Analysis

max time kernel: 119s
max time network: 63s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 12:34

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 0b4dfd2015d5cc1ab7c5be11f86b97df47765949bfefe8cfa2b45ccbf473ca58N.exe
Resource: win7-20240903-en (windows7-x64), 7 signatures, 120 seconds

General

Target: 0b4dfd2015d5cc1ab7c5be11f86b97df47765949bfefe8cfa2b45ccbf473ca58N.exe
Size: 230KB
MD5: 7dfb0b8bdefd2065aa6bf6706132ca20
SHA1: f3e4f7f1495b9246d3d5b7c007db9cee5d5e4b04
SHA256: 0b4dfd2015d5cc1ab7c5be11f86b97df47765949bfefe8cfa2b45ccbf473ca58
SHA512: 58eef338c4ede6ba3447d670ae1814bbe46d00c786141d78ed6e6505a03cd1d692c1c57bb53b096a556aaa1767a6aa01224d84f5128eb4f4d4f9a9d67268330d
SSDEEP: 3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1ff:n3C9BRo7MlrWKo+lxKk1ff
Malware Config

Signatures

- Blackmoon family
- Detect Blackmoon payload (26 IoCs)
- Executes dropped EXE (64 IoCs)
- yara_rule upx matched on the behavioral2 memory dumps (0x0000000000400000-0x0000000000429000) of the dropped processes
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree: each line is the child of the line before it; the leading number is the nesting depth, followed by the image path, the command line, the PID and the signatures that fired for that process.

