Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 17:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe
-
Size
455KB
-
MD5
4595b4eff7f51d606a7abd85086395f0
-
SHA1
5534ae5aeed3a9eb6d6981194e4a03ae7b05ea55
-
SHA256
7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12
-
SHA512
a27c1ee9c9bfc4cb9c988ff4bbf9fc5d4f41b9c11a34c834a6c33a75ddccb5933c1b5a918ae3c6ae29eb38883014c869eee5ff29269a92bb13ed71acd96d0602
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2752-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/816-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1968-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-252-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2060-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2004-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-312-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-575-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2832-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-873-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-1099-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-1139-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2872-1158-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2684-1165-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2804 042862.exe 2768 7xrlxfx.exe 2896 3rfrffr.exe 816 48402.exe 2080 fxrfxxf.exe 2732 6062440.exe 2580 60664.exe 320 m6682.exe 1428 rlfxflx.exe 2196 08668.exe 1692 tbbhtb.exe 2988 dvdjp.exe 2796 82440.exe 2696 rfrlrrx.exe 1968 2608468.exe 2260 jpjvj.exe 2516 fxrxflx.exe 1572 g4284.exe 3044 pvvjp.exe 1016 6028446.exe 2168 c824006.exe 1092 nbnttb.exe 2496 0866848.exe 2188 xrlrffr.exe 1524 6646664.exe 3056 042460.exe 620 4862446.exe 2060 vpddj.exe 2520 g2008.exe 1236 4862846.exe 2004 vppdj.exe 2372 u200262.exe 1636 5llrlrl.exe 2884 04280.exe 2768 9hthhn.exe 2896 0822628.exe 2608 8208286.exe 2872 42280.exe 2732 xrrrxxx.exe 2784 424844.exe 596 42664.exe 2488 dvppj.exe 1736 e26284.exe 1164 48406.exe 2144 q04088.exe 356 8266846.exe 1868 20844.exe 2708 vpddj.exe 1956 tnhnbb.exe 2940 1lflxfr.exe 2696 26620.exe 2660 3vppv.exe 2984 flflrxr.exe 1580 5thhtt.exe 324 dpjjj.exe 1780 5jvjp.exe 768 q82800.exe 2176 428400.exe 2236 6428046.exe 2288 6084664.exe 2140 2606824.exe 2072 0866628.exe 1712 042862.exe 1796 0406842.exe -
resource yara_rule behavioral1/memory/2752-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-213-0x00000000001C0000-0x00000000001EA000-memory.dmp upx behavioral1/memory/3056-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-242-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2060-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-772-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1896-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-935-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-986-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-1112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-1125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-1166-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4686262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2684406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2752 wrote to memory of 2804 2752 7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe 30 PID 2752 wrote to memory of 2804 2752 7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe 30 PID 2752 wrote to memory of 2804 2752 7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe 30 PID 2752 wrote to memory of 2804 2752 7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe 30 PID 2804 wrote to memory of 2768 2804 042862.exe 31 PID 2804 wrote to memory of 2768 2804 042862.exe 31 PID 2804 wrote to memory of 2768 2804 042862.exe 31 PID 2804 wrote to memory of 2768 2804 042862.exe 31 PID 2768 wrote to memory of 2896 2768 7xrlxfx.exe 32 PID 2768 wrote to memory of 2896 2768 7xrlxfx.exe 32 PID 2768 wrote to memory of 2896 2768 7xrlxfx.exe 32 PID 2768 wrote to memory of 2896 2768 7xrlxfx.exe 32 PID 2896 wrote to memory of 816 2896 3rfrffr.exe 33 PID 2896 wrote to memory of 816 2896 3rfrffr.exe 33 PID 2896 wrote to memory of 816 2896 3rfrffr.exe 33 PID 2896 wrote to memory of 816 2896 3rfrffr.exe 33 PID 816 wrote to memory of 2080 816 48402.exe 34 PID 816 wrote to memory of 2080 816 48402.exe 34 PID 816 wrote to memory of 2080 816 48402.exe 34 PID 816 wrote to memory of 2080 816 48402.exe 34 PID 2080 wrote to memory of 2732 2080 fxrfxxf.exe 35 PID 2080 wrote to memory of 2732 2080 fxrfxxf.exe 35 PID 2080 wrote to memory of 2732 2080 fxrfxxf.exe 35 PID 2080 wrote to memory of 2732 2080 fxrfxxf.exe 35 PID 2732 wrote to memory of 2580 2732 6062440.exe 36 PID 2732 wrote to memory of 2580 2732 6062440.exe 36 PID 2732 wrote to memory of 2580 2732 6062440.exe 36 PID 2732 wrote to memory of 2580 2732 6062440.exe 36 PID 2580 wrote to memory of 320 2580 60664.exe 37 PID 2580 wrote to memory of 320 2580 60664.exe 37 PID 2580 wrote to memory of 320 2580 60664.exe 37 PID 2580 wrote to memory of 320 2580 60664.exe 37 PID 320 wrote to memory of 1428 320 m6682.exe 38 PID 320 wrote to 
memory of 1428 320 m6682.exe 38 PID 320 wrote to memory of 1428 320 m6682.exe 38 PID 320 wrote to memory of 1428 320 m6682.exe 38 PID 1428 wrote to memory of 2196 1428 rlfxflx.exe 39 PID 1428 wrote to memory of 2196 1428 rlfxflx.exe 39 PID 1428 wrote to memory of 2196 1428 rlfxflx.exe 39 PID 1428 wrote to memory of 2196 1428 rlfxflx.exe 39 PID 2196 wrote to memory of 1692 2196 08668.exe 40 PID 2196 wrote to memory of 1692 2196 08668.exe 40 PID 2196 wrote to memory of 1692 2196 08668.exe 40 PID 2196 wrote to memory of 1692 2196 08668.exe 40 PID 1692 wrote to memory of 2988 1692 tbbhtb.exe 41 PID 1692 wrote to memory of 2988 1692 tbbhtb.exe 41 PID 1692 wrote to memory of 2988 1692 tbbhtb.exe 41 PID 1692 wrote to memory of 2988 1692 tbbhtb.exe 41 PID 2988 wrote to memory of 2796 2988 dvdjp.exe 42 PID 2988 wrote to memory of 2796 2988 dvdjp.exe 42 PID 2988 wrote to memory of 2796 2988 dvdjp.exe 42 PID 2988 wrote to memory of 2796 2988 dvdjp.exe 42 PID 2796 wrote to memory of 2696 2796 82440.exe 43 PID 2796 wrote to memory of 2696 2796 82440.exe 43 PID 2796 wrote to memory of 2696 2796 82440.exe 43 PID 2796 wrote to memory of 2696 2796 82440.exe 43 PID 2696 wrote to memory of 1968 2696 rfrlrrx.exe 44 PID 2696 wrote to memory of 1968 2696 rfrlrrx.exe 44 PID 2696 wrote to memory of 1968 2696 rfrlrrx.exe 44 PID 2696 wrote to memory of 1968 2696 rfrlrrx.exe 44 PID 1968 wrote to memory of 2260 1968 2608468.exe 45 PID 1968 wrote to memory of 2260 1968 2608468.exe 45 PID 1968 wrote to memory of 2260 1968 2608468.exe 45 PID 1968 wrote to memory of 2260 1968 2608468.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe"C:\Users\Admin\AppData\Local\Temp\7adcb518691ad6f5fe21c4c004ad1340e465fb83766a6843cb8bc80e3cbedb12N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\042862.exec:\042862.