Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 00:56
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe
-
Size
454KB
-
MD5
a10630f3225618121648cb7fbe9f2c1f
-
SHA1
f7f30eec18c1e3bd98172c2d4175db9f5a855f77
-
SHA256
b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43
-
SHA512
ef0474dc6b450fe5d2de416fff91812f94356f05eadf221d0496da1b88f238a70ed3c5e094d9d14ac40389c22c32b9ac82262b5186d73b54a2da8428c32d225c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 32 IoCs. Note that every match below is against an in-memory dump of the running image, not the file on disk: the matched region is 0x400000–0x42A000 in each dropped process (and the same 0x2A000-byte region relocated to 0x220000–0x24A000 for PID 2616), so the family attribution is based on the unpacked code, which is consistent with the separate UPX matches on the same regions.
resource yara_rule behavioral1/memory/2508-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1320-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/648-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1076-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3028-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/700-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-712-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. Each dropped executable is written to the root of c:\ (see the process tree) and launches the next one, giving a parent→child chain more than 120 levels deep; the file names are short strings drawn from a small alphabet (b, d, f, h, j, l, n, p, r, t, v, x, sometimes with a leading digit), so they are not useful as static indicators — detect on the behaviour (executables written to the drive root by a process running from %TEMP%, and very deep process-tree chains) instead. PIDs are also reused within this run (772 and 1884 each appear twice, and the original sample's PID 2508 is later reused by xrrxlrf.exe), so correlate events by image path and start time rather than by PID alone.
pid Process 1320 fxrxrrf.exe 1864 bthntt.exe 2784 pjppv.exe 1852 lrflxfr.exe 2852 9hthbn.exe 2724 dvppj.exe 2848 xrflxlr.exe 2620 5thntb.exe 2908 vddjv.exe 2664 ddpvp.exe 1408 1llrfrf.exe 648 lrllxxl.exe 828 ntnnbb.exe 2816 dvpvd.exe 2804 vvjdp.exe 2844 fxrxflx.exe 1080 tbtbnn.exe 1432 bthnhn.exe 1508 jjvjd.exe 2072 vvpvj.exe 700 xxllxlx.exe 1076 nhbhbb.exe 2964 hnhbth.exe 1608 dvppd.exe 3028 xxffrxl.exe 2460 9hbnhn.exe 772 7djjj.exe 1680 xlflrrx.exe 1884 tnthnb.exe 2192 bnhhbb.exe 2444 7djjd.exe 872 1lxxlfr.exe 2536 1btnbn.exe 2096 7tnhtt.exe 2404 jjpdj.exe 1724 xxlrxxf.exe 1832 xrlfrxf.exe 2168 thbhtt.exe 2748 ddjvj.exe 2912 ddvvj.exe 2732 ffllfxl.exe 2716 htbttn.exe 2632 7vppj.exe 2924 pjpvd.exe 2612 5fxflrl.exe 2204 9nbntb.exe 840 7ntbhh.exe 2156 pdjvd.exe 2300 llxfxlr.exe 2952 hbtbth.exe 1040 9jvvd.exe 2940 lfxfrxr.exe 268 3lfxllr.exe 1956 hbtbhn.exe 2128 jdpvj.exe 2308 xfflxff.exe 2696 nhbbhn.exe 536 jjvdp.exe 1404 7fxrxrf.exe 1284 7tnhhh.exe 1436 vpjvj.exe 2832 3ththn.exe 2224 jdvvd.exe 772 pjddj.exe -
resource yara_rule behavioral1/memory/2508-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/648-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2908-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-867-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-978-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-1268-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1736-1356-0x0000000000400000-0x000000000042A000-memory.dmp upx - (The `upx` tag on this YARA rule block marks these memory regions as matching a UPX packer rule; the signature heading for this block did not survive extraction.)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is commonly done during ordinary runtime/locale initialisation as well, so on its own this is a weak indicator; most entries below are attributed to "Process not Found", meaning the sandbox could not resolve the (short-lived) process that opened the key at the time the event was recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. In every entry below the target PID is the child that the writing process has just launched (2508→1320, 1320→1864, 1864→2784, …), recorded four times per child; this pattern is consistent with a parent writing into its own newly created child during process start-up rather than injection into an unrelated existing process, so treat it as corroboration of the drop-and-execute chain rather than as a separate injection finding.
