Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 07:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe
-
Size
453KB
-
MD5
b532ac678220298b41897f0d5ec9c4f1
-
SHA1
027d4d36d7ba8586251a6f280fb5b5dcdb96a546
-
SHA256
fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff
-
SHA512
a0d07cae24c072d5b0dbd913404c9d61ae364bee157026486eeed599fb3598cafb2d64ffc46ff56efdd16c6af058c7858cd70caf52998e3648ee891deb7cd95a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2380-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-57-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2120-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-575-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2392-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1672-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-770-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1636-763-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/3052-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-445-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2688-378-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2168-351-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/1688-331-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2760-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/476-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-899-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2056-924-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2380 fxxfllf.exe 2792 vjddj.exe 2756 xxxxrxf.exe 2228 hbnhnt.exe 2852 pppdj.exe 2920 xrfllrl.exe 2664 bttthh.exe 2432 vpddj.exe 2956 tnbtbb.exe 2120 pjjpd.exe 2788 rxrlxlx.exe 2872 frlxfrr.exe 2940 pvddv.exe 2976 rffxrff.exe 1792 1pdvd.exe 1440 xlxxxfl.exe 1672 1nthbn.exe 476 9ppvd.exe 2816 9lfxfxf.exe 2460 htntbb.exe 2268 jdvpv.exe 328 xfxlfxr.exe 2508 ttntnn.exe 2132 7rrxfll.exe 1776 bhhtbt.exe 2528 vjpdj.exe 2052 nbhbtn.exe 540 jpvvp.exe 1736 xflllff.exe 1812 bhtttn.exe 1588 pppdp.exe 2708 lfrxflr.exe 2744 thhtth.exe 2800 7hbttt.exe 2760 ffxxflx.exe 1688 ttnthn.exe 2656 vvpdj.exe 2736 fxrfxxl.exe 2168 rffxxrx.exe 2328 9htthh.exe 2620 vddvv.exe 1920 5lrxflf.exe 2688 nnntnb.exe 2884 vvdpd.exe 2880 jdddj.exe 2844 xxrfrrf.exe 2980 ttthtb.exe 396 5ddjv.exe 2340 rrxrrlf.exe 2004 flxxxff.exe 2696 hnnbtn.exe 532 pvvjd.exe 2504 rxllllr.exe 3064 5lfrfrf.exe 2580 hhbhnn.exe 992 jdvdp.exe 2184 fxlxlxr.exe 804 rxxxxxl.exe 3052 9nhnbn.exe 1684 5jvjp.exe 1352 rfxrfxf.exe 2532 9lrllfl.exe 1980 ntthnb.exe 2296 hhtnhn.exe -
