Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe
-
Size
454KB
-
MD5
5419fddb6941b9a56512deb764dcb61d
-
SHA1
61a8c5045326252175d0a9a3969cc1180957c48c
-
SHA256
9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb
-
SHA512
2292319a57cc024f263224aae6d73604195bc6d12de3d655d512aa62e02384adc9d21a230c9c40e2cc1b7fcb7dca6512a6a14477db1b0bf6cf1e178556eca66b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/3008-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-37-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2844-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-45-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2124-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-93-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2660-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-134-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-142-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1552-153-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1552-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-179-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/2188-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-203-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2188-215-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1164-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-217-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2976-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-235-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3064-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-310-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2296-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-350-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2764-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1400-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-457-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1004-466-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/444-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-508-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2972-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-516-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-697-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1888-1054-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-1169-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2768-1281-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2192 ttnttb.exe 2380 3vpdd.exe 2844 3rlrxlf.exe 1832 xlxxfxl.exe 2808 pjpvd.exe 2860 1frxxrx.exe 2124 7xlllrl.exe 2764 7htttn.exe 2608 9frfllx.exe 3036 rlxllrf.exe 1432 lxrfllr.exe 2660 1frrffr.exe 1992 pjpjj.exe 1996 ffrrlrf.exe 1552 jvvvj.exe 2896 btbbhb.exe 1828 7dpvv.exe 2916 rlrrxxf.exe 2188 1dvdj.exe 2516 3xrflrf.exe 2576 nhttbb.exe 1164 dvjpv.exe 2976 tntbbh.exe 2080 rlrrxfl.exe 896 btthhn.exe 2472 dvpdp.exe 2208 xlffllr.exe 2228 rffrflr.exe 2992 jdpjv.exe 1424 ffrflrr.exe 2104 jjvdj.exe 3064 dvpdj.exe 2180 jdvvd.exe 2296 ddvjv.exe 2684 rrrxrxr.exe 2424 fflrlfx.exe 2804 bbtthn.exe 2736 pjpdj.exe 2820 rlrrrxf.exe 2832 9rllflx.exe 2728 9ntttn.exe 2704 jjjdp.exe 2764 dvpvv.exe 1896 xffrlrl.exe 3048 thbtbt.exe 1404 hnhbth.exe 1400 9vppv.exe 2116 lxffllx.exe 584 hhbntb.exe 2340 hhhtnt.exe 2500 dvvjj.exe 2076 rlfrxlf.exe 1012 rrrfrxr.exe 1584 3nbttt.exe 2768 dvppp.exe 1004 frxxrff.exe 2284 rlfxflx.exe 2688 9ttbnb.exe 2172 dpddj.exe 340 3flxxfr.exe 444 rrffllx.exe 2972 btnthh.exe 1616 1jpdj.exe 2012 9llrflx.exe -
