Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
21/08/2024, 21:37
Behavioral task
behavioral1
Sample
d13189b20b276dc9d6e461b0db49ccf0N.exe
Resource
win7-20240705-en
6 signatures
120 seconds
General
-
Target
d13189b20b276dc9d6e461b0db49ccf0N.exe
-
Size
529KB
-
MD5
d13189b20b276dc9d6e461b0db49ccf0
-
SHA1
8000e58cb14eace04e24194228bf333ada707ddf
-
SHA256
22b57fc92c9711a3fb22dad8e2d6e476453f3c5c82a6adf90a814f48b45a02ca
-
SHA512
e19a96fb8cbc0d23531a2bd9dfdebd62b121a9514adc660ff5078a857a4cb081d53141c402af1447c900fe8a2f7815db4dea1261ccb2b295f97012415f033fdc
-
SSDEEP
12288:y4wFHoS3eFp3IDvSbh5nP+UbGTHoSouKs8N0u/D6vIZS:HFp3lzZbGa5soS
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/232-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3340-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2760-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/348-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2572-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2548-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3580-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/376-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-556-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-654-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3944-686-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-714-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2812-733-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2548-848-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/820-1065-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-1198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-2101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 232 xrrfxrl.exe 4044 1rrrfxr.exe 4700 6004804.exe 1564 dppjj.exe 1524 xrxrllf.exe 4548 002604.exe 3056 1vvpj.exe 3876 5hnhnn.exe 3340 g4420.exe 4840 00280.exe 4968 dvvvv.exe 448 40484.exe 4532 26260.exe 1940 8226044.exe 3580 fxlflll.exe 3508 bthbhh.exe 4412 4800882.exe 5036 0604826.exe 428 80266.exe 2192 xlxrfll.exe 4836 846488.exe 4904 268206.exe 456 484666.exe 1160 lffrllf.exe 3492 httbht.exe 4964 60604.exe 4148 w00482.exe 2280 m4048.exe 2584 5jvpj.exe 4512 044826.exe 2760 6282666.exe 4056 62064.exe 2084 4806048.exe 4280 6242048.exe 4956 66286.exe 3808 84642.exe 3876 e84822.exe 2396 o460606.exe 1452 6848664.exe 2260 vpppp.exe 3596 2808642.exe 2984 bbthth.exe 448 bbnhnh.exe 4532 86226.exe 4796 dvvjd.exe 348 66248.exe 2820 rllxlfx.exe 2664 vdvpv.exe 2572 thhttn.exe 3664 s4004.exe 3692 8008208.exe 2172 hntnhb.exe 4904 fxrfllx.exe 3424 86808.exe 1308 btnthh.exe 4108 tbbtnh.exe 5000 86642.exe 3948 3nbbtn.exe 4848 nbbtht.exe 404 jpvdv.exe 2628 k02648.exe 4344 w00804.exe 4148 g0082.exe 2584 5hhtnh.exe -
resource yara_rule behavioral2/memory/2144-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/232-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023598-4.dat upx behavioral2/memory/2144-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000800000002359b-12.dat upx behavioral2/memory/4044-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002359f-14.dat upx behavioral2/files/0x00070000000235a0-23.dat upx behavioral2/files/0x00070000000235a1-29.dat upx behavioral2/memory/1524-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1564-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4700-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235a2-35.dat