Analysis
-
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-11-2024 23:22
Static task: static1
Behavioral task: behavioral1
Sample: 723309ad292f1dccdc04adf25f1f2a32530a783785340e23ba683039a67fa715.exe
Resource: win7-20240903-en
General
-
Target: 723309ad292f1dccdc04adf25f1f2a32530a783785340e23ba683039a67fa715.exe
Size: 69KB
MD5: 6d7f6ac74f3c76afb193faf660e92653
SHA1: 6c094bf9d95ce1cc6e3afcd2861564ad9e984c50
SHA256: 723309ad292f1dccdc04adf25f1f2a32530a783785340e23ba683039a67fa715
SHA512: 1d8e210a2328d44770f769af15d81422ace240eaf9610dadfaf32bf820175ddc845eb9f4b76091fe2880ac0fbeeb72ce2085ded209d603fe4e8564ee2343e598
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh1214ar47:ymb3NkkiQ3mdBjFIFdJmdar47
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 20 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (the leading number is the nesting depth in the tree; each line gives the image path, the command line in parentheses, the PID, and the signatures that process triggered):
1. C:\Users\Admin\AppData\Local\Temp\723309ad292f1dccdc04adf25f1f2a32530a783785340e23ba683039a67fa715.exe ("C:\Users\Admin\AppData\Local\Temp\723309ad292f1dccdc04adf25f1f2a32530a783785340e23ba683039a67fa715.exe") PID 2168: Suspicious use of WriteProcessMemory
2. \??\c:\vpvpv.exe (c:\vpvpv.exe) PID 2680: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\xlxfrrl.exe (c:\xlxfrrl.exe) PID 2808: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\5thntt.exe (c:\5thntt.exe) PID 2852: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\3dpvv.exe (c:\3dpvv.exe) PID 2600: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\vpvvj.exe (c:\vpvvj.exe) PID 2576: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\9nbbhh.exe (c:\9nbbhh.exe) PID 3056: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\3djvp.exe (c:\3djvp.exe) PID 1580: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\jddvp.exe (c:\jddvp.exe) PID 1284: Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\xlflrrl.exe (c:\xlflrrl.exe) PID 2388: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\rlxxllr.exe (c:\rlxxllr.exe) PID 2980: Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\7bnbbh.exe (c:\7bnbbh.exe) PID 2932: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\lfrxfrf.exe (c:\lfrxfrf.exe) PID 2904: Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\xffffrx.exe (c:\xffffrx.exe) PID 1968: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\btttbb.exe (c:\btttbb.exe) PID 568: Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\nnbbhh.exe (c:\nnbbhh.exe) PID 2068: Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\jdpdp.exe (c:\jdpdp.exe) PID 560: Executes dropped EXE