resource yara_rule behavioral1/memory/2380-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-701-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2568-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-770-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3060-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/476-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-899-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2056-924-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2160-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the indicator is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; most entries are attributed to "Process not Found", meaning the reading process had already exited before the sandbox could resolve it, so the per-process attribution below is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rllllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
hbtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2380 2936 fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe 30 PID 2936 wrote to memory of 2380 2936 fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe 30 PID 2936 wrote to memory of 2380 2936 fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe 30 PID 2936 wrote to memory of 2380 2936 fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe 30 PID 2380 wrote to memory of 2792 2380 fxxfllf.exe 31 PID 2380 wrote to memory of 2792 2380 fxxfllf.exe 31 PID 2380 wrote to memory of 2792 2380 fxxfllf.exe 31 PID 2380 wrote to memory of 2792 2380 fxxfllf.exe 31 PID 2792 wrote to memory of 2756 2792 vjddj.exe 144 PID 2792 wrote to memory of 2756 2792 vjddj.exe 144 PID 2792 wrote to memory of 2756 2792 vjddj.exe 144 PID 2792 wrote to memory of 2756 2792 vjddj.exe 144 PID 2756 wrote to memory of 2228 2756 xxxxrxf.exe 33 PID 2756 wrote to memory of 2228 2756 xxxxrxf.exe 33 PID 2756 wrote to memory of 2228 2756 xxxxrxf.exe 33 PID 2756 wrote to memory of 2228 2756 xxxxrxf.exe 33 PID 2228 wrote to memory of 2852 2228 hbnhnt.exe 34 PID 2228 wrote to memory of 2852 2228 hbnhnt.exe 34 PID 2228 wrote to memory of 2852 2228 hbnhnt.exe 34 PID 2228 wrote to memory of 2852 2228 hbnhnt.exe 34 PID 2852 wrote to memory of 2920 2852 pppdj.exe 35 PID 2852 wrote to memory of 2920 2852 pppdj.exe 35 PID 2852 wrote to memory of 2920 2852 pppdj.exe 35 PID 2852 wrote to memory of 2920 2852 pppdj.exe 35 PID 2920 wrote to memory of 2664 2920 xrfllrl.exe 36 PID 2920 wrote to memory of 2664 2920 xrfllrl.exe 36 PID 2920 wrote to memory of 2664 2920 xrfllrl.exe 36 PID 2920 wrote to memory of 2664 2920 xrfllrl.exe 36 PID 2664 wrote to memory of 2432 2664 bttthh.exe 37 PID 2664 wrote to memory of 2432 2664 bttthh.exe 37 PID 2664 wrote to memory of 2432 2664 bttthh.exe 37 PID 2664 wrote to memory of 2432 2664 bttthh.exe 37 PID 2432 wrote to memory of 2956 2432 vpddj.exe 38 PID 
2432 wrote to memory of 2956 2432 vpddj.exe 38 PID 2432 wrote to memory of 2956 2432 vpddj.exe 38 PID 2432 wrote to memory of 2956 2432 vpddj.exe 38 PID 2956 wrote to memory of 2120 2956 tnbtbb.exe 39 PID 2956 wrote to memory of 2120 2956 tnbtbb.exe 39 PID 2956 wrote to memory of 2120 2956 tnbtbb.exe 39 PID 2956 wrote to memory of 2120 2956 tnbtbb.exe 39 PID 2120 wrote to memory of 2788 2120 pjjpd.exe 40 PID 2120 wrote to memory of 2788 2120 pjjpd.exe 40 PID 2120 wrote to memory of 2788 