Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe
-
Size
454KB
-
MD5
5c077615482c4890935a4b4190848450
-
SHA1
b271b0bb9ebcd906861929cc4300dd171bb8c42a
-
SHA256
ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981
-
SHA512
7bfbbf277120dfaa7b648a3241dce877131e48cac44766b2323f17169d8ab8c265392f443eea5faec8af6a7069b46847211a90823bc7dc0ed53ffe6f9ca38ae3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTz:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4952-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3316-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3404-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-1181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3372 bnnnth.exe 4812 xxxxxff.exe 4584 tntbbb.exe 824 vpddd.exe 1164 rxlffff.exe 4208 llfflrf.exe 3828 tnhhhh.exe 4456 jdpjd.exe 1528 pdjdd.exe 1192 rlxffll.exe 452 nhbttt.exe 3788 jdjjj.exe 5092 pdvpp.exe 2852 xrxxxff.exe 32 hhnnnn.exe 3668 hhnntt.exe 2172 vvvvp.exe 1944 lxfffff.exe 4324 bthbbb.exe 2520 dpvpj.exe 2000 pdvjd.exe 4064 xrxrrrr.exe 2136 bnbbtb.exe 2956 vvdjd.exe 1920 ppvvp.exe 3316 xfffllr.exe 2904 5hnhnn.exe 4340 nhtbbh.exe 3612 pdddd.exe 2288 rlxlfll.exe 3352 llrrrxx.exe 3404 hhhbbh.exe 3844 dpdvp.exe 2068 fxffxxx.exe 2296 tttttt.exe 3912 jjppp.exe 3248 lrrrrxx.exe 2364 nnnbhb.exe 3312 fflrrxx.exe 5020 ttbbbb.exe 4652 vpddd.exe 2524 jpjpp.exe 1836 7flllrx.exe 4908 bbttnt.exe 4464 nttttt.exe 1544 ppjdd.exe 3228 xxffflr.exe 316 xlxxrxr.exe 396 htnhhh.exe 4556 jvjdv.exe 4668 7jjjj.exe 2728 rflllrx.exe 4536 nnnnhh.exe 3348 vvvpj.exe 1564 ddppp.exe 4456 rrfxxfr.exe 1528 tnnnnh.exe 3888 bntbbb.exe 1428 jjvpd.exe 4192 3ffllll.exe 1760 frflfll.exe 5108 ttbbbb.exe 1656 vdddv.exe 4968 xlxrlll.exe -
resource yara_rule behavioral2/memory/4952-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-128-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4324-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4444-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-767-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4952 wrote to memory of 3372 4952 ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe 82 PID 4952 wrote to memory of 3372 4952 ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe 82 PID 4952 wrote to memory of 3372 4952 ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe 82 PID 3372 wrote to memory of 4812 3372 bnnnth.exe 83 PID 3372 wrote to memory of 4812 3372 bnnnth.exe 83 PID 3372 wrote to memory of 4812 3372 bnnnth.exe 83 PID 4812 wrote to memory of 4584 4812 xxxxxff.exe 84 PID 4812 wrote to memory of 4584 4812 xxxxxff.exe 84 PID 4812 wrote to memory of 4584 4812 xxxxxff.exe 84 PID 4584 wrote to memory of 824 4584 tntbbb.exe 85 PID 4584 wrote to memory of 824 4584 tntbbb.exe 85 PID 4584 wrote to memory of 824 4584 tntbbb.exe 85 PID 824 wrote to memory of 1164 824 vpddd.exe 86 PID 824 wrote to memory of 1164 824 vpddd.exe 86 PID 824 wrote to memory of 1164 824 vpddd.exe 86 PID 1164 wrote to memory of 4208 1164 rxlffff.exe 87 PID 1164 wrote to memory of 4208 1164 rxlffff.exe 87 PID 1164 wrote to memory of 4208 1164 rxlffff.exe 87 PID 4208 wrote to memory of 3828 4208 llfflrf.exe 88 PID 4208 wrote to memory of 3828 4208 