Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
22/08/2024, 12:31
Behavioral task
behavioral1
Sample
6858dd8a9d60f01b5dc270a39bf16450N.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
6858dd8a9d60f01b5dc270a39bf16450N.exe
-
Size
75KB
-
MD5
6858dd8a9d60f01b5dc270a39bf16450
-
SHA1
6a5b5a308d1a7219a670ef8a77683a0b057f102a
-
SHA256
530a2820f4c38968c34f8d71389c64923e9eb024e916502e6cc085bc626aca06
-
SHA512
591ef44e496d9fc770dc1f7bc830dd23d132de83819fa2ebac7258baa3160f1bcc49a3e1212b8a73c5bcdefe6f98842fb314e747afe0f5c3786d0da0341d7b83
-
SSDEEP
1536:NvQBeOGtrYS3srx93UBWfwC6Ggnouy8KlAXmAXIBG/+WIFuTKLXvCB5yAXNlIQky:NhOmTsF93UYfwC6GIoutOP/WWGKL/SYo
Malware Config
Signatures
-
Detects Blackmoon payload (50 IoCs). Every family_blackmoon hit below is on a process memory dump, not on a file on disk; the on-disk files matched only the upx rule (see the next section), which is consistent with the family only becoming identifiable after the UPX-packed sample unpacks in memory.
resource yara_rule behavioral1/memory/292-10-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2124-21-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/1736-30-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2396-38-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2240-48-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2368-51-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2852-66-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2684-75-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2072-85-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2936-96-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2656-114-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2816-127-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/3060-124-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/492-151-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/492-149-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/2820-161-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/1452-177-0x00000000003B0000-0x00000000003E3000-memory.dmp family_blackmoon behavioral1/memory/1452-179-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/1672-188-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/1672-189-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/2412-198-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon 
behavioral1/memory/1096-248-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/1824-252-0x00000000003C0000-0x00000000003F3000-memory.dmp family_blackmoon behavioral1/memory/2440-281-0x00000000002C0000-0x00000000002F3000-memory.dmp family_blackmoon behavioral1/memory/2968-298-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2124-300-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2124-306-0x00000000002B0000-0x00000000002E3000-memory.dmp family_blackmoon behavioral1/memory/2116-319-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/1712-326-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2076-327-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2724-341-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2724-340-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/2740-366-0x00000000002C0000-0x00000000002F3000-memory.dmp family_blackmoon behavioral1/memory/492-429-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/988-466-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2096-473-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2548-480-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2248-487-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2456-501-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/760-509-0x0000000000440000-0x0000000000473000-memory.dmp family_blackmoon behavioral1/memory/2508-582-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2288-681-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon 
behavioral1/memory/2308-731-0x0000000000400000-0x0000000000433000-memory.dmp family_blackmoon behavioral1/memory/2512-805-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/2332-881-0x0000000000260000-0x0000000000293000-memory.dmp family_blackmoon behavioral1/memory/2332-900-0x0000000000260000-0x0000000000293000-memory.dmp family_blackmoon behavioral1/memory/2924-955-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/988-1004-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/936-1045-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon behavioral1/memory/2300-1082-0x0000000000220000-0x0000000000253000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs; the sandbox caps this list at 64 entries — the process tree below shows further dropped executables beyond the last listed one, tnbnbn.exe)
