Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe
-
Size
455KB
-
MD5
051eabd2813cdb993fbd81180fef6bb5
-
SHA1
8ec495aac344702d072fd87860923c5abd1d42d1
-
SHA256
e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf
-
SHA512
d19e475c262139cc097b9b35290cea7f413d93931152edc4a9584dd27b027e98b910e504aaaaf34d7aa22224589febd94ba47ec7bd725e867627ba18fe74841f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2788-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-127-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2824-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-181-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2112-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1964-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-253-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1872-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-332-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2636-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-624-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/640-680-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1588-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-875-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2816-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2840 vddpj.exe 3032 rxllxlr.exe 2496 jjddj.exe 2760 fflxfrl.exe 2564 nnhbth.exe 2692 pppvv.exe 2268 lxxrlxr.exe 2988 5lfxlll.exe 2020 ppdpv.exe 2668 ddvdv.exe 780 xrxlfff.exe 2632 jpppp.exe 2448 dvpdp.exe 2824 3nnnht.exe 2956 hhhtnt.exe 1988 rfrflrf.exe 2140 xxflfrl.exe 3052 7btnbb.exe 2432 xxrxrrl.exe 2112 bbbbth.exe 2040 rrxflll.exe 1932 9nntht.exe 1344 xxllxlx.exe 1964 1ttntn.exe 1736 ppjdp.exe 2320 1xflflf.exe 1872 1jdvp.exe 2092 hbbhth.exe 2324 jpvpp.exe 2152 5bthnb.exe 2356 dddvj.exe 2840 fxrxxrr.exe 1600 thtbtt.exe 2664 xxxfxfx.exe 2496 3nnbnb.exe 2736 djdpj.exe 2584 rlxrlxr.exe 1864 flrrxlx.exe 2848 nhthtt.exe 2636 5vvdd.exe 1584 fxrfrfl.exe 2260 nhbhth.exe 1808 1bnnbb.exe 2864 vvdvv.exe 2168 lllrxfx.exe 1216 9bnhnn.exe 1092 tthtnt.exe 640 pvpvd.exe 2968 fxxfxlx.exe 1140 hhbhtb.exe 2672 jpjdj.exe 2428 pjdpd.exe 1624 ffxlxlx.exe 2140 9btbhn.exe 2472 tttbnt.exe 2432 jdvjd.exe 2224 lrrxlll.exe 2196 nntnnt.exe 1296 9jvdd.exe 1932 xrrrflx.exe 1068 llxlxfr.exe 2384 nhtbnn.exe 1720 ppjvj.exe 1540 9lrlrrf.exe -
resource yara_rule behavioral1/memory/2788-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-256-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2840-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-803-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2856-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-873-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2816-902-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2788 wrote to memory of 2840 2788 e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe 31 PID 2788 wrote to memory of 2840 2788 e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe 31 PID 2788 wrote to memory of 2840 2788 e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe 31 PID 2788 wrote to memory of 2840 2788 e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe 31 PID 2840 wrote to memory of 3032 2840 vddpj.exe 32 PID 2840 wrote to memory of 3032 2840 vddpj.exe 32 PID 2840 wrote to memory of 3032 2840 vddpj.exe 32 PID 2840 wrote to memory of 3032 2840 vddpj.exe 32 PID 3032 wrote