Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe
Resource
win7-20241010-en
General
-
Target
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe
-
Size
119KB
-
MD5
ff9ff189eff875d53c2bc6878472fd50
-
SHA1
8d2cd948188fc8e1622fd1fbb6080821573a8d19
-
SHA256
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8
-
SHA512
89ac4d2c81093a782c1bea0ccfc6381e97d7e25555ebcc7a989b62eabb059391009a22bed1775a9e6fb8f45c9626aaac5e774cfe05a878caa6a68af98ba320a0
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73oYUCD7R2F2UVbyy0zChFHOG:ymb3NkkiQ3mdBjFo73HUoMsAbrRFHH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral2/memory/2268-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2268-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3676-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4380-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/744-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4768-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2036-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1624-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2704-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3176-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3596-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4016-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4012-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2988-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1200-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3652-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2760-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1208-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/424-141-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1608-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1940-152-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3856-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1044-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5112-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3676 rrrlllf.exe 4380 vjjpj.exe 744 llrrxfx.exe 4768 pvpdp.exe 4372 lrlfrrf.exe 2036 tntbbh.exe 1624 vvdjj.exe 2704 jdjvp.exe 3176 xfrrxxx.exe 3596 vjvpd.exe 4016 flxlxfx.exe 4012 9pjjj.exe 2988 rxrxlrx.exe 1200 bnttnh.exe 3652 llflrfl.exe 2380 thtttb.exe 2060 vpppv.exe 2760 1ttttt.exe 1208 ppvpv.exe 424 tbtnth.exe 1608 vdjjj.exe 1940 jpjjp.exe 1592 tbntnh.exe 3856 dvjvv.exe 2628 btbnbn.exe 3476 tnbtnt.exe 5112 djppj.exe 1044 rxxrrxx.exe 3272 hnnbnn.exe 4916 3pjpv.exe 392 5flrfxf.exe 3020 btnnnn.exe 1128 jjppp.exe 60 rrlllxx.exe 3032 bntttb.exe 4584 jjvvv.exe 4508 xflrrxf.exe 4600 bnhntb.exe 2612 jjvpv.exe 2524 lffllxx.exe 2056 ththth.exe 3420 ntbbtb.exe 3952 dvvdv.exe 3516 1rfllxf.exe 4840 hhnhbt.exe 5036 pddjj.exe 3488 jpdvv.exe 1968 xfllrxl.exe 4396 ttttnn.exe 1840 hnttbh.exe 2672 jdjjp.exe 1256 1rlxfrf.exe 2384 nhnthb.exe 2336 ddddj.exe 4580 flxfflr.exe 4012 lxfrrxf.exe 4412 bnhbbb.exe 1388 dddvp.exe 4996 xfxrrrr.exe 4756 tbnntt.exe 1828 pdjjv.exe 2060 pvdpj.exe 2760 bnnbtn.exe 3508 ththth.exe -