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\7xrlxfx.exec:\7xrlxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\3rfrffr.exec:\3rfrffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\48402.exec:\48402.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\fxrfxxf.exec:\fxrfxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\6062440.exec:\6062440.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\60664.exec:\60664.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\m6682.exec:\m6682.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\rlfxflx.exec:\rlfxflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\08668.exec:\08668.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\tbbhtb.exec:\tbbhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\dvdjp.exec:\dvdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\82440.exec:\82440.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\2608468.exec:\2608468.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\jpjvj.exec:\jpjvj.exe17⤵
- Executes dropped EXE
PID:2260 -
\??\c:\fxrxflx.exec:\fxrxflx.exe18⤵
- Executes dropped EXE
PID:2516 -
\??\c:\g4284.exec:\g4284.exe19⤵
- Executes dropped EXE
PID:1572 -
\??\c:\pvvjp.exec:\pvvjp.exe20⤵
- Executes dropped EXE
PID:3044 -
\??\c:\6028446.exec:\6028446.exe21⤵
- Executes dropped EXE
PID:1016 -
\??\c:\c824006.exec:\c824006.exe22⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nbnttb.exec:\nbnttb.exe23⤵
- Executes dropped EXE
PID:1092 -
\??\c:\0866848.exec:\0866848.exe24⤵
- Executes dropped EXE
PID:2496 -
\??\c:\xrlrffr.exec:\xrlrffr.exe25⤵
- Executes dropped EXE
PID:2188 -
\??\c:\6646664.exec:\6646664.exe26⤵
- Executes dropped EXE
PID:1524 -
\??\c:\042460.exec:\042460.exe27⤵
- Executes dropped EXE
PID:3056 -
\??\c:\4862446.exec:\4862446.exe28⤵
- Executes dropped EXE
PID:620 -
\??\c:\vpddj.exec:\vpddj.exe29⤵
- Executes dropped EXE
PID:2060 -
\??\c:\g2008.exec:\g2008.exe30⤵
- Executes dropped EXE
PID:2520 -
\??\c:\4862846.exec:\4862846.exe31⤵
- Executes dropped EXE
PID:1236 -
\??\c:\vppdj.exec:\vppdj.exe32⤵
- Executes dropped EXE
PID:2004 -
\??\c:\u200262.exec:\u200262.exe33⤵
- Executes dropped EXE
PID:2372 -
\??\c:\5llrlrl.exec:\5llrlrl.exe34⤵
- Executes dropped EXE
PID:1636 -
\??\c:\04280.exec:\04280.exe35⤵
- Executes dropped EXE
PID:2884 -
\??\c:\9hthhn.exec:\9hthhn.exe36⤵
- Executes dropped EXE
PID:2768 -
\??\c:\0822628.exec:\0822628.exe37⤵
- Executes dropped EXE
PID:2896 -
\??\c:\8208286.exec:\8208286.exe38⤵
- Executes dropped EXE
PID:2608 -
\??\c:\42280.exec:\42280.exe39⤵
- Executes dropped EXE
PID:2872 -
\??\c:\xrrrxxx.exec:\xrrrxxx.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\424844.exec:\424844.exe41⤵
- Executes dropped EXE
PID:2784 -
\??\c:\42664.exec:\42664.exe42⤵
- Executes dropped EXE
PID:596 -
\??\c:\dvppj.exec:\dvppj.exe43⤵
- Executes dropped EXE
PID:2488 -
\??\c:\e26284.exec:\e26284.exe44⤵
- Executes dropped EXE
PID:1736 -
\??\c:\48406.exec:\48406.exe45⤵
- Executes dropped EXE
PID:1164 -
\??\c:\q04088.exec:\q04088.exe46⤵
- Executes dropped EXE
PID:2144 -
\??\c:\8266846.exec:\8266846.exe47⤵
- Executes dropped EXE
PID:356 -
\??\c:\20844.exec:\20844.exe48⤵
- Executes dropped EXE
PID:1868 -
\??\c:\vpddj.exec:\vpddj.exe49⤵
- Executes dropped EXE
PID:2708 -
\??\c:\tnhnbb.exec:\tnhnbb.exe50⤵
- Executes dropped EXE
PID:1956 -
\??\c:\1lflxfr.exec:\1lflxfr.exe51⤵
- Executes dropped EXE
PID:2940 -
\??\c:\26620.exec:\26620.exe52⤵
- Executes dropped EXE
PID:2696 -
\??\c:\3vppv.exec:\3vppv.exe53⤵
