Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
-
Size
454KB
-
MD5
1390d192e4d3caaf5d1e113cbe77b659
-
SHA1
ae2efe64d9791170c790fb700a14ed4999ec667b
-
SHA256
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051
-
SHA512
5698693d36b45f5a5b5cf591bc7b3eb702ac960f9cd00482d7f8c42abcc95310eb0030188ecad03319173d4f8516b1bd0ef4108a260e0cce849890b4d241b630
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1344-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4756-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-1000-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-1163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-1215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2308-1276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4032 xrxrrrr.exe 4100 nnhbbb.exe 4300 7xxrlll.exe 3636 7xrrlrl.exe 2056 btbbtt.exe 4104 fxfrxrx.exe 5028 1bbttt.exe 468 dppvj.exe 3776 bntbnn.exe 1748 1jpjv.exe 3540 lxlrlfx.exe 1676 thnhbt.exe 4916 xlxrlff.exe 396 xxxrrrl.exe 4732 vdjpv.exe 4624 nnnbnh.exe 4188 9vpdp.exe 1740 vvjjp.exe 1580 jdjdv.exe 4428 rrrrllf.exe 2328 jvdpv.exe 4740 1nthhh.exe 376 jvdvj.exe 4108 xrxrffx.exe 2348 5djjj.exe 4072 jvddp.exe 1344 7rlfxxr.exe 4660 vvjpj.exe 2948 1lrlxxx.exe 2932 tnhbhh.exe 4296 fxlfxxx.exe 4184 tbnnhh.exe 3844 lflfllf.exe 912 bntnbb.exe 1736 vpppj.exe 2676 lllfxrr.exe 5016 hntnhh.exe 1012 1hhbtn.exe 1480 jvdvp.exe 4596 thhbtb.exe 5076 dvvdd.exe 4904 jjvvv.exe 3512 xfffxrl.exe 3476 bthbbt.exe 4544 jpjvj.exe 1264 5rlxllx.exe 2736 nbhhbb.exe 1932 hhbbbh.exe 2804 pjpvd.exe 2052 rffrfxl.exe 4352 nhhthh.exe 4856 vvvpj.exe 516 pdjdp.exe 1748 lfrfrrx.exe 3152 ntthtn.exe 4728 pdvjd.exe 5060 dddvp.exe 3156 xflrflf.exe 4456 nnnhbt.exe 3292 ddvdj.exe 720 rlflxrl.exe 3564 btbtnn.exe 4396 5nhbtt.exe 4092 vddvp.exe -
resource yara_rule behavioral2/memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2948-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/432-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-759-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
thhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
nthnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4032 3148 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 83 PID 3148 wrote to memory of 4032 3148 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 83 PID 3148 wrote to memory of 4032 3148 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 83 PID 4032 wrote to memory of 4100 4032 xrxrrrr.exe 84 PID 4032 wrote to memory of 4100 4032 xrxrrrr.exe 84 PID 4032 wrote to memory of 4100 4032 xrxrrrr.exe 84 PID 4100 wrote to memory of 4300 4100 nnhbbb.exe 85 PID 4100 wrote to memory of 4300 4100 nnhbbb.exe 85 PID 4100 wrote to memory of 4300 4100 nnhbbb.exe 85 PID 4300 wrote to memory of 3636 4300 7xxrlll.exe 86 PID 4300 wrote to memory of 3636 4300 7xxrlll.exe 86 PID 4300 wrote to memory of 3636 4300 7xxrlll.exe 86 PID 3636 wrote to memory of 2056 3636 7xrrlrl.exe 87 PID 3636 wrote to memory of 2056 3636 7xrrlrl.exe 87 PID 3636 wrote to memory of 2056 3636 7xrrlrl.exe 87 PID 2056 wrote to memory of 4104 2056 btbbtt.exe 88 PID 2056 wrote to