Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 04:09
Static task
static1
Behavioral task
behavioral1
Sample
ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e.exe
Resource
win7-20241010-en
General
-
Target
ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e.exe
-
Size
91KB
-
MD5
ea35568f5eb608aec824bf329b62f488
-
SHA1
a4340335c17250cd3529b0013a9d1fd1f067c889
-
SHA256
ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e
-
SHA512
cca01f9acb201325e16ca66740731f72b1de128f333e0cda6c9149229f2f1ad7ec1910308119a779b11ab7b05fb79ee68733f9eb476d74fbe473d7c7a9e7b317
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2iJvRirE0DmmdL2jqWkBB:ymb3NkkiQ3mdBjF+3TU2iBRioSumWS1z
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 25 IoCs
resource yara_rule behavioral2/memory/824-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2844-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3592-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/824-9-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3492-36-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1168-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2344-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/452-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3404-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1464-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3132-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4572-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1192-96-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1652-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/624-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3984-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5068-125-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3396-131-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/532-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3968-143-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/564-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2916-156-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5100-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2404-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4916-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3592 3jdpj.exe 940 xxrfxrx.exe 2844 ntthbt.exe 3492 jjvpj.exe 1168 lrfflfr.exe 4632 rlfrlxr.exe 2344 hnhthb.exe 452 nttntn.exe 3404 jpjvj.exe 1464 frlxlfx.exe 3132 lfrfrll.exe 1192 tttnbt.exe 4572 vjpjj.exe 1652 jvpjv.exe 624 3xxxrlx.exe 3984 nntnhb.exe 5068 vddpp.exe 3396 lfllrfx.exe 532 ttthbt.exe 3968 3thtnh.exe 564 vppdd.exe 2916 rfxrfxr.exe 3804 tnhbnh.exe 5100 dvjvp.exe 3368 vdpvd.exe 2404 flxlxrf.exe 5032 bhhthb.exe 1432 bnnbbt.exe 4916 vvdpd.exe 4076 5dvjp.exe 2456 lrrfllx.exe 1980 thhhnh.exe 3924 bnhbhb.exe 4028 pddvv.exe 4024 frfrllr.exe 1404 bnnbtn.exe 2524 hbhbhb.exe 2632 dvpjv.exe 2844 jvjvp.exe 4476 1llxlfr.exe 4340 rrrlrlf.exe 3472 nbbtnh.exe 4632 dpppp.exe 4344 dddpd.exe 4584 llfrfxl.exe 2240 xffxrlx.exe 4928 tbnhbt.exe 4972 nhhbnn.exe 4200 djjdv.exe 4720 ddjvp.exe 2220 7xlflfr.exe 4648 bnnthh.exe 4780 9hbnhb.exe 3752 1dppv.exe 1652 xrxrrlf.exe 3704 ddvdv.exe 1092 xllxlfx.exe 1424 frlxffr.exe 2956 3bthtn.exe 3520 jdpdp.exe 3628 frfxrrr.exe 532 hbbhbt.exe 2564 dpppv.exe 2752 dppjv.exe -
