Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-01-2025 06:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e.exe
-
Size
454KB
-
MD5
04d1b6b41597b21d019113d19cf04a9e
-
SHA1
e9da23c0d17a1894e1f0bb3ca55f5db509f095a4
-
SHA256
e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e
-
SHA512
e3a140839d779a64c1b8749cdf95ba4240ed24277fc3ee72fe97a9cb9e2cae755e9f4a55f8a8ed53d4e0e24cd2ae212aae0c9277295bf653abd3600f32cd265c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3112-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2308-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4632-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-1358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-1431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-1666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3140 hthhhh.exe 2400 rrxrrll.exe 5116 dvjvj.exe 2944 fxxrfxx.exe 3576 rxfffff.exe 4536 hbhbtt.exe 5016 hhhtth.exe 3148 btbtth.exe 3700 bbbbbb.exe 1104 djdvj.exe 1784 bhtnhh.exe 2096 nhhbtt.exe 5044 bbtttb.exe 4944 hhhhbb.exe 4852 jjvjj.exe 3380 llrrlll.exe 1004 nhnnnn.exe 5068 1tttbh.exe 4768 pvdvv.exe 3600 rrfrfxr.exe 4572 bhhhtn.exe 1592 llrfrrl.exe 2308 nhnhhb.exe 1824 thhhbn.exe 1772 pdpdd.exe 4896 ppvjj.exe 4052 ttbttt.exe 4440 jdjdp.exe 3748 rffxrlf.exe 3412 3lrffxx.exe 3944 llrlfxr.exe 1944 hbhbbt.exe 696 hbbhbb.exe 4856 djvjd.exe 2500 jvdpd.exe 4252 ffrfrrr.exe 3468 5ttnnh.exe 3872 tnnbtn.exe 3360 dpdpv.exe 2560 flrfxrx.exe 2304 bbbbtn.exe 3196 vvdvj.exe 2692 vjjjd.exe 4360 rxxrfrl.exe 4220 nnhbtn.exe 4664 vpjpj.exe 1612 lxfxrrl.exe 4608 nttbtt.exe 4264 pjdvp.exe 4868 7rlfrrl.exe 4476 5xffffx.exe 3620 thhbbt.exe 2716 jdpjj.exe 3140 lflffxx.exe 5032 1hbnhn.exe 1164 tttnhh.exe 2516 vvdvp.exe 2116 lffxxxr.exe 3964 hnhtnh.exe 2320 nbnhtn.exe 3108 dvdjv.exe 336 lrxfxrr.exe 2884 tntnhb.exe 4748 9djvp.exe -
resource yara_rule behavioral2/memory/3112-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1772-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4008-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-1358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-1431-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frrfrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3112 wrote to memory of 3140 3112 e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e.exe 82 PID 3112 wrote to memory of 3140 3112 e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e.exe 82 PID 3112 wrote to memory of 3140 3112 e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e.exe 82 PID 3140 wrote to memory of 2400 3140 hthhhh.exe 83 PID 3140 wrote to memory of 2400 3140 hthhhh.exe 83 PID 3140 wrote to memory of 2400 3140 hthhhh.exe 83 PID 2400 wrote to memory of 5116 2400 rrxrrll.exe 84 PID 2400 wrote to memory of 5116 2400 rrxrrll.exe 84 PID 2400 wrote to memory of 5116 2400 rrxrrll.exe 84 PID 5116 wrote to memory of 2944 5116 dvjvj.exe 85 PID 5116 wrote to memory of 2944 5116 dvjvj.exe 85 PID 5116 wrote to memory of 2944 5116 dvjvj.exe 85 PID 2944 wrote to memory of 3576 2944 fxxrfxx.exe 86 PID 2944 wrote to memory of 3576 2944 fxxrfxx.exe 86 PID 2944 wrote to memory of 3576 2944 fxxrfxx.exe 86 PID 3576 wrote to memory of 4536 3576 rxfffff.exe 87 PID 3576 wrote to memory of 4536 3576 rxfffff.exe 