Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe
-
Size
453KB
-
MD5
6970d935b0d800e8d0a00d30cf021eb0
-
SHA1
1ddaac56e6874df4aac106ab5340b50bb51b95af
-
SHA256
75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98ee
-
SHA512
a0ac5bbc37903378763adfc4fd77785e6292cbf7969ba1734b66e3e6f570af972c5ca7a8bb6964bc16791649efb2c4ad8974a303c15ce0da23c4acec5e656ae9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3576-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2024-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2300-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-955-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-1122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5080 7pvpd.exe 3216 dpdpp.exe 3868 nthtnh.exe 2724 hbbttt.exe 2300 ddppp.exe 2152 xlfrfxl.exe 5068 btbttt.exe 2096 7jppd.exe 3648 xfffxrr.exe 4560 9lfxlxr.exe 1068 bnnnhb.exe 4768 vjpjd.exe 2012 pppjd.exe 4172 fflfxxr.exe 1220 hntnhb.exe 1656 vjvjp.exe 2172 1jjdp.exe 3728 lxlxrrr.exe 2440 3bntbn.exe 3180 7ppjv.exe 4800 ddjpd.exe 4516 7rlfxxr.exe 4868 bnnthn.exe 3916 1dvpj.exe 1392 7xfxffx.exe 4860 1lllffx.exe 4220 3tbtnn.exe 2544 7pvjd.exe 3344 rllxrrl.exe 392 fllfxxx.exe 412 nhhthb.exe 4884 1djvp.exe 3424 rrxxrlf.exe 3596 llxxxff.exe 3336 bnthnb.exe 4660 pjjdv.exe 4688 flflrlr.exe 516 nhhbtt.exe 3772 tbhbtn.exe 428 vjpjd.exe 2024 rlfrlfr.exe 2080 hbbtnh.exe 1712 1fxrlfx.exe 2920 3tntht.exe 1216 9ddpj.exe 3388 dvjvj.exe 4496 7rlfxrx.exe 3688 nbhnbb.exe 1596 bnnbth.exe 3084 vvpjd.exe 3444 3lxfrlx.exe 3152 3lfrflx.exe 2260 ntnbhb.exe 2696 5jjdp.exe 4416 1dvjv.exe 1992 lrrlrlx.exe 4268 htthth.exe 4968 httnhb.exe 912 ddjvp.exe 4832 xfxrlxl.exe 4768 xrxlxrf.exe 2012 nhbnhh.exe 4700 1ddpd.exe 1336 dvdpj.exe -
resource yara_rule behavioral2/memory/3576-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-200-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3336-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/624-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-800-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host; here the sample reads the NLS\Language registry key listed in the IoCs below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3576 wrote to memory of 5080 3576 75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe 82 PID 3576 wrote to memory of 5080 3576 75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe 82 PID 3576 wrote to memory of 5080 3576 75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe 82 PID 5080 wrote to memory of 3216 5080 7pvpd.exe 83 PID 5080 wrote to memory of 3216 5080 7pvpd.exe 83 PID 5080 wrote to memory of 3216 5080 7pvpd.exe 83 PID 3216 wrote to memory of 3868 3216 dpdpp.exe 84 PID 3216 wrote to memory of 3868 3216 dpdpp.exe 84 PID 3216 wrote to memory of 3868 3216 dpdpp.exe 84 PID 3868 wrote to memory of 2724 3868 nthtnh.exe 85 PID 3868 wrote to memory of 2724 3868 nthtnh.exe 85 PID 3868 wrote to memory of 2724 3868 nthtnh.exe 85 PID 2724 wrote to memory of 2300 2724 hbbttt.exe 86 PID 2724 wrote to memory of 2300 2724 hbbttt.exe 86 PID 2724 wrote to memory of 2300 2724 hbbttt.exe 86 PID 2300 wrote to memory of 2152 2300 ddppp.exe 87 PID 2300 wrote to memory of 2152 2300 ddppp.exe 87 PID 