Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 03:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe
-
Size
457KB
-
MD5
ae84c0d570e5da7da0ef2b42fa59aece
-
SHA1
1f5b9df4edff452262fe5aeaeb206d415daa7c36
-
SHA256
aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4
-
SHA512
1d9c629a753f225c555ddb6c09dcf619d09e8b20071a70db11a9de516004cff77d8c70882a60828390e8a5f0ed968004ed1cc63f4ffbae1ecf51a718646d0f95
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4n:q7Tc2NYHUrAwfMp3CD4n
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1280-3-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1900-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/920-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-1020-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1560-1736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1836 jddvp.exe 3048 g6860.exe 4504 tbbtht.exe 5076 jdpjj.exe 3340 8886820.exe 4924 22642.exe 4696 4064468.exe 1856 4608660.exe 4964 8466602.exe 4996 06826.exe 4060 3lfrxlx.exe 1508 3ddjv.exe 4424 frxxrrl.exe 1100 668626.exe 4268 28866.exe 1520 fflxlfr.exe 4840 vjpjp.exe 4232 vppvj.exe 1456 rffxxxr.exe 3676 4644844.exe 3628 bhhthb.exe 3788 q80444.exe 2996 hnntht.exe 3452 088888.exe 1484 4226826.exe 728 228888.exe 3672 8882064.exe 4036 00060.exe 4704 40220.exe 2052 hhhhbt.exe 2784 m6860.exe 1356 68048.exe 2640 btbthh.exe 1900 20204.exe 2740 dddvp.exe 920 9btnhh.exe 1232 000202.exe 8 g6266.exe 3644 04262.exe 3956 lfxxrxr.exe 5052 0626660.exe 4368 0802626.exe 2212 3vpjv.exe 3492 480488.exe 1276 606004.exe 3360 xllfxxr.exe 4876 frxrffx.exe 4800 e84848.exe 2244 fffxrrl.exe 1020 hbtbbb.exe 1104 nhhnhh.exe 4940 nbnbbb.exe 4920 rxfxxrl.exe 4976 rlfffxf.exe 4776 m2888.exe 4356 rxrxrfx.exe 1460 4060448.exe 3124 jjdvp.exe 2764 xflfrxf.exe 4148 4460000.exe 4436 6082884.exe 4408 7djdv.exe 4152 6400848.exe 5004 w84822.exe -
resource yara_rule behavioral2/memory/1280-3-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-211-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3956-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4036-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-880-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w42086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866642.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c248808.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1280 wrote to memory of 1836 1280 aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe 81 PID 1280 wrote to memory of 1836 1280 aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe 81 PID 1280 wrote to memory of 1836 1280 aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe 81 PID 1836 wrote to memory of 3048 1836 jddvp.exe 82 PID 1836 wrote to memory of 3048 1836 jddvp.exe 82 PID 1836 wrote to memory of 3048 1836 jddvp.exe 82 PID 3048 wrote to memory of 4504 3048 g6860.exe 83 PID 3048 wrote to memory of 4504 3048 g6860.exe 83 PID 3048 wrote to memory of 4504 3048 g6860.exe 83 PID 4504 wrote to memory of 5076 4504 tbbtht.exe 84 PID 4504 wrote to memory of 5076 4504 tbbtht.exe 84 PID 4504 wrote to memory of 5076 4504 tbbtht.exe 84 PID 5076 wrote to memory of 3340 5076 jdpjj.exe 85 PID 5076 wrote to memory of 3340 5076 jdpjj.exe 85 PID 5076 wrote to