Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 02:57
Static task
static1
Behavioral task
behavioral1
Sample
be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a.exe
Resource
win7-20240903-en
General
-
Target
be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a.exe
-
Size
454KB
-
MD5
cce554fed4c9f0af46846315bf5ca25e
-
SHA1
68413056d683711c1101a252bb35f583f5ff6608
-
SHA256
be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a
-
SHA512
fc75cc3fb22720434a8f7200e5e70ab5ce87ae6a48dafecdec0b07060cc21519de810131228b0f6cabe75131692970af929129ce9f80d359e84d6fa3ee315f50
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1952-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4092-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4952-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-846-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-1020-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1476-1353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2044 vjvvj.exe 3932 8260044.exe 4120 82068.exe 4896 xrxlfxx.exe 3620 xrrlfxl.exe 4640 ffrrlll.exe 1968 64448.exe 4764 04602.exe 1592 8268226.exe 4616 hhnhbb.exe 5080 4824640.exe 2308 nthnhb.exe 4432 044482.exe 3384 xrrxlfr.exe 4548 1pdpj.exe 1828 084004.exe 112 xlfrlxr.exe 1596 888648.exe 4180 4444822.exe 2848 lrrfrxl.exe 3472 vpdpj.exe 2960 08608.exe 2844 nhbnhb.exe 1144 284800.exe 212 ththth.exe 4092 3rfrfxl.exe 5108 tbbtnh.exe 2796 tnbthb.exe 2596 8642864.exe 4840 8222004.exe 4280 64662.exe 1672 80260.exe 1776 jdjdv.exe 876 0402668.exe 772 8220664.exe 3312 xrxrlll.exe 5032 ddjpp.exe 4600 848602.exe 3156 7xlxrll.exe 1540 8688262.exe 3908 822442.exe 2440 lfxrrrl.exe 4060 04826.exe 4784 44204.exe 2800 pjppj.exe 1588 nntnnn.exe 3432 84604.exe 1728 3vddj.exe 2284 bnhbbb.exe 1952 088222.exe 1856 ntnntn.exe 4584 bbbhbb.exe 4864 rflfxxl.exe 4480 42826.exe 1564 62822.exe 4896 3djdd.exe 3568 3tbbtt.exe 3748 bhnbhb.exe 3028 06882.exe 2076 nhnhhh.exe 3936 lxxlffx.exe 4000 nhhhbb.exe 1692 tttttt.exe 436 28882.exe -
resource yara_rule behavioral2/memory/1952-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2596-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2404-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-767-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c226448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6400626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4660882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 624882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8444260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ddvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1952 wrote to memory of 2044 1952 be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a.exe 85 PID 1952 wrote to memory of 2044 1952 be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a.exe 85 PID 1952 wrote to memory of 2044 1952 be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a.exe 85 PID 2044 wrote to memory of 3932 2044 vjvvj.exe 86 PID 2044 wrote to memory of 3932 2044 vjvvj.exe 86 PID 2044 wrote to memory of 3932 2044 vjvvj.exe 86 PID 3932 wrote to memory of 4120 3932 8260044.exe 87 PID 3932 wrote to memory of 4120 3932 8260044.exe 87 PID 3932 wrote to memory of 4120 3932 8260044.exe 87 PID 4120 wrote to memory of 4896 4120 82068.exe 88 PID 4120 wrote to memory of 4896 4120 82068.exe 88 PID 4120 wrote to