Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe
-
Size
455KB
-
MD5
a3319195a96a1f367235b029c9b53f12
-
SHA1
2f991103478d9f7848269830d97f2f72d9900b88
-
SHA256
bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60
-
SHA512
c943099f8fee9cce1365f2b0e7c64480828170f6b8efffce1d846778c1398363b3f94d286a780bf53d57280bccd3f2edc93b9a7a84276a62842b0824348db9a2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTf:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 36 IoCs
resource yara_rule behavioral1/memory/1892-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-152-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1136-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1800-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-440-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2488-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-588-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-645-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/296-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/664-702-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/584-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-732-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2108 hnhthb.exe 2804 ddvdp.exe 2708 jvddd.exe 2756 ttbnhn.exe 2912 vdvdv.exe 2544 hbnbnt.exe 2148 5djdp.exe 1824 vvvdp.exe 296 pjpjp.exe 2140 ppdjp.exe 2636 1dvjd.exe 2788 ppdpd.exe 2868 fxrxrlr.exe 768 hhnnnh.exe 2440 ppjdd.exe 1612 nhhthn.exe 1136 ppvpp.exe 2152 rxrxllx.exe 3000 lfrrflr.exe 448 thbhnt.exe 1280 ddvvj.exe 964 fxxlxff.exe 2344 3nhnbh.exe 1032 1dvvd.exe 1912 rrlfxlx.exe 1732 3vjdv.exe 1656 xxrlrlr.exe 1760 hbhhbn.exe 1744 fxxxlxl.exe 1908 tnbhtn.exe 1800 xxrrllf.exe 1996 dddjv.exe 2700 7llrffr.exe 2640 1dvdp.exe 2676 ddvpv.exe 2852 xrflxrx.exe 2696 3tnttb.exe 2724 pjdjj.exe 2844 vjpjp.exe 2592 flxxfxf.exe 2624 1hnnhh.exe 2276 jdvjp.exe 1896 fxlrlrf.exe 844 hnhtbh.exe 296 bhhnhn.exe 1808 pjvpd.exe 996 1frxflx.exe 2636 lllrffr.exe 2932 ttnnbb.exe 2968 ddvdp.exe 576 vpddj.exe 1332 lrrrrxf.exe 2244 ttthtb.exe 2384 jjdjj.exe 2200 9dppj.exe 3020 3fxxllf.exe 912 htnnhn.exe 1860 vdpdp.exe 448 7rlrflx.exe 2488 xxllfxl.exe 932 3nhbhn.exe 1924 dddvp.exe 2376 fxlrffl.exe 1964 5xllxlx.exe -
resource yara_rule behavioral1/memory/1892-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-152-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1136-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-271-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1908-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-588-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/296-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-724-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/584-732-0x00000000003B0000-0x00000000003DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1892 wrote to memory of 2108 1892 bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe 31 PID 1892 wrote to memory of 2108 1892 bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe 31 PID 1892 wrote to memory of 2108 1892 bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe 31 PID 1892 wrote to memory of 2108 1892 bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe 31 PID 2108 wrote to memory of 2804 2108 hnhthb.exe 32 PID 2108 wrote to memory of 2804 2108 hnhthb.exe 32 PID 2108 wrote to memory