18. \??\c:\fxlrxxf.exe (c:\fxlrxxf.exe) PID 608: Executes dropped EXE
19. \??\c:\ffrxlrl.exe (c:\ffrxlrl.exe) PID 2292: Executes dropped EXE
20. \??\c:\5nhbhh.exe (c:\5nhbhh.exe) PID 1988: Executes dropped EXE
21. \??\c:\vpddj.exe (c:\vpddj.exe) PID 928: Executes dropped EXE
22. \??\c:\vpdjj.exe (c:\vpdjj.exe) PID 1652: Executes dropped EXE
23. \??\c:\7flfrlr.exe (c:\7flfrlr.exe) PID 2100: Executes dropped EXE
24. \??\c:\hbnthn.exe (c:\hbnthn.exe) PID 1464: Executes dropped EXE
25. \??\c:\nnhhnt.exe (c:\nnhhnt.exe) PID 2236: Executes dropped EXE
26. \??\c:\dvvdv.exe (c:\dvvdv.exe) PID 2476: Executes dropped EXE
27. \??\c:\jvpdd.exe (c:\jvpdd.exe) PID 820: Executes dropped EXE
28. \??\c:\rlxfrrl.exe (c:\rlxfrrl.exe) PID 2072: Executes dropped EXE
29. \??\c:\3nnthh.exe (c:\3nnthh.exe) PID 904: Executes dropped EXE
30. \??\c:\tnhntb.exe (c:\tnhntb.exe) PID 2180: Executes dropped EXE
31. \??\c:\vpvpp.exe (c:\vpvpp.exe) PID 2704: Executes dropped EXE
32. \??\c:\rlllrxl.exe (c:\rlllrxl.exe) PID 1596: Executes dropped EXE
33. \??\c:\fxrrflf.exe (c:\fxrrflf.exe) PID 2960: Executes dropped EXE
34. \??\c:\9bntbh.exe (c:\9bntbh.exe) PID 2692: Executes dropped EXE
35. \??\c:\bbhnbn.exe (c:\bbhnbn.exe) PID 2612: Executes dropped EXE
36. \??\c:\dvdjj.exe (c:\dvdjj.exe) PID 2764: Executes dropped EXE
37. \??\c:\xrrrxfr.exe (c:\xrrrxfr.exe) PID 2844: Executes dropped EXE
38. \??\c:\xxxlllr.exe (c:\xxxlllr.exe) PID 2648: Executes dropped EXE
39. \??\c:\nhnhbn.exe (c:\nhnhbn.exe) PID 1528: Executes dropped EXE
40. \??\c:\thtthn.exe (c:\thtthn.exe) PID 448: Executes dropped EXE
41. \??\c:\9pjpj.exe (c:\9pjpj.exe) PID 1496: Executes dropped EXE
42. \??\c:\rlrrrxl.exe (c:\rlrrrxl.exe) PID 1260: Executes dropped EXE
43. \??\c:\1xllllf.exe (c:\1xllllf.exe) PID 1440: Executes dropped EXE
44. \??\c:\llxflfl.exe (c:\llxflfl.exe) PID 2988: Executes dropped EXE
45. \??\c:\htbbnt.exe (c:\htbbnt.exe) PID 2376: Executes dropped EXE
46. \??\c:\7vddj.exe (c:\7vddj.exe) PID 2760: Executes dropped EXE
47. \??\c:\vpddj.exe (c:\vpddj.exe) PID 2936: Executes dropped EXE
48. \??\c:\vjjjd.exe (c:\vjjjd.exe) PID 1536: Executes dropped EXE
