Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
14/08/2024, 07:27
Behavioral task
behavioral1
Sample
8e1b89113f9b091071ca7f44eb82f1c0N.exe
Resource
win7-20240705-en
6 signatures
120 seconds
General
-
Target
8e1b89113f9b091071ca7f44eb82f1c0N.exe
-
Size
69KB
-
MD5
8e1b89113f9b091071ca7f44eb82f1c0
-
SHA1
fac0ec38fa977490214902569ec35c5e7c67a0fc
-
SHA256
f6ac656d474ac57be788845f91a556da4f5a81f552c952b66aa374aad3a280bb
-
SHA512
475154e44c3b7cb0d503ccd951bbfd74579bf99bf68478b3170567d29fc54cf3e24915f32d3e3d88620dd885473a4205446cd18679233d7880b478448c586d03
-
SSDEEP
1536:CvQBeOGtrYS3srx93UBWfwC6Ggnouy8Aey:ChOmTsF93UYfwC6GIoutAey
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3632-36-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2032-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1760-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4080-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1080-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3528-6-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4860-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4432-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2528-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2144-60-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3332-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1128-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2988-84-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4676-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4888-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1668-107-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4132-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2184-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4800-132-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1084-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1040-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2976-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4944-161-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2752-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1836-169-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2300-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2092-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4432-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/836-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2144-214-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4728-223-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4236-227-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4888-237-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2188-263-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2488-273-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2004-278-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5032-293-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4316-306-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1228-310-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1376-314-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4928-324-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2264-340-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1672-341-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4528-345-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1448-356-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2876-365-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3212-387-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4604-394-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3156-399-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1376-426-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/632-442-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/972-517-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2092-527-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/672-534-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2668-570-