Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 22:11
Static task
static1
Behavioral task
behavioral1
Sample
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe
Resource
win7-20241010-en
General
-
Target
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe
-
Size
119KB
-
MD5
ff9ff189eff875d53c2bc6878472fd50
-
SHA1
8d2cd948188fc8e1622fd1fbb6080821573a8d19
-
SHA256
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8
-
SHA512
89ac4d2c81093a782c1bea0ccfc6381e97d7e25555ebcc7a989b62eabb059391009a22bed1775a9e6fb8f45c9626aaac5e774cfe05a878caa6a68af98ba320a0
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73oYUCD7R2F2UVbyy0zChFHOG:ymb3NkkiQ3mdBjFo73HUoMsAbrRFHH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 25 IoCs
resource yara_rule behavioral2/memory/1436-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3988-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3936-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5116-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4052-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4464-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2664-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1468-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2288-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4564-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3708-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3404-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2656-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3152-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4396-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1552-132-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3924-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4460-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2844-167-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1496-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1760-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4200-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2572-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4220-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4064-210-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3988 bnthbt.exe 3936 rfllxfl.exe 5116 5tnbbh.exe 4052 vvddd.exe 4464 tttttt.exe 2664 jvvvd.exe 1468 lflrlrr.exe 2288 dvjjp.exe 4564 lrfrrxf.exe 3708 5vvjd.exe 3404 frflllr.exe 4544 btbhnt.exe 2656 llrffll.exe 3152 hntbtb.exe 1372 vvvdd.exe 4396 xxllxrr.exe 4608 htntbn.exe 1552 vdpjp.exe 3924 xxlllfx.exe 2296 pvpvj.exe 4460 xrffrxr.exe 3140 tbbbbh.exe 1496 pdvvp.exe 2844 llfllrr.exe 2940 hntbbn.exe 1456 rxfxffl.exe 4200 xxrlffr.exe 1760 nhttbb.exe 2572 pjpvv.exe 4220 xxlffll.exe 4064 btbbbh.exe 4876 pvdpj.exe 5044 lrrlxxr.exe 4152 fxrfxll.exe 1944 bhnnth.exe 4352 jpvdd.exe 2556 rrfrlfl.exe 4276 bnhntb.exe 4088 vjjjd.exe 2592 9jjdd.exe 3860 lfllffr.exe 3604 nbnnbb.exe 2324 5ddpv.exe 4464 rflrrrl.exe 4136 tnnnbb.exe 1804 tttnnn.exe 1736 7jvvp.exe 1128 9vvdv.exe 1316 xxfxrlr.exe 4436 nbhhbb.exe 2272 pdpjd.exe 1076 ppvpp.exe 1656 fxxrlfx.exe 3408 7tbbtn.exe 1176 5bbhht.exe 4012 vppjv.exe 652 5fflrxx.exe 4696 lrffrxl.exe 2084 hnhntn.exe 4608 dppdd.exe 2412 7lfllrr.exe 2884 5lfrfrx.exe 1824 thhhbn.exe 1688 pvppp.exe -