to memory of 2496 3032 rxllxlr.exe 33 PID 3032 wrote to memory of 2496 3032 rxllxlr.exe 33 PID 3032 wrote to memory of 2496 3032 rxllxlr.exe 33 PID 3032 wrote to memory of 2496 3032 rxllxlr.exe 33 PID 2496 wrote to memory of 2760 2496 jjddj.exe 34 PID 2496 wrote to memory of 2760 2496 jjddj.exe 34 PID 2496 wrote to memory of 2760 2496 jjddj.exe 34 PID 2496 wrote to memory of 2760 2496 jjddj.exe 34 PID 2760 wrote to memory of 2564 2760 fflxfrl.exe 35 PID 2760 wrote to memory of 2564 2760 fflxfrl.exe 35 PID 2760 wrote to memory of 2564 2760 fflxfrl.exe 35 PID 2760 wrote to memory of 2564 2760 fflxfrl.exe 35 PID 2564 wrote to memory of 2692 2564 nnhbth.exe 36 PID 2564 wrote to memory of 2692 2564 nnhbth.exe 36 PID 2564 wrote to memory of 2692 2564 nnhbth.exe 36 PID 2564 wrote to memory of 2692 2564 nnhbth.exe 36 PID 2692 wrote to memory of 2268 2692 pppvv.exe 37 PID 2692 wrote to memory of 2268 2692 pppvv.exe 37 PID 2692 wrote to memory of 2268 2692 pppvv.exe 37 PID 2692 wrote to memory of 2268 2692 pppvv.exe 37 PID 2268 wrote to memory of 2988 2268 lxxrlxr.exe 38 PID 2268 wrote to memory of 2988 2268 lxxrlxr.exe 38 PID 2268 wrote to memory of 2988 2268 lxxrlxr.exe 38 PID 2268 wrote to memory of 2988 2268 lxxrlxr.exe 38 PID 2988 wrote to memory of 2020 2988 5lfxlll.exe 39 PID 2988 
wrote to memory of 2020 2988 5lfxlll.exe 39 PID 2988 wrote to memory of 2020 2988 5lfxlll.exe 39 PID 2988 wrote to memory of 2020 2988 5lfxlll.exe 39 PID 2020 wrote to memory of 2668 2020 ppdpv.exe 40 PID 2020 wrote to memory of 2668 2020 ppdpv.exe 40 PID 2020 wrote to memory of 2668 2020 ppdpv.exe 40 PID 2020 wrote to memory of 2668 2020 ppdpv.exe 40 PID 2668 wrote to memory of 780 2668 ddvdv.exe 41 PID 2668 wrote to memory of 780 2668 ddvdv.exe 41 PID 2668 wrote to memory of 780 2668 ddvdv.exe 41 PID 2668 wrote to memory of 780 2668 ddvdv.exe 41 PID 780 wrote to memory of 2632 780 xrxlfff.exe 42 PID 780 wrote to memory of 2632 780 xrxlfff.exe 42 PID 780 wrote to memory of 2632 780 xrxlfff.exe 42 PID 780 wrote to memory of 2632 780 xrxlfff.exe 42 PID 2632 wrote to memory of 2448 2632 jpppp.exe 43 PID 2632 wrote to memory of 2448 2632 jpppp.exe 43 PID 2632 wrote to memory of 2448 2632 jpppp.exe 43 PID 2632 wrote to memory of 2448 2632 jpppp.exe 43 PID 2448 wrote to memory of 2824 2448 dvpdp.exe 44 PID 2448 wrote to memory of 2824 2448 dvpdp.exe 44 PID 2448 wrote to memory of 2824 2448 dvpdp.exe 44 PID 2448 wrote to memory of 2824 2448 dvpdp.exe 44 PID 2824 wrote to memory of 2956 2824 3nnnht.exe 45 PID 2824 wrote to memory of 2956 2824 3nnnht.exe 45 PID 2824 wrote to memory of 2956 2824 3nnnht.exe 45 PID 2824 wrote to memory of 2956 2824 3nnnht.exe 45 PID 2956 wrote to memory of 1988 2956 hhhtnt.exe 46 PID 2956 wrote to memory of 1988 2956 hhhtnt.exe 46 PID 2956 wrote to memory of 1988 2956 hhhtnt.exe 46 PID 2956 wrote to memory of 1988 2956 hhhtnt.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe"C:\Users\Admin\AppData\Local\Temp\e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\vddpj.exec:\vddpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\rxllxlr.exec:\rxllxlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\jjddj.exec:\jjddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\fflxfrl.exec:\fflxfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\nnhbth.exec:\nnhbth.