upx behavioral2/files/0x000800000002359c-42.dat upx behavioral2/memory/4548-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235a4-45.dat upx behavioral2/memory/3056-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235a5-51.dat upx behavioral2/memory/3876-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235a6-57.dat upx behavioral2/memory/3340-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235a7-64.dat upx behavioral2/memory/4840-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235a8-70.dat upx behavioral2/files/0x00070000000235a9-75.dat upx behavioral2/files/0x00070000000235aa-81.dat upx behavioral2/memory/1940-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235ad-97.dat upx behavioral2/files/0x00070000000235ae-103.dat upx behavioral2/files/0x00070000000235af-110.dat upx behavioral2/memory/428-112-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5036-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235b3-133.dat upx behavioral2/memory/4904-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235b2-126.dat upx behavioral2/files/0x00070000000235b1-122.dat upx behavioral2/memory/2192-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235b0-116.dat upx behavioral2/memory/4412-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3508-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235ac-92.dat upx behavioral2/files/0x00070000000235ab-87.dat upx behavioral2/memory/4532-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235b4-137.dat upx behavioral2/files/0x00070000000235b6-142.dat upx behavioral2/files/0x00070000000235b7-148.dat upx behavioral2/files/0x00070000000235b8-154.dat upx behavioral2/memory/4148-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235b9-160.dat upx behavioral2/memory/2584-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235bb-169.dat upx behavioral2/files/0x00070000000235ba-164.dat upx behavioral2/files/0x00070000000235bc-175.dat upx behavioral2/memory/4056-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2760-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000235bd-180.dat upx behavioral2/memory/4956-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2396-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1452-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2260-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3596-218-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4532-228-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/348-235-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2572-245-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2460446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4886042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrlw4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 404648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2800448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c682262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 232 2144 d13189b20b276dc9d6e461b0db49ccf0N.exe 91 PID 2144 wrote to memory of 232 2144 d13189b20b276dc9d6e461b0db49ccf0N.exe 91 PID 2144 wrote to memory of 232 2144 d13189b20b276dc9d6e461b0db49ccf0N.exe 91 PID 232 wrote to memory of 4044 232 xrrfxrl.exe 92 PID 232 wrote to memory of 4044 232 xrrfxrl.exe 92 PID 232 wrote to memory of 4044 232 xrrfxrl.exe 92 PID 4044 wrote to memory of 4700 4044 1rrrfxr.exe 93 PID 