Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 01:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe
-
Size
453KB
-
MD5
545093a51fee83dc08841c4c33813e8c
-
SHA1
4996b0649cb4047506c27b53557d4ff60af7f7cb
-
SHA256
90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc
-
SHA512
ca6a1a78e67df4bbbc7e279496477e6b9ed540ef93568a9d28aaba6f96f6abd0e20afd69caad120775621b9a7dbb73b74f6d30f37fda7313bd0426c0134bb3d7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN4:q7Tc2NYHUrAwfMp3CDN4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/1596-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-26-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1680-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-436-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2060-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-530-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1576-558-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2752-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-661-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1944-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-749-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2000-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-955-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-1028-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-1027-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2732 hhbbtb.exe 2680 8028682.exe 2904 k48082.exe 2892 8684406.exe 2852 ththbh.exe 2636 20840.exe 2564 llfrrfl.exe 2980 842480.exe 2004 bhtbhh.exe 2776 0422840.exe 2844 hbbbnn.exe 1348 lfllrxf.exe 2496 7dvpp.exe 1956 rlxxxrx.exe 1644 48006.exe 1704 s6002.exe 1416 828046.exe 1836 2088040.exe 2052 484684.exe 2120 6646844.exe 2924 ffxrrll.exe 1708 flfrffl.exe 1540 3flrxrx.exe 2152 1nbhth.exe 2340 e26628.exe 1680 fllxlfr.exe 1268 tnnnbh.exe 1720 pvvvv.exe 652 24846.exe 2388 6206802.exe 2432 u488280.exe 2608 bntbnn.exe 1412 s4842.exe 748 484844.exe 1480 468842.exe 828 600246.exe 2072 fxfrxxf.exe 2648 0006280.exe 2808 7fxlrfr.exe 2836 lfrflxl.exe 2716 s4424.exe 2576 c406624.exe 2660 7ppjp.exe 2692 2640228.exe 2360 9pjjv.exe 1952 8268004.exe 1920 208462.exe 2812 xlxxxfx.exe 2840 xxrrflr.exe 1220 djdjp.exe 1340 w60200.exe 1908 8644880.exe 1112 btnbnn.exe 2036 268400.exe 1940 9btthn.exe 1760 9pvjv.exe 1828 rlrlrxr.exe 1560 426288.exe 2124 2268668.exe 2336 482220.exe 2040 pdvvd.exe 2920 rxlrxxl.exe 2912 824622.exe 2060 06006.exe -
resource yara_rule behavioral1/memory/1596-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-247-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2388-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-498-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2060-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-955-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2740-986-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1692-1027-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2416-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-1063-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o644002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w44404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 2732 1596 90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe 28 PID 1596 wrote to memory of 2732 1596 90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe 28 PID 1596 wrote to memory of 2732 1596 90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe 28 