Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2024 00:06

Static task: static1
Behavioral task: behavioral1
Sample: 618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe
Resource: win7-20240903-en

General

Target: 618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe
Size: 88KB
MD5: e6c2120a5267e7f106f9e1716031622b
SHA1: eef64e3a36ec9c8e2b5203c304645bb8b29a9610
SHA256: 618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd
SHA512: 53c9366af1003db7c99f8a50e373fda94d86db8046c353437af57dd27dbc6f5a30b1cfd33414db8c011d40dde42491f6f3d6e4792572b5081387c0ee90b5eb19
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JxJ4EUQnR:ymb3NkkiQ3mdBjFIWeFGyAsJ4a
Malware Config

Signatures

Blackmoon family

Detect Blackmoon payload (23 IoCs)
Processes:
Executes dropped EXE (64 IoCs)
Processes:
Processes:
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Processes

Each entry is the child process of the entry above it; the leading number is its depth in the process tree. Entry format: depth. image path (command line), PID: signatures triggered.

1. C:\Users\Admin\AppData\Local\Temp\618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe ("C:\Users\Admin\AppData\Local\Temp\618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe"), PID 2492: Suspicious use of WriteProcessMemory
2. \??\c:\pjppj.exe (c:\pjppj.exe), PID 2320: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\xrlxllr.exe (c:\xrlxllr.exe), PID 1692: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\bhnhbn.exe (c:\bhnhbn.exe), PID 2948: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\jvjpd.exe (c:\jvjpd.exe), PID 2728: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\xrlxflr.exe (c:\xrlxflr.exe), PID 2756: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\hbnbnn.exe (c:\hbnbnn.exe), PID 2244: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\5vvjv.exe (c:\5vvjv.exe), PID 2736: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\lfxxxfl.exe (c:\lfxxxfl.exe), PID 2612: Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\3nhbbh.exe (c:\3nhbbh.exe), PID 2656: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\jjvdj.exe (c:\jjvdj.exe), PID 1000: Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\xrflflf.exe (c:\xrflflf.exe), PID 2920: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\rlrxlrl.exe (c:\rlrxlrl.exe), PID 1844: Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\nnnthh.exe (c:\nnnthh.exe), PID 792: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\nhtnbh.exe (c:\nhtnbh.exe), PID 2360: Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\5jdpd.exe (c:\5jdpd.exe), PID 1824: Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\xrllxxl.exe (c:\xrllxxl.exe), PID 1516: Executes dropped EXE
