Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-11-2024 05:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6.exe
-
Size
590KB
-
MD5
01335addfaf7aa894ec94da566e642e0
-
SHA1
768a88b356d32849adc5c5c3c17321efc09e1762
-
SHA256
f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6
-
SHA512
b239ae933557748e19127b19b31f26cfde33b29f1d9104175f94be317971178bf33a2e515a3e61b2ddd50865c1378c48c8e24ec352c427ab8b1ef5790365e10b
-
SSDEEP
6144:n3C9BRIj+ebjcSbcY+CaQdaFOY4iGFYtRdzzoyYxJAyfgayh:n3C9Lebz+xt4vFeFmgayh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 21 IoCs
resource yara_rule behavioral2/memory/2628-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3852-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3312-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2892-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2228-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1468-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3564-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1952-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1172-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1988-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3684-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1324-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4548-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3864-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3348-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1696-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4920-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4156-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1832-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3624-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/208-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3852 frxrllf.exe 3312 9bhbbn.exe 2892 jpdvv.exe 2228 fxflrrr.exe 3564 xflfxxx.exe 1468 bnttnt.exe 1952 pddjd.exe 4344 rrxxflr.exe 4808 nnnttn.exe 1172 jpjpp.exe 3632 btthnt.exe 1988 pdjvd.exe 3428 fxlrlxx.exe 3684 bnnttt.exe 2760 vpddj.exe 208 xffxxxr.exe 3864 9ttnnn.exe 4548 5nhbtt.exe 1324 jdddd.exe 1584 thnhhh.exe 2868 dvpvv.exe 4976 rrrxxxx.exe 3624 bbnnnn.exe 1416 ddjvp.exe 1832 fxfllll.exe 4156 hbbtnn.exe 4920 bhnhhb.exe 1696 djjvp.exe 2504 5fllfll.exe 3348 ntbhbh.exe 3288 hhtthn.exe 1488 lfxlxrx.exe 2848 vdvdd.exe 4368 bbttnn.exe 4612 dvppd.exe 892 rxffrrl.exe 548 rlfxxlr.exe 1768 bhbbhn.exe 1900 pdjjj.exe 1732 rffxrll.exe 2652 9bbtnt.exe 3064 jddvj.exe 3404 pvvpv.exe 2688 fflllll.exe 5084 hhttnn.exe 4408 tbhbtt.exe 3620 pjdvv.exe 2628 rrrrrrr.exe 1856 bhnhbb.exe 3312 djppj.exe 2892 xrfffxf.exe 4288 tbbbbt.exe 2308 dvdjj.exe 1420 1rxrrrl.exe 1596 ntttnh.exe 4624 5ppjj.exe 3248 9llrrfx.exe 4464 bnhhtt.exe 4648 rfrrrll.exe 3508 5hntbb.exe 2864 vpjjp.exe 1792 rffxrlx.exe 668 frxrffx.exe 4864 7bhttn.exe -
