Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
23-12-2024 01:05
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
-
Size
454KB
-
MD5
1390d192e4d3caaf5d1e113cbe77b659
-
SHA1
ae2efe64d9791170c790fb700a14ed4999ec667b
-
SHA256
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051
-
SHA512
5698693d36b45f5a5b5cf591bc7b3eb702ac960f9cd00482d7f8c42abcc95310eb0030188ecad03319173d4f8516b1bd0ef4108a260e0cce849890b4d241b630
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 38 IoCs (yara matches on in-memory dumps of the running processes, not on the file on disk)
resource yara_rule behavioral1/memory/2020-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-45-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2644-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-100-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2764-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-120-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2888-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-210-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2124-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-279-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/980-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/752-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/816-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-536-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1668-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-928-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs
pid Process 1636 4288446.exe 2256 c240662.exe 2736 006244.exe 2644 jdpvv.exe 2636 o862284.exe 1668 llxxfxx.exe 2572 lxlrfxf.exe 2596 0800680.exe 1676 5nhbbb.exe 1472 k42626.exe 2708 86408.exe 2764 s0406.exe 2888 5rrxflr.exe 2856 4644622.exe 2500 hbhbbn.exe 2188 3rxrrlr.exe 1652 4682880.exe 1788 8222284.exe 2208 5xrrxff.exe 2136 s6840.exe 940 5dpdv.exe 2124 flxrllr.exe 2076 pjvvj.exe 2128 4240000.exe 2936 0462802.exe 620 rfxxxxf.exe 2972 pdjvj.exe 2332 420666.exe 1932 q64462.exe 980 2664220.exe 752 5xrxlrx.exe 2456 tttbnb.exe 1600 7fxxxfx.exe 2628 g0846.exe 2380 466686.exe 2672 628080.exe 2840 jpvjp.exe 2168 xxrlrxl.exe 2820 0428406.exe 2692 6664064.exe 2564 64266.exe 3052 1nbbbh.exe 2576 60464.exe 2348 2686280.exe 1968 48684.exe 2868 xfrxllf.exe 1988 42024.exe 2580 7nntnt.exe 2888 thbbnt.exe 300 bnhttb.exe 1392 nhbhnh.exe 2500 648468.exe 1744 26468.exe 2992 bnhhnt.exe 2140 3nbhnt.exe 2376 jjddj.exe 1980 264666.exe 2932 22020.exe 816 c244440.exe 1332 ppppv.exe 1552 7xlllll.exe 1284 e26806.exe 1660 202406.exe 1548 26402.exe -
UPX-packed image (yara rule `upx`, matched on the same memory dumps as the Blackmoon hits)
resource yara_rule behavioral1/memory/2020-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-259-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/980-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-410-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/300-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-938-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here, by opening the NLS\Language registry key).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080220.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i800260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0422846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (each process writes into the child it spawns, forming the nested drop-and-execute chain shown under Processes)