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1192-599-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4352-615-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2400-625-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1088-647-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/768-672-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4420-733-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4960-880-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3608-893-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4232-1081-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3528 flrfxff.exe 4080 dppjd.exe 1760 jppjp.exe 2032 k48648.exe 3632 82600.exe 4860 g6486.exe 4432 jdjvp.exe 2528 xrlfxlf.exe 2144 26220.exe 3332 0026082.exe 1128 hnhbtn.exe 1692 42086.exe 2988 rxflffr.exe 4676 g4026.exe 4888 08860.exe 5036 djdvj.exe 1668 pddvp.exe 4132 dpvjv.exe 4684 dpvpj.exe 2764 406244.exe 2184 lxxrffx.exe 4800 lffrrxf.exe 1084 8460826.exe 1040 044420.exe 2976 pjdvv.exe 1112 5hbnbt.exe 4944 6868024.exe 2752 u882660.exe 1836 4404886.exe 3968 e40428.exe 3616 rxrlxxr.exe 2300 800486.exe 4880 02282.exe 4876 2286082.exe 916 1frrlll.exe 2092 8682048.exe 4432 2888262.exe 836 ntbtnn.exe 2144 800084.exe 2676 0666044.exe 2952 846044.exe 4728 3tnntt.exe 4236 9dvpd.exe 4896 tbthtn.exe 1432 1hnhhb.exe 4888 46400.exe 3092 20224.exe 3168 i660486.exe 704 882600.exe 4132 nthbtn.exe 4684 08862.exe 2852 00060.exe 2184 bhbthb.exe 4800 g8264.exe 2188 3djvj.exe 2592 bnnhnh.exe 2488 1rfrxrr.exe 1888 xlrrlfx.exe 2004 tbtntn.exe 1260 tttnhb.exe 4344 tnttnn.exe 388 600426.exe 5032 4008664.exe 2276 rfxrxff.exe -
resource yara_rule behavioral2/memory/1080-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0009000000023631-4.dat upx behavioral2/files/0x0007000000023639-12.dat upx behavioral2/files/0x000700000002363a-23.dat upx behavioral2/files/0x000700000002363b-28.dat upx behavioral2/files/0x000700000002363c-34.dat upx behavioral2/memory/3632-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4860-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2032-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023638-11.dat upx behavioral2/memory/4080-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1080-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3528-6-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000700000002363d-40.dat upx behavioral2/memory/4860-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000700000002363e-46.dat upx behavioral2/memory/4432-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2528-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000700000002363f-53.dat upx behavioral2/files/0x0007000000023640-59.dat upx behavioral2/memory/2144-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3332-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023641-65.dat upx behavioral2/memory/3332-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023642-74.dat upx behavioral2/memory/1128-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023643-77.dat upx behavioral2/files/0x0007000000023644-82.dat upx behavioral2/memory/2988-84-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4676-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023645-88.dat upx behavioral2/memory/4888-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023646-94.dat upx behavioral2/files/0x0007000000023647-99.dat upx behavioral2/files/0x0007000000023648-104.dat upx behavioral2/memory/1668-107-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4132-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000700000002364b-123.dat upx behavioral2/files/0x000700000002364a-117.dat upx behavioral2/files/0x0007000000023649-111.dat upx behavioral2/files/0x000700000002364c-127.dat upx behavioral2/memory/2184-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000700000002364d-134.dat upx behavioral2/memory/4800-132-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000700000002364e-138.dat upx