resource yara_rule behavioral2/memory/824-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3592-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3592-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/940-21-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2844-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3592-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/824-9-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3492-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1168-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2344-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/452-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/452-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/452-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3404-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1464-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3132-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4572-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1192-96-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1652-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/624-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3984-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5068-125-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3396-131-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/532-137-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3968-143-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/564-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2916-156-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5100-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2404-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4916-197-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 824 wrote to memory of 3592 824 ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e.exe 83 PID 824 wrote to memory of 3592 824 ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e.exe 83 PID 824 wrote to memory of 3592 824 ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e.exe 83 PID 3592 wrote to memory of 940 3592 3jdpj.exe 85 PID 3592 wrote to memory of 940 3592 3jdpj.exe 85 PID 3592 wrote to memory of 940 3592 3jdpj.exe 85 PID 940 wrote to memory of 2844 940 xxrfxrx.exe 86 PID 940 wrote to memory of 2844 940 xxrfxrx.exe 86 PID 940 wrote to memory of 2844 940 xxrfxrx.exe 86 PID 2844 wrote to memory of 3492 2844 ntthbt.exe 87 PID 2844 wrote to memory of 3492 2844 ntthbt.exe 87 PID 2844 wrote to memory of 3492 2844 ntthbt.exe 87 PID 3492 wrote to memory of 1168 3492 jjvpj.exe 88 PID 3492 wrote to memory of 1168 3492 jjvpj.exe 88 PID 3492 wrote to memory of 1168 3492 jjvpj.exe 88 PID 1168 wrote to memory of 4632 1168 lrfflfr.exe 89 PID 1168 wrote to memory of 4632 1168 lrfflfr.exe 89 PID 1168 wrote to memory of 4632 1168 lrfflfr.exe 89 PID 4632 wrote to memory of 2344 4632 rlfrlxr.exe 90 PID 4632 wrote to memory of 2344 4632 rlfrlxr.exe 90 PID 4632 wrote to memory of 2344 4632 