description pid Process procid_target PID 2508 wrote to memory of 1320 2508 b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe 30 PID 2508 wrote to memory of 1320 2508 b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe 30 PID 2508 wrote to memory of 1320 2508 b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe 30 PID 2508 wrote to memory of 1320 2508 b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe 30 PID 1320 wrote to memory of 1864 1320 fxrxrrf.exe 31 PID 1320 wrote to memory of 1864 1320 fxrxrrf.exe 31 PID 1320 wrote to memory of 1864 1320 fxrxrrf.exe 31 PID 1320 wrote to memory of 1864 1320 fxrxrrf.exe 31 PID 1864 wrote to memory of 2784 1864 bthntt.exe 32 PID 1864 wrote to memory of 2784 1864 bthntt.exe 32 PID 1864 wrote to memory of 2784 1864 bthntt.exe 32 PID 1864 wrote to memory of 2784 1864 bthntt.exe 32 PID 2784 wrote to memory of 1852 2784 pjppv.exe 33 PID 2784 wrote to memory of 1852 2784 pjppv.exe 33 PID 2784 wrote to memory of 1852 2784 pjppv.exe 33 PID 2784 wrote to memory of 1852 2784 pjppv.exe 33 PID 1852 wrote to memory of 2852 1852 lrflxfr.exe 34 PID 1852 wrote to memory of 2852 1852 lrflxfr.exe 34 PID 1852 wrote to memory of 2852 1852 lrflxfr.exe 34 PID 1852 wrote to memory of 2852 1852 lrflxfr.exe 34 PID 2852 wrote to memory of 2724 2852 9hthbn.exe 35 PID 2852 wrote to memory of 2724 2852 9hthbn.exe 35 PID 2852 wrote to memory of 2724 2852 9hthbn.exe 35 PID 2852 wrote to memory of 2724 2852 9hthbn.exe 35 PID 2724 wrote to memory of 2848 2724 dvppj.exe 36 PID 2724 wrote to memory of 2848 2724 dvppj.exe 36 PID 2724 wrote to memory of 2848 2724 dvppj.exe 36 PID 2724 wrote to memory of 2848 2724 dvppj.exe 36 PID 2848 wrote to memory of 2620 2848 xrflxlr.exe 37 PID 2848 wrote to memory of 2620 2848 xrflxlr.exe 37 PID 2848 wrote to memory of 2620 2848 xrflxlr.exe 37 PID 2848 wrote to memory of 2620 2848 xrflxlr.exe 37 PID 2620 wrote to memory of 2908 2620 5thntb.exe 38 PID 2620 
wrote to memory of 2908 2620 5thntb.exe 38 PID 2620 wrote to memory of 2908 2620 5thntb.exe 38 PID 2620 wrote to memory of 2908 2620 5thntb.exe 38 PID 2908 wrote to memory of 2664 2908 vddjv.exe 39 PID 2908 wrote to memory of 2664 2908 vddjv.exe 39 PID 2908 wrote to memory of 2664 2908 vddjv.exe 39 PID 2908 wrote to memory of 2664 2908 vddjv.exe 39 PID 2664 wrote to memory of 1408 2664 ddpvp.exe 40 PID 2664 wrote to memory of 1408 2664 ddpvp.exe 40 PID 2664 wrote to memory of 1408 2664 ddpvp.exe 40 PID 2664 wrote to memory of 1408 2664 ddpvp.exe 40 PID 1408 wrote to memory of 648 1408 1llrfrf.exe 41 PID 1408 wrote to memory of 648 1408 1llrfrf.exe 41 PID 1408 wrote to memory of 648 1408 1llrfrf.exe 