Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe
-
Size
454KB
-
MD5
0d3467fc5a779a1c3fae039d94d36e70
-
SHA1
3282492c7c9ad51e02dafbf4ef9ff0a7832267d3
-
SHA256
e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879
-
SHA512
34cdd181e3d21a252e48d591596529752460e8b0d14629799bff495f96625932bc8b737180327d4241666c5ff1354a76c91204b9ea2f234dac804e0b139428ab
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2860-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-41-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-119-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2772-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1180-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-160-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1136-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-209-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2000-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1168-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-436-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-487-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1928-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-618-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2568-616-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2664-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-740-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2036 9hhbbn.exe 2820 5xfxlxx.exe 2696 hhbhnb.exe 2256 3ppdj.exe 2724 llfxfrx.exe 2600 rlllxlx.exe 2620 fxlxlrf.exe 2088 5lrlllr.exe 1740 hhbnth.exe 2584 rxxlxlf.exe 2236 hnhntn.exe 2772 nhbhtb.exe 2900 hbthnb.exe 1180 ntnbnh.exe 2440 7bbthh.exe 1612 fffxllf.exe 1136 5ntbnt.exe 2168 fflfrlr.exe 2388 vvppv.exe 1860 frflxfr.exe 696 bthnbb.exe 352 llxflxr.exe 904 hhhhhn.exe 2000 tnhhtb.exe 1168 jdvdv.exe 2032 ntnbnb.exe 1520 jvvjj.exe 2144 nnhtbt.exe 1688 ddvjd.exe 1884 hbbhnb.exe 620 1jvvd.exe 2264 5thhth.exe 2832 rlflflx.exe 2708 3nbbtb.exe 2736 dvpdj.exe 2704 pdvpj.exe 836 lffxrrf.exe 2544 bbbhth.exe 2664 pjvpv.exe 2096 rlffxxf.exe 2620 xxrxllx.exe 2888 tttnbn.exe 844 vvjpj.exe 2104 xffxlrl.exe 3048 1frrflr.exe 2876 hbhnhn.exe 1156 jvpjd.exe 2920 lfxfrrl.exe 2764 hbtbtb.exe 1160 nhbhnt.exe 2232 7ddjp.exe 1480 lffflxf.exe 1348 bnnbnt.exe 2384 vvppj.exe 2200 llflrfl.exe 3000 lxrxxfx.exe 1708 3btbht.exe 1788 7ppdv.exe 1860 fllrlrx.exe 1928 hhhnbh.exe 860 3nhbth.exe 1924 dvdvd.exe 2408 xfrrflf.exe 1368 bhntnb.exe -
