Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe
-
Size
455KB
-
MD5
6857b120a773a359815780af834e4468
-
SHA1
ca4453d67a70ea409c62634172a7faaab566bea5
-
SHA256
97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56
-
SHA512
1062cc7297bde6a1e82e6a7a3b350afa571e510c0e71eaaae863f73c592828ac1706e6c754d711afd5176805f4e93847e12e0faf36b9ed746e05183c75a51757
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT+:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/800-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-58-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-210-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1852-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2184-287-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2348-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-361-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2940-369-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1408-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1228-558-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1228-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-612-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2940-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-651-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2204-665-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1984-720-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2168-735-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1312-768-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/896-798-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/768-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-1001-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-1008-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/1856-1081-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/688-1102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2888-1154-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2788-1162-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/980-1223-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2252-1319-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2384 nnnnnn.exe 2332 k88628.exe 2360 6068646.exe 2508 424404.exe 2868 pjdvj.exe 2784 rrfrflr.exe 2896 vjvdd.exe 2688 824800.exe 2664 8240846.exe 2192 xfrlflf.exe 1224 xrrxfxf.exe 1556 tttbth.exe 1408 48446.exe 484 60864.exe 1656 q60284.exe 1148 vjddv.exe 620 3lfffrf.exe 2004 3htnbb.exe 2628 86446.exe 1816 826204.exe 560 9btbhn.exe 1500 4806886.exe 1852 86846.exe 2252 ttntnt.exe 2476 48686.exe 688 hhbnbn.exe 2236 260802.exe 2584 llxrffr.exe 2132 k22400.exe 1228 04062.exe 2184 vvjpj.exe 2372 822428.exe 2348 hhnthn.exe 844 04880.exe 2568 20802.exe 2368 8606288.exe 2360 448622.exe 2800 64668.exe 2912 htbbhb.exe 2804 26020.exe 2396 0480224.exe 2960 9bttnt.exe 2940 9fxlxlf.exe 2920 5htbnn.exe 2736 s6046.exe 1840 264428.exe 980 482086.exe 672 lxrxlrx.exe 1992 826226.exe 1552 jdppd.exe 1408 nnhntb.exe 484 hbhtbb.exe 2020 xlrrfff.exe 840 26406.exe 1804 nhtbhn.exe 836 vpjjd.exe 2004 40080.exe 2356 8860420.exe 2756 6802062.exe 2644 4404482.exe 600 640622.exe 1144 xrrxlrl.exe 1888 lflflfx.exe 1856 q08462.exe -