resource yara_rule behavioral2/memory/1436-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1436-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3988-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3936-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3936-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3936-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5116-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4052-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4464-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2664-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1468-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1468-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1468-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2288-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4564-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3708-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3404-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2656-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3152-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4396-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1552-132-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3924-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4460-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2844-167-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1496-162-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4200-186-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2572-201-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4220-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4064-210-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvd.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrxfl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1436 wrote to memory of 3988 1436 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 84 PID 1436 wrote to memory of 3988 1436 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 84 PID 1436 wrote to memory of 3988 1436 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 84 PID 3988 wrote to memory of 3936 3988 bnthbt.exe 85 PID 3988 wrote to memory of 3936 3988 bnthbt.exe 85 PID 3988 wrote to memory of 3936 3988 bnthbt.exe 85 PID 3936 wrote to memory of 5116 3936 rfllxfl.exe 86 PID 3936 wrote to memory of 5116 3936 rfllxfl.exe 86 PID 3936 wrote to memory of 5116 3936 rfllxfl.exe 86 PID 5116 wrote to memory of 4052 5116 5tnbbh.exe 87 PID 5116 wrote to memory of 4052 5116 5tnbbh.exe 87 PID 5116 wrote to memory of 4052 5116 5tnbbh.exe 87 PID 4052 wrote to memory of 4464 4052 vvddd.exe 88 PID 4052 wrote to memory of 4464 4052 vvddd.exe 88 PID 4052 wrote to memory of 4464 4052 vvddd.exe 88 PID 4464 wrote to memory of 2664 4464 tttttt.exe 90 PID 4464 wrote to memory of 2664 4464 tttttt.exe 90 PID 4464 wrote to memory of 2664 4464 tttttt.exe 90 PID 2664 wrote to memory of 1468 2664 jvvvd.exe 91 PID 2664 wrote to memory of 1468 2664 jvvvd.exe 91 PID 2664 wrote to memory of 1468 2664 jvvvd.exe 91 