Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe
-
Size
454KB
-
MD5
965adcc33b520fa9887574931ddab55a
-
SHA1
6d6db2748fd3b694100bca0d64da43cc4050ba4f
-
SHA256
98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c
-
SHA512
57c84c36eb5bb2bfaadc4385250c196eb31d71c3218528e24e2b1d1e7a3c88d1284a62a9d8b7b66b47cecd8e5c49ab7185f3d3a672746d621bb70e2b783e24de
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1wc:q7Tc2NYHUrAwfMp3CD1V
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/3060-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-43-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2764-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-80-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-103-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-101-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1120-117-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2768-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3036-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-199-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1236-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-206-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2112-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-221-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1832-219-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1092-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-326-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2244-351-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2244-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-412-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2352-426-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2928-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/896-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-748-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3060 ttntht.exe 2440 pppvp.exe 2228 9dvdj.exe 2684 ttthbh.exe 2764 9vppd.exe 2820 lfxlxxr.exe 2816 vvvjv.exe 2804 rfxxffl.exe 2560 nntbth.exe 2584 1jjvd.exe 1440 5xlrrrf.exe 1120 pvpdp.exe 2768 3rflxlx.exe 2528 xrrfxfr.exe 804 1djjv.exe 3056 rlflxfr.exe 2508 ntnhbb.exe 3036 djpdv.exe 760 hthhnt.exe 1236 xfrfrfr.exe 2112 1nhnbt.exe 1832 fflllfr.exe 1632 pppdv.exe 1092 ffrflxf.exe 1892 1frxrxr.exe 1096 9htbbn.exe 2096 fxllxrf.exe 2400 5frxllf.exe 1008 hhbhnt.exe 1672 xxllrxr.exe 2336 vddvv.exe 1740 lrrfxfr.exe 2084 bbthnt.exe 2720 ffllrxr.exe 2260 ntnhbh.exe 2744 tnhnth.exe 2964 djvdj.exe 2244 dpjpd.exe 2832 9rrfrfx.exe 2676 7tthnt.exe 2824 jjdjp.exe 2612 fflffxr.exe 592 rlflxxl.exe 3044 3thhbn.exe 2028 ppppv.exe 1436 flffrrf.exe 1464 ttthbh.exe 2352 pjdjp.exe 1912 ppjjp.exe 2888 frlflrf.exe 2932 hbtbbb.exe 2928 1htbhn.exe 2852 pjjpv.exe 840 ffxlflf.exe 1776 xflrffr.exe 2448 3hbnbn.exe 844 vjjdj.exe 1588 xrffrxf.exe 1152 nnhhbh.exe 896 bbtbht.exe 1648 djddp.exe 2196 xrllrlx.exe 2248 nnttnn.exe 1900 bbbbtb.exe -
