Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:55
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe
Resource
win7-20240903-en (note: this task entry names a Windows 7 image, but every IoC below is tagged behavioral2 and the platform/resource at the top of the page is win10v2004-20241007-en; the signatures and process tree appear to come from the Windows 10 run, so do not read them as Windows 7 behavior)
7 signatures
120 seconds
General
-
Target
e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe
-
Size
455KB
-
MD5
051eabd2813cdb993fbd81180fef6bb5
-
SHA1
8ec495aac344702d072fd87860923c5abd1d42d1
-
SHA256
e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf
-
SHA512
d19e475c262139cc097b9b35290cea7f413d93931152edc4a9584dd27b027e98b910e504aaaaf34d7aa22224589febd94ba47ec7bd725e867627ba18fe74841f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (64 is the report's per-signature display cap, not the total; every hit is the same 0x0000000000400000-0x000000000042A000 region in a different PID, consistent with the mapped image of each dropped 32-bit EXE in the chain; PIDs such as 3752, 4180, 1260 and 1120 recur in the process tree because the sandbox reused them for later processes, so key memory IoCs on PID plus dump offset, never on PID alone)
resource yara_rule behavioral2/memory/3728-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3852-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3088-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-1092-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-1114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-1457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3664-1663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (display cap: this tag stops at vpvpj.exe at depth 65 while the tree below continues to depth 122; every dropped EXE is written to and run from the root of C:\ under a short lowercase name drawn from a small letter set (h/n/b/t, d/p/v/j, x/f/l/r), which is itself a useful hunting pivot)
pid Process 3752 hnbtnt.exe 1468 thhtbb.exe 3304 hbnbtb.exe 4972 vdpvj.exe 4008 fxffflr.exe 2376 hnttnt.exe 2328 hhbthh.exe 4380 hbnnnn.exe 1312 dpvdd.exe 1120 dpvpj.exe 2196 nnthbb.exe 1984 nhhhbb.exe 2984 vdddd.exe 2660 xrfrlxx.exe 1720 nbhhhh.exe 1028 nntbtb.exe 2024 ffrrrrr.exe 4284 lfrrrxx.exe 216 lxfxxrl.exe 2220 jpdjp.exe 4496 dvdjd.exe 1828 nbhbtt.exe 4108 djvdv.exe 1976 xfllffx.exe 3852 bbbbtt.exe 2724 thnhbh.exe 4572 jpddd.exe 3324 nnbhtt.exe 4660 frfxllr.exe 2608 9hnbht.exe 2360 ttbttt.exe 4940 tthnnt.exe 4696 rllrrrr.exe 3568 btbtnn.exe 4560 pjjdv.exe 1584 frxxrrr.exe 4648 hnbbbb.exe 2124 pppdj.exe 1116 jvjdd.exe 3100 rrlrxff.exe 2144 btbbtt.exe 2488 pjdvp.exe 4516 flrrrxx.exe 1040 btnnnn.exe 4736 ddjdv.exe 1848 jddvj.exe 2708 rlrfxxr.exe 3632 3ntnnn.exe 4892 djjdj.exe 4328 ffxxrll.exe 4180 lfflrrf.exe 4832 nbthbt.exe 3752 ppjdj.exe 1260 pjvpj.exe 3988 5xlxlxr.exe 3664 thnnnn.exe 3640 3jvpd.exe 4464 xflffll.exe 812 bhhbbb.exe 1744 jpddd.exe 1768 ppddv.exe 1708 7flfffx.exe 3088 bnnhhh.exe 2812 vpvpj.exe -
resource yara_rule behavioral2/memory/3752-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3324-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2656-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-1114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-1217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-1323-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. (Caveat: the only evidence here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that ordinary locale-aware code also commonly reads, so on its own this is a low-fidelity indicator; weigh it together with the dropper chain and packer hits above. Many rows show "Process not Found", most likely because the short-lived PID could no longer be resolved when the event was logged.)