PID 1468 wrote to memory of 2288 1468 lflrlrr.exe 92 PID 1468 wrote to memory of 2288 1468 lflrlrr.exe 92 PID 1468 wrote to memory of 2288 1468 lflrlrr.exe 92 PID 2288 wrote to memory of 4564 2288 dvjjp.exe 93 PID 2288 wrote to memory of 4564 2288 dvjjp.exe 93 PID 2288 wrote to memory of 4564 2288 dvjjp.exe 93 PID 4564 wrote to memory of 3708 4564 lrfrrxf.exe 94 PID 4564 wrote to memory of 3708 4564 lrfrrxf.exe 94 PID 4564 wrote to memory of 3708 4564 lrfrrxf.exe 94 PID 3708 wrote to memory of 3404 3708 5vvjd.exe 95 PID 3708 wrote to memory of 3404 3708 5vvjd.exe 95 PID 3708 wrote to memory of 3404 3708 5vvjd.exe 95 PID 3404 wrote to memory of 4544 3404 frflllr.exe 97 PID 3404 wrote to 
memory of 4544 3404 frflllr.exe 97 PID 3404 wrote to memory of 4544 3404 frflllr.exe 97 PID 4544 wrote to memory of 2656 4544 btbhnt.exe 98 PID 4544 wrote to memory of 2656 4544 btbhnt.exe 98 PID 4544 wrote to memory of 2656 4544 btbhnt.exe 98 PID 2656 wrote to memory of 3152 2656 llrffll.exe 99 PID 2656 wrote to memory of 3152 2656 llrffll.exe 99 PID 2656 wrote to memory of 3152 2656 llrffll.exe 99 PID 3152 wrote to memory of 1372 3152 hntbtb.exe 100 PID 3152 wrote to memory of 1372 3152 hntbtb.exe 100 PID 3152 wrote to memory of 1372 3152 hntbtb.exe 100 PID 1372 wrote to memory of 4396 1372 vvvdd.exe 101 PID 1372 wrote to memory of 4396 1372 vvvdd.exe 101 PID 1372 wrote to memory of 4396 1372 vvvdd.exe 101 PID 4396 wrote to memory of 4608 4396 xxllxrr.exe 102 PID 4396 wrote to memory of 4608 4396 xxllxrr.exe 102 PID 4396 wrote to memory of 4608 4396 xxllxrr.exe 102 PID 4608 wrote to memory of 1552 4608 htntbn.exe 103 PID 4608 wrote to memory of 1552 4608 htntbn.exe 103 PID 4608 wrote to memory of 1552 4608 htntbn.exe 103 PID 1552 wrote to memory of 3924 1552 vdpjp.exe 104 PID 1552 wrote to memory of 3924 1552 vdpjp.exe 104 PID 1552 wrote to memory of 3924 1552 vdpjp.exe 104 PID 3924 wrote to memory of 2296 3924 xxlllfx.exe 105 PID 3924 wrote to memory of 2296 3924 xxlllfx.exe 105 PID 3924 wrote to memory of 2296 3924 xxlllfx.exe 105 PID 2296 wrote to memory of 4460 2296 pvpvj.exe 106 PID 2296 wrote to memory of 4460 2296 pvpvj.exe 106 PID 2296 wrote to memory of 4460 2296 pvpvj.exe 106 PID 4460 wrote to memory of 3140 4460 xrffrxr.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe"C:\Users\Admin\AppData\Local\Temp\e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\bnthbt.exec:\bnthbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\rfllxfl.exec:\rfllxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\5tnbbh.exec:\5tnbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\vvddd.exec:\vvddd.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\tttttt.exec:\tttttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\jvvvd.exec:\jvvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\lflrlrr.exec:\lflrlrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\dvjjp.exec:\dvjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\lrfrrxf.exec:\lrfrrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\5vvjd.exec:\5vvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\frflllr.exec:\frflllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