Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
20-01-2025 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe
-
Size
456KB
-
MD5
32e1140843a49039d3ec5ddcf59f863f
-
SHA1
7310c203f93cf5ec03e248c95301c765c94d0af8
-
SHA256
e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8
-
SHA512
883812f676d582ec24b20b45f99f89f5349e8d1d0ffcd4a974d99d96c949a3048d371fc89c6ebdd1c1f947bf51213964729052d9fd55d3f75d0dbd0623b1bd8a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT6:q7Tc2NYHUrAwfMp3CDu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2192-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-100-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/984-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/764-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1452-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1060-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2412-317-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2412-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-352-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/2748-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1228-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/472-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-470-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1704-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-515-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1972-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-611-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2620-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-838-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2244-913-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2908-944-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/800-987-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/780-1025-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1080-1076-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1856-1173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-1186-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2652-1212-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-1232-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1300-1251-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2156 4684602.exe 1748 426868.exe 2380 3pdpv.exe 2744 lxrfllf.exe 3028 48642.exe 2620 20846.exe 2948 42884.exe 2668 nhbbhn.exe 2656 m4220.exe 2664 tnntbb.exe 984 o440286.exe 2964 i428068.exe 764 bbnnbb.exe 1372 fxxxxxl.exe 1452 0468628.exe 2144 vpdjd.exe 1376 k04088.exe 1648 1btbnn.exe 2396 m0880.exe 2592 vvpvj.exe 1636 2280884.exe 3048 thnbbb.exe 1080 xxrfrxf.exe 612 c040408.exe 1396 k86628.exe 1060 8062684.exe 928 048022.exe 712 2644446.exe 2080 7btbbh.exe 2420 lfllrll.exe 1336 82442.exe 1508 264622.exe 1932 1bhbnn.exe 2216 0462624.exe 2412 dvjpd.exe 2532 080004.exe 2068 hbthnh.exe 2936 m8628.exe 2888 nhbntb.exe 2744 jpdvj.exe 2748 nhttbb.exe 2640 g2008.exe 2776 1nbtbn.exe 2176 ppvpv.exe 2684 jvppv.exe 2188 hhbhbn.exe 2248 0424280.exe 2988 nnhhbn.exe 2848 g6446.exe 796 g8662.exe 1228 60264.exe 472 vjdpd.exe 1148 4802024.exe 2060 xxrfxfx.exe 1876 hbhnbb.exe 488 rfrlrlx.exe 1632 5hhnbh.exe 1488 frffllr.exe 2024 1rflffx.exe 1036 9xrlrlr.exe 2360 5hnnnn.exe 3040 82662.exe 1756 jddpp.exe 2584 g2600.exe -