resource yara_rule behavioral2/memory/2268-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2268-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3676-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4380-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/744-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4768-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4768-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4768-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2036-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1624-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2704-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3176-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3596-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3596-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3596-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4016-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4012-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2988-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1200-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3652-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2760-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1208-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/424-141-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1608-148-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1940-152-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3856-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1044-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5112-186-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxrrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlxfx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 3676 2268 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 84 PID 2268 wrote to memory of 3676 2268 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 84 PID 2268 wrote to memory of 3676 2268 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 84 PID 3676 wrote to memory of 4380 3676 rrrlllf.exe 85 PID 3676 wrote to memory of 4380 3676 rrrlllf.exe 85 PID 3676 wrote to memory of 4380 3676 rrrlllf.exe 85 PID 4380 wrote to memory of 744 4380 vjjpj.exe 86 PID 4380 wrote to memory of 744 4380 vjjpj.exe 86 PID 4380 wrote to memory of 744 4380 vjjpj.exe 86 PID 744 wrote to memory of 4768 744 llrrxfx.exe 87 PID 744 wrote to memory of 4768 744 llrrxfx.exe 87 PID 744 wrote to memory of 4768 744 llrrxfx.exe 87 PID 4768 wrote to memory of 4372 4768 pvpdp.exe 88 PID 4768 wrote to memory of 4372 4768 pvpdp.exe 88 PID 4768 wrote to memory of 4372 4768 pvpdp.exe 88 PID 4372 wrote to memory of 2036 4372 lrlfrrf.exe 89 PID 4372 wrote to memory of 2036 4372 lrlfrrf.exe 89 PID 4372 wrote to memory of 2036 4372 lrlfrrf.exe 89 PID 2036 wrote to memory of 1624 2036 tntbbh.exe 90 PID 2036 wrote to memory of 1624 2036 tntbbh.exe 90 PID 2036 wrote to memory of 1624 2036 tntbbh.exe 90 PID 1624 wrote to memory of 2704 1624 vvdjj.exe 91 PID 1624 wrote to memory of 2704 1624 vvdjj.exe 91 PID 1624 wrote to