Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2024 08:19
Static task
static1
Behavioral task
behavioral1
Sample
6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c.exe
Resource
win7-20240903-en
General
-
Target
6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c.exe
-
Size
89KB
-
MD5
ac6330b3a0beca73c6750a91cc010ac5
-
SHA1
42f9bc84b2780b172119527b58d359f2df3eb60f
-
SHA256
6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c
-
SHA512
4184929f5e7dfcbecc99d1baf61a56b9a176d0b8d306703bc66986e8c8c22ceb79783a0d4c3b8f26e489a4071d23a0128d688fee3198256dcf71855909a08caa
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIJSLCBCO+HlMO7s0yL+xwl:ymb3NkkiQ3mdBjFIwLMoHW8yL+xc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 25 IoCs
resource yara_rule behavioral2/memory/2168-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2168-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1776-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2588-22-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4032-31-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2104-44-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/216-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/312-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2076-71-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5080-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1392-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4964-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5040-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2232-107-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3708-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2420-125-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3480-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1020-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4312-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4668-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4180-185-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3424-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/532-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4436-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3952-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1776 xxxrrxx.exe 2588 btnnht.exe 4032 802042.exe 216 6286640.exe 2104 444200.exe 312 5hnnnn.exe 4600 q66608.exe 2076 tbnttb.exe 5080 682024.exe 1392 s0008.exe 4964 ttntbt.exe 5040 jddpd.exe 2232 m2248.exe 3708 648686.exe 2752 tbhhtt.exe 2420 288604.exe 836 8826086.exe 3560 4884844.exe 3480 662226.exe 4312 nbhbhh.exe 1020 08266.exe 3600 jvpjd.exe 4668 04426.exe 1948 8646224.exe 4728 lxfffll.exe 4180 84000.exe 3424 rlfxxff.exe 532 9ntttb.exe 4436 8404882.exe 3952 htnhth.exe 2832 jdvpd.exe 848 rrlxllx.exe 5000 fxrfrfx.exe 4696 q28246.exe 4376 jvjpj.exe 4716 lrffrxx.exe 4056 htnbht.exe 3956 w04204.exe 3488 4200042.exe 3900 w42860.exe 2088 vpjjp.exe 1664 6060000.exe 1460 3frrxff.exe 1572 0060044.exe 3620 04246pp.exe 2404 dvvvv.exe 4336 frxrrfr.exe 4880 rllffxr.exe 5080 6268840.exe 4160 04808.exe 3804 bthnnt.exe 2252 ppjvp.exe 4964 vdvpv.exe 5040 nnttnt.exe 4332 tntnhb.exe 4764 lxrllrx.exe 1112 nntnhb.exe 3236 vvdpp.exe 4592 84220.exe 4928 dvvjd.exe 2780 6662244.exe 520 488248.exe 4980 tntbbh.exe 4272 lxffflr.exe -
resource yara_rule behavioral2/memory/2168-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2168-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1776-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1776-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1776-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1776-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2588-22-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4032-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4032-31-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2104-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/216-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4032-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/312-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/312-