4044 wrote to memory of 4700 4044 1rrrfxr.exe 93 PID 4044 wrote to memory of 4700 4044 1rrrfxr.exe 93 PID 4700 wrote to memory of 1564 4700 6004804.exe 94 PID 4700 wrote to memory of 1564 4700 6004804.exe 94 PID 4700 wrote to memory of 1564 4700 6004804.exe 94 PID 1564 wrote to memory of 1524 1564 dppjj.exe 95 PID 1564 wrote to memory of 1524 1564 dppjj.exe 95 PID 1564 wrote to memory of 1524 1564 dppjj.exe 95 PID 1524 wrote to memory of 4548 1524 xrxrllf.exe 96 PID 1524 wrote to memory of 4548 1524 xrxrllf.exe 96 PID 1524 wrote to memory of 4548 1524 xrxrllf.exe 96 PID 4548 wrote to memory of 3056 4548 002604.exe 97 PID 4548 wrote to memory of 3056 4548 002604.exe 97 PID 4548 wrote to memory of 3056 4548 002604.exe 97 PID 3056 wrote to memory of 3876 3056 1vvpj.exe 98 PID 3056 wrote to memory of 3876 3056 1vvpj.exe 98 PID 3056 wrote to memory of 3876 3056 1vvpj.exe 98 PID 3876 wrote to memory of 3340 3876 5hnhnn.exe 99 PID 3876 wrote to memory of 3340 3876 5hnhnn.exe 99 PID 3876 wrote to memory of 3340 3876 5hnhnn.exe 99 PID 3340 wrote to memory of 4840 3340 g4420.exe 101 PID 3340 wrote to memory of 4840 3340 g4420.exe 101 PID 3340 wrote to memory of 4840 3340 g4420.exe 101 PID 4840 wrote to memory of 4968 4840 00280.exe 102 PID 4840 wrote to memory of 4968 4840 00280.exe 102 PID 4840 wrote to memory of 4968 4840 00280.exe 102 PID 4968 wrote to memory of 448 4968 dvvvv.exe 103 PID 4968 wrote to memory of 448 4968 dvvvv.exe 103 PID 4968 wrote to memory of 448 4968 dvvvv.exe 103 PID 448 wrote 
to memory of 4532 448 40484.exe 104 PID 448 wrote to memory of 4532 448 40484.exe 104 PID 448 wrote to memory of 4532 448 40484.exe 104 PID 4532 wrote to memory of 1940 4532 26260.exe 106 PID 4532 wrote to memory of 1940 4532 26260.exe 106 PID 4532 wrote to memory of 1940 4532 26260.exe 106 PID 1940 wrote to memory of 3580 1940 8226044.exe 107 PID 1940 wrote to memory of 3580 1940 8226044.exe 107 PID 1940 wrote to memory of 3580 1940 8226044.exe 107 PID 3580 wrote to memory of 3508 3580 fxlflll.exe 108 PID 3580 wrote to memory of 3508 3580 fxlflll.exe 108 PID 3580 wrote to memory of 3508 3580 fxlflll.exe 108 PID 3508 wrote to memory of 4412 3508 bthbhh.exe 109 PID 3508 wrote to memory of 4412 3508 bthbhh.exe 109 PID 3508 wrote to memory of 4412 3508 bthbhh.exe 109 PID 4412 wrote to memory of 5036 4412 4800882.exe 110 PID 4412 wrote to memory of 5036 4412 4800882.exe 110 PID 4412 wrote to memory of 5036 4412 4800882.exe 110 PID 5036 wrote to memory of 428 5036 0604826.exe 111 PID 5036 wrote to memory of 428 5036 0604826.exe 111 PID 5036 wrote to memory of 428 5036 0604826.exe 111 PID 428 wrote to memory of 2192 428 80266.exe 112 PID 428 wrote to memory of 2192 428 80266.exe 112 PID 428 wrote to memory of 2192 428 80266.exe 112 PID 2192 wrote to memory of 4836 2192 xlxrfll.exe 113 PID 2192 wrote to memory of 4836 2192 xlxrfll.exe 113 PID 2192 wrote to memory of 4836 2192 xlxrfll.exe 113 PID 4836 wrote to memory of 4904 4836 846488.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\d13189b20b276dc9d6e461b0db49ccf0N.exe"C:\Users\Admin\AppData\Local\Temp\d13189b20b276dc9d6e461b0db49ccf0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\1rrrfxr.exec:\1rrrfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\6004804.exec:\6004804.