PID 1596 wrote to memory of 2732 1596 90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe 28 PID 2732 wrote to memory of 2680 2732 hhbbtb.exe 29 PID 2732 wrote to memory of 2680 2732 hhbbtb.exe 29 PID 2732 wrote to memory of 2680 2732 hhbbtb.exe 29 PID 2732 wrote to memory of 2680 2732 hhbbtb.exe 29 PID 2680 wrote to memory of 2904 2680 8028682.exe 30 PID 2680 wrote to memory of 2904 2680 8028682.exe 30 PID 2680 wrote to memory of 2904 2680 8028682.exe 30 PID 2680 wrote to memory of 2904 2680 8028682.exe 30 PID 2904 wrote to memory of 2892 2904 k48082.exe 31 PID 2904 wrote to memory of 2892 2904 k48082.exe 31 PID 2904 wrote to memory of 2892 2904 k48082.exe 31 PID 2904 wrote to memory of 2892 2904 k48082.exe 31 PID 2892 wrote to memory of 2852 2892 8684406.exe 32 PID 2892 wrote to memory of 2852 2892 8684406.exe 32 PID 2892 wrote to memory of 2852 2892 8684406.exe 32 PID 2892 wrote to memory of 2852 2892 8684406.exe 32 PID 2852 wrote to memory of 2636 2852 ththbh.exe 33 PID 2852 wrote to memory of 2636 2852 ththbh.exe 33 PID 2852 wrote to memory of 2636 2852 ththbh.exe 33 PID 2852 wrote to memory of 2636 2852 ththbh.exe 33 PID 2636 wrote to memory of 2564 2636 20840.exe 34 PID 2636 wrote to memory of 2564 2636 20840.exe 34 PID 2636 wrote to memory of 2564 2636 20840.exe 34 PID 2636 wrote to memory of 2564 2636 20840.exe 34 PID 2564 wrote to memory of 2980 2564 llfrrfl.exe 35 PID 2564 wrote to memory of 2980 2564 llfrrfl.exe 35 PID 2564 wrote to memory of 2980 2564 llfrrfl.exe 35 PID 2564 wrote to memory of 2980 2564 llfrrfl.exe 35 PID 2980 wrote to memory of 2004 2980 842480.exe 36 PID 
2980 wrote to memory of 2004 2980 842480.exe 36 PID 2980 wrote to memory of 2004 2980 842480.exe 36 PID 2980 wrote to memory of 2004 2980 842480.exe 36 PID 2004 wrote to memory of 2776 2004 bhtbhh.exe 37 PID 2004 wrote to memory of 2776 2004 bhtbhh.exe 37 PID 2004 wrote to memory of 2776 2004 bhtbhh.exe 37 PID 2004 wrote to memory of 2776 2004 bhtbhh.exe 37 PID 2776 wrote to memory of 2844 2776 0422840.exe 38 PID 2776 wrote to memory of 2844 2776 0422840.exe 38 PID 2776 wrote to memory of 2844 2776 0422840.exe 38 PID 2776 wrote to memory of 2844 2776 0422840.exe 38 PID 2844 wrote to memory of 1348 2844 hbbbnn.exe 39 PID 2844 wrote to memory of 1348 2844 hbbbnn.exe 39 PID 2844 wrote to memory of 1348 2844 hbbbnn.exe 39 PID 2844 wrote to memory of 1348 2844 hbbbnn.exe 39 PID 1348 wrote to memory of 2496 1348 lfllrxf.exe 40 PID 1348 wrote to memory of 2496 1348 lfllrxf.exe 40 PID 1348 wrote to memory of 2496 1348 lfllrxf.exe 40 PID 1348 wrote to memory of 2496 1348 lfllrxf.exe 40 PID 2496 wrote to memory of 1956 2496 7dvpp.exe 41 PID 2496 wrote to memory of 1956 2496 7dvpp.exe 41 PID 2496 wrote to memory of 1956 2496 7dvpp.exe 41 PID 2496 wrote to memory of 1956 2496 7dvpp.exe 41 PID 1956 wrote to memory of 1644 1956 rlxxxrx.exe 42 PID 1956 wrote to memory of 1644 1956 rlxxxrx.exe 42 PID 1956 wrote to memory of 1644 1956 rlxxxrx.exe 42 PID 1956 wrote to memory of 1644 1956 rlxxxrx.exe 42 PID 1644 wrote to memory of 1704 1644 48006.exe 43 PID 1644 wrote to memory of 1704 1644 48006.exe 43 PID 1644 wrote to memory of 1704 1644 48006.exe 43 PID 1644 wrote to memory of 1704 1644 48006.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe"C:\Users\Admin\AppData\Local\Temp\90c459b6e6bf27d604defeec44a97df11cbbff6564adef843da5b44e7858a4cc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\hhbbtb.exec:\hhbbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\8028682.exec:\8028682.