Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-10-2024 00:06
Static task
static1
Behavioral task
behavioral1
Sample
618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe
Resource
win7-20240903-en (note: the Analysis header above reports the win10v2004-20241007-en image, and every memory-dump hit below is tagged behavioral2 rather than behavioral1; this resource row appears to belong to a different task, so confirm which image produced the results before correlating them)
General
-
Target
618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe
-
Size
88KB
-
MD5
e6c2120a5267e7f106f9e1716031622b
-
SHA1
eef64e3a36ec9c8e2b5203c304645bb8b29a9610
-
SHA256
618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd
-
SHA512
53c9366af1003db7c99f8a50e373fda94d86db8046c353437af57dd27dbc6f5a30b1cfd33414db8c011d40dde42491f6f3d6e4792572b5081387c0ee90b5eb19
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JxJ4EUQnR:ymb3NkkiQ3mdBjFIWeFGyAsJ4a
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 26 IoCs (YARA hits on process memory dumps; every hit covers the same 0x0000000000400000-0x0000000000429000 image region in each process of the chain, which is consistent with each dropped EXE being a copy of the same ~88KB payload — verify by hashing the dropped files rather than relying on the memory rule alone)
Processes:
resource yara_rule behavioral2/memory/2664-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1536-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/60-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2580-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3608-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/8-39-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3608-34-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1912-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/408-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1012-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3548-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1872-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3008-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2748-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3960-109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1776-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1756-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2400-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4200-161-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4416-167-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3516-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2496-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2500-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5080-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/224-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing is capped at 64 entries; the process tree below continues to depth 242. Each stage is written to the volume root, e.g. \??\c:\frffxxr.exe, with a short name drawn from a small letter set plus an optional leading digit. PIDs recur along the chain — 8, 408, 1536, 1596 and 1776 each appear more than once — so earlier stages exit and their PIDs are reused; correlate on parent→child relationship and image path, not on PID alone)