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (display cap; each spawn appears as three identical rows, and in every row the writer is the parent and the target is the child it has just created, consistent with the dropper chain in the process tree rather than injection into an unrelated process; the list is truncated mid-way at 4496 -> 1828)
description pid Process procid_target PID 3728 wrote to memory of 3752 3728 e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe 82 PID 3728 wrote to memory of 3752 3728 e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe 82 PID 3728 wrote to memory of 3752 3728 e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe 82 PID 3752 wrote to memory of 1468 3752 hnbtnt.exe 83 PID 3752 wrote to memory of 1468 3752 hnbtnt.exe 83 PID 3752 wrote to memory of 1468 3752 hnbtnt.exe 83 PID 1468 wrote to memory of 3304 1468 thhtbb.exe 84 PID 1468 wrote to memory of 3304 1468 thhtbb.exe 84 PID 1468 wrote to memory of 3304 1468 thhtbb.exe 84 PID 3304 wrote to memory of 4972 3304 hbnbtb.exe 85 PID 3304 wrote to memory of 4972 3304 hbnbtb.exe 85 PID 3304 wrote to memory of 4972 3304 hbnbtb.exe 85 PID 4972 wrote to memory of 4008 4972 vdpvj.exe 86 PID 4972 wrote to memory of 4008 4972 vdpvj.exe 86 PID 4972 wrote to memory of 4008 4972 vdpvj.exe 86 PID 4008 wrote to memory of 2376 4008 fxffflr.exe 87 PID 4008 wrote to memory of 2376 4008 fxffflr.exe 87 PID 4008 wrote to memory of 2376 4008 fxffflr.exe 87 PID 2376 wrote to memory of 2328 2376 hnttnt.exe 88 PID 2376 wrote to memory of 2328 2376 hnttnt.exe 88 PID 2376 wrote to memory of 2328 2376 hnttnt.exe 88 PID 2328 wrote to memory of 4380 2328 hhbthh.exe 89 PID 2328 wrote to memory of 4380 2328 hhbthh.exe 89 PID 2328 wrote to memory of 4380 2328 hhbthh.exe 89 PID 4380 wrote to memory of 1312 4380 hbnnnn.exe 90 PID 4380 wrote to memory of 1312 4380 hbnnnn.exe 90 PID 4380 wrote to memory of 1312 4380 hbnnnn.exe 90 PID 1312 wrote to memory of 1120 1312 dpvdd.exe 91 PID 1312 wrote to memory of 1120 1312 dpvdd.exe 91 PID 1312 wrote to memory of 1120 1312 dpvdd.exe 91 PID 1120 wrote to memory of 2196 1120 dpvpj.exe 92 PID 1120 wrote to memory of 2196 1120 dpvpj.exe 92 PID 1120 wrote to memory of 2196 1120 dpvpj.exe 92 PID 2196 wrote to memory of 1984 2196 nnthbb.exe 93 PID 2196 wrote to memory 
of 1984 2196 nnthbb.exe 93 PID 2196 wrote to memory of 1984 2196 nnthbb.exe 93 PID 1984 wrote to memory of 2984 1984 nhhhbb.exe 94 PID 1984 wrote to memory of 2984 1984 nhhhbb.exe 94 PID 1984 wrote to memory of 2984 1984 nhhhbb.exe 94 PID 2984 wrote to memory of 2660 2984 vdddd.exe 95 PID 2984 wrote to memory of 2660 2984 vdddd.exe 95 PID 2984 wrote to memory of 2660 2984 vdddd.exe 95 PID 2660 wrote to memory of 1720 2660 xrfrlxx.exe 96 PID 2660 wrote to memory of 1720 2660 xrfrlxx.exe 96 PID 2660 wrote to memory of 1720 2660 xrfrlxx.exe 96 PID 1720 wrote