memory of 4896 4120 82068.exe 88 PID 4896 wrote to memory of 3620 4896 xrxlfxx.exe 89 PID 4896 wrote to memory of 3620 4896 xrxlfxx.exe 89 PID 4896 wrote to memory of 3620 4896 xrxlfxx.exe 89 PID 3620 wrote to memory of 4640 3620 xrrlfxl.exe 90 PID 3620 wrote to memory of 4640 3620 xrrlfxl.exe 90 PID 3620 wrote to memory of 4640 3620 xrrlfxl.exe 90 PID 4640 wrote to memory of 1968 4640 ffrrlll.exe 91 PID 4640 wrote to memory of 1968 4640 ffrrlll.exe 91 PID 4640 wrote to memory of 1968 4640 ffrrlll.exe 91 PID 1968 wrote to memory of 4764 1968 64448.exe 92 PID 1968 wrote to memory of 4764 1968 64448.exe 92 PID 1968 wrote to memory of 4764 1968 64448.exe 92 PID 4764 wrote to memory of 1592 4764 04602.exe 93 PID 4764 wrote to memory of 1592 4764 04602.exe 93 PID 4764 wrote to memory of 1592 4764 04602.exe 93 PID 1592 wrote to memory of 4616 1592 8268226.exe 94 PID 1592 wrote to memory of 4616 1592 8268226.exe 94 PID 1592 wrote to memory of 4616 1592 8268226.exe 94 PID 4616 wrote to memory of 5080 4616 hhnhbb.exe 95 PID 4616 wrote to memory of 5080 4616 hhnhbb.exe 95 PID 4616 wrote to memory of 5080 4616 hhnhbb.exe 95 PID 5080 wrote to memory of 2308 5080 4824640.exe 96 PID 5080 wrote 
to memory of 2308 5080 4824640.exe 96 PID 5080 wrote to memory of 2308 5080 4824640.exe 96 PID 2308 wrote to memory of 4432 2308 nthnhb.exe 97 PID 2308 wrote to memory of 4432 2308 nthnhb.exe 97 PID 2308 wrote to memory of 4432 2308 nthnhb.exe 97 PID 4432 wrote to memory of 3384 4432 044482.exe 98 PID 4432 wrote to memory of 3384 4432 044482.exe 98 PID 4432 wrote to memory of 3384 4432 044482.exe 98 PID 3384 wrote to memory of 4548 3384 xrrxlfr.exe 99 PID 3384 wrote to memory of 4548 3384 xrrxlfr.exe 99 PID 3384 wrote to memory of 4548 3384 xrrxlfr.exe 99 PID 4548 wrote to memory of 1828 4548 1pdpj.exe 100 PID 4548 wrote to memory of 1828 4548 1pdpj.exe 100 PID 4548 wrote to memory of 1828 4548 1pdpj.exe 100 PID 1828 wrote to memory of 112 1828 084004.exe 101 PID 1828 wrote to memory of 112 1828 084004.exe 101 PID 1828 wrote to memory of 112 1828 084004.exe 101 PID 112 wrote to memory of 1596 112 xlfrlxr.exe 102 PID 112 wrote to memory of 1596 112 xlfrlxr.exe 102 PID 112 wrote to memory of 1596 112 xlfrlxr.exe 102 PID 1596 wrote to memory of 4180 1596 888648.exe 103 PID 1596 wrote to memory of 4180 1596 888648.exe 103 PID 1596 wrote to memory of 4180 1596 888648.exe 103 PID 4180 wrote to memory of 2848 4180 4444822.exe 104 PID 4180 wrote to memory of 2848 4180 4444822.exe 104 PID 4180 wrote to memory of 2848 4180 4444822.exe 104 PID 2848 wrote to memory of 3472 2848 lrrfrxl.exe 105 PID 2848 wrote to memory of 3472 2848 lrrfrxl.exe 105 PID 2848 wrote to memory of 3472 2848 lrrfrxl.exe 105 PID 3472 wrote to memory of 2960 3472 vpdpj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a.exe"C:\Users\Admin\AppData\Local\Temp\be0410a0f07686fd96d0f7f080f3df092da689a10046d079e6f6676e6ca7375a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\vjvvj.exec:\vjvvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\8260044.exec:\8260044.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\82068.exec:\82068.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\xrxlfxx.exec:\xrxlfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\xrrlfxl.exec:\xrrlfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\ffrrlll.exec:\ffrrlll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\64448.exec:\64448.