Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 22:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2.exe
-
Size
459KB
-
MD5
f33df94e8b76d59cd54eb8fa7327106f
-
SHA1
502d3345dc5484c6145363611468d9d48440c434
-
SHA256
5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2
-
SHA512
e20fb84ca4ebd2e5609b8dcb5a5bc1094aa70d0a26dacccca48d0d139522f43573c3290f83046afeb2c80339109c85d79d7f9eae41994b14b6b6f19c428fecf0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeWP:q7Tc2NYHUrAwfMp3CDWP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1948-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1572-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/244-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-1020-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-1387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-1745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2588-1825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3104 600422.exe 4176 q62682.exe 4584 dppvp.exe 3320 0842064.exe 4064 08422.exe 4144 3fxlfxr.exe 5084 28086.exe 2112 lxrfrlx.exe 1336 602682.exe 4912 022860.exe 3356 84860.exe 448 bbbthb.exe 904 3dppd.exe 1352 84642.exe 4420 dpvjj.exe 4164 htnhhh.exe 4344 lxxlfxr.exe 4900 844260.exe 3884 06860.exe 1468 0660820.exe 64 e62460.exe 4704 fffrffx.exe 1524 hhhbnb.exe 1216 k46082.exe 4352 82864.exe 4380 vdpvj.exe 4140 066086.exe 2584 44420.exe 2700 046420.exe 244 0846488.exe 2044 fxfrrll.exe 1572 a6082.exe 644 bbhtnh.exe 1980 208204.exe 3820 4220864.exe 5032 o620826.exe 2536 66264.exe 3576 llrrfxr.exe 1688 202004.exe 4792 2648266.exe 5048 g4486.exe 4992 xrxrlff.exe 4552 pvdpd.exe 3384 hthttn.exe 1228 jvdpp.exe 1648 1nnbnn.exe 1224 djjdp.exe 2796 8642262.exe 5052 00086.exe 1940 44086.exe 2456 xlffrlr.exe 2052 684204.exe 1204 dpdvd.exe 4404 6442602.exe 3180 jvpdp.exe 4388 802604.exe 2976 thtnbt.exe 2968 7vjvj.exe 4576 vjpjv.exe 2240 6402648.exe 4584 pddpd.exe 4500 xlrlfxr.exe 2384 u682048.exe 640 488884.exe -
resource yara_rule behavioral2/memory/1948-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-179-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2700-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-444-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4576-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-698-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e62460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8444826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u286420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1948 wrote to memory of 3104 1948 5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2.exe 87 PID 1948 wrote to memory of 3104 1948 5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2.exe 87 PID 1948 wrote to memory of 3104 1948 5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2.exe 87 PID 3104 wrote to memory of 4176 3104 600422.exe 88 PID 3104 wrote to memory of 4176 3104 600422.exe 88 PID 3104 wrote to memory of 4176 3104 600422.exe 88 PID 4176 wrote to memory of 4584 4176 q62682.exe 89 PID 4176 wrote to memory of 4584 4176 q62682.exe 89 PID 4176 wrote to memory of 4584 4176 q62682.exe 89 PID 4584 wrote to memory of 3320 4584 dppvp.exe 90 PID 4584 wrote to memory of 3320 4584 dppvp.exe 90 PID 4584 wrote to memory