Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 15:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe
-
Size
454KB
-
MD5
a319505930a36727b0caaf4835f67c4d
-
SHA1
df378a9be4fedd0ba75abc9b0aae4b98eb63a80f
-
SHA256
8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c
-
SHA512
f9ca48fdbb43b1336f9a727ec285950037bcd2294972fe4ae9c07d3f632f7fba374211379f42605b5bae927c54db08cf136d57321c57881fe2def271ae5b3742
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1A:q7Tc2NYHUrAwfMp3CD1A
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2960-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/624-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-45-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2720-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-80-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1936-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2912-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-470-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-496-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2836-711-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2168-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 624 3htntt.exe 2576 5pjpp.exe 2620 thbbnn.exe 2712 1dvjp.exe 2720 flxlxxr.exe 2416 nhbhhh.exe 2488 9dpvp.exe 2996 rfrrfrf.exe 476 nhtbhn.exe 1000 frfxrlx.exe 1804 nhnhtt.exe 2788 pppvp.exe 2804 bhhtbb.exe 1704 9jddp.exe 1936 lfrflxf.exe 1984 nthbtn.exe 2600 vpdpd.exe 2760 1jdjd.exe 1884 bhhnht.exe 2976 7ppdp.exe 3016 hbnbnt.exe 1264 1jvvd.exe 2912 hbnhhh.exe 3012 3pjpp.exe 2364 nhtbtb.exe 1216 1ppvj.exe 1452 thhbht.exe 2180 bbbnhn.exe 2296 lxlrffx.exe 2020 hhbhtt.exe 3064 lfrxflx.exe 884 hbntbb.exe 2068 7fflrxr.exe 1232 7rlxlfr.exe 1524 hbtbtb.exe 2548 jjjjv.exe 2628 rrllxxl.exe 2056 5tthtb.exe 2452 hhnbth.exe 2472 dvjpj.exe 2432 lfrfllf.exe 2460 hnbhtt.exe 2588 nhnntn.exe 1664 vpvpd.exe 320 fxxxllx.exe 900 9tnthh.exe 936 1vpvd.exe 1780 vpdvd.exe 1804 5xllrrf.exe 2800 5htnnn.exe 2820 tnhbnt.exe 2240 jjvdj.exe 1676 llflllr.exe 1724 thtbnn.exe 1656 ppdjp.exe 2092 jvpvv.exe 2680 xrfflfl.exe 1072 btbhnh.exe 2760 3thhbh.exe 344 ppjpv.exe 3032 fxlrrxl.exe 2904 5hhnnh.exe 2392 5btbnh.exe 2252 vpjpv.exe -
resource yara_rule behavioral1/memory/2960-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-301-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2068-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-591-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2612-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-901-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lflrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2960 wrote to memory of 624 2960 8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe 28 PID 2960 wrote to memory of 624 2960 8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe 28 PID 2960 wrote to memory of 624 2960 8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe 28 PID 2960 wrote to memory of 624 2960 8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe 28 PID 624 wrote to memory of 2576 624 3htntt.exe 29 PID 624 wrote to memory of 2576 624 3htntt.exe 29 PID 624 wrote to memory of 2576 624 3htntt.exe 29 PID 624 wrote to memory of 2576 624 3htntt.exe 29 PID 2576 wrote to memory of 2620 2576 5pjpp.exe 30 PID 2576 wrote to memory of 2620 2576 5pjpp.exe 30 PID 2576 