behavioral2/memory/1084-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000700000002364f-143.dat upx behavioral2/memory/1040-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0008000000023635-148.dat upx behavioral2/memory/2976-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023650-154.dat upx behavioral2/memory/4944-161-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023651-159.dat upx behavioral2/memory/2752-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1836-169-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023652-168.dat upx behavioral2/files/0x0007000000023653-173.dat upx behavioral2/files/0x0007000000023655-177.dat upx behavioral2/files/0x0007000000023656-183.dat upx behavioral2/memory/2300-188-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2092-199-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4432-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/836-209-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2888262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u882660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i008226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2262084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1080 wrote to memory of 3528 1080 8e1b89113f9b091071ca7f44eb82f1c0N.exe 91 PID 1080 wrote to memory of 3528 1080 8e1b89113f9b091071ca7f44eb82f1c0N.exe 91 PID 1080 wrote to memory of 3528 1080 8e1b89113f9b091071ca7f44eb82f1c0N.exe 91 PID 3528 wrote to memory of 4080 3528 flrfxff.exe 92 PID 3528 wrote to memory of 4080 3528 flrfxff.exe 92 PID 3528 wrote to memory of 4080 3528 flrfxff.exe 92 PID 4080 wrote to memory of 1760 4080 dppjd.exe 93 PID 4080 wrote to memory of 1760 4080 dppjd.exe 93 PID 4080 wrote to memory of 1760 4080 dppjd.exe 93 PID 1760 wrote to memory of 2032 1760 jppjp.exe 94 PID 1760 wrote to memory of 2032 1760 jppjp.exe 94 PID 1760 wrote to memory of 2032 1760 jppjp.exe 94 PID 2032 wrote to memory of 3632 2032 k48648.exe 95 PID 2032 wrote to memory of 3632 2032 k48648.exe 95 PID 2032 wrote to memory of 3632 2032 k48648.exe 95 PID 3632 wrote to memory of 4860 3632 82600.exe 96 PID 3632 wrote to memory of 4860 3632 82600.exe 96 PID 3632 wrote to memory of 4860 3632 82600.exe 96 PID 4860 wrote to memory of 4432 4860 g6486.exe 97 PID 4860 wrote to memory of 4432 4860 g6486.exe 97 PID 4860 wrote to memory of 4432 4860 g6486.exe 97 PID 4432 wrote to memory of 2528 4432 jdjvp.exe 98 PID 4432 wrote to memory of 2528 4432 jdjvp.exe 98 PID 4432 wrote to memory of 2528 4432 jdjvp.exe 98 PID 2528 wrote to memory of 2144 2528 xrlfxlf.exe 99 PID 2528 wrote to memory of 2144 2528 xrlfxlf.exe 99 PID 2528 wrote to memory of 2144 2528 xrlfxlf.exe 99 PID 2144 wrote to memory of 3332 2144 26220.exe 100 PID 2144 wrote to memory of 3332 2144 26220.exe 100 PID 2144 wrote to memory of 3332 2144 26220.exe 100 PID 3332 wrote to memory of 1128 3332 0026082.exe 101 PID 3332 wrote to memory of 1128 3332 0026082.exe 101 PID 3332 wrote to memory of 1128 3332 0026082.exe 101 PID 1128 wrote to memory of 1692 1128 hnhbtn.exe 102 PID 1128 wrote to memory of 1692 1128 hnhbtn.exe 102 PID 1128 wrote to memory of 1692 1128 hnhbtn.exe 102 PID 1692 
wrote to memory of 2988 1692 42086.exe 104 PID 1692 wrote to memory of 2988 1692 42086.exe 104 PID 1692 wrote to memory of 2988 1692 42086.exe 104 PID 2988 wrote to memory of 4676 2988 rxflffr.exe 105 PID 2988 wrote to memory of 4676 2988 rxflffr.exe 105 PID 2988 wrote to memory of 4676 2988 rxflffr.exe 105 PID 4676 wrote to memory of 4888 4676 g4026.exe 139 PID 4676 wrote to memory of 4888 4676 g4026.exe 139 PID 4676 wrote to memory of 4888 4676 g4026.exe 139 PID 4888 wrote to memory of 5036 4888 08860.exe 107 PID 4888 wrote to memory of 5036 4888 08860.exe 107 PID 4888 wrote to memory of 5036 4888 08860.exe 107 PID 5036 wrote to memory of 1668 5036 djdvj.exe 108 PID 5036 wrote to memory of 1668 5036 djdvj.exe 108 PID 5036 wrote to memory of 1668 5036 djdvj.exe 108 PID 1668 wrote to memory of 4132 