49. \??\c:\5xlfllx.exe (c:\5xlfllx.exe) PID 1692: Executes dropped EXE
50. \??\c:\xrlrxfl.exe (c:\xrlrxfl.exe) PID 2096: Executes dropped EXE
51. \??\c:\3tntht.exe (c:\3tntht.exe) PID 2144: Executes dropped EXE
52. \??\c:\1nbbbb.exe (c:\1nbbbb.exe) PID 1272: Executes dropped EXE
53. \??\c:\9ppdd.exe (c:\9ppdd.exe) PID 2200: Executes dropped EXE
54. \??\c:\1jvdj.exe (c:\1jvdj.exe) PID 2368: Executes dropped EXE
55. \??\c:\3rlfrrr.exe (c:\3rlfrrr.exe) PID 1812: Executes dropped EXE
56. \??\c:\lxlffrr.exe (c:\lxlffrr.exe) PID 2140: Executes dropped EXE
57. \??\c:\1bnhnn.exe (c:\1bnhnn.exe) PID 2152: Executes dropped EXE
58. \??\c:\3thbbb.exe (c:\3thbbb.exe) PID 2060: Executes dropped EXE
59. \??\c:\5pdpv.exe (c:\5pdpv.exe) PID 328: Executes dropped EXE
60. \??\c:\vpppj.exe (c:\vpppj.exe) PID 2100: Executes dropped EXE
61. \??\c:\xrrllff.exe (c:\xrrllff.exe) PID 1732: Executes dropped EXE
62. \??\c:\7rffflr.exe (c:\7rffflr.exe) PID 1540: Executes dropped EXE
63. \??\c:\thtnnn.exe (c:\thtnnn.exe) PID 1792: Executes dropped EXE
64. \??\c:\bbthtn.exe (c:\bbthtn.exe) PID 2492: Executes dropped EXE
65. \??\c:\3ppvv.exe (c:\3ppvv.exe) PID 1688: Executes dropped EXE
66. \??\c:\dvpvj.exe (c:\dvpvj.exe) PID 1040
67. \??\c:\fxfffxf.exe (c:\fxfffxf.exe) PID 1768
68. \??\c:\lfrxfxx.exe (c:\lfrxfxx.exe) PID 2320
69. \??\c:\9hbbbb.exe (c:\9hbbbb.exe) PID 2732
70. \??\c:\tttbbb.exe (c:\tttbbb.exe) PID 1576
71. \??\c:\jdppv.exe (c:\jdppv.exe) PID 2728
72. \??\c:\3djvd.exe (c:\3djvd.exe) PID 1524
73. \??\c:\pjpvv.exe (c:\pjpvv.exe) PID 2956
74. \??\c:\fxlxflx.exe (c:\fxlxflx.exe) PID 2920
75. \??\c:\rffrxlx.exe (c:\rffrxlx.exe) PID 1296
76. \??\c:\nhnbht.exe (c:\nhnbht.exe) PID 2628
77. \??\c:\tnntth.exe (c:\tnntth.exe) PID 2576
78. \??\c:\jjpdj.exe (c:\jjpdj.exe) PID 3028
79. \??\c:\7flllfl.exe (c:\7flllfl.exe) PID 3036
80. \??\c:\7fffrlx.exe (c:\7fffrlx.exe) PID 2004
81. \??\c:\fxflxfl.exe (c:\fxflxfl.exe) PID 1780
82. \??\c:\hnhhht.exe (c:\hnhhht.exe) PID 2524
83. \??\c:\nhbhhh.exe (c:\nhbhhh.exe) PID 2400
84. \??\c:\vvdpv.exe (c:\vvdpv.exe) PID 2408
85. \??\c:\pjdvv.exe (c:\pjdvv.exe) PID 1716
86. \??\c:\rrrfflr.exe (c:\rrrfflr.exe) PID 2240
87. \??\c:\1tnbbn.exe (c:\1tnbbn.exe) PID 2564
88. \??\c:\nbhntt.exe (c:\nbhntt.exe) PID 2156
89. \??\c:\jpvjd.exe (c:\jpvjd.exe) PID 2128
90. \??\c:\vpddv.exe (c:\vpddv.exe) PID 1008
91. \??\c:\fxrxxlf.exe (c:\fxrxxlf.exe) PID 604
92. \??\c:\xrfrfrf.exe (c:\xrfrfrf.exe) PID 1996