memory of 4104 2056 btbbtt.exe 88 PID 2056 wrote to memory of 4104 2056 btbbtt.exe 88 PID 4104 wrote to memory of 5028 4104 fxfrxrx.exe 89 PID 4104 wrote to memory of 5028 4104 fxfrxrx.exe 89 PID 4104 wrote to memory of 5028 4104 fxfrxrx.exe 89 PID 5028 wrote to memory of 468 5028 1bbttt.exe 90 PID 5028 wrote to memory of 468 5028 1bbttt.exe 90 PID 5028 wrote to memory of 468 5028 1bbttt.exe 90 PID 468 wrote to memory of 3776 468 dppvj.exe 91 PID 468 wrote to memory of 3776 468 dppvj.exe 91 PID 468 wrote to memory of 3776 468 dppvj.exe 91 PID 3776 wrote to memory of 1748 3776 bntbnn.exe 92 PID 3776 wrote to memory of 1748 3776 bntbnn.exe 92 PID 3776 wrote to memory of 1748 3776 bntbnn.exe 92 PID 1748 wrote to memory of 3540 1748 1jpjv.exe 93 PID 1748 wrote to memory of 3540 1748 1jpjv.exe 93 PID 1748 wrote to memory of 3540 1748 1jpjv.exe 93 PID 3540 wrote to memory of 1676 3540 lxlrlfx.exe 94 PID 3540 wrote to 
memory of 1676 3540 lxlrlfx.exe 94 PID 3540 wrote to memory of 1676 3540 lxlrlfx.exe 94 PID 1676 wrote to memory of 4916 1676 thnhbt.exe 95 PID 1676 wrote to memory of 4916 1676 thnhbt.exe 95 PID 1676 wrote to memory of 4916 1676 thnhbt.exe 95 PID 4916 wrote to memory of 396 4916 xlxrlff.exe 96 PID 4916 wrote to memory of 396 4916 xlxrlff.exe 96 PID 4916 wrote to memory of 396 4916 xlxrlff.exe 96 PID 396 wrote to memory of 4732 396 xxxrrrl.exe 97 PID 396 wrote to memory of 4732 396 xxxrrrl.exe 97 PID 396 wrote to memory of 4732 396 xxxrrrl.exe 97 PID 4732 wrote to memory of 4624 4732 vdjpv.exe 98 PID 4732 wrote to memory of 4624 4732 vdjpv.exe 98 PID 4732 wrote to memory of 4624 4732 vdjpv.exe 98 PID 4624 wrote to memory of 4188 4624 nnnbnh.exe 99 PID 4624 wrote to memory of 4188 4624 nnnbnh.exe 99 PID 4624 wrote to memory of 4188 4624 nnnbnh.exe 99 PID 4188 wrote to memory of 1740 4188 9vpdp.exe 100 PID 4188 wrote to memory of 1740 4188 9vpdp.exe 100 PID 4188 wrote to memory of 1740 4188 9vpdp.exe 100 PID 1740 wrote to memory of 1580 1740 vvjjp.exe 101 PID 1740 wrote to memory of 1580 1740 vvjjp.exe 101 PID 1740 wrote to memory of 1580 1740 vvjjp.exe 101 PID 1580 wrote to memory of 4428 1580 jdjdv.exe 102 PID 1580 wrote to memory of 4428 1580 jdjdv.exe 102 PID 1580 wrote to memory of 4428 1580 jdjdv.exe 102 PID 4428 wrote to memory of 2328 4428 rrrrllf.exe 103 PID 4428 wrote to memory of 2328 4428 rrrrllf.exe 103 PID 4428 wrote to memory of 2328 4428 rrrrllf.exe 103 PID 2328 wrote to memory of 4740 2328 jvdpv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\nnhbbb.exec:\nnhbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\7xxrlll.exec:\7xxrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\7xrrlrl.exec:\7xrrlrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\btbbtt.exec:\btbbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\fxfrxrx.exec:\fxfrxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\1bbttt.exec:\1bbttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\dppvj.exec:\dppvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\bntbnn.exec:\bntbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\1jpjv.exec:\1jpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\lxlrlfx.exec:\lxlrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\thnhbt.exec:\thnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\xlxrlff.exec:\xlxrlff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\vdjpv.exec:\vdjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\nnnbnh.exec:\nnnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\9vpdp.exec:\9vpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\vvjjp.exec:\vvjjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\jdjdv.exec:\jdjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\rrrrllf.exec:\rrrrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\jvdpv.exec:\jvdpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\1nthhh.exec:\1nthhh.exe23⤵
- Executes dropped EXE
PID:4740 -
\??\c:\jvdvj.exec:\jvdvj.exe24⤵
- Executes dropped EXE
PID:376 -
\??\c:\xrxrffx.exec:\xrxrffx.exe25⤵
- Executes dropped EXE
PID:4108 -
\??\c:\5djjj.exec:\5djjj.exe26⤵
- Executes dropped EXE
PID:2348 -
\??\c:\jvddp.exec:\jvddp.exe27⤵
- Executes dropped EXE
PID:4072 -
\??\c:\7rlfxxr.exec:\7rlfxxr.exe28⤵
- Executes dropped EXE
PID:1344 -
\??\c:\vvjpj.exec:\vvjpj.exe29⤵
- Executes dropped EXE
PID:4660 -
\??\c:\1lrlxxx.exec:\1lrlxxx.exe30⤵
- Executes dropped EXE
PID:2948 -
\??\c:\tnhbhh.exec:\tnhbhh.exe31⤵
- Executes dropped EXE
PID:2932 -
\??\c:\fxlfxxx.exec:\fxlfxxx.exe32⤵
- Executes dropped EXE
PID:4296 -
\??\c:\tbnnhh.exec:\tbnnhh.exe33⤵
- Executes dropped EXE
PID:4184 -
\??\c:\lflfllf.exec:\lflfllf.exe34⤵
- Executes dropped EXE
PID:3844 -
\??\c:\bntnbb.exec:\bntnbb.exe35⤵
- Executes dropped EXE
PID:912 -
\??\c:\vpppj.exec:\vpppj.exe36⤵
- Executes dropped EXE
PID:1736 -
\??\c:\lllfxrr.exec:\lllfxrr.exe37⤵
- Executes dropped EXE
PID:2676 -
\??\c:\hntnhh.exec:\hntnhh.exe38⤵
- Executes dropped EXE
PID:5016 -
\??\c:\1hhbtn.exec:\1hhbtn.exe39⤵
- Executes dropped EXE
PID:1012 -
\??\c:\jvdvp.exec:\jvdvp.exe40⤵
- Executes dropped EXE
PID:1480 -
\??\c:\thhbtb.exec:\thhbtb.exe41⤵
- Executes dropped EXE
PID:4596 -
\??\c:\dvvdd.exec:\dvvdd.exe42⤵
- Executes dropped EXE
PID:5076 -
\??\c:\jjvvv.exec:\jjvvv.exe43⤵
- Executes dropped EXE
PID:4904 -
\??\c:\xfffxrl.exec:\xfffxrl.exe44⤵
- Executes dropped EXE
PID:3512 -
\??\c:\bthbbt.exec:\bthbbt.exe45⤵
- Executes dropped EXE
PID:3476 -
\??\c:\jpjvj.exec:\jpjvj.exe46⤵
- Executes dropped EXE
PID:4544 -
\??\c:\5rlxllx.exec:\5rlxllx.exe47⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nbhhbb.exec:\nbhhbb.exe48⤵
- Executes dropped EXE
PID:2736 -
\??\c:\hhbbbh.exec:\hhbbbh.exe49⤵
- Executes dropped EXE
PID:1932 -
\??\c:\pjpvd.exec:\pjpvd.exe50⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rffrfxl.exec:\rffrfxl.exe51⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nhhthh.exec:\nhhthh.exe52⤵
- Executes dropped EXE
PID:4352 -
\??\c:\vvvpj.exec:\vvvpj.exe53⤵
- Executes dropped EXE
PID:4856 -
\??\c:\pdjdp.exec:\pdjdp.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:516 -
\??\c:\lfrfrrx.exec:\lfrfrrx.exe55⤵
- Executes dropped EXE
PID:1748 -
\??\c:\ntthtn.exec:\ntthtn.exe56⤵
- Executes dropped EXE
PID:3152 -
\??\c:\pdvjd.exec:\pdvjd.exe57⤵