memory of 3340 5076 jdpjj.exe 85 PID 3340 wrote to memory of 4924 3340 8886820.exe 86 PID 3340 wrote to memory of 4924 3340 8886820.exe 86 PID 3340 wrote to memory of 4924 3340 8886820.exe 86 PID 4924 wrote to memory of 4696 4924 22642.exe 87 PID 4924 wrote to memory of 4696 4924 22642.exe 87 PID 4924 wrote to memory of 4696 4924 22642.exe 87 PID 4696 wrote to memory of 1856 4696 4064468.exe 88 PID 4696 wrote to memory of 1856 4696 4064468.exe 88 PID 4696 wrote to memory of 1856 4696 4064468.exe 88 PID 1856 wrote to memory of 4964 1856 4608660.exe 89 PID 1856 wrote to memory of 4964 1856 4608660.exe 89 PID 1856 wrote to memory of 4964 1856 4608660.exe 89 PID 4964 wrote to memory of 4996 4964 8466602.exe 90 PID 4964 wrote to memory of 4996 4964 8466602.exe 90 PID 4964 wrote to memory of 4996 4964 8466602.exe 90 PID 4996 wrote to memory of 4060 4996 06826.exe 91 PID 4996 wrote to memory of 4060 4996 06826.exe 91 PID 4996 wrote to memory of 4060 4996 06826.exe 91 PID 4060 wrote to memory of 1508 4060 3lfrxlx.exe 92 PID 4060 wrote to 
memory of 1508 4060 3lfrxlx.exe 92 PID 4060 wrote to memory of 1508 4060 3lfrxlx.exe 92 PID 1508 wrote to memory of 4424 1508 3ddjv.exe 154 PID 1508 wrote to memory of 4424 1508 3ddjv.exe 154 PID 1508 wrote to memory of 4424 1508 3ddjv.exe 154 PID 4424 wrote to memory of 1100 4424 frxxrrl.exe 94 PID 4424 wrote to memory of 1100 4424 frxxrrl.exe 94 PID 4424 wrote to memory of 1100 4424 frxxrrl.exe 94 PID 1100 wrote to memory of 4268 1100 668626.exe 95 PID 1100 wrote to memory of 4268 1100 668626.exe 95 PID 1100 wrote to memory of 4268 1100 668626.exe 95 PID 4268 wrote to memory of 1520 4268 28866.exe 96 PID 4268 wrote to memory of 1520 4268 28866.exe 96 PID 4268 wrote to memory of 1520 4268 28866.exe 96 PID 1520 wrote to memory of 4840 1520 fflxlfr.exe 97 PID 1520 wrote to memory of 4840 1520 fflxlfr.exe 97 PID 1520 wrote to memory of 4840 1520 fflxlfr.exe 97 PID 4840 wrote to memory of 4232 4840 vjpjp.exe 98 PID 4840 wrote to memory of 4232 4840 vjpjp.exe 98 PID 4840 wrote to memory of 4232 4840 vjpjp.exe 98 PID 4232 wrote to memory of 1456 4232 vppvj.exe 99 PID 4232 wrote to memory of 1456 4232 vppvj.exe 99 PID 4232 wrote to memory of 1456 4232 vppvj.exe 99 PID 1456 wrote to memory of 3676 1456 rffxxxr.exe 100 PID 1456 wrote to memory of 3676 1456 rffxxxr.exe 100 PID 1456 wrote to memory of 3676 1456 rffxxxr.exe 100 PID 3676 wrote to memory of 3628 3676 4644844.exe 101 PID 3676 wrote to memory of 3628 3676 4644844.exe 101 PID 3676 wrote to memory of 3628 3676 4644844.exe 101 PID 3628 wrote to memory of 3788 3628 bhhthb.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe"C:\Users\Admin\AppData\Local\Temp\aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\jddvp.exec:\jddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\g6860.exec:\g6860.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\tbbtht.exec:\tbbtht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\jdpjj.exec:\jdpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\8886820.exec:\8886820.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\22642.exec:\22642.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\4064468.exec:\4064468.