Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
22/12/2024, 11:13
Behavioral task
behavioral1
Sample
8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe
Resource
win7-20240729-en
(Note: the analysis header above reports platform windows10-2004_x64 / resource win10v2004-20241007-en, and every memory, file and process IoC listed below is tagged behavioral2. The Windows 7 task listed here is a separate run; none of the results on this page carry a behavioral1 tag.)
General
-
Target
8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe
-
Size
66KB
-
MD5
a078da0526331894b183eeea15ffc350
-
SHA1
a6495ed91c1edb436366a3b3b94b8bf4b23227f3
-
SHA256
8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289
-
SHA512
2abb02022ab53fe10fe49be4698f0a3209753ec1573e8e73f74d62d9fa3d8cf8468c611c04dccc4e6e8b13ad43d9cc636b5e5059ad60df0dbbf896cb12484249
-
SSDEEP
1536:/vQBeOGtrYS3srx93UBWfwC6Ggnouy8jb5DiLKrb0d:/hOmTsF93UYfwC6GIoutcKbi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4272-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3388-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/948-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1284-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1260-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4004-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2188-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/436-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-543-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-611-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-670-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-742-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/860-746-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-750-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-805-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-911-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2588-2043-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1384 6404884.exe 3444 rrrrxxf.exe 388 djvpd.exe 3996 htbhhh.exe 3484 tttbtt.exe 2204 22822.exe 4496 8402822.exe 3648 lxfxxrl.exe 2172 4408480.exe 1224 0608826.exe 3920 flxrrrl.exe 4008 0048260.exe 1756 lxxrlfr.exe 3700 llrxxrr.exe 2236 rfffrrr.exe 3952 20648.exe 3968 vpjjd.exe 4864 lxlfrlf.exe 4156 bnhthn.exe 2312 206484.exe 4404 604440.exe 4484 4800662.exe 3212 6800004.exe 1416 nbhntb.exe 3520 xrrllll.exe 4748 xfxrlll.exe 3388 68888.exe 948 btbbhh.exe 904 lfffrrf.exe 4148 428848.exe 1284 9dvpj.exe 4304 lrrlrrl.exe 1832 fxxrrlf.exe 4400 60024.exe 2528 86448.exe 4364 lxlfxxx.exe 1984 862266.exe 1068 fxxrlxx.exe 3476 tnnnnn.exe 1080 8402682.exe 1520 80226.exe 3228 82848.exe 1748 3dvvp.exe 908 e48404.exe 516 848060.exe 2812 tnnhbb.exe 3336 nhhbtt.exe 228 248204.exe 4044 8866442.exe 4144 i004866.exe 4276 u022044.exe 2304 284060.exe 532 lrrlxxr.exe 4732 044422.exe 1516 646666.exe 3760 60600.exe 3604 jjppj.exe 1260 626662.exe 3588 44620.exe 5088 044822.exe 1804 fxxxllf.exe 2436 bhbbtb.exe 4496 nhhnhb.exe 1200 hbbthh.exe -
resource yara_rule behavioral2/memory/4272-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c94-3.dat upx behavioral2/memory/4272-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c97-8.dat upx behavioral2/memory/1384-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-11.dat upx behavioral2/memory/388-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-21.dat upx behavioral2/memory/3996-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3444-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-27.dat upx behavioral2/files/0x0007000000023c9e-35.dat upx behavioral2/memory/2204-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3484-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9f-40.dat upx behavioral2/files/0x0007000000023ca0-44.dat upx behavioral2/memory/4496-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3648-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-52.dat upx behavioral2/files/0x0007000000023ca3-55.dat upx behavioral2/memory/2172-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-60.dat upx behavioral2/files/0x0007000000023ca5-65.dat upx behavioral2/memory/3920-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-71.dat upx behavioral2/memory/4008-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-77.dat upx behavioral2/files/0x0007000000023ca9-82.dat upx behavioral2/memory/3700-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-87.dat upx behavioral2/memory/3952-90-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cab-96.dat upx