pid Process 2124 3rlrxff.exe 1736 tnhntt.exe 2396 5pjvd.exe 2240 xxrrffr.exe 2368 1hhbnt.exe 2852 pjdjd.exe 2684 llfrxfr.exe 2072 9nnntn.exe 2936 1vjvp.exe 2868 pjdvd.exe 2656 fxrxlrx.exe 3060 3ttbhb.exe 2816 3ppvj.exe 1568 1fxxlrx.exe 492 rlxxxxl.exe 2820 bnbbnb.exe 2032 9vppp.exe 1452 ffxfrfx.exe 1672 7hbhbt.exe 2412 btnbhn.exe 2252 3frrflx.exe 1528 lflxffl.exe 692 nbhhhh.exe 2184 pjpdd.exe 2016 ppjpd.exe 1096 9fxrffr.exe 1824 nhtbnt.exe 2312 hthbhb.exe 2328 3xlxlfl.exe 2440 1xrxxxf.exe 2436 5hbhnn.exe 2968 1pdjp.exe 2124 lffrflf.exe 1580 3lffllx.exe 2116 5tnbnn.exe 1712 hthntn.exe 2076 vpvpv.exe 2724 vvpvj.exe 2896 7lxxxxl.exe 2736 hbhhnt.exe 2688 bthbbh.exe 2740 pvjdj.exe 2932 jvpdd.exe 2584 fxllxxx.exe 1784 ffrfrrx.exe 3048 hhbbhb.exe 2700 3bthbb.exe 3052 pdvpd.exe 1536 jdjjp.exe 1372 1dppd.exe 2568 lfrlllr.exe 2808 lffrxlr.exe 492 hhbbtb.exe 2820 hhbhnt.exe 2212 ppvvd.exe 1196 jppvv.exe 2172 lfxxxfx.exe 988 lfllrxx.exe 2096 tnhhhn.exe 2548 btbhhn.exe 2248 vpvpv.exe 1804 3frlxfr.exe 2456 3llxrrx.exe 760 tnbnbn.exe -
resource yara_rule behavioral1/memory/292-0-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/292-10-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2124-11-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x00080000000122e3-9.dat upx behavioral1/files/0x0008000000016db1-20.dat upx behavioral1/memory/2124-21-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/1736-30-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x0008000000016dbf-29.dat upx behavioral1/files/0x0007000000016dd3-39.dat upx behavioral1/memory/2396-38-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x0007000000016dda-49.dat upx behavioral1/memory/2240-48-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2368-51-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x0007000000016ddf-57.dat upx behavioral1/memory/2852-66-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x00090000000170f2-65.dat upx behavioral1/files/0x0008000000018c16-76.dat upx behavioral1/memory/2684-75-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2072-85-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2936-86-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x0006000000018c3b-84.dat upx behavioral1/files/0x0006000000018c44-95.dat upx behavioral1/memory/2936-96-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2868-104-0x00000000002C0000-0x00000000002F3000-memory.dmp upx behavioral1/files/0x0005000000019209-105.dat upx behavioral1/files/0x00050000000193b7-115.dat upx behavioral1/memory/2656-114-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x00050000000193e6-123.dat upx behavioral1/memory/2816-127-0x0000000000400000-0x0000000000433000-memory.dmp upx 
behavioral1/memory/3060-124-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x000500000001940f-133.dat upx behavioral1/files/0x0005000000019419-141.dat upx behavioral1/memory/492-151-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x00050000000194cc-150.dat upx behavioral1/memory/2820-159-0x0000000000230000-0x0000000000263000-memory.dmp upx behavioral1/files/0x00050000000194d4-160.dat upx behavioral1/memory/2820-161-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x00050000000194e0-169.dat upx behavioral1/memory/1452-179-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x00050000000194e9-180.dat upx behavioral1/files/0x00050000000194f3-186.dat upx behavioral1/memory/2412-198-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x0005000000019503-197.dat upx behavioral1/files/0x0005000000019526-206.dat upx behavioral1/files/0x0005000000019553-215.dat upx behavioral1/files/0x0005000000019557-223.dat upx behavioral1/files/0x0005000000019571-231.dat upx behavioral1/files/0x00050000000195c9-239.dat upx behavioral1/files/0x000500000001960a-247.dat upx behavioral1/memory/1096-248-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/files/0x000500000001960c-257.dat upx behavioral1/files/0x0009000000016d66-265.dat upx behavioral1/files/0x000500000001960e-273.dat upx behavioral1/files/0x0005000000019610-282.dat upx behavioral1/files/0x0005000000019612-290.dat upx behavioral1/memory/2968-298-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2124-300-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2116-319-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/1712-326-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2076-327-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2724-341-0x0000000000400000-0x0000000000433000-memory.dmp upx 
behavioral1/memory/492-429-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/2212-441-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral1/memory/988-466-0x0000000000400000-0x0000000000433000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Entries attributed to "Process not Found" are registry opens whose acting process the sandbox could not resolve, presumably because that process had already exited; treat the count, not the per-process attribution, as the signal.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs; capped at 64 entries). Each parent→child pair is recorded four times and the chain is strictly linear — every dropped executable spawns exactly one successor — so the list covers only the first 16 hops of the chain shown in the process tree.
