Analysis
-
max time kernel
133s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe
-
Size
455KB
-
MD5
bebb29b116de1f3c81a744a33a1134f9
-
SHA1
d98930ff343d63589463e2306cbdf70f4d68ccc5
-
SHA256
fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c
-
SHA512
e96f55607bbf26f20b4d9a37a68aa54ae488689d8fd4e34eb7913666c14c9659aa094a396ee2bd865594ed4b7835a18a445d7ac0a5089847d829cf7585845d9e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRr:q7Tc2NYHUrAwfMp3CDRr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/3016-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-485-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2900-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-700-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1796-713-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2948-1083-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-1081-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2504-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-681-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2096-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-513-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1380-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2800-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-56-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1584 6044228.exe 3016 pddpv.exe 1436 1hbbbh.exe 2768 vpjjj.exe 2804 ppvdj.exe 2932 86804.exe 2792 dpppp.exe 2896 7hhtht.exe 2952 tnnttb.exe 2688 840668.exe 2988 04882.exe 584 5vppj.exe 1632 26446.exe 3068 fxrxlrl.exe 2876 7btbtt.exe 1640 a0806.exe 1560 442424.exe 1140 04680.exe 1712 vvpdv.exe 2352 hnnttn.exe 2088 2640220.exe 1772 ntnhtb.exe 2260 26402.exe 2660 4082484.exe 1380 420466.exe 2452 082244.exe 2620 rflxllr.exe 2120 djpvp.exe 1568 3flrflr.exe 2584 llxlfrf.exe 1700 flfrlxr.exe 1676 8646220.exe 1272 048428.exe 2252 djdjv.exe 2460 lfxfrxr.exe 2756 0862040.exe 2800 fxxrxlx.exe 2932 ppjvd.exe 2960 5frrflr.exe 2632 djdjv.exe 2984 888862.exe 2708 nnbhtb.exe 2692 008044.exe 2852 o488624.exe 2968 7rxlfll.exe 3060 602800.exe 2664 6080666.exe 3056 622840.exe 2884 nhhhhh.exe 1468 20280.exe 1260 vvjjp.exe 2212 428082.exe 1800 6428446.exe 2340 42062.exe 1796 xlrrxrx.exe 2536 hbbhnh.exe 2084 4000046.exe 2032 dppjp.exe 448 20646.exe 832 6084640.exe 2392 4200446.exe 1380 ffxxxfr.exe 688 pdvdd.exe 2900 82488.exe -
resource yara_rule behavioral1/memory/3016-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-917-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2468-1240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-1367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-1075-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-897-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-762-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2692-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-46-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1436-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-10-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4806884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e60202.