1668 pddvp.exe 143 PID 1668 wrote to memory of 4132 1668 pddvp.exe 143 PID 1668 wrote to memory of 4132 1668 pddvp.exe 143 PID 4132 wrote to memory of 4684 4132 dpvjv.exe 144 PID 4132 wrote to memory of 4684 4132 dpvjv.exe 144 PID 4132 wrote to memory of 4684 4132 dpvjv.exe 144 PID 4684 wrote to memory of 2764 4684 dpvpj.exe 111 PID 4684 wrote to memory of 2764 4684 dpvpj.exe 111 PID 4684 wrote to memory of 2764 4684 dpvpj.exe 111 PID 2764 wrote to memory of 2184 2764 406244.exe 146 PID 2764 wrote to memory of 2184 2764 406244.exe 146 PID 2764 wrote to memory of 2184 2764 406244.exe 146 PID 2184 wrote to memory of 4800 2184 lxxrffx.exe 147
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e1b89113f9b091071ca7f44eb82f1c0N.exe"C:\Users\Admin\AppData\Local\Temp\8e1b89113f9b091071ca7f44eb82f1c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\flrfxff.exec:\flrfxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\dppjd.exec:\dppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\jppjp.exec:\jppjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\k48648.exec:\k48648.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\82600.exec:\82600.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\g6486.exec:\g6486.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\jdjvp.exec:\jdjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\xrlfxlf.exec:\xrlfxlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\26220.exec:\26220.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\0026082.exec:\0026082.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\hnhbtn.exec:\hnhbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\42086.exec:\42086.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\rxflffr.exec:\rxflffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\g4026.exec:\g4026.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\08860.exec:\08860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\djdvj.exec:\djdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\pddvp.exec:\pddvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\dpvjv.exec:\dpvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\dpvpj.exec:\dpvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\406244.exec:\406244.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\lxxrffx.exec:\lxxrffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\lffrrxf.exec:\lffrrxf.exe23⤵
- Executes dropped EXE
PID:4800 -
\??\c:\8460826.exec:\8460826.exe24⤵
- Executes dropped EXE
PID:1084 -
\??\c:\044420.exec:\044420.exe25⤵
- Executes dropped EXE
PID:1040 -
\??\c:\pjdvv.exec:\pjdvv.exe26⤵
- Executes dropped EXE
PID:2976 -
\??\c:\5hbnbt.exec:\5hbnbt.exe27⤵
- Executes dropped EXE
PID:1112 -
\??\c:\6868024.exec:\6868024.exe28⤵
- Executes dropped EXE
PID:4944 -
\??\c:\u882660.exec:\u882660.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752 -
\??\c:\4404886.exec:\4404886.exe30⤵
- Executes dropped EXE
PID:1836 -
\??\c:\e40428.exec:\e40428.exe31⤵
- Executes dropped EXE
PID:3968 -
\??\c:\rxrlxxr.exec:\rxrlxxr.exe32⤵
- Executes dropped EXE
PID:3616 -
\??\c:\800486.exec:\800486.exe33⤵
- Executes dropped EXE
PID:2300 -
\??\c:\02282.exec:\02282.exe34⤵
- Executes dropped EXE
PID:4880 -
\??\c:\2286082.exec:\2286082.exe35⤵
- Executes dropped EXE
PID:4876 -
\??\c:\1frrlll.exec:\1frrlll.exe36⤵
- Executes dropped EXE
PID:916 -
\??\c:\8682048.exec:\8682048.exe37⤵
- Executes dropped EXE
PID:2092 -
\??\c:\2888262.exec:\2888262.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4432 -
\??\c:\ntbtnn.exec:\ntbtnn.exe39⤵
- Executes dropped EXE
PID:836 -
\??\c:\800084.exec:\800084.exe40⤵
- Executes dropped EXE
PID:2144 -
\??\c:\0666044.exec:\0666044.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\846044.exec:\846044.exe42⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3tnntt.exec:\3tnntt.exe43⤵
- Executes dropped EXE
PID:4728 -
\??\c:\9dvpd.exec:\9dvpd.exe44⤵
- Executes dropped EXE
PID:4236 -
\??\c:\tbthtn.exec:\tbthtn.exe45⤵
- Executes dropped EXE