llfflrf.exe 88 PID 4208 wrote to memory of 3828 4208 llfflrf.exe 88 PID 3828 wrote to memory of 4456 3828 tnhhhh.exe 137 PID 3828 wrote to memory of 4456 3828 tnhhhh.exe 137 PID 3828 wrote to memory of 4456 3828 tnhhhh.exe 137 PID 4456 wrote to memory of 1528 4456 jdpjd.exe 138 PID 4456 wrote to memory of 1528 4456 jdpjd.exe 138 PID 4456 wrote to memory of 1528 4456 jdpjd.exe 138 PID 1528 wrote to memory of 1192 1528 pdjdd.exe 91 PID 1528 wrote to memory of 1192 1528 pdjdd.exe 91 PID 1528 wrote to memory of 1192 1528 pdjdd.exe 91 PID 1192 wrote to memory of 452 1192 rlxffll.exe 92 PID 1192 wrote to memory of 452 1192 rlxffll.exe 92 PID 1192 wrote to memory of 452 1192 rlxffll.exe 92 PID 452 wrote to memory of 3788 452 nhbttt.exe 93 PID 452 wrote to 
memory of 3788 452 nhbttt.exe 93 PID 452 wrote to memory of 3788 452 nhbttt.exe 93 PID 3788 wrote to memory of 5092 3788 jdjjj.exe 94 PID 3788 wrote to memory of 5092 3788 jdjjj.exe 94 PID 3788 wrote to memory of 5092 3788 jdjjj.exe 94 PID 5092 wrote to memory of 2852 5092 pdvpp.exe 95 PID 5092 wrote to memory of 2852 5092 pdvpp.exe 95 PID 5092 wrote to memory of 2852 5092 pdvpp.exe 95 PID 2852 wrote to memory of 32 2852 xrxxxff.exe 96 PID 2852 wrote to memory of 32 2852 xrxxxff.exe 96 PID 2852 wrote to memory of 32 2852 xrxxxff.exe 96 PID 32 wrote to memory of 3668 32 hhnnnn.exe 97 PID 32 wrote to memory of 3668 32 hhnnnn.exe 97 PID 32 wrote to memory of 3668 32 hhnnnn.exe 97 PID 3668 wrote to memory of 2172 3668 hhnntt.exe 146 PID 3668 wrote to memory of 2172 3668 hhnntt.exe 146 PID 3668 wrote to memory of 2172 3668 hhnntt.exe 146 PID 2172 wrote to memory of 1944 2172 vvvvp.exe 99 PID 2172 wrote to memory of 1944 2172 vvvvp.exe 99 PID 2172 wrote to memory of 1944 2172 vvvvp.exe 99 PID 1944 wrote to memory of 4324 1944 lxfffff.exe 100 PID 1944 wrote to memory of 4324 1944 lxfffff.exe 100 PID 1944 wrote to memory of 4324 1944 lxfffff.exe 100 PID 4324 wrote to memory of 2520 4324 bthbbb.exe 101 PID 4324 wrote to memory of 2520 4324 bthbbb.exe 101 PID 4324 wrote to memory of 2520 4324 bthbbb.exe 101 PID 2520 wrote to memory of 2000 2520 dpvpj.exe 102 PID 2520 wrote to memory of 2000 2520 dpvpj.exe 102 PID 2520 wrote to memory of 2000 2520 dpvpj.exe 102 PID 2000 wrote to memory of 4064 2000 pdvjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe"C:\Users\Admin\AppData\Local\Temp\ceb338bc2d822685c4b3b63c319ef04642aa06dc55d8cfd34c37820a4d971981N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\bnnnth.exec:\bnnnth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\xxxxxff.exec:\xxxxxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\tntbbb.exec:\tntbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\vpddd.exec:\vpddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\rxlffff.exec:\rxlffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\llfflrf.exec:\llfflrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\tnhhhh.exec:\tnhhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\jdpjd.exec:\jdpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\pdjdd.exec:\pdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\rlxffll.exec:\rlxffll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