rlfrlxr.exe 90 PID 2344 wrote to memory of 452 2344 hnhthb.exe 91 PID 2344 wrote to memory of 452 2344 hnhthb.exe 91 PID 2344 wrote to memory of 452 2344 hnhthb.exe 91 PID 452 wrote to memory of 3404 452 nttntn.exe 92 PID 452 wrote to memory of 3404 452 nttntn.exe 92 PID 452 wrote to memory of 3404 452 nttntn.exe 92 PID 3404 wrote to memory of 1464 3404 jpjvj.exe 93 PID 3404 wrote to memory of 1464 3404 jpjvj.exe 93 PID 3404 wrote to memory of 1464 3404 jpjvj.exe 93 PID 1464 wrote to memory of 3132 1464 frlxlfx.exe 94 PID 1464 wrote to memory of 3132 1464 frlxlfx.exe 94 PID 1464 wrote to memory of 3132 1464 frlxlfx.exe 94 PID 3132 wrote to memory of 1192 3132 lfrfrll.exe 95 PID 3132 wrote to memory of 1192 3132 
lfrfrll.exe 95 PID 3132 wrote to memory of 1192 3132 lfrfrll.exe 95 PID 1192 wrote to memory of 4572 1192 tttnbt.exe 97 PID 1192 wrote to memory of 4572 1192 tttnbt.exe 97 PID 1192 wrote to memory of 4572 1192 tttnbt.exe 97 PID 4572 wrote to memory of 1652 4572 vjpjj.exe 98 PID 4572 wrote to memory of 1652 4572 vjpjj.exe 98 PID 4572 wrote to memory of 1652 4572 vjpjj.exe 98 PID 1652 wrote to memory of 624 1652 jvpjv.exe 99 PID 1652 wrote to memory of 624 1652 jvpjv.exe 99 PID 1652 wrote to memory of 624 1652 jvpjv.exe 99 PID 624 wrote to memory of 3984 624 3xxxrlx.exe 100 PID 624 wrote to memory of 3984 624 3xxxrlx.exe 100 PID 624 wrote to memory of 3984 624 3xxxrlx.exe 100 PID 3984 wrote to memory of 5068 3984 nntnhb.exe 101 PID 3984 wrote to memory of 5068 3984 nntnhb.exe 101 PID 3984 wrote to memory of 5068 3984 nntnhb.exe 101 PID 5068 wrote to memory of 3396 5068 vddpp.exe 102 PID 5068 wrote to memory of 3396 5068 vddpp.exe 102 PID 5068 wrote to memory of 3396 5068 vddpp.exe 102 PID 3396 wrote to memory of 532 3396 lfllrfx.exe 103 PID 3396 wrote to memory of 532 3396 lfllrfx.exe 103 PID 3396 wrote to memory of 532 3396 lfllrfx.exe 103 PID 532 wrote to memory of 3968 532 ttthbt.exe 104 PID 532 wrote to memory of 3968 532 ttthbt.exe 104 PID 532 wrote to memory of 3968 532 ttthbt.exe 104 PID 3968 wrote to memory of 564 3968 3thtnh.exe 105 PID 3968 wrote to memory of 564 3968 3thtnh.exe 105 PID 3968 wrote to memory of 564 3968 3thtnh.exe 105 PID 564 wrote to memory of 2916 564 vppdd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e.exe"C:\Users\Admin\AppData\Local\Temp\ace900d5b9aac885994f897dce6013eb42cad2a3a70c6d4987184ee35b2b800e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\3jdpj.exec:\3jdpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\xxrfxrx.exec:\xxrfxrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\ntthbt.exec:\ntthbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\jjvpj.exec:\jjvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\lrfflfr.exec:\lrfflfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\rlfrlxr.exec:\rlfrlxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\hnhthb.exec:\hnhthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\nttntn.exec:\nttntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\jpjvj.exec:\jpjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\frlxlfx.exec:\frlxlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