41 PID 1408 wrote to memory of 648 1408 1llrfrf.exe 41 PID 648 wrote to memory of 828 648 lrllxxl.exe 42 PID 648 wrote to memory of 828 648 lrllxxl.exe 42 PID 648 wrote to memory of 828 648 lrllxxl.exe 42 PID 648 wrote to memory of 828 648 lrllxxl.exe 42 PID 828 wrote to memory of 2816 828 ntnnbb.exe 43 PID 828 wrote to memory of 2816 828 ntnnbb.exe 43 PID 828 wrote to memory of 2816 828 ntnnbb.exe 43 PID 828 wrote to memory of 2816 828 ntnnbb.exe 43 PID 2816 wrote to memory of 2804 2816 dvpvd.exe 44 PID 2816 wrote to memory of 2804 2816 dvpvd.exe 44 PID 2816 wrote to memory of 2804 2816 dvpvd.exe 44 PID 2816 wrote to memory of 2804 2816 dvpvd.exe 44 PID 2804 wrote to memory of 2844 2804 vvjdp.exe 45 PID 2804 wrote to memory of 2844 2804 vvjdp.exe 45 PID 2804 wrote to memory of 2844 2804 vvjdp.exe 45 PID 2804 wrote to memory of 2844 2804 vvjdp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe"C:\Users\Admin\AppData\Local\Temp\b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\fxrxrrf.exec:\fxrxrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\bthntt.exec:\bthntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\pjppv.exec:\pjppv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\lrflxfr.exec:\lrflxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\9hthbn.exec:\9hthbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\dvppj.exec:\dvppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\xrflxlr.exec:\xrflxlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\5thntb.exec:\5thntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\vddjv.exec:\vddjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\ddpvp.exec:\ddpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\1llrfrf.exec:\1llrfrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\lrllxxl.exec:\lrllxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\ntnnbb.exec:\ntnnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\dvpvd.exec:\dvpvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\vvjdp.exec:\vvjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\fxrxflx.exec:\fxrxflx.exe17⤵
- Executes dropped EXE
PID:2844 -
\??\c:\tbtbnn.exec:\tbtbnn.exe18⤵
- Executes dropped EXE
PID:1080 -
\??\c:\bthnhn.exec:\bthnhn.exe19⤵
- Executes dropped EXE
PID:1432 -
\??\c:\jjvjd.exec:\jjvjd.exe20⤵
- Executes dropped EXE
PID:1508 -
\??\c:\vvpvj.exec:\vvpvj.exe21⤵
- Executes dropped EXE
PID:2072 -
\??\c:\xxllxlx.exec:\xxllxlx.exe22⤵
- Executes dropped EXE
PID:700 -
\??\c:\nhbhbb.exec:\nhbhbb.exe23⤵
- Executes dropped EXE
PID:1076 -
\??\c:\hnhbth.exec:\hnhbth.exe24⤵
- Executes dropped EXE
PID:2964 -
