Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe
-
Size
456KB
-
MD5
ef09ba38d3b0b56618358100d8201a9b
-
SHA1
6f33ed6529f7fbd1d1fc9941de5e608c33815539
-
SHA256
d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4
-
SHA512
fa1685bc9b1c8f85b4348f05058ee734c5e9c970bff03b4a9e7154a0a8cda04acf5a32c324be3196af7364f2125766973b96d7f78e83654ca4c58d753e5c3784
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRy:q7Tc2NYHUrAwfMp3CDRy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/3024-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1180-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-123-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2352-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-178-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2088-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2504-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-406-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1656-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-1069-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1180 5fxllrf.exe 2692 9nntnb.exe 2696 vpdjd.exe 2796 ddvvj.exe 3012 xfxfrxl.exe 2544 ppvvd.exe 2664 fxxfrfx.exe 2980 nnhtnb.exe 2832 rrxlxlf.exe 2188 nhhhtt.exe 2368 5xrrxxl.exe 2120 nnntbh.exe 780 llxflrx.exe 2352 xrfxrxr.exe 1264 9pvpd.exe 1828 5lfrxfl.exe 1912 9dppv.exe 2904 dpddj.exe 2088 rlflxfx.exe 2204 vpjpp.exe 840 thbntn.exe 2508 vvvjv.exe 1568 vvddp.exe 2304 1rrlflr.exe 772 1tbhbb.exe 816 vdddj.exe 1564 xrflrxl.exe 2504 3vpvj.exe 988 nhbhtb.exe 880 vvjpv.exe 2500 9xrrxrl.exe 2684 bnbtbh.exe 1180 9dvpv.exe 1776 ffrrlfx.exe 2692 bbntbh.exe 2696 jdvdj.exe 2568 rlfxfff.exe 2716 hhhnhn.exe 2540 nbbtbb.exe 2596 pjvvv.exe 2544 xxxxflx.exe 2976 bhtbhn.exe 1972 dvjjp.exe 2864 pdpjv.exe 2832 fxxxflx.exe 2420 hbntbt.exe 700 ppjdp.exe 1696 jdvpd.exe 1768 lfrxxfl.exe 1656 7thhhh.exe 1748 1jjpd.exe 2836 9frlrxx.exe 1240 7lrxflr.exe 1148 hhbhtn.exe 1508 ddvjv.exe 1816 fxrrxfr.exe 2228 btnthn.exe 2428 dvjjv.exe 2896 7dvvj.exe 1336 frfffff.exe 2020 ttthth.exe 1924 pdppv.exe 956 1rxxlrx.exe 1680 xxrxfrf.exe -
resource yara_rule behavioral1/memory/3024-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1180-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-46-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3012-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-243-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2504-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1180-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlrxl.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffffl.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjpv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 1180 3024 d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe 31 PID 3024 wrote to memory of 1180 3024 d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe 31 PID 3024 wrote to memory of 1180 3024 d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe 31 PID 3024 wrote to memory of 1180 3024 d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe 31 PID 1180 wrote to memory of 2692 1180 5fxllrf.exe 32 PID 1180 wrote to memory of 2692 1180 5fxllrf.exe 32 PID 1180 wrote to memory of 2692 1180 5fxllrf.exe 32 PID 1180 wrote to memory of 2692 1180 5fxllrf.exe 32 PID 2692 wrote to memory of 2696 2692 9nntnb.exe 33 PID 2692 wrote to memory of 2696 2692 9nntnb.exe 33 PID 2692 wrote to memory of 2696 2692 9nntnb.exe 33 PID 2692 wrote to memory of 2696 2692 9nntnb.exe 33 PID 2696 wrote to memory of 2796 2696 vpdjd.exe 34 PID 2696 wrote to memory of 2796 2696 vpdjd.exe 34 PID 2696 wrote to memory of 2796 2696 vpdjd.exe 34 PID 2696 wrote to memory of 2796 2696 vpdjd.exe 34 PID 2796 wrote to memory of 3012 2796 ddvvj.exe 35 PID 2796 wrote to memory of 3012 2796 ddvvj.exe 35 PID 2796 wrote to memory of 3012 2796 ddvvj.exe 35 PID 2796 wrote to memory of 3012 2796 ddvvj.exe 35 PID 3012 wrote to memory of 2544 3012 xfxfrxl.exe 36 PID 3012 wrote to memory of 2544 3012 xfxfrxl.exe 36 PID 3012 wrote to memory of 2544 3012 xfxfrxl.exe 36 PID 3012 wrote to memory of 2544 3012 xfxfrxl.exe 36 PID 2544 wrote to memory of 2664 2544 ppvvd.exe 37 PID 2544 wrote to memory of 2664 2544 ppvvd.exe 37 PID 2544 wrote to memory of 2664 2544 ppvvd.exe 37 PID 2544 wrote to memory of 2664 2544 ppvvd.exe 37 PID 2664 wrote to memory of 2980 2664 fxxfrfx.exe 38 PID 2664 wrote to memory of 2980 2664 fxxfrfx.exe 38 PID 2664 wrote to memory of 2980 2664 fxxfrfx.exe 38 PID 2664 wrote to memory of 2980 2664 fxxfrfx.exe 38 PID 2980 wrote to memory of 2832 2980 nnhtnb.exe 39 PID 2980 
wrote to memory of 2832 2980 nnhtnb.exe 39 PID 2980 wrote to memory of 2832 2980 nnhtnb.exe 39 PID 2980 wrote to memory of 2832 2980 nnhtnb.exe 39 PID 2832 wrote to memory of 2188 2832 rrxlxlf.exe 40 PID 2832 wrote to memory of 2188 2832 rrxlxlf.exe 40 PID 2832 wrote to memory of 2188 2832 rrxlxlf.exe 40 PID 2832 wrote to memory of 2188 2832 rrxlxlf.exe 40 PID 2188 wrote to memory of 2368 2188 nhhhtt.exe 41 PID 2188 wrote to memory of 2368 2188 nhhhtt.exe 41 PID 2188 wrote to memory of 2368 2188 nhhhtt.exe 41 PID 2188 wrote to memory of 2368 2188 nhhhtt.exe 41 PID 2368 wrote to memory of 2120 2368 5xrrxxl.exe 42 PID 2368 wrote to memory of 2120 2368 5xrrxxl.exe 42 PID 2368 wrote to memory of 2120 2368 5xrrxxl.exe 42 PID 2368 wrote to memory of 2120 2368 5xrrxxl.exe 42 PID 2120 wrote to memory of 780 2120 