Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 04:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe
-
Size
457KB
-
MD5
ae84c0d570e5da7da0ef2b42fa59aece
-
SHA1
1f5b9df4edff452262fe5aeaeb206d415daa7c36
-
SHA256
aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4
-
SHA512
1d9c629a753f225c555ddb6c09dcf619d09e8b20071a70db11a9de516004cff77d8c70882a60828390e8a5f0ed968004ed1cc63f4ffbae1ecf51a718646d0f95
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4n:q7Tc2NYHUrAwfMp3CD4n
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2276-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4496-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2948-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-1039-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4940-1055-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2276 5xfxrrx.exe 376 thnbtt.exe 2744 3hhbtt.exe 1784 3lffxxx.exe 4356 hnnhhh.exe 3360 9vpjj.exe 4956 lffxrrr.exe 1984 fxfxxrr.exe 4920 pdjdd.exe 4940 frxrffx.exe 3660 xxffxxr.exe 1980 9bhhbt.exe 1372 ddjvp.exe 3324 3dpdd.exe 4228 lffxfff.exe 704 3vppj.exe 3068 lrxfxrf.exe 2840 jjvjp.exe 4888 7tthnh.exe 3044 xlrllll.exe 3120 nttnbb.exe 3948 vdjdj.exe 868 xrxlfxr.exe 1248 1lfrfxl.exe 4496 hhhbbn.exe 5016 1ppjd.exe 3832 nnnhbn.exe 1852 3bbnhb.exe 2992 9fxlfrr.exe 1088 9hbbtt.exe 2212 pddvp.exe 4700 xlrrlfx.exe 4568 5pjvp.exe 2884 jdvdp.exe 3508 9rlxlfx.exe 5020 tbthhb.exe 4328 rxfrfxl.exe 2956 nhnhnh.exe 3860 pvdpj.exe 2272 3rllxxl.exe 3048 nbhhhh.exe 760 pjvpp.exe 4160 xlxlffx.exe 3124 7hhhhh.exe 1304 nbhbtn.exe 3356 3vdvv.exe 3220 5llfxxl.exe 3208 nbbtnh.exe 1368 pjvpv.exe 5096 llfffff.exe 1520 nhhtnn.exe 4876 7vjvp.exe 4776 5llfrrx.exe 532 rrrlxrl.exe 3224 tbbnht.exe 5080 jvvjv.exe 4864 xllxrfr.exe 640 1nhbtn.exe 4540 bnhbnb.exe 5108 1pjdp.exe 1788 1fxlxrf.exe 4076 5hhtnn.exe 224 7jjvj.exe 3324 jppjd.exe -
resource yara_rule behavioral2/memory/2276-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1248-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1568-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-723-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 2276 2028 aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe 84 PID 2028 wrote to memory of 2276 2028 aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe 84 PID 2028 wrote to memory of 2276 2028 aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe 84 PID 2276 wrote to memory of 376 2276 5xfxrrx.exe 85 PID 2276 wrote to memory of 376 2276 5xfxrrx.exe 85 PID 2276 wrote to memory of 376 2276 5xfxrrx.exe 85 PID 376 wrote to memory of 2744 376 thnbtt.exe 86 PID 376 wrote to memory of 2744 376 thnbtt.exe 86 PID 376 wrote to memory of 2744 376 thnbtt.exe 86 PID 2744 wrote to memory of 1784 2744 3hhbtt.exe 87 PID 2744 wrote to memory of 1784 2744 3hhbtt.exe 87 PID 2744 wrote to memory of 1784 2744 3hhbtt.exe 87 PID 1784 wrote to memory of 4356 1784 3lffxxx.exe 88 PID 1784 wrote to memory of 4356 1784 3lffxxx.exe 88 PID 1784 wrote to memory of 4356 1784 3lffxxx.exe 88 PID 4356 wrote to memory of 3360 4356 hnnhhh.exe 89 PID 4356 wrote to memory of 3360 4356 hnnhhh.exe 89 PID 4356 wrote to memory of 3360 4356 hnnhhh.exe 89 PID 