2120 pjjpd.exe 40 PID 2120 wrote to memory of 2788 2120 pjjpd.exe 40 PID 2788 wrote to memory of 2872 2788 rxrlxlx.exe 41 PID 2788 wrote to memory of 2872 2788 rxrlxlx.exe 41 PID 2788 wrote to memory of 2872 2788 rxrlxlx.exe 41 PID 2788 wrote to memory of 2872 2788 rxrlxlx.exe 41 PID 2872 wrote to memory of 2940 2872 frlxfrr.exe 42 PID 2872 wrote to memory of 2940 2872 frlxfrr.exe 42 PID 2872 wrote to memory of 2940 2872 frlxfrr.exe 42 PID 2872 wrote to memory of 2940 2872 frlxfrr.exe 42 PID 2940 wrote to memory of 2976 2940 pvddv.exe 43 PID 2940 wrote to memory of 2976 2940 pvddv.exe 43 PID 2940 wrote to memory of 2976 2940 pvddv.exe 43 PID 2940 wrote to memory of 2976 2940 pvddv.exe 43 PID 2976 wrote to memory of 1792 2976 rffxrff.exe 44 PID 2976 wrote to memory of 1792 2976 rffxrff.exe 44 PID 2976 wrote to memory of 1792 2976 rffxrff.exe 44 PID 2976 wrote to memory of 1792 2976 rffxrff.exe 44 PID 1792 wrote to memory of 1440 1792 1pdvd.exe 45 PID 1792 wrote to memory of 1440 1792 1pdvd.exe 45 PID 1792 wrote to memory of 1440 1792 1pdvd.exe 45 PID 1792 wrote to memory of 1440 1792 1pdvd.exe 45
Processes (a linear chain at least 122 levels deep: each dropped executable is written to the root of C:\ under a random consonant-only name, e.g. \??\c:\fxxfllf.exe, and spawns the next one; PIDs are reused within the run — 2756, 1588, 1672 and 2328, among others, appear at two different depths — so the memory-dump IoCs above must be correlated by their numeric suffix, not by PID alone)
-
C:\Users\Admin\AppData\Local\Temp\fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe"C:\Users\Admin\AppData\Local\Temp\fdf47e463e7d010e3fce26cb342139e860b76f5ee7fd44972a8bd8b4baa924ff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\fxxfllf.exec:\fxxfllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vjddj.exec:\vjddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xxxxrxf.exec:\xxxxrxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\hbnhnt.exec:\hbnhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\pppdj.exec:\pppdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\xrfllrl.exec:\xrfllrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\bttthh.exec:\bttthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\vpddj.exec:\vpddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\tnbtbb.exec:\tnbtbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\pjjpd.exec:\pjjpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\rxrlxlx.exec:\rxrlxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\frlxfrr.exec:\frlxfrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\pvddv.exec:\pvddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\rffxrff.exec:\rffxrff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\1pdvd.exec:\1pdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\xlxxxfl.exec:\xlxxxfl.exe17⤵
- Executes dropped EXE
PID:1440 -
\??\c:\1nthbn.exec:\1nthbn.exe18⤵
