Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 23:15
Behavioral task
behavioral1
Sample
62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11.exe
Resource
win7-20240903-en (note: the analysis header above reports platform windows10-2004_x64 / resource win10v2004-20250314-en, and the artefacts below are tagged behavioral2, not behavioral1 — treat the environment metadata on this page as inconsistent and confirm which task the listed IoCs belong to before reusing them)
7 signatures
150 seconds
General
-
Target
62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11.exe
-
Size
92KB
-
MD5
b78227c496e6be0eda3dccd46ee6618a
-
SHA1
146a0d1753bf87bca658c62059e4c90bb284766f
-
SHA256
62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11
-
SHA512
4fa71154708d88758536bd1c16cdac44bf885c68e42e70f55f86623da38eb16a52e1a836da8a36b32c29d2b3a319eadadb9f6981f1fcd6dec12ba0fd84287c03
-
SSDEEP
1536:8vQBeOGtrYS3srx93UBWfwC6Ggnouy80fg3Cip8iXAsG5M0u5fVBA1m:8hOmTsF93UYfwC6GIout0fmCiiiXA6NF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3640-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/712-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3396-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4388-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2380-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2792-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1620-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2488-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3364-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1472-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1916-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1300-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/776-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-629-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4220-875-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/972-987-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2236 frxrrlr.exe 4004 24622.exe 2260 pvvjp.exe 4200 nnbbbb.exe 4268 rllllrr.exe 3364 ddjvp.exe 4500 bbbbbh.exe 4264 tttnnn.exe 4636 002200.exe 4632 m8448.exe 2132 88222.exe 3424 0024802.exe 412 9pvvv.exe 2488 dvdpj.exe 2008 o688288.exe 2040 22642.exe 4856 1rllxxl.exe 1620 ntnbnb.exe 4040 68000.exe 712 k84482.exe 1680 dpjvj.exe 2556 62882.exe 4868 jdpvv.exe 3244 rrfxrxf.exe 4860 g4608.exe 3396 82848.exe 4760 jdpjd.exe 4404 ppvpp.exe 2792 fxfrrll.exe 1584 8404882.exe 3208 60262.exe 2932 5fxrlff.exe 4952 lrlflfx.exe 1656 ffrffrx.exe 1964 84604.exe 4388 pjvjd.exe 4308 044844.exe 5032 pdvjv.exe 3572 2086600.exe 2212 bhtnhh.exe 4960 26440.exe 2564 xllxrlf.exe 2600 xxfxllr.exe 892 628266.exe 3616 vddpj.exe 3580 djjdv.exe 4228 thbtnh.exe 4652 40642.exe 4528 40442.exe 1472 hbbthh.exe 3692 jjpdd.exe 4732 266606.exe 412 2802884.exe 2552 xlxrffr.exe 3276 bbttnb.exe 1884 nbbbtn.exe 4736 lfrlxrl.exe 2032 fxlfffr.exe 4492 tnhbbt.exe 4772 024060.exe 1844 llxrrrr.exe 692 8460486.exe 1448 2488264.exe 5056 llfrfrf.exe -
resource yara_rule behavioral2/memory/3640-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002358a-3.dat upx behavioral2/memory/3640-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023f4a-10.dat upx behavioral2/memory/2236-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4004-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002404a-13.dat upx behavioral2/memory/2260-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002404b-19.dat upx behavioral2/memory/4200-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002404c-23.dat upx behavioral2/memory/4268-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002404e-35.dat