memory of 2704 1624 vvdjj.exe 91 PID 2704 wrote to memory of 3176 2704 jdjvp.exe 92 PID 2704 wrote to memory of 3176 2704 jdjvp.exe 92 PID 2704 wrote to memory of 3176 2704 jdjvp.exe 92 PID 3176 wrote to memory of 3596 3176 xfrrxxx.exe 94 PID 3176 wrote to memory of 3596 3176 xfrrxxx.exe 94 PID 3176 wrote to memory of 3596 3176 xfrrxxx.exe 94 PID 3596 wrote to memory of 4016 3596 vjvpd.exe 95 PID 3596 wrote to memory of 4016 3596 vjvpd.exe 95 PID 3596 wrote to memory of 4016 3596 vjvpd.exe 95 PID 4016 wrote to memory of 4012 4016 flxlxfx.exe 96 PID 4016 wrote to memory of 
4012 4016 flxlxfx.exe 96 PID 4016 wrote to memory of 4012 4016 flxlxfx.exe 96 PID 4012 wrote to memory of 2988 4012 9pjjj.exe 97 PID 4012 wrote to memory of 2988 4012 9pjjj.exe 97 PID 4012 wrote to memory of 2988 4012 9pjjj.exe 97 PID 2988 wrote to memory of 1200 2988 rxrxlrx.exe 98 PID 2988 wrote to memory of 1200 2988 rxrxlrx.exe 98 PID 2988 wrote to memory of 1200 2988 rxrxlrx.exe 98 PID 1200 wrote to memory of 3652 1200 bnttnh.exe 99 PID 1200 wrote to memory of 3652 1200 bnttnh.exe 99 PID 1200 wrote to memory of 3652 1200 bnttnh.exe 99 PID 3652 wrote to memory of 2380 3652 llflrfl.exe 100 PID 3652 wrote to memory of 2380 3652 llflrfl.exe 100 PID 3652 wrote to memory of 2380 3652 llflrfl.exe 100 PID 2380 wrote to memory of 2060 2380 thtttb.exe 101 PID 2380 wrote to memory of 2060 2380 thtttb.exe 101 PID 2380 wrote to memory of 2060 2380 thtttb.exe 101 PID 2060 wrote to memory of 2760 2060 vpppv.exe 102 PID 2060 wrote to memory of 2760 2060 vpppv.exe 102 PID 2060 wrote to memory of 2760 2060 vpppv.exe 102 PID 2760 wrote to memory of 1208 2760 1ttttt.exe 103 PID 2760 wrote to memory of 1208 2760 1ttttt.exe 103 PID 2760 wrote to memory of 1208 2760 1ttttt.exe 103 PID 1208 wrote to memory of 424 1208 ppvpv.exe 104 PID 1208 wrote to memory of 424 1208 ppvpv.exe 104 PID 1208 wrote to memory of 424 1208 ppvpv.exe 104 PID 424 wrote to memory of 1608 424 tbtnth.exe 105 PID 424 wrote to memory of 1608 424 tbtnth.exe 105 PID 424 wrote to memory of 1608 424 tbtnth.exe 105 PID 1608 wrote to memory of 1940 1608 vdjjj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe"C:\Users\Admin\AppData\Local\Temp\e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\rrrlllf.exec:\rrrlllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\vjjpj.exec:\vjjpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\llrrxfx.exec:\llrrxfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\pvpdp.exec:\pvpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\lrlfrrf.exec:\lrlfrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\tntbbh.exec:\tntbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\vvdjj.exec:\vvdjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\jdjvp.exec:\jdjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\xfrrxxx.exec:\xfrrxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\vjvpd.exec:\vjvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\flxlxfx.exec:\flxlxfx.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\9pjjj.exec:\9pjjj.