wrote to memory of 2620 2576 5pjpp.exe 30 PID 2576 wrote to memory of 2620 2576 5pjpp.exe 30 PID 2620 wrote to memory of 2712 2620 thbbnn.exe 31 PID 2620 wrote to memory of 2712 2620 thbbnn.exe 31 PID 2620 wrote to memory of 2712 2620 thbbnn.exe 31 PID 2620 wrote to memory of 2712 2620 thbbnn.exe 31 PID 2712 wrote to memory of 2720 2712 1dvjp.exe 32 PID 2712 wrote to memory of 2720 2712 1dvjp.exe 32 PID 2712 wrote to memory of 2720 2712 1dvjp.exe 32 PID 2712 wrote to memory of 2720 2712 1dvjp.exe 32 PID 2720 wrote to memory of 2416 2720 flxlxxr.exe 33 PID 2720 wrote to memory of 2416 2720 flxlxxr.exe 33 PID 2720 wrote to memory of 2416 2720 flxlxxr.exe 33 PID 2720 wrote to memory of 2416 2720 flxlxxr.exe 33 PID 2416 wrote to memory of 2488 2416 nhbhhh.exe 34 PID 2416 wrote to memory of 2488 2416 nhbhhh.exe 34 PID 2416 wrote to memory of 2488 2416 nhbhhh.exe 34 PID 2416 wrote to memory of 2488 2416 nhbhhh.exe 34 PID 2488 wrote to memory of 2996 2488 9dpvp.exe 35 PID 2488 wrote to memory of 2996 2488 9dpvp.exe 35 PID 2488 wrote to memory of 2996 2488 9dpvp.exe 35 PID 2488 wrote to memory of 2996 2488 9dpvp.exe 35 PID 2996 wrote to memory of 476 2996 rfrrfrf.exe 36 PID 2996 wrote to memory of 476 
2996 rfrrfrf.exe 36 PID 2996 wrote to memory of 476 2996 rfrrfrf.exe 36 PID 2996 wrote to memory of 476 2996 rfrrfrf.exe 36 PID 476 wrote to memory of 1000 476 nhtbhn.exe 37 PID 476 wrote to memory of 1000 476 nhtbhn.exe 37 PID 476 wrote to memory of 1000 476 nhtbhn.exe 37 PID 476 wrote to memory of 1000 476 nhtbhn.exe 37 PID 1000 wrote to memory of 1804 1000 frfxrlx.exe 38 PID 1000 wrote to memory of 1804 1000 frfxrlx.exe 38 PID 1000 wrote to memory of 1804 1000 frfxrlx.exe 38 PID 1000 wrote to memory of 1804 1000 frfxrlx.exe 38 PID 1804 wrote to memory of 2788 1804 nhnhtt.exe 39 PID 1804 wrote to memory of 2788 1804 nhnhtt.exe 39 PID 1804 wrote to memory of 2788 1804 nhnhtt.exe 39 PID 1804 wrote to memory of 2788 1804 nhnhtt.exe 39 PID 2788 wrote to memory of 2804 2788 pppvp.exe 40 PID 2788 wrote to memory of 2804 2788 pppvp.exe 40 PID 2788 wrote to memory of 2804 2788 pppvp.exe 40 PID 2788 wrote to memory of 2804 2788 pppvp.exe 40 PID 2804 wrote to memory of 1704 2804 bhhtbb.exe 41 PID 2804 wrote to memory of 1704 2804 bhhtbb.exe 41 PID 2804 wrote to memory of 1704 2804 bhhtbb.exe 41 PID 2804 wrote to memory of 1704 2804 bhhtbb.exe 41 PID 1704 wrote to memory of 1936 1704 9jddp.exe 42 PID 1704 wrote to memory of 1936 1704 9jddp.exe 42 PID 1704 wrote to memory of 1936 1704 9jddp.exe 42 PID 1704 wrote to memory of 1936 1704 9jddp.exe 42 PID 1936 wrote to memory of 1984 1936 lfrflxf.exe 43 PID 1936 wrote to memory of 1984 1936 lfrflxf.exe 43 PID 1936 wrote to memory of 1984 1936 lfrflxf.exe 43 PID 1936 wrote to memory of 1984 1936 lfrflxf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe"C:\Users\Admin\AppData\Local\Temp\8de23b1d7d29539f621e72778b363a6e2da512ba91c30674c83866b7da202a8c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\3htntt.exec:\3htntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\5pjpp.exec:\5pjpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\thbbnn.exec:\thbbnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\1dvjp.exec:\1dvjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\flxlxxr.exec:\flxlxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\nhbhhh.exec:\nhbhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\9dpvp.exec:\9dpvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\rfrrfrf.exec:\rfrrfrf.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\nhtbhn.exec:\nhtbhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:476 -
