Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 04:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe
-
Size
454KB
-
MD5
41f966c420346180ad88d02de6d5b55f
-
SHA1
e7d96552e987512d3e91abe962aff08bb52d9d26
-
SHA256
600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c
-
SHA512
005a2161854de170655b1130a52b2ccfaf7979f6511ba4f393d940e9af4e63624b3eb13272d41e2eb7911dbdf7fba3ea066ebda6054ea94aa03ebe81bacbd736
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1828-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3156-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2440-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-969-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-1165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-1340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3680 1flfrrl.exe 4164 40680.exe 3484 xlfrllf.exe 2684 xfxllfl.exe 4788 424844.exe 3252 002448.exe 1700 84600.exe 2620 i648848.exe 2416 22064.exe 2668 5djdv.exe 1224 rrrrlll.exe 780 jvppp.exe 5004 jdddd.exe 2768 602600.exe 3000 tntnhh.exe 952 42866.exe 1108 68048.exe 1728 thhbth.exe 3552 i408260.exe 2344 2804884.exe 4692 08826.exe 4468 4882266.exe 3156 68004.exe 2380 pjvjj.exe 916 xrrlxxr.exe 2508 48886.exe 4984 1vppp.exe 4536 420422.exe 1916 a2082.exe 2984 3ffxrrl.exe 1584 2282666.exe 1096 xlrllll.exe 4564 7jpjp.exe 1460 824422.exe 1804 fxfxxrr.exe 4356 8222882.exe 4088 28600.exe 4916 vdjdp.exe 4552 e02640.exe 4472 a8804.exe 3620 hhnhbt.exe 4824 08486.exe 1060 dvjdp.exe 3424 86482.exe 4440 e64848.exe 4664 bbnhnh.exe 1828 622220.exe 3536 nhnhhh.exe 4672 62882.exe 2548 4860604.exe 1480 204608.exe 2700 6084228.exe 700 8002222.exe 4228 nhhbtt.exe 5116 hthbtb.exe 4704 466482.exe 720 488822.exe 2308 rlllfxl.exe 220 ffrlffx.exe 4344 0882600.exe 620 ntbtnn.exe 404 tbhbbh.exe 3896 6846000.exe 4804 flxxrrf.exe -
resource yara_rule behavioral2/memory/1828-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/916-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3868-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-969-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8002222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i246022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 028260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2446482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1828 wrote to memory of 3680 1828 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 84 PID 1828 wrote to memory of 3680 1828 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 84 PID 1828 wrote to memory of 3680 1828 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 84 PID 3680 wrote to memory of 4164 3680 1flfrrl.exe 85 PID 3680 wrote to memory of 4164 3680 1flfrrl.exe 85 PID 3680 wrote to memory of 4164 3680 1flfrrl.exe 85 PID 4164 wrote to memory of 3484 4164 40680.exe 86 PID 4164 wrote to memory of 3484 4164 40680.exe 86 PID 4164 wrote to memory of 3484 4164 40680.exe 86 PID 3484 wrote to memory of 2684 3484 xlfrllf.exe 87 PID 3484 wrote to memory of 2684 3484 xlfrllf.exe 87 PID 3484 wrote to memory of 2684 3484 xlfrllf.exe 87 PID 2684 wrote to memory of 4788 2684 xfxllfl.exe 88 PID 2684 wrote to memory of 4788 2684 xfxllfl.exe 88 PID 2684 wrote to memory of 4788 2684 xfxllfl.exe 88 PID 4788 wrote