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\dppjj.exec:\dppjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\xrxrllf.exec:\xrxrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\002604.exec:\002604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\1vvpj.exec:\1vvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\5hnhnn.exec:\5hnhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\g4420.exec:\g4420.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\00280.exec:\00280.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\dvvvv.exec:\dvvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\40484.exec:\40484.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\26260.exec:\26260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\8226044.exec:\8226044.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\fxlflll.exec:\fxlflll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\bthbhh.exec:\bthbhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\4800882.exec:\4800882.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\0604826.exec:\0604826.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\80266.exec:\80266.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\xlxrfll.exec:\xlxrfll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\846488.exec:\846488.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\268206.exec:\268206.exe23⤵
- Executes dropped EXE
PID:4904 -
\??\c:\484666.exec:\484666.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:456 -
\??\c:\lffrllf.exec:\lffrllf.exe25⤵
- Executes dropped EXE
PID:1160 -
\??\c:\httbht.exec:\httbht.exe26⤵
- Executes dropped EXE
PID:3492 -
\??\c:\60604.exec:\60604.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
\??\c:\w00482.exec:\w00482.exe28⤵
- Executes dropped EXE
PID:4148 -
\??\c:\m4048.exec:\m4048.exe29⤵
- Executes dropped EXE
PID:2280 -
\??\c:\5jvpj.exec:\5jvpj.exe30⤵
- Executes dropped EXE
PID:2584 -
\??\c:\044826.exec:\044826.exe31⤵
- Executes dropped EXE
PID:4512 -
\??\c:\6282666.exec:\6282666.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
\??\c:\62064.exec:\62064.exe33⤵
- Executes dropped EXE
PID:4056 -
\??\c:\4806048.exec:\4806048.exe34⤵
- Executes dropped EXE
PID:2084 -
\??\c:\6242048.exec:\6242048.exe35⤵
- Executes dropped EXE
PID:4280 -
\??\c:\66286.exec:\66286.exe36⤵
- Executes dropped EXE
PID:4956 -
\??\c:\84642.exec:\84642.exe37⤵
- Executes dropped EXE
PID:3808 -
\??\c:\e84822.exec:\e84822.exe38⤵
- Executes dropped EXE
PID:3876 -
\??\c:\o460606.exec:\o460606.exe39⤵
- Executes dropped EXE
PID:2396 -
\??\c:\6848664.exec:\6848664.exe40⤵
- Executes dropped EXE
PID:1452 -
\??\c:\vpppp.exec:\vpppp.exe41⤵
- Executes dropped EXE
PID:2260 -
\??\c:\2808642.exec:\2808642.exe42⤵
- Executes dropped EXE
PID:3596 -
\??\c:\bbthth.exec:\bbthth.exe43⤵
- Executes dropped EXE
PID:2984 -
\??\c:\bbnhnh.exec:\bbnhnh.exe44⤵
- Executes dropped EXE
PID:448 -
\??\c:\86226.exec:\86226.exe45⤵
- Executes dropped EXE
PID:4532 -
\??\c:\dvvjd.exec:\dvvjd.exe46⤵
- Executes dropped EXE
PID:4796 -
\??\c:\66248.exec:\66248.exe47⤵
- Executes dropped EXE
PID:348 -
\??\c:\rllxlfx.exec:\rllxlfx.exe48⤵
- Executes dropped EXE
PID:2820 -
\??\c:\vdvpv.exec:\vdvpv.exe49⤵
- Executes dropped EXE
PID:2664 -
\??\c:\thhttn.exec:\thhttn.exe50⤵
- Executes dropped EXE
PID:2572 -
\??\c:\s4004.exec:\s4004.exe51⤵
- Executes dropped EXE
PID:3664 -
\??\c:\8008208.exec:\8008208.exe52⤵
- Executes dropped EXE
PID:3692 -
\??\c:\hntnhb.exec:\hntnhb.exe53⤵
