Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe
-
Size
456KB
-
MD5
abed52bcf7e9b6a5cd98366774dd7756
-
SHA1
cf91cca3799be7682904cb8c8a76214ffa404ebd
-
SHA256
37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf
-
SHA512
975bc889da80d784fd93634eb3ced70c025b9108476c830300965003f332703564e56965fb8984bbbf74ccf1a877d1dcc5754ec1c26e0044f51e31f13bbc500b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRq:q7Tc2NYHUrAwfMp3CDRq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3484-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4044-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4748-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-1057-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3060-1329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2636 ttbtnb.exe 896 7rrlxxr.exe 552 rlrlrrx.exe 3488 1hnhhh.exe 1804 pppjd.exe 3064 pjpjp.exe 4180 3nbbtt.exe 1152 fxxxxxf.exe 636 nbbtnn.exe 3028 djddd.exe 1148 ffrfrrf.exe 4052 hbbbtt.exe 388 5rllffx.exe 3744 vpdvd.exe 32 3hnhbb.exe 1440 jvdvp.exe 3540 lllffxr.exe 3676 hthbbb.exe 4300 xrrlffx.exe 3012 dpjjv.exe 3248 xxxlrlx.exe 4672 9pjvj.exe 3168 vvpdj.exe 2212 5hbntn.exe 4560 nbhbht.exe 1960 jppdp.exe 3332 3xlflfx.exe 2336 bbnbnh.exe 4044 dpdpj.exe 3968 lxxlxlf.exe 4448 tnhhtn.exe 3904 btnbnh.exe 4524 frxxlxx.exe 3740 nhhtht.exe 3224 7tnbht.exe 2180 xlxrrrx.exe 676 nbbnbt.exe 4132 vvvpp.exe 4320 xlfrfxl.exe 3148 hnbnht.exe 2464 jppdd.exe 960 rxrflxl.exe 1620 rxxrffr.exe 5116 bnhtht.exe 952 lxflfxl.exe 3960 llrfrfr.exe 4816 tbhthb.exe 5080 pjvjj.exe 4860 1djdj.exe 4708 7frfrfx.exe 3700 nhbnhb.exe 4412 vpvpj.exe 2924 9vjvd.exe 336 xfrfrlx.exe 2372 btnhtn.exe 2604 3vvjv.exe 2452 pdpdv.exe 3556 rflffrx.exe 3488 ttnnbh.exe 4480 5bnbnt.exe 2412 dpvjj.exe 4800 xrrflfx.exe 4180 9rffrlf.exe 2044 nnhbnh.exe -
resource yara_rule behavioral2/memory/2636-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4044-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1564-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-669-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3484 wrote to memory of 2636 3484 37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe 82 PID 3484 wrote to memory of 2636 3484 37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe 82 PID 3484 wrote to memory of 2636 3484 37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe 82 PID 2636 wrote to memory of 896 2636 ttbtnb.exe 83 PID 2636 wrote to memory of 896 2636 ttbtnb.exe 83 PID 2636 wrote to memory of 896 2636 ttbtnb.exe 83 PID 896 wrote to memory of 552 896 7rrlxxr.exe 84 PID 896 wrote to memory of 552 896 7rrlxxr.exe 84 PID 896 wrote to memory of 552 896 7rrlxxr.exe 84 PID 552 wrote to memory of 3488 552 rlrlrrx.exe 85 PID 552 wrote to memory of 3488 552 rlrlrrx.exe 85 PID 552 wrote to memory of 3488 552 rlrlrrx.exe 85 PID 3488 wrote to memory of 1804 3488 1hnhhh.exe 86 PID 3488 wrote to memory of 1804 3488 1hnhhh.exe 86 PID 3488 wrote to memory of 1804 3488 1hnhhh.exe 86 PID 1804 wrote to memory of 3064 1804 pppjd.exe 87 PID 1804 wrote to memory of 3064 1804 pppjd.exe 87 PID 1804 wrote to memory of 3064 1804 pppjd.exe 87 PID 3064 wrote to memory