nnntbh.exe 43 PID 2120 wrote to memory of 780 2120 nnntbh.exe 43 PID 2120 wrote to memory of 780 2120 nnntbh.exe 43 PID 2120 wrote to memory of 780 2120 nnntbh.exe 43 PID 780 wrote to memory of 2352 780 llxflrx.exe 44 PID 780 wrote to memory of 2352 780 llxflrx.exe 44 PID 780 wrote to memory of 2352 780 llxflrx.exe 44 PID 780 wrote to memory of 2352 780 llxflrx.exe 44 PID 2352 wrote to memory of 1264 2352 xrfxrxr.exe 45 PID 2352 wrote to memory of 1264 2352 xrfxrxr.exe 45 PID 2352 wrote to memory of 1264 2352 xrfxrxr.exe 45 PID 2352 wrote to memory of 1264 2352 xrfxrxr.exe 45 PID 1264 wrote to memory of 1828 1264 9pvpd.exe 46 PID 1264 wrote to memory of 1828 1264 9pvpd.exe 46 PID 1264 wrote to memory of 1828 1264 9pvpd.exe 46 PID 1264 wrote to memory of 1828 1264 9pvpd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe"C:\Users\Admin\AppData\Local\Temp\d9e1d76d40bccbd1b460a21029643bca8bfbe9798beae0f08c138bcd7af693f4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\5fxllrf.exec:\5fxllrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\9nntnb.exec:\9nntnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\vpdjd.exec:\vpdjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\ddvvj.exec:\ddvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\xfxfrxl.exec:\xfxfrxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\ppvvd.exec:\ppvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\fxxfrfx.exec:\fxxfrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\nnhtnb.exec:\nnhtnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\rrxlxlf.exec:\rrxlxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\nhhhtt.exec:\nhhhtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\5xrrxxl.exec:\5xrrxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\nnntbh.exec:\nnntbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\llxflrx.exec:\llxflrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\xrfxrxr.exec:\xrfxrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\9pvpd.exec:\9pvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\5lfrxfl.exec:\5lfrxfl.exe17⤵
- Executes dropped EXE
PID:1828 -
\??\c:\9dppv.exec:\9dppv.exe18⤵
- Executes dropped EXE
PID:1912 -
\??\c:\dpddj.exec:\dpddj.exe19⤵
- Executes dropped EXE
PID:2904 -
\??\c:\rlflxfx.exec:\rlflxfx.exe20⤵
- Executes dropped EXE
PID:2088 -
\??\c:\vpjpp.exec:\vpjpp.exe21⤵
- Executes dropped EXE
PID:2204 -
\??\c:\thbntn.exec:\thbntn.exe22⤵
- Executes dropped EXE
PID:840 -
\??\c:\vvvjv.exec:\vvvjv.exe23⤵
- Executes dropped EXE
PID:2508 -
\??\c:\vvddp.exec:\vvddp.exe24⤵
- Executes dropped EXE
PID:1568 -
\??\c:\1rrlflr.exec:\1rrlflr.exe25⤵
- Executes dropped EXE
PID:2304 -
\??\c:\1tbhbb.exec:\1tbhbb.exe26⤵