to memory of 3252 4788 424844.exe 89 PID 4788 wrote to memory of 3252 4788 424844.exe 89 PID 4788 wrote to memory of 3252 4788 424844.exe 89 PID 3252 wrote to memory of 1700 3252 002448.exe 90 PID 3252 wrote to memory of 1700 3252 002448.exe 90 PID 3252 wrote to memory of 1700 3252 002448.exe 90 PID 1700 wrote to memory of 2620 1700 84600.exe 91 PID 1700 wrote to memory of 2620 1700 84600.exe 91 PID 1700 wrote to memory of 2620 1700 84600.exe 91 PID 2620 wrote to memory of 2416 2620 i648848.exe 92 PID 2620 wrote to memory of 2416 2620 i648848.exe 92 PID 2620 wrote to memory of 2416 2620 i648848.exe 92 PID 2416 wrote to memory of 2668 2416 22064.exe 93 PID 2416 wrote to memory of 2668 2416 22064.exe 93 PID 2416 wrote to memory of 2668 2416 22064.exe 93 PID 2668 wrote to memory of 1224 2668 5djdv.exe 94 PID 2668 wrote to memory of 1224 2668 5djdv.exe 94 PID 2668 wrote to memory of 1224 2668 5djdv.exe 94 PID 1224 wrote to memory of 780 1224 rrrrlll.exe 95 PID 1224 wrote to 
memory of 780 1224 rrrrlll.exe 95 PID 1224 wrote to memory of 780 1224 rrrrlll.exe 95 PID 780 wrote to memory of 5004 780 jvppp.exe 96 PID 780 wrote to memory of 5004 780 jvppp.exe 96 PID 780 wrote to memory of 5004 780 jvppp.exe 96 PID 5004 wrote to memory of 2768 5004 jdddd.exe 97 PID 5004 wrote to memory of 2768 5004 jdddd.exe 97 PID 5004 wrote to memory of 2768 5004 jdddd.exe 97 PID 2768 wrote to memory of 3000 2768 602600.exe 98 PID 2768 wrote to memory of 3000 2768 602600.exe 98 PID 2768 wrote to memory of 3000 2768 602600.exe 98 PID 3000 wrote to memory of 952 3000 tntnhh.exe 99 PID 3000 wrote to memory of 952 3000 tntnhh.exe 99 PID 3000 wrote to memory of 952 3000 tntnhh.exe 99 PID 952 wrote to memory of 1108 952 42866.exe 100 PID 952 wrote to memory of 1108 952 42866.exe 100 PID 952 wrote to memory of 1108 952 42866.exe 100 PID 1108 wrote to memory of 1728 1108 68048.exe 101 PID 1108 wrote to memory of 1728 1108 68048.exe 101 PID 1108 wrote to memory of 1728 1108 68048.exe 101 PID 1728 wrote to memory of 3552 1728 thhbth.exe 102 PID 1728 wrote to memory of 3552 1728 thhbth.exe 102 PID 1728 wrote to memory of 3552 1728 thhbth.exe 102 PID 3552 wrote to memory of 2344 3552 i408260.exe 103 PID 3552 wrote to memory of 2344 3552 i408260.exe 103 PID 3552 wrote to memory of 2344 3552 i408260.exe 103 PID 2344 wrote to memory of 4692 2344 2804884.exe 104 PID 2344 wrote to memory of 4692 2344 2804884.exe 104 PID 2344 wrote to memory of 4692 2344 2804884.exe 104 PID 4692 wrote to memory of 4468 4692 08826.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe"C:\Users\Admin\AppData\Local\Temp\600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\1flfrrl.exec:\1flfrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\40680.exec:\40680.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\xlfrllf.exec:\xlfrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\xfxllfl.exec:\xfxllfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\424844.exec:\424844.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\002448.exec:\002448.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\84600.exec:\84600.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\i648848.exec:\i648848.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\22064.exec:\22064.