Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
-
Size
453KB
-
MD5
4304bb1ac409f30a064f5c9bd4ee0455
-
SHA1
543744d7798a3b9d98f4f4c5257011b9d177c32b
-
SHA256
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f
-
SHA512
de92ec0bcaf96184c6369058fbed7b287f9a865441007037969d793d1fe2263a407b7a0f66fd76fd6276edff7d634cc2eea5fa42fea86b40ba93b446786ad589
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 36 IoCs
resource yara_rule behavioral1/memory/2736-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-99-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1092-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-184-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2056-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/940-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2936-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-327-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2212-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-467-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3044-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-623-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2676 tnhbbh.exe 2784 xfflxfr.exe 2568 9nnhnt.exe 2664 vjdpd.exe 2596 tnhntb.exe 1920 jjpdd.exe 2768 lfxfllx.exe 2208 tnbhtt.exe 1420 dvjjp.exe 1948 xlfxllf.exe 1196 thbbhh.exe 576 5dddj.exe 1092 hbttnh.exe 2616 9vjpv.exe 596 hbhtnt.exe 1696 thnhnn.exe 2164 5fxfrxl.exe 2392 thbtbh.exe 2056 xrxlxff.exe 1900 tnhhbb.exe 1192 dvjvd.exe 1972 rxrlfrr.exe 940 7dpjp.exe 1648 xlfxxlr.exe 2908 bnhttb.exe 2936 5xllxfr.exe 1980 3ttbhn.exe 1792 rlxfflr.exe 1424 hhhtth.exe 2288 jddjp.exe 2136 tnnbbt.exe 2708 1hthnb.exe 2816 1xfrfrl.exe 2580 fxxfllr.exe 2572 nhbbnt.exe 2724 djvpv.exe 2556 xrllrrl.exe 2324 5btthh.exe 1676 vvjjp.exe 2212 xrlrllr.exe 860 hhbhtb.exe 2372 5hbbbb.exe 1672 9dpdd.exe 888 xrxrfxx.exe 2016 btnnhh.exe 2044 htnbhb.exe 2012 jdjpd.exe 1580 1lfflrx.exe 868 nnhntb.exe 2808 3djdp.exe 2616 fxxxflx.exe 1636 btnhht.exe 328 1dppv.exe 1932 1xxxxlr.exe 2184 lxlxlrf.exe 3044 bthhhh.exe 2056 jdppp.exe 2092 5frlllr.exe 804 tnbbhn.exe 1316 vvjjp.exe 2504 7rlrxfl.exe 1224 1xllrrf.exe 1944 hhnnbh.exe 1744 dpjjd.exe -
resource yara_rule behavioral1/memory/2736-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1424-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-452-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/3044-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-583-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2672-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-809-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppv.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2676 2736 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 2736 wrote to memory of 2676 2736 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 2736 wrote to memory of 2676 2736 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 2736 wrote to memory of 2676 2736 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 2676 wrote to memory of 2784 2676 tnhbbh.exe 31 PID 2676 wrote to memory of 2784 2676 tnhbbh.exe 31 PID 2676 wrote to memory of 2784 2676 tnhbbh.exe 31 PID 2676 wrote to memory of 2784 2676 tnhbbh.exe 31 PID 2784 wrote to memory of 2568 2784 xfflxfr.exe 32 PID 2784 wrote to memory of 2568 2784 xfflxfr.exe 