1. C:\Users\Admin\AppData\Local\Temp\0b4dfd2015d5cc1ab7c5be11f86b97df47765949bfefe8cfa2b45ccbf473ca58N.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\0b4dfd2015d5cc1ab7c5be11f86b97df47765949bfefe8cfa2b45ccbf473ca58N.exe" | PID 1480 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2. \??\c:\rxxxrrx.exe | cmd: c:\rxxxrrx.exe | PID 3596 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\pdpjd.exe | cmd: c:\pdpjd.exe | PID 4788 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\xrxflrr.exe | cmd: c:\xrxflrr.exe | PID 4100 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\jvdvv.exe | cmd: c:\jvdvv.exe | PID 372 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\xrrllll.exe | cmd: c:\xrrllll.exe | PID 4576 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\nnbhnb.exe | cmd: c:\nnbhnb.exe | PID 1048 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8. \??\c:\jvddv.exe | cmd: c:\jvddv.exe | PID 2084 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\xrflllf.exe | cmd: c:\xrflllf.exe | PID 404 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\htbbnt.exe | cmd: c:\htbbnt.exe | PID 3756 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\frfflll.exe | cmd: c:\frfflll.exe | PID 3972 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\7bhbth.exe | cmd: c:\7bhbth.exe | PID 1288 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\llfllxl.exe | cmd: c:\llfllxl.exe | PID 208 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
14. \??\c:\bbhnbt.exe | cmd: c:\bbhnbt.exe | PID 1508 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\vvppv.exe | cmd: c:\vvppv.exe | PID 4740 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\ffrrrrr.exe | cmd: c:\ffrrrrr.exe | PID 2284 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
17. \??\c:\1bhhbb.exe | cmd: c:\1bhhbb.exe | PID 4792 | Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\ppjdd.exe | cmd: c:\ppjdd.exe | PID 3224 | Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\flflrfr.exe | cmd: c:\flflrfr.exe | PID 5068 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\nbnthn.exe | cmd: c:\nbnthn.exe | PID 3920 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
21. \??\c:\vjjpj.exe | cmd: c:\vjjpj.exe | PID 408 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\ffffxff.exe | cmd: c:\ffffxff.exe | PID 760 | Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\tnbbbh.exe | cmd: c:\tnbbbh.exe | PID 3732 | Executes dropped EXE
24. \??\c:\dvpjd.exe | cmd: c:\dvpjd.exe | PID 4616 | Executes dropped EXE
25. \??\c:\bnbhbt.exe | cmd: c:\bnbhbt.exe | PID 1164 | Executes dropped EXE
26. \??\c:\pvppj.exe | cmd: c:\pvppj.exe | PID 2628 | Executes dropped EXE
27. \??\c:\5pdpp.exe | cmd: c:\5pdpp.exe | PID 2840 | Executes dropped EXE; System Location Discovery: System Language Discovery
28. \??\c:\llrxxxx.exe | cmd: c:\llrxxxx.exe | PID 1804 | Executes dropped EXE; System Location Discovery: System Language Discovery
29. \??\c:\tntnnb.exe | cmd: c:\tntnnb.exe | PID 3308 | Executes dropped EXE
30. \??\c:\fxrrrrr.exe | cmd: c:\fxrrrrr.exe | PID 4916 | Executes dropped EXE
31. \??\c:\hnhhhh.exe | cmd: c:\hnhhhh.exe | PID 1964 | Executes dropped EXE
32. \??\c:\jddvv.exe | cmd: c:\jddvv.exe | PID 4108 | Executes dropped EXE