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2076-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2076-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5080-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5080-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5080-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1392-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1392-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1392-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4964-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5040-101-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2232-107-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3708-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2420-125-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3480-146-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1020-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4312-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4668-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4180-185-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3424-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/532-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4436-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3952-209-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8448608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8864062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442020.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2840602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthnth.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2168 wrote to memory of 1776 2168 6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c.exe 84 PID 2168 wrote to memory of 1776 2168 6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c.exe 84 PID 2168 wrote to memory of 1776 2168 6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c.exe 84 PID 1776 wrote to memory of 2588 1776 xxxrrxx.exe 85 PID 1776 wrote to memory of 2588 1776 xxxrrxx.exe 85 PID 1776 wrote to memory of 2588 1776 xxxrrxx.exe 85 PID 2588 wrote to memory of 4032 2588 btnnht.exe 86 PID 2588 wrote to memory of 4032 2588 btnnht.exe 86 PID 2588 wrote to memory of 4032 2588 btnnht.exe 86 PID 4032 wrote to memory of 216 4032 802042.exe 87 PID 4032 wrote to memory of 216 4032 802042.exe 87 PID 4032 wrote to memory of 216 4032 802042.exe 87 PID 216 wrote to memory of 2104 216 6286640.exe 88 PID 216 wrote to memory of 2104 216 6286640.exe 88 PID 216 wrote to memory of 2104 216 6286640.exe 88 PID 2104 wrote to memory of 312 2104 444200.exe 89 PID 2104 wrote to memory of 312 2104 444200.exe 89 PID 2104 wrote to memory of 312 2104 444200.exe 89 PID 312 wrote to memory of 4600 312 5hnnnn.exe 90 PID 312 wrote to memory of 4600 312 5hnnnn.exe 90 PID 312 wrote to memory of 4600 312 5hnnnn.exe 90 PID 4600 wrote to memory of 2076 4600 q66608.exe 91 PID 4600 wrote to memory of 2076 4600 q66608.exe 91 PID 4600 wrote to memory of 2076 4600 q66608.exe 91 PID 2076 wrote to memory of 5080 2076 tbnttb.exe 92 PID 2076 wrote to memory of 5080 2076 tbnttb.exe 92 PID 2076 wrote to memory of 5080 2076 tbnttb.exe 92 PID 5080 wrote to memory of 1392 5080 682024.exe 93 PID 5080 wrote to memory of 1392 5080 682024.exe 93 PID 5080 wrote to memory of 1392 5080 682024.exe 93 PID 1392 wrote to memory of 4964 1392 s0008.exe 94 PID 1392 wrote to memory of 4964 1392 s0008.exe 94 PID 1392 wrote to memory of 4964 1392 s0008.exe 94 PID 4964 wrote to memory of 5040 4964 ttntbt.exe 95 PID 4964 wrote to memory of 5040 