resource yara_rule behavioral1/memory/800-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-309-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2360-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-369-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2920-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-377-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/1992-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-558-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/888-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-970-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1856-1081-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/332-1242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-1319-0x0000000000350000-0x000000000037A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c666628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6042026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6646280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2624668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 800 wrote to memory of 2384 800 97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe 30 PID 800 wrote to memory of 2384 800 97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe 30 PID 800 wrote to memory of 2384 800 97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe 30 PID 800 wrote to memory of 2384 800 97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe 30 PID 2384 wrote to memory of 2332 2384 nnnnnn.exe 31 PID 2384 wrote to memory of 2332 2384 nnnnnn.exe 31 PID 2384 wrote to memory of 2332 2384 nnnnnn.exe 31 PID 2384 wrote to memory of 2332 2384 nnnnnn.exe 31 PID 2332 wrote to memory of 2360 2332 k88628.exe 32 PID 2332 wrote to memory of 2360 2332 k88628.exe 32 PID 2332 wrote to memory of 2360 2332 k88628.exe 32 PID 2332 wrote to memory of 2360 2332 k88628.exe 32 PID 2360 wrote to memory of 2508 2360 6068646.exe 33 PID 2360 wrote to memory of 2508 2360 6068646.exe 33 PID 2360 wrote to memory of 2508 2360 6068646.exe 33 PID 2360 wrote to memory of 2508 2360 6068646.exe 33 PID 2508 wrote to memory of 2868 2508 424404.exe 34 PID 2508 wrote to memory of 2868 2508 424404.exe 34 PID 2508 wrote to memory of 2868 2508 424404.exe 34 PID 2508 wrote to memory of 2868 2508 424404.exe 34 PID 2868 wrote to memory of 2784 2868 pjdvj.exe 35 PID 2868 wrote to memory of 2784 2868 pjdvj.exe 35 PID 2868 wrote to memory of 2784 2868 pjdvj.exe 35 PID 2868 wrote to memory of 2784 2868 pjdvj.exe 35 PID 2784 wrote to memory of 2896 2784 rrfrflr.exe 36 PID 2784 wrote to memory of 2896 2784 rrfrflr.exe 36 PID 2784 wrote to memory of 2896 2784 rrfrflr.exe 36 PID 2784 wrote to memory of 2896 2784 rrfrflr.exe 36 PID 2896 wrote to memory of 2688 2896 vjvdd.exe 37 PID 2896 wrote to memory of 2688 2896 vjvdd.exe 37 PID 2896 wrote to memory of 2688 2896 vjvdd.exe 37 PID 2896 wrote to memory of 2688 2896 vjvdd.exe 37 PID 2688 wrote to memory of 2664 2688 824800.exe 38 PID 2688 wrote to 
memory of 2664 2688 824800.exe 38 PID 2688 wrote to memory of 2664 2688 824800.exe 38 PID 2688 wrote to memory of 2664 2688 824800.exe 38 PID 2664 wrote to memory of 2192 2664 8240846.exe 39 PID 2664 wrote to memory of 2192 2664 8240846.exe 39 PID 2664 wrote to memory of 2192 2664 8240846.exe 39 PID 2664 wrote to memory of 2192 2664 8240846.exe 39 PID 2192 wrote to memory of 1224 2192 xfrlflf.exe 40 PID 2192 wrote to memory of 1224 2192 xfrlflf.exe 40 PID 2192 wrote to memory of 1224 2192 xfrlflf.exe 40 PID 2192 wrote to memory of 1224 2192 xfrlflf.exe 40 PID 1224 wrote to memory of 1556 1224 xrrxfxf.exe 41 PID 1224 wrote to memory of 1556 1224 xrrxfxf.exe 41 PID 1224 wrote to memory of 1556 1224 xrrxfxf.exe 41 PID 1224 wrote to memory of 1556 1224 xrrxfxf.exe 41 PID 1556 wrote to memory of 1408 1556 tttbth.exe 42 PID 1556 wrote to memory of 1408 1556 tttbth.exe 42 PID 1556 wrote to memory of 1408 1556 tttbth.exe 42 PID 1556 wrote to memory of 1408 1556 tttbth.exe 42 PID 1408 wrote to memory of 484 1408 48446.exe 43 PID 1408 wrote to memory of 484 1408 48446.exe 43 PID 1408 wrote to memory of 484 1408 48446.exe 43 PID 1408 wrote to memory of 484 1408 48446.exe 43 PID 484 wrote to memory of 1656 484 60864.exe 44 PID 484 wrote to memory of 1656 484 60864.exe 44 PID 484 wrote to memory of 1656 484 60864.exe 44 PID 484 wrote to memory of 1656 484 60864.exe 44 PID 1656 wrote to memory of 1148 1656 q60284.exe 45 PID 1656 wrote to memory of 1148 1656 q60284.exe 45 PID 1656 wrote to memory of 1148 1656 q60284.exe 45 PID 1656 wrote to memory of 1148 1656 q60284.