resource yara_rule behavioral1/memory/2192-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-143-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1452-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-240-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1060-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-262-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1508-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/472-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/472-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-515-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1972-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-764-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2376-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-894-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-1059-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1780-1107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w24022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4240262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0480280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i866886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2192 wrote to memory of 2156 2192 e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe 30 PID 2192 wrote to memory of 2156 2192 e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe 30 PID 2192 wrote to memory of 2156 2192 e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe 30 PID 2192 wrote to memory of 2156 2192 e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe 30 PID 2156 wrote to memory of 1748 2156 4684602.exe 31 PID 2156 wrote to memory of 1748 2156 4684602.exe 31 PID 2156 wrote to memory of 1748 2156 4684602.exe 31 PID 2156 wrote to memory of 1748 2156 4684602.exe 31 PID 1748 wrote to memory of 2380 1748 426868.exe 32 PID 1748 wrote to memory of 2380 1748 426868.exe 32 PID 1748 wrote to memory of 2380 1748 426868.exe 32 PID 1748 wrote to memory of 2380 1748 426868.exe 32 PID 2380 wrote to memory of 2744 2380 3pdpv.exe 33 PID 2380 wrote to memory of 2744 2380 3pdpv.exe 33 PID 2380 wrote to memory of 2744 2380 3pdpv.exe 33 PID 2380 wrote to memory of 2744 2380 3pdpv.exe 33 PID 2744 wrote to memory of 3028 2744 lxrfllf.exe 34 PID 2744 wrote to memory of 3028 2744 lxrfllf.exe 34 PID 2744 wrote to memory of 3028 2744 lxrfllf.exe 34 PID 2744 wrote to memory of 3028 2744 lxrfllf.exe 34 PID 3028 wrote to memory of 2620 3028 48642.exe 35 PID 3028 wrote to memory of 2620 3028 48642.exe 35 PID 3028 wrote to memory of 2620 3028 48642.exe 35 PID 3028 wrote to memory of 2620 3028 48642.exe 35 PID 2620 wrote to memory of 2948 2620 20846.exe 36 PID 2620 wrote to memory of 2948 2620 20846.exe 36 PID 2620 wrote to memory of 2948 2620 20846.exe 36 PID 2620 wrote to memory of 2948 2620 20846.exe 36 PID 2948 wrote to memory of 2668 2948 42884.exe 37 PID 2948 wrote to memory of 2668 2948 42884.exe 37 PID 2948 wrote to memory of 2668 2948 42884.exe 37 PID 2948 wrote to memory of 2668 2948 42884.exe 37 PID 2668 wrote to memory of 2656 2668 nhbbhn.exe 38 PID 2668 wrote to 
memory of 2656 2668 nhbbhn.exe 38 PID 2668 wrote to memory of 2656 2668 nhbbhn.exe 38 PID 2668 wrote to memory of 2656 2668 nhbbhn.exe 38 PID 2656 wrote to memory of 2664 2656 m4220.exe 39 PID 2656 wrote to memory of 2664 2656 m4220.exe 39 PID 2656 wrote to memory of 2664 2656 m4220.exe 39 PID 2656 wrote to memory of 2664 2656 m4220.exe 39 PID 2664 wrote to memory of 984 2664 tnntbb.exe 40 PID 2664 wrote to memory of 984 2664 tnntbb.exe 40 PID 2664 wrote to memory of 984 2664 tnntbb.exe 40 PID 2664 wrote to memory of 984 2664 tnntbb.exe 40 PID 984 wrote to memory of 2964 984 o440286.exe 41 PID 984 wrote to memory of 2964 984 o440286.exe 41 PID 984 wrote to memory of 2964 984 o440286.exe 41 PID 984 wrote to memory of 2964 984 o440286.exe 41 PID 2964 wrote to memory of 764 2964 i428068.exe 42 PID 2964 wrote to memory of 764 2964 i428068.exe 42 PID 2964 wrote to memory of 764 2964 i428068.exe 42 PID 2964 wrote to memory of 764 2964 i428068.exe 42 PID 764 wrote to memory of 1372 764 bbnnbb.exe 43 PID 764 wrote to memory of 1372 764 bbnnbb.exe 43 PID 764 wrote to memory of 1372 764 bbnnbb.exe 43 PID 764 wrote to memory of 1372 764 bbnnbb.exe 43 PID 1372 wrote to memory of 1452 1372 fxxxxxl.exe 44 PID 1372 wrote to memory of 1452 1372 fxxxxxl.exe 44 PID 1372 wrote to memory of 1452 1372 fxxxxxl.exe 44 PID 1372 wrote to memory of 1452 1372 fxxxxxl.exe 44 PID 1452 wrote to memory of 2144 1452 0468628.exe 45 PID 1452 wrote to memory of 2144 1452 0468628.exe 45 PID 1452 wrote to memory of 2144 1452 0468628.exe 45 PID 1452 wrote to memory of 2144 1452 0468628.