resource yara_rule behavioral1/memory/3060-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-82-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2560-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-122-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2768-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-175-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/760-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-211-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1092-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-290-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2084-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-394-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2028-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-716-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/448-748-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2800-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-834-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2312 wrote to memory of 3060 2312 98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe 31 PID 2312 wrote to memory of 3060 2312 98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe 31 PID 2312 wrote to memory of 3060 2312 98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe 31 PID 2312 wrote to memory of 3060 2312 98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe 31 PID 3060 wrote to memory of 2440 3060 ttntht.exe 32 PID 3060 wrote to memory of 2440 3060 ttntht.exe 32 PID 3060 wrote to memory of 2440 3060 ttntht.exe 32 PID 3060 wrote to memory of 2440 3060 ttntht.exe 32 PID 2440 wrote to memory of 2228 2440 pppvp.exe 33 PID 2440 wrote to memory of 2228 2440 pppvp.exe 33 PID 2440 wrote to memory of 2228 2440 pppvp.exe 33 PID 2440 wrote to memory of 2228 2440 pppvp.exe 33 PID 2228 wrote to memory of 2684 2228 9dvdj.exe 34 PID 2228 wrote to memory of 2684 2228 9dvdj.exe 34 PID 2228 wrote to memory of 2684 2228 9dvdj.exe 34 PID 2228 wrote to memory of 2684 2228 9dvdj.exe 34 PID 2684 wrote to memory of 2764 2684 ttthbh.exe 35 PID 2684 wrote to memory of 2764 2684 ttthbh.exe 35 PID 2684 wrote to memory of 2764 2684 ttthbh.exe 35 PID 2684 wrote to memory of 2764 2684 ttthbh.exe 35 PID 2764 wrote to memory of 2820 2764 9vppd.exe 36 PID 2764 wrote to memory of 2820 2764 9vppd.exe 36 PID 2764 wrote to memory of 2820 2764 9vppd.exe 36 PID 2764 wrote to memory of 2820 2764 9vppd.exe 36 PID 2820 wrote to memory of 2816 2820 lfxlxxr.exe 37 PID 2820 wrote to memory of 2816 2820 lfxlxxr.exe 37 PID 2820 wrote to memory of 2816 2820 lfxlxxr.exe 37 PID 2820 wrote to memory of 2816 2820 lfxlxxr.exe 37 PID 2816 wrote to memory of 2804 2816 vvvjv.exe 38 PID 2816 wrote to memory of 2804 2816 vvvjv.exe 38 PID 2816 wrote to memory of 2804 2816 vvvjv.exe 38 PID 2816 wrote to memory of 2804 2816 vvvjv.exe 38 PID 2804 wrote to memory of 2560 2804 rfxxffl.exe 39 PID 2804 wrote to memory 