Processes:
frffxxr.exenbnhbb.exevpjdv.exe5xrfffl.exe1xlfxxl.exebtnnhh.exeppjjd.exexfllrlr.exe7fxrllf.exenbthbt.exe7tnhnn.exefxlxfxf.exe5htnhh.exedpvpd.exejdjjp.exefxrlffx.exellfrllf.exe5bhhbb.exenhnnnh.exepvjdj.exerrrlxrr.exelxxxrrr.exehnnbbb.exe7dddv.exelffxxxl.exexflfxrl.exebbhhnn.exedvjdp.exe3jvpj.exefxrlfxr.exehhnntt.exehbtnhh.exedddvj.exerxfrfll.exe1rxrllf.exehnnhbb.exetbhnht.exedvpjd.exejvpdp.exerrlxrxx.exexrlxrrx.exetnnhbt.exehttnhh.exejjjdd.exedddvj.exexrrlxxf.exetbnhbb.exettnttt.exe1tthtt.exepjpjp.exe1jpdd.exe7llfrlf.exe9llrllx.exennnntt.exenhbtht.exeddpjd.exevdjdv.exe7xllfff.exe9fxxxrf.exebthbtb.exethhbtn.exevvdvj.exejdvjp.exejddvj.exepid process 1536 frffxxr.exe 60 nbnhbb.exe 2580 vpjdv.exe 3608 5xrfffl.exe 8 1xlfxxl.exe 3288 btnnhh.exe 1912 ppjjd.exe 408 xfllrlr.exe 1012 7fxrllf.exe 3548 nbthbt.exe 1872 7tnhnn.exe 3008 fxlxfxf.exe 2748 5htnhh.exe 3960 dpvpd.exe 960 jdjjp.exe 2896 fxrlffx.exe 4800 llfrllf.exe 1776 5bhhbb.exe 4492 nhnnnh.exe 1756 pvjdj.exe 1596 rrrlxrr.exe 2400 lxxxrrr.exe 4200 hnnbbb.exe 4416 7dddv.exe 3516 lffxxxl.exe 2172 xflfxrl.exe 2496 bbhhnn.exe 2500 dvjdp.exe 5080 3jvpj.exe 2292 fxrlfxr.exe 224 hhnntt.exe 2612 hbtnhh.exe 1560 dddvj.exe 4160 rxfrfll.exe 4996 1rxrllf.exe 4212 hnnhbb.exe 1552 tbhnht.exe 2708 dvpjd.exe 4232 jvpdp.exe 8 rrlxrxx.exe 464 xrlxrrx.exe 1040 tnnhbt.exe 1348 httnhh.exe 5084 jjjdd.exe 408 dddvj.exe 1632 xrrlxxf.exe 2408 tbnhbb.exe 1712 ttnttt.exe 4248 1tthtt.exe 4716 pjpjp.exe 832 1jpdd.exe 4608 7llfrlf.exe 2700 9llrllx.exe 5076 nnnntt.exe 2628 nhbtht.exe 4896 ddpjd.exe 3640 vdjdv.exe 1776 7xllfff.exe 4604 9fxxxrf.exe 3656 bthbtb.exe 2888 thhbtn.exe 1596 vvdvj.exe 4752 jdvjp.exe 4504 jddvj.exe -
Processes (regions matched by the `upx` YARA rule, i.e. UPX-packed code in the same 0x400000-0x429000 image range flagged above):
resource yara_rule behavioral2/memory/2664-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1536-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/60-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2580-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3608-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/8-39-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3288-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1912-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/408-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/408-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1012-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3548-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3548-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3548-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/408-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1872-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3008-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2748-