Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe
-
Size
454KB
-
MD5
eb49d564f56ee1bfb2e565d14bdc1170
-
SHA1
b31cd2d75517e4eaa1a11f0183c2a6953f4f9d52
-
SHA256
833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8
-
SHA512
61fb7ba092c82c6c77c9102d9aeb5c712e2322561018ecf335856fb292a832568b35626eb5240adceb77f35933a79761fbd01bd8222a17862d22d39a09fd62b6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2524-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-123-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2992-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-143-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1904-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-163-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1424-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-180-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2448-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-221-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2300-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-283-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/892-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-347-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2672-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/356-435-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1524-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-533-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1732-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-549-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1504-560-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2336-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-609-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1708-665-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/380-730-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2104-985-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2004-998-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1504-1113-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2496 3vddv.exe 2316 rllffxx.exe 1616 pjvvv.exe 2056 frxrrll.exe 1920 nhthnn.exe 2800 thhbbt.exe 2156 dpddd.exe 2900 xfrrlll.exe 2804 vpvpp.exe 2840 pdpdd.exe 2688 ntthnh.exe 2992 7tnnhh.exe 1488 1dppj.exe 1968 lffllrx.exe 1904 jvdjj.exe 1284 vdvjv.exe 1340 5xrrrrf.exe 1424 3dddj.exe 2012 vjpjj.exe 1776 1rxllxr.exe 2448 rlrrrrx.exe 1848 tnbhhb.exe 448 frxxlll.exe 1948 nthbtt.exe 800 dvjvv.exe 1960 ffrflrf.exe 2300 tnbntt.exe 2952 7jppv.exe 2320 ththht.exe 892 jpjdj.exe 2492 rlxrrxr.exe 2488 7jpvd.exe 1812 tntbbb.exe 2316 1pjjj.exe 1864 lrxrrlr.exe 2988 1lxxfff.exe 2716 vpvvd.exe 1920 7xrrflx.exe 2660 3xxfflx.exe 2768 bbnbhh.exe 2672 5pppv.exe 2684 rlfllrf.exe 2572 9frrrxf.exe 2564 hhhntt.exe 2620 dvpvj.exe 1972 jddjv.exe 2292 fflrxfl.exe 1784 7thnhh.exe 1180 dvvvd.exe 1968 vjpjv.exe 356 lfrffxr.exe 1548 3htbnn.exe 1524 3dppd.exe 1952 dpddj.exe 2556 xrfxffl.exe 1160 7lrllfl.exe 2192 9tnntt.exe 2208 3pjpp.exe 2432 pjvvd.exe 860 xxxxrxl.exe 2168 btbhhb.exe 1996 vvvjv.exe 1336 pjvvv.exe 960 lfxllrx.exe -
resource yara_rule behavioral1/memory/2524-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-283-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/892-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2672-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-560-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2336-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-873-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2188-930-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-998-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2432-1023-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-1105-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2496 