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\4608660.exec:\4608660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\8466602.exec:\8466602.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\06826.exec:\06826.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\3lfrxlx.exec:\3lfrxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\3ddjv.exec:\3ddjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\frxxrrl.exec:\frxxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\668626.exec:\668626.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\28866.exec:\28866.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\fflxlfr.exec:\fflxlfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\vjpjp.exec:\vjpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\vppvj.exec:\vppvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\rffxxxr.exec:\rffxxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\4644844.exec:\4644844.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\bhhthb.exec:\bhhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\q80444.exec:\q80444.exe23⤵
- Executes dropped EXE
PID:3788 -
\??\c:\hnntht.exec:\hnntht.exe24⤵
- Executes dropped EXE
PID:2996 -
\??\c:\088888.exec:\088888.exe25⤵
- Executes dropped EXE
PID:3452 -
\??\c:\4226826.exec:\4226826.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\228888.exec:\228888.exe27⤵
- Executes dropped EXE
PID:728 -
\??\c:\8882064.exec:\8882064.exe28⤵
- Executes dropped EXE
PID:3672 -
\??\c:\00060.exec:\00060.exe29⤵
- Executes dropped EXE
PID:4036 -
\??\c:\40220.exec:\40220.exe30⤵
- Executes dropped EXE
PID:4704 -
\??\c:\hhhhbt.exec:\hhhhbt.exe31⤵
- Executes dropped EXE
PID:2052 -
\??\c:\m6860.exec:\m6860.exe32⤵
- Executes dropped EXE
PID:2784 -
\??\c:\68048.exec:\68048.exe33⤵
- Executes dropped EXE
PID:1356 -
\??\c:\btbthh.exec:\btbthh.exe34⤵
- Executes dropped EXE
PID:2640 -
\??\c:\20204.exec:\20204.exe35⤵
- Executes dropped EXE
PID:1900 -
\??\c:\dddvp.exec:\dddvp.exe36⤵
- Executes dropped EXE
PID:2740 -
\??\c:\9btnhh.exec:\9btnhh.exe37⤵
- Executes dropped EXE
PID:920 -
\??\c:\000202.exec:\000202.exe38⤵
- Executes dropped EXE
PID:1232 -
\??\c:\g6266.exec:\g6266.exe39⤵
- Executes dropped EXE
PID:8 -
\??\c:\04262.exec:\04262.exe40⤵
- Executes dropped EXE
PID:3644 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe41⤵
- Executes dropped EXE
PID:3956 -
\??\c:\0626660.exec:\0626660.exe42⤵
- Executes dropped EXE
PID:5052 -
\??\c:\0802626.exec:\0802626.exe43⤵
- Executes dropped EXE
PID:4368 -
\??\c:\3vpjv.exec:\3vpjv.exe44⤵
- Executes dropped EXE
PID:2212 -
\??\c:\480488.exec:\480488.exe45⤵
- Executes dropped EXE
PID:3492 -
\??\c:\606004.exec:\606004.exe46⤵
- Executes dropped EXE
PID:1276 -
\??\c:\xllfxxr.exec:\xllfxxr.exe47⤵
- Executes dropped EXE
PID:3360 -
\??\c:\frxrffx.exec:\frxrffx.exe48⤵
- Executes dropped EXE
PID:4876 -
\??\c:\e84848.exec:\e84848.exe49⤵
- Executes dropped EXE
PID:4800 -
\??\c:\fffxrrl.exec:\fffxrrl.exe50⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hbtbbb.exec:\hbtbbb.exe51⤵
- Executes dropped EXE
PID:1020 -
\??\c:\nhhnhh.exec:\nhhnhh.exe52⤵
- Executes dropped EXE
PID:1104 -
\??\c:\nbnbbb.exec:\nbnbbb.exe53⤵
- Executes dropped EXE
PID:4940 -
\??\c:\rxfxxrl.exec:\rxfxxrl.exe54⤵
- Executes dropped EXE
PID:4920 -
\??\c:\rlfffxf.exec:\rlfffxf.exe55⤵