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3960-109-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1776-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1756-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2400-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4200-161-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4416-167-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3516-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2496-188-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2500-190-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5080-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/224-207-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: the only evidence recorded here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, which many legitimate programs also perform via locale APIs; on its own this is a low-fidelity indicator and should be weighted together with the drop-and-execute chain above rather than alerted on alone.
Processes:
pjdvp.exe618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exexffxrfx.exeppvpj.exefrrlffx.exennnbhh.exe5pvpj.exerllfrfr.exentbhhh.exepjppd.exeppdvp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes three times into the child it has just spawned — the next stage in the chain — and no writes into unrelated or pre-existing processes are recorded; this pattern is consistent with ordinary process start-up rather than remote injection, so do not treat it as evidence of code injection without target-process detail beyond what is shown here)
Processes:
618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exefrffxxr.exenbnhbb.exevpjdv.exe5xrfffl.exe1xlfxxl.exebtnnhh.exeppjjd.exexfllrlr.exe7fxrllf.exenbthbt.exe7tnhnn.exefxlxfxf.exe5htnhh.exedpvpd.exejdjjp.exefxrlffx.exellfrllf.exe5bhhbb.exenhnnnh.exepvjdj.exerrrlxrr.exedescription pid process target process PID 2664 wrote to memory of 1536 2664 618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe frffxxr.exe PID 2664 wrote to memory of 1536 2664 618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe frffxxr.exe PID 2664 wrote to memory of 1536 2664 618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe frffxxr.exe PID 1536 wrote to memory of 60 1536 frffxxr.exe nbnhbb.exe PID 1536 wrote to memory of 60 1536 frffxxr.exe nbnhbb.exe PID 1536 wrote to memory of 60 1536 frffxxr.exe nbnhbb.exe PID 60 wrote to memory of 2580 60 nbnhbb.exe vpjdv.exe PID 60 wrote to memory of 2580 60 nbnhbb.exe vpjdv.exe PID 60 wrote to memory of 2580 60 nbnhbb.exe vpjdv.exe PID 2580 wrote to memory of 3608 2580 vpjdv.exe 5xrfffl.exe PID 2580 wrote to memory of 3608 2580 vpjdv.exe 5xrfffl.exe PID 2580 wrote to memory of 3608 2580 vpjdv.exe 5xrfffl.exe PID 3608 wrote to memory of 8 3608 5xrfffl.exe 1xlfxxl.exe PID 3608 wrote to memory of 8 3608 5xrfffl.exe 1xlfxxl.exe PID 3608 wrote to memory of 8 3608 5xrfffl.exe 1xlfxxl.exe PID 8 wrote to memory of 3288 8 1xlfxxl.exe btnnhh.exe PID 8 wrote to memory of 3288 8 1xlfxxl.exe btnnhh.exe PID 8 wrote to memory of 3288 8 1xlfxxl.exe btnnhh.exe PID 3288 wrote to memory of 1912 3288 btnnhh.exe ppjjd.exe PID 3288 wrote to memory of 1912 3288 btnnhh.exe ppjjd.exe PID 3288 wrote to memory of 1912 3288 btnnhh.exe ppjjd.exe PID 1912 wrote to memory of 408 1912 ppjjd.exe xfllrlr.exe PID 1912 wrote to memory of 408 1912 ppjjd.exe xfllrlr.exe PID 1912 wrote to memory of 408 1912 ppjjd.exe xfllrlr.exe PID 408 wrote to memory of 1012 408 xfllrlr.exe 7fxrllf.exe PID 408 wrote to memory of 1012 408 
