Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe
-
Size
455KB
-
MD5
7574fc0a1572fdde00fdedfd50cd1185
-
SHA1
f26a39e92474d33a229570fab2ae3da84717d8d3
-
SHA256
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5
-
SHA512
86028168a543d043a52ee24890ad5f6b9478d8b765c0a6fd77aca982f2d898e86607f3e776ed6a3150f84df363694a2b97877c47a8bb87905a354d7bcaee707b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0K:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2096-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-84-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2628-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1124-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-240-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2460-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3040-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/556-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-396-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1408-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1228-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-459-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1652-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-559-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1668-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-901-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2772-925-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2532 pvdpj.exe 1552 lfrrxxl.exe 1944 ffflrrx.exe 1912 nhbhnt.exe 2808 7pjpd.exe 2732 9tnbnt.exe 2976 7bnnnn.exe 2628 xlllrxr.exe 2604 3thnbt.exe 2728 ddddd.exe 1732 nttnnb.exe 592 vvjpv.exe 2592 lfrrrrr.exe 772 nthhhh.exe 1908 jvvpd.exe 2352 llfxrxf.exe 1500 hbbhhh.exe 2936 llrfxrl.exe 3052 7nttbb.exe 2400 pjvdj.exe 2960 ffrxffl.exe 1660 dpddp.exe 1124 llrxfff.exe 2896 1hbhnn.exe 1844 pdvvv.exe 2460 frffflr.exe 3040 btnntt.exe 556 flrxlfl.exe 1692 tnbhtb.exe 1484 djvdj.exe 3012 ffrflxl.exe 2356 pdvvd.exe 2544 llrllff.exe 2412 bbbbtb.exe 2372 dddjv.exe 2472 vvjvp.exe 2748 9rffrxl.exe 2820 tnthnt.exe 2816 5vjjv.exe 2844 jjdjd.exe 2364 xxllxxl.exe 2904 7hthnn.exe 2644 dpvpp.exe 2656 xxllffr.exe 2324 7httht.exe 1208 nnnhnn.exe 1408 1vjjv.exe 2512 xrxfffl.exe 1144 nhbthn.exe 624 bbtbhh.exe 1424 jdvdj.exe 1736 rxxfrrl.exe 1228 xxllfrx.exe 2952 thntbb.exe 2696 djjpd.exe 2892 xxxfxlx.exe 2076 rlllrrl.exe 2400 1hthbb.exe 576 ddpvp.exe 2908 jddjd.exe 1444 7lffrxl.exe 2932 nnhtht.exe 632 nnhthn.exe 1604 jjdjd.exe -
resource yara_rule behavioral1/memory/2096-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2460-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-815-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1640-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-925-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2616-927-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-1147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-1154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-1179-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2532 2096 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 30 PID 2096 wrote to memory of 2532 2096 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 30 PID 2096 wrote to memory of 2532 2096 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 30 PID 2096 wrote to memory of 2532 2096 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 