2524 833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe 30 PID 2524 wrote to memory of 2496 2524 833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe 30 PID 2524 wrote to memory of 2496 2524 833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe 30 PID 2524 wrote to memory of 2496 2524 833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe 30 PID 2496 wrote to memory of 2316 2496 3vddv.exe 31 PID 2496 wrote to memory of 2316 2496 3vddv.exe 31 PID 2496 wrote to memory of 2316 2496 3vddv.exe 31 PID 2496 wrote to memory of 2316 2496 3vddv.exe 31 PID 2316 wrote to memory of 1616 2316 rllffxx.exe 32 PID 2316 wrote to memory of 1616 2316 rllffxx.exe 32 PID 2316 wrote to memory of 1616 2316 rllffxx.exe 32 PID 2316 wrote to memory of 1616 2316 rllffxx.exe 32 PID 1616 wrote to memory of 2056 1616 pjvvv.exe 33 PID 1616 wrote to memory of 2056 1616 pjvvv.exe 33 PID 1616 wrote to memory of 2056 1616 pjvvv.exe 33 PID 1616 wrote to memory of 2056 1616 pjvvv.exe 33 PID 2056 wrote to memory of 1920 2056 frxrrll.exe 34 PID 2056 wrote to memory of 1920 2056 frxrrll.exe 34 PID 2056 wrote to memory of 1920 2056 frxrrll.exe 34 PID 2056 wrote to memory of 1920 2056 frxrrll.exe 34 PID 1920 wrote to memory of 2800 1920 nhthnn.exe 35 PID 1920 wrote to memory of 2800 1920 nhthnn.exe 35 PID 1920 wrote to memory of 2800 1920 nhthnn.exe 35 PID 1920 wrote to memory of 2800 1920 nhthnn.exe 35 PID 2800 wrote to memory of 2156 2800 thhbbt.exe 36 PID 2800 wrote to memory of 2156 2800 thhbbt.exe 36 PID 2800 wrote to memory of 2156 2800 thhbbt.exe 36 PID 2800 wrote to memory of 2156 2800 thhbbt.exe 36 PID 2156 wrote to memory of 2900 2156 dpddd.exe 37 PID 2156 wrote to memory of 2900 2156 dpddd.exe 37 PID 2156 wrote to memory of 2900 2156 dpddd.exe 37 PID 2156 wrote to memory of 2900 2156 dpddd.exe 37 PID 2900 wrote to memory of 2804 2900 xfrrlll.exe 38 PID 2900 
wrote to memory of 2804 2900 xfrrlll.exe 38 PID 2900 wrote to memory of 2804 2900 xfrrlll.exe 38 PID 2900 wrote to memory of 2804 2900 xfrrlll.exe 38 PID 2804 wrote to memory of 2840 2804 vpvpp.exe 39 PID 2804 wrote to memory of 2840 2804 vpvpp.exe 39 PID 2804 wrote to memory of 2840 2804 vpvpp.exe 39 PID 2804 wrote to memory of 2840 2804 vpvpp.exe 39 PID 2840 wrote to memory of 2688 2840 pdpdd.exe 40 PID 2840 wrote to memory of 2688 2840 pdpdd.exe 40 PID 2840 wrote to memory of 2688 2840 pdpdd.exe 40 PID 2840 wrote to memory of 2688 2840 pdpdd.exe 40 PID 2688 wrote to memory of 2992 2688 ntthnh.exe 41 PID 2688 wrote to memory of 2992 2688 ntthnh.exe 41 PID 2688 wrote to memory of 2992 2688 ntthnh.exe 41 PID 2688 wrote to memory of 2992 2688 ntthnh.exe 41 PID 2992 wrote to memory of 1488 2992 7tnnhh.exe 42 PID 2992 wrote to memory of 1488 2992 7tnnhh.exe 42 PID 2992 wrote to memory of 1488 2992 7tnnhh.exe 42 PID 2992 wrote to memory of 1488 2992 7tnnhh.exe 42 PID 1488 wrote to memory of 1968 1488 1dppj.exe 43 PID 1488 wrote to memory of 1968 1488 1dppj.exe 43 PID 1488 wrote to memory of 1968 1488 1dppj.exe 43 PID 1488 wrote to memory of 1968 1488 1dppj.exe 43 PID 1968 wrote to memory of 1904 1968 lffllrx.exe 44 PID 1968 wrote to memory of 1904 1968 lffllrx.exe 44 PID 1968 wrote to memory of 1904 1968 lffllrx.exe 44 PID 1968 wrote to memory of 1904 1968 lffllrx.exe 44 PID 1904 wrote to memory of 1284 1904 jvdjj.exe 45 PID 1904 wrote to memory of 1284 1904 jvdjj.exe 45 PID 1904 wrote to memory of 1284 1904 jvdjj.exe 45 PID 1904 wrote to memory of 1284 1904 