87 PID 3576 wrote to memory of 4536 3576 rxfffff.exe 87 PID 4536 wrote to memory of 5016 4536 hbhbtt.exe 88 PID 4536 wrote to memory of 5016 4536 hbhbtt.exe 88 PID 4536 wrote to memory of 5016 4536 hbhbtt.exe 88 PID 5016 wrote to memory of 3148 5016 hhhtth.exe 89 PID 5016 wrote to memory of 3148 5016 hhhtth.exe 89 PID 5016 wrote to memory of 3148 5016 hhhtth.exe 89 PID 3148 wrote to memory of 3700 3148 btbtth.exe 90 PID 3148 wrote to memory of 3700 3148 btbtth.exe 90 PID 3148 wrote to memory of 3700 3148 btbtth.exe 90 PID 3700 wrote to memory of 1104 3700 bbbbbb.exe 91 PID 3700 wrote to memory of 1104 3700 bbbbbb.exe 91 PID 3700 wrote to memory of 1104 3700 bbbbbb.exe 91 PID 1104 wrote to memory of 1784 1104 djdvj.exe 92 PID 1104 wrote to memory of 1784 1104 djdvj.exe 92 PID 1104 wrote to memory of 1784 1104 djdvj.exe 92 PID 1784 wrote to memory of 2096 1784 bhtnhh.exe 93 PID 1784 wrote 
to memory of 2096 1784 bhtnhh.exe 93 PID 1784 wrote to memory of 2096 1784 bhtnhh.exe 93 PID 2096 wrote to memory of 5044 2096 nhhbtt.exe 94 PID 2096 wrote to memory of 5044 2096 nhhbtt.exe 94 PID 2096 wrote to memory of 5044 2096 nhhbtt.exe 94 PID 5044 wrote to memory of 4944 5044 bbtttb.exe 95 PID 5044 wrote to memory of 4944 5044 bbtttb.exe 95 PID 5044 wrote to memory of 4944 5044 bbtttb.exe 95 PID 4944 wrote to memory of 4852 4944 hhhhbb.exe 96 PID 4944 wrote to memory of 4852 4944 hhhhbb.exe 96 PID 4944 wrote to memory of 4852 4944 hhhhbb.exe 96 PID 4852 wrote to memory of 3380 4852 jjvjj.exe 97 PID 4852 wrote to memory of 3380 4852 jjvjj.exe 97 PID 4852 wrote to memory of 3380 4852 jjvjj.exe 97 PID 3380 wrote to memory of 1004 3380 llrrlll.exe 98 PID 3380 wrote to memory of 1004 3380 llrrlll.exe 98 PID 3380 wrote to memory of 1004 3380 llrrlll.exe 98 PID 1004 wrote to memory of 5068 1004 nhnnnn.exe 99 PID 1004 wrote to memory of 5068 1004 nhnnnn.exe 99 PID 1004 wrote to memory of 5068 1004 nhnnnn.exe 99 PID 5068 wrote to memory of 4768 5068 1tttbh.exe 100 PID 5068 wrote to memory of 4768 5068 1tttbh.exe 100 PID 5068 wrote to memory of 4768 5068 1tttbh.exe 100 PID 4768 wrote to memory of 3600 4768 pvdvv.exe 101 PID 4768 wrote to memory of 3600 4768 pvdvv.exe 101 PID 4768 wrote to memory of 3600 4768 pvdvv.exe 101 PID 3600 wrote to memory of 4572 3600 rrfrfxr.exe 102 PID 3600 wrote to memory of 4572 3600 rrfrfxr.exe 102 PID 3600 wrote to memory of 4572 3600 rrfrfxr.exe 102 PID 4572 wrote to memory of 1592 4572 bhhhtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e.exe"C:\Users\Admin\AppData\Local\Temp\e2ffaada1a7d7cf6e8c48c4768e8dcd6abd04ce9aa10009911eb873ee49c8a5e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\hthhhh.exec:\hthhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\rrxrrll.exec:\rrxrrll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\dvjvj.exec:\dvjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\fxxrfxx.exec:\fxxrfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\rxfffff.exec:\rxfffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\hbhbtt.exec:\hbhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\hhhtth.exec:\hhhtth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\btbtth.exec:\btbtth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\bbbbbb.exec:\bbbbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\djdvj.exec:\djdvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\bhtnhh.exec:\bhtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\nhhbtt.exec:\nhhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\bbtttb.exec:\bbtttb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\hhhhbb.exec:\hhhhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\jjvjj.exec:\jjvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\llrrlll.exec:\llrrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\nhnnnn.exec:\nhnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\1tttbh.exec:\1tttbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\pvdvv.exec:\pvdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\rrfrfxr.exec:\rrfrfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\bhhhtn.exec:\bhhhtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\llrfrrl.exec:\llrfrrl.exe23⤵
- Executes dropped EXE
PID:1592 -
\??\c:\nhnhhb.exec:\nhnhhb.exe24⤵
- Executes dropped EXE
PID:2308 -
\??\c:\thhhbn.exec:\thhhbn.exe25⤵
- Executes dropped EXE
PID:1824 -
\??\c:\pdpdd.exec:\pdpdd.exe26⤵
- Executes dropped EXE
PID:1772 -
\??\c:\ppvjj.exec:\ppvjj.exe27⤵
- Executes dropped EXE
PID:4896 -
\??\c:\ttbttt.exec:\ttbttt.exe28⤵
- Executes dropped EXE
PID:4052 -
\??\c:\jdjdp.exec:\jdjdp.exe29⤵
- Executes dropped EXE
PID:4440 -
\??\c:\rffxrlf.exec:\rffxrlf.exe30⤵
- Executes dropped EXE
PID:3748 -
\??\c:\3lrffxx.exec:\3lrffxx.exe31⤵
- Executes dropped EXE
PID:3412 -
\??\c:\llrlfxr.exec:\llrlfxr.exe32⤵
- Executes dropped EXE
PID:3944 -
\??\c:\hbhbbt.exec:\hbhbbt.exe33⤵
- Executes dropped EXE
PID:1944 -
\??\c:\hbbhbb.exec:\hbbhbb.exe34⤵
- Executes dropped EXE
PID:696 -
\??\c:\djvjd.exec:\djvjd.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856 -
\??\c:\jvdpd.exec:\jvdpd.exe36⤵
- Executes dropped EXE
PID:2500 -
\??\c:\ffrfrrr.exec:\ffrfrrr.exe37⤵
- Executes dropped EXE
PID:4252 -
\??\c:\5ttnnh.exec:\5ttnnh.exe38⤵
- Executes dropped EXE
PID:3468 -
\??\c:\tnnbtn.exec:\tnnbtn.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3872 -
\??\c:\dpdpv.exec:\dpdpv.exe40⤵
- Executes dropped EXE
PID:3360 -
\??\c:\flrfxrx.exec:\flrfxrx.exe41⤵
- Executes dropped EXE
PID:2560 -
\??\c:\bbbbtn.exec:\bbbbtn.exe42⤵
- Executes dropped EXE
PID:2304 -
\??\c:\vvdvj.exec:\vvdvj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3196 -
\??\c:\vjjjd.exec:\vjjjd.exe44⤵
- Executes dropped EXE
PID:2692 -
\??\c:\rxxrfrl.exec:\rxxrfrl.exe45⤵
- Executes dropped EXE
PID:4360 -
\??\c:\nnhbtn.exec:\nnhbtn.exe46⤵
- Executes dropped EXE
PID:4220 -
\??\c:\vpjpj.exec:\vpjpj.exe47⤵
- Executes dropped EXE
PID:4664 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe48⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nttbtt.exec:\nttbtt.exe49⤵
- Executes dropped EXE
PID:4608 -
\??\c:\pjdvp.exec:\pjdvp.exe50⤵
- Executes dropped EXE
PID:4264 -
\??\c:\7rlfrrl.exec:\7rlfrrl.exe51⤵
- Executes dropped EXE
PID:4868 -
\??\c:\5xffffx.exec:\5xffffx.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\thhbbt.exec:\thhbbt.exe53⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jdpjj.exec:\jdpjj.exe54⤵
- Executes dropped EXE
PID:2716 -
\??\c:\lflffxx.exec:\lflffxx.exe55⤵
- Executes dropped EXE
PID:3140 -
\??\c:\1hbnhn.exec:\1hbnhn.exe56⤵