resource yara_rule behavioral1/memory/3008-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-45-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2808-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2804-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-648-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1720-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-1054-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/868-1093-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-1106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-1119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-1132-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3064-1153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/732-1237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-1264-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 2192 3008 9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe 30 PID 3008 wrote to memory of 2192 3008 9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe 30 PID 3008 wrote to memory of 2192 3008 9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe 30 PID 3008 wrote to memory of 2192 3008 9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe 30 PID 2192 wrote to memory of 2380 2192 ttnttb.exe 31 PID 2192 wrote to memory of 2380 2192 ttnttb.exe 31 PID 2192 wrote to memory of 2380 2192 ttnttb.exe 31 PID 2192 wrote to memory of 2380 2192 ttnttb.exe 31 PID 2380 wrote to memory of 2844 2380 3vpdd.exe 32 PID 2380 wrote to memory of 2844 2380 3vpdd.exe 32 PID 2380 wrote to memory of 2844 2380 3vpdd.exe 32 PID 2380 wrote to memory of 2844 2380 3vpdd.exe 32 PID 2844 wrote to memory of 1832 2844 3rlrxlf.exe 33 PID 2844 wrote to memory of 1832 2844 3rlrxlf.exe 33 PID 2844 wrote to memory of 1832 2844 3rlrxlf.exe 33 PID 2844 wrote to memory of 1832 2844 3rlrxlf.exe 33 PID 1832 wrote to memory of 2808 1832 xlxxfxl.exe 34 PID 1832 wrote to memory of 2808 1832 xlxxfxl.exe 34 PID 1832 wrote to memory of 2808 1832 xlxxfxl.exe 34 PID 1832 wrote to memory of 2808 1832 xlxxfxl.exe 34 PID 2808 wrote to memory of 2860 2808 pjpvd.exe 35 PID 2808 wrote to memory of 2860 2808 pjpvd.exe 35 PID 2808 wrote to memory of 2860 2808 pjpvd.exe 35 PID 2808 wrote to memory of 2860 2808 pjpvd.exe 35 PID 2860 wrote to memory of 2124 2860 1frxxrx.exe 36 PID 2860 wrote to memory of 2124 2860 1frxxrx.exe 36 PID 2860 wrote to memory of 2124 2860 1frxxrx.exe 36 PID 2860 wrote to memory of 2124 2860 1frxxrx.exe 36 PID 2124 wrote to memory of 2764 2124 7xlllrl.exe 37 PID 2124 wrote to memory of 2764 2124 7xlllrl.exe 37 PID 2124 wrote to memory of 2764 2124 7xlllrl.exe 37 PID 2124 wrote to memory of 2764 2124 7xlllrl.exe 37 PID 2764 wrote to memory of 2608 2764 7htttn.exe 38 PID 
2764 wrote to memory of 2608 2764 7htttn.exe 38 PID 2764 wrote to memory of 2608 2764 7htttn.exe 38 PID 2764 wrote to memory of 2608 2764 7htttn.exe 38 PID 2608 wrote to memory of 3036 2608 9frfllx.exe 39 PID 2608 wrote to memory of 3036 2608 9frfllx.exe 39 PID 2608 wrote to memory of 3036 2608 9frfllx.exe 39 PID 2608 wrote to memory of 3036 2608 9frfllx.exe 39 PID 3036 wrote to memory of 1432 3036 rlxllrf.exe 40 PID 3036 wrote to memory of 1432 3036 rlxllrf.exe 40 PID 3036 wrote to memory of 1432 3036 rlxllrf.exe 40 PID 3036 wrote to memory of 1432 3036 rlxllrf.exe 40 PID 1432 wrote to memory of 2660 1432 lxrfllr.exe 41 PID 1432 wrote to memory of 2660 1432 lxrfllr.exe 41 PID 1432 wrote to memory of 2660 1432 lxrfllr.exe 41 PID 1432 wrote to memory of 2660 1432 lxrfllr.exe 41 PID 2660 wrote to memory of 1992 2660 1frrffr.exe 42 PID 2660 wrote to memory of 1992 2660 1frrffr.exe 42 PID 2660 wrote to memory of 1992 2660 1frrffr.exe 42 PID 2660 wrote to memory of 1992 2660 1frrffr.exe 42 PID 1992 wrote to memory of 1996 1992 pjpjj.exe 43 PID 1992 wrote to memory of 1996 1992 pjpjj.exe 43 PID 1992 wrote to memory of 1996 1992 pjpjj.exe 43 PID 1992 wrote to memory of 1996 1992 pjpjj.exe 43 PID 1996 wrote to memory of 1552 1996 ffrrlrf.exe 44 PID 1996 wrote to memory of 1552 1996 ffrrlrf.exe 44 PID 1996 wrote to