2300 wrote to memory of 2152 2300 ddppp.exe 87 PID 2152 wrote to memory of 5068 2152 xlfrfxl.exe 88 PID 2152 wrote to memory of 5068 2152 xlfrfxl.exe 88 PID 2152 wrote to memory of 5068 2152 xlfrfxl.exe 88 PID 5068 wrote to memory of 2096 5068 btbttt.exe 89 PID 5068 wrote to memory of 2096 5068 btbttt.exe 89 PID 5068 wrote to memory of 2096 5068 btbttt.exe 89 PID 2096 wrote to memory of 3648 2096 7jppd.exe 90 PID 2096 wrote to memory of 3648 2096 7jppd.exe 90 PID 2096 wrote to memory of 3648 2096 7jppd.exe 90 PID 3648 wrote to memory of 4560 3648 xfffxrr.exe 91 PID 3648 wrote to memory of 4560 3648 xfffxrr.exe 91 PID 3648 wrote to memory of 4560 3648 xfffxrr.exe 91 PID 4560 wrote to memory of 1068 4560 9lfxlxr.exe 92 PID 4560 wrote to memory of 1068 4560 9lfxlxr.exe 92 PID 4560 wrote to memory of 1068 4560 9lfxlxr.exe 92 PID 1068 wrote to memory of 4768 1068 bnnnhb.exe 93 PID 1068 wrote to 
memory of 4768 1068 bnnnhb.exe 93 PID 1068 wrote to memory of 4768 1068 bnnnhb.exe 93 PID 4768 wrote to memory of 2012 4768 vjpjd.exe 143 PID 4768 wrote to memory of 2012 4768 vjpjd.exe 143 PID 4768 wrote to memory of 2012 4768 vjpjd.exe 143 PID 2012 wrote to memory of 4172 2012 pppjd.exe 95 PID 2012 wrote to memory of 4172 2012 pppjd.exe 95 PID 2012 wrote to memory of 4172 2012 pppjd.exe 95 PID 4172 wrote to memory of 1220 4172 fflfxxr.exe 96 PID 4172 wrote to memory of 1220 4172 fflfxxr.exe 96 PID 4172 wrote to memory of 1220 4172 fflfxxr.exe 96 PID 1220 wrote to memory of 1656 1220 hntnhb.exe 97 PID 1220 wrote to memory of 1656 1220 hntnhb.exe 97 PID 1220 wrote to memory of 1656 1220 hntnhb.exe 97 PID 1656 wrote to memory of 2172 1656 vjvjp.exe 98 PID 1656 wrote to memory of 2172 1656 vjvjp.exe 98 PID 1656 wrote to memory of 2172 1656 vjvjp.exe 98 PID 2172 wrote to memory of 3728 2172 1jjdp.exe 99 PID 2172 wrote to memory of 3728 2172 1jjdp.exe 99 PID 2172 wrote to memory of 3728 2172 1jjdp.exe 99 PID 3728 wrote to memory of 2440 3728 lxlxrrr.exe 100 PID 3728 wrote to memory of 2440 3728 lxlxrrr.exe 100 PID 3728 wrote to memory of 2440 3728 lxlxrrr.exe 100 PID 2440 wrote to memory of 3180 2440 3bntbn.exe 101 PID 2440 wrote to memory of 3180 2440 3bntbn.exe 101 PID 2440 wrote to memory of 3180 2440 3bntbn.exe 101 PID 3180 wrote to memory of 4800 3180 7ppjv.exe 102 PID 3180 wrote to memory of 4800 3180 7ppjv.exe 102 PID 3180 wrote to memory of 4800 3180 7ppjv.exe 102 PID 4800 wrote to memory of 4516 4800 ddjpd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe"C:\Users\Admin\AppData\Local\Temp\75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\7pvpd.exec:\7pvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\dpdpp.exec:\dpdpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\nthtnh.exec:\nthtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\hbbttt.exec:\hbbttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\ddppp.exec:\ddppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\btbttt.exec:\btbttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\7jppd.exec:\7jppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\xfffxrr.exec:\xfffxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\9lfxlxr.exec:\9lfxlxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\bnnnhb.exec:\bnnnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\vjpjd.exec:\vjpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\pppjd.exec:\pppjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\fflfxxr.exec:\fflfxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\hntnhb.exec:\hntnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\vjvjp.exec:\vjvjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\1jjdp.exec:\1jjdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\lxlxrrr.exec:\lxlxrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\3bntbn.exec:\3bntbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\7ppjv.exec:\7ppjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\ddjpd.exec:\ddjpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\7rlfxxr.exec:\7rlfxxr.exe23⤵
- Executes dropped EXE
PID:4516 -
\??\c:\bnnthn.exec:\bnnthn.exe24⤵
- Executes dropped EXE
PID:4868 -
\??\c:\1dvpj.exec:\1dvpj.exe25⤵
- Executes dropped EXE
PID:3916 -
\??\c:\7xfxffx.exec:\7xfxffx.exe26⤵
- Executes dropped EXE
PID:1392 -
\??\c:\1lllffx.exec:\1lllffx.exe27⤵
- Executes dropped EXE
PID:4860 -
\??\c:\3tbtnn.exec:\3tbtnn.exe28⤵
- Executes dropped EXE
PID:4220 -
\??\c:\7pvjd.exec:\7pvjd.exe29⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rllxrrl.exec:\rllxrrl.exe30⤵
- Executes dropped EXE
PID:3344 -
\??\c:\fllfxxx.exec:\fllfxxx.exe31⤵
- Executes dropped EXE
PID:392 -
\??\c:\nhhthb.exec:\nhhthb.exe32⤵
- Executes dropped EXE
PID:412 -
\??\c:\1djvp.exec:\1djvp.exe33⤵
- Executes dropped EXE
PID:4884 -
\??\c:\rrxxrlf.exec:\rrxxrlf.exe34⤵
- Executes dropped EXE
PID:3424 -
\??\c:\llxxxff.exec:\llxxxff.exe35⤵
- Executes dropped EXE
PID:3596 -
\??\c:\bnthnb.exec:\bnthnb.exe36⤵
- Executes dropped EXE
PID:3336 -
\??\c:\pjjdv.exec:\pjjdv.exe37⤵
- Executes dropped EXE
PID:4660 -
\??\c:\flflrlr.exec:\flflrlr.exe38⤵
- Executes dropped EXE
PID:4688 -
\??\c:\nhhbtt.exec:\nhhbtt.exe39⤵
- Executes dropped EXE
PID:516 -
\??\c:\tbhbtn.exec:\tbhbtn.exe40⤵
- Executes dropped EXE
PID:3772 -
\??\c:\vjpjd.exec:\vjpjd.exe41⤵
- Executes dropped EXE
PID:428 -
\??\c:\rlfrlfr.exec:\rlfrlfr.exe42⤵
- Executes dropped EXE
PID:2024 -
\??\c:\hbbtnh.exec:\hbbtnh.exe43⤵
- Executes dropped EXE
PID:2080 -
\??\c:\1fxrlfx.exec:\1fxrlfx.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
\??\c:\3tntht.exec:\3tntht.exe45⤵
- Executes dropped EXE
PID:2920 -
\??\c:\9ddpj.exec:\9ddpj.exe46⤵
- Executes dropped EXE
PID:1216 -
\??\c:\dvjvj.exec:\dvjvj.exe47⤵
- Executes dropped EXE
PID:3388 -
\??\c:\7rlfxrx.exec:\7rlfxrx.exe48⤵
- Executes dropped EXE
PID:4496 -
\??\c:\nbhnbb.exec:\nbhnbb.exe49⤵
- Executes dropped EXE
PID:3688 -
\??\c:\bnnbth.exec:\bnnbth.exe50⤵
- Executes dropped EXE
PID:1596 -
\??\c:\vvpjd.exec:\vvpjd.exe51⤵
- Executes dropped EXE
PID:3084 -
\??\c:\3lxfrlx.exec:\3lxfrlx.exe52⤵
- Executes dropped EXE
PID:3444 -
\??\c:\3lfrflx.exec:\3lfrflx.exe53⤵
- Executes dropped EXE
PID:3152 -
\??\c:\ntnbhb.exec:\ntnbhb.exe54⤵
- Executes dropped EXE
PID:2260 -
\??\c:\5jjdp.exec:\5jjdp.exe55⤵
- Executes dropped EXE
PID:2696 -
\??\c:\1dvjv.exec:\1dvjv.exe56⤵
- Executes dropped EXE
PID:4416 -
\??\c:\lrrlrlx.exec:\lrrlrlx.exe57⤵
- Executes dropped EXE