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w28020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e44604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q88028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1304 wrote to memory of 1584 1304 fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe 30 PID 1304 wrote to memory of 1584 1304 fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe 30 PID 1304 wrote to memory of 1584 1304 fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe 30 PID 1304 wrote to memory of 1584 1304 fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe 30 PID 1584 wrote to memory of 3016 1584 6044228.exe 145 PID 1584 wrote to memory of 3016 1584 6044228.exe 145 PID 1584 wrote to memory of 3016 1584 6044228.exe 145 PID 1584 wrote to memory of 3016 1584 6044228.exe 145 PID 3016 wrote to memory of 1436 3016 pddpv.exe 32 PID 3016 wrote to memory of 1436 3016 pddpv.exe 32 PID 3016 wrote to memory of 1436 3016 pddpv.exe 32 PID 3016 wrote to memory of 1436 3016 pddpv.exe 32 PID 1436 wrote to memory of 2768 1436 1hbbbh.exe 33 PID 1436 wrote to memory of 2768 1436 1hbbbh.exe 33 PID 1436 wrote to memory of 2768 1436 1hbbbh.exe 33 PID 1436 wrote to memory of 2768 1436 1hbbbh.exe 33 PID 2768 wrote to memory of 2804 2768 vpjjj.exe 318 PID 2768 wrote to memory of 2804 2768 vpjjj.exe 318 PID 2768 wrote to memory of 2804 2768 vpjjj.exe 318 PID 2768 wrote to memory of 2804 2768 vpjjj.exe 318 PID 2804 wrote to memory of 2932 2804 ppvdj.exe 2049 PID 2804 wrote to memory of 2932 2804 ppvdj.exe 2049 PID 2804 wrote to memory of 2932 2804 ppvdj.exe 2049 PID 2804 wrote to memory of 2932 2804 ppvdj.exe 2049 PID 2932 wrote to memory of 2792 2932 86804.exe 36 PID 2932 wrote to memory of 2792 2932 86804.exe 36 PID 2932 wrote to memory of 2792 2932 86804.exe 36 PID 2932 wrote to memory of 2792 2932 86804.exe 36 PID 2792 wrote to memory of 2896 2792 dpppp.exe 669 PID 2792 wrote to memory of 2896 2792 dpppp.exe 669 PID 2792 wrote to memory of 2896 2792 dpppp.exe 669 PID 2792 wrote to memory of 2896 2792 dpppp.exe 669 PID 2896 wrote to memory of 2952 2896 7hhtht.exe 38 PID 2896 
wrote to memory of 2952 2896 7hhtht.exe 38 PID 2896 wrote to memory of 2952 2896 7hhtht.exe 38 PID 2896 wrote to memory of 2952 2896 7hhtht.exe 38 PID 2952 wrote to memory of 2688 2952 tnnttb.exe 39 PID 2952 wrote to memory of 2688 2952 tnnttb.exe 39 PID 2952 wrote to memory of 2688 2952 tnnttb.exe 39 PID 2952 wrote to memory of 2688 2952 tnnttb.exe 39 PID 2688 wrote to memory of 2988 2688 840668.exe 40 PID 2688 wrote to memory of 2988 2688 840668.exe 40 PID 2688 wrote to memory of 2988 2688 840668.exe 40 PID 2688 wrote to memory of 2988 2688 840668.exe 40 PID 2988 wrote to memory of 584 2988 04882.exe 154 PID 2988 wrote to memory of 584 2988 04882.exe 154 PID 2988 wrote to memory of 584 2988 04882.exe 154 PID 2988 wrote to memory of 584 2988 04882.exe 154 PID 584 wrote to memory of 1632 584 5vppj.exe 42 PID 584 wrote to memory of 1632 584 5vppj.exe 42 PID 584 wrote to memory of 1632 584 5vppj.exe 42 PID 584 wrote to memory of 1632 584 5vppj.exe 42 PID 1632 wrote to memory of 3068 1632 26446.exe 1954 PID 1632 wrote to memory of 3068 1632 26446.exe 1954 PID 1632 wrote to memory of 3068 1632 26446.exe 1954 PID 1632 wrote to memory of 3068 1632 26446.exe 1954 PID 3068 wrote to memory of 2876 3068 fxrxlrl.exe 44 PID 3068 wrote to memory of 2876 3068 fxrxlrl.exe 44 PID 3068 wrote to memory of 2876 3068 fxrxlrl.exe 44 PID 3068 wrote to memory of 2876 3068 fxrxlrl.exe 44 PID 2876 wrote to memory of 1640 2876 7btbtt.exe 45 PID 2876 wrote to memory of 1640 2876 7btbtt.exe 45 PID 2876 wrote to memory of 1640 2876 7btbtt.exe 45 PID 2876 wrote to memory of 1640 2876 7btbtt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe"C:\Users\Admin\AppData\Local\Temp\fd37ed8c5959303f3e839baa335b7c75291da1ad44a2901f2dfd3afe2bacb19c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\6044228.exec:\6044228.