- Executes dropped EXE
PID:772 -
\??\c:\vdddj.exec:\vdddj.exe27⤵
- Executes dropped EXE
PID:816 -
\??\c:\xrflrxl.exec:\xrflrxl.exe28⤵
- Executes dropped EXE
PID:1564 -
\??\c:\3vpvj.exec:\3vpvj.exe29⤵
- Executes dropped EXE
PID:2504 -
\??\c:\nhbhtb.exec:\nhbhtb.exe30⤵
- Executes dropped EXE
PID:988 -
\??\c:\vvjpv.exec:\vvjpv.exe31⤵
- Executes dropped EXE
PID:880 -
\??\c:\9xrrxrl.exec:\9xrrxrl.exe32⤵
- Executes dropped EXE
PID:2500 -
\??\c:\bnbtbh.exec:\bnbtbh.exe33⤵
- Executes dropped EXE
PID:2684 -
\??\c:\9dvpv.exec:\9dvpv.exe34⤵
- Executes dropped EXE
PID:1180 -
\??\c:\ffrrlfx.exec:\ffrrlfx.exe35⤵
- Executes dropped EXE
PID:1776 -
\??\c:\bbntbh.exec:\bbntbh.exe36⤵
- Executes dropped EXE
PID:2692 -
\??\c:\jdvdj.exec:\jdvdj.exe37⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rlfxfff.exec:\rlfxfff.exe38⤵
- Executes dropped EXE
PID:2568 -
\??\c:\hhhnhn.exec:\hhhnhn.exe39⤵
- Executes dropped EXE
PID:2716 -
\??\c:\nbbtbb.exec:\nbbtbb.exe40⤵
- Executes dropped EXE
PID:2540 -
\??\c:\pjvvv.exec:\pjvvv.exe41⤵
- Executes dropped EXE
PID:2596 -
\??\c:\xxxxflx.exec:\xxxxflx.exe42⤵
- Executes dropped EXE
PID:2544 -
\??\c:\bhtbhn.exec:\bhtbhn.exe43⤵
- Executes dropped EXE
PID:2976 -
\??\c:\dvjjp.exec:\dvjjp.exe44⤵
- Executes dropped EXE
PID:1972 -
\??\c:\pdpjv.exec:\pdpjv.exe45⤵
- Executes dropped EXE
PID:2864 -
\??\c:\fxxxflx.exec:\fxxxflx.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\hbntbt.exec:\hbntbt.exe47⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ppjdp.exec:\ppjdp.exe48⤵
- Executes dropped EXE
PID:700 -
\??\c:\jdvpd.exec:\jdvpd.exe49⤵
- Executes dropped EXE
PID:1696 -
\??\c:\lfrxxfl.exec:\lfrxxfl.exe50⤵
- Executes dropped EXE
PID:1768 -
\??\c:\7thhhh.exec:\7thhhh.exe51⤵
- Executes dropped EXE
PID:1656 -
\??\c:\1jjpd.exec:\1jjpd.exe52⤵
- Executes dropped EXE
PID:1748 -
\??\c:\9frlrxx.exec:\9frlrxx.exe53⤵
- Executes dropped EXE
PID:2836 -
\??\c:\7lrxflr.exec:\7lrxflr.exe54⤵
- Executes dropped EXE
PID:1240 -
\??\c:\hhbhtn.exec:\hhbhtn.exe55⤵
- Executes dropped EXE
PID:1148 -
\??\c:\ddvjv.exec:\ddvjv.exe56⤵
- Executes dropped EXE
PID:1508 -
\??\c:\fxrrxfr.exec:\fxrrxfr.exe57⤵
- Executes dropped EXE
PID:1816 -
\??\c:\btnthn.exec:\btnthn.exe58⤵
- Executes dropped EXE
PID:2228 -
\??\c:\dvjjv.exec:\dvjjv.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\7dvvj.exec:\7dvvj.exe60⤵
- Executes dropped EXE
PID:2896 -
\??\c:\frfffff.exec:\frfffff.exe61⤵
- Executes dropped EXE
PID:1336 -
\??\c:\ttthth.exec:\ttthth.exe62⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pdppv.exec:\pdppv.exe63⤵
- Executes dropped EXE
PID:1924 -
\??\c:\1rxxlrx.exec:\1rxxlrx.exe64⤵
- Executes dropped EXE
PID:956 -
\??\c:\xxrxfrf.exec:\xxrxfrf.exe65⤵
- Executes dropped EXE