3360 wrote to memory of 4956 3360 9vpjj.exe 90 PID 3360 wrote to memory of 4956 3360 9vpjj.exe 90 PID 3360 wrote to memory of 4956 3360 9vpjj.exe 90 PID 4956 wrote to memory of 1984 4956 lffxrrr.exe 91 PID 4956 wrote to memory of 1984 4956 lffxrrr.exe 91 PID 4956 wrote to memory of 1984 4956 lffxrrr.exe 91 PID 1984 wrote to memory of 4920 1984 fxfxxrr.exe 92 PID 1984 wrote to memory of 4920 1984 fxfxxrr.exe 92 PID 1984 wrote to memory of 4920 1984 fxfxxrr.exe 92 PID 4920 wrote to memory of 4940 4920 pdjdd.exe 93 PID 4920 wrote to memory of 4940 4920 pdjdd.exe 93 PID 4920 wrote to memory of 4940 4920 pdjdd.exe 93 PID 4940 wrote to memory of 3660 4940 frxrffx.exe 94 PID 4940 wrote to memory of 3660 4940 frxrffx.exe 94 PID 4940 wrote to memory of 3660 4940 frxrffx.exe 94 PID 3660 wrote to memory of 1980 3660 xxffxxr.exe 95 PID 3660 wrote to 
memory of 1980 3660 xxffxxr.exe 95 PID 3660 wrote to memory of 1980 3660 xxffxxr.exe 95 PID 1980 wrote to memory of 1372 1980 9bhhbt.exe 96 PID 1980 wrote to memory of 1372 1980 9bhhbt.exe 96 PID 1980 wrote to memory of 1372 1980 9bhhbt.exe 96 PID 1372 wrote to memory of 3324 1372 ddjvp.exe 97 PID 1372 wrote to memory of 3324 1372 ddjvp.exe 97 PID 1372 wrote to memory of 3324 1372 ddjvp.exe 97 PID 3324 wrote to memory of 4228 3324 3dpdd.exe 98 PID 3324 wrote to memory of 4228 3324 3dpdd.exe 98 PID 3324 wrote to memory of 4228 3324 3dpdd.exe 98 PID 4228 wrote to memory of 704 4228 lffxfff.exe 99 PID 4228 wrote to memory of 704 4228 lffxfff.exe 99 PID 4228 wrote to memory of 704 4228 lffxfff.exe 99 PID 704 wrote to memory of 3068 704 3vppj.exe 100 PID 704 wrote to memory of 3068 704 3vppj.exe 100 PID 704 wrote to memory of 3068 704 3vppj.exe 100 PID 3068 wrote to memory of 2840 3068 lrxfxrf.exe 101 PID 3068 wrote to memory of 2840 3068 lrxfxrf.exe 101 PID 3068 wrote to memory of 2840 3068 lrxfxrf.exe 101 PID 2840 wrote to memory of 4888 2840 jjvjp.exe 102 PID 2840 wrote to memory of 4888 2840 jjvjp.exe 102 PID 2840 wrote to memory of 4888 2840 jjvjp.exe 102 PID 4888 wrote to memory of 3044 4888 7tthnh.exe 103 PID 4888 wrote to memory of 3044 4888 7tthnh.exe 103 PID 4888 wrote to memory of 3044 4888 7tthnh.exe 103 PID 3044 wrote to memory of 3120 3044 xlrllll.exe 104 PID 3044 wrote to memory of 3120 3044 xlrllll.exe 104 PID 3044 wrote to memory of 3120 3044 xlrllll.exe 104 PID 3120 wrote to memory of 3948 3120 nttnbb.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe"C:\Users\Admin\AppData\Local\Temp\aa1341a7efc786b0881d17eb79c44e9c269def79997197bf3cc3ddc0d15aacb4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\5xfxrrx.exec:\5xfxrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\thnbtt.exec:\thnbtt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\3hhbtt.exec:\3hhbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\3lffxxx.exec:\3lffxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\hnnhhh.exec:\hnnhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\9vpjj.exec:\9vpjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\lffxrrr.exec:\lffxrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\pdjdd.exec:\pdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\frxrffx.