18. \??\c:\bnhhtt.exe (c:\bnhhtt.exe), PID 1808: Executes dropped EXE
19. \??\c:\bbbhtb.exe (c:\bbbhtb.exe), PID 2636: Executes dropped EXE
20. \??\c:\djpjj.exe (c:\djpjj.exe), PID 2124: Executes dropped EXE
21. \??\c:\vpjvd.exe (c:\vpjvd.exe), PID 2568: Executes dropped EXE
22. \??\c:\rrlrfrl.exe (c:\rrlrfrl.exe), PID 1780: Executes dropped EXE
23. \??\c:\xfxlfll.exe (c:\xfxlfll.exe), PID 2576: Executes dropped EXE
24. \??\c:\nhttnh.exe (c:\nhttnh.exe), PID 1628: Executes dropped EXE
25. \??\c:\dpvdp.exe (c:\dpvdp.exe), PID 2352: Executes dropped EXE
26. \??\c:\jdpdj.exe (c:\jdpdj.exe), PID 1880: Executes dropped EXE
27. \??\c:\lxrrfrx.exe (c:\lxrrfrx.exe), PID 1728: Executes dropped EXE
28. \??\c:\nhhthb.exe (c:\nhhthb.exe), PID 1856: Executes dropped EXE
29. \??\c:\jvvvd.exe (c:\jvvvd.exe), PID 1048: Executes dropped EXE
30. \??\c:\7xlrxff.exe (c:\7xlrxff.exe), PID 1676: Executes dropped EXE
31. \??\c:\fxlxrxf.exe (c:\fxlxrxf.exe), PID 2260: Executes dropped EXE
32. \??\c:\tnnntt.exe (c:\tnnntt.exe), PID 1916: Executes dropped EXE
33. \??\c:\3ntbnh.exe (c:\3ntbnh.exe), PID 2572: Executes dropped EXE
34. \??\c:\jdppp.exe (c:\jdppp.exe), PID 2528: Executes dropped EXE
35. \??\c:\llxxlrf.exe (c:\llxxlrf.exe), PID 2256: Executes dropped EXE
36. \??\c:\fxlrxxf.exe (c:\fxlrxxf.exe), PID 2816: Executes dropped EXE
37. \??\c:\bthhnt.exe (c:\bthhnt.exe), PID 2876: Executes dropped EXE
38. \??\c:\jjvdp.exe (c:\jjvdp.exe), PID 2716: Executes dropped EXE
39. \??\c:\9vjjj.exe (c:\9vjjj.exe), PID 2288: Executes dropped EXE
40. \??\c:\rlllrfr.exe (c:\rlllrfr.exe), PID 2776: Executes dropped EXE
41. \??\c:\rlfrlxl.exe (c:\rlfrlxl.exe), PID 2712: Executes dropped EXE
42. \??\c:\xxlxfrf.exe (c:\xxlxfrf.exe), PID 2600: Executes dropped EXE
43. \??\c:\7tnnth.exe (c:\7tnnth.exe), PID 3044: Executes dropped EXE
44. \??\c:\7thnhh.exe (c:\7thnhh.exe), PID 1668: Executes dropped EXE
45. \??\c:\jpdvd.exe (c:\jpdvd.exe), PID 2656: Executes dropped EXE
46. \??\c:\7rfllrr.exe (c:\7rfllrr.exe), PID 1772: Executes dropped EXE
47. \??\c:\fxlrrfl.exe (c:\fxlrrfl.exe), PID 2944: Executes dropped EXE
48. \??\c:\ttntnh.exe (c:\ttntnh.exe), PID 1384: Executes dropped EXE