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\rxrxlrx.exec:\rxrxlrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\bnttnh.exec:\bnttnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\llflrfl.exec:\llflrfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\thtttb.exec:\thtttb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vpppv.exec:\vpppv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\1ttttt.exec:\1ttttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\ppvpv.exec:\ppvpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\tbtnth.exec:\tbtnth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:424 -
\??\c:\vdjjj.exec:\vdjjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\jpjjp.exec:\jpjjp.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\tbntnh.exec:\tbntnh.exe24⤵
- Executes dropped EXE
PID:1592 -
\??\c:\dvjvv.exec:\dvjvv.exe25⤵
- Executes dropped EXE
PID:3856 -
\??\c:\btbnbn.exec:\btbnbn.exe26⤵
- Executes dropped EXE
PID:2628 -
\??\c:\tnbtnt.exec:\tnbtnt.exe27⤵
- Executes dropped EXE
PID:3476 -
\??\c:\djppj.exec:\djppj.exe28⤵
- Executes dropped EXE
PID:5112 -
\??\c:\rxxrrxx.exec:\rxxrrxx.exe29⤵
- Executes dropped EXE
PID:1044 -
\??\c:\hnnbnn.exec:\hnnbnn.exe30⤵
- Executes dropped EXE
PID:3272 -
\??\c:\3pjpv.exec:\3pjpv.exe31⤵
- Executes dropped EXE
PID:4916 -
\??\c:\5flrfxf.exec:\5flrfxf.exe32⤵
- Executes dropped EXE
PID:392 -
\??\c:\btnnnn.exec:\btnnnn.exe33⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jjppp.exec:\jjppp.exe34⤵
- Executes dropped EXE
PID:1128 -
\??\c:\rrlllxx.exec:\rrlllxx.exe35⤵
- Executes dropped EXE
PID:60 -
\??\c:\bntttb.exec:\bntttb.exe36⤵
- Executes dropped EXE
PID:3032 -
\??\c:\jjvvv.exec:\jjvvv.exe37⤵
- Executes dropped EXE
PID:4584 -
\??\c:\xflrrxf.exec:\xflrrxf.exe38⤵
- Executes dropped EXE
PID:4508 -
\??\c:\bnhntb.exec:\bnhntb.exe39⤵
- Executes dropped EXE
PID:4600 -
\??\c:\jjvpv.exec:\jjvpv.exe40⤵
- Executes dropped EXE
PID:2612 -
\??\c:\lffllxx.exec:\lffllxx.exe41⤵
- Executes dropped EXE
PID:2524 -
\??\c:\ththth.exec:\ththth.exe42⤵
- Executes dropped EXE
PID:2056 -
\??\c:\ntbbtb.exec:\ntbbtb.exe43⤵
- Executes dropped EXE
PID:3420 -
\??\c:\dvvdv.exec:\dvvdv.exe44⤵
- Executes dropped EXE
PID:3952 -
\??\c:\1rfllxf.exec:\1rfllxf.exe45⤵
- Executes dropped EXE
PID:3516 -
\??\c:\hhnhbt.exec:\hhnhbt.exe46⤵
- Executes dropped EXE
PID:4840 -
\??\c:\pddjj.exec:\pddjj.exe47⤵
- Executes dropped EXE
PID:5036 -
\??\c:\jpdvv.exec:\jpdvv.exe48⤵
- Executes dropped EXE
PID:3488 -
\??\c:\xfllrxl.exec:\xfllrxl.exe49⤵
- Executes dropped EXE
PID:1968 -
\??\c:\ttttnn.exec:\ttttnn.exe50⤵
- Executes dropped EXE
PID:4396 -
\??\c:\hnttbh.exec:\hnttbh.exe51⤵
- Executes dropped EXE
PID:1840 -
\??\c:\jdjjp.exec:\jdjjp.exe52⤵
- Executes dropped EXE
PID:2672 -
\??\c:\1rlxfrf.exec:\1rlxfrf.exe53⤵
- Executes dropped EXE
PID:1256 -
\??\c:\nhnthb.exec:\nhnthb.exe54⤵
- Executes dropped EXE
PID:2384 -
\??\c:\ddddj.exec:\ddddj.exe55⤵
- Executes dropped EXE
PID:2336 -
\??\c:\flxfflr.exec:\flxfflr.exe56⤵
- Executes dropped EXE
PID:4580 -
\??\c:\lxfrrxf.exec:\lxfrrxf.exe57⤵
- Executes dropped EXE