to memory of 1028 1720 nbhhhh.exe 97 PID 1720 wrote to memory of 1028 1720 nbhhhh.exe 97 PID 1720 wrote to memory of 1028 1720 nbhhhh.exe 97 PID 1028 wrote to memory of 2024 1028 nntbtb.exe 98 PID 1028 wrote to memory of 2024 1028 nntbtb.exe 98 PID 1028 wrote to memory of 2024 1028 nntbtb.exe 98 PID 2024 wrote to memory of 4284 2024 ffrrrrr.exe 99 PID 2024 wrote to memory of 4284 2024 ffrrrrr.exe 99 PID 2024 wrote to memory of 4284 2024 ffrrrrr.exe 99 PID 4284 wrote to memory of 216 4284 lfrrrxx.exe 100 PID 4284 wrote to memory of 216 4284 lfrrrxx.exe 100 PID 4284 wrote to memory of 216 4284 lfrrrxx.exe 100 PID 216 wrote to memory of 2220 216 lxfxxrl.exe 101 PID 216 wrote to memory of 2220 216 lxfxxrl.exe 101 PID 216 wrote to memory of 2220 216 lxfxxrl.exe 101 PID 2220 wrote to memory of 4496 2220 jpdjp.exe 102 PID 2220 wrote to memory of 4496 2220 jpdjp.exe 102 PID 2220 wrote to memory of 4496 2220 jpdjp.exe 102 PID 4496 wrote to memory of 1828 4496 dvdjd.exe 103
Processes (tree; each entry is the image path followed by the command line and the nesting depth N⤵, e.g. `\??\c:\hnbtnt.exe` / `c:\hnbtnt.exe` at depth 2; the chain runs 122 levels deep inside the 120 s window and appears to be cut off by the timeout rather than by the sample stopping)
-
C:\Users\Admin\AppData\Local\Temp\e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe "C:\Users\Admin\AppData\Local\Temp\e2b99538caae8420eb297a3e04290f2ce475416ec8914d52039a659866364bdf.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\hnbtnt.exec:\hnbtnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\thhtbb.exec:\thhtbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\hbnbtb.exec:\hbnbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\vdpvj.exec:\vdpvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\fxffflr.exec:\fxffflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\hnttnt.exec:\hnttnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\hhbthh.exec:\hhbthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\hbnnnn.exec:\hbnnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\dpvdd.exec:\dpvdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\dpvpj.exec:\dpvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\nnthbb.exec:\nnthbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\nhhhbb.exec:\nhhhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\vdddd.exec:\vdddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\xrfrlxx.exec:\xrfrlxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\nbhhhh.exec:\nbhhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\nntbtb.exec:\nntbtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\ffrrrrr.exec:\ffrrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\lfrrrxx.exec:\lfrrrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\lxfxxrl.exec:\lxfxxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\jpdjp.exec:\jpdjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\dvdjd.exec:\dvdjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\nbhbtt.exec:\nbhbtt.exe23⤵