32 PID 2784 wrote to memory of 2568 2784 xfflxfr.exe 32 PID 2784 wrote to memory of 2568 2784 xfflxfr.exe 32 PID 2568 wrote to memory of 2664 2568 9nnhnt.exe 33 PID 2568 wrote to memory of 2664 2568 9nnhnt.exe 33 PID 2568 wrote to memory of 2664 2568 9nnhnt.exe 33 PID 2568 wrote to memory of 2664 2568 9nnhnt.exe 33 PID 2664 wrote to memory of 2596 2664 vjdpd.exe 34 PID 2664 wrote to memory of 2596 2664 vjdpd.exe 34 PID 2664 wrote to memory of 2596 2664 vjdpd.exe 34 PID 2664 wrote to memory of 2596 2664 vjdpd.exe 34 PID 2596 wrote to memory of 1920 2596 tnhntb.exe 35 PID 2596 wrote to memory of 1920 2596 tnhntb.exe 35 PID 2596 wrote to memory of 1920 2596 tnhntb.exe 35 PID 2596 wrote to memory of 1920 2596 tnhntb.exe 35 PID 1920 wrote to memory of 2768 1920 jjpdd.exe 36 PID 1920 wrote to memory of 2768 1920 jjpdd.exe 36 PID 1920 wrote to memory of 2768 1920 jjpdd.exe 36 PID 1920 wrote to memory of 2768 1920 jjpdd.exe 36 PID 2768 wrote to memory of 2208 2768 lfxfllx.exe 37 PID 2768 wrote to memory of 2208 2768 lfxfllx.exe 37 PID 2768 wrote to memory of 2208 2768 lfxfllx.exe 37 PID 2768 wrote to memory of 2208 2768 lfxfllx.exe 37 PID 2208 wrote to memory of 1420 2208 tnbhtt.exe 38 PID 2208 
wrote to memory of 1420 2208 tnbhtt.exe 38 PID 2208 wrote to memory of 1420 2208 tnbhtt.exe 38 PID 2208 wrote to memory of 1420 2208 tnbhtt.exe 38 PID 1420 wrote to memory of 1948 1420 dvjjp.exe 39 PID 1420 wrote to memory of 1948 1420 dvjjp.exe 39 PID 1420 wrote to memory of 1948 1420 dvjjp.exe 39 PID 1420 wrote to memory of 1948 1420 dvjjp.exe 39 PID 1948 wrote to memory of 1196 1948 xlfxllf.exe 40 PID 1948 wrote to memory of 1196 1948 xlfxllf.exe 40 PID 1948 wrote to memory of 1196 1948 xlfxllf.exe 40 PID 1948 wrote to memory of 1196 1948 xlfxllf.exe 40 PID 1196 wrote to memory of 576 1196 thbbhh.exe 41 PID 1196 wrote to memory of 576 1196 thbbhh.exe 41 PID 1196 wrote to memory of 576 1196 thbbhh.exe 41 PID 1196 wrote to memory of 576 1196 thbbhh.exe 41 PID 576 wrote to memory of 1092 576 5dddj.exe 42 PID 576 wrote to memory of 1092 576 5dddj.exe 42 PID 576 wrote to memory of 1092 576 5dddj.exe 42 PID 576 wrote to memory of 1092 576 5dddj.exe 42 PID 1092 wrote to memory of 2616 1092 hbttnh.exe 43 PID 1092 wrote to memory of 2616 1092 hbttnh.exe 43 PID 1092 wrote to memory of 2616 1092 hbttnh.exe 43 PID 1092 wrote to memory of 2616 1092 hbttnh.exe 43 PID 2616 wrote to memory of 596 2616 9vjpv.exe 44 PID 2616 wrote to memory of 596 2616 9vjpv.exe 44 PID 2616 wrote to memory of 596 2616 9vjpv.exe 44 PID 2616 wrote to memory of 596 2616 9vjpv.exe 44 PID 596 wrote to memory of 1696 596 hbhtnt.exe 45 PID 596 wrote to memory of 1696 596 hbhtnt.exe 45 PID 596 wrote to memory of 1696 596 hbhtnt.exe 45 PID 596 wrote to memory of 1696 596 hbhtnt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\tnhbbh.exec:\tnhbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\xfflxfr.exec:\xfflxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\9nnhnt.exec:\9nnhnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\vjdpd.exec:\vjdpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\tnhntb.exec:\tnhntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\jjpdd.exec:\jjpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\lfxfllx.exec:\lfxfllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