Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 19:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe
-
Size
453KB
-
MD5
3c37577ab61b63bb95c81df12717f685
-
SHA1
7f1c2be1a76b6683d2801ed7cbffea93f0b743c5
-
SHA256
0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5
-
SHA512
622ee15fbd1906a5a0c9a7d1cc3c939f94d37fe0ba89bdb008c5ef76a467cd6c71553525a851d1fa5e18f9902e53af697eaa56876a71c4012758a2613571c849
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber:q7Tc2NYHUrAwfMp3CDr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 35 IoCs
resource yara_rule behavioral1/memory/1700-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-56-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1012-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/404-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-70-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2812-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/440-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-1314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2388 fffrxlf.exe 1616 nnhhbh.exe 2356 868426.exe 2884 ntthbt.exe 2292 pdjjp.exe 2812 3rxlrll.exe 1204 3bhhnh.exe 2636 086288.exe 2736 66848.exe 2596 flflxxl.exe 1648 w42480.exe 2372 bttbhn.exe 1540 k68068.exe 2980 w40022.exe 2952 lxfxfff.exe 2972 dvjdj.exe 344 9htnnh.exe 1988 pjppv.exe 1340 646662.exe 3012 jdpjp.exe 1956 djppv.exe 2084 1bhbbb.exe 1012 3ntthh.exe 404 vppvp.exe 1716 868660.exe 896 3ntnnh.exe 908 08606.exe 1316 w86088.exe 1400 e86022.exe 2428 1flffxx.exe 1604 s4262.exe 2324 1pjjd.exe 2520 1htthh.exe 2388 w08224.exe 1544 hhthnn.exe 1524 pjpvd.exe 872 42002.exe 1976 bthnbb.exe 2884 dpdvd.exe 2704 fxxrrrx.exe 2804 hhbnbn.exe 2808 u460668.exe 2716 btthhn.exe 2636 864084.exe 2612 htbbbb.exe 2648 nbnhhh.exe 2792 42828.exe 1872 vjddj.exe 1352 20228.exe 2996 08000.exe 2944 m2484.exe 1120 26846.exe 3000 w08022.exe 1476 08002.exe 848 2084228.exe 3028 1jvvd.exe 3052 7xfxxxx.exe 2332 9jvpj.exe 2696 ddppd.exe 404 hbttbh.exe 1172 206626.exe 1716 c862262.exe 896 7jjpp.exe 2176 688862.exe -
resource yara_rule behavioral1/memory/1700-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-122-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1648-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/440-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-860-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-943-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-956-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/300-1005-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-1042-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-1079-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-1105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-1215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-1246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-1295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-1314-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4280880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6406822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8600662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i682266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