- Executes dropped EXE
PID:5032 -
\??\c:\tttnhh.exec:\tttnhh.exe57⤵
- Executes dropped EXE
PID:1164 -
\??\c:\vvdvp.exec:\vvdvp.exe58⤵
- Executes dropped EXE
PID:2516 -
\??\c:\lffxxxr.exec:\lffxxxr.exe59⤵
- Executes dropped EXE
PID:2116 -
\??\c:\hnhtnh.exec:\hnhtnh.exe60⤵
- Executes dropped EXE
PID:3964 -
\??\c:\nbnhtn.exec:\nbnhtn.exe61⤵
- Executes dropped EXE
PID:2320 -
\??\c:\dvdjv.exec:\dvdjv.exe62⤵
- Executes dropped EXE
PID:3108 -
\??\c:\lrxfxrr.exec:\lrxfxrr.exe63⤵
- Executes dropped EXE
PID:336 -
\??\c:\tntnhb.exec:\tntnhb.exe64⤵
- Executes dropped EXE
PID:2884 -
\??\c:\9djvp.exec:\9djvp.exe65⤵
- Executes dropped EXE
PID:4748 -
\??\c:\3lflxrx.exec:\3lflxrx.exe66⤵PID:4884
-
\??\c:\1rxrffr.exec:\1rxrffr.exe67⤵PID:1540
-
\??\c:\nbbthh.exec:\nbbthh.exe68⤵PID:1100
-
\??\c:\djpdp.exec:\djpdp.exe69⤵PID:1836
-
\??\c:\pddpd.exec:\pddpd.exe70⤵PID:5064
-
\??\c:\xlfxrlx.exec:\xlfxrlx.exe71⤵PID:4632
-
\??\c:\nhhthh.exec:\nhhthh.exe72⤵PID:2096
-
\??\c:\dddvp.exec:\dddvp.exe73⤵PID:4504
-
\??\c:\7pjvp.exec:\7pjvp.exe74⤵PID:3484
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe75⤵PID:228
-
\??\c:\ffrfrrl.exec:\ffrfrrl.exe76⤵PID:1040
-
\??\c:\nnbnhb.exec:\nnbnhb.exe77⤵PID:4876
-
\??\c:\dvvpd.exec:\dvvpd.exe78⤵PID:4512
-
\??\c:\ppdvp.exec:\ppdvp.exe79⤵PID:3728
-
\??\c:\rlllffx.exec:\rlllffx.exe80⤵PID:1952
-
\??\c:\1hhhhn.exec:\1hhhhn.exe81⤵PID:4820
-
\??\c:\5jpdd.exec:\5jpdd.exe82⤵PID:2920
-
\??\c:\llrrrrx.exec:\llrrrrx.exe83⤵PID:3600
-
\??\c:\llrrlrr.exec:\llrrlrr.exe84⤵PID:4296
-
\??\c:\hbhhhh.exec:\hbhhhh.exe85⤵PID:1312
-
\??\c:\dvdvj.exec:\dvdvj.exe86⤵PID:4008
-
\??\c:\fxllfrr.exec:\fxllfrr.exe87⤵PID:3472
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe88⤵PID:2180
-
\??\c:\9nnhbb.exec:\9nnhbb.exe89⤵PID:1824
-
\??\c:\pjpjd.exec:\pjpjd.exe90⤵PID:1936
-
\??\c:\fllfxxx.exec:\fllfxxx.exe91⤵PID:752
-
\??\c:\bbhhnn.exec:\bbhhnn.exe92⤵PID:2788
-
\??\c:\jdddd.exec:\jdddd.exe93⤵PID:2484
-
\??\c:\xflfrlf.exec:\xflfrlf.exe94⤵PID:2528
-
\??\c:\btntbh.exec:\btntbh.exe95⤵PID:3748
-
\??\c:\hhttnh.exec:\hhttnh.exe96⤵PID:4952
-
\??\c:\jjpvv.exec:\jjpvv.exe97⤵PID:5056
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe98⤵PID:2852
-
\??\c:\fxxlxxf.exec:\fxxlxxf.exe99⤵PID:2868
-
\??\c:\btbbbn.exec:\btbbbn.exe100⤵PID:4760
-
\??\c:\pjddv.exec:\pjddv.exe101⤵PID:1516
-
\??\c:\xrxrffx.exec:\xrxrffx.exe102⤵PID:1136
-
\??\c:\7xllxfr.exec:\7xllxfr.exe103⤵PID:3176
-
\??\c:\btbtnn.exec:\btbtnn.exe104⤵PID:4088
-
\??\c:\vdjpp.exec:\vdjpp.exe105⤵PID:464
-
\??\c:\rfrfrrl.exec:\rfrfrrl.exe106⤵PID:4428
-
\??\c:\btttbb.exec:\btttbb.exe107⤵PID:3452
-
\??\c:\dvddp.exec:\dvddp.exe108⤵PID:1240
-
\??\c:\jjvvp.exec:\jjvvp.exe109⤵PID:4116
-
\??\c:\frflxxr.exec:\frflxxr.exe110⤵PID:2568
-
\??\c:\nnbhhh.exec:\nnbhhh.exe111⤵PID:4872
-
\??\c:\jjpjv.exec:\jjpjv.exe112⤵PID:1892
-
\??\c:\xxrlrxr.exec:\xxrlrxr.exe113⤵PID:4256
-
\??\c:\btnhtt.exec:\btnhtt.exe114⤵PID:2204
-
\??\c:\hbhbnn.exec:\hbhbnn.exe115⤵PID:2028
-
\??\c:\dvdvp.exec:\dvdvp.exe116⤵PID:4608
-
\??\c:\nntnhh.exec:\nntnhh.exe117⤵PID:1336
-
\??\c:\bbnhhn.exec:\bbnhhn.exe118⤵PID:2832
-
\??\c:\dvjdj.exec:\dvjdj.exe119⤵PID:3220
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe120⤵PID:5020
-
\??\c:\frlllrr.exec:\frlllrr.exe121⤵PID:2716
-
\??\c:\hhnhhn.exec:\hhnhhn.exe122⤵PID:3140