93. \??\c:\nntbnh.exe (c:\nntbnh.exe) PID 2184
94. \??\c:\btnhtb.exe (c:\btnhtb.exe) PID 2344
95. \??\c:\7djpp.exe (c:\7djpp.exe) PID 2116
96. \??\c:\7dpdd.exe (c:\7dpdd.exe) PID 928
97. \??\c:\rlxlllr.exe (c:\rlxlllr.exe) PID 540
98. \??\c:\fffrlxr.exe (c:\fffrlxr.exe) PID 2088
99. \??\c:\nnbnbh.exe (c:\nnbnbh.exe) PID 716
100. \??\c:\btnbht.exe (c:\btnbht.exe) PID 2432
101. \??\c:\dvpvd.exe (c:\dvpvd.exe) PID 1372
102. \??\c:\7djpv.exe (c:\7djpv.exe) PID 2476
103. \??\c:\5xxlrxf.exe (c:\5xxlrxf.exe) PID 1020
104. \??\c:\rrrxxlf.exe (c:\rrrxxlf.exe) PID 2080
105. \??\c:\hhbthn.exe (c:\hhbthn.exe) PID 1064
106. \??\c:\ttbnbb.exe (c:\ttbnbb.exe) PID 2028
107. \??\c:\pdppv.exe (c:\pdppv.exe) PID 2168
108. \??\c:\djppd.exe (c:\djppd.exe) PID 2684
109. \??\c:\vpdpd.exe (c:\vpdpd.exe) PID 1708
110. \??\c:\rrffxxl.exe (c:\rrffxxl.exe) PID 2708
111. \??\c:\lxxllxx.exe (c:\lxxllxx.exe) PID 2840
112. \??\c:\bbtbnn.exe (c:\bbtbnn.exe) PID 2692
113. \??\c:\tnhthn.exe (c:\tnhthn.exe) PID 2812
114. \??\c:\vdvvv.exe (c:\vdvvv.exe) PID 2800
115. \??\c:\jjvjv.exe (c:\jjvjv.exe) PID 1632
116. \??\c:\7xrlrrx.exe (c:\7xrlrrx.exe) PID 2696
117. \??\c:\7xrxrxf.exe (c:\7xrxrxf.exe) PID 1276
118. \??\c:\nhbtbn.exe (c:\nhbtbn.exe) PID 900
119. \??\c:\tthbbh.exe (c:\tthbbh.exe) PID 3060
120. \??\c:\pjdjp.exe (c:\pjdjp.exe) PID 1284
121. \??\c:\ddpvj.exe (c:\ddpvj.exe) PID 1440
122. \??\c:\lfxflrr.exe (c:\lfxflrr.exe) PID 2980
123. \??\c:\xrlfflx.exe (c:\xrlfflx.exe) PID 2376
124. \??\c:\hhhnhn.exe (c:\hhhnhn.exe) PID 2760
125. \??\c:\7nhhtt.exe (c:\7nhhtt.exe) PID 2936
126. \??\c:\7rrxlxl.exe (c:\7rrxlxl.exe) PID 1392
127. \??\c:\3llxlrf.exe (c:\3llxlrf.exe) PID 1968
128. \??\c:\bbbhbh.exe (c:\bbbhbh.exe) PID 692
129. \??\c:\5ntnht.exe (c:\5ntnht.exe) PID 2144
130. \??\c:\9pjvd.exe (c:\9pjvd.exe) PID 2268
131. \??\c:\vvppj.exe (c:\vvppj.exe) PID 2384
132. \??\c:\ddpdv.exe (c:\ddpdv.exe) PID 1964
133. \??\c:\llxrxfr.exe (c:\llxrxfr.exe) PID 2420
134. \??\c:\9lfrrll.exe (c:\9lfrrll.exe) PID 1660
135. \??\c:\1bbbhn.exe (c:\1bbbhn.exe) PID 1620
136. \??\c:\1nbnbn.exe (c:\1nbnbn.exe) PID 2060
137. \??\c:\vpjvd.exe (c:\vpjvd.exe) PID 328
138. \??\c:\vvjjv.exe (c:\vvjjv.exe) PID 112
139. \??\c:\xxxxfrl.exe (c:\xxxxfrl.exe) PID 1640
140. \??\c:\flfxlrf.exe (c:\flfxlrf.exe) PID 1540
141. \??\c:\nhtbbh.exe (c:\nhtbbh.exe) PID 332
142. \??\c:\bbtntb.exe (c:\bbtntb.exe) PID 720