of 2804 2108 hnhthb.exe 32 PID 2108 wrote to memory of 2804 2108 hnhthb.exe 32 PID 2804 wrote to memory of 2708 2804 ddvdp.exe 33 PID 2804 wrote to memory of 2708 2804 ddvdp.exe 33 PID 2804 wrote to memory of 2708 2804 ddvdp.exe 33 PID 2804 wrote to memory of 2708 2804 ddvdp.exe 33 PID 2708 wrote to memory of 2756 2708 jvddd.exe 34 PID 2708 wrote to memory of 2756 2708 jvddd.exe 34 PID 2708 wrote to memory of 2756 2708 jvddd.exe 34 PID 2708 wrote to memory of 2756 2708 jvddd.exe 34 PID 2756 wrote to memory of 2912 2756 ttbnhn.exe 35 PID 2756 wrote to memory of 2912 2756 ttbnhn.exe 35 PID 2756 wrote to memory of 2912 2756 ttbnhn.exe 35 PID 2756 wrote to memory of 2912 2756 ttbnhn.exe 35 PID 2912 wrote to memory of 2544 2912 vdvdv.exe 36 PID 2912 wrote to memory of 2544 2912 vdvdv.exe 36 PID 2912 wrote to memory of 2544 2912 vdvdv.exe 36 PID 2912 wrote to memory of 2544 2912 vdvdv.exe 36 PID 2544 wrote to memory of 2148 2544 hbnbnt.exe 37 PID 2544 wrote to memory of 2148 2544 hbnbnt.exe 37 PID 2544 wrote to memory of 2148 2544 hbnbnt.exe 37 PID 2544 wrote to memory of 2148 2544 hbnbnt.exe 37 PID 2148 wrote to memory of 1824 2148 5djdp.exe 38 PID 2148 wrote to memory of 1824 2148 5djdp.exe 38 PID 2148 wrote to memory of 1824 2148 5djdp.exe 38 PID 2148 wrote to memory of 1824 2148 5djdp.exe 38 PID 1824 wrote to memory of 296 1824 vvvdp.exe 39 PID 1824 wrote to memory of 296 
1824 vvvdp.exe 39 PID 1824 wrote to memory of 296 1824 vvvdp.exe 39 PID 1824 wrote to memory of 296 1824 vvvdp.exe 39 PID 296 wrote to memory of 2140 296 pjpjp.exe 40 PID 296 wrote to memory of 2140 296 pjpjp.exe 40 PID 296 wrote to memory of 2140 296 pjpjp.exe 40 PID 296 wrote to memory of 2140 296 pjpjp.exe 40 PID 2140 wrote to memory of 2636 2140 ppdjp.exe 41 PID 2140 wrote to memory of 2636 2140 ppdjp.exe 41 PID 2140 wrote to memory of 2636 2140 ppdjp.exe 41 PID 2140 wrote to memory of 2636 2140 ppdjp.exe 41 PID 2636 wrote to memory of 2788 2636 1dvjd.exe 42 PID 2636 wrote to memory of 2788 2636 1dvjd.exe 42 PID 2636 wrote to memory of 2788 2636 1dvjd.exe 42 PID 2636 wrote to memory of 2788 2636 1dvjd.exe 42 PID 2788 wrote to memory of 2868 2788 ppdpd.exe 43 PID 2788 wrote to memory of 2868 2788 ppdpd.exe 43 PID 2788 wrote to memory of 2868 2788 ppdpd.exe 43 PID 2788 wrote to memory of 2868 2788 ppdpd.exe 43 PID 2868 wrote to memory of 768 2868 fxrxrlr.exe 44 PID 2868 wrote to memory of 768 2868 fxrxrlr.exe 44 PID 2868 wrote to memory of 768 2868 fxrxrlr.exe 44 PID 2868 wrote to memory of 768 2868 fxrxrlr.exe 44 PID 768 wrote to memory of 2440 768 hhnnnh.exe 45 PID 768 wrote to memory of 2440 768 hhnnnh.exe 45 PID 768 wrote to memory of 2440 768 hhnnnh.exe 45 PID 768 wrote to memory of 2440 768 hhnnnh.exe 45 PID 2440 wrote to memory of 1612 2440 ppjdd.exe 46 PID 2440 wrote to memory of 1612 2440 ppjdd.exe 46 PID 2440 wrote to memory of 1612 2440 ppjdd.exe 46 PID 2440 wrote to memory of 1612 2440 ppjdd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe"C:\Users\Admin\AppData\Local\Temp\bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\hnhthb.exec:\hnhthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\ddvdp.exec:\ddvdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\jvddd.exec:\jvddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\ttbnhn.exec:\ttbnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\vdvdv.exec:\vdvdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\hbnbnt.exec:\hbnbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\5djdp.exec:\5djdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\vvvdp.exec:\vvvdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\pjpjp.exec:\pjpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:296 -