PID:4012 -
\??\c:\bnhbbb.exec:\bnhbbb.exe58⤵
- Executes dropped EXE
PID:4412 -
\??\c:\dddvp.exec:\dddvp.exe59⤵
- Executes dropped EXE
PID:1388 -
\??\c:\xfxrrrr.exec:\xfxrrrr.exe60⤵
- Executes dropped EXE
PID:4996 -
\??\c:\tbnntt.exec:\tbnntt.exe61⤵
- Executes dropped EXE
PID:4756 -
\??\c:\pdjjv.exec:\pdjjv.exe62⤵
- Executes dropped EXE
PID:1828 -
\??\c:\pvdpj.exec:\pvdpj.exe63⤵
- Executes dropped EXE
PID:2060 -
\??\c:\bnnbtn.exec:\bnnbtn.exe64⤵
- Executes dropped EXE
PID:2760 -
\??\c:\ththth.exec:\ththth.exe65⤵
- Executes dropped EXE
PID:3508 -
\??\c:\vdvvd.exec:\vdvvd.exe66⤵PID:3844
-
\??\c:\rfxrrrr.exec:\rfxrrrr.exe67⤵PID:1892
-
\??\c:\nttnhh.exec:\nttnhh.exe68⤵PID:4848
-
\??\c:\bhhnnb.exec:\bhhnnb.exe69⤵PID:4304
-
\??\c:\dpvjp.exec:\dpvjp.exe70⤵PID:3920
-
\??\c:\1lfllxx.exec:\1lfllxx.exe71⤵PID:1596
-
\??\c:\nhbhht.exec:\nhbhht.exe72⤵PID:1544
-
\??\c:\bbnhbb.exec:\bbnhbb.exe73⤵PID:4592
-
\??\c:\jvvjp.exec:\jvvjp.exe74⤵PID:1576
-
\??\c:\ffrxflf.exec:\ffrxflf.exe75⤵PID:4884
-
\??\c:\bhtttb.exec:\bhtttb.exe76⤵PID:2296
-
\??\c:\bbnntb.exec:\bbnntb.exe77⤵PID:1296
-
\??\c:\pjpjv.exec:\pjpjv.exe78⤵PID:4852
-
\??\c:\9lxxxff.exec:\9lxxxff.exe79⤵PID:1976
-
\??\c:\xxlrfrl.exec:\xxlrfrl.exe80⤵PID:4876
-
\??\c:\bbbttn.exec:\bbbttn.exe81⤵PID:540
-
\??\c:\djjjj.exec:\djjjj.exe82⤵PID:544
-
\??\c:\pddvd.exec:\pddvd.exe83⤵PID:1764
-
\??\c:\hhnbbb.exec:\hhnbbb.exe84⤵PID:4284
-
\??\c:\vjpvd.exec:\vjpvd.exe85⤵PID:4280
-
\??\c:\fxfflrl.exec:\fxfflrl.exe86⤵PID:408
-
\??\c:\rrrffrl.exec:\rrrffrl.exe87⤵PID:2464
-
\??\c:\bbhbhh.exec:\bbhbhh.exe88⤵PID:4920
-
\??\c:\vvppv.exec:\vvppv.exe89⤵PID:1052
-
\??\c:\1xrxrxl.exec:\1xrxrxl.exe90⤵PID:5072
-
\??\c:\flrrlrr.exec:\flrrlrr.exe91⤵PID:2536
-
\??\c:\9nntbn.exec:\9nntbn.exe92⤵PID:4416
-
\??\c:\djddp.exec:\djddp.exe93⤵PID:4372
-
\??\c:\pjdvp.exec:\pjdvp.exe94⤵PID:2036
-
\??\c:\frfflrl.exec:\frfflrl.exe95⤵PID:2984
-
\??\c:\bhbnbn.exec:\bhbnbn.exe96⤵PID:2808
-
\??\c:\thbbtn.exec:\thbbtn.exe97⤵PID:2356
-
\??\c:\pvpdj.exec:\pvpdj.exe98⤵PID:2324
-
\??\c:\fxlrfrf.exec:\fxlrfrf.exe99⤵PID:2948
-
\??\c:\ttthhh.exec:\ttthhh.exe100⤵PID:1152
-
\??\c:\ppppv.exec:\ppppv.exe101⤵PID:4580
-
\??\c:\vdpdp.exec:\vdpdp.exe102⤵PID:1512
-
\??\c:\frrlrfr.exec:\frrlrfr.exe103⤵PID:2844
-
\??\c:\9bhbtn.exec:\9bhbtn.exe104⤵PID:3172
-
\??\c:\vppjp.exec:\vppjp.exe105⤵PID:3084
-
\??\c:\3ppdd.exec:\3ppdd.exe106⤵PID:4100
-
\??\c:\ffxrlff.exec:\ffxrlff.exe107⤵PID:1208
-
\??\c:\ntnnhn.exec:\ntnnhn.exe108⤵PID:4076
-
\??\c:\pvvdv.exec:\pvvdv.exe109⤵PID:736
-
\??\c:\dvdvj.exec:\dvdvj.exe110⤵PID:2408
-
\??\c:\rflfrrf.exec:\rflfrrf.exe111⤵PID:1784
-
\??\c:\bbhntb.exec:\bbhntb.exe112⤵PID:2932
-
\??\c:\pvdjv.exec:\pvdjv.exe113⤵PID:628
-
\??\c:\7ffffll.exec:\7ffffll.exe114⤵PID:2608
-
\??\c:\nbnhtn.exec:\nbnhtn.exe115⤵PID:632
-
\??\c:\5pvpd.exec:\5pvpd.exe116⤵PID:4788
-
\??\c:\thhhtb.exec:\thhhtb.exe117⤵PID:1376
-
\??\c:\ppppp.exec:\ppppp.exe118⤵PID:1192
-
\??\c:\dvvdd.exec:\dvvdd.exe119⤵PID:3020
-
\??\c:\ffxxxxx.exec:\ffxxxxx.exe120⤵PID:1380
-
\??\c:\nnnhhn.exec:\nnnhhn.exe121⤵PID:4536
-
\??\c:\vvddd.exec:\vvddd.exe122⤵PID:4876
-