Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 23:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe
-
Size
453KB
-
MD5
41143ecafdf68bfd1c9b4234a810463d
-
SHA1
cf578c330ef4d5761f3d008b0fbd2bcc2ddf0693
-
SHA256
9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db
-
SHA512
0a64c9b6938acae117e2310ae50987cd886eb1180d6451e1ef40a87a5b37270f9c8495376cb61a80b58efe3756af426f9e526afeb3ee98227d76b4d82b021eef
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2364-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-276-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1732-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-302-0x0000000076FF0000-0x000000007710F000-memory.dmp family_blackmoon behavioral1/memory/1732-318-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2108-359-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-386-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2984-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-471-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3044-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/624-509-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2220-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-565-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2768-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-683-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/592-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2236 vppjp.exe 2780 xxxlxlf.exe 2108 fllrfrl.exe 2800 nbthtb.exe 2728 xxflxfl.exe 2572 bthntt.exe 3012 rrlrlrf.exe 1812 dvppd.exe 1456 1bbbnt.exe 2076 ddpvp.exe 292 nnbhth.exe 868 thbtnb.exe 992 3ttbnt.exe 2840 7vpdp.exe 2140 nnhtht.exe 1964 jdjvj.exe 2952 vppvd.exe 880 7pdvp.exe 2988 pppvj.exe 2996 rrlxllx.exe 1856 jvvdp.exe 748 xffrlxr.exe 1740 3jdjd.exe 1520 xxxllrf.exe 2352 djpvd.exe 1264 1fxxffr.exe 2376 9htthb.exe 1984 3vvdv.exe 772 5lrxxfl.exe 2068 hnttnt.exe 1732 tttbhn.exe 2004 ddvjd.exe 2236 jjpvv.exe 2708 ttnthn.exe 2820 5jpvv.exe 2108 fxllffr.exe 2808 tnbbhh.exe 2556 jvvpj.exe 2552 vpjjv.exe 2584 7lffflx.exe 1028 nnnthn.exe 1316 ppjpv.exe 2060 ffrrxxf.exe 1660 1xrxffr.exe 752 thnnhn.exe 2984 pjdjp.exe 2072 rrlrflx.exe 1480 7hnnbh.exe 572 nnbhtt.exe 2272 vdvjj.exe 2852 ffffrfr.exe 2024 tbbhbh.exe 2328 1bntbh.exe 2944 vpvpp.exe 2464 rxxfrfl.exe 3028 5btbtb.exe 3044 hnhtnt.exe 696 pjjdp.exe 884 ffxfrxr.exe 624 7tthnt.exe 1672 jdvvd.exe 1524 lllrffr.exe 1336 lrrfrxl.exe 340 bbbnbn.exe -
resource yara_rule behavioral1/memory/2364-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-276-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1732-290-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1732-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-302-0x0000000076FF0000-0x000000007710F000-memory.dmp upx behavioral1/memory/2584-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-479-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/3044-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-509-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2220-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-711-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2236 2364 9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe 30 PID 2364 wrote to memory of 2236 2364 9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe 30 PID 2364 wrote to memory of 2236 2364 9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe 30 PID 2364 wrote to memory of 2236 2364 9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe 30 PID 2236 wrote to memory of 2780 2236 vppjp.exe 31 PID 2236 wrote to memory of 2780 2236 vppjp.exe 31 PID 2236 wrote to memory of 2780 2236 vppjp.exe 31 PID 2236 wrote to memory of 2780 2236 vppjp.exe 31 PID 2780 wrote to memory of 2108 2780 xxxlxlf.exe 32 PID 2780 wrote to memory of 2108 2780 xxxlxlf.exe 32 PID 2780 wrote to memory of 2108 2780 xxxlxlf.exe 32 PID 2780 wrote to memory of 2108 2780 xxxlxlf.exe 32 PID 2108 wrote to memory of 2800 2108 fllrfrl.exe 33 PID 2108 wrote to memory of 2800 2108 fllrfrl.exe 33 PID 2108 wrote to memory of 2800 2108 fllrfrl.exe 33 PID 2108 wrote to memory of 2800 2108 fllrfrl.exe 33 PID 2800 wrote to memory of 2728 2800 nbthtb.exe 34 PID 2800 wrote to memory of 2728 2800 nbthtb.exe 34 PID 2800 wrote to memory of 2728 2800 nbthtb.exe 34 PID 2800 wrote to memory of 2728 2800 nbthtb.exe 34 PID 2728 wrote to memory of 2572 2728 xxflxfl.exe 35 PID 2728 wrote to memory of 2572 2728 xxflxfl.exe 35 PID 2728 wrote to memory of 2572 2728 xxflxfl.exe 35 PID 2728 wrote to memory of 2572 2728 xxflxfl.exe 35 PID 2572 wrote to memory of 3012 2572 bthntt.exe 36 PID 2572 wrote to memory of 3012 2572 bthntt.exe 36 PID 2572 wrote to memory of 3012 2572 bthntt.exe 36 PID 2572 wrote to memory of 3012 2572 bthntt.exe 36 PID 3012 wrote to memory of 1812 3012 rrlrlrf.exe 37 PID 3012 wrote to memory of 1812 3012 rrlrlrf.exe 37 PID 3012 wrote to memory of 1812 3012 rrlrlrf.exe 37 PID 3012 wrote to memory of 1812 3012 rrlrlrf.exe 37 PID 1812 wrote to memory of 1456 1812 dvppd.exe 38 
PID 1812 wrote to memory of 1456 1812 dvppd.exe 38 PID 1812 wrote to memory of 1456 1812 dvppd.exe 38 PID 1812 wrote to memory of 1456 1812 dvppd.exe 38 PID 1456 wrote to memory of 2076 1456 1bbbnt.exe 39 PID 1456 wrote to memory of 2076 1456 1bbbnt.exe 39 PID 1456 wrote to memory of 2076 1456 1bbbnt.exe 39 PID 1456 wrote to memory of 2076 1456 1bbbnt.exe 39 PID 2076 wrote to memory of 292 2076 ddpvp.exe 40 PID 2076 wrote to memory of 292 2076 ddpvp.exe 40 PID 2076 wrote to memory of 292 2076 ddpvp.exe 40 PID 2076 wrote to memory of 292 2076 ddpvp.exe 40 PID 292 wrote to memory of 868 292 nnbhth.exe 41 PID 292 wrote to memory of 868 292 nnbhth.exe 41 PID 292 wrote to memory of 868 292 nnbhth.exe 41 PID 292 wrote to memory of 868 292 nnbhth.exe 41 PID 868 wrote to memory of 992 868 thbtnb.exe 42 PID 868 wrote to memory of 992 868 thbtnb.exe 42 PID 868 wrote to memory of 992 868 thbtnb.exe 42 PID 868 wrote to memory of 992 868 thbtnb.exe 42 PID 992 wrote to memory of 2840 992 3ttbnt.exe 43 PID 992 wrote to memory of 2840 992 3ttbnt.exe 43 PID 992 wrote to memory of 2840 992 3ttbnt.exe 43 PID 992 wrote to memory of 2840 992 3ttbnt.exe 43 PID 2840 wrote to memory of 2140 2840 7vpdp.exe 44 PID 2840 wrote to memory of 2140 2840 7vpdp.exe 44 PID 2840 wrote to memory of 2140 2840 7vpdp.exe 44 PID 2840 wrote to memory of 2140 2840 7vpdp.exe 44 PID 2140 wrote to memory of 1964 2140 nnhtht.exe 45 PID 2140 wrote to memory of 1964 2140 nnhtht.exe 45 PID 2140 wrote to memory of 1964 2140 nnhtht.exe 45 PID 2140 wrote to memory of 1964 2140 nnhtht.