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe"C:\Users\Admin\AppData\Local\Temp\97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\nnnnnn.exec:\nnnnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\k88628.exec:\k88628.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\6068646.exec:\6068646.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\424404.exec:\424404.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\pjdvj.exec:\pjdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\rrfrflr.exec:\rrfrflr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\vjvdd.exec:\vjvdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\824800.exec:\824800.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\8240846.exec:\8240846.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\xfrlflf.exec:\xfrlflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\xrrxfxf.exec:\xrrxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\tttbth.exec:\tttbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\48446.exec:\48446.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\60864.exec:\60864.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\q60284.exec:\q60284.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\vjddv.exec:\vjddv.exe17⤵
- Executes dropped EXE
PID:1148 -
\??\c:\3lfffrf.exec:\3lfffrf.exe18⤵
- Executes dropped EXE
PID:620 -
\??\c:\3htnbb.exec:\3htnbb.exe19⤵
- Executes dropped EXE
PID:2004 -
\??\c:\86446.exec:\86446.exe20⤵
- Executes dropped EXE
PID:2628 -
\??\c:\826204.exec:\826204.exe21⤵
- Executes dropped EXE
PID:1816 -
\??\c:\9btbhn.exec:\9btbhn.exe22⤵
- Executes dropped EXE
PID:560 -
\??\c:\4806886.exec:\4806886.exe23⤵
- Executes dropped EXE
PID:1500 -
\??\c:\86846.exec:\86846.exe24⤵
- Executes dropped EXE
PID:1852 -
\??\c:\ttntnt.exec:\ttntnt.exe25⤵
- Executes dropped EXE
PID:2252 -
\??\c:\48686.exec:\48686.exe26⤵
- Executes dropped EXE
PID:2476 -
\??\c:\hhbnbn.exec:\hhbnbn.exe27⤵
- Executes dropped EXE
PID:688 -
\??\c:\260802.exec:\260802.exe28⤵
- Executes dropped EXE
PID:2236 -
\??\c:\llxrffr.exec:\llxrffr.exe29⤵
- Executes dropped EXE
PID:2584 -
\??\c:\k22400.exec:\k22400.exe30⤵
- Executes dropped EXE
PID:2132 -
\??\c:\04062.exec:\04062.exe31⤵
- Executes dropped EXE
PID:1228 -
\??\c:\vvjpj.exec:\vvjpj.exe32⤵
- Executes dropped EXE
PID:2184 -
\??\c:\822428.exec:\822428.exe33⤵
- Executes dropped EXE
PID:2372 -
\??\c:\hhnthn.exec:\hhnthn.exe34⤵
- Executes dropped EXE
PID:2348 -
\??\c:\04880.exec:\04880.exe35⤵
- Executes dropped EXE
PID:844 -
\??\c:\20802.exec:\20802.exe36⤵
- Executes dropped EXE
PID:2568 -
\??\c:\8606288.exec:\8606288.exe37⤵
- Executes dropped EXE
PID:2368 -
\??\c:\448622.exec:\448622.exe38⤵
- Executes dropped EXE
PID:2360 -
\??\c:\64668.exec:\64668.exe39⤵
- Executes dropped EXE
PID:2800 -
\??\c:\htbbhb.exec:\htbbhb.exe40⤵
- Executes dropped EXE
PID:2912 -
\??\c:\26020.exec:\26020.exe41⤵
- Executes dropped EXE
PID:2804 -
\??\c:\0480224.exec:\0480224.exe42⤵
- Executes dropped EXE
PID:2396 -
\??\c:\9bttnt.exec:\9bttnt.exe43⤵
- Executes dropped EXE
PID:2960 -
\??\c:\9fxlxlf.exec:\9fxlxlf.exe44⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5htbnn.exec:\5htbnn.exe45⤵
- Executes dropped EXE
PID:2920 -
\??\c:\s6046.exec:\s6046.exe46⤵
- Executes dropped EXE
PID:2736 -
\??\c:\264428.exec:\264428.exe47⤵
- Executes dropped EXE
PID:1840 -
\??\c:\482086.exec:\482086.exe48⤵
- Executes dropped EXE
PID:980 -