resource yara_rule behavioral2/memory/2628-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2628-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3852-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3852-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3312-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2892-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2228-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1468-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3564-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1952-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1952-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4344-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4344-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4808-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1952-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1172-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1172-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1988-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3684-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1324-145-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4548-137-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3864-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3348-207-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1696-195-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4920-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4156-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1832-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3624-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/208-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1952-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3852-12-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2628 wrote to memory of 3852 2628 f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6.exe 82 PID 2628 wrote to memory of 3852 2628 f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6.exe 82 PID 2628 wrote to memory of 3852 2628 f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6.exe 82 PID 3852 wrote to memory of 3312 3852 frxrllf.exe 83 PID 3852 wrote to memory of 3312 3852 frxrllf.exe 83 PID 3852 wrote to memory of 3312 3852 frxrllf.exe 83 PID 3312 wrote to memory of 2892 3312 9bhbbn.exe 84 PID 3312 wrote to memory of 2892 3312 9bhbbn.exe 84 PID 3312 wrote to memory of 2892 3312 9bhbbn.exe 84 PID 2892 wrote to memory of 2228 2892 jpdvv.exe 85 PID 2892 wrote to memory of 2228 2892 jpdvv.exe 85 PID 2892 wrote to memory of 2228 2892 jpdvv.exe 85 PID 2228 wrote to memory of 3564 2228 fxflrrr.exe 86 PID 2228 wrote to memory of 3564 2228 fxflrrr.exe 86 PID 2228 wrote to memory of 3564 2228 fxflrrr.exe 86 PID 3564 wrote to memory of 1468 3564 xflfxxx.exe 87 PID 3564 wrote to memory of 1468 3564 xflfxxx.exe 87 PID 3564 wrote to memory of 1468 3564 xflfxxx.exe 87 PID 1468 wrote to memory of 1952 1468 bnttnt.exe 88 PID 1468 wrote to memory of 1952 1468 bnttnt.exe 88 PID 1468 wrote to memory of 1952 1468 bnttnt.exe 88 PID 1952 wrote to memory of 4344 1952 pddjd.exe 89 PID 1952 wrote to memory of 4344 1952 pddjd.exe 89 PID 1952 wrote to memory of 4344 1952 pddjd.exe 89 PID 4344 wrote to memory of 4808 4344 rrxxflr.exe 90 PID 4344 