description pid Process procid_target PID 2020 wrote to memory of 1636 2020 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 2020 wrote to memory of 1636 2020 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 2020 wrote to memory of 1636 2020 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 2020 wrote to memory of 1636 2020 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 1636 wrote to memory of 2256 1636 4288446.exe 31 PID 1636 wrote to memory of 2256 1636 4288446.exe 31 PID 1636 wrote to memory of 2256 1636 4288446.exe 31 PID 1636 wrote to memory of 2256 1636 4288446.exe 31 PID 2256 wrote to memory of 2736 2256 c240662.exe 32 PID 2256 wrote to memory of 2736 2256 c240662.exe 32 PID 2256 wrote to memory of 2736 2256 c240662.exe 32 PID 2256 wrote to memory of 2736 2256 c240662.exe 32 PID 2736 wrote to memory of 2644 2736 006244.exe 33 PID 2736 wrote to memory of 2644 2736 006244.exe 33 PID 2736 wrote to memory of 2644 2736 006244.exe 33 PID 2736 wrote to memory of 2644 2736 006244.exe 33 PID 2644 wrote to memory of 2636 2644 jdpvv.exe 34 PID 2644 wrote to memory of 2636 2644 jdpvv.exe 34 PID 2644 wrote to memory of 2636 2644 jdpvv.exe 34 PID 2644 wrote to memory of 2636 2644 jdpvv.exe 34 PID 2636 wrote to memory of 1668 2636 o862284.exe 35 PID 2636 wrote to memory of 1668 2636 o862284.exe 35 PID 2636 wrote to memory of 1668 2636 o862284.exe 35 PID 2636 wrote to memory of 1668 2636 o862284.exe 35 PID 1668 wrote to memory of 2572 1668 llxxfxx.exe 36 PID 1668 wrote to memory of 2572 1668 llxxfxx.exe 36 PID 1668 wrote to memory of 2572 1668 llxxfxx.exe 36 PID 1668 wrote to memory of 2572 1668 llxxfxx.exe 36 PID 2572 wrote to memory of 2596 2572 lxlrfxf.exe 37 PID 2572 wrote to memory of 2596 2572 lxlrfxf.exe 37 PID 2572 wrote to memory of 2596 2572 lxlrfxf.exe 37 PID 2572 wrote to memory of 2596 2572 lxlrfxf.exe 37 PID 2596 wrote to memory of 1676 2596 0800680.exe 
38 PID 2596 wrote to memory of 1676 2596 0800680.exe 38 PID 2596 wrote to memory of 1676 2596 0800680.exe 38 PID 2596 wrote to memory of 1676 2596 0800680.exe 38 PID 1676 wrote to memory of 1472 1676 5nhbbb.exe 39 PID 1676 wrote to memory of 1472 1676 5nhbbb.exe 39 PID 1676 wrote to memory of 1472 1676 5nhbbb.exe 39 PID 1676 wrote to memory of 1472 1676 5nhbbb.exe 39 PID 1472 wrote to memory of 2708 1472 k42626.exe 40 PID 1472 wrote to memory of 2708 1472 k42626.exe 40 PID 1472 wrote to memory of 2708 1472 k42626.exe 40 PID 1472 wrote to memory of 2708 1472 k42626.exe 40 PID 2708 wrote to memory of 2764 2708 86408.exe 41 PID 2708 wrote to memory of 2764 2708 86408.exe 41 PID 2708 wrote to memory of 2764 2708 86408.exe 41 PID 2708 wrote to memory of 2764 2708 86408.exe 41 PID 2764 wrote to memory of 2888 2764 s0406.exe 42 PID 2764 wrote to memory of 2888 2764 s0406.exe 42 PID 2764 wrote to memory of 2888 2764 s0406.exe 42 PID 2764 wrote to memory of 2888 2764 s0406.exe 42 PID 2888 wrote to memory of 2856 2888 5rrxflr.exe 43 PID 2888 wrote to memory of 2856 2888 5rrxflr.exe 43 PID 2888 wrote to memory of 2856 2888 5rrxflr.exe 43 PID 2888 wrote to memory of 2856 2888 5rrxflr.exe 43 PID 2856 wrote to memory of 2500 2856 4644622.exe 44 PID 2856 wrote to memory of 2500 2856 4644622.exe 44 PID 2856 wrote to memory of 2500 2856 4644622.exe 44 PID 2856 wrote to memory of 2500 2856 4644622.exe 44 PID 2500 wrote to memory of 2188 2500 hbhbbn.exe 45 PID 2500 wrote to memory of 2188 2500 hbhbbn.exe 45 PID 2500 wrote to memory of 2188 2500 hbhbbn.exe 45 PID 2500 wrote to memory of 2188 2500 hbhbbn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\4288446.exec:\4288446.