- Executes dropped EXE
PID:4728 -
\??\c:\dddvp.exec:\dddvp.exe58⤵
- Executes dropped EXE
PID:5060 -
\??\c:\xflrflf.exec:\xflrflf.exe59⤵
- Executes dropped EXE
PID:3156 -
\??\c:\nnnhbt.exec:\nnnhbt.exe60⤵
- Executes dropped EXE
PID:4456 -
\??\c:\ddvdj.exec:\ddvdj.exe61⤵
- Executes dropped EXE
PID:3292 -
\??\c:\rlflxrl.exec:\rlflxrl.exe62⤵
- Executes dropped EXE
PID:720 -
\??\c:\btbtnn.exec:\btbtnn.exe63⤵
- Executes dropped EXE
PID:3564 -
\??\c:\5nhbtt.exec:\5nhbtt.exe64⤵
- Executes dropped EXE
PID:4396 -
\??\c:\vddvp.exec:\vddvp.exe65⤵
- Executes dropped EXE
PID:4092 -
\??\c:\fxlfflf.exec:\fxlfflf.exe66⤵PID:4124
-
\??\c:\pjvvp.exec:\pjvvp.exe67⤵PID:2260
-
\??\c:\dpppd.exec:\dpppd.exe68⤵PID:2064
-
\??\c:\rfllfxx.exec:\rfllfxx.exe69⤵PID:4228
-
\??\c:\bbbbtt.exec:\bbbbtt.exe70⤵PID:3532
-
\??\c:\3dvjv.exec:\3dvjv.exe71⤵PID:2372
-
\??\c:\jdpjv.exec:\jdpjv.exe72⤵PID:2232
-
\??\c:\xrxfxxx.exec:\xrxfxxx.exe73⤵PID:4372
-
\??\c:\tntttt.exec:\tntttt.exe74⤵PID:1948
-
\??\c:\vdppj.exec:\vdppj.exe75⤵PID:2548
-
\??\c:\3pvpp.exec:\3pvpp.exe76⤵PID:1808
-
\??\c:\fflfrrr.exec:\fflfrrr.exe77⤵PID:4764
-
\??\c:\hthbhh.exec:\hthbhh.exe78⤵PID:700
-
\??\c:\dpjdp.exec:\dpjdp.exe79⤵PID:4756
-
\??\c:\9llfrlf.exec:\9llfrlf.exe80⤵PID:5008
-
\??\c:\frxrllf.exec:\frxrllf.exe81⤵PID:4116
-
\??\c:\thnnhh.exec:\thnnhh.exe82⤵PID:3448
-
\??\c:\pdvjv.exec:\pdvjv.exe83⤵PID:1008
-
\??\c:\9vjdp.exec:\9vjdp.exe84⤵PID:4776
-
\??\c:\9rrfrlx.exec:\9rrfrlx.exe85⤵PID:5088
-
\??\c:\1bhttn.exec:\1bhttn.exe86⤵PID:4900
-
\??\c:\dppjd.exec:\dppjd.exe87⤵PID:4560
-
\??\c:\7xfxrlf.exec:\7xfxrlf.exe88⤵PID:992
-
\??\c:\rrrlffx.exec:\rrrlffx.exe89⤵PID:2192
-
\??\c:\1vvjd.exec:\1vvjd.exe90⤵PID:1732
-
\??\c:\vvpdv.exec:\vvpdv.exe91⤵PID:3336
-
\??\c:\lxxrffx.exec:\lxxrffx.exe92⤵PID:1348
-
\??\c:\thhbbb.exec:\thhbbb.exe93⤵PID:4068
-
\??\c:\3hhhhh.exec:\3hhhhh.exe94⤵PID:3844
-
\??\c:\vpdvd.exec:\vpdvd.exe95⤵PID:912
-
\??\c:\lllfxxr.exec:\lllfxxr.exe96⤵PID:4832
-
\??\c:\tntntt.exec:\tntntt.exe97⤵PID:1620
-
\??\c:\pppjv.exec:\pppjv.exe98⤵PID:1364
-
\??\c:\ppvpd.exec:\ppvpd.exe99⤵PID:432
-
\??\c:\rflfxlx.exec:\rflfxlx.exe100⤵PID:4432
-
\??\c:\nnnnhh.exec:\nnnnhh.exe101⤵PID:3484
-
\??\c:\tnbttt.exec:\tnbttt.exe102⤵PID:4308
-
\??\c:\jddvj.exec:\jddvj.exe103⤵PID:3120
-
\??\c:\3flfrrl.exec:\3flfrrl.exe104⤵PID:644
-
\??\c:\3hhbtt.exec:\3hhbtt.exe105⤵PID:4996
-
\??\c:\bthbbb.exec:\bthbbb.exe106⤵PID:4300
-
\??\c:\vjvpp.exec:\vjvpp.exe107⤵PID:3476
-
\??\c:\frrrfll.exec:\frrrfll.exe108⤵PID:4544
-
\??\c:\7tbttt.exec:\7tbttt.exe109⤵PID:3824
-
\??\c:\jdvvv.exec:\jdvvv.exe110⤵PID:4648
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe111⤵PID:4104
-
\??\c:\fxlflll.exec:\fxlflll.exe112⤵PID:3772
-
\??\c:\nhhbtt.exec:\nhhbtt.exe113⤵PID:3124
-
\??\c:\7flfrff.exec:\7flfrff.exe114⤵PID:2536
-
\??\c:\bttnnn.exec:\bttnnn.exe115⤵PID:3556
-
\??\c:\hnnhhh.exec:\hnnhhh.exe116⤵PID:516
-
\??\c:\5vdvp.exec:\5vdvp.exe117⤵PID:2636
-
\??\c:\rllfxxr.exec:\rllfxxr.exe118⤵PID:3152
-
\??\c:\llrrlll.exec:\llrrlll.exe119⤵PID:3328
-
\??\c:\3tnnhb.exec:\3tnnhb.exe120⤵PID:1528
-
\??\c:\9pvpj.exec:\9pvpj.exe121⤵PID:4548
-
\??\c:\djpjv.exec:\djpjv.exe122⤵PID:5060