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe"C:\Users\Admin\AppData\Local\Temp\9d78d59db9342b0f142033a3d920c835572c7e9ffa3017605b59c04c517b35db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\vppjp.exec:\vppjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\xxxlxlf.exec:\xxxlxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\fllrfrl.exec:\fllrfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\nbthtb.exec:\nbthtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\xxflxfl.exec:\xxflxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\bthntt.exec:\bthntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\rrlrlrf.exec:\rrlrlrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\dvppd.exec:\dvppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\1bbbnt.exec:\1bbbnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\ddpvp.exec:\ddpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\nnbhth.exec:\nnbhth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:292 -
\??\c:\thbtnb.exec:\thbtnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\3ttbnt.exec:\3ttbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\7vpdp.exec:\7vpdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\nnhtht.exec:\nnhtht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\jdjvj.exec:\jdjvj.exe17⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vppvd.exec:\vppvd.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952 -
\??\c:\7pdvp.exec:\7pdvp.exe19⤵
- Executes dropped EXE
PID:880 -
\??\c:\pppvj.exec:\pppvj.exe20⤵
- Executes dropped EXE
PID:2988 -
\??\c:\rrlxllx.exec:\rrlxllx.exe21⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jvvdp.exec:\jvvdp.exe22⤵
- Executes dropped EXE
PID:1856 -
\??\c:\xffrlxr.exec:\xffrlxr.exe23⤵
- Executes dropped EXE
PID:748 -
\??\c:\3jdjd.exec:\3jdjd.exe24⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xxxllrf.exec:\xxxllrf.exe25⤵
- Executes dropped EXE
PID:1520 -
\??\c:\djpvd.exec:\djpvd.exe26⤵
- Executes dropped EXE
PID:2352 -
\??\c:\1fxxffr.exec:\1fxxffr.exe27⤵
- Executes dropped EXE
PID:1264 -
\??\c:\9htthb.exec:\9htthb.exe28⤵
- Executes dropped EXE
PID:2376 -
\??\c:\3vvdv.exec:\3vvdv.exe29⤵
- Executes dropped EXE
PID:1984 -
\??\c:\5lrxxfl.exec:\5lrxxfl.exe30⤵
- Executes dropped EXE
PID:772 -
\??\c:\hnttnt.exec:\hnttnt.exe31⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tttbhn.exec:\tttbhn.exe32⤵
- Executes dropped EXE
PID:1732 -
\??\c:\ddvjd.exec:\ddvjd.exe33⤵
- Executes dropped EXE
PID:2004 -
\??\c:\9nhnhb.exec:\9nhnhb.exe34⤵PID:2756
-
\??\c:\jjpvv.exec:\jjpvv.exe35⤵
- Executes dropped EXE
PID:2236 -
\??\c:\ttnthn.exec:\ttnthn.exe36⤵
- Executes dropped EXE
PID:2708 -
\??\c:\5jpvv.exec:\5jpvv.exe37⤵
- Executes dropped EXE
PID:2820 -
\??\c:\fxllffr.exec:\fxllffr.exe38⤵
- Executes dropped EXE
PID:2108 -
\??\c:\tnbbhh.exec:\tnbbhh.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jvvpj.exec:\jvvpj.exe40⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vpjjv.exec:\vpjjv.exe41⤵
- Executes dropped EXE
PID:2552 -
\??\c:\7lffflx.exec:\7lffflx.exe42⤵
- Executes dropped EXE
PID:2584 -
\??\c:\nnnthn.exec:\nnnthn.exe43⤵
- Executes dropped EXE
PID:1028 -
\??\c:\ppjpv.exec:\ppjpv.exe44⤵
- Executes dropped EXE
PID:1316 -
\??\c:\ffrrxxf.exec:\ffrrxxf.exe45⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1xrxffr.exec:\1xrxffr.exe46⤵
- Executes dropped EXE
PID:1660 -
\??\c:\thnnhn.exec:\thnnhn.exe47⤵
- Executes dropped EXE
PID:752 -
\??\c:\pjdjp.exec:\pjdjp.exe48⤵
- Executes dropped EXE
PID:2984 -
\??\c:\rrlrflx.exec:\rrlrflx.exe49⤵
- Executes dropped EXE
PID:2072 -
\??\c:\7hnnbh.exec:\7hnnbh.exe50⤵
- Executes dropped EXE
PID:1480 -
\??\c:\nnbhtt.exec:\nnbhtt.exe51⤵
- Executes dropped EXE
PID:572 -
\??\c:\vdvjj.exec:\vdvjj.exe52⤵
- Executes dropped EXE
PID:2272 -
\??\c:\ffffrfr.exec:\ffffrfr.exe53⤵
- Executes dropped EXE
PID:2852 -
\??\c:\tbbhbh.exec:\tbbhbh.exe54⤵