\??\c:\dvppd.exec:\dvppd.exe25⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xxffrxl.exec:\xxffrxl.exe26⤵
- Executes dropped EXE
PID:3028 -
\??\c:\9hbnhn.exec:\9hbnhn.exe27⤵
- Executes dropped EXE
PID:2460 -
\??\c:\7djjj.exec:\7djjj.exe28⤵
- Executes dropped EXE
PID:772 -
\??\c:\xlflrrx.exec:\xlflrrx.exe29⤵
- Executes dropped EXE
PID:1680 -
\??\c:\tnthnb.exec:\tnthnb.exe30⤵
- Executes dropped EXE
PID:1884 -
\??\c:\bnhhbb.exec:\bnhhbb.exe31⤵
- Executes dropped EXE
PID:2192 -
\??\c:\7djjd.exec:\7djjd.exe32⤵
- Executes dropped EXE
PID:2444 -
\??\c:\1lxxlfr.exec:\1lxxlfr.exe33⤵
- Executes dropped EXE
PID:872 -
\??\c:\1btnbn.exec:\1btnbn.exe34⤵
- Executes dropped EXE
PID:2536 -
\??\c:\7tnhtt.exec:\7tnhtt.exe35⤵
- Executes dropped EXE
PID:2096 -
\??\c:\jjpdj.exec:\jjpdj.exe36⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xxlrxxf.exec:\xxlrxxf.exe37⤵
- Executes dropped EXE
PID:1724 -
\??\c:\xrlfrxf.exec:\xrlfrxf.exe38⤵
- Executes dropped EXE
PID:1832 -
\??\c:\thbhtt.exec:\thbhtt.exe39⤵
- Executes dropped EXE
PID:2168 -
\??\c:\ddjvj.exec:\ddjvj.exe40⤵
- Executes dropped EXE
PID:2748 -
\??\c:\ddvvj.exec:\ddvvj.exe41⤵
- Executes dropped EXE
PID:2912 -
\??\c:\ffllfxl.exec:\ffllfxl.exe42⤵
- Executes dropped EXE
PID:2732 -
\??\c:\htbttn.exec:\htbttn.exe43⤵
- Executes dropped EXE
PID:2716 -
\??\c:\7vppj.exec:\7vppj.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\pjpvd.exec:\pjpvd.exe45⤵
- Executes dropped EXE
PID:2924 -
\??\c:\5fxflrl.exec:\5fxflrl.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\9nbntb.exec:\9nbntb.exe47⤵
- Executes dropped EXE
PID:2204 -
\??\c:\7ntbhh.exec:\7ntbhh.exe48⤵
- Executes dropped EXE
PID:840 -
\??\c:\pdjvd.exec:\pdjvd.exe49⤵
- Executes dropped EXE
PID:2156 -
\??\c:\llxfxlr.exec:\llxfxlr.exe50⤵
- Executes dropped EXE
PID:2300 -
\??\c:\hbtbth.exec:\hbtbth.exe51⤵
- Executes dropped EXE
PID:2952 -
\??\c:\9jvvd.exec:\9jvvd.exe52⤵
- Executes dropped EXE
PID:1040 -
\??\c:\lfxfrxr.exec:\lfxfrxr.exe53⤵
- Executes dropped EXE
PID:2940 -
\??\c:\3lfxllr.exec:\3lfxllr.exe54⤵
- Executes dropped EXE
PID:268 -
\??\c:\hbtbhn.exec:\hbtbhn.exe55⤵
- Executes dropped EXE
PID:1956 -
\??\c:\jdpvj.exec:\jdpvj.exe56⤵
- Executes dropped EXE
PID:2128 -
\??\c:\xfflxff.exec:\xfflxff.exe57⤵
- Executes dropped EXE
PID:2308 -
\??\c:\nhbbhn.exec:\nhbbhn.exe58⤵
- Executes dropped EXE
PID:2696 -
\??\c:\jjvdp.exec:\jjvdp.exe59⤵
- Executes dropped EXE
PID:536 -
\??\c:\7fxrxrf.exec:\7fxrxrf.exe60⤵
- Executes dropped EXE
PID:1404 -
\??\c:\7tnhhh.exec:\7tnhhh.exe61⤵
- Executes dropped EXE
PID:1284 -
\??\c:\vpjvj.exec:\vpjvj.exe62⤵
- Executes dropped EXE
PID:1436 -
\??\c:\3ththn.exec:\3ththn.exe63⤵
- Executes dropped EXE
PID:2832 -