49. \??\c:\3tnnbb.exe (c:\3tnnbb.exe), PID 2908: Executes dropped EXE
50. \??\c:\7jjpd.exe (c:\7jjpd.exe), PID 520: Executes dropped EXE
51. \??\c:\9frfllf.exe (c:\9frfllf.exe), PID 1900: Executes dropped EXE
52. \??\c:\rflflff.exe (c:\rflflff.exe), PID 2952: Executes dropped EXE
53. \??\c:\nbhtbt.exe (c:\nbhtbt.exe), PID 1648: Executes dropped EXE
54. \??\c:\9btnbn.exe (c:\9btnbn.exe), PID 3032: Executes dropped EXE
55. \??\c:\dvjpp.exe (c:\dvjpp.exe), PID 2084: Executes dropped EXE
56. \??\c:\9xrxrff.exe (c:\9xrxrff.exe), PID 2636: Executes dropped EXE
57. \??\c:\9lfffff.exe (c:\9lfffff.exe), PID 2284: Executes dropped EXE
58. \??\c:\hbbhbb.exe (c:\hbbhbb.exe), PID 1400: Executes dropped EXE
59. \??\c:\pppjv.exe (c:\pppjv.exe), PID 1096: Executes dropped EXE
60. \??\c:\9jpjp.exe (c:\9jpjp.exe), PID 1492: Executes dropped EXE
61. \??\c:\xrrlxfl.exe (c:\xrrlxfl.exe), PID 1612: Executes dropped EXE
62. \??\c:\flffxxr.exe (c:\flffxxr.exe), PID 2068: Executes dropped EXE
63. \??\c:\btthtb.exe (c:\btthtb.exe), PID 1360: Executes dropped EXE
64. \??\c:\1nnntn.exe (c:\1nnntn.exe), PID 2316: Executes dropped EXE
65. \??\c:\pjddd.exe (c:\pjddd.exe), PID 2468: Executes dropped EXE
66. \??\c:\pjvpp.exe (c:\pjvpp.exe), PID 3012
67. \??\c:\rlfflxl.exe (c:\rlfflxl.exe), PID 1928
68. \??\c:\rlxfrrf.exe (c:\rlxfrrf.exe), PID 1040
69. \??\c:\tnbthb.exe (c:\tnbthb.exe), PID 2156
70. \??\c:\hbhttb.exe (c:\hbhttb.exe), PID 2276
71. \??\c:\jjvdj.exe (c:\jjvdj.exe), PID 1860
72. \??\c:\xrllrfl.exe (c:\xrllrfl.exe), PID 1916
73. \??\c:\3fxxrrl.exe (c:\3fxxrrl.exe), PID 2328
74. \??\c:\bnbbhh.exe (c:\bnbbhh.exe), PID 840
75. \??\c:\vjvdd.exe (c:\vjvdd.exe), PID 2808
76. \??\c:\jddpv.exe (c:\jddpv.exe), PID 2704
77. \??\c:\3frfxfx.exe (c:\3frfxfx.exe), PID 2756
78. \??\c:\rllfrlr.exe (c:\rllfrlr.exe), PID 2740
79. \??\c:\nhnntn.exe (c:\nhnntn.exe), PID 2288
80. \??\c:\vpjvj.exe (c:\vpjvj.exe), PID 2168
81. \??\c:\dpvvv.exe (c:\dpvvv.exe), PID 2152
82. \??\c:\nhtbbb.exe (c:\nhtbbb.exe), PID 2344
83. \??\c:\thtbbn.exe (c:\thtbbn.exe), PID 2228
84. \??\c:\7jdpv.exe (c:\7jdpv.exe), PID 1912
85. \??\c:\pjpjp.exe (c:\pjpjp.exe), PID 2924
86. \??\c:\fxrrfxf.exe (c:\fxrrfxf.exe), PID 592
87. \??\c:\thnntn.exe (c:\thnntn.exe), PID 1844
88. \??\c:\ntthnn.exe (c:\ntthnn.exe), PID 1316
89. \??\c:\rlxlxfl.exe (c:\rlxlxfl.exe), PID 2868
90. \??\c:\xrxfrxl.exe (c:\xrxfrxl.exe), PID 2120
91. \??\c:\bnbhnn.exe (c:\bnbhnn.exe), PID 1836
92. \??\c:\nnnthn.exe (c:\nnnthn.exe), PID 832