4964 ttntbt.exe 95 PID 4964 wrote to memory of 5040 4964 ttntbt.exe 95 PID 5040 wrote to memory of 2232 5040 jddpd.exe 96 PID 5040 wrote to memory of 2232 5040 jddpd.exe 96 PID 5040 wrote to memory of 2232 5040 jddpd.exe 96 PID 2232 wrote to memory of 3708 2232 m2248.exe 97 PID 2232 wrote to memory of 3708 2232 m2248.exe 97 PID 2232 wrote to memory of 3708 2232 m2248.exe 97 PID 3708 wrote to memory of 2752 3708 648686.exe 98 PID 3708 wrote to memory of 2752 3708 648686.exe 98 PID 3708 wrote to memory of 2752 3708 648686.exe 98 PID 2752 wrote to memory of 2420 2752 tbhhtt.exe 99 PID 2752 wrote to memory of 2420 2752 tbhhtt.exe 99 PID 2752 wrote to memory of 2420 2752 tbhhtt.exe 99 PID 2420 wrote to memory of 836 2420 288604.exe 100 PID 2420 wrote to memory of 836 2420 288604.exe 100 PID 2420 wrote to memory of 836 2420 288604.exe 100 PID 836 wrote to memory of 3560 836 8826086.exe 101 PID 836 wrote to memory of 3560 836 8826086.exe 101 PID 836 wrote to memory of 3560 836 8826086.exe 101 PID 3560 wrote to memory of 3480 3560 4884844.exe 102 PID 3560 wrote to memory of 3480 3560 4884844.exe 102 PID 3560 wrote to memory of 3480 3560 4884844.exe 102 PID 3480 wrote to memory of 4312 3480 662226.exe 103 PID 3480 wrote to memory of 4312 3480 662226.exe 103 PID 3480 wrote to memory of 4312 3480 662226.exe 103 PID 4312 wrote to memory of 1020 4312 nbhbhh.exe 104 PID 4312 wrote to memory of 1020 4312 nbhbhh.exe 104 PID 4312 wrote to memory of 1020 4312 nbhbhh.exe 104 PID 1020 wrote to memory of 3600 1020 08266.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c.exe"C:\Users\Admin\AppData\Local\Temp\6c9f1d4db12ffa97658705b5f2d0627731969f346b9d0646268c5b76c0f0724c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\xxxrrxx.exec:\xxxrrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\btnnht.exec:\btnnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\802042.exec:\802042.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\6286640.exec:\6286640.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\444200.exec:\444200.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\5hnnnn.exec:\5hnnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\q66608.exec:\q66608.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\tbnttb.exec:\tbnttb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\682024.exec:\682024.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\s0008.exec:\s0008.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\ttntbt.exec:\ttntbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\jddpd.exec:\jddpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\m2248.exec:\m2248.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\648686.exec:\648686.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\tbhhtt.exec:\tbhhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\288604.exec:\288604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\8826086.exec:\8826086.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\4884844.exec:\4884844.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\662226.exec:\662226.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\nbhbhh.exec:\nbhbhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\08266.exec:\08266.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\jvpjd.exec:\jvpjd.exe23⤵
- Executes dropped EXE
PID:3600 -
\??\c:\04426.exec:\04426.exe24⤵
- Executes dropped EXE
PID:4668 -
\??\c:\8646224.exec:\8646224.exe25⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lxfffll.exec:\lxfffll.exe26⤵
- Executes dropped EXE
PID:4728 -
\??\c:\84000.exec:\84000.exe27⤵
- Executes dropped EXE
PID:4180 -
\??\c:\rlfxxff.exec:\rlfxxff.exe28⤵
- Executes dropped EXE
PID:3424 -
\??\c:\9ntttb.exec:\9ntttb.exe29⤵
- Executes dropped EXE
PID:532 -
\??\c:\8404882.exec:\8404882.exe30⤵
- Executes dropped EXE
PID:4436 -
\??\c:\htnhth.exec:\htnhth.exe31⤵
- Executes dropped EXE
PID:3952 -
\??\c:\jdvpd.exec:\jdvpd.exe32⤵
- Executes dropped EXE
PID:2832 -
\??\c:\rrlxllx.exec:\rrlxllx.exe33⤵
- Executes dropped EXE
PID:848 -
\??\c:\fxrfrfx.exec:\fxrfrfx.exe34⤵
- Executes dropped EXE
PID:5000 -
\??\c:\q28246.exec:\q28246.exe35⤵
- Executes dropped EXE
PID:4696 -
\??\c:\jvjpj.exec:\jvjpj.exe36⤵
- Executes dropped EXE
PID:4376 -
\??\c:\lrffrxx.exec:\lrffrxx.exe37⤵
- Executes dropped EXE
PID:4716 -
\??\c:\htnbht.exec:\htnbht.exe38⤵
- Executes dropped EXE
PID:4056 -
\??\c:\w04204.exec:\w04204.exe39⤵
- Executes dropped EXE
PID:3956 -
\??\c:\4200042.exec:\4200042.exe40⤵
- Executes dropped EXE
PID:3488 -
\??\c:\w42860.exec:\w42860.exe41⤵
- Executes dropped EXE
PID:3900 -
\??\c:\vpjjp.exec:\vpjjp.exe42⤵
- Executes dropped EXE