of 4180 3064 pjpjp.exe 88 PID 3064 wrote to memory of 4180 3064 pjpjp.exe 88 PID 3064 wrote to memory of 4180 3064 pjpjp.exe 88 PID 4180 wrote to memory of 1152 4180 3nbbtt.exe 89 PID 4180 wrote to memory of 1152 4180 3nbbtt.exe 89 PID 4180 wrote to memory of 1152 4180 3nbbtt.exe 89 PID 1152 wrote to memory of 636 1152 fxxxxxf.exe 90 PID 1152 wrote to memory of 636 1152 fxxxxxf.exe 90 PID 1152 wrote to memory of 636 1152 fxxxxxf.exe 90 PID 636 wrote to memory of 3028 636 nbbtnn.exe 91 PID 636 wrote to memory of 3028 636 nbbtnn.exe 91 PID 636 wrote to memory of 3028 636 nbbtnn.exe 91 PID 3028 wrote to memory of 1148 3028 djddd.exe 92 PID 3028 wrote to memory of 1148 3028 djddd.exe 92 PID 3028 wrote to memory of 1148 3028 djddd.exe 92 PID 1148 wrote to memory of 4052 1148 ffrfrrf.exe 93 PID 1148 wrote to memory of 4052 1148 
ffrfrrf.exe 93 PID 1148 wrote to memory of 4052 1148 ffrfrrf.exe 93 PID 4052 wrote to memory of 388 4052 hbbbtt.exe 94 PID 4052 wrote to memory of 388 4052 hbbbtt.exe 94 PID 4052 wrote to memory of 388 4052 hbbbtt.exe 94 PID 388 wrote to memory of 3744 388 5rllffx.exe 95 PID 388 wrote to memory of 3744 388 5rllffx.exe 95 PID 388 wrote to memory of 3744 388 5rllffx.exe 95 PID 3744 wrote to memory of 32 3744 vpdvd.exe 96 PID 3744 wrote to memory of 32 3744 vpdvd.exe 96 PID 3744 wrote to memory of 32 3744 vpdvd.exe 96 PID 32 wrote to memory of 1440 32 3hnhbb.exe 97 PID 32 wrote to memory of 1440 32 3hnhbb.exe 97 PID 32 wrote to memory of 1440 32 3hnhbb.exe 97 PID 1440 wrote to memory of 3540 1440 jvdvp.exe 98 PID 1440 wrote to memory of 3540 1440 jvdvp.exe 98 PID 1440 wrote to memory of 3540 1440 jvdvp.exe 98 PID 3540 wrote to memory of 3676 3540 lllffxr.exe 99 PID 3540 wrote to memory of 3676 3540 lllffxr.exe 99 PID 3540 wrote to memory of 3676 3540 lllffxr.exe 99 PID 3676 wrote to memory of 4300 3676 hthbbb.exe 100 PID 3676 wrote to memory of 4300 3676 hthbbb.exe 100 PID 3676 wrote to memory of 4300 3676 hthbbb.exe 100 PID 4300 wrote to memory of 3012 4300 xrrlffx.exe 101 PID 4300 wrote to memory of 3012 4300 xrrlffx.exe 101 PID 4300 wrote to memory of 3012 4300 xrrlffx.exe 101 PID 3012 wrote to memory of 3248 3012 dpjjv.exe 102 PID 3012 wrote to memory of 3248 3012 dpjjv.exe 102 PID 3012 wrote to memory of 3248 3012 dpjjv.exe 102 PID 3248 wrote to memory of 4672 3248 xxxlrlx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe"C:\Users\Admin\AppData\Local\Temp\37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\ttbtnb.exec:\ttbtnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\7rrlxxr.exec:\7rrlxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\1hnhhh.exec:\1hnhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\pppjd.exec:\pppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\pjpjp.exec:\pjpjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\3nbbtt.exec:\3nbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\fxxxxxf.exec:\fxxxxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\nbbtnn.exec:\nbbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\djddd.exec:\djddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\ffrfrrf.exec:\ffrfrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\hbbbtt.exec:\hbbbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\5rllffx.exec:\5rllffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\vpdvd.exec:\vpdvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\3hnhbb.exec:\3hnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\jvdvp.exec:\jvdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\lllffxr.exec:\lllffxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\hthbbb.exec:\hthbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\xrrlffx.exec:\xrrlffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\dpjjv.exec:\dpjjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\xxxlrlx.exec:\xxxlrlx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\9pjvj.exec:\9pjvj.exe23⤵
- Executes dropped EXE
PID:4672 -
\??\c:\vvpdj.exec:\vvpdj.exe24⤵
- Executes dropped EXE
PID:3168 -
\??\c:\5hbntn.exec:\5hbntn.exe25⤵
- Executes dropped EXE
PID:2212 -
\??\c:\nbhbht.exec:\nbhbht.exe26⤵
- Executes dropped EXE
PID:4560 -
\??\c:\jppdp.exec:\jppdp.exe27⤵
- Executes dropped EXE
PID:1960 -
\??\c:\3xlflfx.exec:\3xlflfx.exe28⤵
- Executes dropped EXE
PID:3332 -
\??\c:\bbnbnh.exec:\bbnbnh.exe29⤵
- Executes dropped EXE
PID:2336 -
\??\c:\dpdpj.exec:\dpdpj.exe30⤵
- Executes dropped EXE
PID:4044 -
\??\c:\lxxlxlf.exec:\lxxlxlf.exe31⤵
- Executes dropped EXE
PID:3968 -
\??\c:\tnhhtn.exec:\tnhhtn.exe32⤵
- Executes dropped EXE
PID:4448 -
\??\c:\btnbnh.exec:\btnbnh.exe33⤵
- Executes dropped EXE
PID:3904 -
\??\c:\frxxlxx.exec:\frxxlxx.exe34⤵
- Executes dropped EXE
PID:4524 -
\??\c:\nhhtht.exec:\nhhtht.exe35⤵
- Executes dropped EXE
PID:3740 -
\??\c:\7tnbht.exec:\7tnbht.exe36⤵
- Executes dropped EXE
PID:3224 -
\??\c:\xlxrrrx.exec:\xlxrrrx.exe37⤵
- Executes dropped EXE
PID:2180 -
\??\c:\nbbnbt.exec:\nbbnbt.exe38⤵
- Executes dropped EXE
PID:676 -
\??\c:\vvvpp.exec:\vvvpp.exe39⤵
- Executes dropped EXE
PID:4132 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe40⤵
- Executes dropped EXE
PID:4320 -
\??\c:\hnbnht.exec:\hnbnht.exe41⤵
- Executes dropped EXE
PID:3148 -
\??\c:\jppdd.exec:\jppdd.exe42⤵
- Executes dropped EXE
PID:2464 -
\??\c:\rxrflxl.exec:\rxrflxl.exe43⤵
- Executes dropped EXE
PID:960 -
\??\c:\rxxrffr.exec:\rxxrffr.exe44⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bnhtht.exec:\bnhtht.exe45⤵
- Executes dropped EXE
PID:5116 -
\??\c:\lxflfxl.exec:\lxflfxl.exe46⤵
- Executes dropped EXE
PID:952 -
\??\c:\llrfrfr.exec:\llrfrfr.exe47⤵
- Executes dropped EXE
PID:3960 -
\??\c:\tbhthb.exec:\tbhthb.exe48⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pjvjj.exec:\pjvjj.exe49⤵
- Executes dropped EXE
PID:5080 -
\??\c:\1djdj.exec:\1djdj.exe50⤵
- Executes dropped EXE
PID:4860 -
\??\c:\7frfrfx.exec:\7frfrfx.exe51⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nhbnhb.exec:\nhbnhb.exe52⤵
- Executes dropped EXE
PID:3700 -
\??\c:\vpvpj.exec:\vpvpj.exe53⤵
- Executes dropped EXE
PID:4412 -
\??\c:\9vjvd.exec:\9vjvd.exe54⤵
- Executes dropped EXE
PID:2924 -
\??\c:\xfrfrlx.exec:\xfrfrlx.exe55⤵
- Executes dropped EXE
PID:336 -
\??\c:\btnhtn.exec:\btnhtn.exe56⤵
- Executes dropped EXE
PID:2372 -
\??\c:\3vvjv.exec:\3vvjv.exe57⤵