of 3320 4584 dppvp.exe 90 PID 3320 wrote to memory of 4064 3320 0842064.exe 91 PID 3320 wrote to memory of 4064 3320 0842064.exe 91 PID 3320 wrote to memory of 4064 3320 0842064.exe 91 PID 4064 wrote to memory of 4144 4064 08422.exe 92 PID 4064 wrote to memory of 4144 4064 08422.exe 92 PID 4064 wrote to memory of 4144 4064 08422.exe 92 PID 4144 wrote to memory of 5084 4144 3fxlfxr.exe 93 PID 4144 wrote to memory of 5084 4144 3fxlfxr.exe 93 PID 4144 wrote to memory of 5084 4144 3fxlfxr.exe 93 PID 5084 wrote to memory of 2112 5084 28086.exe 94 PID 5084 wrote to memory of 2112 5084 28086.exe 94 PID 5084 wrote to memory of 2112 5084 28086.exe 94 PID 2112 wrote to memory of 1336 2112 lxrfrlx.exe 95 PID 2112 wrote to memory of 1336 2112 lxrfrlx.exe 95 PID 2112 wrote to memory of 1336 2112 lxrfrlx.exe 95 PID 1336 wrote to memory of 4912 1336 602682.exe 96 PID 1336 wrote to memory of 4912 1336 602682.exe 96 PID 1336 wrote to memory of 4912 1336 602682.exe 96 PID 4912 wrote to memory of 3356 4912 022860.exe 97 PID 4912 wrote to memory of 3356 4912 022860.exe 97 PID 4912 wrote to memory of 3356 4912 022860.exe 97 PID 3356 wrote to memory of 448 3356 84860.exe 98 PID 3356 wrote to 
memory of 448 3356 84860.exe 98 PID 3356 wrote to memory of 448 3356 84860.exe 98 PID 448 wrote to memory of 904 448 bbbthb.exe 99 PID 448 wrote to memory of 904 448 bbbthb.exe 99 PID 448 wrote to memory of 904 448 bbbthb.exe 99 PID 904 wrote to memory of 1352 904 3dppd.exe 100 PID 904 wrote to memory of 1352 904 3dppd.exe 100 PID 904 wrote to memory of 1352 904 3dppd.exe 100 PID 1352 wrote to memory of 4420 1352 84642.exe 101 PID 1352 wrote to memory of 4420 1352 84642.exe 101 PID 1352 wrote to memory of 4420 1352 84642.exe 101 PID 4420 wrote to memory of 4164 4420 dpvjj.exe 102 PID 4420 wrote to memory of 4164 4420 dpvjj.exe 102 PID 4420 wrote to memory of 4164 4420 dpvjj.exe 102 PID 4164 wrote to memory of 4344 4164 htnhhh.exe 103 PID 4164 wrote to memory of 4344 4164 htnhhh.exe 103 PID 4164 wrote to memory of 4344 4164 htnhhh.exe 103 PID 4344 wrote to memory of 4900 4344 lxxlfxr.exe 104 PID 4344 wrote to memory of 4900 4344 lxxlfxr.exe 104 PID 4344 wrote to memory of 4900 4344 lxxlfxr.exe 104 PID 4900 wrote to memory of 3884 4900 844260.exe 105 PID 4900 wrote to memory of 3884 4900 844260.exe 105 PID 4900 wrote to memory of 3884 4900 844260.exe 105 PID 3884 wrote to memory of 1468 3884 06860.exe 106 PID 3884 wrote to memory of 1468 3884 06860.exe 106 PID 3884 wrote to memory of 1468 3884 06860.exe 106 PID 1468 wrote to memory of 64 1468 0660820.exe 107 PID 1468 wrote to memory of 64 1468 0660820.exe 107 PID 1468 wrote to memory of 64 1468 0660820.exe 107 PID 64 wrote to memory of 4704 64 e62460.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2.exe"C:\Users\Admin\AppData\Local\Temp\5ee9eb2450ce82c8d4279a4a589134bd505f8e6f0e3e682d2a94b59ba0a7f4e2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\600422.exec:\600422.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\q62682.exec:\q62682.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\dppvp.exec:\dppvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\0842064.exec:\0842064.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\08422.exec:\08422.