upx behavioral2/files/0x0007000000024051-48.dat upx behavioral2/memory/4636-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024053-58.dat upx behavioral2/memory/3424-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3424-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/412-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024057-80.dat upx behavioral2/files/0x0007000000024058-84.dat upx behavioral2/files/0x0007000000024059-87.dat upx behavioral2/memory/1620-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4856-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002405b-98.dat upx behavioral2/memory/712-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002405e-113.dat upx behavioral2/memory/4868-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002405f-119.dat upx behavioral2/files/0x0007000000024061-130.dat upx 
behavioral2/memory/4860-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024060-125.dat upx behavioral2/memory/3244-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3396-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024062-134.dat upx behavioral2/files/0x0007000000024064-139.dat upx behavioral2/memory/3244-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024065-148.dat upx behavioral2/memory/1584-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024066-154.dat upx behavioral2/memory/4952-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1656-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1656-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024067-158.dat upx behavioral2/memory/4388-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5032-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2380-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3572-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5032-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2792-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4404-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000024046-142.dat upx behavioral2/memory/2556-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002405d-109.dat upx behavioral2/files/0x000700000002405c-105.dat upx behavioral2/memory/4040-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1620-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002405a-94.dat upx behavioral2/files/0x0007000000024056-74.dat upx 
behavioral2/memory/2488-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000024055-71.dat upx behavioral2/files/0x0007000000024054-66.dat upx behavioral2/memory/2132-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-55-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own, opening the NLS\Language registry key is a weak indicator — many legitimate programs read it — so treat it as supporting context for the Blackmoon detections above rather than as a standalone detection. Entries attributed to "Process not Found" are ones the sandbox could not map back to a live process (typically because it had already exited), so they cannot be tied to a specific dropped executable from this report.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w66844.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0882484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6244444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o248822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Note: PIDs are reused within this 150-second run (for example 412 and 1680 each appear for two different dropped executables in the process list), so entries keyed by PID alone — including the memory dumps above — should be matched by process name and launch order rather than by PID.