\??\c:\ppdjp.exec:\ppdjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\1dvjd.exec:\1dvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\ppdpd.exec:\ppdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\fxrxrlr.exec:\fxrxrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\hhnnnh.exec:\hhnnnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\ppjdd.exec:\ppjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\nhhthn.exec:\nhhthn.exe17⤵
- Executes dropped EXE
PID:1612 -
\??\c:\ppvpp.exec:\ppvpp.exe18⤵
- Executes dropped EXE
PID:1136 -
\??\c:\rxrxllx.exec:\rxrxllx.exe19⤵
- Executes dropped EXE
PID:2152 -
\??\c:\lfrrflr.exec:\lfrrflr.exe20⤵
- Executes dropped EXE
PID:3000 -
\??\c:\thbhnt.exec:\thbhnt.exe21⤵
- Executes dropped EXE
PID:448 -
\??\c:\ddvvj.exec:\ddvvj.exe22⤵
- Executes dropped EXE
PID:1280 -
\??\c:\fxxlxff.exec:\fxxlxff.exe23⤵
- Executes dropped EXE
PID:964 -
\??\c:\3nhnbh.exec:\3nhnbh.exe24⤵
- Executes dropped EXE
PID:2344 -
\??\c:\1dvvd.exec:\1dvvd.exe25⤵
- Executes dropped EXE
PID:1032 -
\??\c:\rrlfxlx.exec:\rrlfxlx.exe26⤵
- Executes dropped EXE
PID:1912 -
\??\c:\3vjdv.exec:\3vjdv.exe27⤵
- Executes dropped EXE
PID:1732 -
\??\c:\xxrlrlr.exec:\xxrlrlr.exe28⤵
- Executes dropped EXE
PID:1656 -
\??\c:\hbhhbn.exec:\hbhhbn.exe29⤵
- Executes dropped EXE
PID:1760 -
\??\c:\fxxxlxl.exec:\fxxxlxl.exe30⤵
- Executes dropped EXE
PID:1744 -
\??\c:\tnbhtn.exec:\tnbhtn.exe31⤵
- Executes dropped EXE
PID:1908 -
\??\c:\xxrrllf.exec:\xxrrllf.exe32⤵
- Executes dropped EXE
PID:1800 -
\??\c:\dddjv.exec:\dddjv.exe33⤵
- Executes dropped EXE
PID:1996 -
\??\c:\7llrffr.exec:\7llrffr.exe34⤵
- Executes dropped EXE
PID:2700 -
\??\c:\1dvdp.exec:\1dvdp.exe35⤵
- Executes dropped EXE
PID:2640 -
\??\c:\ddvpv.exec:\ddvpv.exe36⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xrflxrx.exec:\xrflxrx.exe37⤵
- Executes dropped EXE
PID:2852 -
\??\c:\3tnttb.exec:\3tnttb.exe38⤵
- Executes dropped EXE
PID:2696 -
\??\c:\pjdjj.exec:\pjdjj.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vjpjp.exec:\vjpjp.exe40⤵
- Executes dropped EXE
PID:2844 -
\??\c:\flxxfxf.exec:\flxxfxf.exe41⤵
- Executes dropped EXE
PID:2592 -
\??\c:\1hnnhh.exec:\1hnnhh.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jdvjp.exec:\jdvjp.exe43⤵
- Executes dropped EXE
PID:2276 -
\??\c:\fxlrlrf.exec:\fxlrlrf.exe44⤵
- Executes dropped EXE
PID:1896 -
\??\c:\hnhtbh.exec:\hnhtbh.exe45⤵
- Executes dropped EXE
PID:844 -
\??\c:\bhhnhn.exec:\bhhnhn.exe46⤵
- Executes dropped EXE
PID:296 -
\??\c:\pjvpd.exec:\pjvpd.exe47⤵
- Executes dropped EXE
PID:1808 -
\??\c:\1frxflx.exec:\1frxflx.exe48⤵
- Executes dropped EXE
PID:996 -
\??\c:\lllrffr.exec:\lllrffr.exe49⤵
- Executes dropped EXE
PID:2636 -
\??\c:\ttnnbb.exec:\ttnnbb.exe50⤵
- Executes dropped EXE
PID:2932 -
\??\c:\ddvdp.exec:\ddvdp.exe51⤵
- Executes dropped EXE
PID:2968 -
\??\c:\vpddj.exec:\vpddj.exe52⤵
- Executes dropped EXE
PID:576 -
\??\c:\lrrrrxf.exec:\lrrrrxf.exe53⤵
- Executes dropped EXE
PID:1332 -