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\pddpv.exec:\pddpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\1hbbbh.exec:\1hbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\vpjjj.exec:\vpjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\ppvdj.exec:\ppvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\86804.exec:\86804.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\dpppp.exec:\dpppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\7hhtht.exec:\7hhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\tnnttb.exec:\tnnttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\840668.exec:\840668.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\04882.exec:\04882.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\5vppj.exec:\5vppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\26446.exec:\26446.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\fxrxlrl.exec:\fxrxlrl.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\7btbtt.exec:\7btbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\a0806.exec:\a0806.exe17⤵
- Executes dropped EXE
PID:1640 -
\??\c:\442424.exec:\442424.exe18⤵
- Executes dropped EXE
PID:1560 -
\??\c:\04680.exec:\04680.exe19⤵
- Executes dropped EXE
PID:1140 -
\??\c:\vvpdv.exec:\vvpdv.exe20⤵
- Executes dropped EXE
PID:1712 -
\??\c:\hnnttn.exec:\hnnttn.exe21⤵
- Executes dropped EXE
PID:2352 -
\??\c:\2640220.exec:\2640220.exe22⤵
- Executes dropped EXE
PID:2088 -
\??\c:\ntnhtb.exec:\ntnhtb.exe23⤵
- Executes dropped EXE
PID:1772 -
\??\c:\26402.exec:\26402.exe24⤵
- Executes dropped EXE
PID:2260 -
\??\c:\4082484.exec:\4082484.exe25⤵
- Executes dropped EXE
PID:2660 -
\??\c:\420466.exec:\420466.exe26⤵
- Executes dropped EXE
PID:1380 -
\??\c:\082244.exec:\082244.exe27⤵
- Executes dropped EXE
PID:2452 -
\??\c:\rflxllr.exec:\rflxllr.exe28⤵
- Executes dropped EXE
PID:2620 -
\??\c:\djpvp.exec:\djpvp.exe29⤵
- Executes dropped EXE
PID:2120 -
\??\c:\3flrflr.exec:\3flrflr.exe30⤵
- Executes dropped EXE
PID:1568 -
\??\c:\llxlfrf.exec:\llxlfrf.exe31⤵
- Executes dropped EXE
PID:2584 -
\??\c:\flfrlxr.exec:\flfrlxr.exe32⤵
- Executes dropped EXE
PID:1700 -
\??\c:\8646220.exec:\8646220.exe33⤵
- Executes dropped EXE
PID:1676 -
\??\c:\048428.exec:\048428.exe34⤵
- Executes dropped EXE
PID:1272 -
\??\c:\djdjv.exec:\djdjv.exe35⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lfxfrxr.exec:\lfxfrxr.exe36⤵
- Executes dropped EXE
PID:2460 -
\??\c:\0862040.exec:\0862040.exe37⤵
- Executes dropped EXE
PID:2756 -
\??\c:\fxxrxlx.exec:\fxxrxlx.exe38⤵
- Executes dropped EXE
PID:2800 -
\??\c:\ppjvd.exec:\ppjvd.exe39⤵
- Executes dropped EXE
PID:2932 -
\??\c:\5frrflr.exec:\5frrflr.exe40⤵
- Executes dropped EXE
PID:2960 -
\??\c:\djdjv.exec:\djdjv.exe41⤵
- Executes dropped EXE
PID:2632 -
\??\c:\888862.exec:\888862.exe42⤵
- Executes dropped EXE
PID:2984 -
\??\c:\nnbhtb.exec:\nnbhtb.exe43⤵
- Executes dropped EXE
PID:2708 -
\??\c:\008044.exec:\008044.exe44⤵
- Executes dropped EXE
PID:2692 -
\??\c:\o488624.exec:\o488624.exe45⤵
- Executes dropped EXE
PID:2852 -
\??\c:\7rxlfll.exec:\7rxlfll.exe46⤵
- Executes dropped EXE
PID:2968 -
\??\c:\602800.exec:\602800.exe47⤵
- Executes dropped EXE
PID:3060 -
\??\c:\6080666.exec:\6080666.exe48⤵
- Executes dropped EXE
PID:2664 -
\??\c:\622840.exec:\622840.exe49⤵
- Executes dropped EXE
PID:3056 -
\??\c:\nhhhhh.exec:\nhhhhh.exe50⤵
- Executes dropped EXE
PID:2884 -
\??\c:\20280.exec:\20280.exe51⤵
- Executes dropped EXE