wrote to memory of 4808 4344 rrxxflr.exe 90 PID 4344 wrote to memory of 4808 4344 rrxxflr.exe 90 PID 4808 wrote to memory of 1172 4808 nnnttn.exe 91 PID 4808 wrote to memory of 1172 4808 nnnttn.exe 91 PID 4808 wrote to memory of 1172 4808 nnnttn.exe 91 PID 1172 wrote to memory of 3632 1172 jpjpp.exe 92 PID 1172 wrote to memory of 3632 1172 jpjpp.exe 92 PID 1172 wrote to memory of 3632 1172 jpjpp.exe 92 PID 3632 wrote to memory of 1988 3632 btthnt.exe 93 PID 3632 wrote 
to memory of 1988 3632 btthnt.exe 93 PID 3632 wrote to memory of 1988 3632 btthnt.exe 93 PID 1988 wrote to memory of 3428 1988 pdjvd.exe 94 PID 1988 wrote to memory of 3428 1988 pdjvd.exe 94 PID 1988 wrote to memory of 3428 1988 pdjvd.exe 94 PID 3428 wrote to memory of 3684 3428 fxlrlxx.exe 95 PID 3428 wrote to memory of 3684 3428 fxlrlxx.exe 95 PID 3428 wrote to memory of 3684 3428 fxlrlxx.exe 95 PID 3684 wrote to memory of 2760 3684 bnnttt.exe 96 PID 3684 wrote to memory of 2760 3684 bnnttt.exe 96 PID 3684 wrote to memory of 2760 3684 bnnttt.exe 96 PID 2760 wrote to memory of 208 2760 vpddj.exe 97 PID 2760 wrote to memory of 208 2760 vpddj.exe 97 PID 2760 wrote to memory of 208 2760 vpddj.exe 97 PID 208 wrote to memory of 3864 208 xffxxxr.exe 98 PID 208 wrote to memory of 3864 208 xffxxxr.exe 98 PID 208 wrote to memory of 3864 208 xffxxxr.exe 98 PID 3864 wrote to memory of 4548 3864 9ttnnn.exe 99 PID 3864 wrote to memory of 4548 3864 9ttnnn.exe 99 PID 3864 wrote to memory of 4548 3864 9ttnnn.exe 99 PID 4548 wrote to memory of 1324 4548 5nhbtt.exe 100 PID 4548 wrote to memory of 1324 4548 5nhbtt.exe 100 PID 4548 wrote to memory of 1324 4548 5nhbtt.exe 100 PID 1324 wrote to memory of 1584 1324 jdddd.exe 101 PID 1324 wrote to memory of 1584 1324 jdddd.exe 101 PID 1324 wrote to memory of 1584 1324 jdddd.exe 101 PID 1584 wrote to memory of 2868 1584 thnhhh.exe 102 PID 1584 wrote to memory of 2868 1584 thnhhh.exe 102 PID 1584 wrote to memory of 2868 1584 thnhhh.exe 102 PID 2868 wrote to memory of 4976 2868 dvpvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6.exe"C:\Users\Admin\AppData\Local\Temp\f8c64946fe4314a2ef35fc5f10f6a09cfc30895768aa6ff6d4b966205abb42f6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\frxrllf.exec:\frxrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\9bhbbn.exec:\9bhbbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\jpdvv.exec:\jpdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\fxflrrr.exec:\fxflrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\xflfxxx.exec:\xflfxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\bnttnt.exec:\bnttnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\pddjd.exec:\pddjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\rrxxflr.exec:\rrxxflr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\nnnttn.exec:\nnnttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\jpjpp.exec:\jpjpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\btthnt.exec:\btthnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\pdjvd.exec:\pdjvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\fxlrlxx