exec:\frxrffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\xxffxxr.exec:\xxffxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\9bhhbt.exec:\9bhhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\ddjvp.exec:\ddjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\3dpdd.exec:\3dpdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\lffxfff.exec:\lffxfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\3vppj.exec:\3vppj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\lrxfxrf.exec:\lrxfxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\jjvjp.exec:\jjvjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\7tthnh.exec:\7tthnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\xlrllll.exec:\xlrllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\nttnbb.exec:\nttnbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\vdjdj.exec:\vdjdj.exe23⤵
- Executes dropped EXE
PID:3948 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe24⤵
- Executes dropped EXE
PID:868 -
\??\c:\1lfrfxl.exec:\1lfrfxl.exe25⤵
- Executes dropped EXE
PID:1248 -
\??\c:\hhhbbn.exec:\hhhbbn.exe26⤵
- Executes dropped EXE
PID:4496 -
\??\c:\1ppjd.exec:\1ppjd.exe27⤵
- Executes dropped EXE
PID:5016 -
\??\c:\nnnhbn.exec:\nnnhbn.exe28⤵
- Executes dropped EXE
PID:3832 -
\??\c:\3bbnhb.exec:\3bbnhb.exe29⤵
- Executes dropped EXE
PID:1852 -
\??\c:\9fxlfrr.exec:\9fxlfrr.exe30⤵
- Executes dropped EXE
PID:2992 -
\??\c:\9hbbtt.exec:\9hbbtt.exe31⤵
- Executes dropped EXE
PID:1088 -
\??\c:\pddvp.exec:\pddvp.exe32⤵
- Executes dropped EXE
PID:2212 -
\??\c:\xlrrlfx.exec:\xlrrlfx.exe33⤵
- Executes dropped EXE
PID:4700 -
\??\c:\5pjvp.exec:\5pjvp.exe34⤵
- Executes dropped EXE
PID:4568 -
\??\c:\jdvdp.exec:\jdvdp.exe35⤵
- Executes dropped EXE
PID:2884 -
\??\c:\9rlxlfx.exec:\9rlxlfx.exe36⤵
- Executes dropped EXE
PID:3508 -
\??\c:\tbthhb.exec:\tbthhb.exe37⤵
- Executes dropped EXE
PID:5020 -
\??\c:\rxfrfxl.exec:\rxfrfxl.exe38⤵
- Executes dropped EXE
PID:4328 -
\??\c:\nhnhnh.exec:\nhnhnh.exe39⤵
- Executes dropped EXE
PID:2956 -
\??\c:\pvdpj.exec:\pvdpj.exe40⤵
- Executes dropped EXE
PID:3860 -
\??\c:\3rllxxl.exec:\3rllxxl.exe41⤵
- Executes dropped EXE
PID:2272 -
\??\c:\nbhhhh.exec:\nbhhhh.exe42⤵
- Executes dropped EXE
PID:3048 -
\??\c:\pjvpp.exec:\pjvpp.exe43⤵
- Executes dropped EXE
PID:760 -
\??\c:\xlxlffx.exec:\xlxlffx.exe44⤵
- Executes dropped EXE
PID:4160 -
\??\c:\7hhhhh.exec:\7hhhhh.exe45⤵
- Executes dropped EXE
PID:3124 -
\??\c:\nbhbtn.exec:\nbhbtn.exe46⤵
- Executes dropped EXE
PID:1304 -
\??\c:\3vdvv.exec:\3vdvv.exe47⤵
- Executes dropped EXE
PID:3356 -
\??\c:\5llfxxl.exec:\5llfxxl.exe48⤵
- Executes dropped EXE
PID:3220 -
\??\c:\nbbtnh.exec:\nbbtnh.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3208 -
\??\c:\pjvpv.exec:\pjvpv.exe50⤵
- Executes dropped EXE
PID:1368 -
\??\c:\llfffff.exec:\llfffff.exe51⤵
- Executes dropped EXE
PID:5096 -
\??\c:\nhhtnn.exec:\nhhtnn.exe52⤵
- Executes dropped EXE
PID:1520 -
\??\c:\7vjvp.exec:\7vjvp.exe53⤵
- Executes dropped EXE
PID:4876 -
\??\c:\5llfrrx.exec:\5llfrrx.exe54⤵
- Executes dropped EXE
PID:4776 -
\??\c:\rrrlxrl.exec:\rrrlxrl.exe55⤵
- Executes dropped EXE
PID:532 -
\??\c:\tbbnht.exec:\tbbnht.exe56⤵
- Executes dropped EXE