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\k48082.exec:\k48082.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\8684406.exec:\8684406.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\ththbh.exec:\ththbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\20840.exec:\20840.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\llfrrfl.exec:\llfrrfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\842480.exec:\842480.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\bhtbhh.exec:\bhtbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\0422840.exec:\0422840.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\hbbbnn.exec:\hbbbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\lfllrxf.exec:\lfllrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\7dvpp.exec:\7dvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\rlxxxrx.exec:\rlxxxrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\48006.exec:\48006.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\s6002.exec:\s6002.exe17⤵
- Executes dropped EXE
PID:1704 -
\??\c:\828046.exec:\828046.exe18⤵
- Executes dropped EXE
PID:1416 -
\??\c:\2088040.exec:\2088040.exe19⤵
- Executes dropped EXE
PID:1836 -
\??\c:\484684.exec:\484684.exe20⤵
- Executes dropped EXE
PID:2052 -
\??\c:\6646844.exec:\6646844.exe21⤵
- Executes dropped EXE
PID:2120 -
\??\c:\ffxrrll.exec:\ffxrrll.exe22⤵
- Executes dropped EXE
PID:2924 -
\??\c:\flfrffl.exec:\flfrffl.exe23⤵
- Executes dropped EXE
PID:1708 -
\??\c:\3flrxrx.exec:\3flrxrx.exe24⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1nbhth.exec:\1nbhth.exe25⤵
- Executes dropped EXE
PID:2152 -
\??\c:\e26628.exec:\e26628.exe26⤵
- Executes dropped EXE
PID:2340 -
\??\c:\fllxlfr.exec:\fllxlfr.exe27⤵
- Executes dropped EXE
PID:1680 -
\??\c:\tnnnbh.exec:\tnnnbh.exe28⤵
- Executes dropped EXE
PID:1268 -
\??\c:\pvvvv.exec:\pvvvv.exe29⤵
- Executes dropped EXE
PID:1720 -
\??\c:\24846.exec:\24846.exe30⤵
- Executes dropped EXE
PID:652 -
\??\c:\6206802.exec:\6206802.exe31⤵
- Executes dropped EXE
PID:2388 -
\??\c:\u488280.exec:\u488280.exe32⤵
- Executes dropped EXE
PID:2432 -
\??\c:\bntbnn.exec:\bntbnn.exe33⤵
- Executes dropped EXE
PID:2608 -
\??\c:\s4842.exec:\s4842.exe34⤵
- Executes dropped EXE
PID:1412 -
\??\c:\484844.exec:\484844.exe35⤵
- Executes dropped EXE
PID:748 -
\??\c:\468842.exec:\468842.exe36⤵
- Executes dropped EXE
PID:1480 -
\??\c:\600246.exec:\600246.exe37⤵
- Executes dropped EXE
PID:828 -
\??\c:\fxfrxxf.exec:\fxfrxxf.exe38⤵
- Executes dropped EXE
PID:2072 -
\??\c:\0006280.exec:\0006280.exe39⤵
- Executes dropped EXE
PID:2648 -
\??\c:\7fxlrfr.exec:\7fxlrfr.exe40⤵
- Executes dropped EXE
PID:2808 -
\??\c:\lfrflxl.exec:\lfrflxl.exe41⤵
- Executes dropped EXE
PID:2836 -
\??\c:\s4424.exec:\s4424.exe42⤵
- Executes dropped EXE
PID:2716 -
\??\c:\c406624.exec:\c406624.exe43⤵
- Executes dropped EXE
PID:2576 -
\??\c:\7ppjp.exec:\7ppjp.exe44⤵
- Executes dropped EXE
PID:2660 -
\??\c:\2640228.exec:\2640228.exe45⤵
- Executes dropped EXE
PID:2692 -
\??\c:\9pjjv.exec:\9pjjv.exe46⤵
- Executes dropped EXE
PID:2360 -
\??\c:\8268004.exec:\8268004.exe47⤵
- Executes dropped EXE
PID:1952 -
\??\c:\208462.exec:\208462.exe48⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xlxxxfx.exec:\xlxxxfx.exe49⤵
- Executes dropped EXE
PID:2812 -
\??\c:\xxrrflr.exec:\xxrrflr.exe50⤵
- Executes dropped EXE
PID:2840 -
\??\c:\djdjp.exec:\djdjp.exe51⤵
- Executes dropped EXE
PID:1220 -