\??\c:\lxrxlrx.exec:\lxrxlrx.exe49⤵
- Executes dropped EXE
PID:672 -
\??\c:\826226.exec:\826226.exe50⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jdppd.exec:\jdppd.exe51⤵
- Executes dropped EXE
PID:1552 -
\??\c:\nnhntb.exec:\nnhntb.exe52⤵
- Executes dropped EXE
PID:1408 -
\??\c:\hbhtbb.exec:\hbhtbb.exe53⤵
- Executes dropped EXE
PID:484 -
\??\c:\xlrrfff.exec:\xlrrfff.exe54⤵
- Executes dropped EXE
PID:2020 -
\??\c:\26406.exec:\26406.exe55⤵
- Executes dropped EXE
PID:840 -
\??\c:\nhtbhn.exec:\nhtbhn.exe56⤵
- Executes dropped EXE
PID:1804 -
\??\c:\vpjjd.exec:\vpjjd.exe57⤵
- Executes dropped EXE
PID:836 -
\??\c:\40080.exec:\40080.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\8860420.exec:\8860420.exe59⤵
- Executes dropped EXE
PID:2356 -
\??\c:\6802062.exec:\6802062.exe60⤵
- Executes dropped EXE
PID:2756 -
\??\c:\4404482.exec:\4404482.exe61⤵
- Executes dropped EXE
PID:2644 -
\??\c:\640622.exec:\640622.exe62⤵
- Executes dropped EXE
PID:600 -
\??\c:\xrrxlrl.exec:\xrrxlrl.exe63⤵
- Executes dropped EXE
PID:1144 -
\??\c:\lflflfx.exec:\lflflfx.exe64⤵
- Executes dropped EXE
PID:1888 -
\??\c:\q08462.exec:\q08462.exe65⤵
- Executes dropped EXE
PID:1856 -
\??\c:\rxrlrfx.exec:\rxrlrfx.exe66⤵PID:848
-
\??\c:\202884.exec:\202884.exe67⤵PID:940
-
\??\c:\882802.exec:\882802.exe68⤵PID:988
-
\??\c:\hhbbtt.exec:\hhbbtt.exe69⤵PID:768
-
\??\c:\3dddp.exec:\3dddp.exe70⤵PID:1012
-
\??\c:\g4608.exec:\g4608.exe71⤵PID:552
-
\??\c:\djpdd.exec:\djpdd.exe72⤵PID:2324
-
\??\c:\868280.exec:\868280.exe73⤵PID:1228
-
\??\c:\q26200.exec:\q26200.exe74⤵PID:888
-
\??\c:\3nhnbh.exec:\3nhnbh.exe75⤵PID:2372
-
\??\c:\xrfxrxl.exec:\xrfxrxl.exe76⤵PID:2076
-
\??\c:\dvvdj.exec:\dvvdj.exe77⤵PID:2488
-
\??\c:\264684.exec:\264684.exe78⤵PID:2600
-
\??\c:\080040.exec:\080040.exe79⤵PID:2936
-
\??\c:\20284.exec:\20284.exe80⤵PID:2768
-
\??\c:\004644.exec:\004644.exe81⤵PID:2360
-
\??\c:\jjppp.exec:\jjppp.exe82⤵PID:2856
-
\??\c:\ppjpv.exec:\ppjpv.exe83⤵PID:2928
-
\??\c:\w86240.exec:\w86240.exe84⤵PID:2284
-
\??\c:\q42884.exec:\q42884.exe85⤵PID:1752
-
\??\c:\o646840.exec:\o646840.exe86⤵PID:2828
-
\??\c:\606222.exec:\606222.exe87⤵PID:2940
-
\??\c:\ttnnhn.exec:\ttnnhn.exe88⤵PID:2880
-
\??\c:\c480464.exec:\c480464.exe89⤵PID:2204
-
\??\c:\3jvpv.exec:\3jvpv.exe90⤵PID:112
-
\??\c:\o428628.exec:\o428628.exe91⤵PID:980
-
\??\c:\8200240.exec:\8200240.exe92⤵PID:672
-
\??\c:\7ppvj.exec:\7ppvj.exe93⤵PID:1992
-
\??\c:\vjpdp.exec:\vjpdp.exe94⤵PID:2916
-
\??\c:\e88422.exec:\e88422.exe95⤵PID:1212
-
\??\c:\7vjjp.exec:\7vjjp.exe96⤵PID:1436
-
\??\c:\jdvpv.exec:\jdvpv.exe97⤵PID:2112
-
\??\c:\2624668.exec:\2624668.exe98⤵
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\k26022.exec:\k26022.exe99⤵PID:1560
-
\??\c:\420240.exec:\420240.exe100⤵PID:2168
-
\??\c:\lfrrflx.exec:\lfrrflx.exe101⤵PID:2536
-
\??\c:\26884.exec:\26884.exe102⤵PID:2200
-
\??\c:\xrflxfr.exec:\xrflxfr.exe103⤵PID:3044
-
\??\c:\820628.exec:\820628.exe104⤵PID:1016
-
\??\c:\u668686.exec:\u668686.exe105⤵PID:1312
-
\??\c:\4862462.exec:\4862462.exe106⤵PID:352
-
\??\c:\jjvdj.exec:\jjvdj.exe107⤵PID:1244
-
\??\c:\4262402.exec:\4262402.exe108⤵PID:1908
-
\??\c:\hbnbbt.exec:\hbnbbt.exe109⤵PID:1896
-
\??\c:\5lfrxlf.exec:\5lfrxlf.exe110⤵PID:896
-
\??\c:\6088624.exec:\6088624.exe111⤵PID:1668
-
\??\c:\lfrfflx.exec:\lfrfflx.exe112⤵PID:768
-
\??\c:\86804.exec:\86804.exe113⤵PID:972
-
\??\c:\8688008.exec:\8688008.exe114⤵PID:2380
-
\??\c:\6244406.exec:\6244406.exe115⤵PID:3012
-
\??\c:\88208.exec:\88208.exe116⤵PID:880
-
\??\c:\i868440.exec:\i868440.exe117⤵PID:800
-
\??\c:\20622.exec:\20622.exe118⤵PID:1524
-
\??\c:\flxlrlx.exec:\flxlrlx.exe119⤵PID:2100
-
\??\c:\vjvvd.exec:\vjvvd.exe120⤵PID:1520
-
\??\c:\pjvvj.exec:\pjvvj.exe121⤵PID:2840
-
\??\c:\5thhhn.exec:\5thhhn.exe122⤵PID:2600