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\3fxlfxr.exec:\3fxlfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\28086.exec:\28086.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\602682.exec:\602682.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\022860.exec:\022860.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\84860.exec:\84860.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\bbbthb.exec:\bbbthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\3dppd.exec:\3dppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\84642.exec:\84642.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\dpvjj.exec:\dpvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\htnhhh.exec:\htnhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\844260.exec:\844260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\06860.exec:\06860.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\0660820.exec:\0660820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\e62460.exec:\e62460.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\fffrffx.exec:\fffrffx.exe23⤵
- Executes dropped EXE
PID:4704 -
\??\c:\hhhbnb.exec:\hhhbnb.exe24⤵
- Executes dropped EXE
PID:1524 -
\??\c:\k46082.exec:\k46082.exe25⤵
- Executes dropped EXE
PID:1216 -
\??\c:\82864.exec:\82864.exe26⤵
- Executes dropped EXE
PID:4352 -
\??\c:\vdpvj.exec:\vdpvj.exe27⤵
- Executes dropped EXE
PID:4380 -
\??\c:\066086.exec:\066086.exe28⤵
- Executes dropped EXE
PID:4140 -
\??\c:\44420.exec:\44420.exe29⤵
- Executes dropped EXE
PID:2584 -
\??\c:\046420.exec:\046420.exe30⤵
- Executes dropped EXE
PID:2700 -
\??\c:\0846488.exec:\0846488.exe31⤵
- Executes dropped EXE
PID:244 -
\??\c:\fxfrrll.exec:\fxfrrll.exe32⤵
- Executes dropped EXE
PID:2044 -
\??\c:\a6082.exec:\a6082.exe33⤵
- Executes dropped EXE
PID:1572 -
\??\c:\bbhtnh.exec:\bbhtnh.exe34⤵
- Executes dropped EXE
PID:644 -
\??\c:\208204.exec:\208204.exe35⤵
- Executes dropped EXE
PID:1980 -
\??\c:\4220864.exec:\4220864.exe36⤵
- Executes dropped EXE
PID:3820 -
\??\c:\o620826.exec:\o620826.exe37⤵
- Executes dropped EXE
PID:5032 -
\??\c:\66264.exec:\66264.exe38⤵
- Executes dropped EXE
PID:2536 -
\??\c:\llrrfxr.exec:\llrrfxr.exe39⤵
- Executes dropped EXE
PID:3576 -
\??\c:\202004.exec:\202004.exe40⤵
- Executes dropped EXE
PID:1688 -
\??\c:\2648266.exec:\2648266.exe41⤵
- Executes dropped EXE
PID:4792 -
\??\c:\g4486.exec:\g4486.exe42⤵
- Executes dropped EXE
PID:5048 -
\??\c:\xrxrlff.exec:\xrxrlff.exe43⤵
- Executes dropped EXE
PID:4992 -
\??\c:\pvdpd.exec:\pvdpd.exe44⤵
- Executes dropped EXE
PID:4552 -
\??\c:\hthttn.exec:\hthttn.exe45⤵
- Executes dropped EXE
PID:3384 -
\??\c:\jvdpp.exec:\jvdpp.exe46⤵
- Executes dropped EXE
PID:1228 -
\??\c:\1nnbnn.exec:\1nnbnn.exe47⤵
- Executes dropped EXE
PID:1648 -
\??\c:\djjdp.exec:\djjdp.exe48⤵
- Executes dropped EXE
PID:1224 -
\??\c:\8642262.exec:\8642262.exe49⤵
- Executes dropped EXE
PID:2796 -
\??\c:\00086.exec:\00086.exe50⤵
- Executes dropped EXE
PID:5052 -
\??\c:\44086.exec:\44086.exe51⤵
- Executes dropped EXE
PID:1940 -
\??\c:\xlffrlr.exec:\xlffrlr.exe52⤵
- Executes dropped EXE
PID:2456 -
\??\c:\684204.exec:\684204.exe53⤵
- Executes dropped EXE
PID:2052 -
\??\c:\dpdvd.exec:\dpdvd.exe54⤵
- Executes dropped EXE
PID:1204 -
\??\c:\6442602.exec:\6442602.exe55⤵
- Executes dropped EXE
PID:4404 -
\??\c:\jvpdp.exec:\jvpdp.exe56⤵
