Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe
-
Size
454KB
-
MD5
0d3467fc5a779a1c3fae039d94d36e70
-
SHA1
3282492c7c9ad51e02dafbf4ef9ff0a7832267d3
-
SHA256
e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879
-
SHA512
34cdd181e3d21a252e48d591596529752460e8b0d14629799bff495f96625932bc8b737180327d4241666c5ff1354a76c91204b9ea2f234dac804e0b139428ab
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2872-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3304-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2868-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-1240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3016-1343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4112 nbbttn.exe 1268 rlrflfx.exe 3200 1hhthh.exe 4508 bhtnhn.exe 4396 rlxrlxr.exe 1768 vppjv.exe 4440 rllxlfx.exe 2368 bbtbbh.exe 1988 rfrfxrf.exe 2600 vdvjd.exe 3468 lffflrl.exe 4948 vppdv.exe 4904 9lrfllx.exe 4728 3hnbbt.exe 1320 pddvd.exe 3456 1rlfxxr.exe 1608 3btnbt.exe 4028 5frfrlx.exe 1060 tnnthn.exe 4476 jdvpj.exe 4520 3ffxfxl.exe 3924 frlrffx.exe 3840 nbbtnt.exe 2356 dddpd.exe 2968 nhtnnn.exe 2436 btthtn.exe 1316 7ppdp.exe 64 rxrfxlf.exe 1512 9hnbht.exe 3304 jvvjv.exe 2836 7jjdp.exe 2820 llfrfxr.exe 2852 bhhbnn.exe 2572 jjjvj.exe 4872 jvjvj.exe 3236 bnbthb.exe 1508 thtnhh.exe 1412 pdvvv.exe 2428 tbhbhb.exe 4700 ppdvv.exe 4612 xffrfrl.exe 3508 thhtnh.exe 3488 9pjdv.exe 4792 xllxlfx.exe 4832 lrxrffx.exe 1260 bhtnhb.exe 1636 dddpj.exe 3048 pjvpj.exe 3828 llxrrxx.exe 5112 7nnbtn.exe 2596 5vdpj.exe 1720 lffrlfl.exe 4396 hhbnhb.exe 3944 ppvpd.exe 1480 xllfxrl.exe 1972 tnhbtn.exe 4204 9tthtn.exe 2288 dvpjd.exe 1988 9lrfrlx.exe 2920 nbnhnh.exe 1192 htbtnh.exe 4048 vpjdv.exe 3244 5xxlxfx.exe 4992 tnhtnb.exe -
resource yara_rule behavioral2/memory/2872-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1512-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4644-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-724-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 4112 2872 e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe 83 PID 2872 wrote to memory of 4112 2872 e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe 83 PID 2872 wrote to memory of 4112 2872 e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe 83 PID 4112 wrote to memory of 1268 4112 nbbttn.exe 84 PID 4112 wrote to memory of 1268 4112 nbbttn.exe 84 PID 4112 wrote to memory of 1268 4112 nbbttn.exe 84 PID 1268 wrote to memory of 3200 1268 rlrflfx.exe 85 PID 1268 wrote to memory of 3200 1268 rlrflfx.exe 85 PID 1268 wrote to memory of 3200 1268 rlrflfx.exe 85 PID 3200 wrote to memory of 4508 3200 1hhthh.exe 86 PID 3200 wrote to memory of 4508 3200 1hhthh.exe 86 PID 3200 wrote to memory of 4508 3200 1hhthh.exe 86 PID 4508 wrote to memory of 4396 4508 bhtnhn.exe 87 PID 4508 wrote to memory of 4396 4508 bhtnhn.exe 87 PID 4508 wrote to memory of 4396 4508 bhtnhn.exe 87 PID 4396 wrote to memory of 1768 4396 rlxrlxr.exe 88 PID 4396 wrote to memory of 1768 4396 rlxrlxr.exe 88 PID 4396 wrote to memory of 1768 4396 rlxrlxr.exe 88 PID 1768 wrote to memory of 4440 1768 vppjv.exe 89 PID 1768 wrote to memory of 4440 1768 vppjv.exe 