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\5djdv.exec:\5djdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\rrrrlll.exec:\rrrrlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\jvppp.exec:\jvppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\jdddd.exec:\jdddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\602600.exec:\602600.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\tntnhh.exec:\tntnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\42866.exec:\42866.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\68048.exec:\68048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\thhbth.exec:\thhbth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\i408260.exec:\i408260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\2804884.exec:\2804884.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\08826.exec:\08826.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\4882266.exec:\4882266.exe23⤵
- Executes dropped EXE
PID:4468 -
\??\c:\68004.exec:\68004.exe24⤵
- Executes dropped EXE
PID:3156 -
\??\c:\pjvjj.exec:\pjvjj.exe25⤵
- Executes dropped EXE
PID:2380 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe26⤵
- Executes dropped EXE
PID:916 -
\??\c:\48886.exec:\48886.exe27⤵
- Executes dropped EXE
PID:2508 -
\??\c:\1vppp.exec:\1vppp.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4984 -
\??\c:\420422.exec:\420422.exe29⤵
- Executes dropped EXE
PID:4536 -
\??\c:\a2082.exec:\a2082.exe30⤵
- Executes dropped EXE
PID:1916 -
\??\c:\3ffxrrl.exec:\3ffxrrl.exe31⤵
- Executes dropped EXE
PID:2984 -
\??\c:\2282666.exec:\2282666.exe32⤵
- Executes dropped EXE
PID:1584 -
\??\c:\xlrllll.exec:\xlrllll.exe33⤵
- Executes dropped EXE
PID:1096 -
\??\c:\7jpjp.exec:\7jpjp.exe34⤵
- Executes dropped EXE
PID:4564 -
\??\c:\824422.exec:\824422.exe35⤵
- Executes dropped EXE
PID:1460 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe36⤵
- Executes dropped EXE
PID:1804 -
\??\c:\8222882.exec:\8222882.exe37⤵
- Executes dropped EXE
PID:4356 -
\??\c:\28600.exec:\28600.exe38⤵
- Executes dropped EXE
PID:4088 -
\??\c:\vdjdp.exec:\vdjdp.exe39⤵
- Executes dropped EXE
PID:4916 -
\??\c:\e02640.exec:\e02640.exe40⤵
- Executes dropped EXE
PID:4552 -
\??\c:\a8804.exec:\a8804.exe41⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hhnhbt.exec:\hhnhbt.exe42⤵
- Executes dropped EXE
PID:3620 -
\??\c:\08486.exec:\08486.exe43⤵
- Executes dropped EXE
PID:4824 -
\??\c:\dvjdp.exec:\dvjdp.exe44⤵
- Executes dropped EXE
PID:1060 -
\??\c:\86482.exec:\86482.exe45⤵
- Executes dropped EXE
PID:3424 -
\??\c:\e64848.exec:\e64848.exe46⤵
- Executes dropped EXE
PID:4440 -
\??\c:\bbnhnh.exec:\bbnhnh.exe47⤵
- Executes dropped EXE
PID:4664 -
\??\c:\622220.exec:\622220.exe48⤵
- Executes dropped EXE
PID:1828 -
\??\c:\nhnhhh.exec:\nhnhhh.exe49⤵
- Executes dropped EXE
PID:3536 -
\??\c:\62882.exec:\62882.exe50⤵
- Executes dropped EXE
PID:4672 -
\??\c:\4860604.exec:\4860604.exe51⤵
- Executes dropped EXE
PID:2548 -
\??\c:\204608.exec:\204608.exe52⤵
- Executes dropped EXE
PID:1480 -
\??\c:\6084228.exec:\6084228.exe53⤵
- Executes dropped EXE
PID:2700 -
\??\c:\8002222.exec:\8002222.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:700 -
\??\c:\nhhbtt.exec:\nhhbtt.exe55⤵
- Executes dropped EXE
PID:4228 -
\??\c:\hthbtb.exec:\hthbtb.exe56⤵