- Executes dropped EXE
PID:3180 -
\??\c:\802604.exec:\802604.exe57⤵
- Executes dropped EXE
PID:4388 -
\??\c:\thtnbt.exec:\thtnbt.exe58⤵
- Executes dropped EXE
PID:2976 -
\??\c:\7vjvj.exec:\7vjvj.exe59⤵
- Executes dropped EXE
PID:2968 -
\??\c:\vjpjv.exec:\vjpjv.exe60⤵
- Executes dropped EXE
PID:4576 -
\??\c:\6402648.exec:\6402648.exe61⤵
- Executes dropped EXE
PID:2240 -
\??\c:\pddpd.exec:\pddpd.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4584 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe63⤵
- Executes dropped EXE
PID:4500 -
\??\c:\u682048.exec:\u682048.exe64⤵
- Executes dropped EXE
PID:2384 -
\??\c:\488884.exec:\488884.exe65⤵
- Executes dropped EXE
PID:640 -
\??\c:\0064264.exec:\0064264.exe66⤵PID:4000
-
\??\c:\ppvjp.exec:\ppvjp.exe67⤵PID:4220
-
\??\c:\088448.exec:\088448.exe68⤵PID:4252
-
\??\c:\vpvpp.exec:\vpvpp.exe69⤵PID:3964
-
\??\c:\62420.exec:\62420.exe70⤵PID:2224
-
\??\c:\s2864.exec:\s2864.exe71⤵PID:3804
-
\??\c:\6408260.exec:\6408260.exe72⤵PID:4784
-
\??\c:\rfffxrf.exec:\rfffxrf.exe73⤵PID:2168
-
\??\c:\hbbnbt.exec:\hbbnbt.exe74⤵PID:4908
-
\??\c:\bbhthb.exec:\bbhthb.exe75⤵PID:4948
-
\??\c:\88464.exec:\88464.exe76⤵PID:3444
-
\??\c:\htthbt.exec:\htthbt.exe77⤵PID:4244
-
\??\c:\288260.exec:\288260.exe78⤵PID:3484
-
\??\c:\64064.exec:\64064.exe79⤵PID:2316
-
\??\c:\nbbnbt.exec:\nbbnbt.exe80⤵PID:1468
-
\??\c:\e88648.exec:\e88648.exe81⤵PID:3408
-
\??\c:\jdvjv.exec:\jdvjv.exe82⤵PID:4704
-
\??\c:\u404264.exec:\u404264.exe83⤵PID:1984
-
\??\c:\8660424.exec:\8660424.exe84⤵PID:1556
-
\??\c:\620882.exec:\620882.exe85⤵PID:2740
-
\??\c:\62006.exec:\62006.exe86⤵PID:4968
-
\??\c:\u408264.exec:\u408264.exe87⤵PID:244
-
\??\c:\rxffxrl.exec:\rxffxrl.exe88⤵PID:2044
-
\??\c:\9nbnhb.exec:\9nbnhb.exe89⤵PID:1452
-
\??\c:\6620482.exec:\6620482.exe90⤵PID:1928
-
\??\c:\jvpdv.exec:\jvpdv.exe91⤵PID:3820
-
\??\c:\040826.exec:\040826.exe92⤵PID:3780
-
\??\c:\c882222.exec:\c882222.exe93⤵PID:4652
-
\??\c:\ntbnth.exec:\ntbnth.exe94⤵PID:3980
-
\??\c:\o404282.exec:\o404282.exe95⤵PID:4324
-
\??\c:\ntbnhb.exec:\ntbnhb.exe96⤵PID:4436
-
\??\c:\88220.exec:\88220.exe97⤵PID:3836
-
\??\c:\q80482.exec:\q80482.exe98⤵PID:3384
-
\??\c:\jdppj.exec:\jdppj.exe99⤵PID:3096
-
\??\c:\402644.exec:\402644.exe100⤵PID:592
-
\??\c:\022648.exec:\022648.exe101⤵PID:4924
-
\??\c:\frrlxlf.exec:\frrlxlf.exe102⤵PID:4816
-
\??\c:\64404.exec:\64404.exe103⤵PID:2912
-
\??\c:\4820822.exec:\4820822.exe104⤵PID:4572
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe105⤵PID:2328
-
\??\c:\lxfrlfr.exec:\lxfrlfr.exe106⤵PID:1204
-
\??\c:\pjjdv.exec:\pjjdv.exe107⤵PID:2856
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe108⤵PID:1620
-
\??\c:\w06004.exec:\w06004.exe109⤵PID:4016
-
\??\c:\8664820.exec:\8664820.exe110⤵PID:2160
-
\??\c:\640446.exec:\640446.exe111⤵PID:4576
-
\??\c:\9rxrllx.exec:\9rxrllx.exe112⤵PID:2240
-
\??\c:\rlxlllx.exec:\rlxlllx.exe113⤵PID:4736
-
\??\c:\8608628.exec:\8608628.exe114⤵PID:4400
-
\??\c:\7dddv.exec:\7dddv.exe115⤵PID:2408
-
\??\c:\04408.exec:\04408.exe116⤵PID:4252
-
\??\c:\8886820.exec:\8886820.exe117⤵PID:1336
-
\??\c:\htthtn.exec:\htthtn.exe118⤵PID:3224
-
\??\c:\nhhbnh.exec:\nhhbnh.exe119⤵PID:1988
-
\??\c:\9jdpv.exec:\9jdpv.exe120⤵PID:3760
-
\??\c:\9ffrxrx.exec:\9ffrxrx.exe121⤵PID:2928
-
\??\c:\4608264.exec:\4608264.exe122⤵PID:4988