- Executes dropped EXE
PID:2660 -
\??\c:\flflrxr.exec:\flflrxr.exe54⤵
- Executes dropped EXE
PID:2984 -
\??\c:\5thhtt.exec:\5thhtt.exe55⤵
- Executes dropped EXE
PID:1580 -
\??\c:\dpjjj.exec:\dpjjj.exe56⤵
- Executes dropped EXE
PID:324 -
\??\c:\5jvjp.exec:\5jvjp.exe57⤵
- Executes dropped EXE
PID:1780 -
\??\c:\q82800.exec:\q82800.exe58⤵
- Executes dropped EXE
PID:768 -
\??\c:\428400.exec:\428400.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
\??\c:\6428046.exec:\6428046.exe60⤵
- Executes dropped EXE
PID:2236 -
\??\c:\6084664.exec:\6084664.exe61⤵
- Executes dropped EXE
PID:2288 -
\??\c:\2606824.exec:\2606824.exe62⤵
- Executes dropped EXE
PID:2140 -
\??\c:\0866628.exec:\0866628.exe63⤵
- Executes dropped EXE
PID:2072 -
\??\c:\042862.exec:\042862.exe64⤵
- Executes dropped EXE
PID:1712 -
\??\c:\0406842.exec:\0406842.exe65⤵
- Executes dropped EXE
PID:1796 -
\??\c:\llflrfr.exec:\llflrfr.exe66⤵PID:1896
-
\??\c:\6460684.exec:\6460684.exe67⤵PID:1976
-
\??\c:\ffflllr.exec:\ffflllr.exe68⤵PID:924
-
\??\c:\1pdvj.exec:\1pdvj.exe69⤵PID:916
-
\??\c:\3ffrrrf.exec:\3ffrrrf.exe70⤵PID:2252
-
\??\c:\xrfrxfr.exec:\xrfrxfr.exe71⤵PID:2008
-
\??\c:\828084.exec:\828084.exe72⤵PID:2352
-
\??\c:\5dvjd.exec:\5dvjd.exe73⤵PID:2056
-
\??\c:\hthhhn.exec:\hthhhn.exe74⤵PID:2764
-
\??\c:\ppjjd.exec:\ppjjd.exe75⤵PID:2908
-
\??\c:\6688668.exec:\6688668.exe76⤵PID:2832
-
\??\c:\7frxflr.exec:\7frxflr.exe77⤵PID:3028
-
\??\c:\xrlrflf.exec:\xrlrflf.exe78⤵PID:2636
-
\??\c:\o640806.exec:\o640806.exe79⤵PID:2748
-
\??\c:\826068.exec:\826068.exe80⤵PID:2772
-
\??\c:\608846.exec:\608846.exe81⤵PID:1128
-
\??\c:\c228068.exec:\c228068.exe82⤵PID:2724
-
\??\c:\1bnhnt.exec:\1bnhnt.exe83⤵PID:2580
-
\??\c:\7pdjj.exec:\7pdjj.exe84⤵PID:2672
-
\??\c:\202844.exec:\202844.exe85⤵PID:2488
-
\??\c:\64802.exec:\64802.exe86⤵PID:3068
-
\??\c:\dvvdp.exec:\dvvdp.exe87⤵PID:2256
-
\??\c:\q42406.exec:\q42406.exe88⤵PID:2096
-
\??\c:\m0840.exec:\m0840.exe89⤵PID:1648
-
\??\c:\nnnthh.exec:\nnnthh.exe90⤵PID:2856
-
\??\c:\2208068.exec:\2208068.exe91⤵PID:1764
-
\??\c:\nhtbhn.exec:\nhtbhn.exe92⤵PID:1748
-
\??\c:\8206220.exec:\8206220.exe93⤵PID:2976
-
\??\c:\pvvjp.exec:\pvvjp.exe94⤵PID:2596
-
\??\c:\26020.exec:\26020.exe95⤵PID:840
-
\??\c:\260088.exec:\260088.exe96⤵PID:2984
-
\??\c:\pppvp.exec:\pppvp.exe97⤵PID:704
-
\??\c:\q82846.exec:\q82846.exe98⤵PID:3040
-
\??\c:\04242.exec:\04242.exe99⤵PID:3032
-
\??\c:\rfrrrrf.exec:\rfrrrrf.exe100⤵PID:768
-
\??\c:\lxrxlrx.exec:\lxrxlrx.exe101⤵PID:1248
-
\??\c:\ppdpv.exec:\ppdpv.exe102⤵PID:2236
-
\??\c:\264084.exec:\264084.exe103⤵PID:1092
-
\??\c:\080040.exec:\080040.exe104⤵PID:1488
-
\??\c:\48062.exec:\48062.exe105⤵PID:2460
-
\??\c:\2062446.exec:\2062446.exe106⤵PID:1356
-
\??\c:\g4688.exec:\g4688.exe107⤵PID:780
-
\??\c:\1nnttt.exec:\1nnttt.exe108⤵PID:1896
-
\??\c:\246600.exec:\246600.exe109⤵PID:920
-
\??\c:\3jppj.exec:\3jppj.exe110⤵PID:1612
-
\??\c:\dvpvj.exec:\dvpvj.exe111⤵PID:1652
-
\??\c:\c022866.exec:\c022866.exe112⤵PID:1208
-
\??\c:\006442.exec:\006442.exe113⤵PID:1440
-
\??\c:\tttnnh.exec:\tttnnh.exe114⤵PID:2352
-
\??\c:\7fxfrxx.exec:\7fxfrxx.exe115⤵PID:2716
-
\??\c:\jdvvd.exec:\jdvvd.exe116⤵
- System Location Discovery: System Language Discovery
PID:2816 -
\??\c:\86402.exec:\86402.exe117⤵PID:2908
-
\??\c:\24668.exec:\24668.exe118⤵PID:876
-
\??\c:\0462880.exec:\0462880.exe119⤵PID:2892
-
\??\c:\206244.exec:\206244.exe120⤵PID:3016
-
\??\c:\42448.exec:\42448.exe121⤵PID:2840
-
\??\c:\5xfxxrx.exec:\5xfxxrx.exe122⤵PID:276
-