- Executes dropped EXE
PID:5116 -
\??\c:\466482.exec:\466482.exe57⤵
- Executes dropped EXE
PID:4704 -
\??\c:\488822.exec:\488822.exe58⤵
- Executes dropped EXE
PID:720 -
\??\c:\rlllfxl.exec:\rlllfxl.exe59⤵
- Executes dropped EXE
PID:2308 -
\??\c:\ffrlffx.exec:\ffrlffx.exe60⤵
- Executes dropped EXE
PID:220 -
\??\c:\0882600.exec:\0882600.exe61⤵
- Executes dropped EXE
PID:4344 -
\??\c:\ntbtnn.exec:\ntbtnn.exe62⤵
- Executes dropped EXE
PID:620 -
\??\c:\tbhbbh.exec:\tbhbbh.exe63⤵
- Executes dropped EXE
PID:404 -
\??\c:\6846000.exec:\6846000.exe64⤵
- Executes dropped EXE
PID:3896 -
\??\c:\flxxrrf.exec:\flxxrrf.exe65⤵
- Executes dropped EXE
PID:4804 -
\??\c:\2282660.exec:\2282660.exe66⤵PID:2288
-
\??\c:\btbtbb.exec:\btbtbb.exe67⤵PID:1324
-
\??\c:\hbtnhb.exec:\hbtnhb.exe68⤵PID:4072
-
\??\c:\9nbthh.exec:\9nbthh.exe69⤵PID:1288
-
\??\c:\4484820.exec:\4484820.exe70⤵PID:3328
-
\??\c:\vppjj.exec:\vppjj.exe71⤵PID:2244
-
\??\c:\8066488.exec:\8066488.exe72⤵PID:952
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe73⤵
- System Location Discovery: System Language Discovery
PID:4352 -
\??\c:\04448.exec:\04448.exe74⤵PID:1108
-
\??\c:\6682044.exec:\6682044.exe75⤵PID:3884
-
\??\c:\rlllffx.exec:\rlllffx.exe76⤵PID:4728
-
\??\c:\lrxrrlf.exec:\lrxrrlf.exe77⤵PID:3304
-
\??\c:\tbhbtb.exec:\tbhbtb.exe78⤵PID:3036
-
\??\c:\rlllxrf.exec:\rlllxrf.exe79⤵PID:1872
-
\??\c:\6022222.exec:\6022222.exe80⤵PID:1232
-
\??\c:\8246222.exec:\8246222.exe81⤵PID:1444
-
\??\c:\pddjd.exec:\pddjd.exe82⤵PID:2392
-
\??\c:\262820.exec:\262820.exe83⤵PID:2440
-
\??\c:\bnhtnh.exec:\bnhtnh.exe84⤵PID:3892
-
\??\c:\nntnnb.exec:\nntnnb.exe85⤵PID:4048
-
\??\c:\0880046.exec:\0880046.exe86⤵PID:3108
-
\??\c:\7ntnnn.exec:\7ntnnn.exe87⤵PID:760
-
\??\c:\fffrlxr.exec:\fffrlxr.exe88⤵PID:5092
-
\??\c:\w84260.exec:\w84260.exe89⤵PID:688
-
\??\c:\086088.exec:\086088.exe90⤵PID:2488
-
\??\c:\26822.exec:\26822.exe91⤵PID:212
-
\??\c:\bntbnn.exec:\bntbnn.exe92⤵PID:1816
-
\??\c:\tbnhtt.exec:\tbnhtt.exe93⤵PID:2984
-
\??\c:\bthttt.exec:\bthttt.exe94⤵PID:3676
-
\??\c:\frfxxxf.exec:\frfxxxf.exe95⤵PID:2628
-
\??\c:\bttttt.exec:\bttttt.exe96⤵PID:2840
-
\??\c:\4846466.exec:\4846466.exe97⤵PID:2020
-
\??\c:\dpvpd.exec:\dpvpd.exe98⤵PID:2860
-
\??\c:\9ddpd.exec:\9ddpd.exe99⤵PID:900
-
\??\c:\i620404.exec:\i620404.exe100⤵PID:4848
-
\??\c:\428206.exec:\428206.exe101⤵PID:2124
-
\??\c:\86264.exec:\86264.exe102⤵PID:3868
-
\??\c:\9xxxrrr.exec:\9xxxrrr.exe103⤵PID:4732
-
\??\c:\ffxrrrr.exec:\ffxrrrr.exe104⤵PID:2540
-
\??\c:\8866600.exec:\8866600.exe105⤵PID:3984
-
\??\c:\26260.exec:\26260.exe106⤵PID:3244
-
\??\c:\w40448.exec:\w40448.exe107⤵PID:312
-
\??\c:\24008.exec:\24008.exe108⤵PID:3004
-
\??\c:\vppjd.exec:\vppjd.exe109⤵PID:4440
-
\??\c:\lrfxxxx.exec:\lrfxxxx.exe110⤵PID:3516
-
\??\c:\046860.exec:\046860.exe111⤵PID:4008
-
\??\c:\q28260.exec:\q28260.exe112⤵PID:1832
-
\??\c:\7lrlfxx.exec:\7lrlfxx.exe113⤵PID:5088
-
\??\c:\jjpjd.exec:\jjpjd.exe114⤵PID:4200
-
\??\c:\llfxrrl.exec:\llfxrrl.exe115⤵PID:4676
-
\??\c:\htbthh.exec:\htbthh.exe116⤵PID:3960
-
\??\c:\q46000.exec:\q46000.exe117⤵PID:5112
-
\??\c:\jddvp.exec:\jddvp.exe118⤵PID:1668
-
\??\c:\c060882.exec:\c060882.exe119⤵PID:808
-
\??\c:\rfffffl.exec:\rfffffl.exe120⤵PID:5116
-
\??\c:\q84826.exec:\q84826.exe121⤵PID:4540
-
\??\c:\pvdvj.exec:\pvdvj.exe122⤵PID:720