PID:3224 -
\??\c:\jvvjv.exec:\jvvjv.exe57⤵
- Executes dropped EXE
PID:5080 -
\??\c:\xllxrfr.exec:\xllxrfr.exe58⤵
- Executes dropped EXE
PID:4864 -
\??\c:\1nhbtn.exec:\1nhbtn.exe59⤵
- Executes dropped EXE
PID:640 -
\??\c:\bnhbnb.exec:\bnhbnb.exe60⤵
- Executes dropped EXE
PID:4540 -
\??\c:\1pjdp.exec:\1pjdp.exe61⤵
- Executes dropped EXE
PID:5108 -
\??\c:\1fxlxrf.exec:\1fxlxrf.exe62⤵
- Executes dropped EXE
PID:1788 -
\??\c:\5hhtnn.exec:\5hhtnn.exe63⤵
- Executes dropped EXE
PID:4076 -
\??\c:\7jjvj.exec:\7jjvj.exe64⤵
- Executes dropped EXE
PID:224 -
\??\c:\jppjd.exec:\jppjd.exe65⤵
- Executes dropped EXE
PID:3324 -
\??\c:\1xrfffx.exec:\1xrfffx.exe66⤵PID:1224
-
\??\c:\1xrlfxl.exec:\1xrlfxl.exe67⤵PID:4228
-
\??\c:\dppvp.exec:\dppvp.exe68⤵PID:4844
-
\??\c:\lflfffr.exec:\lflfffr.exe69⤵PID:704
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe70⤵PID:2952
-
\??\c:\tbbnhb.exec:\tbbnhb.exe71⤵PID:2252
-
\??\c:\7ddvd.exec:\7ddvd.exe72⤵PID:2948
-
\??\c:\rfrlfxl.exec:\rfrlfxl.exe73⤵PID:3964
-
\??\c:\hbtnbt.exec:\hbtnbt.exe74⤵PID:3988
-
\??\c:\1dvpj.exec:\1dvpj.exe75⤵PID:2032
-
\??\c:\7ffxrrr.exec:\7ffxrrr.exe76⤵PID:4008
-
\??\c:\3fxrllx.exec:\3fxrllx.exe77⤵PID:1936
-
\??\c:\htbthb.exec:\htbthb.exe78⤵PID:1848
-
\??\c:\jvvjd.exec:\jvvjd.exe79⤵PID:2184
-
\??\c:\lfrfxrl.exec:\lfrfxrl.exe80⤵PID:1768
-
\??\c:\5hnhbb.exec:\5hnhbb.exe81⤵PID:1932
-
\??\c:\7hnhhh.exec:\7hnhhh.exe82⤵PID:3548
-
\??\c:\9ppjd.exec:\9ppjd.exe83⤵PID:2280
-
\??\c:\lffrlfx.exec:\lffrlfx.exe84⤵PID:3624
-
\??\c:\hbhttt.exec:\hbhttt.exe85⤵PID:1568
-
\??\c:\dddvj.exec:\dddvj.exe86⤵PID:316
-
\??\c:\9rrlxrl.exec:\9rrlxrl.exe87⤵PID:4092
-
\??\c:\bnhtnh.exec:\bnhtnh.exe88⤵PID:4972
-
\??\c:\vddvj.exec:\vddvj.exe89⤵PID:4696
-
\??\c:\fxrlfxx.exec:\fxrlfxx.exe90⤵PID:4524
-
\??\c:\fxfllxr.exec:\fxfllxr.exe91⤵PID:1576
-
\??\c:\ttthbh.exec:\ttthbh.exe92⤵PID:3396
-
\??\c:\jpvpj.exec:\jpvpj.exe93⤵PID:3440
-
\??\c:\rrxxffr.exec:\rrxxffr.exe94⤵PID:4700
-
\??\c:\5fxrlfx.exec:\5fxrlfx.exe95⤵PID:4040
-
\??\c:\hhnhbn.exec:\hhnhbn.exe96⤵PID:912
-
\??\c:\pddjj.exec:\pddjj.exe97⤵PID:2848
-
\??\c:\rlrrxrx.exec:\rlrrxrx.exe98⤵PID:4320
-
\??\c:\ththbt.exec:\ththbt.exe99⤵PID:2028
-
\??\c:\pjpjd.exec:\pjpjd.exe100⤵PID:4552
-
\??\c:\rxrfxrf.exec:\rxrfxrf.exe101⤵PID:2276
-
\??\c:\7hhbtn.exec:\7hhbtn.exe102⤵PID:4584
-
\??\c:\vvpjd.exec:\vvpjd.exe103⤵PID:4556
-
\??\c:\xfffxxr.exec:\xfffxxr.exe104⤵PID:2056
-
\??\c:\thnhhb.exec:\thnhhb.exe105⤵PID:1456
-
\??\c:\3hnhbb.exec:\3hnhbb.exe106⤵PID:4160
-
\??\c:\jjpvv.exec:\jjpvv.exe107⤵PID:4448
-
\??\c:\fxfxxxl.exec:\fxfxxxl.exe108⤵PID:1304
-
\??\c:\bbbttn.exec:\bbbttn.exe109⤵PID:1240
-
\??\c:\vjjdv.exec:\vjjdv.exe110⤵PID:3220
-
\??\c:\3lfxrlx.exec:\3lfxrlx.exe111⤵PID:3868
-
\??\c:\nhbbtt.exec:\nhbbtt.exe112⤵PID:1368
-
\??\c:\hnhbtn.exec:\hnhbtn.exe113⤵PID:3348
-
\??\c:\djpjd.exec:\djpjd.exe114⤵PID:1352
-
\??\c:\fffxrrl.exec:\fffxrrl.exe115⤵PID:4352
-
\??\c:\bntnbb.exec:\bntnbb.exe116⤵PID:4920
-
\??\c:\5ppjp.exec:\5ppjp.exe117⤵PID:2444
-
\??\c:\7jdvv.exec:\7jdvv.exe118⤵PID:3460
-
\??\c:\fxfxrll.exec:\fxfxrll.exe119⤵PID:5080
-
\??\c:\bntnhb.exec:\bntnhb.exe120⤵PID:4864
-
\??\c:\pvjjp.exec:\pvjjp.exe121⤵PID:3696
-
\??\c:\dpppj.exec:\dpppj.exe122⤵PID:4172