of 2560 2804 rfxxffl.exe 39 PID 2804 wrote to memory of 2560 2804 rfxxffl.exe 39 PID 2804 wrote to memory of 2560 2804 rfxxffl.exe 39 PID 2560 wrote to memory of 2584 2560 nntbth.exe 40 PID 2560 wrote to memory of 2584 2560 nntbth.exe 40 PID 2560 wrote to memory of 2584 2560 nntbth.exe 40 PID 2560 wrote to memory of 2584 2560 nntbth.exe 40 PID 2584 wrote to memory of 1440 2584 1jjvd.exe 41 PID 2584 wrote to memory of 1440 2584 1jjvd.exe 41 PID 2584 wrote to memory of 1440 2584 1jjvd.exe 41 PID 2584 wrote to memory of 1440 2584 1jjvd.exe 41 PID 1440 wrote to memory of 1120 1440 5xlrrrf.exe 42 PID 1440 wrote to memory of 1120 1440 5xlrrrf.exe 42 PID 1440 wrote to memory of 1120 1440 5xlrrrf.exe 42 PID 1440 wrote to memory of 1120 1440 5xlrrrf.exe 42 PID 1120 wrote to memory of 2768 1120 pvpdp.exe 43 PID 1120 wrote to memory of 2768 1120 pvpdp.exe 43 PID 1120 wrote to memory of 2768 1120 pvpdp.exe 43 PID 1120 wrote to memory of 2768 1120 pvpdp.exe 43 PID 2768 wrote to memory of 2528 2768 3rflxlx.exe 44 PID 2768 wrote to memory of 2528 2768 3rflxlx.exe 44 PID 2768 wrote to memory of 2528 2768 3rflxlx.exe 44 PID 2768 wrote to memory of 2528 2768 3rflxlx.exe 44 PID 2528 wrote to memory of 804 2528 xrrfxfr.exe 45 PID 2528 wrote to memory of 804 2528 xrrfxfr.exe 45 PID 2528 wrote to memory of 804 2528 xrrfxfr.exe 45 PID 2528 wrote to memory of 804 2528 xrrfxfr.exe 45 PID 804 wrote to memory of 3056 804 1djjv.exe 46 PID 804 wrote to memory of 3056 804 1djjv.exe 46 PID 804 wrote to memory of 3056 804 1djjv.exe 46 PID 804 wrote to memory of 3056 804 1djjv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe"C:\Users\Admin\AppData\Local\Temp\98e6dfce32bd165d6853b3fc8542afae6b419051ac961de67fe03cc99643ec5c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\ttntht.exec:\ttntht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\pppvp.exec:\pppvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\9dvdj.exec:\9dvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\ttthbh.exec:\ttthbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9vppd.exec:\9vppd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\lfxlxxr.exec:\lfxlxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\vvvjv.exec:\vvvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\rfxxffl.exec:\rfxxffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\nntbth.exec:\nntbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\1jjvd.exec:\1jjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\5xlrrrf.exec:\5xlrrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\pvpdp.exec:\pvpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\3rflxlx.exec:\3rflxlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\xrrfxfr.exec:\xrrfxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\1djjv.exec:\1djjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\rlflxfr.exec:\rlflxfr.exe17⤵
- Executes dropped EXE