memory of 1552 1996 ffrrlrf.exe 44 PID 1996 wrote to memory of 1552 1996 ffrrlrf.exe 44 PID 1552 wrote to memory of 2896 1552 jvvvj.exe 45 PID 1552 wrote to memory of 2896 1552 jvvvj.exe 45 PID 1552 wrote to memory of 2896 1552 jvvvj.exe 45 PID 1552 wrote to memory of 2896 1552 jvvvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe"C:\Users\Admin\AppData\Local\Temp\9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\ttnttb.exec:\ttnttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\3vpdd.exec:\3vpdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\3rlrxlf.exec:\3rlrxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\xlxxfxl.exec:\xlxxfxl.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\pjpvd.exec:\pjpvd.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\1frxxrx.exec:\1frxxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\7xlllrl.exec:\7xlllrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\7htttn.exec:\7htttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\9frfllx.exec:\9frfllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\rlxllrf.exec:\rlxllrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\lxrfllr.exec:\lxrfllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\1frrffr.exec:\1frrffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\pjpjj.exec:\pjpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\ffrrlrf.exec:\ffrrlrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\jvvvj.exec:\jvvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\btbbhb.exec:\btbbhb.exe17⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7dpvv.exec:\7dpvv.exe18⤵
- Executes dropped EXE
PID:1828 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe19⤵
- Executes dropped EXE
PID:2916 -
\??\c:\1dvdj.exec:\1dvdj.exe20⤵
- Executes dropped EXE
PID:2188 -
\??\c:\3xrflrf.exec:\3xrflrf.exe21⤵
- Executes dropped EXE
PID:2516 -
\??\c:\nhttbb.exec:\nhttbb.exe22⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dvjpv.exec:\dvjpv.exe23⤵
- Executes dropped EXE
PID:1164 -
\??\c:\tntbbh.exec:\tntbbh.exe24⤵
- Executes dropped EXE
PID:2976 -
\??\c:\rlrrxfl.exec:\rlrrxfl.exe25⤵
- Executes dropped EXE
PID:2080 -
\??\c:\btthhn.exec:\btthhn.exe26⤵
- Executes dropped EXE
PID:896 -
\??\c:\dvpdp.exec:\dvpdp.exe27⤵
- Executes dropped EXE
PID:2472 -
\??\c:\xlffllr.exec:\xlffllr.exe28⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rffrflr.exec:\rffrflr.exe29⤵
- Executes dropped EXE
PID:2228 -
\??\c:\jdpjv.exec:\jdpjv.exe30⤵
- Executes dropped EXE
PID:2992 -
\??\c:\ffrflrr.exec:\ffrflrr.exe31⤵
- Executes dropped EXE
PID:1424 -
\??\c:\jjvdj.exec:\jjvdj.exe32⤵
- Executes dropped EXE
PID:2104 -
\??\c:\dvpdj.exec:\dvpdj.exe33⤵
- Executes dropped EXE
PID:3064 -
\??\c:\jdvvd.exec:\jdvvd.exe34⤵
- Executes dropped EXE
PID:2180 -
\??\c:\ddvjv.exec:\ddvjv.exe35⤵
- Executes dropped EXE
PID:2296 -
\??\c:\rrrxrxr.exec:\rrrxrxr.exe36⤵
- Executes dropped EXE
PID:2684 -
\??\c:\fflrlfx.exec:\fflrlfx.exe37⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bbtthn.exec:\bbtthn.exe38⤵
- Executes dropped EXE
PID:2804 -
\??\c:\pjpdj.exec:\pjpdj.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rlrrrxf.exec:\rlrrrxf.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\9rllflx.exec:\9rllflx.exe41⤵
- Executes dropped EXE
PID:2832 -
\??\c:\9ntttn.exec:\9ntttn.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\jjjdp.exec:\jjjdp.exe43⤵
- Executes dropped EXE
PID:2704 -
\??\c:\dvpvv.exec:\dvpvv.exe44⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xffrlrl.exec:\xffrlrl.exe45⤵
- Executes dropped EXE
PID:1896 -
\??\c:\thbtbt.exec:\thbtbt.exe46⤵
- Executes dropped EXE
PID:3048 -
\??\c:\hnhbth.exec:\hnhbth.exe47⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9vppv.exec:\9vppv.exe48⤵
- Executes dropped EXE
PID:1400 -