description pid Process procid_target PID 292 wrote to memory of 2124 292 6858dd8a9d60f01b5dc270a39bf16450N.exe 30 PID 292 wrote to memory of 2124 292 6858dd8a9d60f01b5dc270a39bf16450N.exe 30 PID 292 wrote to memory of 2124 292 6858dd8a9d60f01b5dc270a39bf16450N.exe 30 PID 292 wrote to memory of 2124 292 6858dd8a9d60f01b5dc270a39bf16450N.exe 30 PID 2124 wrote to memory of 1736 2124 3rlrxff.exe 31 PID 2124 wrote to memory of 1736 2124 3rlrxff.exe 31 PID 2124 wrote to memory of 1736 2124 3rlrxff.exe 31 PID 2124 wrote to memory of 1736 2124 3rlrxff.exe 31 PID 1736 wrote to memory of 2396 1736 tnhntt.exe 32 PID 1736 wrote to memory of 2396 1736 tnhntt.exe 32 PID 1736 wrote to memory of 2396 1736 tnhntt.exe 32 PID 1736 wrote to memory of 2396 1736 tnhntt.exe 32 PID 2396 wrote to memory of 2240 2396 5pjvd.exe 33 PID 2396 wrote to memory of 2240 2396 5pjvd.exe 33 PID 2396 wrote to memory of 2240 2396 5pjvd.exe 33 PID 2396 wrote to memory of 2240 2396 5pjvd.exe 33 PID 2240 wrote to memory of 2368 2240 xxrrffr.exe 34 PID 2240 wrote to memory of 2368 2240 xxrrffr.exe 34 PID 2240 wrote to memory of 2368 2240 xxrrffr.exe 34 PID 2240 wrote to memory of 2368 2240 xxrrffr.exe 34 PID 2368 wrote to memory of 2852 2368 1hhbnt.exe 35 PID 2368 wrote to memory of 2852 2368 1hhbnt.exe 35 PID 2368 wrote to memory of 2852 2368 1hhbnt.exe 35 PID 2368 wrote to memory of 2852 2368 1hhbnt.exe 35 PID 2852 wrote to memory of 2684 2852 pjdjd.exe 36 PID 2852 wrote to memory of 2684 2852 pjdjd.exe 36 PID 2852 wrote to memory of 2684 2852 pjdjd.exe 36 PID 2852 wrote to memory of 2684 2852 pjdjd.exe 36 PID 2684 wrote to memory of 2072 2684 llfrxfr.exe 37 PID 2684 wrote to memory of 2072 2684 llfrxfr.exe 37 PID 2684 wrote to memory of 2072 2684 llfrxfr.exe 37 PID 2684 wrote to memory of 2072 2684 llfrxfr.exe 37 PID 2072 wrote to memory of 2936 2072 9nnntn.exe 38 PID 2072 wrote to memory of 2936 2072 9nnntn.exe 38 PID 2072 wrote to memory of 2936 2072 9nnntn.exe 38 PID 2072 wrote to memory of 2936 2072 
9nnntn.exe 38 PID 2936 wrote to memory of 2868 2936 1vjvp.exe 39 PID 2936 wrote to memory of 2868 2936 1vjvp.exe 39 PID 2936 wrote to memory of 2868 2936 1vjvp.exe 39 PID 2936 wrote to memory of 2868 2936 1vjvp.exe 39 PID 2868 wrote to memory of 2656 2868 pjdvd.exe 40 PID 2868 wrote to memory of 2656 2868 pjdvd.exe 40 PID 2868 wrote to memory of 2656 2868 pjdvd.exe 40 PID 2868 wrote to memory of 2656 2868 pjdvd.exe 40 PID 2656 wrote to memory of 3060 2656 fxrxlrx.exe 41 PID 2656 wrote to memory of 3060 2656 fxrxlrx.exe 41 PID 2656 wrote to memory of 3060 2656 fxrxlrx.exe 41 PID 2656 wrote to memory of 3060 2656 fxrxlrx.exe 41 PID 3060 wrote to memory of 2816 3060 