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe"C:\Users\Admin\AppData\Local\Temp\e090f8ec3f8ab9ed5418d366424c1f5c4c0eae3d7156954ad54f5ffd908ed8d8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\4684602.exec:\4684602.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\426868.exec:\426868.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\3pdpv.exec:\3pdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\lxrfllf.exec:\lxrfllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\48642.exec:\48642.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\20846.exec:\20846.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\42884.exec:\42884.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\nhbbhn.exec:\nhbbhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\m4220.exec:\m4220.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\tnntbb.exec:\tnntbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\o440286.exec:\o440286.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\i428068.exec:\i428068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\bbnnbb.exec:\bbnnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\fxxxxxl.exec:\fxxxxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\0468628.exec:\0468628.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\vpdjd.exec:\vpdjd.exe17⤵
- Executes dropped EXE
PID:2144 -
\??\c:\k04088.exec:\k04088.exe18⤵
- Executes dropped EXE
PID:1376 -
\??\c:\1btbnn.exec:\1btbnn.exe19⤵
- Executes dropped EXE
PID:1648 -
\??\c:\m0880.exec:\m0880.exe20⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vvpvj.exec:\vvpvj.exe21⤵
- Executes dropped EXE
PID:2592 -
\??\c:\2280884.exec:\2280884.exe22⤵
- Executes dropped EXE
PID:1636 -
\??\c:\thnbbb.exec:\thnbbb.exe23⤵
- Executes dropped EXE
PID:3048 -
\??\c:\xxrfrxf.exec:\xxrfrxf.exe24⤵
- Executes dropped EXE
PID:1080 -
\??\c:\c040408.exec:\c040408.exe25⤵
- Executes dropped EXE
PID:612 -
\??\c:\k86628.exec:\k86628.exe26⤵
- Executes dropped EXE
PID:1396 -
\??\c:\8062684.exec:\8062684.exe27⤵
- Executes dropped EXE
PID:1060 -
\??\c:\048022.exec:\048022.exe28⤵
- Executes dropped EXE
PID:928 -
\??\c:\2644446.exec:\2644446.exe29⤵
- Executes dropped EXE
PID:712 -
\??\c:\7btbbh.exec:\7btbbh.exe30⤵
- Executes dropped EXE
PID:2080 -
\??\c:\lfllrll.exec:\lfllrll.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
\??\c:\82442.exec:\82442.exe32⤵
- Executes dropped EXE
PID:1336 -
\??\c:\264622.exec:\264622.exe33⤵
- Executes dropped EXE
PID:1508 -
\??\c:\1bhbnn.exec:\1bhbnn.exe34⤵
- Executes dropped EXE
PID:1932 -
\??\c:\0462624.exec:\0462624.exe35⤵
- Executes dropped EXE
PID:2216 -
\??\c:\dvjpd.exec:\dvjpd.exe36⤵
- Executes dropped EXE
PID:2412 -
\??\c:\080004.exec:\080004.exe37⤵
- Executes dropped EXE
PID:2532 -
\??\c:\hbthnh.exec:\hbthnh.exe38⤵
- Executes dropped EXE
PID:2068 -
\??\c:\m8628.exec:\m8628.exe39⤵
- Executes dropped EXE
PID:2936 -
\??\c:\nhbntb.exec:\nhbntb.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\jpdvj.exec:\jpdvj.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\nhttbb.exec:\nhttbb.exe42⤵
- Executes dropped EXE
PID:2748 -
\??\c:\g2008.exec:\g2008.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\1nbtbn.exec:\1nbtbn.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\ppvpv.exec:\ppvpv.exe45⤵
- Executes dropped EXE
PID:2176 -
\??\c:\jvppv.exec:\jvppv.exe46⤵
- Executes dropped EXE
PID:2684 -