93. \??\c:\vpdjj.exe (c:\vpdjj.exe), PID 1736
94. \??\c:\fffxlfx.exe (c:\fffxlfx.exe), PID 2192
95. \??\c:\xxxlllr.exe (c:\xxxlllr.exe), PID 2540
96. \??\c:\3hhtht.exe (c:\3hhtht.exe), PID 1720
97. \??\c:\tnnbtb.exe (c:\tnnbtb.exe), PID 772
98. \??\c:\ppdvp.exe (c:\ppdvp.exe), PID 1640
99. \??\c:\pvpjp.exe (c:\pvpjp.exe), PID 1140
100. \??\c:\fllxxlf.exe (c:\fllxxlf.exe), PID 2992
101. \??\c:\lfxfrxl.exe (c:\lfxfrxl.exe), PID 1612
102. \??\c:\nhtnnn.exe (c:\nhtnnn.exe), PID 2352
103. \??\c:\7hnnnt.exe (c:\7hnnnt.exe), PID 296
104. \??\c:\dddjj.exe (c:\dddjj.exe), PID 2076
105. \??\c:\ddpjp.exe (c:\ddpjp.exe), PID 1788
106. \??\c:\fxxxfrl.exe (c:\fxxxfrl.exe), PID 1904
107. \??\c:\xrffflx.exe (c:\xrffflx.exe), PID 1688
108. \??\c:\xrffllr.exe (c:\xrffllr.exe), PID 1600
109. \??\c:\9nttbh.exe (c:\9nttbh.exe), PID 2564
110. \??\c:\nhthhn.exe (c:\nhthhn.exe), PID 1576
111. \??\c:\pjpvv.exe (c:\pjpvv.exe), PID 2964
112. \??\c:\xrxxlrx.exe (c:\xrxxlrx.exe), PID 2172
113. \??\c:\fxrrflx.exe (c:\fxrrflx.exe), PID 2528
114. \??\c:\lfxxxxr.exe (c:\lfxxxxr.exe), PID 2872
115. \??\c:\7btbtt.exe (c:\7btbtt.exe), PID 2808
116. \??\c:\hhhnbb.exe (c:\hhhnbb.exe), PID 2876
117. \??\c:\dvpvd.exe (c:\dvpvd.exe), PID 2888
118. \??\c:\jvvjj.exe (c:\jvvjj.exe), PID 2772
119. \??\c:\9ffflrx.exe (c:\9ffflrx.exe), PID 2832
120. \??\c:\rrfxlrl.exe (c:\rrfxlrl.exe), PID 2676
121. \??\c:\bttbtn.exe (c:\bttbtn.exe), PID 2672
122. \??\c:\tnnhtt.exe (c:\tnnhtt.exe), PID 2616
123. \??\c:\ttnnbb.exe (c:\ttnnbb.exe), PID 1100
124. \??\c:\ddjpj.exe (c:\ddjpj.exe), PID 1496
125. \??\c:\pdddd.exe (c:\pdddd.exe), PID 752
126. \??\c:\lfrrxxf.exe (c:\lfrrxxf.exe), PID 2944: System Location Discovery: System Language Discovery
127. \??\c:\xfxfxlf.exe (c:\xfxfxlf.exe), PID 264
128. \??\c:\nnthhb.exe (c:\nnthhb.exe), PID 1316
129. \??\c:\vpvpv.exe (c:\vpvpv.exe), PID 520
130. \??\c:\vpdjp.exe (c:\vpdjp.exe), PID 1900
131. \??\c:\dppvv.exe (c:\dppvv.exe), PID 1516
132. \??\c:\flxrxrl.exe (c:\flxrxrl.exe), PID 1648
133. \??\c:\llrflfl.exe (c:\llrflfl.exe), PID 2036
134. \??\c:\hbthnb.exe (c:\hbthnb.exe), PID 2084
135. \??\c:\hbhhhb.exe (c:\hbhhhb.exe), PID 2072
136. \??\c:\5vvvj.exe (c:\5vvvj.exe), PID 2284
137. \??\c:\7vjjp.exe (c:\7vjjp.exe), PID 3004
138. \??\c:\5xxrxxr.exe (c:\5xxrxxr.exe), PID 1336
139. \??\c:\xlxfllx.exe (c:\xlxfllx.exe), PID 1972
140. \??\c:\xrffrrl.exe (c:\xrffrrl.exe), PID 1760
141. \??\c:\ttntnt.exe (c:\ttntnt.exe), PID 316
