Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2024, 00:12
Behavioral task: behavioral1
Sample: 7201162228735e3a8cd907800c32a8d92f626afb2763e0d32b4f7dec98120cecN.exe
Resource: win7-20240903-en
General
Target: 7201162228735e3a8cd907800c32a8d92f626afb2763e0d32b4f7dec98120cecN.exe
Size: 332KB
MD5: 3d7ba968fdad32d7c4ebf3f5d2d5df00
SHA1: 30d35bc9b5e5589b52b09f8a2319fdaec95479bd
SHA256: 7201162228735e3a8cd907800c32a8d92f626afb2763e0d32b4f7dec98120cec
SHA512: cb14ff7f97f88a77930a30c4b7bae49f5292ab474fa63b32c198e5916f2ca8fabc448f99811adb4b971fe96c2a1b519b74556eaf97a19dcfdd39e409346f4a05
SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeJ:R4wFHoSHYHUrAwfMp3CDJ
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload (63 IoCs)
Executes dropped EXE (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Format: depth. image path | command line | PID | matched signatures. The leading number is the nesting depth in the process tree; each process is nested one level below the one listed before it.

1. C:\Users\Admin\AppData\Local\Temp\7201162228735e3a8cd907800c32a8d92f626afb2763e0d32b4f7dec98120cecN.exe | "C:\Users\Admin\AppData\Local\Temp\7201162228735e3a8cd907800c32a8d92f626afb2763e0d32b4f7dec98120cecN.exe" | PID:3396 | Suspicious use of WriteProcessMemory
2. \??\c:\48262.exe | c:\48262.exe | PID:3520 | Executes dropped EXE, Suspicious use of WriteProcessMemory
3. \??\c:\640820.exe | c:\640820.exe | PID:2476 | Executes dropped EXE, Suspicious use of WriteProcessMemory
4. \??\c:\bhtbbb.exe | c:\bhtbbb.exe | PID:4356 | Executes dropped EXE, Suspicious use of WriteProcessMemory
5. \??\c:\s0204.exe | c:\s0204.exe | PID:2488 | Executes dropped EXE, Suspicious use of WriteProcessMemory
6. \??\c:\llls600.exe | c:\llls600.exe | PID:1468 | Executes dropped EXE, Suspicious use of WriteProcessMemory
7. \??\c:\8226660.exe | c:\8226660.exe | PID:5084 | Executes dropped EXE, Suspicious use of WriteProcessMemory
8. \??\c:\jddvv.exe | c:\jddvv.exe | PID:1128 | Executes dropped EXE, Suspicious use of WriteProcessMemory
9. \??\c:\rlxrxxr.exe | c:\rlxrxxr.exe | PID:1900 | Executes dropped EXE, Suspicious use of WriteProcessMemory
10. \??\c:\24044.exe | c:\24044.exe | PID:1440 | Executes dropped EXE, Suspicious use of WriteProcessMemory
11. \??\c:\200444.exe | c:\200444.exe | PID:3612 | Executes dropped EXE, Suspicious use of WriteProcessMemory
12. \??\c:\7bbnhb.exe | c:\7bbnhb.exe | PID:4796 | Executes dropped EXE, Suspicious use of WriteProcessMemory
13. \??\c:\022286.exe | c:\022286.exe | PID:4764 | Executes dropped EXE, System Location Discovery: System Language Discovery, Suspicious use of WriteProcessMemory
14. \??\c:\hthntn.exe | c:\hthntn.exe | PID:3312 | Executes dropped EXE, Suspicious use of WriteProcessMemory
15. \??\c:\5vvdp.exe | c:\5vvdp.exe | PID:4964 | Executes dropped EXE, Suspicious use of WriteProcessMemory
16. \??\c:\40222.exe | c:\40222.exe | PID:3532 | Executes dropped EXE, Suspicious use of WriteProcessMemory
17. \??\c:\48042.exe | c:\48042.exe | PID:3808 | Executes dropped EXE, Suspicious use of WriteProcessMemory
18. \??\c:\hnnhbt.exe | c:\hnnhbt.exe | PID:4008 | Executes dropped EXE, Suspicious use of WriteProcessMemory