30 PID 2532 wrote to memory of 1552 2532 pvdpj.exe 31 PID 2532 wrote to memory of 1552 2532 pvdpj.exe 31 PID 2532 wrote to memory of 1552 2532 pvdpj.exe 31 PID 2532 wrote to memory of 1552 2532 pvdpj.exe 31 PID 1552 wrote to memory of 1944 1552 lfrrxxl.exe 32 PID 1552 wrote to memory of 1944 1552 lfrrxxl.exe 32 PID 1552 wrote to memory of 1944 1552 lfrrxxl.exe 32 PID 1552 wrote to memory of 1944 1552 lfrrxxl.exe 32 PID 1944 wrote to memory of 1912 1944 ffflrrx.exe 33 PID 1944 wrote to memory of 1912 1944 ffflrrx.exe 33 PID 1944 wrote to memory of 1912 1944 ffflrrx.exe 33 PID 1944 wrote to memory of 1912 1944 ffflrrx.exe 33 PID 1912 wrote to memory of 2808 1912 nhbhnt.exe 34 PID 1912 wrote to memory of 2808 1912 nhbhnt.exe 34 PID 1912 wrote to memory of 2808 1912 nhbhnt.exe 34 PID 1912 wrote to memory of 2808 1912 nhbhnt.exe 34 PID 2808 wrote to memory of 2732 2808 7pjpd.exe 35 PID 2808 wrote to memory of 2732 2808 7pjpd.exe 35 PID 2808 wrote to memory of 2732 2808 7pjpd.exe 35 PID 2808 wrote to memory of 2732 2808 7pjpd.exe 35 PID 2732 wrote to memory of 2976 2732 9tnbnt.exe 36 PID 2732 wrote to memory of 2976 2732 9tnbnt.exe 36 PID 2732 wrote to memory of 2976 2732 9tnbnt.exe 36 PID 2732 wrote to memory of 2976 2732 9tnbnt.exe 36 PID 2976 wrote to memory of 2628 2976 7bnnnn.exe 37 PID 2976 wrote to memory of 2628 2976 7bnnnn.exe 37 PID 2976 wrote to memory of 2628 2976 7bnnnn.exe 37 PID 2976 wrote to memory of 2628 2976 7bnnnn.exe 37 PID 2628 wrote to memory of 2604 2628 xlllrxr.exe 38 PID 2628 
wrote to memory of 2604 2628 xlllrxr.exe 38 PID 2628 wrote to memory of 2604 2628 xlllrxr.exe 38 PID 2628 wrote to memory of 2604 2628 xlllrxr.exe 38 PID 2604 wrote to memory of 2728 2604 3thnbt.exe 39 PID 2604 wrote to memory of 2728 2604 3thnbt.exe 39 PID 2604 wrote to memory of 2728 2604 3thnbt.exe 39 PID 2604 wrote to memory of 2728 2604 3thnbt.exe 39 PID 2728 wrote to memory of 1732 2728 ddddd.exe 40 PID 2728 wrote to memory of 1732 2728 ddddd.exe 40 PID 2728 wrote to memory of 1732 2728 ddddd.exe 40 PID 2728 wrote to memory of 1732 2728 ddddd.exe 40 PID 1732 wrote to memory of 592 1732 nttnnb.exe 41 PID 1732 wrote to memory of 592 1732 nttnnb.exe 41 PID 1732 wrote to memory of 592 1732 nttnnb.exe 41 PID 1732 wrote to memory of 592 1732 nttnnb.exe 41 PID 592 wrote to memory of 2592 592 vvjpv.exe 42 PID 592 wrote to memory of 2592 592 vvjpv.exe 42 PID 592 wrote to memory of 2592 592 vvjpv.exe 42 PID 592 wrote to memory of 2592 592 vvjpv.exe 42 PID 2592 wrote to memory of 772 2592 lfrrrrr.exe 43 PID 2592 wrote to memory of 772 2592 lfrrrrr.exe 43 PID 2592 wrote to memory of 772 2592 lfrrrrr.exe 43 PID 2592 wrote to memory of 772 2592 lfrrrrr.exe 43 PID 772 wrote to memory of 1908 772 nthhhh.exe 44 PID 772 wrote to memory of 1908 772 nthhhh.exe 44 PID 772 wrote to memory of 1908 772 nthhhh.exe 44 PID 772 wrote to memory of 1908 772 nthhhh.exe 44 PID 1908 wrote to memory of 2352 1908 jvvpd.exe 45 PID 1908 wrote to memory of 2352 1908 jvvpd.exe 45 PID 1908 wrote to memory of 2352 1908 jvvpd.exe 45 PID 1908 wrote to memory of 2352 1908 jvvpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe"C:\Users\Admin\AppData\Local\Temp\adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\pvdpj.exec:\pvdpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\ffflrrx.exec:\ffflrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\nhbhnt.exec:\nhbhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\7pjpd.exec:\7pjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\9tnbnt.exec:\9tnbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\7bnnnn.exec:\7bnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\xlllrxr.exec:\xlllrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\3thnbt.exec:\3thnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\ddddd.exec:\ddddd.