xfllrlr.exe 7fxrllf.exe PID 408 wrote to memory of 1012 408 xfllrlr.exe 7fxrllf.exe PID 1012 wrote to memory of 3548 1012 7fxrllf.exe nbthbt.exe PID 1012 wrote to memory of 3548 1012 7fxrllf.exe nbthbt.exe PID 1012 wrote to memory of 3548 1012 7fxrllf.exe nbthbt.exe PID 3548 wrote to memory of 1872 3548 nbthbt.exe 7tnhnn.exe PID 3548 wrote to memory of 1872 3548 nbthbt.exe 7tnhnn.exe PID 3548 wrote to memory of 1872 3548 nbthbt.exe 7tnhnn.exe PID 1872 wrote to memory of 3008 1872 7tnhnn.exe fxlxfxf.exe PID 1872 wrote to memory of 3008 1872 7tnhnn.exe fxlxfxf.exe PID 1872 wrote to memory of 3008 1872 7tnhnn.exe fxlxfxf.exe PID 3008 wrote to memory of 2748 3008 fxlxfxf.exe 5htnhh.exe PID 3008 wrote to memory of 2748 3008 fxlxfxf.exe 5htnhh.exe PID 3008 wrote to memory of 2748 3008 fxlxfxf.exe 5htnhh.exe PID 2748 wrote to memory of 3960 2748 5htnhh.exe dpvpd.exe PID 2748 wrote to memory of 3960 2748 5htnhh.exe dpvpd.exe PID 2748 wrote to memory of 3960 2748 5htnhh.exe dpvpd.exe PID 3960 wrote to memory of 960 3960 dpvpd.exe jdjjp.exe PID 3960 wrote to memory of 960 3960 dpvpd.exe jdjjp.exe PID 3960 wrote to memory of 960 3960 dpvpd.exe jdjjp.exe PID 960 wrote to memory of 2896 960 jdjjp.exe fxrlffx.exe PID 960 wrote to memory of 2896 960 jdjjp.exe fxrlffx.exe PID 960 wrote to memory of 2896 960 jdjjp.exe fxrlffx.exe PID 2896 wrote to memory of 4800 2896 fxrlffx.exe llfrllf.exe PID 2896 wrote to memory of 4800 2896 fxrlffx.exe llfrllf.exe PID 2896 wrote to memory of 4800 2896 fxrlffx.exe llfrllf.exe PID 4800 wrote to memory of 1776 4800 llfrllf.exe 5bhhbb.exe PID 4800 wrote to memory of 1776 4800 llfrllf.exe 5bhhbb.exe PID 4800 wrote to memory of 1776 4800 llfrllf.exe 5bhhbb.exe PID 1776 wrote to memory of 4492 1776 5bhhbb.exe nhnnnh.exe PID 1776 wrote to memory of 4492 1776 5bhhbb.exe nhnnnh.exe PID 1776 wrote to memory of 4492 1776 5bhhbb.exe nhnnnh.exe PID 4492 wrote to memory of 1756 4492 nhnnnh.exe pvjdj.exe PID 4492 wrote to memory of 1756 4492 nhnnnh.exe 
pvjdj.exe PID 4492 wrote to memory of 1756 4492 nhnnnh.exe pvjdj.exe PID 1756 wrote to memory of 1596 1756 pvjdj.exe rrrlxrr.exe PID 1756 wrote to memory of 1596 1756 pvjdj.exe rrrlxrr.exe PID 1756 wrote to memory of 1596 1756 pvjdj.exe rrrlxrr.exe PID 1596 wrote to memory of 2400 1596 rrrlxrr.exe lxxxrrr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe"C:\Users\Admin\AppData\Local\Temp\618b0677149604f8029e8489db5c680f459e7f150c724652ec8cbfe73b7b38dd.