\??\c:\w60200.exec:\w60200.exe52⤵
- Executes dropped EXE
PID:1340 -
\??\c:\8644880.exec:\8644880.exe53⤵
- Executes dropped EXE
PID:1908 -
\??\c:\btnbnn.exec:\btnbnn.exe54⤵
- Executes dropped EXE
PID:1112 -
\??\c:\268400.exec:\268400.exe55⤵
- Executes dropped EXE
PID:2036 -
\??\c:\9btthn.exec:\9btthn.exe56⤵
- Executes dropped EXE
PID:1940 -
\??\c:\9pvjv.exec:\9pvjv.exe57⤵
- Executes dropped EXE
PID:1760 -
\??\c:\rlrlrxr.exec:\rlrlrxr.exe58⤵
- Executes dropped EXE
PID:1828 -
\??\c:\426288.exec:\426288.exe59⤵
- Executes dropped EXE
PID:1560 -
\??\c:\2268668.exec:\2268668.exe60⤵
- Executes dropped EXE
PID:2124 -
\??\c:\482220.exec:\482220.exe61⤵
- Executes dropped EXE
PID:2336 -
\??\c:\pdvvd.exec:\pdvvd.exe62⤵
- Executes dropped EXE
PID:2040 -
\??\c:\rxlrxxl.exec:\rxlrxxl.exe63⤵
- Executes dropped EXE
PID:2920 -
\??\c:\824622.exec:\824622.exe64⤵
- Executes dropped EXE
PID:2912 -
\??\c:\06006.exec:\06006.exe65⤵
- Executes dropped EXE
PID:2060 -
\??\c:\26086.exec:\26086.exe66⤵PID:684
-
\??\c:\06202.exec:\06202.exe67⤵PID:1084
-
\??\c:\608428.exec:\608428.exe68⤵PID:2152
-
\??\c:\vjvvj.exec:\vjvvj.exe69⤵PID:2340
-
\??\c:\ppdjd.exec:\ppdjd.exe70⤵PID:2300
-
\??\c:\9ddpj.exec:\9ddpj.exe71⤵PID:1576
-
\??\c:\frlxffl.exec:\frlxffl.exe72⤵PID:1712
-
\??\c:\dvpvj.exec:\dvpvj.exe73⤵PID:944
-
\??\c:\nnbhbh.exec:\nnbhbh.exe74⤵PID:2400
-
\??\c:\lfrrffl.exec:\lfrrffl.exe75⤵PID:2448
-
\??\c:\482244.exec:\482244.exe76⤵PID:2008
-
\??\c:\rxlrxxl.exec:\rxlrxxl.exe77⤵PID:292
-
\??\c:\260646.exec:\260646.exe78⤵PID:1224
-
\??\c:\k82862.exec:\k82862.exe79⤵PID:1412
-
\??\c:\9pjpd.exec:\9pjpd.exe80⤵PID:832
-
\??\c:\u862446.exec:\u862446.exe81⤵PID:2616
-
\??\c:\vjddd.exec:\vjddd.exe82⤵PID:2260
-
\??\c:\7nbhtn.exec:\7nbhtn.exe83⤵PID:2800
-
\??\c:\bbtbhh.exec:\bbtbhh.exe84⤵PID:2656
-
\??\c:\822688.exec:\822688.exe85⤵PID:2904
-
\??\c:\5xrrxfr.exec:\5xrrxfr.exe86⤵PID:2752
-
\??\c:\264068.exec:\264068.exe87⤵PID:2560
-
\??\c:\lfrrffx.exec:\lfrrffx.exe88⤵PID:2688
-
\??\c:\vpdjp.exec:\vpdjp.exe89⤵PID:2588
-
\??\c:\hhtnhh.exec:\hhtnhh.exe90⤵PID:3028
-
\??\c:\pddpd.exec:\pddpd.exe91⤵PID:2472
-
\??\c:\bnhhhn.exec:\bnhhhn.exe92⤵PID:764
-
\??\c:\nnbhnb.exec:\nnbhnb.exe93⤵PID:1008
-
\??\c:\4484280.exec:\4484280.exe94⤵PID:2828
-
\??\c:\rfrflll.exec:\rfrflll.exe95⤵PID:2860
-
\??\c:\0620086.exec:\0620086.exe96⤵PID:2840
-
\??\c:\o862480.exec:\o862480.exe97⤵PID:1348
-
\??\c:\20846.exec:\20846.exe98⤵PID:1944
-
\??\c:\4860802.exec:\4860802.exe99⤵PID:1908
-
\??\c:\1bnnnt.exec:\1bnnnt.exe100⤵PID:1112
-
\??\c:\1rxffll.exec:\1rxffll.exe101⤵PID:3000
-
\??\c:\424062.exec:\424062.exe102⤵PID:1904
-
\??\c:\04262.exec:\04262.exe103⤵PID:2188
-
\??\c:\pjppd.exec:\pjppd.exe104⤵PID:1544
-
\??\c:\086246.exec:\086246.exe105⤵PID:1752
-
\??\c:\9vpjv.exec:\9vpjv.exe106⤵PID:1852
-
\??\c:\lfrxlfx.exec:\lfrxlfx.exe107⤵PID:2336
-
\??\c:\1xxflfr.exec:\1xxflfr.exe108⤵PID:1656
-
\??\c:\hthntt.exec:\hthntt.exe109⤵PID:2324
-
\??\c:\1vppp.exec:\1vppp.exe110⤵PID:2912
-
\??\c:\pdvjv.exec:\pdvjv.exe111⤵PID:2408
-
\??\c:\488428.exec:\488428.exe112⤵PID:2296
-
\??\c:\djvdj.exec:\djvdj.exe113⤵PID:444
-
\??\c:\lflrrll.exec:\lflrrll.exe114⤵PID:2000
-
\??\c:\fxrlrxf.exec:\fxrlrxf.exe115⤵PID:2064
-
\??\c:\6420606.exec:\6420606.exe116⤵PID:1764
-
\??\c:\e22428.exec:\e22428.exe117⤵PID:2300
-
\??\c:\0862862.exec:\0862862.exe118⤵PID:1720
-
\??\c:\dppjv.exec:\dppjv.exe119⤵PID:1456
-
\??\c:\486284.exec:\486284.exe120⤵PID:600
-
\??\c:\xxrxrxr.exec:\xxrxrxr.exe121⤵PID:2400
-
\??\c:\o080686.exec:\o080686.exe122⤵PID:1912