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\nttnnb.exec:\nttnnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\vvjpv.exec:\vvjpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\nthhhh.exec:\nthhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\jvvpd.exec:\jvvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\llfxrxf.exec:\llfxrxf.exe17⤵
- Executes dropped EXE
PID:2352 -
\??\c:\hbbhhh.exec:\hbbhhh.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1500 -
\??\c:\llrfxrl.exec:\llrfxrl.exe19⤵
- Executes dropped EXE
PID:2936 -
\??\c:\7nttbb.exec:\7nttbb.exe20⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pjvdj.exec:\pjvdj.exe21⤵
- Executes dropped EXE
PID:2400 -
\??\c:\ffrxffl.exec:\ffrxffl.exe22⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dpddp.exec:\dpddp.exe23⤵
- Executes dropped EXE
PID:1660 -
\??\c:\llrxfff.exec:\llrxfff.exe24⤵
- Executes dropped EXE
PID:1124 -
\??\c:\1hbhnn.exec:\1hbhnn.exe25⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pdvvv.exec:\pdvvv.exe26⤵
- Executes dropped EXE
PID:1844 -
\??\c:\frffflr.exec:\frffflr.exe27⤵
- Executes dropped EXE
PID:2460 -
\??\c:\btnntt.exec:\btnntt.exe28⤵
- Executes dropped EXE
PID:3040 -
\??\c:\flrxlfl.exec:\flrxlfl.exe29⤵
- Executes dropped EXE
PID:556 -
\??\c:\tnbhtb.exec:\tnbhtb.exe30⤵
- Executes dropped EXE
PID:1692 -
\??\c:\djvdj.exec:\djvdj.exe31⤵
- Executes dropped EXE
PID:1484 -
\??\c:\ffrflxl.exec:\ffrflxl.exe32⤵
- Executes dropped EXE
PID:3012 -
\??\c:\pdvvd.exec:\pdvvd.exe33⤵
- Executes dropped EXE
PID:2356 -
\??\c:\llrllff.exec:\llrllff.exe34⤵
- Executes dropped EXE
PID:2544 -
\??\c:\bbbbtb.exec:\bbbbtb.exe35⤵
- Executes dropped EXE
PID:2412 -
\??\c:\dddjv.exec:\dddjv.exe36⤵
- Executes dropped EXE
PID:2372 -
\??\c:\vvjvp.exec:\vvjvp.exe37⤵
- Executes dropped EXE
PID:2472 -
\??\c:\9rffrxl.exec:\9rffrxl.exe38⤵
- Executes dropped EXE
PID:2748 -
\??\c:\tnthnt.exec:\tnthnt.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\5vjjv.exec:\5vjjv.exe40⤵
- Executes dropped EXE
PID:2816 -
\??\c:\jjdjd.exec:\jjdjd.exe41⤵
- Executes dropped EXE
PID:2844 -
\??\c:\xxllxxl.exec:\xxllxxl.exe42⤵
- Executes dropped EXE
PID:2364 -
\??\c:\7hthnn.exec:\7hthnn.exe43⤵
- Executes dropped EXE
PID:2904 -
\??\c:\dpvpp.exec:\dpvpp.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\xxllffr.exec:\xxllffr.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\7httht.exec:\7httht.exe46⤵
- Executes dropped EXE
PID:2324 -
\??\c:\nnnhnn.exec:\nnnhnn.exe47⤵
- Executes dropped EXE
PID:1208 -
\??\c:\1vjjv.exec:\1vjjv.exe48⤵
- Executes dropped EXE
PID:1408 -
\??\c:\xrxfffl.exec:\xrxfffl.exe49⤵
- Executes dropped EXE
PID:2512 -
\??\c:\nhbthn.exec:\nhbthn.exe50⤵
- Executes dropped EXE
PID:1144 -
\??\c:\bbtbhh.exec:\bbtbhh.exe51⤵
- Executes dropped EXE
PID:624 -
\??\c:\jdvdj.exec:\jdvdj.exe52⤵
- Executes dropped EXE
PID:1424 -
\??\c:\rxxfrrl.exec:\rxxfrrl.exe53⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xxllfrx.exec:\xxllfrx.exe54⤵