- Executes dropped EXE
PID:1672 -
\??\c:\9ppvd.exec:\9ppvd.exe19⤵
- Executes dropped EXE
PID:476 -
\??\c:\9lfxfxf.exec:\9lfxfxf.exe20⤵
- Executes dropped EXE
PID:2816 -
\??\c:\htntbb.exec:\htntbb.exe21⤵
- Executes dropped EXE
PID:2460 -
\??\c:\jdvpv.exec:\jdvpv.exe22⤵
- Executes dropped EXE
PID:2268 -
\??\c:\xfxlfxr.exec:\xfxlfxr.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:328 -
\??\c:\ttntnn.exec:\ttntnn.exe24⤵
- Executes dropped EXE
PID:2508 -
\??\c:\7rrxfll.exec:\7rrxfll.exe25⤵
- Executes dropped EXE
PID:2132 -
\??\c:\bhhtbt.exec:\bhhtbt.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\vjpdj.exec:\vjpdj.exe27⤵
- Executes dropped EXE
PID:2528 -
\??\c:\nbhbtn.exec:\nbhbtn.exe28⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jpvvp.exec:\jpvvp.exe29⤵
- Executes dropped EXE
PID:540 -
\??\c:\xflllff.exec:\xflllff.exe30⤵
- Executes dropped EXE
PID:1736 -
\??\c:\bhtttn.exec:\bhtttn.exe31⤵
- Executes dropped EXE
PID:1812 -
\??\c:\pppdp.exec:\pppdp.exe32⤵
- Executes dropped EXE
PID:1588 -
\??\c:\lfrxflr.exec:\lfrxflr.exe33⤵
- Executes dropped EXE
PID:2708 -
\??\c:\thhtth.exec:\thhtth.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744 -
\??\c:\7hbttt.exec:\7hbttt.exe35⤵
- Executes dropped EXE
PID:2800 -
\??\c:\ffxxflx.exec:\ffxxflx.exe36⤵
- Executes dropped EXE
PID:2760 -
\??\c:\ttnthn.exec:\ttnthn.exe37⤵
- Executes dropped EXE
PID:1688 -
\??\c:\vvpdj.exec:\vvpdj.exe38⤵
- Executes dropped EXE
PID:2656 -
\??\c:\fxrfxxl.exec:\fxrfxxl.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rffxxrx.exec:\rffxxrx.exe40⤵
- Executes dropped EXE
PID:2168 -
\??\c:\9htthh.exec:\9htthh.exe41⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vddvv.exec:\vddvv.exe42⤵
- Executes dropped EXE
PID:2620 -
\??\c:\5lrxflf.exec:\5lrxflf.exe43⤵
- Executes dropped EXE
PID:1920 -
\??\c:\nnntnb.exec:\nnntnb.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\vvdpd.exec:\vvdpd.exe45⤵
- Executes dropped EXE
PID:2884 -
\??\c:\jdddj.exec:\jdddj.exe46⤵
- Executes dropped EXE
PID:2880 -
\??\c:\xxrfrrf.exec:\xxrfrrf.exe47⤵
- Executes dropped EXE
PID:2844 -
\??\c:\ttthtb.exec:\ttthtb.exe48⤵
- Executes dropped EXE
PID:2980 -
\??\c:\5ddjv.exec:\5ddjv.exe49⤵
- Executes dropped EXE
PID:396 -
\??\c:\rrxrrlf.exec:\rrxrrlf.exe50⤵
- Executes dropped EXE
PID:2340 -
\??\c:\flxxxff.exec:\flxxxff.exe51⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hnnbtn.exec:\hnnbtn.exe52⤵
- Executes dropped EXE
PID:2696 -
\??\c:\pvvjd.exec:\pvvjd.exe53⤵
- Executes dropped EXE
PID:532 -
\??\c:\rxllllr.exec:\rxllllr.exe54⤵
- Executes dropped EXE
PID:2504 -
\??\c:\5lfrfrf.exec:\5lfrfrf.exe55⤵
- Executes dropped EXE
PID:3064 -
\??\c:\hhbhnn.exec:\hhbhnn.exe56⤵
- Executes dropped EXE
PID:2580 -
\??\c:\jdvdp.exec:\jdvdp.exe57⤵
- Executes dropped EXE
PID:992 -
\??\c:\fxlxlxr.exec:\fxlxlxr.exe58⤵
- Executes dropped EXE
PID:2184 -
\??\c:\rxxxxxl.exec:\rxxxxxl.exe59⤵
- Executes dropped EXE
PID:804 -