142. \??\c:\tntbnh.exe (c:\tntbnh.exe), PID 1360
143. \??\c:\ddvdj.exe (c:\ddvdj.exe), PID 288
144. \??\c:\ppjvd.exe (c:\ppjvd.exe), PID 2316
145. \??\c:\3rllxrl.exe (c:\3rllxrl.exe), PID 3012
146. \??\c:\lfllxxf.exe (c:\lfllxxf.exe), PID 1928
147. \??\c:\ttbbtb.exe (c:\ttbbtb.exe), PID 1040
148. \??\c:\nhbbbb.exe (c:\nhbbbb.exe), PID 2156
149. \??\c:\nnntbn.exe (c:\nnntbn.exe), PID 2384
150. \??\c:\vpjjj.exe (c:\vpjjj.exe), PID 1860
151. \??\c:\vvvjv.exe (c:\vvvjv.exe), PID 2428
152. \??\c:\xrllrxl.exe (c:\xrllrxl.exe), PID 2208
153. \??\c:\hbthnn.exe (c:\hbthnn.exe), PID 1692
154. \??\c:\tnbhnn.exe (c:\tnbhnn.exe), PID 2816
155. \??\c:\jdvvj.exe (c:\jdvvj.exe), PID 2860
156. \??\c:\1jpjj.exe (c:\1jpjj.exe), PID 2756
157. \??\c:\xrxxlfr.exe (c:\xrxxlfr.exe), PID 2740
158. \??\c:\nbbtbh.exe (c:\nbbtbh.exe), PID 2288
159. \??\c:\nnhhnn.exe (c:\nnhhnn.exe), PID 2720
160. \??\c:\vpvdj.exe (c:\vpvdj.exe), PID 2152
161. \??\c:\jpjdj.exe (c:\jpjdj.exe), PID 1620
162. \??\c:\7xrfrrf.exe (c:\7xrfrrf.exe), PID 2344
163. \??\c:\1bntbb.exe (c:\1bntbb.exe), PID 2656
164. \??\c:\nhnbtb.exe (c:\nhnbtb.exe), PID 2924
165. \??\c:\jpjdj.exe (c:\jpjdj.exe), PID 592
166. \??\c:\3jdvv.exe (c:\3jdvv.exe), PID 2500
167. \??\c:\xxllrxf.exe (c:\xxllrxf.exe), PID 2908
168. \??\c:\lfrrlxl.exe (c:\lfrrlxl.exe), PID 2868
169. \??\c:\thnhnn.exe (c:\thnhnn.exe), PID 2120
170. \??\c:\7vvdv.exe (c:\7vvdv.exe), PID 1836
171. \??\c:\jdppv.exe (c:\jdppv.exe), PID 2952
172. \??\c:\lxrlrll.exe (c:\lxrlrll.exe), PID 1736
173. \??\c:\frffllr.exe (c:\frffllr.exe), PID 2192
174. \??\c:\hhhnbn.exe (c:\hhhnbn.exe), PID 2540
175. \??\c:\pjpjp.exe (c:\pjpjp.exe), PID 2144
176. \??\c:\1pddp.exe (c:\1pddp.exe), PID 440
177. \??\c:\xlrllll.exe (c:\xlrllll.exe), PID 1640
178. \??\c:\frlfllr.exe (c:\frlfllr.exe), PID 1140
179. \??\c:\9nttbh.exe (c:\9nttbh.exe), PID 2992
180. \??\c:\tbbnht.exe (c:\tbbnht.exe), PID 1612
181. \??\c:\7ppvd.exe (c:\7ppvd.exe), PID 1628
182. \??\c:\jdppj.exe (c:\jdppj.exe), PID 296
183. \??\c:\lrxxrff.exe (c:\lrxxrff.exe), PID 2468
184. \??\c:\xrlfxxr.exe (c:\xrlfxxr.exe), PID 2316
185. \??\c:\btbhbh.exe (c:\btbhbh.exe), PID 1904
186. \??\c:\hhnbbt.exe (c:\hhnbbt.exe), PID 1688
187. \??\c:\7vvdv.exe (c:\7vvdv.exe), PID 2376
188. \??\c:\fxffflx.exe (c:\fxffflx.exe), PID 1596
189. \??\c:\thttbb.exe (c:\thttbb.exe), PID 1576
190. \??\c:\9fflxfx.exe (c:\9fflxfx.exe), PID 2964
191. \??\c:\thnntn.exe (c:\thnntn.exe), PID 2328
192. \??\c:\5thbbt.exe (c:\5thbbt.exe), PID 2172