19. \??\c:\vpjvp.exe | c:\vpjvp.exe | PID:1612 | Executes dropped EXE, Suspicious use of WriteProcessMemory
20. \??\c:\lrlfxxr.exe | c:\lrlfxxr.exe | PID:2324 | Executes dropped EXE, Suspicious use of WriteProcessMemory
21. \??\c:\26260.exe | c:\26260.exe | PID:3784 | Executes dropped EXE, Suspicious use of WriteProcessMemory
22. \??\c:\2488884.exe | c:\2488884.exe | PID:4528 | Executes dropped EXE, Suspicious use of WriteProcessMemory
23. \??\c:\htbtnh.exe | c:\htbtnh.exe | PID:3884 | Executes dropped EXE
24. \??\c:\jvpjd.exe | c:\jvpjd.exe | PID:2672 | Executes dropped EXE
25. \??\c:\q40426.exe | c:\q40426.exe | PID:4900 | Executes dropped EXE
26. \??\c:\44006.exe | c:\44006.exe | PID:4012 | Executes dropped EXE
27. \??\c:\9nthbt.exe | c:\9nthbt.exe | PID:4024 | Executes dropped EXE
28. \??\c:\llffflr.exe | c:\llffflr.exe | PID:1736 | Executes dropped EXE
29. \??\c:\lffrfxl.exe | c:\lffrfxl.exe | PID:3440 | Executes dropped EXE
30. \??\c:\xxrlfff.exe | c:\xxrlfff.exe | PID:936 | Executes dropped EXE
31. \??\c:\ffrfffl.exe | c:\ffrfffl.exe | PID:4684 | Executes dropped EXE
32. \??\c:\280868.exe | c:\280868.exe | PID:4480 | Executes dropped EXE
33. \??\c:\824484.exe | c:\824484.exe | PID:532 | Executes dropped EXE
34. \??\c:\tnnbbt.exe | c:\tnnbbt.exe | PID:2804 | Executes dropped EXE
35. \??\c:\dpvpv.exe | c:\dpvpv.exe | PID:4772 | Executes dropped EXE
36. \??\c:\46444.exe | c:\46444.exe | PID:4904 | Executes dropped EXE
37. \??\c:\440444.exe | c:\440444.exe | PID:2688 | Executes dropped EXE
38. \??\c:\8044662.exe | c:\8044662.exe | PID:4896 | Executes dropped EXE
39. \??\c:\q48064.exe | c:\q48064.exe | PID:688 | Executes dropped EXE
40. \??\c:\686044.exe | c:\686044.exe | PID:2148 | Executes dropped EXE
41. \??\c:\4066666.exe | c:\4066666.exe | PID:1280 | Executes dropped EXE
42. \??\c:\u260006.exe | c:\u260006.exe | PID:3376 | Executes dropped EXE
43. \??\c:\dvvdd.exe | c:\dvvdd.exe | PID:2280 | Executes dropped EXE
44. \??\c:\c804080.exe | c:\c804080.exe | PID:4892 | Executes dropped EXE
45. \??\c:\bhnnhh.exe | c:\bhnnhh.exe | PID:3848 | Executes dropped EXE
46. \??\c:\200488.exe | c:\200488.exe | PID:4072 | Executes dropped EXE
47. \??\c:\88440.exe | c:\88440.exe | PID:3572 | Executes dropped EXE
48. \??\c:\rxxlflf.exe | c:\rxxlflf.exe | PID:844 | Executes dropped EXE
49. \??\c:\lfffxxx.exe | c:\lfffxxx.exe | PID:4508
50. \??\c:\c642840.exe | c:\c642840.exe | PID:3552 | Executes dropped EXE
51. \??\c:\6206064.exe | c:\6206064.exe | PID:3692 | Executes dropped EXE
52. \??\c:\djjvp.exe | c:\djjvp.exe | PID:2360 | Executes dropped EXE
53. \??\c:\bbbbtt.exe | c:\bbbbtt.exe | PID:3516 | Executes dropped EXE
54. \??\c:\a2886.exe | c:\a2886.exe | PID:4384 | Executes dropped EXE
55. \??\c:\flxflxx.exe | c:\flxflxx.exe | PID:1180 | Executes dropped EXE
56. \??\c:\q80622.exe | c:\q80622.exe | PID:2488 | Executes dropped EXE
57. \??\c:\dvpvd.exe | c:\dvpvd.exe | PID:1468 | Executes dropped EXE
58. \??\c:\lfflxff.exe | c:\lfflxff.exe | PID:5084 | Executes dropped EXE
59. \??\c:\9fxrllf.exe | c:\9fxrllf.exe | PID:3688 | Executes dropped EXE
60. \??\c:\406626.exe | c:\406626.exe | PID:3540 | Executes dropped EXE
61. \??\c:\4682600.exe | c:\4682600.exe | PID:1260 | Executes dropped EXE