- Executes dropped EXE
PID:2604 -
\??\c:\pdpdv.exec:\pdpdv.exe58⤵
- Executes dropped EXE
PID:2452 -
\??\c:\rflffrx.exec:\rflffrx.exe59⤵
- Executes dropped EXE
PID:3556 -
\??\c:\ttnnbh.exec:\ttnnbh.exe60⤵
- Executes dropped EXE
PID:3488 -
\??\c:\5bnbnt.exec:\5bnbnt.exe61⤵
- Executes dropped EXE
PID:4480 -
\??\c:\dpvjj.exec:\dpvjj.exe62⤵
- Executes dropped EXE
PID:2412 -
\??\c:\xrrflfx.exec:\xrrflfx.exe63⤵
- Executes dropped EXE
PID:4800 -
\??\c:\9rffrlf.exec:\9rffrlf.exe64⤵
- Executes dropped EXE
PID:4180 -
\??\c:\nnhbnh.exec:\nnhbnh.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
\??\c:\djpjj.exec:\djpjj.exe66⤵PID:4944
-
\??\c:\jddvv.exec:\jddvv.exe67⤵PID:2280
-
\??\c:\rfrfrlx.exec:\rfrfrlx.exe68⤵PID:736
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe69⤵PID:1284
-
\??\c:\thbnbn.exec:\thbnbn.exe70⤵PID:4824
-
\??\c:\jddvj.exec:\jddvj.exe71⤵PID:3936
-
\??\c:\rxfllxx.exec:\rxfllxx.exe72⤵PID:2856
-
\??\c:\tbbnht.exec:\tbbnht.exe73⤵PID:4772
-
\??\c:\ntnnbb.exec:\ntnnbb.exe74⤵PID:644
-
\??\c:\9jppv.exec:\9jppv.exe75⤵PID:4748
-
\??\c:\rxxlxlf.exec:\rxxlxlf.exe76⤵PID:3520
-
\??\c:\1bnbtt.exec:\1bnbtt.exe77⤵PID:3176
-
\??\c:\jvpdp.exec:\jvpdp.exe78⤵PID:220
-
\??\c:\1pppv.exec:\1pppv.exe79⤵PID:1120
-
\??\c:\llxlxlx.exec:\llxlxlx.exe80⤵PID:3456
-
\??\c:\3flxxll.exec:\3flxxll.exe81⤵PID:1564
-
\??\c:\btnthn.exec:\btnthn.exe82⤵PID:1608
-
\??\c:\dddvj.exec:\dddvj.exe83⤵PID:4604
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe84⤵PID:2052
-
\??\c:\3lfxlfl.exec:\3lfxlfl.exe85⤵PID:1224
-
\??\c:\9bnbnn.exec:\9bnbnn.exe86⤵PID:2868
-
\??\c:\bhhttn.exec:\bhhttn.exe87⤵PID:4028
-
\??\c:\jpdjj.exec:\jpdjj.exe88⤵PID:2972
-
\??\c:\frlxxlx.exec:\frlxxlx.exe89⤵PID:3788
-
\??\c:\bhhthb.exec:\bhhthb.exe90⤵PID:4176
-
\??\c:\tnbtnn.exec:\tnbtnn.exe91⤵PID:1960
-
\??\c:\frllflx.exec:\frllflx.exe92⤵PID:3732
-
\??\c:\htthbn.exec:\htthbn.exe93⤵PID:1668
-
\??\c:\dpddp.exec:\dpddp.exe94⤵PID:1752
-
\??\c:\ppjvj.exec:\ppjvj.exe95⤵PID:2408
-
\??\c:\flfrxlx.exec:\flfrxlx.exe96⤵PID:400
-
\??\c:\hnnbnh.exec:\hnnbnh.exe97⤵PID:1172
-
\??\c:\jddpj.exec:\jddpj.exe98⤵PID:3776
-
\??\c:\jvpvj.exec:\jvpvj.exe99⤵PID:3588
-
\??\c:\xlrrffr.exec:\xlrrffr.exe100⤵PID:4868
-
\??\c:\7ththb.exec:\7ththb.exe101⤵PID:3572
-
\??\c:\pjvpv.exec:\pjvpv.exe102⤵PID:1672
-
\??\c:\pvdpv.exec:\pvdpv.exe103⤵PID:2232
-
\??\c:\lffrxrf.exec:\lffrxrf.exe104⤵PID:3992
-
\??\c:\nttnbt.exec:\nttnbt.exe105⤵PID:3260
-
\??\c:\vjpdj.exec:\vjpdj.exe106⤵PID:3368
-
\??\c:\3vdpd.exec:\3vdpd.exe107⤵PID:2164
-
\??\c:\lfxlrlx.exec:\lfxlrlx.exe108⤵PID:4320
-
\??\c:\ttnhbn.exec:\ttnhbn.exe109⤵PID:3148
-
\??\c:\jvpdj.exec:\jvpdj.exe110⤵PID:5100
-
\??\c:\vppjd.exec:\vppjd.exe111⤵PID:960
-
\??\c:\rlrrlxr.exec:\rlrrlxr.exe112⤵PID:4692
-
\??\c:\nhtnbn.exec:\nhtnbn.exe113⤵PID:1276
-
\??\c:\djdjv.exec:\djdjv.exe114⤵PID:4464
-
\??\c:\lfrrxrf.exec:\lfrrxrf.exe115⤵PID:4932
-
\??\c:\lllrfxl.exec:\lllrfxl.exe116⤵PID:1500
-
\??\c:\nttbth.exec:\nttbth.exe117⤵PID:4880
-
\??\c:\ntthbn.exec:\ntthbn.exe118⤵PID:3320
-
\??\c:\jvpjp.exec:\jvpjp.exe119⤵PID:4760
-
\??\c:\xlfrlff.exec:\xlfrlff.exe120⤵PID:4388
-
\??\c:\nhbttn.exec:\nhbttn.exe121⤵PID:4624
-
\??\c:\bnnbtn.exec:\bnnbtn.exe122⤵PID:648