w06488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4266446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6224.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 2388 1700 0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe 30 PID 1700 wrote to memory of 2388 1700 0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe 30 PID 1700 wrote to memory of 2388 1700 0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe 30 PID 1700 wrote to memory of 2388 1700 0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe 30 PID 2388 wrote to memory of 1616 2388 fffrxlf.exe 31 PID 2388 wrote to memory of 1616 2388 fffrxlf.exe 31 PID 2388 wrote to memory of 1616 2388 fffrxlf.exe 31 PID 2388 wrote to memory of 1616 2388 fffrxlf.exe 31 PID 1616 wrote to memory of 2356 1616 nnhhbh.exe 32 PID 1616 wrote to memory of 2356 1616 nnhhbh.exe 32 PID 1616 wrote to memory of 2356 1616 nnhhbh.exe 32 PID 1616 wrote to memory of 2356 1616 nnhhbh.exe 32 PID 2356 wrote to memory of 2884 2356 868426.exe 33 PID 2356 wrote to memory of 2884 2356 868426.exe 33 PID 2356 wrote to memory of 2884 2356 868426.exe 33 PID 2356 wrote to memory of 2884 2356 868426.exe 33 PID 2884 wrote to memory of 2292 2884 ntthbt.exe 34 PID 2884 wrote to memory of 2292 2884 ntthbt.exe 34 PID 2884 wrote to memory of 2292 2884 ntthbt.exe 34 PID 2884 wrote to memory of 2292 2884 ntthbt.exe 34 PID 2292 wrote to memory of 2812 2292 pdjjp.exe 35 PID 2292 wrote to memory of 2812 2292 pdjjp.exe 35 PID 2292 wrote to memory of 2812 2292 pdjjp.exe 35 PID 2292 wrote to memory of 2812 2292 pdjjp.exe 35 PID 2812 wrote to memory of 1204 2812 3rxlrll.exe 36 PID 2812 wrote to memory of 1204 2812 3rxlrll.exe 36 PID 2812 wrote to memory of 1204 2812 3rxlrll.exe 36 PID 2812 wrote to memory of 1204 2812 3rxlrll.exe 36 PID 1204 wrote to memory of 2636 1204 3bhhnh.exe 73 PID 1204 wrote to memory of 2636 1204 3bhhnh.exe 73 PID 1204 wrote to memory of 2636 1204 3bhhnh.exe 73 PID 1204 wrote to memory of 2636 1204 3bhhnh.exe 73 PID 2636 wrote to memory of 2736 2636 086288.exe 38 PID 2636 
wrote to memory of 2736 2636 086288.exe 38 PID 2636 wrote to memory of 2736 2636 086288.exe 38 PID 2636 wrote to memory of 2736 2636 086288.exe 38 PID 2736 wrote to memory of 2596 2736 66848.exe 39 PID 2736 wrote to memory of 2596 2736 66848.exe 39 PID 2736 wrote to memory of 2596 2736 66848.exe 39 PID 2736 wrote to memory of 2596 2736 66848.exe 39 PID 2596 wrote to memory of 1648 2596 flflxxl.exe 40 PID 2596 wrote to memory of 1648 2596 flflxxl.exe 40 PID 2596 wrote to memory of 1648 2596 flflxxl.exe 40 PID 2596 wrote to memory of 1648 2596 flflxxl.exe 40 PID 1648 wrote to memory of 2372 1648 w42480.exe 41 PID 1648 wrote to memory of 2372 1648 w42480.exe 41 PID 1648 wrote to memory of 2372 1648 w42480.exe 41 PID 1648 wrote to memory of 2372 1648 w42480.exe 41 PID 2372 wrote to memory of 1540 2372 bttbhn.exe 42 PID 2372 wrote to memory of 1540 2372 bttbhn.exe 42 PID 2372 wrote to memory of 1540 2372 bttbhn.exe 42 PID 2372 wrote to memory of 1540 2372 bttbhn.exe 42 PID 1540 wrote to memory of 2980 1540 k68068.exe 43 PID 1540 wrote to memory of 2980 1540 k68068.exe 43 PID 1540 wrote to memory of 2980 1540 k68068.exe 43 PID 1540 wrote to memory of 2980 1540 k68068.exe 43 PID 2980 wrote to memory of 2952 2980 w40022.exe 44 PID 2980 wrote to memory of 2952 2980 w40022.exe 44 PID 2980 wrote to memory of 2952 2980 w40022.exe 44 PID 2980 wrote to memory of 2952 2980 w40022.exe 44 PID 2952 wrote to memory of 2972 2952 lxfxfff.exe 45 PID 2952 wrote to memory of 2972 2952 lxfxfff.exe 45 PID 2952 wrote to memory of 2972 2952 lxfxfff.exe 45 PID 2952 wrote to memory of 2972 2952 lxfxfff.