\nhbttt.exec:\nhbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\jdjjj.exec:\jdjjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\pdvpp.exec:\pdvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\xrxxxff.exec:\xrxxxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\hhnnnn.exec:\hhnnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\hhnntt.exec:\hhnntt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\vvvvp.exec:\vvvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\lxfffff.exec:\lxfffff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\bthbbb.exec:\bthbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\dpvpj.exec:\dpvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\pdvjd.exec:\pdvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe23⤵
- Executes dropped EXE
PID:4064 -
\??\c:\bnbbtb.exec:\bnbbtb.exe24⤵
- Executes dropped EXE
PID:2136 -
\??\c:\vvdjd.exec:\vvdjd.exe25⤵
- Executes dropped EXE
PID:2956 -
\??\c:\ppvvp.exec:\ppvvp.exe26⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xfffllr.exec:\xfffllr.exe27⤵
- Executes dropped EXE
PID:3316 -
\??\c:\5hnhnn.exec:\5hnhnn.exe28⤵
- Executes dropped EXE
PID:2904 -
\??\c:\nhtbbh.exec:\nhtbbh.exe29⤵
- Executes dropped EXE
PID:4340 -
\??\c:\pdddd.exec:\pdddd.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
\??\c:\rlxlfll.exec:\rlxlfll.exe31⤵
- Executes dropped EXE
PID:2288 -
\??\c:\llrrrxx.exec:\llrrrxx.exe32⤵
- Executes dropped EXE
PID:3352 -
\??\c:\hhhbbh.exec:\hhhbbh.exe33⤵
- Executes dropped EXE
PID:3404 -
\??\c:\dpdvp.exec:\dpdvp.exe34⤵
- Executes dropped EXE
PID:3844 -
\??\c:\fxffxxx.exec:\fxffxxx.exe35⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tttttt.exec:\tttttt.exe36⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jjppp.exec:\jjppp.exe37⤵
- Executes dropped EXE
PID:3912 -
\??\c:\lrrrrxx.exec:\lrrrrxx.exe38⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nnnbhb.exec:\nnnbhb.exe39⤵
- Executes dropped EXE
PID:2364 -
\??\c:\fflrrxx.exec:\fflrrxx.exe40⤵
- Executes dropped EXE
PID:3312 -
\??\c:\ttbbbb.exec:\ttbbbb.exe41⤵
- Executes dropped EXE
PID:5020 -
\??\c:\vpddd.exec:\vpddd.exe42⤵
- Executes dropped EXE
PID:4652 -
\??\c:\jpjpp.exec:\jpjpp.exe43⤵
- Executes dropped EXE
PID:2524 -
\??\c:\7flllrx.exec:\7flllrx.exe44⤵
- Executes dropped EXE
PID:1836 -
\??\c:\bbttnt.exec:\bbttnt.exe45⤵
- Executes dropped EXE
PID:4908 -
\??\c:\nttttt.exec:\nttttt.exe46⤵
- Executes dropped EXE
PID:4464 -
\??\c:\ppjdd.exec:\ppjdd.exe47⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xxffflr.exec:\xxffflr.exe48⤵
- Executes dropped EXE
PID:3228 -
\??\c:\xlxxrxr.exec:\xlxxrxr.exe49⤵
- Executes dropped EXE
PID:316 -
\??\c:\htnhhh.exec:\htnhhh.exe50⤵
- Executes dropped EXE
PID:396 -
\??\c:\jvjdv.exec:\jvjdv.exe51⤵
- Executes dropped EXE
PID:4556 -
\??\c:\7jjjj.exec:\7jjjj.exe52⤵
- Executes dropped EXE
PID:4668 -
\??\c:\rflllrx.exec:\rflllrx.exe53⤵
- Executes dropped EXE
PID:2728 -
\??\c:\nnnnhh.exec:\nnnnhh.exe54⤵
- Executes dropped EXE
PID:4536 -
\??\c:\vvvpj.exec:\vvvpj.exe55⤵
- Executes dropped EXE
PID:3348 -
\??\c:\ddppp.exec:\ddppp.exe56⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rrfxxfr.exec:\rrfxxfr.exe57⤵
- Executes dropped EXE
