Analysis

max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 16:31

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe
Resource: win7-20240708-en (windows7-x64), 7 signatures, 120 seconds
General

Target: ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe
Size: 454KB
MD5: 5c077615482c4890935a4b4190848450
SHA1: b271b0bb9ebcd906861929cc4300dd171bb8c42a
SHA256: ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981
SHA512: 7bfbbf277120dfaa7b648a3241dce877131e48cac44766b2323f17169d8ab8c265392f443eea5faec8af6a7069b46847211a90823bc7dc0ed53ffe6f9ca38ae3
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTz:q7Tc2NYHUrAwfMp3CD3
Malware Config

Signatures

Blackmoon family

Detect Blackmoon payload (46 IoCs)
Executes dropped EXE (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process chain, one process per line; the number is the nesting depth (each process spawns the next), followed by the PID and the signatures triggered by that process.

1. C:\Users\Admin\AppData\Local\Temp\ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe (PID 2120): Suspicious use of WriteProcessMemory
2. \??\c:\0440284.exe (PID 2196): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\22624.exe (PID 2412): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\860206.exe (PID 2072): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\rflfffl.exe (PID 2452): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\s0284.exe (PID 2892): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\04846.exe (PID 2904): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\5bnttt.exe (PID 2648): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\3jvpp.exe (PID 2788): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\648462.exe (PID 2624): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\2640268.exe (PID 2172): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\8862402.exe (PID 696): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\jpdvj.exe (PID 2308): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\9rrfrxx.exe (PID 2124): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\0862228.exe (PID 2712): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\bthhnh.exe (PID 1980): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\7bntnn.exe (PID 1152): Executes dropped EXE
18. \??\c:\42000.exe (PID 1736): Executes dropped EXE
19. \??\c:\602688.exe (PID 488): Executes dropped EXE
20. \??\c:\08066.exe (PID 600): Executes dropped EXE
21. \??\c:\9tbtnn.exe (PID 1016): Executes dropped EXE
22. \??\c:\hntthh.exe (PID 1036): Executes dropped EXE
23. \??\c:\frxxllr.exe (PID 2360): Executes dropped EXE
24. \??\c:\1jddj.exe (PID 1740): Executes dropped EXE
25. \??\c:\bthhhn.exe (PID 1292): Executes dropped EXE
26. \??\c:\nnhbnn.exe (PID 1512): Executes dropped EXE; System Location Discovery: System Language Discovery
27. \??\c:\i600280.exe (PID 1556): Executes dropped EXE
28. \??\c:\64224.exe (PID 1088): Executes dropped EXE
29. \??\c:\ppddv.exe (PID 1976): Executes dropped EXE
30. \??\c:\4282440.exe (PID 2512): Executes dropped EXE
31. \??\c:\6444068.exe (PID 2424): Executes dropped EXE
32. \??\c:\82620.exe (PID 1196): Executes dropped EXE
33. \??\c:\7vjpj.exe (PID 2480): Executes dropped EXE
34. \??\c:\dppjd.exe (PID 2392): Executes dropped EXE
35. \??\c:\hhtntn.exe (PID 1596): Executes dropped EXE
36. \??\c:\nhbnnh.exe (PID 1708): Executes dropped EXE
37. \??\c:\60884.exe (PID 1748): Executes dropped EXE
38. \??\c:\9lllfll.exe (PID 2412): Executes dropped EXE