PID:3056 -
\??\c:\ntnhbb.exec:\ntnhbb.exe18⤵
- Executes dropped EXE
PID:2508 -
\??\c:\djpdv.exec:\djpdv.exe19⤵
- Executes dropped EXE
PID:3036 -
\??\c:\hthhnt.exec:\hthhnt.exe20⤵
- Executes dropped EXE
PID:760 -
\??\c:\xfrfrfr.exec:\xfrfrfr.exe21⤵
- Executes dropped EXE
PID:1236 -
\??\c:\1nhnbt.exec:\1nhnbt.exe22⤵
- Executes dropped EXE
PID:2112 -
\??\c:\fflllfr.exec:\fflllfr.exe23⤵
- Executes dropped EXE
PID:1832 -
\??\c:\pppdv.exec:\pppdv.exe24⤵
- Executes dropped EXE
PID:1632 -
\??\c:\ffrflxf.exec:\ffrflxf.exe25⤵
- Executes dropped EXE
PID:1092 -
\??\c:\1frxrxr.exec:\1frxrxr.exe26⤵
- Executes dropped EXE
PID:1892 -
\??\c:\9htbbn.exec:\9htbbn.exe27⤵
- Executes dropped EXE
PID:1096 -
\??\c:\fxllxrf.exec:\fxllxrf.exe28⤵
- Executes dropped EXE
PID:2096 -
\??\c:\5frxllf.exec:\5frxllf.exe29⤵
- Executes dropped EXE
PID:2400 -
\??\c:\hhbhnt.exec:\hhbhnt.exe30⤵
- Executes dropped EXE
PID:1008 -
\??\c:\xxllrxr.exec:\xxllrxr.exe31⤵
- Executes dropped EXE
PID:1672 -
\??\c:\vddvv.exec:\vddvv.exe32⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lrrfxfr.exec:\lrrfxfr.exe33⤵
- Executes dropped EXE
PID:1740 -
\??\c:\bbthnt.exec:\bbthnt.exe34⤵
- Executes dropped EXE
PID:2084 -
\??\c:\ffllrxr.exec:\ffllrxr.exe35⤵
- Executes dropped EXE
PID:2720 -
\??\c:\ntnhbh.exec:\ntnhbh.exe36⤵
- Executes dropped EXE
PID:2260 -
\??\c:\tnhnth.exec:\tnhnth.exe37⤵
- Executes dropped EXE
PID:2744 -
\??\c:\djvdj.exec:\djvdj.exe38⤵
- Executes dropped EXE
PID:2964 -
\??\c:\dpjpd.exec:\dpjpd.exe39⤵
- Executes dropped EXE
PID:2244 -
\??\c:\9rrfrfx.exec:\9rrfrfx.exe40⤵
- Executes dropped EXE
PID:2832 -
\??\c:\7tthnt.exec:\7tthnt.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jjdjp.exec:\jjdjp.exe42⤵
- Executes dropped EXE
PID:2824 -
\??\c:\fflffxr.exec:\fflffxr.exe43⤵
- Executes dropped EXE
PID:2612 -
\??\c:\rlflxxl.exec:\rlflxxl.exe44⤵
- Executes dropped EXE
PID:592 -
\??\c:\3thhbn.exec:\3thhbn.exe45⤵
- Executes dropped EXE
PID:3044 -
\??\c:\ppppv.exec:\ppppv.exe46⤵
- Executes dropped EXE
PID:2028 -
\??\c:\flffrrf.exec:\flffrrf.exe47⤵
- Executes dropped EXE
PID:1436 -
\??\c:\ttthbh.exec:\ttthbh.exe48⤵
- Executes dropped EXE
PID:1464 -
\??\c:\pjdjp.exec:\pjdjp.exe49⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ppjjp.exec:\ppjjp.exe50⤵
- Executes dropped EXE
PID:1912 -
\??\c:\frlflrf.exec:\frlflrf.exe51⤵
- Executes dropped EXE
PID:2888 -
\??\c:\hbtbbb.exec:\hbtbbb.exe52⤵
- Executes dropped EXE
PID:2932 -
\??\c:\1htbhn.exec:\1htbhn.exe53⤵
- Executes dropped EXE
PID:2928 -
\??\c:\pjjpv.exec:\pjjpv.exe54⤵
- Executes dropped EXE
PID:2852 -
\??\c:\ffxlflf.exec:\ffxlflf.exe55⤵
- Executes dropped EXE
PID:840 -
\??\c:\xflrffr.exec:\xflrffr.exe56⤵
- Executes dropped EXE
PID:1776 -
\??\c:\3hbnbn.exec:\3hbnbn.exe57⤵
- Executes dropped EXE
PID:2448 -
\??\c:\vjjdj.exec:\vjjdj.exe58⤵
- Executes dropped EXE
PID:844 -
\??\c:\xrffrxf.exec:\xrffrxf.exe59⤵
- Executes dropped EXE
PID:1588 -