\??\c:\jdvvd.exec:\jdvvd.exe64⤵
- Executes dropped EXE
PID:2224 -
\??\c:\pjddj.exec:\pjddj.exe65⤵
- Executes dropped EXE
PID:772 -
\??\c:\lfxlrfl.exec:\lfxlrfl.exe66⤵PID:1884
-
\??\c:\hnhntt.exec:\hnhntt.exe67⤵PID:688
-
\??\c:\pvvpj.exec:\pvvpj.exe68⤵PID:2656
-
\??\c:\1rlrxfr.exec:\1rlrxfr.exe69⤵PID:3056
-
\??\c:\hbhhnh.exec:\hbhhnh.exe70⤵PID:2476
-
\??\c:\llxfrxr.exec:\llxfrxr.exe71⤵PID:2336
-
\??\c:\hhtthh.exec:\hhtthh.exe72⤵PID:1624
-
\??\c:\jjvdp.exec:\jjvdp.exe73⤵PID:2396
-
\??\c:\xrrxlrf.exec:\xrrxlrf.exe74⤵PID:2508
-
\??\c:\lxlrxxl.exec:\lxlrxxl.exe75⤵PID:1904
-
\??\c:\htnhnn.exec:\htnhnn.exe76⤵PID:2352
-
\??\c:\ddjjp.exec:\ddjjp.exe77⤵PID:2172
-
\??\c:\1fxxllr.exec:\1fxxllr.exe78⤵PID:1196
-
\??\c:\lfxflrl.exec:\lfxflrl.exe79⤵PID:2116
-
\??\c:\7tnnth.exec:\7tnnth.exe80⤵PID:1916
-
\??\c:\9hbhhn.exec:\9hbhhn.exe81⤵PID:2708
-
\??\c:\3pjpd.exec:\3pjpd.exe82⤵PID:2716
-
\??\c:\xxlxflf.exec:\xxlxflf.exe83⤵PID:2740
-
\??\c:\tnbhbh.exec:\tnbhbh.exe84⤵PID:2900
-
\??\c:\jvppv.exec:\jvppv.exe85⤵PID:2908
-
\??\c:\vjvvd.exec:\vjvvd.exe86⤵PID:2596
-
\??\c:\lrrxffl.exec:\lrrxffl.exe87⤵PID:2068
-
\??\c:\nbhnnt.exec:\nbhnnt.exe88⤵PID:2016
-
\??\c:\btnthh.exec:\btnthh.exe89⤵PID:324
-
\??\c:\pppvj.exec:\pppvj.exe90⤵PID:2824
-
\??\c:\xxxflxl.exec:\xxxflxl.exe91⤵PID:2752
-
\??\c:\lrllrrx.exec:\lrllrrx.exe92⤵PID:2856
-
\??\c:\tbnbhn.exec:\tbnbhn.exe93⤵PID:2772
-
\??\c:\7dpjp.exec:\7dpjp.exe94⤵PID:2624
-
\??\c:\pjjjv.exec:\pjjjv.exe95⤵PID:2952
-
\??\c:\fffxlfr.exec:\fffxlfr.exe96⤵PID:2644
-
\??\c:\xrflrxl.exec:\xrflrxl.exe97⤵PID:1080
-
\??\c:\thtthn.exec:\thtthn.exe98⤵PID:1740
-
\??\c:\pjjpj.exec:\pjjpj.exe99⤵PID:2000
-
\??\c:\vppjd.exec:\vppjd.exe100⤵PID:2056
-
\??\c:\lfffrrr.exec:\lfffrrr.exe101⤵PID:2616
-
\??\c:\nhnbht.exec:\nhnbht.exe102⤵PID:700
-
\??\c:\nhnntt.exec:\nhnntt.exe103⤵PID:1932
-
\??\c:\pdpvj.exec:\pdpvj.exe104⤵PID:832
-
\??\c:\lffrrxf.exec:\lffrrxf.exe105⤵PID:236
-
\??\c:\bthntt.exec:\bthntt.exe106⤵PID:1512
-
\??\c:\5ntbbn.exec:\5ntbbn.exe107⤵PID:1240
-
\??\c:\jjdpj.exec:\jjdpj.exe108⤵PID:2580
-
\??\c:\vvpvj.exec:\vvpvj.exe109⤵PID:2480
-
\??\c:\rxrlfff.exec:\rxrlfff.exe110⤵PID:2412
-
\??\c:\hbntbn.exec:\hbntbn.exe111⤵PID:2188
-
\??\c:\tttbnt.exec:\tttbnt.exe112⤵PID:3060
-
\??\c:\jvppd.exec:\jvppd.exe113⤵PID:2656
-
\??\c:\fxlrxfr.exec:\fxlrxfr.exe114⤵PID:2332
-
\??\c:\rlxxffl.exec:\rlxxffl.exe115⤵PID:2536
-
\??\c:\nhhntt.exec:\nhhntt.exe116⤵PID:2096
-
\??\c:\ppjvp.exec:\ppjvp.exe117⤵PID:1264
-
\??\c:\jdddp.exec:\jdddp.exe118⤵PID:1736
-
\??\c:\3rffxxx.exec:\3rffxxx.exe119⤵PID:2284
-
\??\c:\1xrrffx.exec:\1xrrffx.exe120⤵PID:1260
-
\??\c:\ttthth.exec:\ttthth.exe121⤵PID:2352
-
\??\c:\jjdjd.exec:\jjdjd.exe122⤵PID:2504
-