\tnbhtt.exec:\tnbhtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\dvjjp.exec:\dvjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\xlfxllf.exec:\xlfxllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\thbbhh.exec:\thbbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\5dddj.exec:\5dddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\hbttnh.exec:\hbttnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\9vjpv.exec:\9vjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\hbhtnt.exec:\hbhtnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596 -
\??\c:\thnhnn.exec:\thnhnn.exe17⤵
- Executes dropped EXE
PID:1696 -
\??\c:\5fxfrxl.exec:\5fxfrxl.exe18⤵
- Executes dropped EXE
PID:2164 -
\??\c:\thbtbh.exec:\thbtbh.exe19⤵
- Executes dropped EXE
PID:2392 -
\??\c:\xrxlxff.exec:\xrxlxff.exe20⤵
- Executes dropped EXE
PID:2056 -
\??\c:\tnhhbb.exec:\tnhhbb.exe21⤵
- Executes dropped EXE
PID:1900 -
\??\c:\dvjvd.exec:\dvjvd.exe22⤵
- Executes dropped EXE
PID:1192 -
\??\c:\rxrlfrr.exec:\rxrlfrr.exe23⤵
- Executes dropped EXE
PID:1972 -
\??\c:\7dpjp.exec:\7dpjp.exe24⤵
- Executes dropped EXE
PID:940 -
\??\c:\xlfxxlr.exec:\xlfxxlr.exe25⤵
- Executes dropped EXE
PID:1648 -
\??\c:\bnhttb.exec:\bnhttb.exe26⤵
- Executes dropped EXE
PID:2908 -
\??\c:\5xllxfr.exec:\5xllxfr.exe27⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3ttbhn.exec:\3ttbhn.exe28⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rlxfflr.exec:\rlxfflr.exe29⤵
- Executes dropped EXE
PID:1792 -
\??\c:\hhhtth.exec:\hhhtth.exe30⤵
- Executes dropped EXE
PID:1424 -
\??\c:\jddjp.exec:\jddjp.exe31⤵
- Executes dropped EXE
PID:2288 -
\??\c:\tnnbbt.exec:\tnnbbt.exe32⤵
- Executes dropped EXE
PID:2136 -
\??\c:\1hthnb.exec:\1hthnb.exe33⤵
- Executes dropped EXE
PID:2708 -
\??\c:\1xfrfrl.exec:\1xfrfrl.exe34⤵
- Executes dropped EXE
PID:2816 -
\??\c:\fxxfllr.exec:\fxxfllr.exe35⤵
- Executes dropped EXE
PID:2580 -
\??\c:\nhbbnt.exec:\nhbbnt.exe36⤵
- Executes dropped EXE
PID:2572 -
\??\c:\djvpv.exec:\djvpv.exe37⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xrllrrl.exec:\xrllrrl.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\5btthh.exec:\5btthh.exe39⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vvjjp.exec:\vvjjp.exe40⤵
- Executes dropped EXE
PID:1676 -
\??\c:\xrlrllr.exec:\xrlrllr.exe41⤵
- Executes dropped EXE
PID:2212 -
\??\c:\hhbhtb.exec:\hhbhtb.exe42⤵
- Executes dropped EXE
PID:860 -
\??\c:\5hbbbb.exec:\5hbbbb.exe43⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9dpdd.exec:\9dpdd.exe44⤵
- Executes dropped EXE
PID:1672 -
\??\c:\xrxrfxx.exec:\xrxrfxx.exe45⤵
- Executes dropped EXE
PID:888 -
\??\c:\btnnhh.exec:\btnnhh.exe46⤵
- Executes dropped EXE
PID:2016 -
\??\c:\htnbhb.exec:\htnbhb.exe47⤵
- Executes dropped EXE
PID:2044 -
\??\c:\jdjpd.exec:\jdjpd.exe48⤵
- Executes dropped EXE
PID:2012 -
\??\c:\1lfflrx.exec:\1lfflrx.exe49⤵
- Executes dropped EXE
PID:1580 -
\??\c:\nnhntb.exec:\nnhntb.exe50⤵
- Executes dropped EXE
PID:868 -
\??\c:\3djdp.exec:\3djdp.exe51⤵
- Executes dropped EXE
PID:2808 -
\??\c:\fxxxflx.exec:\fxxxflx.exe52⤵
- Executes dropped EXE
PID:2616 -
\??\c:\btnhht.exec:\btnhht.exe53⤵
- Executes dropped EXE
PID:1636 -
\??\c:\1dppv.exec:\1dppv.exe54⤵
- Executes dropped EXE
PID:328 -
\??\c:\1xxxxlr.exec:\1xxxxlr.exe55⤵
- Executes dropped EXE