\btbhnt.exec:\btbhnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\llrffll.exec:\llrffll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\hntbtb.exec:\hntbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\vvvdd.exec:\vvvdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\xxllxrr.exec:\xxllxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\htntbn.exec:\htntbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\vdpjp.exec:\vdpjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\xxlllfx.exec:\xxlllfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\pvpvj.exec:\pvpvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\xrffrxr.exec:\xrffrxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\tbbbbh.exec:\tbbbbh.exe23⤵
- Executes dropped EXE
PID:3140 -
\??\c:\pdvvp.exec:\pdvvp.exe24⤵
- Executes dropped EXE
PID:1496 -
\??\c:\llfllrr.exec:\llfllrr.exe25⤵
- Executes dropped EXE
PID:2844 -
\??\c:\hntbbn.exec:\hntbbn.exe26⤵
- Executes dropped EXE
PID:2940 -
\??\c:\rxfxffl.exec:\rxfxffl.exe27⤵
- Executes dropped EXE
PID:1456 -
\??\c:\xxrlffr.exec:\xxrlffr.exe28⤵
- Executes dropped EXE
PID:4200 -
\??\c:\nhttbb.exec:\nhttbb.exe29⤵
- Executes dropped EXE
PID:1760 -
\??\c:\pjpvv.exec:\pjpvv.exe30⤵
- Executes dropped EXE
PID:2572 -
\??\c:\xxlffll.exec:\xxlffll.exe31⤵
- Executes dropped EXE
PID:4220 -
\??\c:\btbbbh.exec:\btbbbh.exe32⤵
- Executes dropped EXE
PID:4064 -
\??\c:\pvdpj.exec:\pvdpj.exe33⤵
- Executes dropped EXE
PID:4876 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044 -
\??\c:\fxrfxll.exec:\fxrfxll.exe35⤵
- Executes dropped EXE
PID:4152 -
\??\c:\bhnnth.exec:\bhnnth.exe36⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jpvdd.exec:\jpvdd.exe37⤵
- Executes dropped EXE
PID:4352 -
\??\c:\rrfrlfl.exec:\rrfrlfl.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bnhntb.exec:\bnhntb.exe39⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vjjjd.exec:\vjjjd.exe40⤵
- Executes dropped EXE
PID:4088 -
\??\c:\9jjdd.exec:\9jjdd.exe41⤵
- Executes dropped EXE
PID:2592 -
\??\c:\lfllffr.exec:\lfllffr.exe42⤵
- Executes dropped EXE
PID:3860 -
\??\c:\nbnnbb.exec:\nbnnbb.exe43⤵
- Executes dropped EXE
PID:3604 -
\??\c:\5ddpv.exec:\5ddpv.exe44⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rflrrrl.exec:\rflrrrl.exe45⤵
- Executes dropped EXE
PID:4464 -
\??\c:\tnnnbb.exec:\tnnnbb.exe46⤵
- Executes dropped EXE
PID:4136 -
\??\c:\tttnnn.exec:\tttnnn.exe47⤵
- Executes dropped EXE
PID:1804 -
\??\c:\7jvvp.exec:\7jvvp.exe48⤵
- Executes dropped EXE
PID:1736 -
\??\c:\9vvdv.exec:\9vvdv.exe49⤵
- Executes dropped EXE
PID:1128 -
\??\c:\xxfxrlr.exec:\xxfxrlr.exe50⤵
- Executes dropped EXE
PID:1316 -
\??\c:\nbhhbb.exec:\nbhhbb.exe51⤵
- Executes dropped EXE
PID:4436 -
\??\c:\pdpjd.exec:\pdpjd.exe52⤵
- Executes dropped EXE
PID:2272 -
\??\c:\ppvpp.exec:\ppvpp.exe53⤵
- Executes dropped EXE
PID:1076 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe54⤵
- Executes dropped EXE
PID:1656 -
\??\c:\7tbbtn.exec:\7tbbtn.exe55⤵
- Executes dropped EXE
PID:3408 -
\??\c:\5bbhht.exec:\5bbhht.exe56⤵
- Executes dropped EXE
PID:1176 -
\??\c:\vppjv.exec:\vppjv.exe57⤵
- Executes dropped EXE
PID:4012 -