description pid Process procid_target PID 3640 wrote to memory of 2236 3640 62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11.exe 86 PID 3640 wrote to memory of 2236 3640 62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11.exe 86 PID 3640 wrote to memory of 2236 3640 62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11.exe 86 PID 2236 wrote to memory of 4004 2236 frxrrlr.exe 87 PID 2236 wrote to memory of 4004 2236 frxrrlr.exe 87 PID 2236 wrote to memory of 4004 2236 frxrrlr.exe 87 PID 4004 wrote to memory of 2260 4004 24622.exe 88 PID 4004 wrote to memory of 2260 4004 24622.exe 88 PID 4004 wrote to memory of 2260 4004 24622.exe 88 PID 2260 wrote to memory of 4200 2260 pvvjp.exe 89 PID 2260 wrote to memory of 4200 2260 pvvjp.exe 89 PID 2260 wrote to memory of 4200 2260 pvvjp.exe 89 PID 4200 wrote to memory of 4268 4200 nnbbbb.exe 90 PID 4200 wrote to memory of 4268 4200 nnbbbb.exe 90 PID 4200 wrote to memory of 4268 4200 nnbbbb.exe 90 PID 4268 wrote to memory of 3364 4268 rllllrr.exe 91 PID 4268 wrote to memory of 3364 4268 rllllrr.exe 91 PID 4268 wrote to memory of 3364 4268 rllllrr.exe 91 PID 3364 wrote to memory of 4500 3364 ddjvp.exe 92 PID 3364 wrote to memory of 4500 3364 ddjvp.exe 92 PID 3364 wrote to memory of 4500 3364 ddjvp.exe 92 PID 4500 wrote to memory of 4264 4500 bbbbbh.exe 93 PID 4500 wrote to memory of 4264 4500 bbbbbh.exe 93 PID 4500 wrote to memory of 4264 4500 bbbbbh.exe 93 PID 4264 wrote to memory of 4636 4264 tttnnn.exe 94 PID 4264 wrote to memory of 4636 4264 tttnnn.exe 94 PID 4264 wrote to memory of 4636 4264 tttnnn.exe 94 PID 4636 wrote to memory of 4632 4636 002200.exe 95 PID 4636 wrote to memory of 4632 4636 002200.exe 95 PID 4636 wrote to memory of 4632 4636 002200.exe 95 PID 4632 wrote to memory of 2132 4632 m8448.exe 97 PID 4632 wrote to memory of 2132 4632 m8448.exe 97 PID 4632 wrote to memory of 2132 4632 m8448.exe 97 PID 2132 wrote to memory of 3424 2132 88222.exe 98 PID 2132 wrote to memory 
of 3424 2132 88222.exe 98 PID 2132 wrote to memory of 3424 2132 88222.exe 98 PID 3424 wrote to memory of 412 3424 0024802.exe 142 PID 3424 wrote to memory of 412 3424 0024802.exe 142 PID 3424 wrote to memory of 412 3424 0024802.exe 142 PID 412 wrote to memory of 2488 412 9pvvv.exe 100 PID 412 wrote to memory of 2488 412 9pvvv.exe 100 PID 412 wrote to memory of 2488 412 9pvvv.exe 100 PID 2488 wrote to memory of 2008 2488 dvdpj.exe 101 PID 2488 wrote to memory of 2008 2488 dvdpj.exe 101 PID 2488 wrote to memory of 2008 2488 dvdpj.exe 101 PID 2008 wrote to memory of 2040 2008 o688288.exe 103 PID 2008 wrote to memory of 2040 2008 o688288.exe 103 PID 2008 wrote to memory of 2040 2008 o688288.exe 103 PID 2040 wrote to memory of 4856 2040 22642.exe 104 PID 2040 wrote to memory of 4856 2040 22642.exe 104 PID 2040 wrote to memory of 4856 2040 22642.exe 104 PID 4856 wrote to memory of 1620 4856 1rllxxl.exe 105 PID 4856 wrote to memory of 1620 4856 1rllxxl.exe 105 PID 4856 wrote to memory of 1620 4856 1rllxxl.exe 105 PID 1620 wrote to memory of 4040 1620 ntnbnb.exe 106 PID 1620 wrote to memory of 4040 1620 ntnbnb.exe 106 PID 1620 wrote to memory of 4040 1620 ntnbnb.exe 106 PID 4040 wrote to memory of 712 4040 68000.exe 107 PID 4040 wrote to memory of 712 4040 68000.exe 107 PID 4040 wrote to memory of 712 4040 68000.exe 107 PID 712 wrote to memory of 1680 712 k84482.exe 155 PID 712 wrote to memory of 1680 712 k84482.exe 155 PID 712 wrote to memory of 1680 712 k84482.exe 155 PID 1680 wrote to memory of 2556 1680 dpjvj.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11.exe"C:\Users\Admin\AppData\Local\Temp\62a6fead6ca9d371215a00ec87b058bd5954d8466ec38f823daa646a6bdbda11.