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\frffxxr.exec:\frffxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\nbnhbb.exec:\nbnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\vpjdv.exec:\vpjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\5xrfffl.exec:\5xrfffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\1xlfxxl.exec:\1xlfxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\btnnhh.exec:\btnnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\ppjjd.exec:\ppjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\xfllrlr.exec:\xfllrlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\7fxrllf.exec:\7fxrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\nbthbt.exec:\nbthbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\7tnhnn.exec:\7tnhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\fxlxfxf.exec:\fxlxfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\5htnhh.exec:\5htnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\dpvpd.exec:\dpvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\jdjjp.exec:\jdjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\fxrlffx.exec:\fxrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\llfrllf.exec:\llfrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\5bhhbb.exec:\5bhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\nhnnnh.exec:\nhnnnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\pvjdj.exec:\pvjdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\rrrlxrr.exec:\rrrlxrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\hnnbbb.exec:\hnnbbb.exe24⤵
- Executes dropped EXE
PID:4200 -
\??\c:\7dddv.exec:\7dddv.exe25⤵
- Executes dropped EXE
PID:4416 -
\??\c:\lffxxxl.exec:\lffxxxl.exe26⤵
- Executes dropped EXE
PID:3516 -
\??\c:\xflfxrl.exec:\xflfxrl.exe27⤵
- Executes dropped EXE
PID:2172 -
\??\c:\bbhhnn.exec:\bbhhnn.exe28⤵
- Executes dropped EXE
PID:2496 -
\??\c:\dvjdp.exec:\dvjdp.exe29⤵
- Executes dropped EXE
PID:2500 -
\??\c:\3jvpj.exec:\3jvpj.exe30⤵
- Executes dropped EXE
PID:5080 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe31⤵
- Executes dropped EXE
PID:2292 -
\??\c:\hhnntt.exec:\hhnntt.exe32⤵
- Executes dropped EXE
PID:224 -
\??\c:\hbtnhh.exec:\hbtnhh.exe33⤵
- Executes dropped EXE
PID:2612 -
\??\c:\dddvj.exec:\dddvj.exe34⤵
- Executes dropped EXE
PID:1560 -
\??\c:\rxfrfll.exec:\rxfrfll.exe35⤵
- Executes dropped EXE
PID:4160 -
\??\c:\1rxrllf.exec:\1rxrllf.exe36⤵
- Executes dropped EXE
PID:4996 -
\??\c:\hnnhbb.exec:\hnnhbb.exe37⤵
- Executes dropped EXE
PID:4212 -
\??\c:\tbhnht.exec:\tbhnht.exe38⤵
- Executes dropped EXE
PID:1552 -
\??\c:\dvpjd.exec:\dvpjd.exe39⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jvpdp.exec:\jvpdp.exe40⤵
- Executes dropped EXE
PID:4232 -
\??\c:\rrlxrxx.exec:\rrlxrxx.exe41⤵
- Executes dropped EXE
PID:8 -
\??\c:\xrlxrrx.exec:\xrlxrrx.exe42⤵
- Executes dropped EXE
PID:464 -
\??\c:\tnnhbt.exec:\tnnhbt.exe43⤵
- Executes dropped EXE
PID:1040 -
\??\c:\httnhh.exec:\httnhh.exe44⤵
- Executes dropped EXE
PID:1348 -
\??\c:\jjjdd.exec:\jjjdd.exe45⤵
- Executes dropped EXE
PID:5084 -
\??\c:\dddvj.exec:\dddvj.exe46⤵
- Executes dropped EXE
PID:408 -
\??\c:\xrrlxxf.exec:\xrrlxxf.exe47⤵
- Executes dropped EXE
PID:1632 -
\??\c:\tbnhbb.exec:\tbnhbb.exe48⤵