- Executes dropped EXE
PID:1828 -
\??\c:\djvdv.exec:\djvdv.exe24⤵
- Executes dropped EXE
PID:4108 -
\??\c:\xfllffx.exec:\xfllffx.exe25⤵
- Executes dropped EXE
PID:1976 -
\??\c:\bbbbtt.exec:\bbbbtt.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3852 -
\??\c:\thnhbh.exec:\thnhbh.exe27⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jpddd.exec:\jpddd.exe28⤵
- Executes dropped EXE
PID:4572 -
\??\c:\nnbhtt.exec:\nnbhtt.exe29⤵
- Executes dropped EXE
PID:3324 -
\??\c:\frfxllr.exec:\frfxllr.exe30⤵
- Executes dropped EXE
PID:4660 -
\??\c:\9hnbht.exec:\9hnbht.exe31⤵
- Executes dropped EXE
PID:2608 -
\??\c:\ttbttt.exec:\ttbttt.exe32⤵
- Executes dropped EXE
PID:2360 -
\??\c:\tthnnt.exec:\tthnnt.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4940 -
\??\c:\rllrrrr.exec:\rllrrrr.exe34⤵
- Executes dropped EXE
PID:4696 -
\??\c:\btbtnn.exec:\btbtnn.exe35⤵
- Executes dropped EXE
PID:3568 -
\??\c:\pjjdv.exec:\pjjdv.exe36⤵
- Executes dropped EXE
PID:4560 -
\??\c:\frxxrrr.exec:\frxxrrr.exe37⤵
- Executes dropped EXE
PID:1584 -
\??\c:\hnbbbb.exec:\hnbbbb.exe38⤵
- Executes dropped EXE
PID:4648 -
\??\c:\pppdj.exec:\pppdj.exe39⤵
- Executes dropped EXE
PID:2124 -
\??\c:\jvjdd.exec:\jvjdd.exe40⤵
- Executes dropped EXE
PID:1116 -
\??\c:\rrlrxff.exec:\rrlrxff.exe41⤵
- Executes dropped EXE
PID:3100 -
\??\c:\btbbtt.exec:\btbbtt.exe42⤵
- Executes dropped EXE
PID:2144 -
\??\c:\pjdvp.exec:\pjdvp.exe43⤵
- Executes dropped EXE
PID:2488 -
\??\c:\flrrrxx.exec:\flrrrxx.exe44⤵
- Executes dropped EXE
PID:4516 -
\??\c:\btnnnn.exec:\btnnnn.exe45⤵
- Executes dropped EXE
PID:1040 -
\??\c:\ddjdv.exec:\ddjdv.exe46⤵
- Executes dropped EXE
PID:4736 -
\??\c:\jddvj.exec:\jddvj.exe47⤵
- Executes dropped EXE
PID:1848 -
\??\c:\rlrfxxr.exec:\rlrfxxr.exe48⤵
- Executes dropped EXE
PID:2708 -
\??\c:\3ntnnn.exec:\3ntnnn.exe49⤵
- Executes dropped EXE
PID:3632 -
\??\c:\djjdj.exec:\djjdj.exe50⤵
- Executes dropped EXE
PID:4892 -
\??\c:\ffxxrll.exec:\ffxxrll.exe51⤵
- Executes dropped EXE
PID:4328 -
\??\c:\lfflrrf.exec:\lfflrrf.exe52⤵
- Executes dropped EXE
PID:4180 -
\??\c:\nbthbt.exec:\nbthbt.exe53⤵
- Executes dropped EXE
PID:4832 -
\??\c:\ppjdj.exec:\ppjdj.exe54⤵
- Executes dropped EXE
PID:3752 -
\??\c:\pjvpj.exec:\pjvpj.exe55⤵
- Executes dropped EXE
PID:1260 -
\??\c:\5xlxlxr.exec:\5xlxlxr.exe56⤵
- Executes dropped EXE
PID:3988 -
\??\c:\thnnnn.exec:\thnnnn.exe57⤵
- Executes dropped EXE
PID:3664 -
\??\c:\3jvpd.exec:\3jvpd.exe58⤵
- Executes dropped EXE
PID:3640 -
\??\c:\xflffll.exec:\xflffll.exe59⤵
- Executes dropped EXE
PID:4464 -
\??\c:\bhhbbb.exec:\bhhbbb.exe60⤵
- Executes dropped EXE
PID:812 -
\??\c:\jpddd.exec:\jpddd.exe61⤵
- Executes dropped EXE
PID:1744 -
\??\c:\ppddv.exec:\ppddv.exe62⤵