62. \??\c:\q28222.exe | c:\q28222.exe | PID:4712 | Executes dropped EXE
63. \??\c:\lxrxlfr.exe | c:\lxrxlfr.exe | PID:2520 | Executes dropped EXE
64. \??\c:\844822.exe | c:\844822.exe | PID:1396 | Executes dropped EXE, System Location Discovery: System Language Discovery
65. \??\c:\hbtnnn.exe | c:\hbtnnn.exe | PID:4664 | Executes dropped EXE
66. \??\c:\9ffxrrl.exe | c:\9ffxrrl.exe | PID:1164 | Executes dropped EXE
67. \??\c:\hnbbbh.exe | c:\hnbbbh.exe | PID:2228
68. \??\c:\fflrrlr.exe | c:\fflrrlr.exe | PID:2164
69. \??\c:\o626666.exe | c:\o626666.exe | PID:1564
70. \??\c:\llrlfxx.exe | c:\llrlfxx.exe | PID:3616
71. \??\c:\5jjdj.exe | c:\5jjdj.exe | PID:3680
72. \??\c:\224866.exe | c:\224866.exe | PID:1552
73. \??\c:\862044.exe | c:\862044.exe | PID:3172
74. \??\c:\664840.exe | c:\664840.exe | PID:4556
75. \??\c:\406860.exe | c:\406860.exe | PID:4008
76. \??\c:\frlxxlx.exe | c:\frlxxlx.exe | PID:1612
77. \??\c:\xlfrllf.exe | c:\xlfrllf.exe | PID:512
78. \??\c:\82222.exe | c:\82222.exe | PID:2324
79. \??\c:\40226.exe | c:\40226.exe | PID:4768
80. \??\c:\482266.exe | c:\482266.exe | PID:4784
81. \??\c:\tbhhhh.exe | c:\tbhhhh.exe | PID:1996
82. \??\c:\jvjdj.exe | c:\jvjdj.exe | PID:2236
83. \??\c:\2020464.exe | c:\2020464.exe | PID:1116
84. \??\c:\64864.exe | c:\64864.exe | PID:5072
85. \??\c:\bbnnhh.exe | c:\bbnnhh.exe | PID:2292
86. \??\c:\66660.exe | c:\66660.exe | PID:3344
87. \??\c:\3xxxrrr.exe | c:\3xxxrrr.exe | PID:4092
88. \??\c:\2846008.exe | c:\2846008.exe | PID:916
89. \??\c:\802884.exe | c:\802884.exe | PID:4164
90. \??\c:\06882.exe | c:\06882.exe | PID:744
91. \??\c:\2448608.exe | c:\2448608.exe | PID:3144
92. \??\c:\006082.exe | c:\006082.exe | PID:1028
93. \??\c:\rflxlfl.exe | c:\rflxlfl.exe | PID:4684
94. \??\c:\rrlxfxf.exe | c:\rrlxfxf.exe | PID:4908
95. \??\c:\7bthhn.exe | c:\7bthhn.exe | PID:4480
96. \??\c:\7hhnbt.exe | c:\7hhnbt.exe | PID:1100
97. \??\c:\dvvjd.exe | c:\dvvjd.exe | PID:4680
98. \??\c:\1frlrlf.exe | c:\1frlrlf.exe | PID:3024
99. \??\c:\7xrlffr.exe | c:\7xrlffr.exe | PID:1296
100. \??\c:\jvdpj.exe | c:\jvdpj.exe | PID:4296
101. \??\c:\0804204.exe | c:\0804204.exe | PID:5116 | System Location Discovery: System Language Discovery
102. \??\c:\2426660.exe | c:\2426660.exe | PID:3248
103. \??\c:\46608.exe | c:\46608.exe | PID:232
104. \??\c:\bhnbhh.exe | c:\bhnbhh.exe | PID:4052
105. \??\c:\9tbtnn.exe | c:\9tbtnn.exe | PID:2708
106. \??\c:\64442.exe | c:\64442.exe | PID:1252
107. \??\c:\djpjv.exe | c:\djpjv.exe | PID:3780
108. \??\c:\5nnhhb.exe | c:\5nnhhb.exe | PID:1816
109. \??\c:\thbtnh.exe | c:\thbtnh.exe | PID:2800
110. \??\c:\g0200.exe | c:\g0200.exe | PID:756
111. \??\c:\08440.exe | c:\08440.exe | PID:3372
112. \??\c:\20080.exe | c:\20080.exe | PID:3064
113. \??\c:\22846.exe | c:\22846.exe | PID:2832
114. \??\c:\3ddvj.exe | c:\3ddvj.exe | PID:3432
115. \??\c:\9jpjv.exe | c:\9jpjv.exe | PID:3684
116. \??\c:\20882.exe | c:\20882.exe | PID:3516
117. \??\c:\nnhbbb.exe | c:\nnhbbb.exe | PID:2820
118. \??\c:\jjddd.exe | c:\jjddd.exe | PID:4384
119. \??\c:\xrfrlll.exe | c:\xrfrlll.exe | PID:4400
120. \??\c:\402286.exe | c:\402286.exe | PID:3676
121. \??\c:\600000.exe | c:\600000.exe | PID:2492
122. \??\c:\lffxlrr.exe | c:\lffxlrr.exe | PID:1892