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe"C:\Users\Admin\AppData\Local\Temp\0dab2635379eaa90b29c3858e5b9ff21f82518da51cf661245a63f62981527b5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\fffrxlf.exec:\fffrxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\nnhhbh.exec:\nnhhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\868426.exec:\868426.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\ntthbt.exec:\ntthbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\pdjjp.exec:\pdjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\3rxlrll.exec:\3rxlrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\3bhhnh.exec:\3bhhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\086288.exec:\086288.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\66848.exec:\66848.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\flflxxl.exec:\flflxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\w42480.exec:\w42480.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\bttbhn.exec:\bttbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\k68068.exec:\k68068.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\w40022.exec:\w40022.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\lxfxfff.exec:\lxfxfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\dvjdj.exec:\dvjdj.exe17⤵
- Executes dropped EXE
PID:2972 -
\??\c:\9htnnh.exec:\9htnnh.exe18⤵
- Executes dropped EXE
PID:344 -
\??\c:\pjppv.exec:\pjppv.exe19⤵
- Executes dropped EXE
PID:1988 -
\??\c:\646662.exec:\646662.exe20⤵
- Executes dropped EXE
PID:1340 -
\??\c:\jdpjp.exec:\jdpjp.exe21⤵
- Executes dropped EXE
PID:3012 -
\??\c:\djppv.exec:\djppv.exe22⤵
- Executes dropped EXE
PID:1956 -
\??\c:\1bhbbb.exec:\1bhbbb.exe23⤵
- Executes dropped EXE
PID:2084 -
\??\c:\3ntthh.exec:\3ntthh.exe24⤵
- Executes dropped EXE
PID:1012 -
\??\c:\vppvp.exec:\vppvp.exe25⤵
- Executes dropped EXE
PID:404 -
\??\c:\868660.exec:\868660.exe26⤵
- Executes dropped EXE
PID:1716 -
\??\c:\3ntnnh.exec:\3ntnnh.exe27⤵
- Executes dropped EXE
PID:896 -
\??\c:\08606.exec:\08606.exe28⤵
- Executes dropped EXE
PID:908 -
\??\c:\w86088.exec:\w86088.exe29⤵
- Executes dropped EXE
PID:1316 -
\??\c:\e86022.exec:\e86022.exe30⤵
- Executes dropped EXE
PID:1400 -
\??\c:\1flffxx.exec:\1flffxx.exe31⤵
- Executes dropped EXE
PID:2428 -
\??\c:\s4262.exec:\s4262.exe32⤵
- Executes dropped EXE
PID:1604 -
\??\c:\1pjjd.exec:\1pjjd.exe33⤵
- Executes dropped EXE
PID:2324 -
\??\c:\1htthh.exec:\1htthh.exe34⤵
- Executes dropped EXE
PID:2520 -
\??\c:\w08224.exec:\w08224.exe35⤵
- Executes dropped EXE
PID:2388 -
\??\c:\hhthnn.exec:\hhthnn.exe36⤵
- Executes dropped EXE
PID:1544 -
\??\c:\pjpvd.exec:\pjpvd.exe37⤵
- Executes dropped EXE
PID:1524 -
\??\c:\42002.exec:\42002.exe38⤵
- Executes dropped EXE
PID:872 -
\??\c:\bthnbb.exec:\bthnbb.exe39⤵
- Executes dropped EXE
PID:1976 -
\??\c:\dpdvd.exec:\dpdvd.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe41⤵
- Executes dropped EXE
PID:2704 -
\??\c:\hhbnbn.exec:\hhbnbn.exe42⤵
- Executes dropped EXE
PID:2804 -
\??\c:\u460668.exec:\u460668.exe43⤵
- Executes dropped EXE
PID:2808 -
\??\c:\btthhn.exec:\btthhn.exe44⤵
- Executes dropped EXE
PID:2716 -
\??\c:\864084.exec:\864084.exe45⤵
- Executes dropped EXE
PID:2636 -
\??\c:\htbbbb.exec:\htbbbb.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\nbnhhh.exec:\nbnhhh.exe47⤵
- Executes dropped EXE
PID:2648 -
\??\c:\42828.exec:\42828.exe48⤵
- Executes dropped EXE
PID:2792 -
\??\c:\vjddj.exec:\vjddj.exe49⤵
- Executes dropped EXE
PID:1872 -
\??\c:\20228.exec:\20228.exe50⤵
- Executes dropped EXE
PID:1352 -
\??\c:\08000.exec:\08000.exe51⤵