\lfrfrll.exec:\lfrfrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\tttnbt.exec:\tttnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\vjpjj.exec:\vjpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\jvpjv.exec:\jvpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\3xxxrlx.exec:\3xxxrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\nntnhb.exec:\nntnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\vddpp.exec:\vddpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\lfllrfx.exec:\lfllrfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\ttthbt.exec:\ttthbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\3thtnh.exec:\3thtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\vppdd.exec:\vppdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe23⤵
- Executes dropped EXE
PID:2916 -
\??\c:\tnhbnh.exec:\tnhbnh.exe24⤵
- Executes dropped EXE
PID:3804 -
\??\c:\dvjvp.exec:\dvjvp.exe25⤵
- Executes dropped EXE
PID:5100 -
\??\c:\vdpvd.exec:\vdpvd.exe26⤵
- Executes dropped EXE
PID:3368 -
\??\c:\flxlxrf.exec:\flxlxrf.exe27⤵
- Executes dropped EXE
PID:2404 -
\??\c:\bhhthb.exec:\bhhthb.exe28⤵
- Executes dropped EXE
PID:5032 -
\??\c:\bnnbbt.exec:\bnnbbt.exe29⤵
- Executes dropped EXE
PID:1432 -
\??\c:\vvdpd.exec:\vvdpd.exe30⤵
- Executes dropped EXE
PID:4916 -
\??\c:\5dvjp.exec:\5dvjp.exe31⤵
- Executes dropped EXE
PID:4076 -
\??\c:\lrrfllx.exec:\lrrfllx.exe32⤵
- Executes dropped EXE
PID:2456 -
\??\c:\thhhnh.exec:\thhhnh.exe33⤵
- Executes dropped EXE
PID:1980 -
\??\c:\bnhbhb.exec:\bnhbhb.exe34⤵
- Executes dropped EXE
PID:3924 -
\??\c:\jddpd.exec:\jddpd.exe35⤵PID:4316
-
\??\c:\pddvv.exec:\pddvv.exe36⤵
- Executes dropped EXE
PID:4028 -
\??\c:\frfrllr.exec:\frfrllr.exe37⤵
- Executes dropped EXE
PID:4024 -
\??\c:\bnnbtn.exec:\bnnbtn.exe38⤵
- Executes dropped EXE
PID:1404 -
\??\c:\hbhbhb.exec:\hbhbhb.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
\??\c:\dvpjv.exec:\dvpjv.exe40⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jvjvp.exec:\jvjvp.exe41⤵
- Executes dropped EXE
PID:2844 -
\??\c:\1llxlfr.exec:\1llxlfr.exe42⤵
- Executes dropped EXE
PID:4476 -
\??\c:\rrrlrlf.exec:\rrrlrlf.exe43⤵
- Executes dropped EXE
PID:4340 -
\??\c:\nbbtnh.exec:\nbbtnh.exe44⤵
- Executes dropped EXE
PID:3472 -
\??\c:\dpppp.exec:\dpppp.exe45⤵
- Executes dropped EXE
PID:4632 -
\??\c:\dddpd.exec:\dddpd.exe46⤵
- Executes dropped EXE
PID:4344 -
\??\c:\llfrfxl.exec:\llfrfxl.exe47⤵
- Executes dropped EXE
PID:4584 -
\??\c:\xffxrlx.exec:\xffxrlx.exe48⤵
- Executes dropped EXE
PID:2240 -
\??\c:\tbnhbt.exec:\tbnhbt.exe49⤵
- Executes dropped EXE
PID:4928 -
\??\c:\nhhbnn.exec:\nhhbnn.exe50⤵
- Executes dropped EXE
PID:4972 -
\??\c:\djjdv.exec:\djjdv.exe51⤵
- Executes dropped EXE
PID:4200 -
\??\c:\ddjvp.exec:\ddjvp.exe52⤵
- Executes dropped EXE
PID:4720 -
\??\c:\7xlflfr.exec:\7xlflfr.exe53⤵
- Executes dropped EXE
PID:2220 -
\??\c:\bnnthh.exec:\bnnthh.exe54⤵
- Executes dropped EXE
PID:4648 -
\??\c:\9hbnhb.exec:\9hbnhb.exe55⤵
- Executes dropped EXE
PID:4780 -
\??\c:\1dppv.exec:\1dppv.exe56⤵
- Executes dropped EXE
PID:3752 -
\??\c:\xrxrrlf.exec:\xrxrrlf.exe57⤵
- Executes dropped EXE
PID:1652 -