- Executes dropped EXE
PID:2408 -
\??\c:\ttnttt.exec:\ttnttt.exe49⤵
- Executes dropped EXE
PID:1712 -
\??\c:\1tthtt.exec:\1tthtt.exe50⤵
- Executes dropped EXE
PID:4248 -
\??\c:\pjpjp.exec:\pjpjp.exe51⤵
- Executes dropped EXE
PID:4716 -
\??\c:\1jpdd.exec:\1jpdd.exe52⤵
- Executes dropped EXE
PID:832 -
\??\c:\7llfrlf.exec:\7llfrlf.exe53⤵
- Executes dropped EXE
PID:4608 -
\??\c:\9llrllx.exec:\9llrllx.exe54⤵
- Executes dropped EXE
PID:2700 -
\??\c:\nnnntt.exec:\nnnntt.exe55⤵
- Executes dropped EXE
PID:5076 -
\??\c:\nhbtht.exec:\nhbtht.exe56⤵
- Executes dropped EXE
PID:2628 -
\??\c:\ddpjd.exec:\ddpjd.exe57⤵
- Executes dropped EXE
PID:4896 -
\??\c:\vdjdv.exec:\vdjdv.exe58⤵
- Executes dropped EXE
PID:3640 -
\??\c:\7xllfff.exec:\7xllfff.exe59⤵
- Executes dropped EXE
PID:1776 -
\??\c:\9fxxxrf.exec:\9fxxxrf.exe60⤵
- Executes dropped EXE
PID:4604 -
\??\c:\bthbtb.exec:\bthbtb.exe61⤵
- Executes dropped EXE
PID:3656 -
\??\c:\thhbtn.exec:\thhbtn.exe62⤵
- Executes dropped EXE
PID:2888 -
\??\c:\vvdvj.exec:\vvdvj.exe63⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jdvjp.exec:\jdvjp.exe64⤵
- Executes dropped EXE
PID:4752 -
\??\c:\jddvj.exec:\jddvj.exe65⤵
- Executes dropped EXE
PID:4504 -
\??\c:\lllfxxr.exec:\lllfxxr.exe66⤵PID:2728
-
\??\c:\hnntth.exec:\hnntth.exe67⤵PID:5048
-
\??\c:\tbbttt.exec:\tbbttt.exe68⤵PID:3644
-
\??\c:\7dpjv.exec:\7dpjv.exe69⤵PID:624
-
\??\c:\ddpjj.exec:\ddpjj.exe70⤵PID:2876
-
\??\c:\xxrrlxr.exec:\xxrrlxr.exe71⤵PID:4952
-
\??\c:\7thhnn.exec:\7thhnn.exe72⤵PID:3672
-
\??\c:\vpjjv.exec:\vpjjv.exe73⤵PID:620
-
\??\c:\dppdv.exec:\dppdv.exe74⤵PID:2536
-
\??\c:\lfxrffx.exec:\lfxrffx.exe75⤵PID:3052
-
\??\c:\ffllxlf.exec:\ffllxlf.exe76⤵PID:1744
-
\??\c:\hhhbtt.exec:\hhhbtt.exe77⤵PID:3664
-
\??\c:\tnhbnb.exec:\tnhbnb.exe78⤵PID:4420
-
\??\c:\pvdvj.exec:\pvdvj.exe79⤵PID:4000
-
\??\c:\vppjp.exec:\vppjp.exe80⤵PID:744
-
\??\c:\ffrllxf.exec:\ffrllxf.exe81⤵PID:1536
-
\??\c:\7fllfff.exec:\7fllfff.exe82⤵PID:1692
-
\??\c:\hbtbhh.exec:\hbtbhh.exe83⤵PID:4664
-
\??\c:\jdvvj.exec:\jdvvj.exe84⤵PID:3928
-
\??\c:\1jvpj.exec:\1jvpj.exe85⤵PID:3484
-
\??\c:\ppjdp.exec:\ppjdp.exe86⤵PID:2112
-
\??\c:\xfrfxxr.exec:\xfrfxxr.exe87⤵PID:5060
-
\??\c:\3frlllr.exec:\3frlllr.exe88⤵PID:4028
-
\??\c:\bbtntb.exec:\bbtntb.exe89⤵PID:3940
-
\??\c:\pvdvv.exec:\pvdvv.exe90⤵PID:372
-
\??\c:\vvjjd.exec:\vvjjd.exe91⤵PID:1648
-
\??\c:\llfrlff.exec:\llfrlff.exe92⤵PID:3548
-
\??\c:\lxfxfxf.exec:\lxfxfxf.exe93⤵PID:2408
-
\??\c:\hbhhhn.exec:\hbhhhn.exe94⤵PID:3084
-
\??\c:\hthbbb.exec:\hthbbb.exe95⤵PID:3008
-
\??\c:\vvjdd.exec:\vvjdd.exe96⤵PID:3200
-
\??\c:\pvdvj.exec:\pvdvj.exe97⤵PID:832
-
\??\c:\lflxxrr.exec:\lflxxrr.exe98⤵PID:1992
-
\??\c:\rllffxf.exec:\rllffxf.exe99⤵PID:3376
-
\??\c:\ttbtnn.exec:\ttbtnn.exe100⤵PID:5076
-
\??\c:\nhbtnt.exec:\nhbtnt.exe101⤵PID:2628
-
\??\c:\pdjdv.exec:\pdjdv.exe102⤵PID:3628
-
\??\c:\dvddd.exec:\dvddd.exe103⤵PID:4072
-
\??\c:\rxlfrrx.exec:\rxlfrrx.exe104⤵PID:3824
-
\??\c:\nbtnhn.exec:\nbtnhn.exe105⤵PID:4344
-
\??\c:\5bbbnn.exec:\5bbbnn.exe106⤵PID:2892
-
\??\c:\1vdvj.exec:\1vdvj.exe107⤵PID:920
-
\??\c:\pvvpd.exec:\pvvpd.exe108⤵PID:4668