resource yara_rule behavioral1/memory/2036-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1180-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1168-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-436-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1860-487-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/1928-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-616-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/2664-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-701-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2108-706-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxfflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2036 2860 e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe 31 PID 2860 wrote to memory of 2036 2860 e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe 31 PID 2860 wrote to memory of 2036 2860 e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe 31 PID 2860 wrote to memory of 2036 2860 e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe 31 PID 2036 wrote to memory of 2820 2036 9hhbbn.exe 32 PID 2036 wrote to memory of 2820 2036 9hhbbn.exe 32 PID 2036 wrote to memory of 2820 2036 9hhbbn.exe 32 PID 2036 wrote to memory of 2820 2036 9hhbbn.exe 32 PID 2820 wrote to memory of 2696 2820 5xfxlxx.exe 33 PID 2820 wrote to memory of 2696 2820 5xfxlxx.exe 33 PID 2820 wrote to memory of 2696 2820 5xfxlxx.exe 33 PID 2820 wrote to memory of 2696 2820 5xfxlxx.exe 33 PID 2696 wrote to memory of 2256 2696 hhbhnb.exe 34 PID 2696 wrote to memory of 2256 2696 hhbhnb.exe 34 PID 2696 wrote to memory of 2256 2696 hhbhnb.exe 34 PID 2696 wrote to memory of 2256 2696 hhbhnb.exe 34 PID 2256 wrote to memory of 2724 2256 3ppdj.exe 35 PID 2256 wrote to memory of 2724 2256 3ppdj.exe 35 PID 2256 wrote to memory of 2724 2256 3ppdj.exe 35 PID 2256 wrote to memory of 2724 2256 3ppdj.exe 35 PID 2724 wrote to memory of 2600 2724 llfxfrx.exe 36 PID 2724 wrote to memory of 2600 2724 llfxfrx.exe 36 PID 2724 wrote to memory of 2600 2724 llfxfrx.exe 36 PID 2724 wrote to memory of 2600 2724 llfxfrx.exe 36 PID 2600 wrote to memory of 2620 2600 rlllxlx.exe 37 PID 2600 wrote to memory of 2620 2600 rlllxlx.exe 37 PID 2600 wrote to memory of 2620 2600 rlllxlx.exe 37 PID 2600 wrote to memory of 2620 2600 rlllxlx.exe 37 PID 2620 wrote to memory of 2088 2620 fxlxlrf.exe 38 PID 2620 wrote to memory of 2088 2620 fxlxlrf.exe 38 PID 2620 wrote to memory of 2088 2620 fxlxlrf.exe 38 PID 2620 wrote to memory of 2088 2620 fxlxlrf.exe 38 PID 2088 wrote to memory of 1740 2088 5lrlllr.exe 
39 PID 2088 wrote to memory of 1740 2088 5lrlllr.exe 39 PID 2088 wrote to memory of 1740 2088 5lrlllr.exe 39 PID 2088 wrote to memory of 1740 2088 5lrlllr.exe 39 PID 1740 wrote to memory of 2584 1740 hhbnth.exe 40 PID 1740 wrote to memory of 2584 1740 hhbnth.exe 40 PID 1740 wrote to memory of 2584 1740 hhbnth.exe 40 PID 1740 wrote to memory of 2584 1740 hhbnth.exe 40 PID 2584 wrote to memory of 2236 2584 rxxlxlf.exe 41 PID 2584 wrote to memory of 2236 2584 rxxlxlf.exe 41 PID 2584 wrote to memory of 2236 2584 rxxlxlf.exe 41 PID 2584 wrote to memory of 2236 