\??\c:\frfxrlx.exec:\frfxrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\nhnhtt.exec:\nhnhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\pppvp.exec:\pppvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\bhhtbb.exec:\bhhtbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\9jddp.exec:\9jddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\lfrflxf.exec:\lfrflxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\nthbtn.exec:\nthbtn.exe17⤵
- Executes dropped EXE
PID:1984 -
\??\c:\vpdpd.exec:\vpdpd.exe18⤵
- Executes dropped EXE
PID:2600 -
\??\c:\1jdjd.exec:\1jdjd.exe19⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bhhnht.exec:\bhhnht.exe20⤵
- Executes dropped EXE
PID:1884 -
\??\c:\7ppdp.exec:\7ppdp.exe21⤵
- Executes dropped EXE
PID:2976 -
\??\c:\hbnbnt.exec:\hbnbnt.exe22⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1jvvd.exec:\1jvvd.exe23⤵
- Executes dropped EXE
PID:1264 -
\??\c:\hbnhhh.exec:\hbnhhh.exe24⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3pjpp.exec:\3pjpp.exe25⤵
- Executes dropped EXE
PID:3012 -
\??\c:\nhtbtb.exec:\nhtbtb.exe26⤵
- Executes dropped EXE
PID:2364 -
\??\c:\1ppvj.exec:\1ppvj.exe27⤵
- Executes dropped EXE
PID:1216 -
\??\c:\thhbht.exec:\thhbht.exe28⤵
- Executes dropped EXE
PID:1452 -
\??\c:\bbbnhn.exec:\bbbnhn.exe29⤵
- Executes dropped EXE
PID:2180 -
\??\c:\lxlrffx.exec:\lxlrffx.exe30⤵
- Executes dropped EXE
PID:2296 -
\??\c:\hhbhtt.exec:\hhbhtt.exe31⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lfrxflx.exec:\lfrxflx.exe32⤵
- Executes dropped EXE
PID:3064 -
\??\c:\hbntbb.exec:\hbntbb.exe33⤵
- Executes dropped EXE
PID:884 -
\??\c:\7fflrxr.exec:\7fflrxr.exe34⤵
- Executes dropped EXE
PID:2068 -
\??\c:\7rlxlfr.exec:\7rlxlfr.exe35⤵
- Executes dropped EXE
PID:1232 -
\??\c:\hbtbtb.exec:\hbtbtb.exe36⤵
- Executes dropped EXE
PID:1524 -
\??\c:\jjjjv.exec:\jjjjv.exe37⤵
- Executes dropped EXE
PID:2548 -
\??\c:\rrllxxl.exec:\rrllxxl.exe38⤵
- Executes dropped EXE
PID:2628 -
\??\c:\5tthtb.exec:\5tthtb.exe39⤵
- Executes dropped EXE
PID:2056 -
\??\c:\hhnbth.exec:\hhnbth.exe40⤵
- Executes dropped EXE
PID:2452 -
\??\c:\dvjpj.exec:\dvjpj.exe41⤵
- Executes dropped EXE
PID:2472 -
\??\c:\lfrfllf.exec:\lfrfllf.exe42⤵
- Executes dropped EXE
PID:2432 -
\??\c:\hnbhtt.exec:\hnbhtt.exe43⤵
- Executes dropped EXE
PID:2460 -
\??\c:\nhnntn.exec:\nhnntn.exe44⤵
- Executes dropped EXE
PID:2588 -
\??\c:\vpvpd.exec:\vpvpd.exe45⤵
- Executes dropped EXE
PID:1664 -
\??\c:\fxxxllx.exec:\fxxxllx.exe46⤵
- Executes dropped EXE
PID:320 -
\??\c:\9tnthh.exec:\9tnthh.exe47⤵
- Executes dropped EXE
PID:900 -
\??\c:\1vpvd.exec:\1vpvd.exe48⤵
- Executes dropped EXE
PID:936 -
\??\c:\vpdvd.exec:\vpdvd.exe49⤵
- Executes dropped EXE
PID:1780 -
\??\c:\5xllrrf.exec:\5xllrrf.exe50⤵
- Executes dropped EXE
PID:1804 -
\??\c:\5htnnn.exec:\5htnnn.exe51⤵
- Executes dropped EXE
PID:2800 -
\??\c:\tnhbnt.exec:\tnhbnt.exe52⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jjvdj.exec:\jjvdj.exe53⤵
- Executes dropped EXE
PID:2240 -
\??\c:\llflllr.exec:\llflllr.exe54⤵