.exec:\fxlrlxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\bnnttt.exec:\bnnttt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\vpddj.exec:\vpddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\xffxxxr.exec:\xffxxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\9ttnnn.exec:\9ttnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\5nhbtt.exec:\5nhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\jdddd.exec:\jdddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\thnhhh.exec:\thnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\dvpvv.exec:\dvpvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\rrrxxxx.exec:\rrrxxxx.exe23⤵
- Executes dropped EXE
PID:4976 -
\??\c:\bbnnnn.exec:\bbnnnn.exe24⤵
- Executes dropped EXE
PID:3624 -
\??\c:\ddjvp.exec:\ddjvp.exe25⤵
- Executes dropped EXE
PID:1416 -
\??\c:\fxfllll.exec:\fxfllll.exe26⤵
- Executes dropped EXE
PID:1832 -
\??\c:\hbbtnn.exec:\hbbtnn.exe27⤵
- Executes dropped EXE
PID:4156 -
\??\c:\bhnhhb.exec:\bhnhhb.exe28⤵
- Executes dropped EXE
PID:4920 -
\??\c:\djjvp.exec:\djjvp.exe29⤵
- Executes dropped EXE
PID:1696 -
\??\c:\5fllfll.exec:\5fllfll.exe30⤵
- Executes dropped EXE
PID:2504 -
\??\c:\ntbhbh.exec:\ntbhbh.exe31⤵
- Executes dropped EXE
PID:3348 -
\??\c:\hhtthn.exec:\hhtthn.exe32⤵
- Executes dropped EXE
PID:3288 -
\??\c:\lfxlxrx.exec:\lfxlxrx.exe33⤵
- Executes dropped EXE
PID:1488 -
\??\c:\vdvdd.exec:\vdvdd.exe34⤵
- Executes dropped EXE
PID:2848 -
\??\c:\bbttnn.exec:\bbttnn.exe35⤵
- Executes dropped EXE
PID:4368 -
\??\c:\dvppd.exec:\dvppd.exe36⤵
- Executes dropped EXE
PID:4612 -
\??\c:\rxffrrl.exec:\rxffrrl.exe37⤵
- Executes dropped EXE
PID:892 -
\??\c:\rlfxxlr.exec:\rlfxxlr.exe38⤵
- Executes dropped EXE
PID:548 -
\??\c:\bhbbhn.exec:\bhbbhn.exe39⤵
- Executes dropped EXE
PID:1768 -
\??\c:\pdjjj.exec:\pdjjj.exe40⤵
- Executes dropped EXE
PID:1900 -
\??\c:\rffxrll.exec:\rffxrll.exe41⤵
- Executes dropped EXE
PID:1732 -
\??\c:\9bbtnt.exec:\9bbtnt.exe42⤵
- Executes dropped EXE
PID:2652 -
\??\c:\jddvj.exec:\jddvj.exe43⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pvvpv.exec:\pvvpv.exe44⤵
- Executes dropped EXE
PID:3404 -
\??\c:\fflllll.exec:\fflllll.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\hhttnn.exec:\hhttnn.exe46⤵
- Executes dropped EXE
PID:5084 -
\??\c:\tbhbtt.exec:\tbhbtt.exe47⤵
- Executes dropped EXE
PID:4408 -
\??\c:\pjdvv.exec:\pjdvv.exe48⤵
- Executes dropped EXE
PID:3620 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe49⤵
- Executes dropped EXE
PID:2628 -
\??\c:\bhnhbb.exec:\bhnhbb.exe50⤵
- Executes dropped EXE
PID:1856 -
\??\c:\djppj.exec:\djppj.exe51⤵
- Executes dropped EXE
PID:3312 -
\??\c:\xrfffxf.exec:\xrfffxf.exe52⤵
- Executes dropped EXE
PID:2892 -
\??\c:\tbbbbt.exec:\tbbbbt.exe53⤵
- Executes dropped EXE
PID:4288 -
\??\c:\dvdjj.exec:\dvdjj.exe54⤵
- Executes dropped EXE
PID:2308 -
\??\c:\1rxrrrl.exec:\1rxrrrl.exe55⤵
- Executes dropped EXE
PID:1420 -
\??\c:\ntttnh.exec:\ntttnh.exe56⤵
- Executes dropped EXE
PID:1596 -
\??\c:\5ppjj.exec:\5ppjj.exe57⤵
- Executes dropped EXE
PID:4624 -
\??\c:\9llrrfx.exec:\9llrrfx.exe58⤵