PID:1932 -
\??\c:\lxlxlrf.exec:\lxlxlrf.exe56⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bthhhh.exec:\bthhhh.exe57⤵
- Executes dropped EXE
PID:3044 -
\??\c:\jdppp.exec:\jdppp.exe58⤵
- Executes dropped EXE
PID:2056 -
\??\c:\5frlllr.exec:\5frlllr.exe59⤵
- Executes dropped EXE
PID:2092 -
\??\c:\tnbbhn.exec:\tnbbhn.exe60⤵
- Executes dropped EXE
PID:804 -
\??\c:\vvjjp.exec:\vvjjp.exe61⤵
- Executes dropped EXE
PID:1316 -
\??\c:\7rlrxfl.exec:\7rlrxfl.exe62⤵
- Executes dropped EXE
PID:2504 -
\??\c:\1xllrrf.exec:\1xllrrf.exe63⤵
- Executes dropped EXE
PID:1224 -
\??\c:\hhnnbh.exec:\hhnnbh.exe64⤵
- Executes dropped EXE
PID:1944 -
\??\c:\dpjjd.exec:\dpjjd.exe65⤵
- Executes dropped EXE
PID:1744 -
\??\c:\7xlfffl.exec:\7xlfffl.exe66⤵PID:2928
-
\??\c:\lfflrxr.exec:\lfflrxr.exe67⤵PID:2100
-
\??\c:\3pddv.exec:\3pddv.exe68⤵PID:2096
-
\??\c:\djjjp.exec:\djjjp.exe69⤵PID:2508
-
\??\c:\7xllrxf.exec:\7xllrxf.exe70⤵
- System Location Discovery: System Language Discovery
PID:904 -
\??\c:\thbtbb.exec:\thbtbb.exe71⤵PID:1856
-
\??\c:\7jvvd.exec:\7jvvd.exe72⤵PID:2316
-
\??\c:\1xrfrfr.exec:\1xrfrfr.exe73⤵PID:1508
-
\??\c:\tnthnt.exec:\tnthnt.exe74⤵PID:2884
-
\??\c:\dpjjv.exec:\dpjjv.exe75⤵PID:2712
-
\??\c:\pppjd.exec:\pppjd.exe76⤵PID:2980
-
\??\c:\xrflrrx.exec:\xrflrrx.exe77⤵PID:2684
-
\??\c:\tbbnhn.exec:\tbbnhn.exe78⤵PID:2572
-
\??\c:\9dppj.exec:\9dppj.exe79⤵PID:2724
-
\??\c:\fxrxlrr.exec:\fxrxlrr.exe80⤵PID:2672
-
\??\c:\fxlrrxl.exec:\fxlrrxl.exe81⤵PID:2324
-
\??\c:\9pvpp.exec:\9pvpp.exe82⤵PID:1668
-
\??\c:\pppdj.exec:\pppdj.exe83⤵PID:1924
-
\??\c:\5lxfxff.exec:\5lxfxff.exe84⤵PID:2584
-
\??\c:\lfflrrf.exec:\lfflrrf.exe85⤵PID:2420
-
\??\c:\9ttbth.exec:\9ttbth.exe86⤵PID:1672
-
\??\c:\vjvvd.exec:\vjvvd.exe87⤵PID:1464
-
\??\c:\5ffrrfx.exec:\5ffrrfx.exe88⤵PID:2268
-
\??\c:\xxxxfff.exec:\xxxxfff.exe89⤵PID:1196
-
\??\c:\btntbh.exec:\btntbh.exe90⤵PID:2012
-
\??\c:\dvpjj.exec:\dvpjj.exe91⤵PID:848
-
\??\c:\ffxflrl.exec:\ffxflrl.exe92⤵PID:1852
-
\??\c:\lxxrlxr.exec:\lxxrlxr.exe93⤵PID:1240
-
\??\c:\htnnbh.exec:\htnnbh.exe94⤵PID:296
-
\??\c:\pdppd.exec:\pdppd.exe95⤵PID:2364
-
\??\c:\lfxlrxl.exec:\lfxlrxl.exe96⤵PID:2168
-
\??\c:\5frrffr.exec:\5frrffr.exe97⤵PID:1888
-
\??\c:\bthntb.exec:\bthntb.exe98⤵PID:2392
-
\??\c:\bbtnhh.exec:\bbtnhh.exe99⤵PID:1416
-
\??\c:\jdjjp.exec:\jdjjp.exe100⤵PID:1460
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe101⤵PID:2408
-
\??\c:\btbhtb.exec:\btbhtb.exe102⤵PID:1868
-
\??\c:\tnbbbh.exec:\tnbbbh.exe103⤵PID:2312
-
\??\c:\pdpjj.exec:\pdpjj.exe104⤵PID:940
-
\??\c:\fllrfxx.exec:\fllrfxx.exe105⤵PID:2496
-
\??\c:\hntbbn.exec:\hntbbn.exe106⤵PID:2920
-
\??\c:\nhtbhb.exec:\nhtbhb.exe107⤵PID:2888
-
\??\c:\vjvdv.exec:\vjvdv.exe108⤵PID:2488
-
\??\c:\3fxfxfr.exec:\3fxfxfr.exe109⤵PID:1468
-
\??\c:\3ttbhh.exec:\3ttbhh.exe110⤵PID:1020
-
\??\c:\tnhntt.exec:\tnhntt.exe111⤵PID:1720
-
\??\c:\7ppjj.exec:\7ppjj.exe112⤵PID:1440
-
\??\c:\xrfflxl.exec:\xrfflxl.exe113⤵PID:3004
-
\??\c:\hbtbnt.exec:\hbtbnt.exe114⤵PID:2288
-
\??\c:\3vvjp.exec:\3vvjp.exe115⤵PID:1508
-
\??\c:\dppjj.exec:\dppjj.exe116⤵PID:2880
-
\??\c:\rfffffl.exec:\rfffffl.exe117⤵PID:3060
-
\??\c:\nbnntt.exec:\nbnntt.exe118⤵PID:2716
-
\??\c:\pjdjv.exec:\pjdjv.exe119⤵PID:2544
-
\??\c:\lfrxflr.exec:\lfrxflr.exe120⤵PID:2560
-
\??\c:\rllxfxl.exec:\rllxfxl.exe121⤵PID:2576
-
\??\c:\9nntht.exec:\9nntht.exe122⤵PID:1276