-
\??\c:\9xfrllf.exec:\9xfrllf.exe109⤵PID:2724
-
\??\c:\fxrlfff.exec:\fxrlfff.exe110⤵PID:1664
-
\??\c:\btbtnt.exec:\btbtnt.exe111⤵PID:4648
-
\??\c:\thnnhn.exec:\thnnhn.exe112⤵PID:732
-
\??\c:\hthbbt.exec:\hthbbt.exe113⤵PID:2712
-
\??\c:\ppjdp.exec:\ppjdp.exe114⤵PID:2532
-
\??\c:\dvjdv.exec:\dvjdv.exe115⤵PID:3836
-
\??\c:\xxrlrxx.exec:\xxrlrxx.exe116⤵PID:2500
-
\??\c:\fxlxfxx.exec:\fxlxfxx.exe117⤵PID:4832
-
\??\c:\thnhhh.exec:\thnhhh.exe118⤵PID:524
-
\??\c:\bbthth.exec:\bbthth.exe119⤵PID:1716
-
\??\c:\pddvj.exec:\pddvj.exe120⤵PID:364
-
\??\c:\dvpjv.exec:\dvpjv.exe121⤵PID:2952
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe122⤵PID:3956
-
\??\c:\xxxrxlr.exec:\xxxrxlr.exe123⤵PID:4960
-
\??\c:\fxlfffl.exec:\fxlfffl.exe124⤵PID:4488
-
\??\c:\hhnhnn.exec:\hhnhnn.exe125⤵PID:1536
-
\??\c:\1bbbbt.exec:\1bbbbt.exe126⤵PID:1692
-
\??\c:\pjdvp.exec:\pjdvp.exe127⤵PID:2576
-
\??\c:\vdvpp.exec:\vdvpp.exe128⤵PID:4456
-
\??\c:\jvjjv.exec:\jvjjv.exe129⤵PID:1740
-
\??\c:\xffxrfx.exec:\xffxrfx.exe130⤵
- System Location Discovery: System Language Discovery
PID:464 -
\??\c:\xllrlxr.exec:\xllrlxr.exe131⤵PID:1912
-
\??\c:\tnbthh.exec:\tnbthh.exe132⤵PID:2688
-
\??\c:\bhhbnh.exec:\bhhbnh.exe133⤵PID:232
-
\??\c:\btbtnn.exec:\btbtnn.exe134⤵PID:3220
-
\??\c:\pvvpp.exec:\pvvpp.exe135⤵PID:1648
-
\??\c:\vjjdv.exec:\vjjdv.exe136⤵PID:4736
-
\??\c:\xllfxxr.exec:\xllfxxr.exe137⤵PID:2248
-
\??\c:\fxxxrll.exec:\fxxxrll.exe138⤵PID:2760
-
\??\c:\lxllffx.exec:\lxllffx.exe139⤵PID:3596
-
\??\c:\5bnnnh.exec:\5bnnnh.exe140⤵PID:2168
-
\??\c:\7nnhtt.exec:\7nnhtt.exe141⤵PID:1960
-
\??\c:\3pvvp.exec:\3pvvp.exe142⤵PID:2896
-
\??\c:\lfrllff.exec:\lfrllff.exe143⤵PID:3376
-
\??\c:\lfxrllf.exec:\lfxrllf.exe144⤵PID:4896
-
\??\c:\3fxlfrf.exec:\3fxlfrf.exe145⤵PID:4556
-
\??\c:\hbhhbb.exec:\hbhhbb.exe146⤵PID:3388
-
\??\c:\5hnhhh.exec:\5hnhhh.exe147⤵PID:452
-
\??\c:\pjjdp.exec:\pjjdp.exe148⤵PID:2216
-
\??\c:\vpjdp.exec:\vpjdp.exe149⤵PID:2888
-
\??\c:\lrrfffr.exec:\lrrfffr.exe150⤵PID:1596
-
\??\c:\3ntbtb.exec:\3ntbtb.exe151⤵PID:2040
-
\??\c:\3ffxrlx.exec:\3ffxrlx.exe152⤵PID:4964
-
\??\c:\frrrxxx.exec:\frrrxxx.exe153⤵PID:4284
-
\??\c:\nhbtnh.exec:\nhbtnh.exe154⤵PID:4976
-
\??\c:\rlrllfx.exec:\rlrllfx.exe155⤵PID:1460
-
\??\c:\7frfxrx.exec:\7frfxrx.exe156⤵PID:3632
-
\??\c:\hththb.exec:\hththb.exe157⤵PID:216
-
\??\c:\vvpdv.exec:\vvpdv.exe158⤵PID:1376
-
\??\c:\rlxlxrf.exec:\rlxlxrf.exe159⤵PID:3988
-
\??\c:\nbtbnh.exec:\nbtbnh.exe160⤵PID:4912
-
\??\c:\nhhthb.exec:\nhhthb.exe161⤵PID:5080
-
\??\c:\jvvpd.exec:\jvvpd.exe162⤵PID:1744
-
\??\c:\3ppjj.exec:\3ppjj.exe163⤵PID:2612
-
\??\c:\xfxlrlf.exec:\xfxlrlf.exe164⤵PID:3664
-
\??\c:\rxrlxrf.exec:\rxrlxrf.exe165⤵PID:4588
-
\??\c:\tbbthb.exec:\tbbthb.exe166⤵PID:1132
-
\??\c:\vjdpv.exec:\vjdpv.exe167⤵PID:2624
-
\??\c:\vdppd.exec:\vdppd.exe168⤵PID:4212
-
\??\c:\fxfxlrl.exec:\fxfxlrl.exe169⤵PID:4296
-
\??\c:\llrrlrx.exec:\llrrlrx.exe170⤵PID:3320
-
\??\c:\btntbt.exec:\btntbt.exe171⤵PID:4332
-
\??\c:\nhttbh.exec:\nhttbh.exe172⤵PID:968
-
\??\c:\9jdpv.exec:\9jdpv.exe173⤵PID:1604
-
\??\c:\dvdpp.exec:\dvdpp.exe174⤵PID:3968
-