- Executes dropped EXE
PID:3248 -
\??\c:\bnhhtt.exec:\bnhhtt.exe59⤵
- Executes dropped EXE
PID:4464 -
\??\c:\rfrrrll.exec:\rfrrrll.exe60⤵
- Executes dropped EXE
PID:4648 -
\??\c:\5hntbb.exec:\5hntbb.exe61⤵
- Executes dropped EXE
PID:3508 -
\??\c:\vpjjp.exec:\vpjjp.exe62⤵
- Executes dropped EXE
PID:2864 -
\??\c:\rffxrlx.exec:\rffxrlx.exe63⤵
- Executes dropped EXE
PID:1792 -
\??\c:\frxrffx.exec:\frxrffx.exe64⤵
- Executes dropped EXE
PID:668 -
\??\c:\7bhttn.exec:\7bhttn.exe65⤵
- Executes dropped EXE
PID:4864 -
\??\c:\lxxlfrl.exec:\lxxlfrl.exe66⤵PID:4636
-
\??\c:\dvvdj.exec:\dvvdj.exe67⤵PID:3832
-
\??\c:\rllllxr.exec:\rllllxr.exe68⤵PID:2428
-
\??\c:\hhtbbh.exec:\hhtbbh.exe69⤵PID:216
-
\??\c:\9rlfxrf.exec:\9rlfxrf.exe70⤵PID:2248
-
\??\c:\lllfrxf.exec:\lllfrxf.exe71⤵PID:500
-
\??\c:\bthttn.exec:\bthttn.exe72⤵PID:4088
-
\??\c:\jjpjv.exec:\jjpjv.exe73⤵PID:776
-
\??\c:\7vjdv.exec:\7vjdv.exe74⤵PID:3456
-
\??\c:\fffrffr.exec:\fffrffr.exe75⤵PID:2208
-
\??\c:\9hbtnn.exec:\9hbtnn.exe76⤵PID:4076
-
\??\c:\jdvvp.exec:\jdvvp.exe77⤵PID:4776
-
\??\c:\xrlllll.exec:\xrlllll.exe78⤵PID:3332
-
\??\c:\thnhhb.exec:\thnhhb.exe79⤵PID:5024
-
\??\c:\ttbnhb.exec:\ttbnhb.exe80⤵PID:1616
-
\??\c:\5dpjd.exec:\5dpjd.exe81⤵PID:3252
-
\??\c:\7rllflf.exec:\7rllflf.exe82⤵PID:2776
-
\??\c:\1bbnhb.exec:\1bbnhb.exe83⤵PID:2360
-
\??\c:\jdvpp.exec:\jdvpp.exe84⤵PID:2256
-
\??\c:\nttnbt.exec:\nttnbt.exe85⤵PID:1708
-
\??\c:\3nbtnn.exec:\3nbtnn.exe86⤵PID:1556
-
\??\c:\djdvp.exec:\djdvp.exe87⤵PID:3532
-
\??\c:\lffxllx.exec:\lffxllx.exe88⤵PID:1080
-
\??\c:\7thhbb.exec:\7thhbb.exe89⤵PID:4368
-
\??\c:\vjdvp.exec:\vjdvp.exe90⤵PID:3284
-
\??\c:\ffllrxf.exec:\ffllrxf.exe91⤵PID:3056
-
\??\c:\bbhtht.exec:\bbhtht.exe92⤵PID:4340
-
\??\c:\dvvvp.exec:\dvvvp.exe93⤵PID:1608
-
\??\c:\5xxrlfx.exec:\5xxrlfx.exe94⤵PID:4568
-
\??\c:\tthhnn.exec:\tthhnn.exe95⤵PID:3012
-
\??\c:\ppvvv.exec:\ppvvv.exe96⤵PID:3216
-
\??\c:\rflrrrr.exec:\rflrrrr.exe97⤵PID:1868
-
\??\c:\hnbnbh.exec:\hnbnbh.exe98⤵PID:384
-
\??\c:\3dvvj.exec:\3dvvj.exe99⤵PID:5116
-
\??\c:\fflfrrl.exec:\fflfrrl.exe100⤵PID:3968
-
\??\c:\thhbtt.exec:\thhbtt.exe101⤵PID:3560
-
\??\c:\vvppj.exec:\vvppj.exe102⤵
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\djjdd.exec:\djjdd.exe103⤵PID:2624
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe104⤵PID:5112
-
\??\c:\btthhn.exec:\btthhn.exe105⤵PID:4308
-
\??\c:\ddppp.exec:\ddppp.exe106⤵PID:60
-
\??\c:\xfllffx.exec:\xfllffx.exe107⤵PID:656
-
\??\c:\hbbnbt.exec:\hbbnbt.exe108⤵PID:936
-
\??\c:\3pvpv.exec:\3pvpv.exe109⤵PID:3484
-
\??\c:\bbhhbb.exec:\bbhhbb.exe110⤵PID:1952
-
\??\c:\ddjvv.exec:\ddjvv.exe111⤵PID:4136
-
\??\c:\rlxrxxx.exec:\rlxrxxx.exe112⤵PID:4808
-
\??\c:\rflfflf.exec:\rflfflf.exe113⤵PID:1040
-
\??\c:\nthhbb.exec:\nthhbb.exe114⤵PID:244
-
\??\c:\ppddp.exec:\ppddp.exe115⤵PID:4336
-
\??\c:\flxxflr.exec:\flxxflr.exe116⤵PID:2096
-
\??\c:\1hhbnn.exec:\1hhbnn.exe117⤵PID:224
-
\??\c:\7vjdd.exec:\7vjdd.exe118⤵PID:2432
-
\??\c:\9flxxrf.exec:\9flxxrf.exe119⤵PID:3684
-
\??\c:\lrfxlfr.exec:\lrfxlfr.exe120⤵PID:4844
-
\??\c:\bhttnn.exec:\bhttnn.exe121⤵PID:1324
-
\??\c:\pjdpp.exec:\pjdpp.exe122⤵PID:4692