\??\c:\ddvdv.exec:\ddvdv.exe58⤵
- Executes dropped EXE
PID:3704 -
\??\c:\xllxlfx.exec:\xllxlfx.exe59⤵
- Executes dropped EXE
PID:1092 -
\??\c:\frlxffr.exec:\frlxffr.exe60⤵
- Executes dropped EXE
PID:1424 -
\??\c:\3bthtn.exec:\3bthtn.exe61⤵
- Executes dropped EXE
PID:2956 -
\??\c:\jdpdp.exec:\jdpdp.exe62⤵
- Executes dropped EXE
PID:3520 -
\??\c:\frfxrrr.exec:\frfxrrr.exe63⤵
- Executes dropped EXE
PID:3628 -
\??\c:\hbbhbt.exec:\hbbhbt.exe64⤵
- Executes dropped EXE
PID:532 -
\??\c:\dpppv.exec:\dpppv.exe65⤵
- Executes dropped EXE
PID:2564 -
\??\c:\dppjv.exec:\dppjv.exe66⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rfrflfr.exec:\rfrflfr.exe67⤵PID:4212
-
\??\c:\xlffrll.exec:\xlffrll.exe68⤵PID:2916
-
\??\c:\hhhbtn.exec:\hhhbtn.exe69⤵PID:2764
-
\??\c:\1nthnt.exec:\1nthnt.exe70⤵PID:4488
-
\??\c:\7jddv.exec:\7jddv.exe71⤵PID:1992
-
\??\c:\lffxllf.exec:\lffxllf.exe72⤵PID:744
-
\??\c:\xrrfxlf.exec:\xrrfxlf.exe73⤵PID:1988
-
\??\c:\hnnhbt.exec:\hnnhbt.exe74⤵PID:468
-
\??\c:\jvvvp.exec:\jvvvp.exe75⤵PID:1320
-
\??\c:\7dpvj.exec:\7dpvj.exe76⤵PID:5104
-
\??\c:\rlfrrrx.exec:\rlfrrrx.exe77⤵
- System Location Discovery: System Language Discovery
PID:2444 -
\??\c:\hbnbhb.exec:\hbnbhb.exe78⤵PID:1508
-
\??\c:\thbntn.exec:\thbntn.exe79⤵PID:3476
-
\??\c:\jpvpj.exec:\jpvpj.exe80⤵PID:2480
-
\??\c:\fxrlxrf.exec:\fxrlxrf.exe81⤵PID:4280
-
\??\c:\hbhhnn.exec:\hbhhnn.exe82⤵PID:640
-
\??\c:\jvdjd.exec:\jvdjd.exe83⤵PID:4108
-
\??\c:\fxfrffl.exec:\fxfrffl.exe84⤵PID:2944
-
\??\c:\lrlxlfx.exec:\lrlxlfx.exe85⤵PID:4252
-
\??\c:\7btthn.exec:\7btthn.exe86⤵PID:4948
-
\??\c:\hbhtbn.exec:\hbhtbn.exe87⤵PID:872
-
\??\c:\vjdpv.exec:\vjdpv.exe88⤵PID:3412
-
\??\c:\vjppp.exec:\vjppp.exe89⤵PID:1800
-
\??\c:\lrlxlfr.exec:\lrlxlfr.exe90⤵PID:3796
-
\??\c:\fxrlfff.exec:\fxrlfff.exe91⤵PID:1672
-
\??\c:\nnbttn.exec:\nnbttn.exe92⤵PID:4664
-
\??\c:\bththt.exec:\bththt.exe93⤵PID:4312
-
\??\c:\pdjdv.exec:\pdjdv.exe94⤵PID:2808
-
\??\c:\frfrfxr.exec:\frfrfxr.exe95⤵PID:3748
-
\??\c:\frlfrxf.exec:\frlfrxf.exe96⤵PID:2448
-
\??\c:\thnbtn.exec:\thnbtn.exe97⤵PID:4944
-
\??\c:\bnhthb.exec:\bnhthb.exe98⤵PID:964
-
\??\c:\dddjd.exec:\dddjd.exe99⤵PID:3056
-
\??\c:\vvvjv.exec:\vvvjv.exe100⤵PID:4552
-
\??\c:\jvpdp.exec:\jvpdp.exe101⤵PID:4436
-
\??\c:\1xlflfr.exec:\1xlflfr.exe102⤵PID:1984
-
\??\c:\5xxlfxr.exec:\5xxlfxr.exe103⤵PID:1224
-
\??\c:\bbnhbt.exec:\bbnhbt.exe104⤵PID:464
-
\??\c:\htnhnh.exec:\htnhnh.exe105⤵PID:4864
-
\??\c:\vdjvj.exec:\vdjvj.exe106⤵PID:3352
-
\??\c:\rxxxrrf.exec:\rxxxrrf.exe107⤵PID:3096
-
\??\c:\xlfrlxl.exec:\xlfrlxl.exe108⤵PID:1424
-
\??\c:\hhnhnn.exec:\hhnhnn.exe109⤵PID:2956
-
\??\c:\nhbnbt.exec:\nhbnbt.exe110⤵PID:2356
-
\??\c:\hbbnhb.exec:\hbbnhb.exe111⤵PID:3648
-
\??\c:\ddvvp.exec:\ddvvp.exe112⤵PID:688
-
\??\c:\vvdvj.exec:\vvdvj.exe113⤵PID:4392
-
\??\c:\flllrlf.exec:\flllrlf.exe114⤵PID:4940
-
\??\c:\rlfxfxr.exec:\rlfxfxr.exe115⤵PID:912
-
\??\c:\httnbt.exec:\httnbt.exe116⤵PID:3088
-
\??\c:\bbnnhh.exec:\bbnnhh.exe117⤵PID:3656
-
\??\c:\pvvpv.exec:\pvvpv.exe118⤵PID:3948
-
\??\c:\ppvpd.exec:\ppvpd.exe119⤵PID:3860
-
\??\c:\lrlfxxl.exec:\lrlfxxl.exe120⤵PID:1512
-
\??\c:\htnhtn.exec:\htnhtn.exe121⤵PID:3960
-
\??\c:\httbbb.exec:\httbbb.exe122⤵PID:5052