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\frxrrlr.exec:\frxrrlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\24622.exec:\24622.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\pvvjp.exec:\pvvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\nnbbbb.exec:\nnbbbb.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\rllllrr.exec:\rllllrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\ddjvp.exec:\ddjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\bbbbbh.exec:\bbbbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\tttnnn.exec:\tttnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\002200.exec:\002200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\m8448.exec:\m8448.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\88222.exec:\88222.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\0024802.exec:\0024802.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\9pvvv.exec:\9pvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\dvdpj.exec:\dvdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\o688288.exec:\o688288.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\22642.exec:\22642.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\1rllxxl.exec:\1rllxxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\ntnbnb.exec:\ntnbnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\68000.exec:\68000.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\k84482.exec:\k84482.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\dpjvj.exec:\dpjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\62882.exec:\62882.exe23⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jdpvv.exec:\jdpvv.exe24⤵
- Executes dropped EXE
PID:4868 -
\??\c:\rrfxrxf.exec:\rrfxrxf.exe25⤵
- Executes dropped EXE
PID:3244 -
\??\c:\g4608.exec:\g4608.exe26⤵
- Executes dropped EXE
PID:4860 -
\??\c:\82848.exec:\82848.exe27⤵
- Executes dropped EXE
PID:3396 -
\??\c:\jdpjd.exec:\jdpjd.exe28⤵
- Executes dropped EXE
PID:4760 -
\??\c:\ppvpp.exec:\ppvpp.exe29⤵
- Executes dropped EXE
PID:4404 -
\??\c:\fxfrrll.exec:\fxfrrll.exe30⤵
- Executes dropped EXE
PID:2792 -
\??\c:\8404882.exec:\8404882.exe31⤵
- Executes dropped EXE
PID:1584 -
\??\c:\60262.exec:\60262.exe32⤵
- Executes dropped EXE
PID:3208 -
\??\c:\5fxrlff.exec:\5fxrlff.exe33⤵
- Executes dropped EXE
PID:2932 -
\??\c:\lrlflfx.exec:\lrlflfx.exe34⤵
- Executes dropped EXE
PID:4952 -
\??\c:\ffrffrx.exec:\ffrffrx.exe35⤵
- Executes dropped EXE
PID:1656 -
\??\c:\84604.exec:\84604.exe36⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pjvjd.exec:\pjvjd.exe37⤵
- Executes dropped EXE
PID:4388 -
\??\c:\044844.exec:\044844.exe38⤵
- Executes dropped EXE
PID:4308 -
\??\c:\pjjdp.exec:\pjjdp.exe39⤵PID:2380
-
\??\c:\pdvjv.exec:\pdvjv.exe40⤵
- Executes dropped EXE
PID:5032 -
\??\c:\2086600.exec:\2086600.exe41⤵
- Executes dropped EXE
PID:3572 -
\??\c:\bhtnhh.exec:\bhtnhh.exe42⤵
- Executes dropped EXE
PID:2212 -
\??\c:\26440.exec:\26440.exe43⤵
- Executes dropped EXE
PID:4960 -
\??\c:\xllxrlf.exec:\xllxrlf.exe44⤵
- Executes dropped EXE
PID:2564 -
\??\c:\xxfxllr.exec:\xxfxllr.exe45⤵
- Executes dropped EXE
PID:2600 -
\??\c:\628266.exec:\628266.exe46⤵
- Executes dropped EXE
PID:892 -
\??\c:\vddpj.exec:\vddpj.exe47⤵
- Executes dropped EXE
PID:3616 -
\??\c:\djjdv.exec:\djjdv.exe48⤵
- Executes dropped EXE
PID:3580 -
\??\c:\thbtnh.exec:\thbtnh.exe49⤵
- Executes dropped EXE
PID:4228 -
\??\c:\40642.exec:\40642.exe50⤵
- Executes dropped EXE
PID:4652 -
\??\c:\40442.exec:\40442.exe51⤵
- Executes dropped EXE
PID:4528 -
\??\c:\hbbthh.exec:\hbbthh.exe52⤵
- Executes dropped EXE
PID:1472 -