\??\c:\9nhnbn.exec:\9nhnbn.exe60⤵
- Executes dropped EXE
PID:3052 -
\??\c:\5jvjp.exec:\5jvjp.exe61⤵
- Executes dropped EXE
PID:1684 -
\??\c:\rfxrfxf.exec:\rfxrfxf.exe62⤵
- Executes dropped EXE
PID:1352 -
\??\c:\9lrllfl.exec:\9lrllfl.exe63⤵
- Executes dropped EXE
PID:2532 -
\??\c:\ntthnb.exec:\ntthnb.exe64⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hhtnhn.exec:\hhtnhn.exe65⤵
- Executes dropped EXE
PID:2296 -
\??\c:\vdjpv.exec:\vdjpv.exe66⤵PID:2080
-
\??\c:\rxrxlrx.exec:\rxrxlrx.exe67⤵PID:1532
-
\??\c:\rxxfflf.exec:\rxxfflf.exe68⤵PID:1284
-
\??\c:\bbhnnt.exec:\bbhnnt.exe69⤵PID:1736
-
\??\c:\vdvjv.exec:\vdvjv.exe70⤵PID:1812
-
\??\c:\7dddd.exec:\7dddd.exe71⤵PID:1588
-
\??\c:\5xrrflx.exec:\5xrrflx.exe72⤵PID:2748
-
\??\c:\ffxlxfl.exec:\ffxlxfl.exe73⤵PID:3036
-
\??\c:\bhnbhh.exec:\bhnbhh.exe74⤵PID:2780
-
\??\c:\vpppd.exec:\vpppd.exe75⤵PID:2912
-
\??\c:\ppjpj.exec:\ppjpj.exe76⤵PID:2740
-
\??\c:\xfxxxll.exec:\xfxxxll.exe77⤵PID:2624
-
\??\c:\tbbhth.exec:\tbbhth.exe78⤵PID:2704
-
\??\c:\7ttbht.exec:\7ttbht.exe79⤵PID:2820
-
\??\c:\jdvdp.exec:\jdvdp.exe80⤵PID:1808
-
\??\c:\jppvp.exec:\jppvp.exe81⤵PID:2328
-
\??\c:\rxlxfll.exec:\rxlxfll.exe82⤵PID:2392
-
\??\c:\nnthtt.exec:\nnthtt.exe83⤵PID:344
-
\??\c:\bnhbhh.exec:\bnhbhh.exe84⤵PID:2108
-
\??\c:\vvjpv.exec:\vvjpv.exe85⤵PID:3012
-
\??\c:\nhtbtb.exec:\nhtbtb.exe86⤵PID:2964
-
\??\c:\jjvvd.exec:\jjvvd.exe87⤵PID:2984
-
\??\c:\vpdjv.exec:\vpdjv.exe88⤵PID:1228
-
\??\c:\xxlffrx.exec:\xxlffrx.exe89⤵PID:1292
-
\??\c:\fxrfffx.exec:\fxrfffx.exe90⤵PID:1916
-
\??\c:\bhtnnb.exec:\bhtnnb.exe91⤵PID:2012
-
\??\c:\pvjpv.exec:\pvjpv.exe92⤵PID:1304
-
\??\c:\vpvjj.exec:\vpvjj.exe93⤵PID:1672
-
\??\c:\lllflrr.exec:\lllflrr.exe94⤵PID:556
-
\??\c:\btthnt.exec:\btthnt.exe95⤵PID:576
-
\??\c:\pdpdv.exec:\pdpdv.exe96⤵PID:3060
-
\??\c:\xrrxfll.exec:\xrrxfll.exe97⤵PID:2580
-
\??\c:\1ffffll.exec:\1ffffll.exe98⤵PID:2312
-
\??\c:\bnnhbn.exec:\bnnhbn.exe99⤵PID:1520
-
\??\c:\jjjvj.exec:\jjjvj.exe100⤵PID:2508
-
\??\c:\vdpdv.exec:\vdpdv.exe101⤵PID:2428
-
\??\c:\xxrrxrf.exec:\xxrrxrf.exe102⤵PID:2936
-
\??\c:\frfrfll.exec:\frfrfll.exe103⤵PID:1636
-
\??\c:\tnhtbn.exec:\tnhtbn.exe104⤵PID:2568
-
\??\c:\ttnnbb.exec:\ttnnbb.exe105⤵PID:1392
-
\??\c:\pjvdp.exec:\pjvdp.exe106⤵PID:2296
-
\??\c:\llflxfr.exec:\llflxfr.exe107⤵PID:2080
-
\??\c:\5rfffll.exec:\5rfffll.exe108⤵PID:1532
-
\??\c:\hbnbhh.exec:\hbnbhh.exe109⤵PID:1284
-
\??\c:\5hntth.exec:\5hntth.exe110⤵PID:2548
-
\??\c:\3jddj.exec:\3jddj.exe111⤵PID:1344
-
\??\c:\vpddj.exec:\vpddj.exe112⤵PID:1952
-
\??\c:\xrllrxl.exec:\xrllrxl.exe113⤵PID:2796
-
\??\c:\1lxxflr.exec:\1lxxflr.exe114⤵PID:2660
-
\??\c:\tbhbnh.exec:\tbhbnh.exe115⤵PID:2800
-
\??\c:\dpvvd.exec:\dpvvd.exe116⤵PID:2756
-
\??\c:\pjdjv.exec:\pjdjv.exe117⤵PID:848
-
\??\c:\7fxfffr.exec:\7fxfffr.exe118⤵PID:2612
-
\??\c:\1xlrxrx.exec:\1xlrxrx.exe119⤵PID:2284
-
\??\c:\hnthbn.exec:\hnthbn.exe120⤵PID:2736
-
\??\c:\tttthn.exec:\tttthn.exe121⤵PID:2316
-
\??\c:\pjppv.exec:\pjppv.exe122⤵PID:2556