\??\c:\ttthtb.exec:\ttthtb.exe54⤵
- Executes dropped EXE
PID:2244 -
\??\c:\jjdjj.exec:\jjdjj.exe55⤵
- Executes dropped EXE
PID:2384 -
\??\c:\9dppj.exec:\9dppj.exe56⤵
- Executes dropped EXE
PID:2200 -
\??\c:\3fxxllf.exec:\3fxxllf.exe57⤵
- Executes dropped EXE
PID:3020 -
\??\c:\htnnhn.exec:\htnnhn.exe58⤵
- Executes dropped EXE
PID:912 -
\??\c:\vdpdp.exec:\vdpdp.exe59⤵
- Executes dropped EXE
PID:1860 -
\??\c:\7rlrflx.exec:\7rlrflx.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\xxllfxl.exec:\xxllfxl.exe61⤵
- Executes dropped EXE
PID:2488 -
\??\c:\3nhbhn.exec:\3nhbhn.exe62⤵
- Executes dropped EXE
PID:932 -
\??\c:\dddvp.exec:\dddvp.exe63⤵
- Executes dropped EXE
PID:1924 -
\??\c:\fxlrffl.exec:\fxlrffl.exe64⤵
- Executes dropped EXE
PID:2376 -
\??\c:\5xllxlx.exec:\5xllxlx.exe65⤵
- Executes dropped EXE
PID:1964 -
\??\c:\nbtbnh.exec:\nbtbnh.exe66⤵PID:1564
-
\??\c:\9vpvj.exec:\9vpvj.exe67⤵PID:2732
-
\??\c:\jdjpd.exec:\jdjpd.exe68⤵PID:1780
-
\??\c:\1fxfrxf.exec:\1fxfrxf.exe69⤵PID:572
-
\??\c:\3thhtt.exec:\3thhtt.exe70⤵PID:1900
-
\??\c:\ppjvj.exec:\ppjvj.exe71⤵PID:1184
-
\??\c:\3vvpv.exec:\3vvpv.exe72⤵PID:1692
-
\??\c:\xxxfrxf.exec:\xxxfrxf.exe73⤵PID:1908
-
\??\c:\3thhnn.exec:\3thhnn.exe74⤵PID:2300
-
\??\c:\ppddj.exec:\ppddj.exe75⤵PID:2456
-
\??\c:\7vpvj.exec:\7vpvj.exe76⤵PID:2656
-
\??\c:\xlllrxf.exec:\xlllrxf.exe77⤵PID:2824
-
\??\c:\ttnbnn.exec:\ttnbnn.exe78⤵PID:2812
-
\??\c:\jdpvj.exec:\jdpvj.exe79⤵PID:2988
-
\??\c:\rlxflfl.exec:\rlxflfl.exe80⤵PID:2580
-
\??\c:\7frxfxl.exec:\7frxfxl.exe81⤵PID:2872
-
\??\c:\nhntnn.exec:\nhntnn.exe82⤵PID:2600
-
\??\c:\jdvdj.exec:\jdvdj.exe83⤵PID:2672
-
\??\c:\7pdjj.exec:\7pdjj.exe84⤵PID:2592
-
\??\c:\lllxxfl.exec:\lllxxfl.exe85⤵PID:2624
-
\??\c:\tnhnhb.exec:\tnhnhb.exe86⤵PID:2068
-
\??\c:\dvpvp.exec:\dvpvp.exe87⤵PID:2584
-
\??\c:\1jjpd.exec:\1jjpd.exe88⤵PID:1816
-
\??\c:\fxlxflr.exec:\fxlxflr.exe89⤵PID:296
-
\??\c:\tthnbh.exec:\tthnbh.exe90⤵PID:2776
-
\??\c:\dvpvp.exec:\dvpvp.exe91⤵PID:2788
-
\??\c:\jjjvp.exec:\jjjvp.exe92⤵PID:664
-
\??\c:\lfflrxf.exec:\lfflrxf.exe93⤵PID:584
-
\??\c:\hbttbh.exec:\hbttbh.exe94⤵PID:1052
-
\??\c:\jjdpd.exec:\jjdpd.exe95⤵PID:2440
-
\??\c:\jddpv.exec:\jddpv.exe96⤵PID:2216
-
\??\c:\1lflrfl.exec:\1lflrfl.exe97⤵PID:2136
-
\??\c:\ttnbnn.exec:\ttnbnn.exe98⤵PID:2200
-
\??\c:\vvpdj.exec:\vvpdj.exe99⤵PID:2372
-
\??\c:\7jdpj.exec:\7jdpj.exe100⤵PID:3000
-
\??\c:\9lxxrrx.exec:\9lxxrrx.exe101⤵PID:1928
-
\??\c:\9btnbt.exec:\9btnbt.exe102⤵PID:1600
-
\??\c:\nthntt.exec:\nthntt.exe103⤵PID:2488
-
\??\c:\vvjpj.exec:\vvjpj.exe104⤵PID:932
-
\??\c:\xxxlflf.exec:\xxxlflf.exe105⤵PID:1696
-
\??\c:\xxrlffr.exec:\xxrlffr.exe106⤵PID:1772
-
\??\c:\5btbhn.exec:\5btbhn.exe107⤵PID:1544
-
\??\c:\pjjjd.exec:\pjjjd.exe108⤵PID:2028
-
\??\c:\pjdpd.exec:\pjdpd.exe109⤵PID:2732
-
\??\c:\rxxfffr.exec:\rxxfffr.exe110⤵PID:1780
-
\??\c:\bbthth.exec:\bbthth.exe111⤵PID:1920
-
\??\c:\jjpvd.exec:\jjpvd.exe112⤵PID:2004
-
\??\c:\pdpjp.exec:\pdpjp.exe113⤵PID:1884
-
\??\c:\lrffxxf.exec:\lrffxxf.exe114⤵PID:2452
-
\??\c:\tnnbnt.exec:\tnnbnt.exe115⤵PID:1908
-
\??\c:\bbthbn.exec:\bbthbn.exe116⤵PID:2632
-
\??\c:\lxxfffx.exec:\lxxfffx.exe117⤵PID:2680
-
\??\c:\tnbntb.exec:\tnbntb.exe118⤵PID:2832
-
\??\c:\hbntbh.exec:\hbntbh.exe119⤵PID:2800
-
\??\c:\djdjv.exec:\djdjv.exe120⤵PID:2812
-
\??\c:\xrflxfr.exec:\xrflxfr.exe121⤵PID:2880
-
\??\c:\3jpvv.exec:\3jpvv.exe122⤵PID:2720