PID:4456 -
\??\c:\tnnnnh.exec:\tnnnnh.exe58⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bntbbb.exec:\bntbbb.exe59⤵
- Executes dropped EXE
PID:3888 -
\??\c:\jjvpd.exec:\jjvpd.exe60⤵
- Executes dropped EXE
PID:1428 -
\??\c:\3ffllll.exec:\3ffllll.exe61⤵
- Executes dropped EXE
PID:4192 -
\??\c:\frflfll.exec:\frflfll.exe62⤵
- Executes dropped EXE
PID:1760 -
\??\c:\ttbbbb.exec:\ttbbbb.exe63⤵
- Executes dropped EXE
PID:5108 -
\??\c:\vdddv.exec:\vdddv.exe64⤵
- Executes dropped EXE
PID:1656 -
\??\c:\xlxrlll.exec:\xlxrlll.exe65⤵
- Executes dropped EXE
PID:4968 -
\??\c:\9tbttt.exec:\9tbttt.exe66⤵PID:2172
-
\??\c:\dpppd.exec:\dpppd.exe67⤵PID:2132
-
\??\c:\1rxxxff.exec:\1rxxxff.exe68⤵PID:2776
-
\??\c:\1ntttb.exec:\1ntttb.exe69⤵PID:1896
-
\??\c:\1dvpp.exec:\1dvpp.exe70⤵PID:1392
-
\??\c:\fxffxxx.exec:\fxffxxx.exe71⤵PID:1912
-
\??\c:\llfxrrr.exec:\llfxrrr.exe72⤵PID:4260
-
\??\c:\hhbnhb.exec:\hhbnhb.exe73⤵PID:2280
-
\??\c:\pppdp.exec:\pppdp.exe74⤵PID:2508
-
\??\c:\nhhbbt.exec:\nhhbbt.exe75⤵PID:860
-
\??\c:\fxrflll.exec:\fxrflll.exe76⤵PID:3532
-
\??\c:\1nhbtt.exec:\1nhbtt.exe77⤵PID:724
-
\??\c:\vdpjd.exec:\vdpjd.exe78⤵PID:3216
-
\??\c:\vpjpv.exec:\vpjpv.exe79⤵PID:448
-
\??\c:\1nnhtt.exec:\1nnhtt.exe80⤵PID:4708
-
\??\c:\nbhhbt.exec:\nbhhbt.exe81⤵PID:3820
-
\??\c:\fxxrfrx.exec:\fxxrfrx.exe82⤵PID:3404
-
\??\c:\dvpjd.exec:\dvpjd.exe83⤵PID:2068
-
\??\c:\xxrrllf.exec:\xxrrllf.exe84⤵PID:1552
-
\??\c:\pvvjv.exec:\pvvjv.exe85⤵PID:2296
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe86⤵PID:3632
-
\??\c:\bttnbn.exec:\bttnbn.exe87⤵PID:1736
-
\??\c:\fxffrrx.exec:\fxffrrx.exe88⤵PID:3412
-
\??\c:\pvpjd.exec:\pvpjd.exe89⤵PID:2592
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe90⤵PID:1952
-
\??\c:\btbbtt.exec:\btbbtt.exe91⤵PID:2036
-
\??\c:\djjvd.exec:\djjvd.exe92⤵PID:1364
-
\??\c:\pdppj.exec:\pdppj.exe93⤵PID:3372
-
\??\c:\llrlffx.exec:\llrlffx.exe94⤵PID:3264
-
\??\c:\xrxrllf.exec:\xrxrllf.exe95⤵PID:2880
-
\??\c:\djjjj.exec:\djjjj.exe96⤵
- System Location Discovery: System Language Discovery
PID:3212 -
\??\c:\frffxxf.exec:\frffxxf.exe97⤵PID:2944
-
\??\c:\hbnnnt.exec:\hbnnnt.exe98⤵PID:4444
-
\??\c:\hbhhhh.exec:\hbhhhh.exe99⤵PID:4608
-
\??\c:\pvvpd.exec:\pvvpd.exe100⤵PID:3376
-
\??\c:\xfrlllr.exec:\xfrlllr.exe101⤵PID:4000
-
\??\c:\hnttbb.exec:\hnttbb.exe102⤵PID:4600
-
\??\c:\dvvvv.exec:\dvvvv.exe103⤵PID:2728
-
\??\c:\fxfrlxr.exec:\fxfrlxr.exe104⤵PID:4292
-
\??\c:\nnhbhh.exec:\nnhbhh.exe105⤵PID:4584
-
\??\c:\5pppd.exec:\5pppd.exe106⤵PID:3348
-
\??\c:\7vvvv.exec:\7vvvv.exe107⤵PID:1568
-
\??\c:\9lxxffx.exec:\9lxxffx.exe108⤵PID:4436
-
\??\c:\nttbbh.exec:\nttbbh.exe109⤵PID:2012
-
\??\c:\1djjd.exec:\1djjd.exe110⤵PID:4400
-
\??\c:\jdpjd.exec:\jdpjd.exe111⤵PID:3004
-
\??\c:\flrrrxr.exec:\flrrrxr.exe112⤵PID:1820
-
\??\c:\nhnnnt.exec:\nhnnnt.exe113⤵PID:5096
-
\??\c:\jjjjd.exec:\jjjjd.exe114⤵PID:1784
-
\??\c:\jdjvv.exec:\jdjvv.exe115⤵PID:928
-
\??\c:\1rxrlxr.exec:\1rxrlxr.exe116⤵PID:668
-
\??\c:\fxffxxx.exec:\fxffxxx.exe117⤵PID:3784
-
\??\c:\tbnbbh.exec:\tbnbbh.exe118⤵PID:4692
-
\??\c:\ddjdv.exec:\ddjdv.exe119⤵PID:1188
-
\??\c:\frlfxfl.exec:\frlfxfl.exe120⤵PID:2216
-
\??\c:\nntbtb.exec:\nntbtb.exe121⤵PID:1128
-
\??\c:\vvjdv.exec:\vvjdv.exe122⤵PID:752