193. \??\c:\xrlrxlx.exe (c:\xrlrxlx.exe), PID 2872
194. \??\c:\xrxrlrl.exe (c:\xrxrlrl.exe), PID 2724
195. \??\c:\thnthn.exe (c:\thnthn.exe), PID 2876
196. \??\c:\tnnhtb.exe (c:\tnnhtb.exe), PID 2888
197. \??\c:\jjdjd.exe (c:\jjdjd.exe), PID 2772
198. \??\c:\rxlxlrl.exe (c:\rxlxlrl.exe), PID 2832
199. \??\c:\lxxlrxx.exe (c:\lxxlrxx.exe), PID 2676
200. \??\c:\tnbtbh.exe (c:\tnbtbh.exe), PID 2672
201. \??\c:\hnnhnn.exe (c:\hnnhnn.exe), PID 2228
202. \??\c:\hththn.exe (c:\hththn.exe), PID 1100
203. \??\c:\1pvpp.exe (c:\1pvpp.exe), PID 1496
204. \??\c:\xrrrxxf.exe (c:\xrrrxxf.exe), PID 752
205. \??\c:\5xxxrxf.exe (c:\5xxxrxf.exe), PID 2944
206. \??\c:\7fffrfx.exe (c:\7fffrfx.exe), PID 264
207. \??\c:\hthhnn.exe (c:\hthhnn.exe), PID 1472
208. \??\c:\vjjvv.exe (c:\vjjvv.exe), PID 520
209. \??\c:\vpjvj.exe (c:\vpjvj.exe), PID 2116
210. \??\c:\lxfxfxr.exe (c:\lxfxfxr.exe), PID 1516
211. \??\c:\1rllxfl.exe (c:\1rllxfl.exe), PID 1808
212. \??\c:\tnnbnb.exe (c:\tnnbnb.exe), PID 2036
213. \??\c:\jdppd.exe (c:\jdppd.exe), PID 2084
214. \??\c:\vpvpp.exe (c:\vpvpp.exe), PID 404
215. \??\c:\frfflrx.exe (c:\frfflrx.exe), PID 772
216. \??\c:\5hbttn.exe (c:\5hbttn.exe), PID 3004
217. \??\c:\hntbtb.exe (c:\hntbtb.exe), PID 2136
218. \??\c:\vpjdv.exe (c:\vpjdv.exe), PID 1972
219. \??\c:\1pppv.exe (c:\1pppv.exe), PID 1760
220. \??\c:\3fffrrr.exe (c:\3fffrrr.exe), PID 2352
221. \??\c:\1lxflff.exe (c:\1lxflff.exe), PID 1360
222. \??\c:\hhbhnt.exe (c:\hhbhnt.exe), PID 288
223. \??\c:\nhhntt.exe (c:\nhhntt.exe), PID 1788
224. \??\c:\3jjpd.exe (c:\3jjpd.exe), PID 3012
225. \??\c:\ddpvd.exe (c:\ddpvd.exe), PID 1344
226. \??\c:\xlxrllf.exe (c:\xlxrllf.exe), PID 2308
227. \??\c:\fxlfrff.exe (c:\fxlfrff.exe), PID 2184
228. \??\c:\9hbhtb.exe (c:\9hbhtb.exe), PID 1584
229. \??\c:\ddpvd.exe (c:\ddpvd.exe), PID 2380
230. \??\c:\vpddp.exe (c:\vpddp.exe), PID 2276
231. \??\c:\5xlffxf.exe (c:\5xlffxf.exe), PID 1820
232. \??\c:\fxrrflx.exe (c:\fxrrflx.exe), PID 2728
233. \??\c:\hbtbnn.exe (c:\hbtbnn.exe), PID 2572
234. \??\c:\hbbhnt.exe (c:\hbbhnt.exe), PID 2828
235. \??\c:\jdpvd.exe (c:\jdpvd.exe), PID 2812
236. \??\c:\vpjpd.exe (c:\vpjpd.exe), PID 2800
237. \??\c:\lrrflfx.exe (c:\lrrflfx.exe), PID 2608
238. \??\c:\xxrflxr.exe (c:\xxrflxr.exe), PID 2600
239. \??\c:\hhhnhn.exe (c:\hhhnhn.exe), PID 1624
240. \??\c:\htthhh.exe (c:\htthhh.exe), PID 2664
241. \??\c:\ddvpv.exe (c:\ddvpv.exe), PID 952
242. \??\c:\3vjpv.exe (c:\3vjpv.exe), PID 1100