3ttbhb.exe 42 PID 3060 wrote to memory of 2816 3060 3ttbhb.exe 42 PID 3060 wrote to memory of 2816 3060 3ttbhb.exe 42 PID 3060 wrote to memory of 2816 3060 3ttbhb.exe 42 PID 2816 wrote to memory of 1568 2816 3ppvj.exe 43 PID 2816 wrote to memory of 1568 2816 3ppvj.exe 43 PID 2816 wrote to memory of 1568 2816 3ppvj.exe 43 PID 2816 wrote to memory of 1568 2816 3ppvj.exe 43 PID 1568 wrote to memory of 492 1568 1fxxlrx.exe 44 PID 1568 wrote to memory of 492 1568 1fxxlrx.exe 44 PID 1568 wrote to memory of 492 1568 1fxxlrx.exe 44 PID 1568 wrote to memory of 492 1568 1fxxlrx.exe 44 PID 492 wrote to memory of 2820 492 rlxxxxl.exe 45 PID 492 wrote to memory of 2820 492 rlxxxxl.exe 45 PID 492 wrote to memory of 2820 492 rlxxxxl.exe 45 PID 492 wrote to memory of 2820 492 rlxxxxl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6858dd8a9d60f01b5dc270a39bf16450N.exe"C:\Users\Admin\AppData\Local\Temp\6858dd8a9d60f01b5dc270a39bf16450N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:292 -
\??\c:\3rlrxff.exec:\3rlrxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\tnhntt.exec:\tnhntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\5pjvd.exec:\5pjvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\xxrrffr.exec:\xxrrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\1hhbnt.exec:\1hhbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\pjdjd.exec:\pjdjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\llfrxfr.exec:\llfrxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9nnntn.exec:\9nnntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\1vjvp.exec:\1vjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\pjdvd.exec:\pjdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\fxrxlrx.exec:\fxrxlrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\3ttbhb.exec:\3ttbhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\3ppvj.exec:\3ppvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\1fxxlrx.exec:\1fxxlrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\rlxxxxl.exec:\rlxxxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\bnbbnb.exec:\bnbbnb.exe17⤵
- Executes dropped EXE
PID:2820 -
\??\c:\9vppp.exec:\9vppp.exe18⤵
- Executes dropped EXE
PID:2032 -
\??\c:\ffxfrfx.exec:\ffxfrfx.exe19⤵
- Executes dropped EXE
PID:1452 -
\??\c:\7hbhbt.exec:\7hbhbt.exe20⤵
- Executes dropped EXE
PID:1672 -
\??\c:\btnbhn.exec:\btnbhn.exe21⤵
- Executes dropped EXE
PID:2412 -
\??\c:\3frrflx.exec:\3frrflx.exe22⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lflxffl.exec:\lflxffl.exe23⤵
- Executes dropped EXE
PID:1528 -
\??\c:\nbhhhh.exec:\nbhhhh.exe24⤵
- Executes dropped EXE
PID:692 -
\??\c:\pjpdd.exec:\pjpdd.exe25⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ppjpd.exec:\ppjpd.exe26⤵