\??\c:\hhbhbn.exec:\hhbhbn.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188 -
\??\c:\0424280.exec:\0424280.exe48⤵
- Executes dropped EXE
PID:2248 -
\??\c:\nnhhbn.exec:\nnhhbn.exe49⤵
- Executes dropped EXE
PID:2988 -
\??\c:\g6446.exec:\g6446.exe50⤵
- Executes dropped EXE
PID:2848 -
\??\c:\g8662.exec:\g8662.exe51⤵
- Executes dropped EXE
PID:796 -
\??\c:\60264.exec:\60264.exe52⤵
- Executes dropped EXE
PID:1228 -
\??\c:\vjdpd.exec:\vjdpd.exe53⤵
- Executes dropped EXE
PID:472 -
\??\c:\4802024.exec:\4802024.exe54⤵
- Executes dropped EXE
PID:1148 -
\??\c:\xxrfxfx.exec:\xxrfxfx.exe55⤵
- Executes dropped EXE
PID:2060 -
\??\c:\hbhnbb.exec:\hbhnbb.exe56⤵
- Executes dropped EXE
PID:1876 -
\??\c:\rfrlrlx.exec:\rfrlrlx.exe57⤵
- Executes dropped EXE
PID:488 -
\??\c:\5hhnbh.exec:\5hhnbh.exe58⤵
- Executes dropped EXE
PID:1632 -
\??\c:\frffllr.exec:\frffllr.exe59⤵
- Executes dropped EXE
PID:1488 -
\??\c:\1rflffx.exec:\1rflffx.exe60⤵
- Executes dropped EXE
PID:2024 -
\??\c:\9xrlrlr.exec:\9xrlrlr.exe61⤵
- Executes dropped EXE
PID:1036 -
\??\c:\5hnnnn.exec:\5hnnnn.exe62⤵
- Executes dropped EXE
PID:2360 -
\??\c:\82662.exec:\82662.exe63⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jddpp.exec:\jddpp.exe64⤵
- Executes dropped EXE
PID:1756 -
\??\c:\g2600.exec:\g2600.exe65⤵
- Executes dropped EXE
PID:2584 -
\??\c:\642802.exec:\642802.exe66⤵PID:1704
-
\??\c:\480284.exec:\480284.exe67⤵PID:1056
-
\??\c:\vvjpv.exec:\vvjpv.exe68⤵PID:2012
-
\??\c:\7frlfff.exec:\7frlfff.exe69⤵PID:1688
-
\??\c:\2628068.exec:\2628068.exe70⤵PID:1000
-
\??\c:\frxrlll.exec:\frxrlll.exe71⤵PID:2036
-
\??\c:\vpvdp.exec:\vpvdp.exe72⤵PID:2692
-
\??\c:\3vdvv.exec:\3vdvv.exe73⤵PID:640
-
\??\c:\rlxfxxr.exec:\rlxfxxr.exe74⤵PID:572
-
\??\c:\868844.exec:\868844.exe75⤵PID:316
-
\??\c:\jpjpj.exec:\jpjpj.exe76⤵PID:2212
-
\??\c:\5rllrxx.exec:\5rllrxx.exe77⤵PID:2392
-
\??\c:\nnbbbh.exec:\nnbbbh.exe78⤵PID:1700
-
\??\c:\1lxxffl.exec:\1lxxffl.exe79⤵PID:1972
-
\??\c:\04626.exec:\04626.exe80⤵PID:1716
-
\??\c:\0244040.exec:\0244040.exe81⤵PID:2032
-
\??\c:\pdjpd.exec:\pdjpd.exe82⤵PID:1720
-
\??\c:\20222.exec:\20222.exe83⤵PID:2720
-
\??\c:\4206880.exec:\4206880.exe84⤵PID:2896
-
\??\c:\pjpjp.exec:\pjpjp.exe85⤵PID:2772
-
\??\c:\1nhhnt.exec:\1nhhnt.exe86⤵PID:2240
-
\??\c:\i428486.exec:\i428486.exe87⤵PID:2808
-
\??\c:\a2444.exec:\a2444.exe88⤵PID:2620
-
\??\c:\ntbnhn.exec:\ntbnhn.exe89⤵PID:2624
-
\??\c:\nbnhnt.exec:\nbnhnt.exe90⤵PID:2668
-
\??\c:\6404006.exec:\6404006.exe91⤵PID:2656
-
\??\c:\48646.exec:\48646.exe92⤵PID:2676
-
\??\c:\648042.exec:\648042.exe93⤵PID:848
-
\??\c:\8606062.exec:\8606062.exe94⤵PID:2700
-
\??\c:\m6684.exec:\m6684.exe95⤵PID:2972
-
\??\c:\5jdjv.exec:\5jdjv.exe96⤵PID:2712
-
\??\c:\08628.exec:\08628.exe97⤵PID:764
-
\??\c:\4800284.exec:\4800284.exe98⤵PID:2508
-
\??\c:\20880.exec:\20880.exe99⤵PID:676
-
\??\c:\2088280.exec:\2088280.exe100⤵PID:1452
-
\??\c:\48680.exec:\48680.exe101⤵PID:1816
-
\??\c:\rrllrrx.exec:\rrllrrx.exe102⤵PID:1948
-
\??\c:\bnbhnn.exec:\bnbhnn.exe103⤵PID:600
-
\??\c:\bthhbh.exec:\bthhbh.exe104⤵PID:1016
-
\??\c:\4428406.exec:\4428406.exe105⤵PID:1904
-
\??\c:\9nbbhn.exec:\9nbbhn.exe106⤵PID:2472
-
\??\c:\0466446.exec:\0466446.exe107⤵PID:1772
-
\??\c:\1xlxlxr.exec:\1xlxlxr.exe108⤵PID:1636
-
\??\c:\6468440.exec:\6468440.exe109⤵PID:3048
-
\??\c:\q82866.exec:\q82866.exe110⤵PID:1912
-
\??\c:\dvpvj.exec:\dvpvj.exe111⤵PID:1432
-
\??\c:\pjvvj.exec:\pjvvj.exe112⤵PID:1884
-
\??\c:\1vpjp.exec:\1vpjp.exe113⤵PID:1692
-
\??\c:\1jdpj.exec:\1jdpj.exe114⤵PID:2044
-
\??\c:\hnbhth.exec:\hnbhth.exe115⤵PID:1688
-
\??\c:\ddvpj.exec:\ddvpj.exe116⤵PID:844
-
\??\c:\5tnthn.exec:\5tnthn.exe117⤵PID:2076
-
\??\c:\jddvp.exec:\jddvp.exe118⤵PID:2692
-
\??\c:\lrrxlxr.exec:\lrrxlxr.exe119⤵PID:2420
-
\??\c:\26808.exec:\26808.exe120⤵PID:768
-
\??\c:\60280.exec:\60280.exe121⤵PID:1936
-
\??\c:\xlrllfl.exec:\xlrllfl.exe122⤵PID:1940