89 PID 1768 wrote to memory of 4440 1768 vppjv.exe 89 PID 4440 wrote to memory of 2368 4440 rllxlfx.exe 90 PID 4440 wrote to memory of 2368 4440 rllxlfx.exe 90 PID 4440 wrote to memory of 2368 4440 rllxlfx.exe 90 PID 2368 wrote to memory of 1988 2368 bbtbbh.exe 91 PID 2368 wrote to memory of 1988 2368 bbtbbh.exe 91 PID 2368 wrote to memory of 1988 2368 bbtbbh.exe 91 PID 1988 wrote to memory of 2600 1988 rfrfxrf.exe 92 PID 1988 wrote to memory of 2600 1988 rfrfxrf.exe 92 PID 1988 wrote to memory of 2600 1988 rfrfxrf.exe 92 PID 2600 wrote to memory of 3468 2600 vdvjd.exe 93 PID 2600 wrote to memory of 3468 2600 vdvjd.exe 93 PID 2600 wrote to memory of 3468 2600 vdvjd.exe 93 PID 3468 wrote to memory of 4948 3468 lffflrl.exe 94 PID 3468 
wrote to memory of 4948 3468 lffflrl.exe 94 PID 3468 wrote to memory of 4948 3468 lffflrl.exe 94 PID 4948 wrote to memory of 4904 4948 vppdv.exe 95 PID 4948 wrote to memory of 4904 4948 vppdv.exe 95 PID 4948 wrote to memory of 4904 4948 vppdv.exe 95 PID 4904 wrote to memory of 4728 4904 9lrfllx.exe 96 PID 4904 wrote to memory of 4728 4904 9lrfllx.exe 96 PID 4904 wrote to memory of 4728 4904 9lrfllx.exe 96 PID 4728 wrote to memory of 1320 4728 3hnbbt.exe 97 PID 4728 wrote to memory of 1320 4728 3hnbbt.exe 97 PID 4728 wrote to memory of 1320 4728 3hnbbt.exe 97 PID 1320 wrote to memory of 3456 1320 pddvd.exe 98 PID 1320 wrote to memory of 3456 1320 pddvd.exe 98 PID 1320 wrote to memory of 3456 1320 pddvd.exe 98 PID 3456 wrote to memory of 1608 3456 1rlfxxr.exe 99 PID 3456 wrote to memory of 1608 3456 1rlfxxr.exe 99 PID 3456 wrote to memory of 1608 3456 1rlfxxr.exe 99 PID 1608 wrote to memory of 4028 1608 3btnbt.exe 100 PID 1608 wrote to memory of 4028 1608 3btnbt.exe 100 PID 1608 wrote to memory of 4028 1608 3btnbt.exe 100 PID 4028 wrote to memory of 1060 4028 5frfrlx.exe 101 PID 4028 wrote to memory of 1060 4028 5frfrlx.exe 101 PID 4028 wrote to memory of 1060 4028 5frfrlx.exe 101 PID 1060 wrote to memory of 4476 1060 tnnthn.exe 102 PID 1060 wrote to memory of 4476 1060 tnnthn.exe 102 PID 1060 wrote to memory of 4476 1060 tnnthn.exe 102 PID 4476 wrote to memory of 4520 4476 jdvpj.exe 103 PID 4476 wrote to memory of 4520 4476 jdvpj.exe 103 PID 4476 wrote to memory of 4520 4476 jdvpj.exe 103 PID 4520 wrote to memory of 3924 4520 3ffxfxl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe"C:\Users\Admin\AppData\Local\Temp\e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\nbbttn.exec:\nbbttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\rlrflfx.exec:\rlrflfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\1hhthh.exec:\1hhthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\bhtnhn.exec:\bhtnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\rlxrlxr.exec:\rlxrlxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\vppjv.exec:\vppjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\rllxlfx.exec:\rllxlfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\bbtbbh.exec:\bbtbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\rfrfxrf.exec:\rfrfxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\vdvjd.exec:\vdvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