Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6N.exe
-
Size
454KB
-
MD5
771da170f23dba886528cc3a03963340
-
SHA1
91bf98d83f4328c2d300059af58cbc33bc2bf164
-
SHA256
75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6
-
SHA512
5383160e325fcab7eb81ad35daac2727cc3eec6c3705d71ac487b97cfea61cf0c11d4d15bb7670457b186d5aa8ea5828b68078166f74b1a9ac13d382068295a3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeOo:q7Tc2NYHUrAwfMp3CDOo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3828-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4412-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1712-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-1474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-1644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-1672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1164 9vdvv.exe 5008 nhhttn.exe 5036 dddjp.exe 532 btbbtt.exe 3652 xrllrff.exe 4328 vdjjd.exe 2320 bbbhnn.exe 1068 hbhhtt.exe 2240 bntttt.exe 404 rxlrlrr.exe 320 bbtntt.exe 1732 rrlfxxl.exe 1712 bbbhhh.exe 316 nntnnt.exe 348 ddjjj.exe 3936 frxxxff.exe 720 hbhbbb.exe 4708 pvjjv.exe 3024 fxlllll.exe 2700 tnbbtt.exe 2656 jdppj.exe 1984 hbhnhn.exe 3432 vvvvv.exe 4412 fxfffrr.exe 3800 pjpvv.exe 624 3pppj.exe 4112 nhhbnh.exe 2368 9vvpd.exe 3984 djjdp.exe 4184 3bbnhh.exe 4688 dppjd.exe 2236 hbnhtb.exe 3708 rlrrlll.exe 1428 djvpj.exe 4352 vvppj.exe 836 rrfxrrr.exe 808 hbttbb.exe 4836 dvpvj.exe 1696 dppjd.exe 1508 rrlrffl.exe 4216 nhnhbt.exe 1896 jjpjd.exe 1960 pjvpj.exe 4236 7lrxrrl.exe 3460 nbbttn.exe 2388 ddddp.exe 3884 5lrrrrr.exe 3892 hntthh.exe 1524 jjjvv.exe 1680 xxlffrr.exe 2816 rxllrlf.exe 2972 bbtntb.exe 3004 7vvjj.exe 1484 lrfffll.exe 4640 lffffxx.exe 3176 9hbtnh.exe 4580 dpppj.exe 2052 nhtnnn.exe 4020 5dvvv.exe 4328 pjvvd.exe 4396 fxlflff.exe 3504 tbtthh.exe 1624 dddvv.exe 3412 9rffrrl.exe -
resource yara_rule behavioral2/memory/3828-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4412-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4164-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-1248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-1474-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3828 wrote to memory of 1164 3828 75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6N.exe 83 PID 3828 wrote to memory of 1164 3828 75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6N.exe 83 PID 3828 wrote to memory of 1164 3828 75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6N.exe 83 PID 1164 wrote to memory of 5008 1164 9vdvv.exe 84 PID 1164 wrote to memory of 5008 1164 9vdvv.exe 84 PID 1164 wrote to memory of 5008 1164 9vdvv.exe 84 PID 5008 wrote to memory of 5036 5008 nhhttn.exe 85 PID 5008 wrote to memory of 5036 5008 nhhttn.exe 85 PID 5008 wrote to memory of 5036 5008 nhhttn.exe 85 PID 5036 wrote to memory of 532 5036 dddjp.exe 86 PID 5036 wrote to memory of 532 5036 dddjp.exe 86 PID 5036 wrote to memory of 532 5036 dddjp.exe 86 PID 532 wrote to memory of 3652 532 btbbtt.exe 87 PID 532 wrote to memory of 3652 532 btbbtt.exe 87 PID 532 wrote to memory of 3652 532 btbbtt.exe 87 PID 3652 wrote to memory of 4328 3652 xrllrff.exe 88 PID 3652 wrote to memory of 4328 3652 xrllrff.exe 88 PID 3652 wrote to memory of 4328 3652 