2584 rxxlxlf.exe 41 PID 2236 wrote to memory of 2772 2236 hnhntn.exe 42 PID 2236 wrote to memory of 2772 2236 hnhntn.exe 42 PID 2236 wrote to memory of 2772 2236 hnhntn.exe 42 PID 2236 wrote to memory of 2772 2236 hnhntn.exe 42 PID 2772 wrote to memory of 2900 2772 nhbhtb.exe 43 PID 2772 wrote to memory of 2900 2772 nhbhtb.exe 43 PID 2772 wrote to memory of 2900 2772 nhbhtb.exe 43 PID 2772 wrote to memory of 2900 2772 nhbhtb.exe 43 PID 2900 wrote to memory of 1180 2900 hbthnb.exe 44 PID 2900 wrote to memory of 1180 2900 hbthnb.exe 44 PID 2900 wrote to memory of 1180 2900 hbthnb.exe 44 PID 2900 wrote to memory of 1180 2900 hbthnb.exe 44 PID 1180 wrote to memory of 2440 1180 ntnbnh.exe 45 PID 1180 wrote to memory of 2440 1180 ntnbnh.exe 45 PID 1180 wrote to memory of 2440 1180 ntnbnh.exe 45 PID 1180 wrote to memory of 2440 1180 ntnbnh.exe 45 PID 2440 wrote to memory of 1612 2440 7bbthh.exe 46 PID 2440 wrote to memory of 1612 2440 7bbthh.exe 46 PID 2440 wrote to memory of 1612 2440 7bbthh.exe 46 PID 2440 wrote to memory of 1612 2440 7bbthh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe"C:\Users\Admin\AppData\Local\Temp\e2ccfe9f0ae0c25414dee982b0322235f6a71787b364206508900341f8506879N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\9hhbbn.exec:\9hhbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\5xfxlxx.exec:\5xfxlxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\hhbhnb.exec:\hhbhnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\3ppdj.exec:\3ppdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\llfxfrx.exec:\llfxfrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\rlllxlx.exec:\rlllxlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\fxlxlrf.exec:\fxlxlrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\5lrlllr.exec:\5lrlllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\hhbnth.exec:\hhbnth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\rxxlxlf.exec:\rxxlxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\hnhntn.exec:\hnhntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\nhbhtb.exec:\nhbhtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\hbthnb.exec:\hbthnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\ntnbnh.exec:\ntnbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\7bbthh.exec:\7bbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\fffxllf.exec:\fffxllf.exe17⤵
- Executes dropped EXE
PID:1612 -
\??\c:\5ntbnt.exec:\5ntbnt.exe18⤵
- Executes dropped EXE
PID:1136 -
\??\c:\fflfrlr.exec:\fflfrlr.exe19⤵
- Executes dropped EXE
PID:2168 -
\??\c:\vvppv.exec:\vvppv.exe20⤵
- Executes dropped EXE
PID:2388 -
\??\c:\frflxfr.exec:\frflxfr.exe21⤵
- Executes dropped EXE
PID:1860 -
\??\c:\bthnbb.exec:\bthnbb.exe22⤵
- Executes dropped EXE
PID:696 -
\??\c:\llxflxr.exec:\llxflxr.exe23⤵