143. \??\c:\bbtnhn.exe (c:\bbtnhn.exe) PID 1688
144. \??\c:\djjvd.exe (c:\djjvd.exe) PID 1064
145. \??\c:\ddddp.exe (c:\ddddp.exe) PID 1768
146. \??\c:\fxrlrxl.exe (c:\fxrlrxl.exe) PID 2508
147. \??\c:\lfffllr.exe (c:\lfffllr.exe) PID 2732
148. \??\c:\3nbhnb.exe (c:\3nbhnb.exe) PID 1596
149. \??\c:\7btbhb.exe (c:\7btbhb.exe) PID 2396
150. \??\c:\pddpv.exe (c:\pddpv.exe) PID 2832
151. \??\c:\1ppdp.exe (c:\1ppdp.exe) PID 2772
152. \??\c:\rlxflxf.exe (c:\rlxflxf.exe) PID 2588: System Location Discovery: System Language Discovery
153. \??\c:\xrrxfll.exe (c:\xrrxfll.exe) PID 1296
154. \??\c:\xrlrxfl.exe (c:\xrlrxfl.exe) PID 2580
155. \??\c:\1btbnt.exe (c:\1btbnt.exe) PID 2212
156. \??\c:\hhntnt.exe (c:\hhntnt.exe) PID 2404
157. \??\c:\vvvvj.exe (c:\vvvvj.exe) PID 3036
158. \??\c:\jjjdv.exe (c:\jjjdv.exe) PID 1492
159. \??\c:\rlrrxrf.exe (c:\rlrrxrf.exe) PID 1780
160. \??\c:\ffrxflx.exe (c:\ffrxflx.exe) PID 2756
161. \??\c:\tthbbh.exe (c:\tthbbh.exe) PID 2536
162. \??\c:\7hbnbh.exe (c:\7hbnbh.exe) PID 2616
163. \??\c:\ppppv.exe (c:\ppppv.exe) PID 2932
164. \??\c:\jjppd.exe (c:\jjppd.exe) PID 300
165. \??\c:\3xxrxll.exe (c:\3xxrxll.exe) PID 2564
166. \??\c:\btntnn.exe (c:\btntnn.exe) PID 1036
167. \??\c:\nbntbh.exe (c:\nbntbh.exe) PID 908
168. \??\c:\vpddj.exe (c:\vpddj.exe) PID 2144
169. \??\c:\dvpdd.exe (c:\dvpdd.exe) PID 604
170. \??\c:\rrlrxfr.exe (c:\rrlrxfr.exe) PID 2372
171. \??\c:\xxrfllr.exe (c:\xxrfllr.exe) PID 2040
172. \??\c:\rlxrrfr.exe (c:\rlxrrfr.exe) PID 2224
173. \??\c:\tnbtbb.exe (c:\tnbtbb.exe) PID 1984
174. \??\c:\nbttht.exe (c:\nbttht.exe) PID 2152
175. \??\c:\ppddd.exe (c:\ppddd.exe) PID 540
176. \??\c:\vpjpd.exe (c:\vpjpd.exe) PID 600
177. \??\c:\ffxxffr.exe (c:\ffxxffr.exe) PID 716
178. \??\c:\rrrlfrl.exe (c:\rrrlfrl.exe) PID 2432
179. \??\c:\bthnhh.exe (c:\bthnhh.exe) PID 1372
180. \??\c:\hhthtb.exe (c:\hhthtb.exe) PID 332
181. \??\c:\dvjdj.exe (c:\dvjdj.exe) PID 2336
182. \??\c:\dvvpp.exe (c:\dvvpp.exe) PID 1052
183. \??\c:\dvpjv.exe (c:\dvpjv.exe) PID 1700
184. \??\c:\ffxllrl.exe (c:\ffxllrl.exe) PID 896
185. \??\c:\9tbtnb.exe (c:\9tbtnb.exe) PID 2380
186. \??\c:\hbbbtt.exe (c:\hbbbtt.exe) PID 2684
187. \??\c:\btbnnt.exe (c:\btbnnt.exe) PID 1708
188. \??\c:\dvpvd.exe (c:\dvpvd.exe) PID 2960
189. \??\c:\7pppd.exe (c:\7pppd.exe) PID 2712
190. \??\c:\xrflxll.exe (c:\xrflxll.exe) PID 2692
191. \??\c:\5ffrfrl.exe (c:\5ffrfrl.exe) PID 2592
192. \??\c:\bnbhbh.exe (c:\bnbhbh.exe) PID 3040