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\04602.exec:\04602.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\8268226.exec:\8268226.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\hhnhbb.exec:\hhnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\4824640.exec:\4824640.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\nthnhb.exec:\nthnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\044482.exec:\044482.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\xrrxlfr.exec:\xrrxlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\1pdpj.exec:\1pdpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\084004.exec:\084004.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\xlfrlxr.exec:\xlfrlxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\888648.exec:\888648.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\4444822.exec:\4444822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\lrrfrxl.exec:\lrrfrxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\vpdpj.exec:\vpdpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\08608.exec:\08608.exe23⤵
- Executes dropped EXE
PID:2960 -
\??\c:\nhbnhb.exec:\nhbnhb.exe24⤵
- Executes dropped EXE
PID:2844 -
\??\c:\284800.exec:\284800.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\ththth.exec:\ththth.exe26⤵
- Executes dropped EXE
PID:212 -
\??\c:\3rfrfxl.exec:\3rfrfxl.exe27⤵
- Executes dropped EXE
PID:4092 -
\??\c:\tbbtnh.exec:\tbbtnh.exe28⤵
- Executes dropped EXE
PID:5108 -
\??\c:\tnbthb.exec:\tnbthb.exe29⤵
- Executes dropped EXE
PID:2796 -
\??\c:\8642864.exec:\8642864.exe30⤵
- Executes dropped EXE
PID:2596 -
\??\c:\8222004.exec:\8222004.exe31⤵
- Executes dropped EXE
PID:4840 -
\??\c:\64662.exec:\64662.exe32⤵
- Executes dropped EXE
PID:4280 -
\??\c:\80260.exec:\80260.exe33⤵
- Executes dropped EXE
PID:1672 -
\??\c:\jdjdv.exec:\jdjdv.exe34⤵
- Executes dropped EXE
PID:1776 -
\??\c:\0402668.exec:\0402668.exe35⤵
- Executes dropped EXE
PID:876 -
\??\c:\8220664.exec:\8220664.exe36⤵
- Executes dropped EXE
PID:772 -
\??\c:\xrxrlll.exec:\xrxrlll.exe37⤵
- Executes dropped EXE
PID:3312 -
\??\c:\ddjpp.exec:\ddjpp.exe38⤵
- Executes dropped EXE
PID:5032 -
\??\c:\848602.exec:\848602.exe39⤵
- Executes dropped EXE
PID:4600 -
\??\c:\7xlxrll.exec:\7xlxrll.exe40⤵
- Executes dropped EXE
PID:3156 -
\??\c:\8688262.exec:\8688262.exe41⤵
- Executes dropped EXE
PID:1540 -
\??\c:\822442.exec:\822442.exe42⤵
- Executes dropped EXE
PID:3908 -
\??\c:\lfxrrrl.exec:\lfxrrrl.exe43⤵
- Executes dropped EXE
PID:2440 -
\??\c:\04826.exec:\04826.exe44⤵
- Executes dropped EXE
PID:4060 -
\??\c:\44204.exec:\44204.exe45⤵
- Executes dropped EXE
PID:4784 -
\??\c:\pjppj.exec:\pjppj.exe46⤵
- Executes dropped EXE
PID:2800 -
\??\c:\nntnnn.exec:\nntnnn.exe47⤵
- Executes dropped EXE
PID:1588 -
\??\c:\84604.exec:\84604.exe48⤵
- Executes dropped EXE
PID:3432 -
\??\c:\3vddj.exec:\3vddj.exe49⤵
- Executes dropped EXE
PID:1728 -
\??\c:\606688.exec:\606688.exe50⤵PID:1608
-
\??\c:\bnhbbb.exec:\bnhbbb.exe51⤵
- Executes dropped EXE
PID:2284 -
\??\c:\088222.exec:\088222.exe52⤵
- Executes dropped EXE
PID:1952 -
\??\c:\ntnntn.exec:\ntnntn.exe53⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bbbhbb.exec:\bbbhbb.exe54⤵
- Executes dropped EXE
PID:4584 -
\??\c:\rflfxxl.exec:\rflfxxl.exe55⤵
- Executes dropped EXE
PID:4864 -