33. \??\c:\lxlffrr.exe | cmd: c:\lxlffrr.exe | PID 3168 | Executes dropped EXE
34. \??\c:\hhnnhn.exe | cmd: c:\hhnnhn.exe | PID 464 | Executes dropped EXE; System Location Discovery: System Language Discovery
35. \??\c:\ddvvv.exe | cmd: c:\ddvvv.exe | PID 3424 | Executes dropped EXE
36. \??\c:\xrxrrll.exe | cmd: c:\xrxrrll.exe | PID 4428 | Executes dropped EXE
37. \??\c:\5rrrlll.exe | cmd: c:\5rrrlll.exe | PID 4444 | Executes dropped EXE; System Location Discovery: System Language Discovery
38. \??\c:\hhtthb.exe | cmd: c:\hhtthb.exe | PID 616 | Executes dropped EXE; System Location Discovery: System Language Discovery
39. \??\c:\vpjjp.exe | cmd: c:\vpjjp.exe | PID 3392 | Executes dropped EXE
40. \??\c:\xxlrrxl.exe | cmd: c:\xxlrrxl.exe | PID 4228 | Executes dropped EXE
41. \??\c:\hnbbbh.exe | cmd: c:\hnbbbh.exe | PID 3596 | Executes dropped EXE; System Location Discovery: System Language Discovery
42. \??\c:\bntbnh.exe | cmd: c:\bntbnh.exe | PID 3452 | Executes dropped EXE
43. \??\c:\ffxlrxx.exe | cmd: c:\ffxlrxx.exe | PID 3352 | Executes dropped EXE
44. \??\c:\xxlrxrr.exe | cmd: c:\xxlrxrr.exe | PID 316 | Executes dropped EXE
45. \??\c:\btbbtt.exe | cmd: c:\btbbtt.exe | PID 2308 | Executes dropped EXE
46. \??\c:\dvjjp.exe | cmd: c:\dvjjp.exe | PID 624 | Executes dropped EXE
47. \??\c:\1pvvp.exe | cmd: c:\1pvvp.exe | PID 3692 | Executes dropped EXE
48. \??\c:\frflfxr.exe | cmd: c:\frflfxr.exe | PID 4820 | Executes dropped EXE
49. \??\c:\tthbbt.exe | cmd: c:\tthbbt.exe | PID 1904 | Executes dropped EXE
50. \??\c:\btbbnn.exe | cmd: c:\btbbnn.exe | PID 1324 | Executes dropped EXE
51. \??\c:\ppjdv.exe | cmd: c:\ppjdv.exe | PID 2720 | Executes dropped EXE
52. \??\c:\pvddd.exe | cmd: c:\pvddd.exe | PID 4908 | Executes dropped EXE
53. \??\c:\rlflxlr.exe | cmd: c:\rlflxlr.exe | PID 2968 | Executes dropped EXE
54. \??\c:\llfflrx.exe | cmd: c:\llfflrx.exe | PID 4012 | Executes dropped EXE
55. \??\c:\tnbbtn.exe | cmd: c:\tnbbtn.exe | PID 3480 | Executes dropped EXE
56. \??\c:\dvdjj.exe | cmd: c:\dvdjj.exe | PID 3884 | Executes dropped EXE
57. \??\c:\rrrxfxf.exe | cmd: c:\rrrxfxf.exe | PID 1728 | Executes dropped EXE
58. \??\c:\thtnbb.exe | cmd: c:\thtnbb.exe | PID 4600 | Executes dropped EXE; System Location Discovery: System Language Discovery
59. \??\c:\bbhnth.exe | cmd: c:\bbhnth.exe | PID 2072 | Executes dropped EXE
60. \??\c:\7vjpp.exe | cmd: c:\7vjpp.exe | PID 2576 | Executes dropped EXE
61. \??\c:\rxlxflr.exe | cmd: c:\rxlxflr.exe | PID 1444 | Executes dropped EXE
62. \??\c:\rrllxff.exe | cmd: c:\rrllxff.exe | PID 2380 | Executes dropped EXE
63. \??\c:\tbnnnt.exe | cmd: c:\tbnnnt.exe | PID 5068 | Executes dropped EXE
64. \??\c:\9ppjj.exe | cmd: c:\9ppjj.exe | PID 4496 | Executes dropped EXE
65. \??\c:\vpjjj.exe | cmd: c:\vpjjj.exe | PID 1900 | Executes dropped EXE
66. \??\c:\frxrrrf.exe | cmd: c:\frxrrrf.exe | PID 4912
67. \??\c:\lfxffll.exe | cmd: c:\lfxffll.exe | PID 688
68. \??\c:\ntntbn.exe | cmd: c:\ntntbn.exe | PID 3796
69. \??\c:\vpvjj.exe | cmd: c:\vpvjj.exe | PID 3592
70. \??\c:\lffxrrr.exe | cmd: c:\lffxrrr.exe | PID 3952
71. \??\c:\rllxfxf.exe | cmd: c:\rllxfxf.exe | PID 3316
72. \??\c:\btttbb.exe | cmd: c:\btttbb.exe | PID 1956