jvdjj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe"C:\Users\Admin\AppData\Local\Temp\833f637dbbadf4989ceb10085240016054914c342d788290afe78c12f07379c8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\3vddv.exec:\3vddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\rllffxx.exec:\rllffxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\pjvvv.exec:\pjvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\frxrrll.exec:\frxrrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\nhthnn.exec:\nhthnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\thhbbt.exec:\thhbbt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\dpddd.exec:\dpddd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\xfrrlll.exec:\xfrrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\vpvpp.exec:\vpvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pdpdd.exec:\pdpdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\ntthnh.exec:\ntthnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\7tnnhh.exec:\7tnnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\1dppj.exec:\1dppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\lffllrx.exec:\lffllrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\jvdjj.exec:\jvdjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\vdvjv.exec:\vdvjv.exe17⤵
- Executes dropped EXE
PID:1284 -
\??\c:\5xrrrrf.exec:\5xrrrrf.exe18⤵
- Executes dropped EXE
PID:1340 -
\??\c:\3dddj.exec:\3dddj.exe19⤵
- Executes dropped EXE
PID:1424 -
\??\c:\vjpjj.exec:\vjpjj.exe20⤵
- Executes dropped EXE
PID:2012 -
\??\c:\1rxllxr.exec:\1rxllxr.exe21⤵
- Executes dropped EXE
PID:1776 -
\??\c:\rlrrrrx.exec:\rlrrrrx.exe22⤵
- Executes dropped EXE
PID:2448 -
\??\c:\tnbhhb.exec:\tnbhhb.exe23⤵
- Executes dropped EXE
PID:1848 -
\??\c:\frxxlll.exec:\frxxlll.exe24⤵
- Executes dropped EXE
PID:448 -
\??\c:\nthbtt.exec:\nthbtt.exe25⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dvjvv.exec:\dvjvv.exe26⤵
- Executes dropped EXE
PID:800 -
\??\c:\ffrflrf.exec:\ffrflrf.exe27⤵
- Executes dropped EXE
PID:1960 -
\??\c:\tnbntt.exec:\tnbntt.exe28⤵
- Executes dropped EXE
PID:2300 -
\??\c:\7jppv.exec:\7jppv.exe29⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ththht.exec:\ththht.exe30⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jpjdj.exec:\jpjdj.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\rlxrrxr.exec:\rlxrrxr.exe32⤵
- Executes dropped EXE
PID:2492 -
\??\c:\7jpvd.exec:\7jpvd.exe33⤵
- Executes dropped EXE
PID:2488 -
\??\c:\tntbbb.exec:\tntbbb.exe34⤵
- Executes dropped EXE
PID:1812 -
\??\c:\1pjjj.exec:\1pjjj.exe35⤵
- Executes dropped EXE
PID:2316 -
\??\c:\lrxrrlr.exec:\lrxrrlr.exe36⤵
- Executes dropped EXE
PID:1864 -
\??\c:\1lxxfff.exec:\1lxxfff.exe37⤵
- Executes dropped EXE
PID:2988 -
\??\c:\vpvvd.exec:\vpvvd.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\7xrrflx.exec:\7xrrflx.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
\??\c:\3xxfflx.exec:\3xxfflx.exe40⤵
- Executes dropped EXE
PID:2660 -
\??\c:\bbnbhh.exec:\bbnbhh.exe41⤵
- Executes dropped EXE
PID:2768 -
\??\c:\5pppv.exec:\5pppv.exe42⤵
- Executes dropped EXE
PID:2672 -
\??\c:\rlfllrf.exec:\rlfllrf.exe43⤵
- Executes dropped EXE
PID:2684 -
\??\c:\9frrrxf.exec:\9frrrxf.exe44⤵
- Executes dropped EXE
PID:2572 -
\??\c:\hhhntt.exec:\hhhntt.exe45⤵
- Executes dropped EXE
PID:2564 -
\??\c:\dvpvj.exec:\dvpvj.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\jddjv.exec:\jddjv.exe47⤵
- Executes dropped EXE
PID:1972 -
\??\c:\fflrxfl.exec:\fflrxfl.exe48⤵
- Executes dropped EXE
PID:2292 -
\??\c:\7thnhh.exec:\7thnhh.exe49⤵
- Executes dropped EXE
PID:1784 -
\??\c:\dvvvd.exec:\dvvvd.exe50⤵
- Executes dropped EXE
PID:1180 -
\??\c:\vjpjv.exec:\vjpjv.exe51⤵