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\c240662.exec:\c240662.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\006244.exec:\006244.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\jdpvv.exec:\jdpvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\o862284.exec:\o862284.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\llxxfxx.exec:\llxxfxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\lxlrfxf.exec:\lxlrfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\0800680.exec:\0800680.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\5nhbbb.exec:\5nhbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\k42626.exec:\k42626.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\86408.exec:\86408.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\s0406.exec:\s0406.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\5rrxflr.exec:\5rrxflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\4644622.exec:\4644622.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\hbhbbn.exec:\hbhbbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\3rxrrlr.exec:\3rxrrlr.exe17⤵
- Executes dropped EXE
PID:2188 -
\??\c:\4682880.exec:\4682880.exe18⤵
- Executes dropped EXE
PID:1652 -
\??\c:\8222284.exec:\8222284.exe19⤵
- Executes dropped EXE
PID:1788 -
\??\c:\5xrrxff.exec:\5xrrxff.exe20⤵
- Executes dropped EXE
PID:2208 -
\??\c:\s6840.exec:\s6840.exe21⤵
- Executes dropped EXE
PID:2136 -
\??\c:\5dpdv.exec:\5dpdv.exe22⤵
- Executes dropped EXE
PID:940 -
\??\c:\flxrllr.exec:\flxrllr.exe23⤵
- Executes dropped EXE
PID:2124 -
\??\c:\pjvvj.exec:\pjvvj.exe24⤵
- Executes dropped EXE
PID:2076 -
\??\c:\4240000.exec:\4240000.exe25⤵
- Executes dropped EXE
PID:2128 -
\??\c:\0462802.exec:\0462802.exe26⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rfxxxxf.exec:\rfxxxxf.exe27⤵
- Executes dropped EXE
PID:620 -
\??\c:\pdjvj.exec:\pdjvj.exe28⤵
- Executes dropped EXE
PID:2972 -
\??\c:\420666.exec:\420666.exe29⤵
- Executes dropped EXE
PID:2332 -
\??\c:\q64462.exec:\q64462.exe30⤵
- Executes dropped EXE
PID:1932 -
\??\c:\2664220.exec:\2664220.exe31⤵
- Executes dropped EXE
PID:980 -
\??\c:\5xrxlrx.exec:\5xrxlrx.exe32⤵
- Executes dropped EXE
PID:752 -
\??\c:\tttbnb.exec:\tttbnb.exe33⤵
- Executes dropped EXE
PID:2456 -
\??\c:\7fxxxfx.exec:\7fxxxfx.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\g0846.exec:\g0846.exe35⤵
- Executes dropped EXE
PID:2628 -
\??\c:\466686.exec:\466686.exe36⤵
- Executes dropped EXE
PID:2380 -
\??\c:\628080.exec:\628080.exe37⤵
- Executes dropped EXE
PID:2672 -
\??\c:\jpvjp.exec:\jpvjp.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\xxrlrxl.exec:\xxrlrxl.exe39⤵
- Executes dropped EXE
PID:2168 -
\??\c:\0428406.exec:\0428406.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\6664064.exec:\6664064.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\64266.exec:\64266.exe42⤵
- Executes dropped EXE
PID:2564 -
\??\c:\1nbbbh.exec:\1nbbbh.exe43⤵
- Executes dropped EXE
PID:3052 -
\??\c:\60464.exec:\60464.exe44⤵
- Executes dropped EXE
PID:2576 -
\??\c:\2686280.exec:\2686280.exe45⤵
- Executes dropped EXE
PID:2348 -
\??\c:\48684.exec:\48684.exe46⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xfrxllf.exec:\xfrxllf.exe47⤵
- Executes dropped EXE
PID:2868 -
\??\c:\42024.exec:\42024.exe48⤵
- Executes dropped EXE
PID:1988 -
\??\c:\7nntnt.exec:\7nntnt.exe49⤵
- Executes dropped EXE
PID:2580 -
\??\c:\thbbnt.exec:\thbbnt.exe50⤵
- Executes dropped EXE
PID:2888 -
\??\c:\bnhttb.exec:\bnhttb.exe51⤵