73. \??\c:\djpvj.exe | cmd: c:\djpvj.exe | PID 1848
74. \??\c:\vvdvp.exe | cmd: c:\vvdvp.exe | PID 2840
75. \??\c:\llxflrx.exe | cmd: c:\llxflrx.exe | PID 3668
76. \??\c:\tbntbn.exe | cmd: c:\tbntbn.exe | PID 4568
77. \??\c:\hhttth.exe | cmd: c:\hhttth.exe | PID 5020
78. \??\c:\ddpvd.exe | cmd: c:\ddpvd.exe | PID 3428
79. \??\c:\xrfllrl.exe | cmd: c:\xrfllrl.exe | PID 2784 | System Location Discovery: System Language Discovery
80. \??\c:\1rflrff.exe | cmd: c:\1rflrff.exe | PID 3624
81. \??\c:\7httbh.exe | cmd: c:\7httbh.exe | PID 1828
82. \??\c:\jvvvp.exe | cmd: c:\jvvvp.exe | PID 3188 | System Location Discovery: System Language Discovery
83. \??\c:\jpddd.exe | cmd: c:\jpddd.exe | PID 4432 | System Location Discovery: System Language Discovery
84. \??\c:\lrllllr.exe | cmd: c:\lrllllr.exe | PID 3424
85. \??\c:\thntnh.exe | cmd: c:\thntnh.exe | PID 1924
86. \??\c:\vvvpj.exe | cmd: c:\vvvpj.exe | PID 3068
87. \??\c:\llxlffl.exe | cmd: c:\llxlffl.exe | PID 4056
88. \??\c:\1nnntt.exe | cmd: c:\1nnntt.exe | PID 3392 | System Location Discovery: System Language Discovery
89. \??\c:\jdpjp.exe | cmd: c:\jdpjp.exe | PID 456
90. \??\c:\xxxfrll.exe | cmd: c:\xxxfrll.exe | PID 3364
91. \??\c:\xrxxrrx.exe | cmd: c:\xrxxrrx.exe | PID 3452
92. \??\c:\ttbhbh.exe | cmd: c:\ttbhbh.exe | PID 3180
93. \??\c:\9pddd.exe | cmd: c:\9pddd.exe | PID 5052
94. \??\c:\dvdpd.exe | cmd: c:\dvdpd.exe | PID 3540
95. \??\c:\7flrllf.exe | cmd: c:\7flrllf.exe | PID 2416
96. \??\c:\ttttnn.exe | cmd: c:\ttttnn.exe | PID 3792
97. \??\c:\tnhtbh.exe | cmd: c:\tnhtbh.exe | PID 2980
98. \??\c:\lxxxfrx.exe | cmd: c:\lxxxfrx.exe | PID 2528
99. \??\c:\xfrxxlr.exe | cmd: c:\xfrxxlr.exe | PID 4844
100. \??\c:\hhtbbb.exe | cmd: c:\hhtbbb.exe | PID 2288
101. \??\c:\jjjjj.exe | cmd: c:\jjjjj.exe | PID 2200
102. \??\c:\bhhhhh.exe | cmd: c:\bhhhhh.exe | PID 3600 | System Location Discovery: System Language Discovery
103. \??\c:\thntbh.exe | cmd: c:\thntbh.exe | PID 208
104. \??\c:\vvjpp.exe | cmd: c:\vvjpp.exe | PID 4128
105. \??\c:\9xrrxff.exe | cmd: c:\9xrrxff.exe | PID 4872
106. \??\c:\hnnbbn.exe | cmd: c:\hnnbbn.exe | PID 3036
107. \??\c:\bhbbbh.exe | cmd: c:\bhbbbh.exe | PID 1436
108. \??\c:\pvdpv.exe | cmd: c:\pvdpv.exe | PID 776
109. \??\c:\pjvvp.exe | cmd: c:\pjvvp.exe | PID 4052
110. \??\c:\xflrlll.exe | cmd: c:\xflrlll.exe | PID 2096 | System Location Discovery: System Language Discovery
111. \??\c:\nnnbtb.exe | cmd: c:\nnnbtb.exe | PID 3108
112. \??\c:\pjjvj.exe | cmd: c:\pjjvj.exe | PID 2160
113. \??\c:\pddvj.exe | cmd: c:\pddvj.exe | PID 3648
114. \??\c:\llxrfrf.exe | cmd: c:\llxrfrf.exe | PID 3636
115. \??\c:\tnnhhh.exe | cmd: c:\tnnhhh.exe | PID 212
116. \??\c:\tttttt.exe | cmd: c:\tttttt.exe | PID 2572 | System Location Discovery: System Language Discovery
117. \??\c:\vpjdd.exe | cmd: c:\vpjdd.exe | PID 1488
118. \??\c:\pjppp.exe | cmd: c:\pjppp.exe | PID 3860
119. \??\c:\xlxxxff.exe | cmd: c:\xlxxxff.exe | PID 2172 | System Location Discovery: System Language Discovery
120. \??\c:\hhbbhh.exe | cmd: c:\hhbbhh.exe | PID 1956 | System Location Discovery: System Language Discovery
121. \??\c:\bttttn.exe | cmd: c:\bttttn.exe | PID 4468 | System Location Discovery: System Language Discovery
122. \??\c:\jdppp.exe | cmd: c:\jdppp.exe | PID 2860