- Executes dropped EXE
PID:352 -
\??\c:\hhhhhn.exec:\hhhhhn.exe24⤵
- Executes dropped EXE
PID:904 -
\??\c:\tnhhtb.exec:\tnhhtb.exe25⤵
- Executes dropped EXE
PID:2000 -
\??\c:\jdvdv.exec:\jdvdv.exe26⤵
- Executes dropped EXE
PID:1168 -
\??\c:\ntnbnb.exec:\ntnbnb.exe27⤵
- Executes dropped EXE
PID:2032 -
\??\c:\jvvjj.exec:\jvvjj.exe28⤵
- Executes dropped EXE
PID:1520 -
\??\c:\nnhtbt.exec:\nnhtbt.exe29⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ddvjd.exec:\ddvjd.exe30⤵
- Executes dropped EXE
PID:1688 -
\??\c:\hbbhnb.exec:\hbbhnb.exe31⤵
- Executes dropped EXE
PID:1884 -
\??\c:\1jvvd.exec:\1jvvd.exe32⤵
- Executes dropped EXE
PID:620 -
\??\c:\5thhth.exec:\5thhth.exe33⤵
- Executes dropped EXE
PID:2264 -
\??\c:\rlflflx.exec:\rlflflx.exe34⤵
- Executes dropped EXE
PID:2832 -
\??\c:\3nbbtb.exec:\3nbbtb.exe35⤵
- Executes dropped EXE
PID:2708 -
\??\c:\dvpdj.exec:\dvpdj.exe36⤵
- Executes dropped EXE
PID:2736 -
\??\c:\pdvpj.exec:\pdvpj.exe37⤵
- Executes dropped EXE
PID:2704 -
\??\c:\lffxrrf.exec:\lffxrrf.exe38⤵
- Executes dropped EXE
PID:836 -
\??\c:\bbbhth.exec:\bbbhth.exe39⤵
- Executes dropped EXE
PID:2544 -
\??\c:\pjvpv.exec:\pjvpv.exe40⤵
- Executes dropped EXE
PID:2664 -
\??\c:\rlffxxf.exec:\rlffxxf.exe41⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xxrxllx.exec:\xxrxllx.exe42⤵
- Executes dropped EXE
PID:2620 -
\??\c:\tttnbn.exec:\tttnbn.exe43⤵
- Executes dropped EXE
PID:2888 -
\??\c:\vvjpj.exec:\vvjpj.exe44⤵
- Executes dropped EXE
PID:844 -
\??\c:\xffxlrl.exec:\xffxlrl.exe45⤵
- Executes dropped EXE
PID:2104 -
\??\c:\1frrflr.exec:\1frrflr.exe46⤵
- Executes dropped EXE
PID:3048 -
\??\c:\hbhnhn.exec:\hbhnhn.exe47⤵
- Executes dropped EXE
PID:2876 -
\??\c:\jvpjd.exec:\jvpjd.exe48⤵
- Executes dropped EXE
PID:1156 -
\??\c:\lfxfrrl.exec:\lfxfrrl.exe49⤵
- Executes dropped EXE
PID:2920 -
\??\c:\hbtbtb.exec:\hbtbtb.exe50⤵
- Executes dropped EXE
PID:2764 -
\??\c:\nhbhnt.exec:\nhbhnt.exe51⤵
- Executes dropped EXE
PID:1160 -
\??\c:\7ddjp.exec:\7ddjp.exe52⤵
- Executes dropped EXE
PID:2232 -
\??\c:\lffflxf.exec:\lffflxf.exe53⤵
- Executes dropped EXE
PID:1480 -
\??\c:\bnnbnt.exec:\bnnbnt.exe54⤵
- Executes dropped EXE
PID:1348 -
\??\c:\vvppj.exec:\vvppj.exe55⤵
- Executes dropped EXE
PID:2384 -
\??\c:\llflrfl.exec:\llflrfl.exe56⤵
- Executes dropped EXE
PID:2200 -
\??\c:\lxrxxfx.exec:\lxrxxfx.exe57⤵
- Executes dropped EXE
PID:3000 -
\??\c:\3btbht.exec:\3btbht.exe58⤵
- Executes dropped EXE
PID:1708 -
\??\c:\7ppdv.exec:\7ppdv.exe59⤵
- Executes dropped EXE
PID:1788 -
\??\c:\fllrlrx.exec:\fllrlrx.exe60⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hhhnbh.exec:\hhhnbh.exe61⤵
- Executes dropped EXE
PID:1928 -
\??\c:\3nhbth.exec:\3nhbth.exe62⤵
- Executes dropped EXE
PID:860 -
\??\c:\dvdvd.exec:\dvdvd.exe63⤵
- Executes dropped EXE