PID:2088 -
\??\c:\6060000.exec:\6060000.exe43⤵
- Executes dropped EXE
PID:1664 -
\??\c:\3frrxff.exec:\3frrxff.exe44⤵
- Executes dropped EXE
PID:1460 -
\??\c:\0060044.exec:\0060044.exe45⤵
- Executes dropped EXE
PID:1572 -
\??\c:\04246pp.exec:\04246pp.exe46⤵
- Executes dropped EXE
PID:3620 -
\??\c:\dvvvv.exec:\dvvvv.exe47⤵
- Executes dropped EXE
PID:2404 -
\??\c:\frxrrfr.exec:\frxrrfr.exe48⤵
- Executes dropped EXE
PID:4336 -
\??\c:\rllffxr.exec:\rllffxr.exe49⤵
- Executes dropped EXE
PID:4880 -
\??\c:\6268840.exec:\6268840.exe50⤵
- Executes dropped EXE
PID:5080 -
\??\c:\04808.exec:\04808.exe51⤵
- Executes dropped EXE
PID:4160 -
\??\c:\bthnnt.exec:\bthnnt.exe52⤵
- Executes dropped EXE
PID:3804 -
\??\c:\ppjvp.exec:\ppjvp.exe53⤵
- Executes dropped EXE
PID:2252 -
\??\c:\vdvpv.exec:\vdvpv.exe54⤵
- Executes dropped EXE
PID:4964 -
\??\c:\nnttnt.exec:\nnttnt.exe55⤵
- Executes dropped EXE
PID:5040 -
\??\c:\tntnhb.exec:\tntnhb.exe56⤵
- Executes dropped EXE
PID:4332 -
\??\c:\lxrllrx.exec:\lxrllrx.exe57⤵
- Executes dropped EXE
PID:4764 -
\??\c:\nntnhb.exec:\nntnhb.exe58⤵
- Executes dropped EXE
PID:1112 -
\??\c:\vvdpp.exec:\vvdpp.exe59⤵
- Executes dropped EXE
PID:3236 -
\??\c:\84220.exec:\84220.exe60⤵
- Executes dropped EXE
PID:4592 -
\??\c:\dvvjd.exec:\dvvjd.exe61⤵
- Executes dropped EXE
PID:4928 -
\??\c:\6662244.exec:\6662244.exe62⤵
- Executes dropped EXE
PID:2780 -
\??\c:\488248.exec:\488248.exe63⤵
- Executes dropped EXE
PID:520 -
\??\c:\tntbbh.exec:\tntbbh.exe64⤵
- Executes dropped EXE
PID:4980 -
\??\c:\lxffflr.exec:\lxffflr.exe65⤵
- Executes dropped EXE
PID:4272 -
\??\c:\82822.exec:\82822.exe66⤵PID:4476
-
\??\c:\dpvjj.exec:\dpvjj.exe67⤵PID:4856
-
\??\c:\lflfrrx.exec:\lflfrrx.exe68⤵PID:2964
-
\??\c:\2688402.exec:\2688402.exe69⤵PID:776
-
\??\c:\ddpvj.exec:\ddpvj.exe70⤵PID:5024
-
\??\c:\thbhnt.exec:\thbhnt.exe71⤵PID:4728
-
\??\c:\bbnttb.exec:\bbnttb.exe72⤵PID:224
-
\??\c:\m2444.exec:\m2444.exe73⤵PID:1640
-
\??\c:\4042088.exec:\4042088.exe74⤵PID:2620
-
\??\c:\bnntnb.exec:\bnntnb.exe75⤵PID:4996
-
\??\c:\vpvdv.exec:\vpvdv.exe76⤵PID:4788
-
\??\c:\2682600.exec:\2682600.exe77⤵PID:1964
-
\??\c:\g4246.exec:\g4246.exe78⤵PID:2304
-
\??\c:\802222.exec:\802222.exe79⤵PID:1900
-
\??\c:\llfffll.exec:\llfffll.exe80⤵PID:844
-
\??\c:\i444406.exec:\i444406.exe81⤵PID:5000
-
\??\c:\68222.exec:\68222.exe82⤵PID:808
-
\??\c:\vjjdd.exec:\vjjdd.exe83⤵PID:4936
-
\??\c:\04820.exec:\04820.exe84⤵PID:1696
-
\??\c:\4424482.exec:\4424482.exe85⤵PID:2896
-
\??\c:\2886082.exec:\2886082.exe86⤵PID:2588
-
\??\c:\488884.exec:\488884.exe87⤵PID:2644
-
\??\c:\vpdjv.exec:\vpdjv.exe88⤵PID:4032
-
\??\c:\xfxfxrx.exec:\xfxfxrx.exe89⤵PID:1312
-
\??\c:\8864882.exec:\8864882.exe90⤵PID:2688
-
\??\c:\rfrlrlr.exec:\rfrlrlr.exe91⤵PID:4404
-
\??\c:\lxxrlll.exec:\lxxrlll.exe92⤵PID:1016
-
\??\c:\22200.exec:\22200.exe93⤵PID:2268
-
\??\c:\468260.exec:\468260.exe94⤵PID:4968
-
\??\c:\88488.exec:\88488.exe95⤵PID:1088
-
\??\c:\xxrrrxx.exec:\xxrrrxx.exe96⤵PID:4756
-
\??\c:\680286.exec:\680286.exe97⤵PID:3712
-
\??\c:\428882.exec:\428882.exe98⤵PID:4004
-
\??\c:\lxllrxx.exec:\lxllrxx.exe99⤵PID:2364
-
\??\c:\tnhntt.exec:\tnhntt.exe100⤵PID:3468
-
\??\c:\44242.exec:\44242.exe101⤵PID:4620
-
\??\c:\vpdjd.exec:\vpdjd.exe102⤵PID:3696
-
\??\c:\6400620.exec:\6400620.exe103⤵PID:1700
-
\??\c:\nthbhn.exec:\nthbhn.exe104⤵PID:4608
-
\??\c:\llrrxlr.exec:\llrrxlr.exe105⤵PID:2352
-
\??\c:\7jvpv.exec:\7jvpv.exe106⤵PID:3140
-
\??\c:\4806684.exec:\4806684.exe107⤵PID:3664
-
\??\c:\642860.exec:\642860.exe108⤵PID:912
-
\??\c:\22288.exec:\22288.exe109⤵PID:4508
-
\??\c:\684266.exec:\684266.exe110⤵PID:4688
-
\??\c:\420606.exec:\420606.exe111⤵PID:436
-
\??\c:\lrxxrxr.exec:\lrxxrxr.exe112⤵PID:2652
-
\??\c:\66008.exec:\66008.exe113⤵PID:2704
-
\??\c:\2202282.exec:\2202282.exe114⤵PID:3916
-
\??\c:\880426.exec:\880426.exe115⤵PID:4628
-
\??\c:\xxfllrx.exec:\xxfllrx.exe116⤵PID:4784
-
\??\c:\62860.exec:\62860.exe117⤵PID:4360
-
\??\c:\jjjjj.exec:\jjjjj.exe118⤵PID:1964
-
\??\c:\220628.exec:\220628.exe119⤵PID:2332
-
\??\c:\o486482.exec:\o486482.exe120⤵PID:2380
-
\??\c:\8224288.exec:\8224288.exe121⤵PID:4228
-
\??\c:\62662.exec:\62662.exe122⤵PID:4080