\??\c:\5fflrxx.exec:\5fflrxx.exe58⤵
- Executes dropped EXE
PID:652 -
\??\c:\lrffrxl.exec:\lrffrxl.exe59⤵
- Executes dropped EXE
PID:4696 -
\??\c:\hnhntn.exec:\hnhntn.exe60⤵
- Executes dropped EXE
PID:2084 -
\??\c:\dppdd.exec:\dppdd.exe61⤵
- Executes dropped EXE
PID:4608 -
\??\c:\7lfllrr.exec:\7lfllrr.exe62⤵
- Executes dropped EXE
PID:2412 -
\??\c:\5lfrfrx.exec:\5lfrfrx.exe63⤵
- Executes dropped EXE
PID:2884 -
\??\c:\thhhbn.exec:\thhhbn.exe64⤵
- Executes dropped EXE
PID:1824 -
\??\c:\pvppp.exec:\pvppp.exe65⤵
- Executes dropped EXE
PID:1688 -
\??\c:\jpppd.exec:\jpppd.exe66⤵PID:392
-
\??\c:\rffffrx.exec:\rffffrx.exe67⤵PID:832
-
\??\c:\nhttnt.exec:\nhttnt.exe68⤵PID:1584
-
\??\c:\7thhhh.exec:\7thhhh.exe69⤵PID:3852
-
\??\c:\ppppp.exec:\ppppp.exe70⤵PID:1496
-
\??\c:\1fxflxl.exec:\1fxflxl.exe71⤵PID:4676
-
\??\c:\xxxlxrf.exec:\xxxlxrf.exe72⤵PID:2856
-
\??\c:\1hhnht.exec:\1hhnht.exe73⤵
- System Location Discovery: System Language Discovery
PID:3928 -
\??\c:\vddjj.exec:\vddjj.exe74⤵PID:3460
-
\??\c:\rlxflrx.exec:\rlxflrx.exe75⤵PID:2224
-
\??\c:\xffllll.exec:\xffllll.exe76⤵PID:4688
-
\??\c:\nnhnhb.exec:\nnhnhb.exe77⤵PID:968
-
\??\c:\ddvvd.exec:\ddvvd.exe78⤵PID:4220
-
\??\c:\3jpvv.exec:\3jpvv.exe79⤵PID:1432
-
\??\c:\flffrrx.exec:\flffrrx.exe80⤵PID:4804
-
\??\c:\hnttbb.exec:\hnttbb.exe81⤵PID:4876
-
\??\c:\ttbbhh.exec:\ttbbhh.exe82⤵PID:5044
-
\??\c:\dpvdj.exec:\dpvdj.exe83⤵PID:4416
-
\??\c:\frllfll.exec:\frllfll.exe84⤵PID:2552
-
\??\c:\fxlflrf.exec:\fxlflrf.exe85⤵PID:3596
-
\??\c:\hhtttb.exec:\hhtttb.exe86⤵PID:3628
-
\??\c:\frlllrr.exec:\frlllrr.exe87⤵PID:3360
-
\??\c:\hnbtbh.exec:\hnbtbh.exe88⤵PID:2268
-
\??\c:\pdjjv.exec:\pdjjv.exe89⤵PID:2592
-
\??\c:\ppvvv.exec:\ppvvv.exe90⤵PID:4540
-
\??\c:\rlrxflr.exec:\rlrxflr.exe91⤵PID:2936
-
\??\c:\thhhhn.exec:\thhhhn.exe92⤵PID:2888
-
\??\c:\htbhht.exec:\htbhht.exe93⤵PID:3868
-
\??\c:\ddppv.exec:\ddppv.exe94⤵PID:4972
-
\??\c:\xfrlrlr.exec:\xfrlrlr.exe95⤵PID:3060
-
\??\c:\rfrxfrx.exec:\rfrxfrx.exe96⤵PID:4568
-
\??\c:\hththn.exec:\hththn.exe97⤵PID:3136
-
\??\c:\ppjjj.exec:\ppjjj.exe98⤵PID:1916
-
\??\c:\xlrllll.exec:\xlrllll.exe99⤵PID:680
-
\??\c:\rlxfrfl.exec:\rlxfrfl.exe100⤵PID:5072
-
\??\c:\hhttth.exec:\hhttth.exe101⤵PID:2656
-
\??\c:\tbnnnn.exec:\tbnnnn.exe102⤵PID:3484
-
\??\c:\pdjjv.exec:\pdjjv.exe103⤵PID:3668
-
\??\c:\flrrrxl.exec:\flrrrxl.exe104⤵
- System Location Discovery: System Language Discovery
PID:1132 -
\??\c:\nbbhtb.exec:\nbbhtb.exe105⤵PID:4396
-
\??\c:\jdvjj.exec:\jdvjj.exe106⤵PID:1324
-
\??\c:\vpvjd.exec:\vpvjd.exe107⤵PID:2924
-
\??\c:\rrllxxf.exec:\rrllxxf.exe108⤵PID:3692
-
\??\c:\hhthbh.exec:\hhthbh.exe109⤵PID:1540
-
\??\c:\5thnnh.exec:\5thnnh.exe110⤵PID:232
-
\??\c:\jdjjv.exec:\jdjjv.exe111⤵PID:2508
-
\??\c:\fxrxllf.exec:\fxrxllf.exe112⤵PID:3128
-
\??\c:\xxlllff.exec:\xxlllff.exe113⤵PID:1240
-
\??\c:\hbtnnn.exec:\hbtnnn.exe114⤵PID:3140
-
\??\c:\vvvjv.exec:\vvvjv.exe115⤵PID:260
-
\??\c:\vjpdp.exec:\vjpdp.exe116⤵PID:1740
-
\??\c:\5xlxxfr.exec:\5xlxxfr.exe117⤵PID:212
-
\??\c:\bbnhnt.exec:\bbnhnt.exe118⤵PID:3720
-
\??\c:\htnntb.exec:\htnntb.exe119⤵PID:2460
-
\??\c:\pvdjp.exec:\pvdjp.exe120⤵PID:4388
-
\??\c:\pvddd.exec:\pvddd.exe121⤵PID:2028
-
\??\c:\flfllll.exec:\flfllll.exe122⤵PID:3168