- Executes dropped EXE
PID:2024 -
\??\c:\1bntbh.exec:\1bntbh.exe55⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vpvpp.exec:\vpvpp.exe56⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rxxfrfl.exec:\rxxfrfl.exe57⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5btbtb.exec:\5btbtb.exe58⤵
- Executes dropped EXE
PID:3028 -
\??\c:\hnhtnt.exec:\hnhtnt.exe59⤵
- Executes dropped EXE
PID:3044 -
\??\c:\pjjdp.exec:\pjjdp.exe60⤵
- Executes dropped EXE
PID:696 -
\??\c:\ffxfrxr.exec:\ffxfrxr.exe61⤵
- Executes dropped EXE
PID:884 -
\??\c:\7tthnt.exec:\7tthnt.exe62⤵
- Executes dropped EXE
PID:624 -
\??\c:\jdvvd.exec:\jdvvd.exe63⤵
- Executes dropped EXE
PID:1672 -
\??\c:\lllrffr.exec:\lllrffr.exe64⤵
- Executes dropped EXE
PID:1524 -
\??\c:\lrrfrxl.exec:\lrrfrxl.exe65⤵
- Executes dropped EXE
PID:1336 -
\??\c:\bbbnbn.exec:\bbbnbn.exe66⤵
- Executes dropped EXE
PID:340 -
\??\c:\dvjjv.exec:\dvjjv.exe67⤵PID:2100
-
\??\c:\xxffrxl.exec:\xxffrxl.exe68⤵PID:2220
-
\??\c:\ffxlfrx.exec:\ffxlfrx.exe69⤵PID:1720
-
\??\c:\tthntb.exec:\tthntb.exe70⤵PID:2360
-
\??\c:\5pdpd.exec:\5pdpd.exe71⤵PID:2268
-
\??\c:\ffxlrxr.exec:\ffxlrxr.exe72⤵PID:876
-
\??\c:\rlflrxf.exec:\rlflrxf.exe73⤵PID:2068
-
\??\c:\5hbhnb.exec:\5hbhnb.exe74⤵PID:2900
-
\??\c:\3pjvj.exec:\3pjvj.exe75⤵PID:2768
-
\??\c:\1frrxfl.exec:\1frrxfl.exe76⤵PID:2664
-
\??\c:\9hhntb.exec:\9hhntb.exe77⤵PID:2764
-
\??\c:\bbthbb.exec:\bbthbb.exe78⤵PID:2688
-
\??\c:\vvpdv.exec:\vvpdv.exe79⤵PID:2588
-
\??\c:\lrrrxfl.exec:\lrrrxfl.exe80⤵PID:2576
-
\??\c:\tnhnbh.exec:\tnhnbh.exe81⤵PID:1056
-
\??\c:\ttnbnt.exec:\ttnbnt.exe82⤵
- System Location Discovery: System Language Discovery
PID:2548 -
\??\c:\vvppv.exec:\vvppv.exe83⤵PID:2632
-
\??\c:\rllrxxl.exec:\rllrxxl.exe84⤵PID:2384
-
\??\c:\bbtbnt.exec:\bbtbnt.exe85⤵PID:2644
-
\??\c:\jjjvd.exec:\jjjvd.exe86⤵PID:2412
-
\??\c:\vddvp.exec:\vddvp.exe87⤵PID:2008
-
\??\c:\fxxxlrr.exec:\fxxxlrr.exe88⤵PID:2456
-
\??\c:\hbntnt.exec:\hbntnt.exe89⤵PID:1332
-
\??\c:\tnhnbh.exec:\tnhnbh.exe90⤵PID:580
-
\??\c:\djpvp.exec:\djpvp.exe91⤵PID:2324
-
\??\c:\rllrxxl.exec:\rllrxxl.exe92⤵PID:592
-
\??\c:\lllxrrl.exec:\lllxrrl.exe93⤵PID:2336
-
\??\c:\jpjpj.exec:\jpjpj.exe94⤵PID:2136
-
\??\c:\rlflfll.exec:\rlflfll.exe95⤵PID:1132
-
\??\c:\9bntbb.exec:\9bntbb.exe96⤵PID:632
-
\??\c:\hhbbbn.exec:\hhbbbn.exe97⤵PID:2960
-
\??\c:\vvpvj.exec:\vvpvj.exe98⤵PID:2328
-
\??\c:\7pjjp.exec:\7pjjp.exe99⤵PID:1076
-
\??\c:\lrlfxfr.exec:\lrlfxfr.exe100⤵PID:1972
-
\??\c:\3nnthn.exec:\3nnthn.exe101⤵PID:3028
-
\??\c:\pvjvj.exec:\pvjvj.exe102⤵PID:2988
-
\??\c:\pdvdp.exec:\pdvdp.exe103⤵PID:2104
-
\??\c:\frlrflr.exec:\frlrflr.exe104⤵PID:1980
-
\??\c:\tbbbnt.exec:\tbbbnt.exe105⤵PID:2284
-
\??\c:\ntntht.exec:\ntntht.exe106⤵PID:1764
-
\??\c:\pppvj.exec:\pppvj.exe107⤵PID:1952
-
\??\c:\tnbhnn.exec:\tnbhnn.exe108⤵PID:2884
-
\??\c:\jjddd.exec:\jjddd.exe109⤵PID:1788
-
\??\c:\jppvd.exec:\jppvd.exe110⤵PID:2116
-
\??\c:\llfrrfr.exec:\llfrrfr.exe111⤵PID:2356
-
\??\c:\tttbnt.exec:\tttbnt.exe112⤵
- System Location Discovery: System Language Discovery
PID:2824 -
\??\c:\jjddj.exec:\jjddj.exe113⤵PID:1040
-
\??\c:\ddddp.exec:\ddddp.exe114⤵PID:772
-
\??\c:\5lflrxl.exec:\5lflrxl.exe115⤵PID:1656
-
\??\c:\bhhtht.exec:\bhhtht.exe116⤵PID:1676
-
\??\c:\tttbht.exec:\tttbht.exe117⤵PID:2364
-
\??\c:\jpjvp.exec:\jpjvp.exe118⤵PID:2916
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe119⤵PID:2760
-
\??\c:\7rlrrxr.exec:\7rlrrxr.exe120⤵PID:2560
-
\??\c:\9nhhnt.exec:\9nhhnt.exe121⤵PID:2712
-
\??\c:\vvpdd.exec:\vvpdd.exe122⤵PID:2820