PID:4896 -
\??\c:\1hnhhb.exec:\1hnhhb.exe46⤵
- Executes dropped EXE
PID:1432 -
\??\c:\46400.exec:\46400.exe47⤵
- Executes dropped EXE
PID:4888 -
\??\c:\20224.exec:\20224.exe48⤵
- Executes dropped EXE
PID:3092 -
\??\c:\i660486.exec:\i660486.exe49⤵
- Executes dropped EXE
PID:3168 -
\??\c:\882600.exec:\882600.exe50⤵
- Executes dropped EXE
PID:704 -
\??\c:\nthbtn.exec:\nthbtn.exe51⤵
- Executes dropped EXE
PID:4132 -
\??\c:\08862.exec:\08862.exe52⤵
- Executes dropped EXE
PID:4684 -
\??\c:\00060.exec:\00060.exe53⤵
- Executes dropped EXE
PID:2852 -
\??\c:\bhbthb.exec:\bhbthb.exe54⤵
- Executes dropped EXE
PID:2184 -
\??\c:\g8264.exec:\g8264.exe55⤵
- Executes dropped EXE
PID:4800 -
\??\c:\3djvj.exec:\3djvj.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\bnnhnh.exec:\bnnhnh.exe57⤵
- Executes dropped EXE
PID:2592 -
\??\c:\1rfrxrr.exec:\1rfrxrr.exe58⤵
- Executes dropped EXE
PID:2488 -
\??\c:\xlrrlfx.exec:\xlrrlfx.exe59⤵
- Executes dropped EXE
PID:1888 -
\??\c:\tbtntn.exec:\tbtntn.exe60⤵
- Executes dropped EXE
PID:2004 -
\??\c:\tttnhb.exec:\tttnhb.exe61⤵
- Executes dropped EXE
PID:1260 -
\??\c:\tnttnn.exec:\tnttnn.exe62⤵
- Executes dropped EXE
PID:4344 -
\??\c:\600426.exec:\600426.exe63⤵
- Executes dropped EXE
PID:388 -
\??\c:\4008664.exec:\4008664.exe64⤵
- Executes dropped EXE
PID:5032 -
\??\c:\rfxrxff.exec:\rfxrxff.exe65⤵
- Executes dropped EXE
PID:2276 -
\??\c:\bhbhtn.exec:\bhbhtn.exe66⤵PID:1192
-
\??\c:\002628.exec:\002628.exe67⤵PID:4112
-
\??\c:\84046.exec:\84046.exe68⤵PID:4316
-
\??\c:\04004.exec:\04004.exe69⤵PID:1228
-
\??\c:\00660.exec:\00660.exe70⤵PID:1376
-
\??\c:\1lrrlrf.exec:\1lrrlrf.exe71⤵PID:2092
-
\??\c:\2204204.exec:\2204204.exe72⤵PID:872
-
\??\c:\xfrlxrl.exec:\xfrlxrl.exe73⤵PID:4928
-
\??\c:\jvpjd.exec:\jvpjd.exe74⤵PID:868
-
\??\c:\xxfxllx.exec:\xxfxllx.exe75⤵PID:3300
-
\??\c:\vjpdv.exec:\vjpdv.exe76⤵PID:1160
-
\??\c:\8404264.exec:\8404264.exe77⤵PID:5076
-
\??\c:\88486.exec:\88486.exe78⤵PID:2264
-
\??\c:\i628248.exec:\i628248.exe79⤵PID:1672
-
\??\c:\42826.exec:\42826.exe80⤵PID:4528
-
\??\c:\nbthhb.exec:\nbthhb.exe81⤵PID:1400
-
\??\c:\28402.exec:\28402.exe82⤵PID:1772
-
\??\c:\484860.exec:\484860.exe83⤵PID:1448
-
\??\c:\k44860.exec:\k44860.exe84⤵PID:3112
-
\??\c:\2026040.exec:\2026040.exe85⤵PID:2876
-
\??\c:\vjjdp.exec:\vjjdp.exe86⤵PID:4600
-
\??\c:\xffxlfx.exec:\xffxlfx.exe87⤵PID:3360
-
\??\c:\i882626.exec:\i882626.exe88⤵PID:3192
-
\??\c:\q40406.exec:\q40406.exe89⤵PID:2652
-
\??\c:\c606000.exec:\c606000.exe90⤵PID:1500
-
\??\c:\202244.exec:\202244.exe91⤵PID:3484
-
\??\c:\2840440.exec:\2840440.exe92⤵PID:3212
-
\??\c:\5nhbtn.exec:\5nhbtn.exe93⤵PID:1112
-
\??\c:\hbhhnb.exec:\hbhhnb.exe94⤵PID:4604
-
\??\c:\6000824.exec:\6000824.exe95⤵PID:4460
-
\??\c:\08864.exec:\08864.exe96⤵PID:3156
-
\??\c:\406026.exec:\406026.exe97⤵PID:4004
-
\??\c:\k28208.exec:\k28208.exe98⤵PID:4024
-
\??\c:\8626886.exec:\8626886.exe99⤵PID:2276
-
\??\c:\844826.exec:\844826.exe100⤵PID:1192
-
\??\c:\bhbthh.exec:\bhbthh.exe101⤵PID:3392
-
\??\c:\c060200.exec:\c060200.exe102⤵PID:4876
-
\??\c:\0844204.exec:\0844204.exe103⤵PID:916
-
\??\c:\5lfxrlf.exec:\5lfxrlf.exe104⤵PID:1376
-
\??\c:\20604.exec:\20604.exe105⤵PID:4352
-
\??\c:\08420.exec:\08420.exe106⤵PID:2528
-
\??\c:\400422.exec:\400422.exe107⤵PID:800
-
\??\c:\nbtntn.exec:\nbtntn.exe108⤵PID:3956
-
\??\c:\w24426.exec:\w24426.exe109⤵PID:632
-
\??\c:\7rxllrr.exec:\7rxllrr.exe110⤵
- System Location Discovery: System Language Discovery
PID:1852 -
\??\c:\7xxrfxx.exec:\7xxrfxx.exe111⤵PID:2252
-
\??\c:\1nthbt.exec:\1nthbt.exe112⤵PID:1672
-
\??\c:\k26242.exec:\k26242.exe113⤵PID:4524
-
\??\c:\ddvjv.exec:\ddvjv.exe114⤵PID:1400
-
\??\c:\e04860.exec:\e04860.exe115⤵PID:1772
-
\??\c:\hhhhbt.exec:\hhhhbt.exe116⤵PID:2580
-
\??\c:\pdvjd.exec:\pdvjd.exe117⤵PID:4000
-
\??\c:\8848008.exec:\8848008.exe118⤵PID:4788
-
\??\c:\jjjdp.exec:\jjjdp.exe119⤵PID:4960
-
\??\c:\24666.exec:\24666.exe120⤵PID:2184
-
\??\c:\20844.exec:\20844.exe121⤵PID:2564
-
\??\c:\lxxlffr.exec:\lxxlffr.exe122⤵PID:224
-