- Executes dropped EXE
PID:2016 -
\??\c:\9fxrffr.exec:\9fxrffr.exe27⤵
- Executes dropped EXE
PID:1096 -
\??\c:\nhtbnt.exec:\nhtbnt.exe28⤵
- Executes dropped EXE
PID:1824 -
\??\c:\hthbhb.exec:\hthbhb.exe29⤵
- Executes dropped EXE
PID:2312 -
\??\c:\3xlxlfl.exec:\3xlxlfl.exe30⤵
- Executes dropped EXE
PID:2328 -
\??\c:\1xrxxxf.exec:\1xrxxxf.exe31⤵
- Executes dropped EXE
PID:2440 -
\??\c:\5hbhnn.exec:\5hbhnn.exe32⤵
- Executes dropped EXE
PID:2436 -
\??\c:\1pdjp.exec:\1pdjp.exe33⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lffrflf.exec:\lffrflf.exe34⤵
- Executes dropped EXE
PID:2124 -
\??\c:\3lffllx.exec:\3lffllx.exe35⤵
- Executes dropped EXE
PID:1580 -
\??\c:\5tnbnn.exec:\5tnbnn.exe36⤵
- Executes dropped EXE
PID:2116 -
\??\c:\hthntn.exec:\hthntn.exe37⤵
- Executes dropped EXE
PID:1712 -
\??\c:\vpvpv.exec:\vpvpv.exe38⤵
- Executes dropped EXE
PID:2076 -
\??\c:\vvpvj.exec:\vvpvj.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\7lxxxxl.exec:\7lxxxxl.exe40⤵
- Executes dropped EXE
PID:2896 -
\??\c:\hbhhnt.exec:\hbhhnt.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\bthbbh.exec:\bthbbh.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\pvjdj.exec:\pvjdj.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\jvpdd.exec:\jvpdd.exe44⤵
- Executes dropped EXE
PID:2932 -
\??\c:\fxllxxx.exec:\fxllxxx.exe45⤵
- Executes dropped EXE
PID:2584 -
\??\c:\ffrfrrx.exec:\ffrfrrx.exe46⤵
- Executes dropped EXE
PID:1784 -
\??\c:\hhbbhb.exec:\hhbbhb.exe47⤵
- Executes dropped EXE
PID:3048 -
\??\c:\3bthbb.exec:\3bthbb.exe48⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pdvpd.exec:\pdvpd.exe49⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jdjjp.exec:\jdjjp.exe50⤵
- Executes dropped EXE
PID:1536 -
\??\c:\1dppd.exec:\1dppd.exe51⤵
- Executes dropped EXE
PID:1372 -
\??\c:\lfrlllr.exec:\lfrlllr.exe52⤵
- Executes dropped EXE
PID:2568 -
\??\c:\lffrxlr.exec:\lffrxlr.exe53⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hhbbtb.exec:\hhbbtb.exe54⤵
- Executes dropped EXE
PID:492 -
\??\c:\hhbhnt.exec:\hhbhnt.exe55⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ppvvd.exec:\ppvvd.exe56⤵
- Executes dropped EXE
PID:2212 -
\??\c:\jppvv.exec:\jppvv.exe57⤵
- Executes dropped EXE
PID:1196 -
\??\c:\lfxxxfx.exec:\lfxxxfx.exe58⤵
- Executes dropped EXE
PID:2172 -
\??\c:\lfllrxx.exec:\lfllrxx.exe59⤵
- Executes dropped EXE
PID:988 -
\??\c:\tnhhhn.exec:\tnhhhn.exe60⤵
- Executes dropped EXE
PID:2096 -
\??\c:\btbhhn.exec:\btbhhn.exe61⤵
- Executes dropped EXE
PID:2548 -
\??\c:\vpvpv.exec:\vpvpv.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\3frlxfr.exec:\3frlxfr.exe63⤵
- Executes dropped EXE