- Executes dropped EXE
PID:4976 -
\??\c:\m2888.exec:\m2888.exe56⤵
- Executes dropped EXE
PID:4776 -
\??\c:\rxrxrfx.exec:\rxrxrfx.exe57⤵
- Executes dropped EXE
PID:4356 -
\??\c:\4060448.exec:\4060448.exe58⤵
- Executes dropped EXE
PID:1460 -
\??\c:\jjdvp.exec:\jjdvp.exe59⤵
- Executes dropped EXE
PID:3124 -
\??\c:\xflfrxf.exec:\xflfrxf.exe60⤵
- Executes dropped EXE
PID:2764 -
\??\c:\4460000.exec:\4460000.exe61⤵
- Executes dropped EXE
PID:4148 -
\??\c:\6082884.exec:\6082884.exe62⤵
- Executes dropped EXE
PID:4436 -
\??\c:\7djdv.exec:\7djdv.exe63⤵
- Executes dropped EXE
PID:4408 -
\??\c:\6400848.exec:\6400848.exe64⤵
- Executes dropped EXE
PID:4152 -
\??\c:\w84822.exec:\w84822.exe65⤵
- Executes dropped EXE
PID:5004 -
\??\c:\xxfxrrf.exec:\xxfxrrf.exe66⤵PID:792
-
\??\c:\lrlrllr.exec:\lrlrllr.exe67⤵PID:4496
-
\??\c:\880204.exec:\880204.exe68⤵PID:2520
-
\??\c:\868226.exec:\868226.exe69⤵PID:5048
-
\??\c:\c220448.exec:\c220448.exe70⤵PID:4384
-
\??\c:\66426.exec:\66426.exe71⤵PID:4540
-
\??\c:\lrrllfx.exec:\lrrllfx.exe72⤵PID:3516
-
\??\c:\nbbtnn.exec:\nbbtnn.exe73⤵PID:1452
-
\??\c:\frrlrlf.exec:\frrlrlf.exe74⤵PID:3708
-
\??\c:\rllxxrr.exec:\rllxxrr.exe75⤵PID:4424
-
\??\c:\tbthbn.exec:\tbthbn.exe76⤵PID:4416
-
\??\c:\2620884.exec:\2620884.exe77⤵PID:1068
-
\??\c:\5dvjj.exec:\5dvjj.exe78⤵PID:1816
-
\??\c:\k84884.exec:\k84884.exe79⤵PID:3856
-
\??\c:\660422.exec:\660422.exe80⤵PID:1564
-
\??\c:\9llxrlx.exec:\9llxrlx.exe81⤵PID:4588
-
\??\c:\lxrfrxl.exec:\lxrfrxl.exe82⤵PID:4852
-
\??\c:\jpvjv.exec:\jpvjv.exe83⤵PID:4772
-
\??\c:\lxrxffl.exec:\lxrxffl.exe84⤵PID:3404
-
\??\c:\nnhbbb.exec:\nnhbbb.exe85⤵PID:5008
-
\??\c:\g6608.exec:\g6608.exe86⤵PID:4856
-
\??\c:\062648.exec:\062648.exe87⤵PID:3788
-
\??\c:\dpvpp.exec:\dpvpp.exe88⤵PID:1708
-
\??\c:\3bhthh.exec:\3bhthh.exe89⤵PID:3164
-
\??\c:\pjpjj.exec:\pjpjj.exe90⤵PID:4480
-
\??\c:\i664608.exec:\i664608.exe91⤵PID:3888
-
\??\c:\s4826.exec:\s4826.exe92⤵PID:1968
-
\??\c:\hntntn.exec:\hntntn.exe93⤵PID:864
-
\??\c:\djjvj.exec:\djjvj.exe94⤵PID:3116
-
\??\c:\rxxfrlx.exec:\rxxfrlx.exe95⤵PID:2976
-
\??\c:\2608426.exec:\2608426.exe96⤵PID:1524
-
\??\c:\tbthtn.exec:\tbthtn.exe97⤵PID:4396
-
\??\c:\i284266.exec:\i284266.exe98⤵PID:3148
-
\??\c:\q02648.exec:\q02648.exe99⤵PID:1356
-
\??\c:\c040042.exec:\c040042.exe100⤵PID:2640
-
\??\c:\860860.exec:\860860.exe101⤵PID:1388
-
\??\c:\dddpd.exec:\dddpd.exe102⤵PID:388
-
\??\c:\lxrflfr.exec:\lxrflfr.exe103⤵PID:1732
-
\??\c:\408204.exec:\408204.exe104⤵PID:4084
-
\??\c:\xlflrlx.exec:\xlflrlx.exe105⤵PID:4040
-
\??\c:\7pjvj.exec:\7pjvj.exe106⤵PID:8
-
\??\c:\868860.exec:\868860.exe107⤵PID:2860
-
\??\c:\pvvpj.exec:\pvvpj.exe108⤵PID:3956
-
\??\c:\frfrlxl.exec:\frfrlxl.exe109⤵PID:5052
-
\??\c:\tbbnbt.exec:\tbbnbt.exe110⤵PID:3508
-
\??\c:\42826.exec:\42826.exe111⤵PID:3024
-
\??\c:\e48682.exec:\e48682.exe112⤵PID:512
-
\??\c:\u448608.exec:\u448608.exe113⤵PID:3284
-
\??\c:\226084.exec:\226084.exe114⤵PID:1276
-
\??\c:\vjjdj.exec:\vjjdj.exe115⤵PID:3360
-
\??\c:\2060608.exec:\2060608.exe116⤵PID:4876
-
\??\c:\a6264.exec:\a6264.exe117⤵PID:1532
-
\??\c:\868882.exec:\868882.exe118⤵PID:2532
-
\??\c:\ddjvj.exec:\ddjvj.exe119⤵PID:3952
-
\??\c:\pppdv.exec:\pppdv.exe120⤵PID:1020
-
\??\c:\26488.exec:\26488.exe121⤵PID:1104
-
\??\c:\i060442.exec:\i060442.exe122⤵PID:4940