- Executes dropped EXE
PID:2996 -
\??\c:\m2484.exec:\m2484.exe52⤵
- Executes dropped EXE
PID:2944 -
\??\c:\26846.exec:\26846.exe53⤵
- Executes dropped EXE
PID:1120 -
\??\c:\w08022.exec:\w08022.exe54⤵
- Executes dropped EXE
PID:3000 -
\??\c:\08002.exec:\08002.exe55⤵
- Executes dropped EXE
PID:1476 -
\??\c:\2084228.exec:\2084228.exe56⤵
- Executes dropped EXE
PID:848 -
\??\c:\1jvvd.exec:\1jvvd.exe57⤵
- Executes dropped EXE
PID:3028 -
\??\c:\7xfxxxx.exec:\7xfxxxx.exe58⤵
- Executes dropped EXE
PID:3052 -
\??\c:\9jvpj.exec:\9jvpj.exe59⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ddppd.exec:\ddppd.exe60⤵
- Executes dropped EXE
PID:2696 -
\??\c:\hbttbh.exec:\hbttbh.exe61⤵
- Executes dropped EXE
PID:404 -
\??\c:\206626.exec:\206626.exe62⤵
- Executes dropped EXE
PID:1172 -
\??\c:\c862262.exec:\c862262.exe63⤵
- Executes dropped EXE
PID:1716 -
\??\c:\7jjpp.exec:\7jjpp.exe64⤵
- Executes dropped EXE
PID:896 -
\??\c:\688862.exec:\688862.exe65⤵
- Executes dropped EXE
PID:2176 -
\??\c:\46224.exec:\46224.exe66⤵PID:2140
-
\??\c:\xlffrrx.exec:\xlffrrx.exe67⤵PID:2272
-
\??\c:\80228.exec:\80228.exe68⤵PID:1500
-
\??\c:\9jvpp.exec:\9jvpp.exe69⤵PID:2896
-
\??\c:\xrflrxf.exec:\xrflrxf.exe70⤵PID:2276
-
\??\c:\w06004.exec:\w06004.exe71⤵PID:1440
-
\??\c:\llxrrrf.exec:\llxrrrf.exe72⤵PID:868
-
\??\c:\q08888.exec:\q08888.exe73⤵PID:1544
-
\??\c:\6608242.exec:\6608242.exe74⤵PID:328
-
\??\c:\xrlllll.exec:\xrlllll.exe75⤵PID:2380
-
\??\c:\20280.exec:\20280.exe76⤵PID:2544
-
\??\c:\424882.exec:\424882.exe77⤵PID:2884
-
\??\c:\20606.exec:\20606.exe78⤵PID:2684
-
\??\c:\4682262.exec:\4682262.exe79⤵PID:2532
-
\??\c:\w48666.exec:\w48666.exe80⤵PID:2808
-
\??\c:\42842.exec:\42842.exe81⤵PID:2744
-
\??\c:\2024888.exec:\2024888.exe82⤵PID:3036
-
\??\c:\88280.exec:\88280.exe83⤵PID:2256
-
\??\c:\7thnnt.exec:\7thnnt.exe84⤵PID:2868
-
\??\c:\2644684.exec:\2644684.exe85⤵PID:1648
-
\??\c:\rrllrxr.exec:\rrllrxr.exe86⤵PID:1872
-
\??\c:\hbtbnn.exec:\hbtbnn.exe87⤵PID:2904
-
\??\c:\tthbtb.exec:\tthbtb.exe88⤵PID:2656
-
\??\c:\22002.exec:\22002.exe89⤵PID:2732
-
\??\c:\44026.exec:\44026.exe90⤵PID:296
-
\??\c:\60884.exec:\60884.exe91⤵PID:2000
-
\??\c:\82024.exec:\82024.exe92⤵PID:2976
-
\??\c:\04240.exec:\04240.exe93⤵PID:884
-
\??\c:\5bnbtb.exec:\5bnbtb.exe94⤵PID:2776
-
\??\c:\1btbbh.exec:\1btbbh.exe95⤵PID:2900
-
\??\c:\48068.exec:\48068.exe96⤵PID:1744
-
\??\c:\5dvpp.exec:\5dvpp.exe97⤵PID:1444
-
\??\c:\48242.exec:\48242.exe98⤵PID:1032
-
\??\c:\rrfrflf.exec:\rrfrflf.exe99⤵PID:2092
-
\??\c:\jdppv.exec:\jdppv.exe100⤵PID:2032
-
\??\c:\42488.exec:\42488.exe101⤵PID:2740
-
\??\c:\rlxlrrf.exec:\rlxlrrf.exe102⤵PID:3020
-
\??\c:\6084662.exec:\6084662.exe103⤵PID:2568
-
\??\c:\k20088.exec:\k20088.exe104⤵PID:2236
-
\??\c:\1htntb.exec:\1htntb.exe105⤵PID:1028
-
\??\c:\42662.exec:\42662.exe106⤵PID:1172
-
\??\c:\xrlfflx.exec:\xrlfflx.exe107⤵PID:440
-
\??\c:\c862ttb.exec:\c862ttb.exe108⤵PID:752
-
\??\c:\20828.exec:\20828.exe109⤵PID:1680
-
\??\c:\xrrxlrx.exec:\xrrxlrx.exe110⤵PID:2428
-
\??\c:\w46244.exec:\w46244.exe111⤵PID:2284
-
\??\c:\nbtbtb.exec:\nbtbtb.exe112⤵PID:2324
-
\??\c:\rlfllfl.exec:\rlfllfl.exe113⤵PID:980
-
\??\c:\7jpjj.exec:\7jpjj.exe114⤵PID:1188
-
\??\c:\04446.exec:\04446.exe115⤵PID:2388
-
\??\c:\o428008.exec:\o428008.exe116⤵PID:1524
-
\??\c:\204444.exec:\204444.exe117⤵PID:2168
-
\??\c:\48846.exec:\48846.exe118⤵PID:676
-
\??\c:\bbhttt.exec:\bbhttt.exe119⤵PID:2380
-
\??\c:\pjddd.exec:\pjddd.exe120⤵PID:2528
-
\??\c:\0046402.exec:\0046402.exe121⤵PID:1712
-
\??\c:\04886.exec:\04886.exe122⤵PID:2096