\??\c:\ffrrfxr.exec:\ffrrfxr.exe175⤵PID:3428
-
\??\c:\hhhtnn.exec:\hhhtnn.exe176⤵PID:4384
-
\??\c:\bnbnhb.exec:\bnbnhb.exe177⤵PID:3324
-
\??\c:\jvpdp.exec:\jvpdp.exe178⤵PID:220
-
\??\c:\1dvpd.exec:\1dvpd.exe179⤵PID:1712
-
\??\c:\frxrxll.exec:\frxrxll.exe180⤵PID:4248
-
\??\c:\1htnbh.exec:\1htnbh.exe181⤵PID:4348
-
\??\c:\nbthbt.exec:\nbthbt.exe182⤵PID:1000
-
\??\c:\5vjvd.exec:\5vjvd.exe183⤵PID:4608
-
\??\c:\jvjjd.exec:\jvjjd.exe184⤵PID:3808
-
\??\c:\1xlrlff.exec:\1xlrlff.exe185⤵PID:2232
-
\??\c:\thhttn.exec:\thhttn.exe186⤵PID:4168
-
\??\c:\bnhthb.exec:\bnhthb.exe187⤵PID:2960
-
\??\c:\pdpjp.exec:\pdpjp.exe188⤵PID:2652
-
\??\c:\7rrffxl.exec:\7rrffxl.exe189⤵PID:3688
-
\??\c:\xlxffxl.exec:\xlxffxl.exe190⤵PID:3824
-
\??\c:\rfrfxrx.exec:\rfrfxrx.exe191⤵PID:2928
-
\??\c:\9nnbnh.exec:\9nnbnh.exe192⤵PID:2400
-
\??\c:\vddpd.exec:\vddpd.exe193⤵PID:2336
-
\??\c:\pjdvd.exec:\pjdvd.exe194⤵PID:3724
-
\??\c:\frlxlfx.exec:\frlxlfx.exe195⤵PID:2260
-
\??\c:\xlflxrr.exec:\xlflxrr.exe196⤵PID:316
-
\??\c:\bnhthb.exec:\bnhthb.exe197⤵PID:1844
-
\??\c:\hbbtbt.exec:\hbbtbt.exe198⤵PID:3384
-
\??\c:\jdpjp.exec:\jdpjp.exe199⤵PID:2920
-
\??\c:\7jjvd.exec:\7jjvd.exe200⤵PID:3836
-
\??\c:\rffrrlx.exec:\rffrrlx.exe201⤵PID:4936
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe202⤵PID:3988
-
\??\c:\3bbnbt.exec:\3bbnbt.exe203⤵PID:3052
-
\??\c:\jjpdv.exec:\jjpdv.exe204⤵PID:4820
-
\??\c:\9ddpv.exec:\9ddpv.exe205⤵PID:4412
-
\??\c:\ttbnht.exec:\ttbnht.exe206⤵PID:2952
-
\??\c:\vjddp.exec:\vjddp.exe207⤵PID:4000
-
\??\c:\lffrfrf.exec:\lffrfrf.exe208⤵PID:4104
-
\??\c:\9xfrrlr.exec:\9xfrrlr.exe209⤵PID:2984
-
\??\c:\ffrfrxl.exec:\ffrfrxl.exe210⤵PID:3608
-
\??\c:\btnhtn.exec:\btnhtn.exe211⤵PID:4516
-
\??\c:\pjjdp.exec:\pjjdp.exe212⤵PID:4044
-
\??\c:\vpjjd.exec:\vpjjd.exe213⤵PID:3288
-
\??\c:\ffrfrfl.exec:\ffrfrfl.exe214⤵PID:1772
-
\??\c:\nhnhbh.exec:\nhnhbh.exe215⤵PID:968
-
\??\c:\hthbnb.exec:\hthbnb.exe216⤵PID:1348
-
\??\c:\dpdpd.exec:\dpdpd.exe217⤵PID:5084
-
\??\c:\jppjv.exec:\jppjv.exe218⤵PID:3312
-
\??\c:\rllxflf.exec:\rllxflf.exe219⤵PID:4700
-
\??\c:\rxrlxxl.exec:\rxrlxxl.exe220⤵PID:2408
-
\??\c:\7thbtn.exec:\7thbtn.exe221⤵PID:4736
-
\??\c:\jdvpd.exec:\jdvpd.exe222⤵PID:3752
-
\??\c:\vjvpv.exec:\vjvpv.exe223⤵PID:1196
-
\??\c:\3ffrrlx.exec:\3ffrrlx.exe224⤵PID:4512
-
\??\c:\xfxxlrl.exec:\xfxxlrl.exe225⤵PID:560
-
\??\c:\nhnbtn.exec:\nhnbtn.exe226⤵PID:1824
-
\??\c:\thhtnb.exec:\thhtnb.exe227⤵PID:4800
-
\??\c:\jdjjj.exec:\jdjjj.exe228⤵PID:2232
-
\??\c:\9fffxrl.exec:\9fffxrl.exe229⤵PID:5116
-
\??\c:\xllxrrl.exec:\xllxrrl.exe230⤵PID:2960
-
\??\c:\7tttnt.exec:\7tttnt.exe231⤵PID:2652
-
\??\c:\tntbnn.exec:\tntbnn.exe232⤵PID:2772
-
\??\c:\vvddj.exec:\vvddj.exe233⤵PID:4656
-
\??\c:\dpvjd.exec:\dpvjd.exe234⤵PID:2928
-
\??\c:\frrlxxr.exec:\frrlxxr.exe235⤵PID:2400
-
\??\c:\rrxrrll.exec:\rrxrrll.exe236⤵PID:3420
-
\??\c:\bhbhbt.exec:\bhbhbt.exe237⤵PID:3724
-
\??\c:\bnhbnn.exec:\bnhbnn.exe238⤵PID:2284
-
\??\c:\vjddp.exec:\vjddp.exe239⤵PID:4976
-
\??\c:\ddppp.exec:\ddppp.exe240⤵PID:4924
-
\??\c:\rxfxrll.exec:\rxfxrll.exe241⤵PID:4952
-
\??\c:\tnhbnn.exec:\tnhbnn.exe242⤵PID:2532