PID:1924 -
\??\c:\xfrrflf.exec:\xfrrflf.exe64⤵
- Executes dropped EXE
PID:2408 -
\??\c:\bhntnb.exec:\bhntnb.exe65⤵
- Executes dropped EXE
PID:1368 -
\??\c:\7jvvd.exec:\7jvvd.exe66⤵PID:992
-
\??\c:\9vjdd.exec:\9vjdd.exe67⤵PID:1656
-
\??\c:\rlllflx.exec:\rlllflx.exe68⤵PID:2420
-
\??\c:\tnhhhh.exec:\tnhhhh.exe69⤵PID:1736
-
\??\c:\1tnhnn.exec:\1tnhnn.exe70⤵PID:3024
-
\??\c:\9pjvj.exec:\9pjvj.exe71⤵PID:2632
-
\??\c:\flrfrrf.exec:\flrfrrf.exe72⤵PID:1184
-
\??\c:\hnhhth.exec:\hnhhth.exe73⤵PID:2640
-
\??\c:\bnbnhh.exec:\bnbnhh.exe74⤵
- System Location Discovery: System Language Discovery
PID:1592 -
\??\c:\jpvdj.exec:\jpvdj.exe75⤵PID:1996
-
\??\c:\5llxflx.exec:\5llxflx.exe76⤵PID:2264
-
\??\c:\3nnttt.exec:\3nnttt.exe77⤵PID:2828
-
\??\c:\5bnbhn.exec:\5bnbhn.exe78⤵PID:2712
-
\??\c:\9llflxf.exec:\9llflxf.exe79⤵PID:2568
-
\??\c:\5fxxxxf.exec:\5fxxxxf.exe80⤵PID:2688
-
\??\c:\7hhnbb.exec:\7hhnbb.exe81⤵PID:2724
-
\??\c:\dvvdp.exec:\dvvdp.exe82⤵PID:2592
-
\??\c:\5rlxfxr.exec:\5rlxfxr.exe83⤵PID:2664
-
\??\c:\fffrllx.exec:\fffrllx.exe84⤵PID:2760
-
\??\c:\nnnbnb.exec:\nnnbnb.exe85⤵PID:320
-
\??\c:\5jvjd.exec:\5jvjd.exe86⤵
- System Location Discovery: System Language Discovery
PID:2888 -
\??\c:\vpjpd.exec:\vpjpd.exe87⤵PID:1344
-
\??\c:\xffxrfx.exec:\xffxrfx.exe88⤵PID:2636
-
\??\c:\bththh.exec:\bththh.exe89⤵PID:3048
-
\??\c:\tntbnn.exec:\tntbnn.exe90⤵PID:2868
-
\??\c:\flllflx.exec:\flllflx.exe91⤵PID:664
-
\??\c:\5rlflrl.exec:\5rlflrl.exe92⤵PID:2936
-
\??\c:\1hbnth.exec:\1hbnth.exe93⤵PID:2108
-
\??\c:\dvddj.exec:\dvddj.exe94⤵PID:1904
-
\??\c:\xlflrxf.exec:\xlflrxf.exe95⤵PID:2904
-
\??\c:\xrlrlrf.exec:\xrlrlrf.exe96⤵PID:280
-
\??\c:\hhhnbn.exec:\hhhnbn.exe97⤵PID:2100
-
\??\c:\jjdjp.exec:\jjdjp.exe98⤵PID:3020
-
\??\c:\rrflxxl.exec:\rrflxxl.exe99⤵PID:912
-
\??\c:\nnhtnh.exec:\nnhtnh.exe100⤵PID:2080
-
\??\c:\7jdvd.exec:\7jdvd.exe101⤵PID:1252
-
\??\c:\djpvp.exec:\djpvp.exe102⤵PID:1600
-
\??\c:\rrxrfff.exec:\rrxrfff.exe103⤵PID:932
-
\??\c:\thtnbt.exec:\thtnbt.exe104⤵PID:692
-
\??\c:\dddvj.exec:\dddvj.exe105⤵PID:1792
-
\??\c:\pjvpv.exec:\pjvpv.exe106⤵PID:1404
-
\??\c:\lrrlxfr.exec:\lrrlxfr.exe107⤵PID:2332
-
\??\c:\5nntbh.exec:\5nntbh.exe108⤵PID:2044
-
\??\c:\5vvvd.exec:\5vvvd.exe109⤵PID:288
-
\??\c:\xxllfrl.exec:\xxllfrl.exe110⤵PID:2032
-
\??\c:\httthb.exec:\httthb.exe111⤵PID:2460
-
\??\c:\5ddjd.exec:\5ddjd.exe112⤵PID:1000
-
\??\c:\xrlrlrx.exec:\xrlrlrx.exe113⤵PID:892
-
\??\c:\7bthht.exec:\7bthht.exe114⤵PID:1756
-
\??\c:\7vpvd.exec:\7vpvd.exe115⤵PID:2860
-
\??\c:\ffflrfx.exec:\ffflrfx.exe116⤵PID:620
-
\??\c:\bbntbn.exec:\bbntbn.exe117⤵PID:2036
-
\??\c:\hhbhnt.exec:\hhbhnt.exe118⤵PID:2816
-
\??\c:\vpdjp.exec:\vpdjp.exe119⤵PID:2748
-
\??\c:\xrlxrxl.exec:\xrlxrxl.exe120⤵PID:2804
-
\??\c:\ttnhbn.exec:\ttnhbn.exe121⤵PID:2712
-
\??\c:\jjdvj.exec:\jjdvj.exe122⤵PID:2572