\lffflrl.exec:\lffflrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\vppdv.exec:\vppdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\9lrfllx.exec:\9lrfllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\3hnbbt.exec:\3hnbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\pddvd.exec:\pddvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\1rlfxxr.exec:\1rlfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\3btnbt.exec:\3btnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\5frfrlx.exec:\5frfrlx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\tnnthn.exec:\tnnthn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\jdvpj.exec:\jdvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\3ffxfxl.exec:\3ffxfxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\frlrffx.exec:\frlrffx.exe23⤵
- Executes dropped EXE
PID:3924 -
\??\c:\nbbtnt.exec:\nbbtnt.exe24⤵
- Executes dropped EXE
PID:3840 -
\??\c:\dddpd.exec:\dddpd.exe25⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nhtnnn.exec:\nhtnnn.exe26⤵
- Executes dropped EXE
PID:2968 -
\??\c:\btthtn.exec:\btthtn.exe27⤵
- Executes dropped EXE
PID:2436 -
\??\c:\7ppdp.exec:\7ppdp.exe28⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rxrfxlf.exec:\rxrfxlf.exe29⤵
- Executes dropped EXE
PID:64 -
\??\c:\9hnbht.exec:\9hnbht.exe30⤵
- Executes dropped EXE
PID:1512 -
\??\c:\jvvjv.exec:\jvvjv.exe31⤵
- Executes dropped EXE
PID:3304 -
\??\c:\7jjdp.exec:\7jjdp.exe32⤵
- Executes dropped EXE
PID:2836 -
\??\c:\llfrfxr.exec:\llfrfxr.exe33⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bhhbnn.exec:\bhhbnn.exe34⤵
- Executes dropped EXE
PID:2852 -
\??\c:\jjjvj.exec:\jjjvj.exe35⤵
- Executes dropped EXE
PID:2572 -
\??\c:\jvjvj.exec:\jvjvj.exe36⤵
- Executes dropped EXE
PID:4872 -
\??\c:\bnbthb.exec:\bnbthb.exe37⤵
- Executes dropped EXE
PID:3236 -
\??\c:\thtnhh.exec:\thtnhh.exe38⤵
- Executes dropped EXE
PID:1508 -
\??\c:\pdvvv.exec:\pdvvv.exe39⤵
- Executes dropped EXE
PID:1412 -
\??\c:\tbhbhb.exec:\tbhbhb.exe40⤵
- Executes dropped EXE
PID:2428 -
\??\c:\ppdvv.exec:\ppdvv.exe41⤵
- Executes dropped EXE
PID:4700 -
\??\c:\xffrfrl.exec:\xffrfrl.exe42⤵
- Executes dropped EXE
PID:4612 -
\??\c:\thhtnh.exec:\thhtnh.exe43⤵
- Executes dropped EXE
PID:3508 -
\??\c:\9pjdv.exec:\9pjdv.exe44⤵
- Executes dropped EXE
PID:3488 -
\??\c:\xllxlfx.exec:\xllxlfx.exe45⤵
- Executes dropped EXE
PID:4792 -
\??\c:\lrxrffx.exec:\lrxrffx.exe46⤵
- Executes dropped EXE
PID:4832 -
\??\c:\bhtnhb.exec:\bhtnhb.exe47⤵
- Executes dropped EXE
PID:1260 -
\??\c:\dddpj.exec:\dddpj.exe48⤵
- Executes dropped EXE
PID:1636 -
\??\c:\pjvpj.exec:\pjvpj.exe49⤵
- Executes dropped EXE
PID:3048 -
\??\c:\llxrrxx.exec:\llxrrxx.exe50⤵
- Executes dropped EXE
PID:3828 -
\??\c:\7nnbtn.exec:\7nnbtn.exe51⤵
- Executes dropped EXE
PID:5112 -
\??\c:\5vdpj.exec:\5vdpj.exe52⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lffrlfl.exec:\lffrlfl.exe53⤵
- Executes dropped EXE
PID:1720 -
\??\c:\hhbnhb.exec:\hhbnhb.exe54⤵
- Executes dropped EXE
PID:4396 -
\??\c:\ppvpd.exec:\ppvpd.exe55⤵
- Executes dropped EXE
PID:3944 -
\??\c:\xllfxrl.exec:\xllfxrl.exe56⤵
- Executes dropped EXE
PID:1480 -