xrllrff.exe 88 PID 4328 wrote to memory of 2320 4328 vdjjd.exe 89 PID 4328 wrote to memory of 2320 4328 vdjjd.exe 89 PID 4328 wrote to memory of 2320 4328 vdjjd.exe 89 PID 2320 wrote to memory of 1068 2320 bbbhnn.exe 90 PID 2320 wrote to memory of 1068 2320 bbbhnn.exe 90 PID 2320 wrote to memory of 1068 2320 bbbhnn.exe 90 PID 1068 wrote to memory of 2240 1068 hbhhtt.exe 91 PID 1068 wrote to memory of 2240 1068 hbhhtt.exe 91 PID 1068 wrote to memory of 2240 1068 hbhhtt.exe 91 PID 2240 wrote to memory of 404 2240 bntttt.exe 92 PID 2240 wrote to memory of 404 2240 bntttt.exe 92 PID 2240 wrote to memory of 404 2240 bntttt.exe 92 PID 404 wrote to memory of 320 404 rxlrlrr.exe 93 PID 404 wrote to memory of 320 404 rxlrlrr.exe 93 PID 404 wrote to memory of 320 404 rxlrlrr.exe 93 PID 320 wrote to memory of 1732 320 bbtntt.exe 94 PID 320 wrote to memory of 1732 320 
bbtntt.exe 94 PID 320 wrote to memory of 1732 320 bbtntt.exe 94 PID 1732 wrote to memory of 1712 1732 rrlfxxl.exe 95 PID 1732 wrote to memory of 1712 1732 rrlfxxl.exe 95 PID 1732 wrote to memory of 1712 1732 rrlfxxl.exe 95 PID 1712 wrote to memory of 316 1712 bbbhhh.exe 96 PID 1712 wrote to memory of 316 1712 bbbhhh.exe 96 PID 1712 wrote to memory of 316 1712 bbbhhh.exe 96 PID 316 wrote to memory of 348 316 nntnnt.exe 97 PID 316 wrote to memory of 348 316 nntnnt.exe 97 PID 316 wrote to memory of 348 316 nntnnt.exe 97 PID 348 wrote to memory of 3936 348 ddjjj.exe 98 PID 348 wrote to memory of 3936 348 ddjjj.exe 98 PID 348 wrote to memory of 3936 348 ddjjj.exe 98 PID 3936 wrote to memory of 720 3936 frxxxff.exe 99 PID 3936 wrote to memory of 720 3936 frxxxff.exe 99 PID 3936 wrote to memory of 720 3936 frxxxff.exe 99 PID 720 wrote to memory of 4708 720 hbhbbb.exe 100 PID 720 wrote to memory of 4708 720 hbhbbb.exe 100 PID 720 wrote to memory of 4708 720 hbhbbb.exe 100 PID 4708 wrote to memory of 3024 4708 pvjjv.exe 101 PID 4708 wrote to memory of 3024 4708 pvjjv.exe 101 PID 4708 wrote to memory of 3024 4708 pvjjv.exe 101 PID 3024 wrote to memory of 2700 3024 fxlllll.exe 102 PID 3024 wrote to memory of 2700 3024 fxlllll.exe 102 PID 3024 wrote to memory of 2700 3024 fxlllll.exe 102 PID 2700 wrote to memory of 2656 2700 tnbbtt.exe 103 PID 2700 wrote to memory of 2656 2700 tnbbtt.exe 103 PID 2700 wrote to memory of 2656 2700 tnbbtt.exe 103 PID 2656 wrote to memory of 1984 2656 jdppj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6N.exe"C:\Users\Admin\AppData\Local\Temp\75b8cec517b6b471073e3cad11cea785f3bd7a813f8b52fe8ee2b9b1eee027e6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\9vdvv.exec:\9vdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\nhhttn.exec:\nhhttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\dddjp.exec:\dddjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\btbbtt.exec:\btbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\xrllrff.exec:\xrllrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\vdjjd.exec:\vdjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\bbbhnn.exec:\bbbhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\hbhhtt.exec:\hbhhtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\bntttt.exec:\bntttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\rxlrlrr.exec:\rxlrlrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\bbtntt.exec:\bbtntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\rrlfxxl.exec:\rrlfxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\bbbhhh.exec:\bbbhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\nntnnt.exec:\nntnnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\ddjjj.exec:\ddjjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\frxxxff.exec:\frxxxff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\hbhbbb.exec:\hbhbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\pvjjv.exec:\pvjjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\fxlllll.exec:\fxlllll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\tnbbtt.exec:\tnbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\jdppj.exec:\jdppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\hbhnhn.exec:\hbhnhn.exe23⤵
- Executes dropped EXE
PID:1984 -
\??\c:\vvvvv.exec:\vvvvv.exe24⤵
- Executes dropped EXE
PID:3432 -
\??\c:\fxfffrr.exec:\fxfffrr.exe25⤵
- Executes dropped EXE
PID:4412 -
\??\c:\pjpvv.exec:\pjpvv.exe26⤵
- Executes dropped EXE
PID:3800 -
\??\c:\3pppj.exec:\3pppj.exe27⤵
- Executes dropped EXE
PID:624 -
\??\c:\nhhbnh.exec:\nhhbnh.exe28⤵
- Executes dropped EXE
PID:4112 -
\??\c:\9vvpd.exec:\9vvpd.exe29⤵
- Executes dropped EXE
PID:2368 -
\??\c:\djjdp.exec:\djjdp.exe30⤵
- Executes dropped EXE
PID:3984 -
\??\c:\3bbnhh.exec:\3bbnhh.exe31⤵
- Executes dropped EXE
PID:4184 -
\??\c:\dppjd.exec:\dppjd.exe32⤵
- Executes dropped EXE
PID:4688 -
\??\c:\hbnhtb.exec:\hbnhtb.exe33⤵
- Executes dropped EXE
PID:2236 -
\??\c:\rlrrlll.exec:\rlrrlll.exe34⤵
- Executes dropped EXE
PID:3708 -
\??\c:\djvpj.exec:\djvpj.exe35⤵
- Executes dropped EXE
PID:1428 -
\??\c:\vvppj.exec:\vvppj.exe36⤵
- Executes dropped EXE
PID:4352 -
\??\c:\rrfxrrr.exec:\rrfxrrr.exe37⤵
- Executes dropped EXE
PID:836 -
\??\c:\hbttbb.exec:\hbttbb.exe38⤵
- Executes dropped EXE
PID:808 -
\??\c:\dvpvj.exec:\dvpvj.exe39⤵
- Executes dropped EXE
PID:4836 -
\??\c:\dppjd.exec:\dppjd.exe40⤵
- Executes dropped EXE
PID:1696 -
\??\c:\rrlrffl.exec:\rrlrffl.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
\??\c:\nhnhbt.exec:\nhnhbt.exe42⤵
- Executes dropped EXE
PID:4216 -
\??\c:\jjpjd.exec:\jjpjd.exe43⤵
- Executes dropped EXE
PID:1896 -
\??\c:\pjvpj.exec:\pjvpj.exe44⤵
- Executes dropped EXE
PID:1960 -
\??\c:\7lrxrrl.exec:\7lrxrrl.exe45⤵
- Executes dropped EXE
PID:4236 -
\??\c:\nbbttn.exec:\nbbttn.exe46⤵
- Executes dropped EXE
PID:3460 -
\??\c:\ddddp.exec:\ddddp.exe47⤵
- Executes dropped EXE
PID:2388 -
\??\c:\5lrrrrr.exec:\5lrrrrr.exe48⤵
- Executes dropped EXE
PID:3884 -
\??\c:\hntthh.exec:\hntthh.exe49⤵
- Executes dropped EXE
PID:3892 -
\??\c:\jjjvv.exec:\jjjvv.exe50⤵
- Executes dropped EXE
PID:1524 -
\??\c:\xxlffrr.exec:\xxlffrr.exe51⤵
- Executes dropped EXE
PID:1680 -
\??\c:\rxllrlf.exec:\rxllrlf.exe52⤵
- Executes dropped EXE
PID:2816 -
\??\c:\bbtntb.exec:\bbtntb.exe53⤵
- Executes dropped EXE
PID:2972 -
\??\c:\7vvjj.exec:\7vvjj.exe54⤵
- Executes dropped EXE
PID:3004 -
\??\c:\lrfffll.exec:\lrfffll.exe55⤵
- Executes dropped EXE
PID:1484 -
\??\c:\lffffxx.exec:\lffffxx.exe56⤵
- Executes dropped EXE
PID:4640 -
\??\c:\9hbtnh.exec:\9hbtnh.exe57⤵
- Executes dropped EXE
PID:3176 -