- Executes dropped EXE
PID:1228 -
\??\c:\thntbb.exec:\thntbb.exe55⤵
- Executes dropped EXE
PID:2952 -
\??\c:\djjpd.exec:\djjpd.exe56⤵
- Executes dropped EXE
PID:2696 -
\??\c:\xxxfxlx.exec:\xxxfxlx.exe57⤵
- Executes dropped EXE
PID:2892 -
\??\c:\rlllrrl.exec:\rlllrrl.exe58⤵
- Executes dropped EXE
PID:2076 -
\??\c:\1hthbb.exec:\1hthbb.exe59⤵
- Executes dropped EXE
PID:2400 -
\??\c:\ddpvp.exec:\ddpvp.exe60⤵
- Executes dropped EXE
PID:576 -
\??\c:\jddjd.exec:\jddjd.exe61⤵
- Executes dropped EXE
PID:2908 -
\??\c:\7lffrxl.exec:\7lffrxl.exe62⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nnhtht.exec:\nnhtht.exe63⤵
- Executes dropped EXE
PID:2932 -
\??\c:\nnhthn.exec:\nnhthn.exe64⤵
- Executes dropped EXE
PID:632 -
\??\c:\jjdjd.exec:\jjdjd.exe65⤵
- Executes dropped EXE
PID:1604 -
\??\c:\rrlrrxl.exec:\rrlrrxl.exe66⤵PID:1952
-
\??\c:\rlxxffl.exec:\rlxxffl.exe67⤵PID:2792
-
\??\c:\hhbhbh.exec:\hhbhbh.exe68⤵PID:1448
-
\??\c:\vpdjv.exec:\vpdjv.exe69⤵PID:1652
-
\??\c:\xllllrf.exec:\xllllrf.exe70⤵PID:1804
-
\??\c:\rlfflrx.exec:\rlfflrx.exe71⤵PID:1792
-
\??\c:\5nbhnt.exec:\5nbhnt.exe72⤵PID:2060
-
\??\c:\dvvjp.exec:\dvvjp.exe73⤵PID:1140
-
\??\c:\9xllxfr.exec:\9xllxfr.exe74⤵PID:840
-
\??\c:\nnhnhn.exec:\nnhnhn.exe75⤵PID:2380
-
\??\c:\bhhtth.exec:\bhhtth.exe76⤵PID:1668
-
\??\c:\dvjjp.exec:\dvjjp.exe77⤵PID:2140
-
\??\c:\fxflffl.exec:\fxflffl.exe78⤵PID:2536
-
\??\c:\bhbbbt.exec:\bhbbbt.exe79⤵PID:2800
-
\??\c:\nnhthn.exec:\nnhthn.exe80⤵PID:2320
-
\??\c:\jjdpv.exec:\jjdpv.exe81⤵PID:2852
-
\??\c:\rxflrrx.exec:\rxflrrx.exe82⤵PID:2860
-
\??\c:\bhhbth.exec:\bhhbth.exe83⤵PID:2808
-
\??\c:\tbnbtb.exec:\tbnbtb.exe84⤵PID:2640
-
\??\c:\9pdjv.exec:\9pdjv.exe85⤵PID:2488
-
\??\c:\flrxlrf.exec:\flrxlrf.exe86⤵PID:2904
-
\??\c:\rlflrrx.exec:\rlflrrx.exe87⤵PID:2672
-
\??\c:\bttbhn.exec:\bttbhn.exe88⤵PID:3060
-
\??\c:\1djjj.exec:\1djjj.exe89⤵PID:2300
-
\??\c:\lfflflx.exec:\lfflflx.exe90⤵PID:3068
-
\??\c:\rffrxrx.exec:\rffrxrx.exe91⤵PID:1412
-
\??\c:\tnnbnn.exec:\tnnbnn.exe92⤵PID:2668
-
\??\c:\5djvv.exec:\5djvv.exe93⤵PID:2448
-
\??\c:\rrllxxl.exec:\rrllxxl.exe94⤵PID:1188
-
\??\c:\lxllllr.exec:\lxllllr.exe95⤵PID:896
-
\??\c:\btntbh.exec:\btntbh.exe96⤵PID:1364
-
\??\c:\dpdjp.exec:\dpdjp.exe97⤵PID:1788
-
\??\c:\5jddv.exec:\5jddv.exe98⤵PID:1596
-
\??\c:\lfrxffl.exec:\lfrxffl.exe99⤵PID:2788
-
\??\c:\hhnnbh.exec:\hhnnbh.exe100⤵PID:2900
-
\??\c:\pdppv.exec:\pdppv.exe101⤵PID:2112
-
\??\c:\vvjvp.exec:\vvjvp.exe102⤵PID:1724
-
\??\c:\lxrxffr.exec:\lxrxffr.exe103⤵PID:584
-
\??\c:\xrlrffr.exec:\xrlrffr.exe104⤵PID:2464
-
\??\c:\nbhhhh.exec:\nbhhhh.exe105⤵PID:1116
-
\??\c:\pdpvd.exec:\pdpvd.exe106⤵PID:444
-
\??\c:\ppjpj.exec:\ppjpj.exe107⤵PID:944
-
\??\c:\fxllrxf.exec:\fxllrxf.exe108⤵PID:2308
-
\??\c:\btnthh.exec:\btnthh.exe109⤵PID:1308
-
\??\c:\thtttt.exec:\thtttt.exe110⤵PID:2252
-
\??\c:\dpddv.exec:\dpddv.exe111⤵PID:760
-
\??\c:\5xrrxfl.exec:\5xrrxfl.exe112⤵PID:872
-
\??\c:\bnhhnn.exec:\bnhhnn.exe113⤵PID:3040
-
\??\c:\hbttht.exec:\hbttht.exe114⤵PID:556
-
\??\c:\1djdd.exec:\1djdd.exe115⤵PID:604
-
\??\c:\llflflx.exec:\llflflx.exe116⤵PID:1792
-
\??\c:\thhnth.exec:\thhnth.exe117⤵PID:3024
-
\??\c:\nhhhnb.exec:\nhhhnb.exe118⤵PID:1140
-
\??\c:\vpdvj.exec:\vpdvj.exe119⤵PID:1928
-
\??\c:\pvppd.exec:\pvppd.exe120⤵PID:1640
-
\??\c:\fllrlxr.exec:\fllrlxr.exe121⤵PID:1668
-
\??\c:\bttbtb.exec:\bttbtb.exe122⤵PID:2964