PID:1804 -
\??\c:\3llxrrx.exec:\3llxrrx.exe64⤵
- Executes dropped EXE
PID:2456 -
\??\c:\tnbnbn.exec:\tnbnbn.exe65⤵
- Executes dropped EXE
PID:760 -
\??\c:\tbbhbn.exec:\tbbhbn.exe66⤵PID:1696
-
\??\c:\dvppd.exec:\dvppd.exe67⤵PID:1584
-
\??\c:\fxrrrfr.exec:\fxrrrfr.exe68⤵PID:2284
-
\??\c:\5rxxllx.exec:\5rxxllx.exe69⤵PID:1544
-
\??\c:\frxxlfl.exec:\frxxlfl.exe70⤵PID:2432
-
\??\c:\hbhnhh.exec:\hbhnhh.exe71⤵PID:2448
-
\??\c:\nhnnhh.exec:\nhnnhh.exe72⤵PID:840
-
\??\c:\1vjpv.exec:\1vjpv.exe73⤵PID:1752
-
\??\c:\pjvvv.exec:\pjvvv.exe74⤵PID:2084
-
\??\c:\lfrxllr.exec:\lfrxllr.exe75⤵PID:2544
-
\??\c:\xxxfxfl.exec:\xxxfxfl.exe76⤵PID:2372
-
\??\c:\rlxfrrf.exec:\rlxfrrf.exe77⤵PID:2508
-
\??\c:\hbhntt.exec:\hbhntt.exe78⤵PID:2392
-
\??\c:\btnthh.exec:\btnthh.exe79⤵PID:2116
-
\??\c:\3pjpd.exec:\3pjpd.exe80⤵PID:1748
-
\??\c:\9dvdv.exec:\9dvdv.exe81⤵PID:2240
-
\??\c:\lfxxffr.exec:\lfxxffr.exe82⤵PID:2336
-
\??\c:\rrllxxl.exec:\rrllxxl.exe83⤵PID:2864
-
\??\c:\7hbnbb.exec:\7hbnbb.exe84⤵PID:2880
-
\??\c:\nhhnbb.exec:\nhhnbb.exe85⤵PID:2904
-
\??\c:\ppjjj.exec:\ppjjj.exe86⤵PID:2604
-
\??\c:\9dvvp.exec:\9dvvp.exe87⤵PID:2744
-
\??\c:\7rlflrf.exec:\7rlflrf.exe88⤵PID:2936
-
\??\c:\ffrfxlr.exec:\ffrfxlr.exe89⤵PID:2580
-
\??\c:\hbtthh.exec:\hbtthh.exe90⤵PID:2612
-
\??\c:\nbnnbn.exec:\nbnnbn.exe91⤵PID:1344
-
\??\c:\dvvvj.exec:\dvvvj.exe92⤵PID:2764
-
\??\c:\1vjpd.exec:\1vjpd.exe93⤵PID:2288
-
\??\c:\lxlllrx.exec:\lxlllrx.exe94⤵PID:1216
-
\??\c:\rfrxrxl.exec:\rfrxrxl.exe95⤵PID:2800
-
\??\c:\nbttbb.exec:\nbttbb.exe96⤵PID:2792
-
\??\c:\3nhhhh.exec:\3nhhhh.exe97⤵PID:2760
-
\??\c:\pdppj.exec:\pdppj.exe98⤵PID:1240
-
\??\c:\dvjvp.exec:\dvjvp.exe99⤵PID:2032
-
\??\c:\5xxxxxx.exec:\5xxxxxx.exe100⤵PID:1756
-
\??\c:\9xrffrr.exec:\9xrffrr.exe101⤵PID:2308
-
\??\c:\bnbbhh.exec:\bnbbhh.exe102⤵PID:768
-
\??\c:\hbbbnh.exec:\hbbbnh.exe103⤵PID:2244
-
\??\c:\3ddvv.exec:\3ddvv.exe104⤵PID:1816
-
\??\c:\dpjdp.exec:\dpjdp.exe105⤵PID:580
-
\??\c:\rlllrxl.exec:\rlllrxl.exe106⤵PID:2024
-
\??\c:\rlxxllf.exec:\rlxxllf.exe107⤵PID:1528
-
\??\c:\3hthtb.exec:\3hthtb.exe108⤵PID:572
-
\??\c:\tnhhhh.exec:\tnhhhh.exe109⤵PID:940
-
\??\c:\1jdpv.exec:\1jdpv.exe110⤵PID:1932
-
\??\c:\vppjp.exec:\vppjp.exe111⤵PID:1948
-
\??\c:\rfxflll.exec:\rfxflll.exe112⤵PID:2140
-
\??\c:\3rxrffl.exec:\3rxrffl.exe113⤵PID:2512
-
\??\c:\7hbhtt.exec:\7hbhtt.exe114⤵PID:1684
-
\??\c:\bthnnn.exec:\bthnnn.exe115⤵PID:2012
-
\??\c:\djdpj.exec:\djdpj.exe116⤵PID:2452
-
\??\c:\jdjvd.exec:\jdjvd.exe117⤵PID:2436
-
\??\c:\fxlxllr.exec:\fxlxllr.exe118⤵PID:2132
-
\??\c:\rlxfffl.exec:\rlxfffl.exe119⤵PID:2344
-
\??\c:\hbnhnn.exec:\hbnhnn.exe120⤵PID:1708
-
\??\c:\1htnbb.exec:\1htnbb.exe121⤵PID:2124
-
\??\c:\1jdjj.exec:\1jdjj.exe122⤵PID:1612
-