:\xlfflrr.exe  PID 2172
213  \??\c:\5rfffll.exe  c:\5rfffll.exe  PID 2392
214  \??\c:\bbhnhn.exe  c:\bbhnhn.exe  PID 2040
215  \??\c:\htbhhb.exe  c:\htbhhb.exe  PID 436
216  \??\c:\ppjvp.exe  c:\ppjvp.exe  PID 1584
217  \??\c:\lrflffx.exe  c:\lrflffx.exe  PID 2984
218  \??\c:\fffxxfl.exe  c:\fffxxfl.exe  PID 2060
219  \??\c:\ntbbnn.exe  c:\ntbbnn.exe  PID 3964
220  \??\c:\pvvvd.exe  c:\pvvvd.exe  PID 2860
221  \??\c:\ppppd.exe  c:\ppppd.exe  PID 4232
222  \??\c:\frxxrff.exe  c:\frxxrff.exe  PID 2636
223  \??\c:\xlxlxfr.exe  c:\xlxlxfr.exe  PID 3384
224  \??\c:\nbbtnn.exe  c:\nbbtnn.exe  PID 4908
225  \??\c:\1ddvp.exe  c:\1ddvp.exe  PID 4344
226  \??\c:\lrffrfx.exe  c:\lrffrfx.exe  PID 4560
227  \??\c:\bnhnht.exe  c:\bnhnht.exe  PID 972
228  \??\c:\nbbtnn.exe  c:\nbbtnn.exe  PID 4936
229  \??\c:\1jjdd.exe  c:\1jjdd.exe  PID 4728
230  \??\c:\1xrrxxf.exe  c:\1xrrxxf.exe  PID 1800
231  \??\c:\lflxllx.exe  c:\lflxllx.exe  PID 4876
232  \??\c:\nbtnhb.exe  c:\nbtnhb.exe  PID 872
233  \??\c:\hnhbtn.exe  c:\hnhbtn.exe  PID 1160
234  \??\c:\vjppj.exe  c:\vjppj.exe  PID 228
235  \??\c:\ffffrrx.exe  c:\ffffrrx.exe  PID 5028
236  \??\c:\fflrrrr.exe  c:\fflrrrr.exe  PID 5016
237  \??\c:\nbtnhh.exe  c:\nbtnhh.exe  PID 2148
238  \??\c:\ddddv.exe  c:\ddddv.exe  PID 2140
239  \??\c:\jdpjp.exe  c:\jdpjp.exe  PID 1904
240  \??\c:\xllrxxl.exe  c:\xllrxxl.exe  PID 1380
241  \??\c:\rlfflrf.exe  c:\rlfflrf.exe  PID 2224
242  \??\c:\nhtttt.exe  c:\nhtttt.exe  PID 4556