- Executes dropped EXE
PID:1768 -
\??\c:\7flfffx.exec:\7flfffx.exe63⤵
- Executes dropped EXE
PID:1708 -
\??\c:\bnnhhh.exec:\bnnhhh.exe64⤵
- Executes dropped EXE
PID:3088 -
\??\c:\vpvpj.exec:\vpvpj.exe65⤵
- Executes dropped EXE
PID:2812 -
\??\c:\xxffffx.exec:\xxffffx.exe66⤵PID:1120
-
\??\c:\5tttnn.exec:\5tttnn.exe67⤵PID:1556
-
\??\c:\jdvpj.exec:\jdvpj.exe68⤵PID:1440
-
\??\c:\rrxfffx.exec:\rrxfffx.exe69⤵PID:464
-
\??\c:\tttnhh.exec:\tttnhh.exe70⤵PID:4416
-
\??\c:\tttntt.exec:\tttntt.exe71⤵PID:2676
-
\??\c:\vpvvv.exec:\vpvvv.exe72⤵PID:4316
-
\??\c:\lfrllxr.exec:\lfrllxr.exe73⤵PID:1888
-
\??\c:\lrxxrxx.exec:\lrxxrxx.exe74⤵PID:1804
-
\??\c:\tthtth.exec:\tthtth.exe75⤵PID:3284
-
\??\c:\vvvpj.exec:\vvvpj.exe76⤵PID:4356
-
\??\c:\rflfxxr.exec:\rflfxxr.exe77⤵PID:4680
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe78⤵PID:2580
-
\??\c:\nhnhbb.exec:\nhnhbb.exe79⤵PID:228
-
\??\c:\djvvp.exec:\djvvp.exe80⤵PID:4704
-
\??\c:\xflfrrr.exec:\xflfrrr.exe81⤵PID:2220
-
\??\c:\5llfxxr.exec:\5llfxxr.exe82⤵PID:1668
-
\??\c:\bntntn.exec:\bntntn.exe83⤵PID:4780
-
\??\c:\dvjvd.exec:\dvjvd.exe84⤵PID:2308
-
\??\c:\xrlffxf.exec:\xrlffxf.exe85⤵PID:3340
-
\??\c:\lfffrrr.exec:\lfffrrr.exe86⤵PID:2656
-
\??\c:\tntnhb.exec:\tntnhb.exe87⤵PID:1716
-
\??\c:\pjvvp.exec:\pjvvp.exe88⤵PID:4544
-
\??\c:\jjpjv.exec:\jjpjv.exe89⤵PID:2724
-
\??\c:\ffxllxl.exec:\ffxllxl.exe90⤵PID:1020
-
\??\c:\hbbbtt.exec:\hbbbtt.exe91⤵PID:2936
-
\??\c:\pjjjd.exec:\pjjjd.exe92⤵PID:1232
-
\??\c:\ddvpp.exec:\ddvpp.exe93⤵PID:4660
-
\??\c:\rrxrlrr.exec:\rrxrlrr.exe94⤵PID:1836
-
\??\c:\1hhhtb.exec:\1hhhtb.exe95⤵PID:3976
-
\??\c:\vdjdp.exec:\vdjdp.exe96⤵PID:1472
-
\??\c:\1frxflf.exec:\1frxflf.exe97⤵PID:968
-
\??\c:\thhhbh.exec:\thhhbh.exe98⤵PID:2544
-
\??\c:\vddpj.exec:\vddpj.exe99⤵PID:2584
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe100⤵PID:3568
-
\??\c:\tbhhbb.exec:\tbhhbb.exe101⤵PID:4552
-
\??\c:\bntttt.exec:\bntttt.exe102⤵PID:688
-
\??\c:\jvppj.exec:\jvppj.exe103⤵PID:1824
-
\??\c:\xllfxrl.exec:\xllfxrl.exe104⤵PID:1944
-
\??\c:\hntnhh.exec:\hntnhh.exe105⤵PID:3696
-
\??\c:\9vvpp.exec:\9vvpp.exe106⤵PID:8
-
\??\c:\xrrllll.exec:\xrrllll.exe107⤵PID:4876
-
\??\c:\bhhhbh.exec:\bhhhbh.exe108⤵PID:3968
-
\??\c:\hnbtnn.exec:\hnbtnn.exe109⤵PID:1536
-
\??\c:\pppdd.exec:\pppdd.exe110⤵PID:1776
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe111⤵PID:2756
-
\??\c:\nhtnhh.exec:\nhtnhh.exe112⤵PID:4692
-
\??\c:\vddvp.exec:\vddvp.exe113⤵
- System Location Discovery: System Language Discovery
PID:1300 -
\??\c:\pdjvv.exec:\pdjvv.exe114⤵PID:1528
-
\??\c:\lfrlxxx.exec:\lfrlxxx.exe115⤵PID:4388
-
\??\c:\btbbtb.exec:\btbbtb.exe116⤵PID:4256
-
\??\c:\jdvvv.exec:\jdvvv.exe117⤵PID:4180
-
\??\c:\frrrrrr.exec:\frrrrrr.exe118⤵PID:1932
-
\??\c:\ffflxfr.exec:\ffflxfr.exe119⤵PID:3752
-
\??\c:\nbnhnn.exec:\nbnhnn.exe120⤵PID:1260
-
\??\c:\jjjdv.exec:\jjjdv.exe121⤵PID:4008
-
\??\c:\lrffxrf.exec:\lrffxrf.exe122⤵PID:4948