\??\c:\nnhhbh.exec:\nnhhbh.exe60⤵
- Executes dropped EXE
PID:1152 -
\??\c:\bbtbht.exec:\bbtbht.exe61⤵
- Executes dropped EXE
PID:896 -
\??\c:\djddp.exec:\djddp.exe62⤵
- Executes dropped EXE
PID:1648 -
\??\c:\xrllrlx.exec:\xrllrlx.exe63⤵
- Executes dropped EXE
PID:2196 -
\??\c:\nnttnn.exec:\nnttnn.exe64⤵
- Executes dropped EXE
PID:2248 -
\??\c:\bbbbtb.exec:\bbbbtb.exe65⤵
- Executes dropped EXE
PID:1900 -
\??\c:\jdvvj.exec:\jdvvj.exe66⤵PID:2396
-
\??\c:\xxrrxlx.exec:\xxrrxlx.exe67⤵PID:1096
-
\??\c:\9xrrxfr.exec:\9xrrxfr.exe68⤵PID:2096
-
\??\c:\hhthbh.exec:\hhthbh.exe69⤵PID:2132
-
\??\c:\5dddj.exec:\5dddj.exe70⤵PID:1788
-
\??\c:\ffflfxr.exec:\ffflfxr.exe71⤵PID:2120
-
\??\c:\5thhth.exec:\5thhth.exe72⤵PID:2624
-
\??\c:\7hnnnb.exec:\7hnnnb.exe73⤵PID:2340
-
\??\c:\dpjpv.exec:\dpjpv.exe74⤵PID:2324
-
\??\c:\rffxlrx.exec:\rffxlrx.exe75⤵PID:2472
-
\??\c:\3bbntn.exec:\3bbntn.exe76⤵PID:2944
-
\??\c:\btnntn.exec:\btnntn.exe77⤵PID:2180
-
\??\c:\1pddj.exec:\1pddj.exe78⤵PID:2648
-
\??\c:\9dpvd.exec:\9dpvd.exe79⤵PID:2796
-
\??\c:\rrllxfr.exec:\rrllxfr.exe80⤵PID:2760
-
\??\c:\btnnhn.exec:\btnnhn.exe81⤵PID:2656
-
\??\c:\bbtthn.exec:\bbtthn.exe82⤵PID:2808
-
\??\c:\vpddv.exec:\vpddv.exe83⤵PID:2576
-
\??\c:\rrrxffr.exec:\rrrxffr.exe84⤵PID:2540
-
\??\c:\3hhhnt.exec:\3hhhnt.exe85⤵PID:2604
-
\??\c:\tttnbn.exec:\tttnbn.exe86⤵PID:3064
-
\??\c:\3dddp.exec:\3dddp.exe87⤵PID:2272
-
\??\c:\llfflrf.exec:\llfflrf.exe88⤵PID:2868
-
\??\c:\rrlrlrl.exec:\rrlrlrl.exe89⤵PID:1792
-
\??\c:\9tntnb.exec:\9tntnb.exe90⤵PID:2772
-
\??\c:\djjjd.exec:\djjjd.exe91⤵PID:1232
-
\??\c:\pjvdp.exec:\pjvdp.exe92⤵PID:2768
-
\??\c:\1flrffl.exec:\1flrffl.exe93⤵PID:2000
-
\??\c:\nnbhnt.exec:\nnbhnt.exe94⤵PID:2528
-
\??\c:\tnhnbb.exec:\tnhnbb.exe95⤵PID:1688
-
\??\c:\5ppvd.exec:\5ppvd.exe96⤵PID:2872
-
\??\c:\xrlxflx.exec:\xrlxflx.exe97⤵PID:2928
-
\??\c:\nnhbhh.exec:\nnhbhh.exe98⤵PID:680
-
\??\c:\9nnnht.exec:\9nnnht.exe99⤵PID:3036
-
\??\c:\5jppv.exec:\5jppv.exe100⤵PID:448
-
\??\c:\5fxxxlx.exec:\5fxxxlx.exe101⤵PID:2356
-
\??\c:\lfllxxl.exec:\lfllxxl.exe102⤵PID:844
-
\??\c:\9hnbnt.exec:\9hnbnt.exe103⤵PID:1296
-
\??\c:\ppvvd.exec:\ppvvd.exe104⤵PID:1916
-
\??\c:\3xfxxll.exec:\3xfxxll.exe105⤵PID:900
-
\??\c:\7flrrxf.exec:\7flrrxf.exe106⤵PID:2800
-
\??\c:\3tnttb.exec:\3tnttb.exe107⤵PID:864
-
\??\c:\vjvpv.exec:\vjvpv.exe108⤵PID:1572
-
\??\c:\9pjpd.exec:\9pjpd.exe109⤵PID:1696
-
\??\c:\ffflrxl.exec:\ffflrxl.exe110⤵PID:696
-
\??\c:\tttthn.exec:\tttthn.exe111⤵PID:1824
-
\??\c:\tbthbh.exec:\tbthbh.exe112⤵PID:2996
-
\??\c:\7rlrfxl.exec:\7rlrfxl.exe113⤵PID:2860
-
\??\c:\bbnnhh.exec:\bbnnhh.exe114⤵PID:1552
-
\??\c:\ddpdp.exec:\ddpdp.exe115⤵PID:3016
-
\??\c:\1lflrxx.exec:\1lflrxx.exe116⤵PID:2308
-
\??\c:\hhbhtb.exec:\hhbhtb.exe117⤵PID:1756
-
\??\c:\nhbtbh.exec:\nhbtbh.exe118⤵PID:1488
-
\??\c:\vpdpv.exec:\vpdpv.exe119⤵PID:1516
-
\??\c:\fxrllrx.exec:\fxrllrx.exe120⤵PID:1508
-
\??\c:\hbnbbb.exec:\hbnbbb.exe121⤵PID:2736
-
\??\c:\9nbbnn.exec:\9nbbnn.exe122⤵PID:2260