\??\c:\jjpdd.exec:\jjpdd.exe53⤵
- Executes dropped EXE
PID:3692 -
\??\c:\266606.exec:\266606.exe54⤵
- Executes dropped EXE
PID:4732 -
\??\c:\2802884.exec:\2802884.exe55⤵
- Executes dropped EXE
PID:412 -
\??\c:\xlxrffr.exec:\xlxrffr.exe56⤵
- Executes dropped EXE
PID:2552 -
\??\c:\bbttnb.exec:\bbttnb.exe57⤵
- Executes dropped EXE
PID:3276 -
\??\c:\nbbbtn.exec:\nbbbtn.exe58⤵
- Executes dropped EXE
PID:1884 -
\??\c:\lfrlxrl.exec:\lfrlxrl.exe59⤵
- Executes dropped EXE
PID:4736 -
\??\c:\fxlfffr.exec:\fxlfffr.exe60⤵
- Executes dropped EXE
PID:2032 -
\??\c:\tnhbbt.exec:\tnhbbt.exe61⤵
- Executes dropped EXE
PID:4492 -
\??\c:\024060.exec:\024060.exe62⤵
- Executes dropped EXE
PID:4772 -
\??\c:\llxrrrr.exec:\llxrrrr.exe63⤵
- Executes dropped EXE
PID:1844 -
\??\c:\8460486.exec:\8460486.exe64⤵
- Executes dropped EXE
PID:692 -
\??\c:\2488264.exec:\2488264.exe65⤵
- Executes dropped EXE
PID:1448 -
\??\c:\llfrfrf.exec:\llfrfrf.exe66⤵
- Executes dropped EXE
PID:5056 -
\??\c:\vddvv.exec:\vddvv.exe67⤵PID:1680
-
\??\c:\jdppv.exec:\jdppv.exe68⤵PID:1916
-
\??\c:\02044.exec:\02044.exe69⤵PID:756
-
\??\c:\3lrrrrr.exec:\3lrrrrr.exe70⤵PID:3996
-
\??\c:\nbhtbt.exec:\nbhtbt.exe71⤵PID:4996
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe72⤵PID:4860
-
\??\c:\jjjjd.exec:\jjjjd.exe73⤵PID:552
-
\??\c:\86628.exec:\86628.exe74⤵PID:4224
-
\??\c:\3rlfxrl.exec:\3rlfxrl.exe75⤵PID:4768
-
\??\c:\xrxrllf.exec:\xrxrllf.exe76⤵PID:1792
-
\??\c:\dvvvp.exec:\dvvvp.exe77⤵PID:5116
-
\??\c:\jjjdd.exec:\jjjdd.exe78⤵PID:1564
-
\??\c:\04248.exec:\04248.exe79⤵PID:4756
-
\??\c:\822666.exec:\822666.exe80⤵PID:1068
-
\??\c:\82448.exec:\82448.exe81⤵PID:3024
-
\??\c:\624068.exec:\624068.exe82⤵PID:2916
-
\??\c:\pddjd.exec:\pddjd.exe83⤵PID:1584
-
\??\c:\dvddd.exec:\dvddd.exe84⤵PID:2016
-
\??\c:\vpppp.exec:\vpppp.exe85⤵PID:2672
-
\??\c:\426646.exec:\426646.exe86⤵PID:1300
-
\??\c:\66484.exec:\66484.exe87⤵PID:1164
-
\??\c:\jvvdd.exec:\jvvdd.exe88⤵PID:1808
-
\??\c:\684826.exec:\684826.exe89⤵PID:4368
-
\??\c:\028888.exec:\028888.exe90⤵PID:2676
-
\??\c:\844482.exec:\844482.exe91⤵PID:2380
-
\??\c:\frlfxxx.exec:\frlfxxx.exe92⤵PID:2580
-
\??\c:\2222840.exec:\2222840.exe93⤵PID:3572
-
\??\c:\flrfxrl.exec:\flrfxrl.exe94⤵PID:3612
-
\??\c:\lxxrffx.exec:\lxxrffx.exe95⤵PID:1912
-
\??\c:\tbbbtb.exec:\tbbbtb.exe96⤵PID:4440
-
\??\c:\9vdpj.exec:\9vdpj.exe97⤵PID:3704
-
\??\c:\o682622.exec:\o682622.exe98⤵PID:2600
-
\??\c:\6244444.exec:\6244444.exe99⤵
- System Location Discovery: System Language Discovery
PID:4500 -
\??\c:\0062000.exec:\0062000.exe100⤵PID:4636
-
\??\c:\a8006.exec:\a8006.exe101⤵PID:2384
-
\??\c:\1nnnhh.exec:\1nnnhh.exe102⤵PID:232
-
\??\c:\nbbtnh.exec:\nbbtnh.exe103⤵
- System Location Discovery: System Language Discovery
PID:3664 -
\??\c:\jpppj.exec:\jpppj.exe104⤵PID:2228
-
\??\c:\tnhbnn.exec:\tnhbnn.exe105⤵PID:2128
-
\??\c:\44000.exec:\44000.exe106⤵PID:4444
-
\??\c:\tnhbhh.exec:\tnhbhh.exe107⤵PID:4732
-
\??\c:\rrllfff.exec:\rrllfff.exe108⤵PID:2484
-
\??\c:\xllxllf.exec:\xllxllf.exe109⤵PID:3936
-
\??\c:\ntbttt.exec:\ntbttt.exe110⤵PID:4188
-
\??\c:\hbnbhb.exec:\hbnbhb.exe111⤵PID:2724
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe112⤵PID:2040
-
\??\c:\24660.exec:\24660.exe113⤵PID:2032
-
\??\c:\48022.exec:\48022.exe114⤵PID:4856
-
\??\c:\42822.exec:\42822.exe115⤵PID:1844
-
\??\c:\rrfflxr.exec:\rrfflxr.exe116⤵PID:692
-
\??\c:\s0226.exec:\s0226.exe117⤵PID:1448
-
\??\c:\60820.exec:\60820.exe118⤵PID:2756
-
\??\c:\004444.exec:\004444.exe119⤵
- System Location Discovery: System Language Discovery
PID:1644 -
\??\c:\044224.exec:\044224.exe120⤵PID:4944
-
\??\c:\djjjd.exec:\djjjd.exe121⤵PID:4552
-
\??\c:\68600.exec:\68600.exe122⤵PID:3292