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\pppvv.exec:\pppvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\lxxrlxr.exec:\lxxrlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\5lfxlll.exec:\5lfxlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\ppdpv.exec:\ppdpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\ddvdv.exec:\ddvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\xrxlfff.exec:\xrxlfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\jpppp.exec:\jpppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\dvpdp.exec:\dvpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\3nnnht.exec:\3nnnht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\hhhtnt.exec:\hhhtnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\rfrflrf.exec:\rfrflrf.exe17⤵
- Executes dropped EXE
PID:1988 -
\??\c:\xxflfrl.exec:\xxflfrl.exe18⤵
- Executes dropped EXE
PID:2140 -
\??\c:\7btnbb.exec:\7btnbb.exe19⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xxrxrrl.exec:\xxrxrrl.exe20⤵
- Executes dropped EXE
PID:2432 -
\??\c:\bbbbth.exec:\bbbbth.exe21⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rrxflll.exec:\rrxflll.exe22⤵
- Executes dropped EXE
PID:2040 -
\??\c:\9nntht.exec:\9nntht.exe23⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xxllxlx.exec:\xxllxlx.exe24⤵
- Executes dropped EXE
PID:1344 -
\??\c:\1ttntn.exec:\1ttntn.exe25⤵
- Executes dropped EXE
PID:1964 -
\??\c:\ppjdp.exec:\ppjdp.exe26⤵
- Executes dropped EXE
PID:1736 -
\??\c:\1xflflf.exec:\1xflflf.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
\??\c:\1jdvp.exec:\1jdvp.exe28⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hbbhth.exec:\hbbhth.exe29⤵
- Executes dropped EXE
PID:2092 -
\??\c:\jpvpp.exec:\jpvpp.exe30⤵
- Executes dropped EXE
PID:2324 -
\??\c:\5bthnb.exec:\5bthnb.exe31⤵
- Executes dropped EXE
PID:2152 -
\??\c:\dddvj.exec:\dddvj.exe32⤵
- Executes dropped EXE
PID:2356 -
\??\c:\fxrxxrr.exec:\fxrxxrr.exe33⤵
- Executes dropped EXE
PID:2840 -
\??\c:\thtbtt.exec:\thtbtt.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\xxxfxfx.exec:\xxxfxfx.exe35⤵
- Executes dropped EXE
PID:2664 -
\??\c:\3nnbnb.exec:\3nnbnb.exe36⤵
- Executes dropped EXE
PID:2496 -
\??\c:\djdpj.exec:\djdpj.exe37⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rlxrlxr.exec:\rlxrlxr.exe38⤵
- Executes dropped EXE
PID:2584 -
\??\c:\flrrxlx.exec:\flrrxlx.exe39⤵
- Executes dropped EXE
PID:1864 -
\??\c:\nhthtt.exec:\nhthtt.exe40⤵
- Executes dropped EXE
PID:2848 -
\??\c:\5vvdd.exec:\5vvdd.exe41⤵
- Executes dropped EXE
PID:2636 -
\??\c:\fxrfrfl.exec:\fxrfrfl.exe42⤵
- Executes dropped EXE
PID:1584 -
\??\c:\nhbhth.exec:\nhbhth.exe43⤵
- Executes dropped EXE
PID:2260 -
\??\c:\1bnnbb.exec:\1bnnbb.exe44⤵
- Executes dropped EXE
PID:1808 -
\??\c:\vvdvv.exec:\vvdvv.exe45⤵
- Executes dropped EXE
PID:2864 -
\??\c:\lllrxfx.exec:\lllrxfx.exe46⤵
- Executes dropped EXE
PID:2168 -
\??\c:\9bnhnn.exec:\9bnhnn.exe47⤵
- Executes dropped EXE
PID:1216 -
\??\c:\tthtnt.exec:\tthtnt.exe48⤵
- Executes dropped EXE
PID:1092 -
\??\c:\pvpvd.exec:\pvpvd.exe49⤵
- Executes dropped EXE
PID:640 -
\??\c:\fxxfxlx.exec:\fxxfxlx.exe50⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hhbhtb.exec:\hhbhtb.exe51⤵
- Executes dropped EXE
PID:1140 -
\??\c:\jpjdj.exec:\jpjdj.exe52⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pjdpd.exec:\pjdpd.exe53⤵
- Executes dropped EXE
PID:2428 -
\??\c:\ffxlxlx.exec:\ffxlxlx.exe54⤵