- Executes dropped EXE
PID:300 -
\??\c:\nhbhnh.exec:\nhbhnh.exe52⤵
- Executes dropped EXE
PID:1392 -
\??\c:\648468.exec:\648468.exe53⤵
- Executes dropped EXE
PID:2500 -
\??\c:\26468.exec:\26468.exe54⤵
- Executes dropped EXE
PID:1744 -
\??\c:\bnhhnt.exec:\bnhhnt.exe55⤵
- Executes dropped EXE
PID:2992 -
\??\c:\3nbhnt.exec:\3nbhnt.exe56⤵
- Executes dropped EXE
PID:2140 -
\??\c:\jjddj.exec:\jjddj.exe57⤵
- Executes dropped EXE
PID:2376 -
\??\c:\264666.exec:\264666.exe58⤵
- Executes dropped EXE
PID:1980 -
\??\c:\22020.exec:\22020.exe59⤵
- Executes dropped EXE
PID:2932 -
\??\c:\c244440.exec:\c244440.exe60⤵
- Executes dropped EXE
PID:816 -
\??\c:\ppppv.exec:\ppppv.exe61⤵
- Executes dropped EXE
PID:1332 -
\??\c:\7xlllll.exec:\7xlllll.exe62⤵
- Executes dropped EXE
PID:1552 -
\??\c:\e26806.exec:\e26806.exe63⤵
- Executes dropped EXE
PID:1284 -
\??\c:\202406.exec:\202406.exe64⤵
- Executes dropped EXE
PID:1660 -
\??\c:\26402.exec:\26402.exe65⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vvvdp.exec:\vvvdp.exe66⤵PID:776
-
\??\c:\bttntt.exec:\bttntt.exe67⤵PID:336
-
\??\c:\nhtbbb.exec:\nhtbbb.exe68⤵PID:3008
-
\??\c:\jddjv.exec:\jddjv.exe69⤵PID:1684
-
\??\c:\1btbbb.exec:\1btbbb.exe70⤵PID:560
-
\??\c:\7dppp.exec:\7dppp.exe71⤵PID:680
-
\??\c:\u868064.exec:\u868064.exe72⤵PID:2428
-
\??\c:\5dvdp.exec:\5dvdp.exe73⤵PID:876
-
\??\c:\pjddp.exec:\pjddp.exe74⤵PID:752
-
\??\c:\bttbhn.exec:\bttbhn.exe75⤵PID:1956
-
\??\c:\ntntbh.exec:\ntntbh.exe76⤵PID:2308
-
\??\c:\1ddjv.exec:\1ddjv.exe77⤵PID:2368
-
\??\c:\4822446.exec:\4822446.exe78⤵PID:2628
-
\??\c:\lfxlrrl.exec:\lfxlrrl.exe79⤵PID:2380
-
\??\c:\6400262.exec:\6400262.exe80⤵PID:2672
-
\??\c:\lfrxflr.exec:\lfrxflr.exe81⤵PID:2804
-
\??\c:\o646240.exec:\o646240.exe82⤵PID:1784
-
\??\c:\pjpvj.exec:\pjpvj.exe83⤵PID:2544
-
\??\c:\9jdjp.exec:\9jdjp.exe84⤵PID:2688
-
\??\c:\264080.exec:\264080.exe85⤵PID:2516
-
\??\c:\2060044.exec:\2060044.exe86⤵PID:2592
-
\??\c:\266262.exec:\266262.exe87⤵PID:2768
-
\??\c:\2062228.exec:\2062228.exe88⤵PID:760
-
\??\c:\5htttt.exec:\5htttt.exe89⤵PID:1096
-
\??\c:\flxrxrx.exec:\flxrxrx.exe90⤵PID:2876
-
\??\c:\820644.exec:\820644.exe91⤵PID:2460
-
\??\c:\e20680.exec:\e20680.exe92⤵PID:1992
-
\??\c:\7tbhbb.exec:\7tbhbb.exe93⤵PID:2884
-
\??\c:\424862.exec:\424862.exe94⤵PID:1308
-
\??\c:\0428662.exec:\0428662.exe95⤵PID:836
-
\??\c:\0444624.exec:\0444624.exe96⤵PID:2132
-
\??\c:\9jvvj.exec:\9jvvj.exe97⤵PID:1148
-
\??\c:\826800.exec:\826800.exe98⤵PID:2996
-
\??\c:\7pdjv.exec:\7pdjv.exe99⤵PID:2072
-
\??\c:\g6066.exec:\g6066.exe100⤵PID:2140
-
\??\c:\jdjvd.exec:\jdjvd.exe101⤵PID:2148
-
\??\c:\vppjp.exec:\vppjp.exe102⤵PID:2800
-
\??\c:\1xllrxx.exec:\1xllrxx.exe103⤵PID:1052
-
\??\c:\48284.exec:\48284.exe104⤵PID:2216
-
\??\c:\268400.exec:\268400.exe105⤵PID:1332
-
\??\c:\pjdvj.exec:\pjdvj.exe106⤵PID:1552
-
\??\c:\llxfrxl.exec:\llxfrxl.exe107⤵PID:968
-
\??\c:\26024.exec:\26024.exe108⤵PID:3000
-
\??\c:\6044284.exec:\6044284.exe109⤵PID:1548
-
\??\c:\9fxlllx.exec:\9fxlllx.exe110⤵PID:1984
-
\??\c:\3djvd.exec:\3djvd.exe111⤵PID:1632
-
\??\c:\26006.exec:\26006.exe112⤵PID:3008
-
\??\c:\048062.exec:\048062.exe113⤵PID:2344
-
\??\c:\48068.exec:\48068.exe114⤵PID:3012
-
\??\c:\0602884.exec:\0602884.exe115⤵PID:1240
-
\??\c:\jjdjd.exec:\jjdjd.exe116⤵PID:748
-
\??\c:\82400.exec:\82400.exe117⤵PID:2480
-
\??\c:\xrllrrf.exec:\xrllrrf.exe118⤵PID:2448
-
\??\c:\ppjpd.exec:\ppjpd.exe119⤵PID:1640
-
\??\c:\hhhnnb.exec:\hhhnnb.exe120⤵PID:2364
-
\??\c:\nbnnbb.exec:\nbnnbb.exe121⤵PID:2660
-
\??\c:\866240.exec:\866240.exe122⤵PID:2716