- Executes dropped EXE
PID:1676 -
\??\c:\thtbnn.exec:\thtbnn.exe55⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ppdjp.exec:\ppdjp.exe56⤵
- Executes dropped EXE
PID:1656 -
\??\c:\jvpvv.exec:\jvpvv.exe57⤵
- Executes dropped EXE
PID:2092 -
\??\c:\xrfflfl.exec:\xrfflfl.exe58⤵
- Executes dropped EXE
PID:2680 -
\??\c:\btbhnh.exec:\btbhnh.exe59⤵
- Executes dropped EXE
PID:1072 -
\??\c:\3thhbh.exec:\3thhbh.exe60⤵
- Executes dropped EXE
PID:2760 -
\??\c:\ppjpv.exec:\ppjpv.exe61⤵
- Executes dropped EXE
PID:344 -
\??\c:\fxlrrxl.exec:\fxlrrxl.exe62⤵
- Executes dropped EXE
PID:3032 -
\??\c:\5hhnnh.exec:\5hhnnh.exe63⤵
- Executes dropped EXE
PID:2904 -
\??\c:\5btbnh.exec:\5btbnh.exe64⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vpjpv.exec:\vpjpv.exe65⤵
- Executes dropped EXE
PID:2252 -
\??\c:\xrlxllr.exec:\xrlxllr.exe66⤵PID:3036
-
\??\c:\9flxffr.exec:\9flxffr.exe67⤵PID:1160
-
\??\c:\hhbnnh.exec:\hhbnnh.exe68⤵PID:448
-
\??\c:\ddpvd.exec:\ddpvd.exe69⤵PID:1720
-
\??\c:\1rrffxx.exec:\1rrffxx.exe70⤵PID:2228
-
\??\c:\xxffxxf.exec:\xxffxxf.exe71⤵PID:340
-
\??\c:\ttttnn.exec:\ttttnn.exe72⤵PID:1500
-
\??\c:\tnhthn.exec:\tnhthn.exe73⤵PID:752
-
\??\c:\vppjv.exec:\vppjv.exe74⤵PID:2932
-
\??\c:\7fxlxxl.exec:\7fxlxxl.exe75⤵PID:2020
-
\??\c:\nnnhhh.exec:\nnnhhh.exe76⤵PID:1960
-
\??\c:\1bnhhh.exec:\1bnhhh.exe77⤵PID:2948
-
\??\c:\jjdpd.exec:\jjdpd.exe78⤵PID:2272
-
\??\c:\rlfrffr.exec:\rlfrffr.exe79⤵PID:1520
-
\??\c:\rrllxxr.exec:\rrllxxr.exe80⤵PID:2612
-
\??\c:\htnnbn.exec:\htnnbn.exe81⤵PID:2560
-
\??\c:\jvdjj.exec:\jvdjj.exe82⤵PID:1448
-
\??\c:\dvpdj.exec:\dvpdj.exe83⤵PID:2616
-
\??\c:\frfxfxf.exec:\frfxfxf.exe84⤵PID:2464
-
\??\c:\nnhhnh.exec:\nnhhnh.exe85⤵PID:2412
-
\??\c:\nnhnhb.exec:\nnhnhb.exe86⤵PID:2532
-
\??\c:\jdjpd.exec:\jdjpd.exe87⤵PID:1968
-
\??\c:\xxflxxl.exec:\xxflxxl.exe88⤵PID:2588
-
\??\c:\hhbhtb.exec:\hhbhtb.exe89⤵PID:1932
-
\??\c:\bbntht.exec:\bbntht.exe90⤵PID:584
-
\??\c:\1jdvd.exec:\1jdvd.exe91⤵PID:900
-
\??\c:\xxlrfxr.exec:\xxlrfxr.exe92⤵PID:1668
-
\??\c:\nhbbhh.exec:\nhbbhh.exe93⤵PID:2772
-
\??\c:\5hhhhh.exec:\5hhhhh.exe94⤵PID:2856
-
\??\c:\pjdjp.exec:\pjdjp.exe95⤵PID:2836
-
\??\c:\1vjpv.exec:\1vjpv.exe96⤵PID:2828
-
\??\c:\rrfrfxl.exec:\rrfrfxl.exe97⤵PID:2240
-
\??\c:\9hbbtn.exec:\9hbbtn.exe98⤵PID:2168
-
\??\c:\3jpdp.exec:\3jpdp.exe99⤵PID:1928
-
\??\c:\7jjvd.exec:\7jjvd.exe100⤵PID:1912
-
\??\c:\xrflrrf.exec:\xrflrrf.exe101⤵PID:2672
-
\??\c:\nbnnbb.exec:\nbnnbb.exe102⤵PID:2680
-
\??\c:\bthbhb.exec:\bthbhb.exe103⤵PID:2660
-
\??\c:\1djjj.exec:\1djjj.exe104⤵PID:2760
-
\??\c:\rlxfrxl.exec:\rlxfrxl.exe105⤵PID:344
-
\??\c:\rlxfllr.exec:\rlxfllr.exe106⤵PID:3016
-
\??\c:\9nnbbt.exec:\9nnbbt.exe107⤵PID:2916
-
\??\c:\jjpvd.exec:\jjpvd.exe108⤵PID:2116
-
\??\c:\vjjjp.exec:\vjjjp.exe109⤵PID:2124
-
\??\c:\llxxfxf.exec:\llxxfxf.exe110⤵PID:1248
-
\??\c:\5rrlrrr.exec:\5rrlrrr.exe111⤵PID:2160
-
\??\c:\bnnttt.exec:\bnnttt.exe112⤵PID:1468
-
\??\c:\vjvvp.exec:\vjvvp.exe113⤵PID:1856
-
\??\c:\jjvdj.exec:\jjvdj.exe114⤵PID:692
-
\??\c:\xrfrrlr.exec:\xrfrrlr.exe115⤵PID:2332
-
\??\c:\btbbhh.exec:\btbbhh.exe116⤵PID:2156
-
\??\c:\btbhhh.exec:\btbhhh.exe117⤵PID:328
-
\??\c:\jdpjd.exec:\jdpjd.exe118⤵PID:1540
-
\??\c:\fxfllrr.exec:\fxfllrr.exe119⤵PID:2932
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe120⤵PID:300
-
\??\c:\hbnbnn.exec:\hbnbnn.exe121⤵PID:2940
-
\??\c:\dvjjd.exec:\dvjjd.exe122⤵PID:3052