- Executes dropped EXE
PID:1624 -
\??\c:\9btbhn.exec:\9btbhn.exe55⤵
- Executes dropped EXE
PID:2140 -
\??\c:\tttbnt.exec:\tttbnt.exe56⤵
- Executes dropped EXE
PID:2472 -
\??\c:\jdvjd.exec:\jdvjd.exe57⤵
- Executes dropped EXE
PID:2432 -
\??\c:\lrrxlll.exec:\lrrxlll.exe58⤵
- Executes dropped EXE
PID:2224 -
\??\c:\nntnnt.exec:\nntnnt.exe59⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9jvdd.exec:\9jvdd.exe60⤵
- Executes dropped EXE
PID:1296 -
\??\c:\xrrrflx.exec:\xrrrflx.exe61⤵
- Executes dropped EXE
PID:1932 -
\??\c:\llxlxfr.exec:\llxlxfr.exe62⤵
- Executes dropped EXE
PID:1068 -
\??\c:\nhtbnn.exec:\nhtbnn.exe63⤵
- Executes dropped EXE
PID:2384 -
\??\c:\ppjvj.exec:\ppjvj.exe64⤵
- Executes dropped EXE
PID:1720 -
\??\c:\9lrlrrf.exec:\9lrlrrf.exe65⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xfxrrrx.exec:\xfxrrrx.exe66⤵PID:2656
-
\??\c:\tbhhht.exec:\tbhhht.exe67⤵PID:1496
-
\??\c:\djpvd.exec:\djpvd.exe68⤵PID:2220
-
\??\c:\9xxlxrx.exec:\9xxlxrx.exe69⤵PID:1636
-
\??\c:\fxlrflx.exec:\fxlrflx.exe70⤵PID:2180
-
\??\c:\hhnnbh.exec:\hhnnbh.exe71⤵PID:2348
-
\??\c:\pjvdv.exec:\pjvdv.exe72⤵PID:2836
-
\??\c:\9rrxxxf.exec:\9rrxxxf.exe73⤵PID:1792
-
\??\c:\xlrxlrr.exec:\xlrxlrr.exe74⤵PID:1604
-
\??\c:\hhbhbb.exec:\hhbhbb.exe75⤵PID:2576
-
\??\c:\pvjdd.exec:\pvjdd.exe76⤵PID:2748
-
\??\c:\1xllrxl.exec:\1xllrxl.exe77⤵PID:2732
-
\??\c:\xlrrrff.exec:\xlrrrff.exe78⤵PID:2580
-
\??\c:\bbbnbb.exec:\bbbnbb.exe79⤵PID:2592
-
\??\c:\pppdd.exec:\pppdd.exe80⤵PID:2648
-
\??\c:\ddvvd.exec:\ddvvd.exe81⤵PID:2276
-
\??\c:\fxrxlxl.exec:\fxrxlxl.exe82⤵PID:2980
-
\??\c:\tnttbb.exec:\tnttbb.exe83⤵PID:2252
-
\??\c:\hbtbhh.exec:\hbtbhh.exe84⤵PID:2932
-
\??\c:\9ddpd.exec:\9ddpd.exe85⤵PID:2164
-
\??\c:\xrflrfl.exec:\xrflrfl.exe86⤵PID:2916
-
\??\c:\fxrxflr.exec:\fxrxflr.exe87⤵PID:2868
-
\??\c:\1ntnnn.exec:\1ntnnn.exe88⤵PID:2168
-
\??\c:\1dvdv.exec:\1dvdv.exe89⤵PID:780
-
\??\c:\ddjpv.exec:\ddjpv.exe90⤵PID:680
-
\??\c:\lllxfrl.exec:\lllxfrl.exe91⤵PID:640
-
\??\c:\nnhbhh.exec:\nnhbhh.exe92⤵PID:2964
-
\??\c:\vdddp.exec:\vdddp.exe93⤵PID:1140
-
\??\c:\vdvdj.exec:\vdvdj.exe94⤵PID:3044
-
\??\c:\fxrrflr.exec:\fxrrflr.exe95⤵PID:3060
-
\??\c:\hnhnbb.exec:\hnhnbb.exe96⤵PID:1624
-
\??\c:\dvvdp.exec:\dvvdp.exe97⤵PID:2140
-
\??\c:\5jvjv.exec:\5jvjv.exe98⤵PID:2472
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe99⤵PID:2112
-
\??\c:\3btbnb.exec:\3btbnb.exe100⤵PID:1996
-
\??\c:\pjddp.exec:\pjddp.exe101⤵PID:1096
-
\??\c:\jjdpd.exec:\jjdpd.exe102⤵PID:1588
-
\??\c:\fxxlrrl.exec:\fxxlrrl.exe103⤵PID:3016
-
\??\c:\btnthh.exec:\btnthh.exe104⤵PID:1596
-
\??\c:\7dvdp.exec:\7dvdp.exe105⤵PID:1560
-
\??\c:\pppjd.exec:\pppjd.exe106⤵PID:568
-
\??\c:\rxlrffr.exec:\rxlrffr.exe107⤵PID:1692
-
\??\c:\nhthnb.exec:\nhthnb.exe108⤵PID:2332
-
\??\c:\ddvpd.exec:\ddvpd.exe109⤵PID:628
-
\??\c:\pdddv.exec:\pdddv.exe110⤵PID:288
-
\??\c:\nhhtbt.exec:\nhhtbt.exe111⤵PID:2324
-
\??\c:\tbtnhn.exec:\tbtnhn.exe112⤵PID:2492
-
\??\c:\vvpvj.exec:\vvpvj.exe113⤵PID:2856
-
\??\c:\3ffrflx.exec:\3ffrflx.exe114⤵PID:2768
-
\??\c:\xxxxlrl.exec:\xxxxlrl.exe115⤵PID:2696
-
\??\c:\bbhnht.exec:\bbhnht.exe116⤵PID:2808
-
\??\c:\vppdp.exec:\vppdp.exe117⤵PID:2624
-
\??\c:\xrlrrxl.exec:\xrlrrxl.exe118⤵PID:1548
-
\??\c:\lfrxflx.exec:\lfrxflx.exe119⤵PID:2628
-
\??\c:\pjjvv.exec:\pjjvv.exe120⤵PID:2008
-
\??\c:\jjdjd.exec:\jjdjd.exe121⤵PID:1812
-
\??\c:\xffrflr.exec:\xffrflr.exe122⤵PID:2100
-