39. \??\c:\286862.exe (PID 1664): Executes dropped EXE
40. \??\c:\hbnthn.exe (PID 2820): Executes dropped EXE
41. \??\c:\lfrxxxl.exe (PID 2724): Executes dropped EXE
42. \??\c:\bhhhnn.exe (PID 2756): Executes dropped EXE
43. \??\c:\dpdvv.exe (PID 2620): Executes dropped EXE
44. \??\c:\ttnbtt.exe (PID 2176): Executes dropped EXE
45. \??\c:\42462.exe (PID 2900): Executes dropped EXE
46. \??\c:\rflflfl.exe (PID 2660): Executes dropped EXE
47. \??\c:\8606446.exe (PID 2656): Executes dropped EXE
48. \??\c:\bntbhb.exe (PID 2168): Executes dropped EXE
49. \??\c:\80006.exe (PID 2152): Executes dropped EXE
50. \??\c:\vvdvp.exe (PID 2248): Executes dropped EXE
51. \??\c:\nhnnnh.exe (PID 2856): Executes dropped EXE
52. \??\c:\pdvvj.exe (PID 848): Executes dropped EXE
53. \??\c:\6840000.exe (PID 2844): Executes dropped EXE
54. \??\c:\xrlrrrf.exe (PID 2832): Executes dropped EXE
55. \??\c:\1djdd.exe (PID 1640): Executes dropped EXE
56. \??\c:\5tbbnt.exe (PID 1896): Executes dropped EXE
57. \??\c:\jvddd.exe (PID 2148): Executes dropped EXE
58. \??\c:\0244602.exe (PID 1916): Executes dropped EXE
59. \??\c:\g8624.exe (PID 2556): Executes dropped EXE
60. \??\c:\7xlxffl.exe (PID 1496): Executes dropped EXE
61. \??\c:\pvdjj.exe (PID 108): Executes dropped EXE
62. \??\c:\5nbtbb.exe (PID 2592): Executes dropped EXE
63. \??\c:\1pvpj.exe (PID 560): Executes dropped EXE
64. \??\c:\bntttt.exe (PID 3032): Executes dropped EXE
65. \??\c:\jvjvv.exe (PID 2292): Executes dropped EXE
66. \??\c:\rllrrrf.exe (PID 1548)
67. \??\c:\86406.exe (PID 1704)
68. \??\c:\2644684.exe (PID 1432)
69. \??\c:\bnbbbt.exe (PID 1512)
70. \??\c:\vpjvv.exe (PID 612)
71. \??\c:\frfflll.exe (PID 844)
72. \??\c:\882246.exe (PID 3008)
73. \??\c:\ttnhtt.exe (PID 1976)
74. \??\c:\nbtntt.exe (PID 640)
75. \??\c:\4262464.exe (PID 1988)
76. \??\c:\u646228.exe (PID 2212)
77. \??\c:\lfxlrfr.exe (PID 1940)
78. \??\c:\820084.exe (PID 1920)
79. \??\c:\k48648.exe (PID 1596)
80. \??\c:\824644.exe (PID 1600)
81. \??\c:\8680220.exe (PID 2224)
82. \??\c:\1nbbht.exe (PID 1508)
83. \??\c:\00802.exe (PID 1932)
84. \??\c:\24006.exe (PID 2068)
85. \??\c:\8640066.exe (PID 2804)
86. \??\c:\888066.exe (PID 2820)
87. \??\c:\480688.exe (PID 2452): System Location Discovery: System Language Discovery
88. \??\c:\hbnhnt.exe (PID 2756)
89. \??\c:\7jvvd.exe (PID 2968)
90. \??\c:\g8246.exe (PID 2640)
91. \??\c:\dpddj.exe (PID 2780)
92. \??\c:\06022.exe (PID 2736)
93. \??\c:\4862408.exe (PID 2624)
94. \??\c:\3vjdj.exe (PID 840)
95. \??\c:\thtnnn.exe (PID 2996)
96. \??\c:\bttthh.exe (PID 2248)
97. \??\c:\3nnhhb.exe (PID 2856)
98. \??\c:\8666282.exe (PID 1372)
99. \??\c:\68444.exe (PID 472)
100. \??\c:\88646.exe (PID 1944)
101. \??\c:\flxfrfl.exe (PID 2060)
102. \??\c:\rllrffr.exe (PID 2140)
103. \??\c:\ppjvj.exe (PID 876)
104. \??\c:\a2682.exe (PID 488)
105. \??\c:\202844.exe (PID 2028)
106. \??\c:\60886.exe (PID 2220)
107. \??\c:\48608.exe (PID 1340)
108. \??\c:\64068.exe (PID 1048)
109. \??\c:\htnhtb.exe (PID 2288)
110. \??\c:\bhbnbh.exe (PID 3048)
111. \??\c:\c446842.exe (PID 1080)
112. \??\c:\jddjp.exe (PID 1584)
113. \??\c:\vpvpd.exe (PID 1884)
114. \??\c:\xrlrflx.exe (PID 2500): System Location Discovery: System Language Discovery
115. \??\c:\i460006.exe (PID 1180)
116. \??\c:\ttnbnn.exe (PID 612)
117. \??\c:\jvppv.exe (PID 844)
118. \??\c:\bbnbhh.exe (PID 3008)
119. \??\c:\5nnbbh.exe (PID 2696)
120. \??\c:\5vjpv.exe (PID 1492)
121. \??\c:\q86244.exe (PID 2540)
122. \??\c:\420244.exe (PID 2212)