PID:1468 -
\??\c:\vvjjp.exec:\vvjjp.exe52⤵
- Executes dropped EXE
PID:1260 -
\??\c:\428082.exec:\428082.exe53⤵
- Executes dropped EXE
PID:2212 -
\??\c:\6428446.exec:\6428446.exe54⤵
- Executes dropped EXE
PID:1800 -
\??\c:\42062.exec:\42062.exe55⤵
- Executes dropped EXE
PID:2340 -
\??\c:\xlrrxrx.exec:\xlrrxrx.exe56⤵
- Executes dropped EXE
PID:1796 -
\??\c:\hbbhnh.exec:\hbbhnh.exe57⤵
- Executes dropped EXE
PID:2536 -
\??\c:\4000046.exec:\4000046.exe58⤵
- Executes dropped EXE
PID:2084 -
\??\c:\dppjp.exec:\dppjp.exe59⤵
- Executes dropped EXE
PID:2032 -
\??\c:\20646.exec:\20646.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\6084640.exec:\6084640.exe61⤵
- Executes dropped EXE
PID:832 -
\??\c:\4200446.exec:\4200446.exe62⤵
- Executes dropped EXE
PID:2392 -
\??\c:\ffxxxfr.exec:\ffxxxfr.exe63⤵
- Executes dropped EXE
PID:1380 -
\??\c:\pdvdd.exec:\pdvdd.exe64⤵
- Executes dropped EXE
PID:688 -
\??\c:\82488.exec:\82488.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900 -
\??\c:\vjdjp.exec:\vjdjp.exe66⤵PID:976
-
\??\c:\86280.exec:\86280.exe67⤵PID:1716
-
\??\c:\64668.exec:\64668.exe68⤵PID:1052
-
\??\c:\bthbnt.exec:\bthbnt.exe69⤵PID:1576
-
\??\c:\42062.exec:\42062.exe70⤵PID:768
-
\??\c:\64684.exec:\64684.exe71⤵PID:344
-
\??\c:\42028.exec:\42028.exe72⤵PID:1436
-
\??\c:\jdjjv.exec:\jdjjv.exe73⤵PID:2092
-
\??\c:\bttbtt.exec:\bttbtt.exe74⤵PID:2460
-
\??\c:\5pvvj.exec:\5pvvj.exe75⤵PID:2096
-
\??\c:\1rrxffl.exec:\1rrxffl.exe76⤵PID:1760
-
\??\c:\602688.exec:\602688.exe77⤵PID:2592
-
\??\c:\420684.exec:\420684.exe78⤵PID:2932
-
\??\c:\04686.exec:\04686.exe79⤵PID:3020
-
\??\c:\3xflxfr.exec:\3xflxfr.exe80⤵PID:2672
-
\??\c:\w46248.exec:\w46248.exe81⤵PID:1032
-
\??\c:\lxrxxlf.exec:\lxrxxlf.exe82⤵PID:2236
-
\??\c:\bbthbb.exec:\bbthbb.exe83⤵PID:2708
-
\??\c:\9jvpj.exec:\9jvpj.exe84⤵PID:2692
-
\??\c:\2062880.exec:\2062880.exe85⤵PID:3040
-
\??\c:\64622.exec:\64622.exe86⤵PID:1464
-
\??\c:\0868008.exec:\0868008.exe87⤵PID:2604
-
\??\c:\220824.exec:\220824.exe88⤵PID:2860
-
\??\c:\3dpjj.exec:\3dpjj.exe89⤵PID:2256
-
\??\c:\4200600.exec:\4200600.exe90⤵PID:2076
-
\??\c:\llflllr.exec:\llflllr.exe91⤵PID:1556
-
\??\c:\jvjdp.exec:\jvjdp.exe92⤵PID:1468
-
\??\c:\lfxxxlr.exec:\lfxxxlr.exe93⤵PID:1260
-
\??\c:\08006.exec:\08006.exe94⤵PID:2292
-
\??\c:\frlrxrf.exec:\frlrxrf.exe95⤵PID:1652
-
\??\c:\s2002.exec:\s2002.exe96⤵PID:2140
-
\??\c:\64064.exec:\64064.exe97⤵PID:1796
-
\??\c:\dpddj.exec:\dpddj.exe98⤵PID:820
-
\??\c:\frxfrrx.exec:\frxfrrx.exe99⤵PID:1648
-
\??\c:\s4628.exec:\s4628.exe100⤵PID:1072
-
\??\c:\2262000.exec:\2262000.exe101⤵PID:2744
-
\??\c:\4800488.exec:\4800488.exe102⤵PID:1860
-
\??\c:\64280.exec:\64280.exe103⤵PID:288
-
\??\c:\260648.exec:\260648.exe104⤵PID:2776
-
\??\c:\w02800.exec:\w02800.exe105⤵PID:2496
-
\??\c:\264026.exec:\264026.exe106⤵PID:688
-
\??\c:\hthhnh.exec:\hthhnh.exe107⤵PID:2120
-
\??\c:\3frrxfl.exec:\3frrxfl.exe108⤵PID:2396
-
\??\c:\xfflfrf.exec:\xfflfrf.exe109⤵PID:1256
-
\??\c:\vvjvd.exec:\vvjvd.exe110⤵PID:2152
-
\??\c:\lfxfrxf.exec:\lfxfrxf.exe111⤵PID:2572
-
\??\c:\jjppv.exec:\jjppv.exe112⤵PID:1840
-
\??\c:\hbthhh.exec:\hbthhh.exe113⤵PID:356
-
\??\c:\0064826.exec:\0064826.exe114⤵PID:2940
-
\??\c:\62448.exec:\62448.exe115⤵PID:2504
-
\??\c:\bbthtt.exec:\bbthtt.exe116⤵PID:1816
-
\??\c:\e48806.exec:\e48806.exe117⤵PID:3016
-
\??\c:\bbhtht.exec:\bbhtht.exe118⤵PID:2712
-
\??\c:\1thnbh.exec:\1thnbh.exe119⤵PID:1492
-
\??\c:\vpdjd.exec:\vpdjd.exe120⤵PID:3012
-
\??\c:\2662680.exec:\2662680.exe121⤵PID:2732
-
\??\c:\o266884.exec:\o266884.exe122⤵PID:2748