\??\c:\dpppj.exec:\dpppj.exe58⤵
- Executes dropped EXE
PID:4580 -
\??\c:\nhtnnn.exec:\nhtnnn.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\5dvvv.exec:\5dvvv.exe60⤵
- Executes dropped EXE
PID:4020 -
\??\c:\pjvvd.exec:\pjvvd.exe61⤵
- Executes dropped EXE
PID:4328 -
\??\c:\fxlflff.exec:\fxlflff.exe62⤵
- Executes dropped EXE
PID:4396 -
\??\c:\tbtthh.exec:\tbtthh.exe63⤵
- Executes dropped EXE
PID:3504 -
\??\c:\dddvv.exec:\dddvv.exe64⤵
- Executes dropped EXE
PID:1624 -
\??\c:\9rffrrl.exec:\9rffrrl.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3412 -
\??\c:\hbhhtt.exec:\hbhhtt.exe66⤵PID:404
-
\??\c:\djddv.exec:\djddv.exe67⤵PID:516
-
\??\c:\vdjjd.exec:\vdjjd.exe68⤵PID:2152
-
\??\c:\llffrrr.exec:\llffrrr.exe69⤵PID:1732
-
\??\c:\7bbbhh.exec:\7bbbhh.exe70⤵PID:4524
-
\??\c:\dppjv.exec:\dppjv.exe71⤵PID:1712
-
\??\c:\pdddv.exec:\pdddv.exe72⤵PID:3168
-
\??\c:\rrrllfr.exec:\rrrllfr.exe73⤵PID:348
-
\??\c:\nbhbtt.exec:\nbhbtt.exe74⤵PID:4544
-
\??\c:\ddpdp.exec:\ddpdp.exe75⤵PID:4320
-
\??\c:\xlrrfxr.exec:\xlrrfxr.exe76⤵PID:4200
-
\??\c:\nthhbb.exec:\nthhbb.exe77⤵PID:1384
-
\??\c:\hbnnnt.exec:\hbnnnt.exe78⤵PID:4500
-
\??\c:\jvppd.exec:\jvppd.exe79⤵PID:3096
-
\??\c:\ffffrrl.exec:\ffffrrl.exe80⤵PID:3404
-
\??\c:\nhnhhh.exec:\nhnhhh.exe81⤵PID:2716
-
\??\c:\3vpjj.exec:\3vpjj.exe82⤵PID:4572
-
\??\c:\fxllfll.exec:\fxllfll.exe83⤵PID:3292
-
\??\c:\tttttb.exec:\tttttb.exe84⤵PID:3856
-
\??\c:\dvjpv.exec:\dvjpv.exe85⤵PID:5076
-
\??\c:\ddpjv.exec:\ddpjv.exe86⤵PID:1528
-
\??\c:\rfllfff.exec:\rfllfff.exe87⤵PID:512
-
\??\c:\frfffff.exec:\frfffff.exe88⤵PID:4164
-
\??\c:\thhtnn.exec:\thhtnn.exe89⤵PID:2624
-
\??\c:\pvvvv.exec:\pvvvv.exe90⤵PID:5060
-
\??\c:\flxlxlx.exec:\flxlxlx.exe91⤵PID:2368
-
\??\c:\3lrrrrl.exec:\3lrrrrl.exe92⤵PID:2492
-
\??\c:\hbbnnh.exec:\hbbnnh.exe93⤵PID:448
-
\??\c:\ppddp.exec:\ppddp.exe94⤵PID:64
-
\??\c:\flfffff.exec:\flfffff.exe95⤵PID:4900
-
\??\c:\btnhhh.exec:\btnhhh.exe96⤵PID:4416
-
\??\c:\nbnhhh.exec:\nbnhhh.exe97⤵PID:3956
-
\??\c:\jjppj.exec:\jjppj.exe98⤵PID:2644
-
\??\c:\lffxffr.exec:\lffxffr.exe99⤵PID:1692
-
\??\c:\btbbtb.exec:\btbbtb.exe100⤵
- System Location Discovery: System Language Discovery
PID:1196 -
\??\c:\hbbbtb.exec:\hbbbtb.exe101⤵PID:1108
-
\??\c:\9pdvv.exec:\9pdvv.exe102⤵PID:2004
-
\??\c:\hnnnnn.exec:\hnnnnn.exe103⤵PID:3396
-
\??\c:\1nnhhh.exec:\1nnhhh.exe104⤵PID:3728
-
\??\c:\dvdvp.exec:\dvdvp.exe105⤵PID:1868
-
\??\c:\xxllrrf.exec:\xxllrrf.exe106⤵PID:1028
-
\??\c:\tbnttn.exec:\tbnttn.exe107⤵PID:3676
-
\??\c:\dpvjd.exec:\dpvjd.exe108⤵PID:4660
-
\??\c:\3pppj.exec:\3pppj.exe109⤵
- System Location Discovery: System Language Discovery
PID:4596 -
\??\c:\frlrrxr.exec:\frlrrxr.exe110⤵PID:3384
-
\??\c:\ttbbbt.exec:\ttbbbt.exe111⤵PID:2956
-
\??\c:\7bhhhn.exec:\7bhhhn.exe112⤵
- System Location Discovery: System Language Discovery
PID:1968 -
\??\c:\jjjdp.exec:\jjjdp.exe113⤵PID:3892
-
\??\c:\lfllffl.exec:\lfllffl.exe114⤵PID:3720
-
\??\c:\hbnhhb.exec:\hbnhhb.exe115⤵PID:1680
-
\??\c:\djpdj.exec:\djpdj.exe116⤵PID:4760
-
\??\c:\rffffff.exec:\rffffff.exe117⤵PID:5068
-
\??\c:\9rlxfxl.exec:\9rlxfxl.exe118⤵PID:3004
-
\??\c:\hbhbtt.exec:\hbhbtt.exe119⤵PID:5036
-
\??\c:\pdvvj.exec:\pdvvj.exe120⤵PID:4128
-
\??\c:\lflfxlf.exec:\lflfxlf.exe121⤵PID:1224
-
\??\c:\frfxrrl.exec:\frfxrrl.exe122⤵PID:1740