193. \??\c:\tthtth.exe (c:\tthtth.exe) PID 1528
194. \??\c:\pjddd.exe (c:\pjddd.exe) PID 3056
195. \??\c:\3ddjd.exe (c:\3ddjd.exe) PID 1276
196. \??\c:\fxrxlll.exe (c:\fxrxlll.exe) PID 1496
197. \??\c:\9rxfrxf.exe (c:\9rxfrxf.exe) PID 1340
198. \??\c:\5nthtn.exe (c:\5nthtn.exe) PID 1260
199. \??\c:\hbthbn.exe (c:\hbthbn.exe) PID 3012
200. \??\c:\btnbbn.exe (c:\btnbbn.exe) PID 2664
201. \??\c:\dvjpd.exe (c:\dvjpd.exe) PID 2940
202. \??\c:\1dvdj.exe (c:\1dvdj.exe) PID 668
203. \??\c:\llfrlrf.exe (c:\llfrlrf.exe) PID 864
204. \??\c:\lfrfrfl.exe (c:\lfrfrfl.exe) PID 1392
205. \??\c:\9thntt.exe (c:\9thntt.exe) PID 1692
206. \??\c:\nhbnth.exe (c:\nhbnth.exe) PID 484
207. \??\c:\3djpd.exe (c:\3djpd.exe) PID 2104
208. \??\c:\dvpvd.exe (c:\dvpvd.exe) PID 2208
209. \??\c:\fflrfrr.exe (c:\fflrfrr.exe) PID 1776
210. \??\c:\3rlrxlx.exe (c:\3rlrxlx.exe) PID 2040
211. \??\c:\nbnntn.exe (c:\nbnntn.exe) PID 2264
212. \??\c:\pdvvd.exe (c:\pdvvd.exe) PID 1660
213. \??\c:\jdvvd.exe (c:\jdvvd.exe) PID 920
214. \??\c:\1lfrxfr.exe (c:\1lfrxfr.exe) PID 628
215. \??\c:\lflrffl.exe (c:\lflrffl.exe) PID 2204
216. \??\c:\btntbh.exe (c:\btntbh.exe) PID 1876
217. \??\c:\5nnbth.exe (c:\5nnbth.exe) PID 2112
218. \??\c:\hbtthn.exe (c:\hbtthn.exe) PID 1372
219. \??\c:\ppddd.exe (c:\ppddd.exe) PID 1744
220. \??\c:\1pjpv.exe (c:\1pjpv.exe) PID 320
221. \??\c:\xxlflll.exe (c:\xxlflll.exe) PID 904
222. \??\c:\llllflx.exe (c:\llllflx.exe) PID 1760
223. \??\c:\tbhtth.exe (c:\tbhtth.exe) PID 2792
224. \??\c:\hhtbhh.exe (c:\hhtbhh.exe) PID 1824
225. \??\c:\jdpvd.exe (c:\jdpvd.exe) PID 1600
226. \??\c:\pjjpd.exe (c:\pjjpd.exe) PID 2700
227. \??\c:\1xffrrf.exe (c:\1xffrrf.exe) PID 2736
228. \??\c:\rrrrxfr.exe (c:\rrrrxfr.exe) PID 2008
229. \??\c:\tnntnh.exe (c:\tnntnh.exe) PID 2764
230. \??\c:\1bntbh.exe (c:\1bntbh.exe) PID 2920
231. \??\c:\btthbh.exe (c:\btthbh.exe) PID 2628
232. \??\c:\jdppv.exe (c:\jdppv.exe) PID 1676
233. \??\c:\3jpjj.exe (c:\3jpjj.exe) PID 448
234. \??\c:\xrlrflx.exe (c:\xrlrflx.exe) PID 2620
235. \??\c:\rlrlrrx.exe (c:\rlrlrrx.exe) PID 1584
236. \??\c:\nnhbnn.exe (c:\nnhbnn.exe) PID 1492
237. \??\c:\nhbhnb.exe (c:\nhbhnb.exe) PID 1808
238. \??\c:\9djdp.exe (c:\9djdp.exe) PID 2672
239. \??\c:\pdjjv.exe (c:\pdjjv.exe) PID 2876
240. \??\c:\3xrlxxl.exe (c:\3xrlxxl.exe) PID 2980
241. \??\c:\rxxxxlf.exe (c:\rxxxxlf.exe) PID 2924
242. \??\c:\3nbbbh.exe (c:\3nbbbh.exe) PID 2752