\??\c:\42826.exec:\42826.exe56⤵
- Executes dropped EXE
PID:4480 -
\??\c:\62822.exec:\62822.exe57⤵
- Executes dropped EXE
PID:1564 -
\??\c:\3djdd.exec:\3djdd.exe58⤵
- Executes dropped EXE
PID:4896 -
\??\c:\3tbbtt.exec:\3tbbtt.exe59⤵
- Executes dropped EXE
PID:3568 -
\??\c:\bhnbhb.exec:\bhnbhb.exe60⤵
- Executes dropped EXE
PID:3748 -
\??\c:\06882.exec:\06882.exe61⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nhnhhh.exec:\nhnhhh.exe62⤵
- Executes dropped EXE
PID:2076 -
\??\c:\lxxlffx.exec:\lxxlffx.exe63⤵
- Executes dropped EXE
PID:3936 -
\??\c:\nhhhbb.exec:\nhhhbb.exe64⤵
- Executes dropped EXE
PID:4000 -
\??\c:\tttttt.exec:\tttttt.exe65⤵
- Executes dropped EXE
PID:1692 -
\??\c:\28882.exec:\28882.exe66⤵
- Executes dropped EXE
PID:436 -
\??\c:\7jpjj.exec:\7jpjj.exe67⤵PID:5080
-
\??\c:\84884.exec:\84884.exe68⤵PID:4372
-
\??\c:\hbbbbb.exec:\hbbbbb.exe69⤵PID:3836
-
\??\c:\bttttt.exec:\bttttt.exe70⤵PID:616
-
\??\c:\08826.exec:\08826.exe71⤵PID:1944
-
\??\c:\0026048.exec:\0026048.exe72⤵PID:3628
-
\??\c:\tntnhh.exec:\tntnhh.exe73⤵PID:4496
-
\??\c:\3lfxxfx.exec:\3lfxxfx.exe74⤵PID:4952
-
\??\c:\lllfxxr.exec:\lllfxxr.exe75⤵PID:4716
-
\??\c:\2248884.exec:\2248884.exe76⤵PID:2608
-
\??\c:\frrlllf.exec:\frrlllf.exe77⤵PID:3860
-
\??\c:\3rrlflf.exec:\3rrlflf.exe78⤵PID:2128
-
\??\c:\u860000.exec:\u860000.exe79⤵PID:4484
-
\??\c:\0248888.exec:\0248888.exe80⤵PID:2848
-
\??\c:\rffrllx.exec:\rffrllx.exe81⤵PID:3472
-
\??\c:\btbtnn.exec:\btbtnn.exe82⤵PID:2960
-
\??\c:\3rfrrll.exec:\3rfrrll.exe83⤵PID:2040
-
\??\c:\68804.exec:\68804.exe84⤵PID:1400
-
\??\c:\rrlfxxl.exec:\rrlfxxl.exe85⤵PID:4936
-
\??\c:\40642.exec:\40642.exe86⤵PID:2028
-
\??\c:\046004.exec:\046004.exe87⤵PID:4988
-
\??\c:\4226044.exec:\4226044.exe88⤵PID:4532
-
\??\c:\6060448.exec:\6060448.exe89⤵PID:1432
-
\??\c:\a6264.exec:\a6264.exe90⤵PID:1884
-
\??\c:\62426.exec:\62426.exe91⤵PID:3008
-
\??\c:\i242604.exec:\i242604.exe92⤵PID:5112
-
\??\c:\00224.exec:\00224.exe93⤵PID:936
-
\??\c:\pjddd.exec:\pjddd.exe94⤵PID:1272
-
\??\c:\6288822.exec:\6288822.exe95⤵PID:4428
-
\??\c:\7rrfxrl.exec:\7rrfxrl.exe96⤵PID:2404
-
\??\c:\66044.exec:\66044.exe97⤵
- System Location Discovery: System Language Discovery
PID:1832 -
\??\c:\2048204.exec:\2048204.exe98⤵PID:876
-
\??\c:\2886048.exec:\2886048.exe99⤵PID:3856
-
\??\c:\08408.exec:\08408.exe100⤵PID:64
-
\??\c:\4664264.exec:\4664264.exe101⤵PID:3400
-
\??\c:\406260.exec:\406260.exe102⤵PID:2452
-
\??\c:\htnnhb.exec:\htnnhb.exe103⤵PID:4608
-
\??\c:\2826042.exec:\2826042.exe104⤵PID:208
-
\??\c:\rfxrrlr.exec:\rfxrrlr.exe105⤵PID:644
-
\??\c:\200222.exec:\200222.exe106⤵PID:1584
-
\??\c:\4642046.exec:\4642046.exe107⤵PID:4580
-
\??\c:\djjvj.exec:\djjvj.exe108⤵PID:1228
-
\??\c:\08246.exec:\08246.exe109⤵
- System Location Discovery: System Language Discovery
PID:2264 -
\??\c:\bbhhbb.exec:\bbhhbb.exe110⤵PID:1588
-
\??\c:\08000.exec:\08000.exe111⤵PID:3116
-
\??\c:\248648.exec:\248648.exe112⤵PID:1504
-
\??\c:\q44268.exec:\q44268.exe113⤵PID:3088
-
\??\c:\846426.exec:\846426.exe114⤵PID:4360
-
\??\c:\hbbtnh.exec:\hbbtnh.exe115⤵PID:1440
-
\??\c:\08484.exec:\08484.exe116⤵PID:2044
-
\??\c:\6844886.exec:\6844886.exe117⤵PID:3616
-
\??\c:\fxxxrll.exec:\fxxxrll.exe118⤵PID:3728
-
\??\c:\2266044.exec:\2266044.exe119⤵PID:4120
-
\??\c:\440000.exec:\440000.exe120⤵PID:4480
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe121⤵PID:1564
-
\??\c:\hntnnh.exec:\hntnnh.exe122⤵PID:4828