PID:1680 -
\??\c:\bthhtt.exec:\bthhtt.exe66⤵PID:2148
-
\??\c:\ppjvj.exec:\ppjvj.exe67⤵PID:1492
-
\??\c:\pjvvd.exec:\pjvvd.exe68⤵PID:1960
-
\??\c:\xrfxllr.exec:\xrfxllr.exe69⤵PID:2308
-
\??\c:\bntthh.exec:\bntthh.exe70⤵PID:1596
-
\??\c:\1ppjj.exec:\1ppjj.exe71⤵PID:1292
-
\??\c:\jjdvv.exec:\jjdvv.exe72⤵PID:1484
-
\??\c:\xxxxllr.exec:\xxxxllr.exe73⤵PID:1968
-
\??\c:\hbhhnt.exec:\hbhhnt.exe74⤵PID:880
-
\??\c:\3vjpv.exec:\3vjpv.exe75⤵
- System Location Discovery: System Language Discovery
PID:2500 -
\??\c:\jdpjp.exec:\jdpjp.exe76⤵PID:2748
-
\??\c:\9frlfxx.exec:\9frlfxx.exe77⤵PID:1580
-
\??\c:\3tttbb.exec:\3tttbb.exe78⤵PID:2740
-
\??\c:\3jvjp.exec:\3jvjp.exe79⤵PID:2688
-
\??\c:\frlfrrx.exec:\frlfrrx.exe80⤵PID:2852
-
\??\c:\7tbbnn.exec:\7tbbnn.exe81⤵PID:2384
-
\??\c:\dvvdd.exec:\dvvdd.exe82⤵PID:2552
-
\??\c:\lrfrflr.exec:\lrfrflr.exe83⤵PID:3012
-
\??\c:\lrffffl.exec:\lrffffl.exe84⤵
- System Location Discovery: System Language Discovery
PID:2964 -
\??\c:\7bnntb.exec:\7bnntb.exe85⤵PID:2044
-
\??\c:\jvjjv.exec:\jvjjv.exe86⤵PID:1852
-
\??\c:\vvpvv.exec:\vvpvv.exe87⤵PID:2960
-
\??\c:\9lfrrrx.exec:\9lfrrrx.exe88⤵PID:2644
-
\??\c:\hhhhbh.exec:\hhhhbh.exe89⤵PID:612
-
\??\c:\tnbbhh.exec:\tnbbhh.exe90⤵PID:2436
-
\??\c:\ppppv.exec:\ppppv.exe91⤵PID:1604
-
\??\c:\llfflrx.exec:\llfflrx.exe92⤵PID:1664
-
\??\c:\tnbbhn.exec:\tnbbhn.exe93⤵PID:1932
-
\??\c:\7bhhhh.exec:\7bhhhh.exe94⤵PID:1044
-
\??\c:\vjjpj.exec:\vjjpj.exe95⤵PID:2356
-
\??\c:\fxlfllr.exec:\fxlfllr.exe96⤵PID:2612
-
\??\c:\9tntnt.exec:\9tntnt.exe97⤵PID:1980
-
\??\c:\5pjpj.exec:\5pjpj.exe98⤵PID:1076
-
\??\c:\fxlrxff.exec:\fxlrxff.exe99⤵PID:1508
-
\??\c:\7rllxfx.exec:\7rllxfx.exe100⤵PID:2860
-
\??\c:\1htthh.exec:\1htthh.exe101⤵PID:2196
-
\??\c:\9vppp.exec:\9vppp.exe102⤵PID:2088
-
\??\c:\7rrrfxf.exec:\7rrrfxf.exe103⤵PID:2896
-
\??\c:\xrflllx.exec:\xrflllx.exe104⤵PID:1308
-
\??\c:\tnbhbb.exec:\tnbhbb.exe105⤵PID:1032
-
\??\c:\pddvv.exec:\pddvv.exe106⤵PID:2112
-
\??\c:\lfllrll.exec:\lfllrll.exe107⤵PID:1532
-
\??\c:\3nhnnn.exec:\3nhnnn.exe108⤵PID:1780
-
\??\c:\9dppd.exec:\9dppd.exe109⤵
- System Location Discovery: System Language Discovery
PID:616 -
\??\c:\7pjpv.exec:\7pjpv.exe110⤵PID:344
-
\??\c:\rfxfflx.exec:\rfxfflx.exe111⤵PID:1804
-
\??\c:\thbhhh.exec:\thbhhh.exe112⤵PID:1404
-
\??\c:\pjvvd.exec:\pjvvd.exe113⤵PID:2504
-
\??\c:\9pjjp.exec:\9pjjp.exe114⤵PID:1736
-
\??\c:\3rrllrx.exec:\3rrllrx.exe115⤵PID:1496
-
\??\c:\vvvvv.exec:\vvvvv.exe116⤵PID:3036
-
\??\c:\ffrxrfl.exec:\ffrxrfl.exe117⤵PID:2884
-
\??\c:\3hnttb.exec:\3hnttb.exe118⤵PID:1572
-
\??\c:\pjvvv.exec:\pjvvv.exe119⤵PID:2768
-
\??\c:\xrllrrx.exec:\xrllrrx.exe120⤵PID:2244
-
\??\c:\xrlfrfx.exec:\xrlfrfx.exe121⤵PID:2880
-
\??\c:\1hntbh.exec:\1hntbh.exe122⤵PID:2700