- Executes dropped EXE
PID:2172 -
\??\c:\fxrfllx.exec:\fxrfllx.exe54⤵
- Executes dropped EXE
PID:4904 -
\??\c:\86808.exec:\86808.exe55⤵
- Executes dropped EXE
PID:3424 -
\??\c:\btnthh.exec:\btnthh.exe56⤵
- Executes dropped EXE
PID:1308 -
\??\c:\tbbtnh.exec:\tbbtnh.exe57⤵
- Executes dropped EXE
PID:4108 -
\??\c:\86642.exec:\86642.exe58⤵
- Executes dropped EXE
PID:5000 -
\??\c:\3nbbtn.exec:\3nbbtn.exe59⤵
- Executes dropped EXE
PID:3948 -
\??\c:\nbbtht.exec:\nbbtht.exe60⤵
- Executes dropped EXE
PID:4848 -
\??\c:\jpvdv.exec:\jpvdv.exe61⤵
- Executes dropped EXE
PID:404 -
\??\c:\k02648.exec:\k02648.exe62⤵
- Executes dropped EXE
PID:2628 -
\??\c:\w00804.exec:\w00804.exe63⤵
- Executes dropped EXE
PID:4344 -
\??\c:\g0082.exec:\g0082.exe64⤵
- Executes dropped EXE
PID:4148 -
\??\c:\5hhtnh.exec:\5hhtnh.exe65⤵
- Executes dropped EXE
PID:2584 -
\??\c:\4042086.exec:\4042086.exe66⤵PID:4216
-
\??\c:\pjjvp.exec:\pjjvp.exe67⤵PID:2088
-
\??\c:\0068648.exec:\0068648.exe68⤵PID:2632
-
\??\c:\0808208.exec:\0808208.exe69⤵PID:3404
-
\??\c:\5frfrfr.exec:\5frfrfr.exe70⤵PID:2256
-
\??\c:\402646.exec:\402646.exe71⤵PID:960
-
\??\c:\djdvj.exec:\djdvj.exe72⤵PID:3980
-
\??\c:\tbbnbb.exec:\tbbnbb.exe73⤵PID:3056
-
\??\c:\06048.exec:\06048.exe74⤵PID:3212
-
\??\c:\1nthbt.exec:\1nthbt.exe75⤵PID:4960
-
\??\c:\482082.exec:\482082.exe76⤵PID:2528
-
\??\c:\rlfxffx.exec:\rlfxffx.exe77⤵PID:920
-
\??\c:\c064864.exec:\c064864.exe78⤵PID:1544
-
\??\c:\406648.exec:\406648.exe79⤵PID:60
-
\??\c:\bbbnhb.exec:\bbbnhb.exe80⤵PID:4936
-
\??\c:\lllfxrl.exec:\lllfxrl.exe81⤵PID:2548
-
\??\c:\hntnhh.exec:\hntnhh.exe82⤵PID:1632
-
\??\c:\7rlxrxr.exec:\7rlxrxr.exe83⤵PID:1940
-
\??\c:\1lfrfxl.exec:\1lfrfxl.exe84⤵PID:3580
-
\??\c:\40406.exec:\40406.exe85⤵PID:4132
-
\??\c:\i682262.exec:\i682262.exe86⤵PID:880
-
\??\c:\c660000.exec:\c660000.exe87⤵PID:1740
-
\??\c:\2064886.exec:\2064886.exe88⤵PID:3692
-
\??\c:\622826.exec:\622826.exe89⤵PID:2172
-
\??\c:\82022.exec:\82022.exe90⤵PID:3060
-
\??\c:\pdjdd.exec:\pdjdd.exe91⤵PID:5060
-
\??\c:\46222.exec:\46222.exe92⤵PID:5000
-
\??\c:\vvjdv.exec:\vvjdv.exe93⤵PID:3168
-
\??\c:\bbhtnn.exec:\bbhtnn.exe94⤵PID:3284
-
\??\c:\dppjd.exec:\dppjd.exe95⤵PID:1568
-
\??\c:\k28604.exec:\k28604.exe96⤵PID:2448
-
\??\c:\nhbthb.exec:\nhbthb.exe97⤵PID:2312
-
\??\c:\068262.exec:\068262.exe98⤵PID:4044
-
\??\c:\9tntnt.exec:\9tntnt.exe99⤵PID:1888
-
\??\c:\i060880.exec:\i060880.exe100⤵PID:2076
-
\??\c:\nhbtnn.exec:\nhbtnn.exe101⤵PID:4524
-
\??\c:\w06260.exec:\w06260.exe102⤵PID:2760
-
\??\c:\8260004.exec:\8260004.exe103⤵PID:1524
-
\??\c:\fxxrlll.exec:\fxxrlll.exe104⤵PID:4440
-
\??\c:\1vjjp.exec:\1vjjp.exe105⤵PID:4548
-
\??\c:\2648044.exec:\2648044.exe106⤵PID:3628
-
\??\c:\dvjjd.exec:\dvjjd.exe107⤵PID:2788
-
\??\c:\0482660.exec:\0482660.exe108⤵PID:2140
-
\??\c:\0440482.exec:\0440482.exe109⤵PID:4008
-
\??\c:\fxlfxrl.exec:\fxlfxrl.exe110⤵PID:4840
-
\??\c:\06226.exec:\06226.exe111⤵PID:4860
-
\??\c:\s4640.exec:\s4640.exe112⤵PID:2752
-
\??\c:\tbnhbt.exec:\tbnhbt.exe113⤵PID:4164
-
\??\c:\xrrllll.exec:\xrrllll.exe114⤵PID:2676
-
\??\c:\42044.exec:\42044.exe115⤵PID:2356
-
\??\c:\4026002.exec:\4026002.exe116⤵PID:3760
-
\??\c:\3pjjv.exec:\3pjjv.exe117⤵PID:1940
-
\??\c:\4862660.exec:\4862660.exe118⤵PID:3432
-
\??\c:\3fxlfrl.exec:\3fxlfrl.exe119⤵PID:2900
-
\??\c:\6004882.exec:\6004882.exe120⤵PID:4904
-
\??\c:\a6226.exec:\a6226.exe121⤵PID:1532
-
\??\c:\28048.exec:\28048.exe122⤵PID:640