PID:1992 -
\??\c:\htthth.exec:\htthth.exe58⤵
- Executes dropped EXE
PID:4268 -
\??\c:\httnhb.exec:\httnhb.exe59⤵
- Executes dropped EXE
PID:4968 -
\??\c:\ddjvp.exec:\ddjvp.exe60⤵
- Executes dropped EXE
PID:912 -
\??\c:\xfxrlxl.exec:\xfxrlxl.exe61⤵
- Executes dropped EXE
PID:4832 -
\??\c:\xrxlxrf.exec:\xrxlxrf.exe62⤵
- Executes dropped EXE
PID:4768 -
\??\c:\nhbnhh.exec:\nhbnhh.exe63⤵
- Executes dropped EXE
PID:2012 -
\??\c:\1ddpd.exec:\1ddpd.exe64⤵
- Executes dropped EXE
PID:4700 -
\??\c:\dvdpj.exec:\dvdpj.exe65⤵
- Executes dropped EXE
PID:1336 -
\??\c:\1nhthn.exec:\1nhthn.exe66⤵PID:3468
-
\??\c:\jpvpj.exec:\jpvpj.exe67⤵PID:4104
-
\??\c:\1rlfrlf.exec:\1rlfrlf.exe68⤵PID:1148
-
\??\c:\tnnbnh.exec:\tnnbnh.exe69⤵PID:4232
-
\??\c:\ddjjd.exec:\ddjjd.exe70⤵PID:692
-
\??\c:\tnbtnh.exec:\tnbtnh.exe71⤵PID:3716
-
\??\c:\pdjvd.exec:\pdjvd.exe72⤵PID:5096
-
\??\c:\vjpjv.exec:\vjpjv.exe73⤵PID:1612
-
\??\c:\xrrrllf.exec:\xrrrllf.exe74⤵PID:4988
-
\??\c:\htbttn.exec:\htbttn.exe75⤵PID:2664
-
\??\c:\nnbbhh.exec:\nnbbhh.exe76⤵PID:932
-
\??\c:\pjdpd.exec:\pjdpd.exe77⤵PID:3232
-
\??\c:\flrlxrf.exec:\flrlxrf.exe78⤵PID:624
-
\??\c:\nbbtnh.exec:\nbbtnh.exe79⤵PID:2060
-
\??\c:\5dpjj.exec:\5dpjj.exe80⤵PID:412
-
\??\c:\lllfxrl.exec:\lllfxrl.exe81⤵PID:4884
-
\??\c:\nbbbbb.exec:\nbbbbb.exe82⤵PID:1232
-
\??\c:\jvpdv.exec:\jvpdv.exe83⤵PID:3096
-
\??\c:\hbhtht.exec:\hbhtht.exe84⤵PID:3448
-
\??\c:\pvdvp.exec:\pvdvp.exe85⤵PID:3732
-
\??\c:\xlrlrfr.exec:\xlrlrfr.exe86⤵PID:4092
-
\??\c:\thhbtn.exec:\thhbtn.exe87⤵PID:3772
-
\??\c:\vvdvp.exec:\vvdvp.exe88⤵PID:428
-
\??\c:\rffrfrf.exec:\rffrfrf.exe89⤵PID:4944
-
\??\c:\bthhnh.exec:\bthhnh.exe90⤵PID:3972
-
\??\c:\jjdjj.exec:\jjdjj.exe91⤵PID:3312
-
\??\c:\1rlrflf.exec:\1rlrflf.exe92⤵PID:4368
-
\??\c:\nhtnhb.exec:\nhtnhb.exe93⤵PID:4484
-
\??\c:\llrxxlf.exec:\llrxxlf.exe94⤵PID:4488
-
\??\c:\xxflrlr.exec:\xxflrlr.exe95⤵PID:452
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe96⤵PID:4496
-
\??\c:\tbbtnn.exec:\tbbtnn.exe97⤵PID:3576
-
\??\c:\frlllxf.exec:\frlllxf.exe98⤵PID:1596
-
\??\c:\fflffxx.exec:\fflffxx.exe99⤵PID:3084
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe100⤵PID:4600
-
\??\c:\3rxrrrl.exec:\3rxrrrl.exe101⤵PID:1916
-
\??\c:\nntnhn.exec:\nntnhn.exe102⤵PID:636
-
\??\c:\nbbtnb.exec:\nbbtnb.exe103⤵PID:4056
-
\??\c:\jvjvd.exec:\jvjvd.exe104⤵PID:3128
-
\??\c:\3ffxxxr.exec:\3ffxxxr.exe105⤵PID:4808
-
\??\c:\tnnhbt.exec:\tnnhbt.exe106⤵PID:5104
-
\??\c:\tnhbtt.exec:\tnhbtt.exe107⤵PID:1012
-
\??\c:\vdvjd.exec:\vdvjd.exe108⤵PID:1992
-
\??\c:\7llfffx.exec:\7llfffx.exe109⤵PID:4248
-
\??\c:\3lfxrll.exec:\3lfxrll.exe110⤵PID:5016
-
\??\c:\nnnhhh.exec:\nnnhhh.exe111⤵PID:4084
-
\??\c:\dvvpj.exec:\dvvpj.exe112⤵PID:4684
-
\??\c:\jvjdv.exec:\jvjdv.exe113⤵PID:1928
-
\??\c:\9flfxxr.exec:\9flfxxr.exe114⤵
- System Location Discovery: System Language Discovery
PID:4080 -
\??\c:\thnbhh.exec:\thnbhh.exe115⤵PID:1300
-
\??\c:\nhtnbb.exec:\nhtnbb.exe116⤵PID:5012
-
\??\c:\pjjjd.exec:\pjjjd.exe117⤵PID:3792
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe118⤵PID:3028
-
\??\c:\5bnhhn.exec:\5bnhhn.exe119⤵PID:1032
-
\??\c:\jpvpd.exec:\jpvpd.exe120⤵PID:3956
-
\??\c:\lrxrffr.exec:\lrxrffr.exe121⤵PID:2248
-
\??\c:\xxlfxlf.exec:\xxlfxlf.exe122⤵PID:3056