\??\c:\tnhbtn.exec:\tnhbtn.exe57⤵
- Executes dropped EXE
PID:1972 -
\??\c:\9tthtn.exec:\9tthtn.exe58⤵
- Executes dropped EXE
PID:4204 -
\??\c:\dvpjd.exec:\dvpjd.exe59⤵
- Executes dropped EXE
PID:2288 -
\??\c:\9lrfrlx.exec:\9lrfrlx.exe60⤵
- Executes dropped EXE
PID:1988 -
\??\c:\nbnhnh.exec:\nbnhnh.exe61⤵
- Executes dropped EXE
PID:2920 -
\??\c:\htbtnh.exec:\htbtnh.exe62⤵
- Executes dropped EXE
PID:1192 -
\??\c:\vpjdv.exec:\vpjdv.exe63⤵
- Executes dropped EXE
PID:4048 -
\??\c:\5xxlxfx.exec:\5xxlxfx.exe64⤵
- Executes dropped EXE
PID:3244 -
\??\c:\tnhtnb.exec:\tnhtnb.exe65⤵
- Executes dropped EXE
PID:4992 -
\??\c:\7ddvp.exec:\7ddvp.exe66⤵PID:4220
-
\??\c:\djdpj.exec:\djdpj.exe67⤵PID:4044
-
\??\c:\llfxrlf.exec:\llfxrlf.exe68⤵PID:512
-
\??\c:\nttnbt.exec:\nttnbt.exe69⤵PID:3720
-
\??\c:\bnhtbt.exec:\bnhtbt.exe70⤵PID:1832
-
\??\c:\jdjjv.exec:\jdjjv.exe71⤵PID:3388
-
\??\c:\rfffxxr.exec:\rfffxxr.exe72⤵PID:392
-
\??\c:\xllxrxr.exec:\xllxrxr.exe73⤵PID:1060
-
\??\c:\3hnhtt.exec:\3hnhtt.exe74⤵PID:4704
-
\??\c:\pdjdj.exec:\pdjdj.exe75⤵PID:1416
-
\??\c:\vppdj.exec:\vppdj.exe76⤵PID:2868
-
\??\c:\fllxlfx.exec:\fllxlfx.exe77⤵PID:1704
-
\??\c:\btnbtt.exec:\btnbtt.exe78⤵PID:2580
-
\??\c:\djvpj.exec:\djvpj.exe79⤵PID:3076
-
\??\c:\fxlxfxf.exec:\fxlxfxf.exe80⤵PID:2176
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe81⤵PID:764
-
\??\c:\bhtbhh.exec:\bhtbhh.exe82⤵PID:2824
-
\??\c:\ddpvv.exec:\ddpvv.exe83⤵PID:4644
-
\??\c:\rfxlfxr.exec:\rfxlfxr.exe84⤵PID:3156
-
\??\c:\htnnhb.exec:\htnnhb.exe85⤵PID:3812
-
\??\c:\htttbt.exec:\htttbt.exe86⤵PID:4264
-
\??\c:\dddpj.exec:\dddpj.exe87⤵PID:2836
-
\??\c:\fflfrlx.exec:\fflfrlx.exe88⤵PID:2948
-
\??\c:\thbnbb.exec:\thbnbb.exe89⤵PID:1952
-
\??\c:\vvpjv.exec:\vvpjv.exe90⤵PID:4012
-
\??\c:\jvdvj.exec:\jvdvj.exe91⤵PID:1204
-
\??\c:\flrfffl.exec:\flrfffl.exe92⤵PID:1292
-
\??\c:\7nhbnh.exec:\7nhbnh.exe93⤵PID:1688
-
\??\c:\hhnbnh.exec:\hhnbnh.exe94⤵PID:1508
-
\??\c:\jjjdj.exec:\jjjdj.exe95⤵PID:1412
-
\??\c:\lxfxfxl.exec:\lxfxfxl.exe96⤵PID:4648
-
\??\c:\nbbnbt.exec:\nbbnbt.exe97⤵PID:3240
-
\??\c:\jddvd.exec:\jddvd.exe98⤵PID:2740
-
\??\c:\jvvdv.exec:\jvvdv.exe99⤵PID:540
-
\??\c:\xrrxllx.exec:\xrrxllx.exe100⤵PID:4516
-
\??\c:\hhhbnh.exec:\hhhbnh.exe101⤵PID:1336
-
\??\c:\vvjdd.exec:\vvjdd.exe102⤵PID:2640
-
\??\c:\vpppd.exec:\vpppd.exe103⤵PID:4368
-
\??\c:\xfxflxr.exec:\xfxflxr.exe104⤵PID:3376
-
\??\c:\nbthtn.exec:\nbthtn.exe105⤵PID:2256
-
\??\c:\vddjv.exec:\vddjv.exe106⤵PID:4908
-
\??\c:\xrxlfxr.exec:\xrxlfxr.exe107⤵PID:4356
-
\??\c:\rllfrlf.exec:\rllfrlf.exe108⤵PID:2928
-
\??\c:\bnthtn.exec:\bnthtn.exe109⤵PID:4832
-
\??\c:\5pvpv.exec:\5pvpv.exe110⤵PID:2632
-
\??\c:\rffxrfr.exec:\rffxrfr.exe111⤵PID:1264
-
\??\c:\frlxrlx.exec:\frlxrlx.exe112⤵PID:4956
-
\??\c:\vjvpj.exec:\vjvpj.exe113⤵PID:2628
-
\??\c:\jddpd.exec:\jddpd.exe114⤵PID:4576
-
\??\c:\xxlfxrl.exec:\xxlfxrl.exe115⤵PID:940
-
\??\c:\5tthtn.exec:\5tthtn.exe116⤵PID:4276
-
\??\c:\3tnhtn.exec:\3tnhtn.exe117⤵PID:4200
-
\??\c:\1ppvj.exec:\1ppvj.exe118⤵PID:1768
-
\??\c:\xllrfxl.exec:\xllrfxl.exe119⤵PID:4452
-
\??\c:\1nthnh.exec:\1nthnh.exe120⤵PID:1480
-
\??\c:\pppdp.exec:\pppdp.exe121⤵PID:552
-
\??\c:\lrxxxxx.exec:\lrxxxxx.exe122⤵PID:4148
-