- Executes dropped EXE
PID:1968 -
\??\c:\lfrffxr.exec:\lfrffxr.exe52⤵
- Executes dropped EXE
PID:356 -
\??\c:\3htbnn.exec:\3htbnn.exe53⤵
- Executes dropped EXE
PID:1548 -
\??\c:\3dppd.exec:\3dppd.exe54⤵
- Executes dropped EXE
PID:1524 -
\??\c:\dpddj.exec:\dpddj.exe55⤵
- Executes dropped EXE
PID:1952 -
\??\c:\xrfxffl.exec:\xrfxffl.exe56⤵
- Executes dropped EXE
PID:2556 -
\??\c:\7lrllfl.exec:\7lrllfl.exe57⤵
- Executes dropped EXE
PID:1160 -
\??\c:\9tnntt.exec:\9tnntt.exe58⤵
- Executes dropped EXE
PID:2192 -
\??\c:\3pjpp.exec:\3pjpp.exe59⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pjvvd.exec:\pjvvd.exe60⤵
- Executes dropped EXE
PID:2432 -
\??\c:\xxxxrxl.exec:\xxxxrxl.exe61⤵
- Executes dropped EXE
PID:860 -
\??\c:\btbhhb.exec:\btbhhb.exe62⤵
- Executes dropped EXE
PID:2168 -
\??\c:\vvvjv.exec:\vvvjv.exe63⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pjvvv.exec:\pjvvv.exe64⤵
- Executes dropped EXE
PID:1336 -
\??\c:\lfxllrx.exec:\lfxllrx.exe65⤵
- Executes dropped EXE
PID:960 -
\??\c:\9flxrxf.exec:\9flxrxf.exe66⤵PID:616
-
\??\c:\tnnhnn.exec:\tnnhnn.exe67⤵PID:2936
-
\??\c:\7ppjp.exec:\7ppjp.exe68⤵PID:1804
-
\??\c:\pjvvd.exec:\pjvvd.exe69⤵PID:1732
-
\??\c:\rfrrllx.exec:\rfrrllx.exe70⤵PID:2952
-
\??\c:\hhbhhn.exec:\hhbhhn.exe71⤵PID:1504
-
\??\c:\9htnnh.exec:\9htnnh.exe72⤵PID:892
-
\??\c:\dpdvd.exec:\dpdvd.exe73⤵PID:2520
-
\??\c:\fxllxxx.exec:\fxllxxx.exe74⤵PID:2516
-
\??\c:\nhntbb.exec:\nhntbb.exe75⤵PID:2336
-
\??\c:\nhnntn.exec:\nhnntn.exe76⤵PID:2240
-
\??\c:\1pddd.exec:\1pddd.exe77⤵PID:2316
-
\??\c:\pdjdd.exec:\pdjdd.exe78⤵PID:2236
-
\??\c:\5ffxxxx.exec:\5ffxxxx.exe79⤵PID:2988
-
\??\c:\nbnbhb.exec:\nbnbhb.exe80⤵PID:2720
-
\??\c:\7btbhh.exec:\7btbhh.exe81⤵PID:1920
-
\??\c:\5jpjj.exec:\5jpjj.exe82⤵PID:2848
-
\??\c:\xrfrxff.exec:\xrfrxff.exe83⤵PID:2712
-
\??\c:\tnhnbt.exec:\tnhnbt.exe84⤵
- System Location Discovery: System Language Discovery
PID:2672 -
\??\c:\btnntt.exec:\btnntt.exe85⤵PID:2792
-
\??\c:\ppdjp.exec:\ppdjp.exe86⤵PID:2744
-
\??\c:\7dpjj.exec:\7dpjj.exe87⤵PID:2580
-
\??\c:\xlxxfff.exec:\xlxxfff.exe88⤵PID:1708
-
\??\c:\nhttbt.exec:\nhttbt.exe89⤵PID:1956
-
\??\c:\1hbhhb.exec:\1hbhhb.exe90⤵PID:1560
-
\??\c:\pjjjd.exec:\pjjjd.exe91⤵PID:1308
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe92⤵PID:1660
-
\??\c:\xxlrrlr.exec:\xxlrrlr.exe93⤵PID:2272
-
\??\c:\1tthnh.exec:\1tthnh.exe94⤵PID:1968
-
\??\c:\jdvvd.exec:\jdvvd.exe95⤵PID:380
-
\??\c:\ddjdd.exec:\ddjdd.exe96⤵PID:2020
-
\??\c:\xxlfllr.exec:\xxlfllr.exe97⤵PID:1756
-
\??\c:\htbbbt.exec:\htbbbt.exe98⤵PID:1424
-
\??\c:\5httbt.exec:\5httbt.exe99⤵PID:1688
-
\??\c:\vpppv.exec:\vpppv.exe100⤵PID:2176
-
\??\c:\1xrrrxf.exec:\1xrrrxf.exe101⤵PID:2876
-
\??\c:\xrrrxxf.exec:\xrrrxxf.exe102⤵PID:2864
-
\??\c:\bnbbhh.exec:\bnbbhh.exe103⤵PID:1132
-
\??\c:\hbbhbb.exec:\hbbhbb.exe104⤵PID:2608
-
\??\c:\7jdpv.exec:\7jdpv.exe105⤵PID:844
-
\??\c:\5rrxrxf.exec:\5rrxrxf.exe106⤵PID:848
-
\??\c:\btnnbb.exec:\btnnbb.exe107⤵PID:1236
-
\??\c:\tnbhnn.exec:\tnbhnn.exe108⤵PID:2216
-
\??\c:\dvjpv.exec:\dvjpv.exe109⤵PID:1544
-
\??\c:\5xlrflr.exec:\5xlrflr.exe110⤵PID:1788
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe111⤵PID:2964
-
\??\c:\hnbhtb.exec:\hnbhtb.exe112⤵PID:2252
-
\??\c:\nhnntb.exec:\nhnntb.exe113⤵PID:2400
-
\??\c:\5dpjj.exec:\5dpjj.exe114⤵PID:3028
-
\??\c:\xrffrrx.exec:\xrffrrx.exe115⤵PID:1504
-
\??\c:\1rfflll.exec:\1rfflll.exe116⤵PID:892
-
\??\c:\9nbtnn.exec:\9nbtnn.exe117⤵PID:1600
-
\??\c:\1jdvv.exec:\1jdvv.exe118⤵PID:2488
-
\??\c:\jdjjj.exec:\jdjjj.exe119⤵PID:2336
-
\??\c:\frffxxf.exec:\frffxxf.exe120⤵PID:2380
-
\??\c:\thbbbb.exec:\thbbbb.exe121⤵PID:2316
-
\??\c:\tbttnh.exec:\tbttnh.exe122⤵PID:2236