\??\c:\lxffllx.exec:\lxffllx.exe49⤵
- Executes dropped EXE
PID:2116 -
\??\c:\hhbntb.exec:\hhbntb.exe50⤵
- Executes dropped EXE
PID:584 -
\??\c:\hhhtnt.exec:\hhhtnt.exe51⤵
- Executes dropped EXE
PID:2340 -
\??\c:\dvvjj.exec:\dvvjj.exe52⤵
- Executes dropped EXE
PID:2500 -
\??\c:\rlfrxlf.exec:\rlfrxlf.exe53⤵
- Executes dropped EXE
PID:2076 -
\??\c:\rrrfrxr.exec:\rrrfrxr.exe54⤵
- Executes dropped EXE
PID:1012 -
\??\c:\3nbttt.exec:\3nbttt.exe55⤵
- Executes dropped EXE
PID:1584 -
\??\c:\dvppp.exec:\dvppp.exe56⤵
- Executes dropped EXE
PID:2768 -
\??\c:\frxxrff.exec:\frxxrff.exe57⤵
- Executes dropped EXE
PID:1004 -
\??\c:\rlfxflx.exec:\rlfxflx.exe58⤵
- Executes dropped EXE
PID:2284 -
\??\c:\9ttbnb.exec:\9ttbnb.exe59⤵
- Executes dropped EXE
PID:2688 -
\??\c:\dpddj.exec:\dpddj.exe60⤵
- Executes dropped EXE
PID:2172 -
\??\c:\3flxxfr.exec:\3flxxfr.exe61⤵
- Executes dropped EXE
PID:340 -
\??\c:\rrffllx.exec:\rrffllx.exe62⤵
- Executes dropped EXE
PID:444 -
\??\c:\btnthh.exec:\btnthh.exe63⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1jpdj.exec:\1jpdj.exe64⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9llrflx.exec:\9llrflx.exe65⤵
- Executes dropped EXE
PID:2012 -
\??\c:\7ttnbn.exec:\7ttnbn.exe66⤵PID:864
-
\??\c:\bbbnbn.exec:\bbbnbn.exe67⤵PID:336
-
\??\c:\pjdvv.exec:\pjdvv.exe68⤵PID:980
-
\??\c:\3frrrrx.exec:\3frrrrx.exe69⤵PID:2164
-
\??\c:\tnhhnt.exec:\tnhhnt.exe70⤵PID:2948
-
\??\c:\nnbhtt.exec:\nnbhtt.exe71⤵PID:884
-
\??\c:\7pvvp.exec:\7pvvp.exe72⤵PID:2468
-
\??\c:\ddddj.exec:\ddddj.exe73⤵PID:2532
-
\??\c:\1xlfffr.exec:\1xlfffr.exe74⤵PID:1732
-
\??\c:\htnthn.exec:\htnthn.exe75⤵PID:1976
-
\??\c:\7nhnnn.exec:\7nhnnn.exe76⤵PID:3064
-
\??\c:\5dpjj.exec:\5dpjj.exe77⤵PID:2940
-
\??\c:\lflrfxx.exec:\lflrfxx.exe78⤵PID:2540
-
\??\c:\5flfxxx.exec:\5flfxxx.exe79⤵
- System Location Discovery: System Language Discovery
PID:2672 -
\??\c:\7nhntn.exec:\7nhntn.exe80⤵PID:2784
-
\??\c:\vpvvd.exec:\vpvvd.exe81⤵PID:2968
-
\??\c:\ffxxlrr.exec:\ffxxlrr.exe82⤵PID:2788
-
\??\c:\nhbnnh.exec:\nhbnnh.exe83⤵PID:2792
-
\??\c:\nbnntt.exec:\nbnntt.exe84⤵PID:2920
-
\??\c:\7jdvv.exec:\7jdvv.exe85⤵PID:2832
-
\??\c:\lfxlfrx.exec:\lfxlfrx.exe86⤵PID:2604
-
\??\c:\5rrrrrx.exec:\5rrrrrx.exe87⤵PID:3032
-
\??\c:\btbhnn.exec:\btbhnn.exe88⤵PID:2664
-
\??\c:\1jjpv.exec:\1jjpv.exe89⤵PID:1720
-
\??\c:\pvvjd.exec:\pvvjd.exe90⤵PID:1352
-
\??\c:\9flxrfx.exec:\9flxrfx.exe91⤵PID:1864
-
\??\c:\tthhnn.exec:\tthhnn.exe92⤵PID:2660
-
\??\c:\tbhtnn.exec:\tbhtnn.exe93⤵PID:1956
-
\??\c:\pjpjp.exec:\pjpjp.exe94⤵PID:796
-
\??\c:\ffflllf.exec:\ffflllf.exe95⤵PID:3060
-
\??\c:\xflxxrl.exec:\xflxxrl.exe96⤵PID:1304
-
\??\c:\hhtbnn.exec:\hhtbnn.exe97⤵PID:1556
-
\??\c:\pjddj.exec:\pjddj.exe98⤵PID:2900
-
\??\c:\llfrrxl.exec:\llfrrxl.exe99⤵PID:1828
-
\??\c:\9llrllf.exec:\9llrllf.exe100⤵PID:1184
-
\??\c:\nbtthh.exec:\nbtthh.exe101⤵PID:2352
-
\??\c:\pppvp.exec:\pppvp.exe102⤵PID:2220
-
\??\c:\lfrrxlr.exec:\lfrrxlr.exe103⤵PID:3012
-
\??\c:\7xlrxfl.exec:\7xlrxfl.exe104⤵PID:1588
-
\??\c:\nnbhth.exec:\nnbhth.exe105⤵PID:340
-
\??\c:\9vvjj.exec:\9vvjj.exe106⤵PID:444
-
\??\c:\jjppv.exec:\jjppv.exe107⤵PID:2972
-
\??\c:\rflfrrx.exec:\rflfrrx.exe108⤵PID:1468
-
\??\c:\5nbhtb.exec:\5nbhtb.exe109⤵PID:392
-
\??\c:\bthntt.exec:\bthntt.exe110⤵PID:2140
-
\??\c:\pvppj.exec:\pvppj.exe111⤵PID:2288
-
\??\c:\flxxxxf.exec:\flxxxxf.exe112⤵PID:2496
-
\??\c:\7htbnn.exec:\7htbnn.exe113⤵PID:868
-
\??\c:\ttnhtb.exec:\ttnhtb.exe114⤵PID:2164
-
\??\c:\jdddp.exec:\jdddp.exe115⤵PID:2992
-
\??\c:\ffxflrf.exec:\ffxflrf.exe116⤵PID:2096
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe117⤵PID:1728
-
\??\c:\nhbhhh.exec:\nhbhhh.exe118⤵PID:3068
-
\??\c:\vvvjp.exec:\vvvjp.exe119⤵PID:2944
-
\??\c:\rlfxffr.exec:\rlfxffr.exe120⤵PID:1520
-
\??\c:\1tntbh.exec:\1tntbh.exe121⤵PID:2880
-
\??\c:\bbbnhn.exec:\bbbnhn.exe122⤵PID:2844