behavioral2/memory/3952-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-100.dat upx behavioral2/files/0x0007000000023cad-104.dat upx behavioral2/files/0x0007000000023cae-109.dat upx behavioral2/memory/4156-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-115.dat upx behavioral2/files/0x0008000000023c98-120.dat upx behavioral2/files/0x0007000000023cb0-125.dat upx behavioral2/memory/4484-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-133.dat upx behavioral2/memory/3212-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-137.dat upx behavioral2/files/0x0007000000023cb3-142.dat upx behavioral2/memory/3520-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-148.dat upx behavioral2/memory/3388-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-154.dat upx behavioral2/files/0x0007000000023cb6-159.dat upx behavioral2/memory/948-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/904-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-167.dat upx behavioral2/files/0x0007000000023cb8-171.dat upx behavioral2/files/0x0007000000023cb9-176.dat upx behavioral2/memory/1284-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4304-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1832-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4400-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1984-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1068-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1080-210-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1520-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/228-236-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location; several of the entries below are attributed to "Process not Found", meaning the process had already exited before the sandbox could resolve its name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0028862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2846000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2806662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i844882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4626482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4272 wrote to memory of 1384 4272 8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe 83 PID 4272 wrote to memory of 1384 4272 8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe 83 PID 4272 wrote to memory of 1384 4272 8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe 83 PID 1384 wrote to memory of 3444 1384 6404884.exe 84 PID 1384 wrote to memory of 3444 1384 6404884.exe 84 PID 1384 wrote to memory of 3444 1384 6404884.exe 84 PID 3444 wrote to memory of 388 3444 rrrrxxf.exe 85 PID 3444 wrote to memory of 388 3444 rrrrxxf.exe 85 PID 3444 wrote to memory of 388 3444 rrrrxxf.exe 85 PID 388 wrote to memory of 3996 388 djvpd.exe 86 PID 388 wrote to memory of 3996 388 djvpd.exe 86 PID 388 wrote to memory of 3996 388 djvpd.exe 86 PID 3996 wrote to memory of 3484 3996 htbhhh.exe 87 PID 3996 wrote to memory of 3484 3996 htbhhh.exe 87 PID 3996 wrote to memory of 3484 3996 htbhhh.exe 87 PID 3484 wrote to memory of 2204 3484 tttbtt.exe 88 PID 3484 wrote to memory of 2204 3484 tttbtt.exe 88 PID 3484 wrote to memory of 2204 3484 tttbtt.exe 88 PID 2204 wrote to memory of 4496 2204 22822.exe 89 PID 2204 wrote to memory of 4496 2204 22822.exe 89 PID 2204 wrote to memory of 4496 2204 22822.exe 89 PID 4496 wrote to memory of 3648 4496 8402822.exe 90 PID 4496 wrote to memory of 3648 4496 8402822.exe 90 PID 4496 wrote to memory of 3648 4496 8402822.exe 90 PID 3648 wrote to memory of 2172 3648 lxfxxrl.exe 91 PID 3648 wrote to memory of 2172 3648 lxfxxrl.exe 91 PID 3648 wrote to memory of 2172 3648 lxfxxrl.exe 91 PID 2172 wrote to memory of 1224 2172 4408480.exe 92 PID 2172 wrote to memory of 1224 2172 4408480.exe 92 PID 2172 wrote to memory of 1224 2172 4408480.exe 92 PID 1224 wrote to memory of 3920 1224 0608826.exe 93 PID 1224 wrote to memory of 3920 1224 0608826.exe 93 PID 1224 wrote to memory of 3920 1224 0608826.exe 93 PID 3920 wrote to memory of 4008 3920 flxrrrl.exe 94 PID 3920 
wrote to memory of 4008 3920 flxrrrl.exe 94 PID 3920 wrote to memory of 4008 3920 flxrrrl.exe 94 PID 4008 wrote to memory of 1756 4008 0048260.exe 95 PID 4008 wrote to memory of 1756 4008 0048260.exe 95 PID 4008 wrote to memory of 1756 4008 0048260.exe 95 PID 1756 wrote to memory of 3700 1756 lxxrlfr.exe 96 PID 1756 wrote to memory of 3700 1756 lxxrlfr.exe 96 PID 1756 wrote to memory of 3700 1756 lxxrlfr.exe 96 PID 3700 wrote to memory of 2236 3700 llrxxrr.exe 97 PID 3700 wrote to memory of 2236 3700 llrxxrr.exe 97 PID 3700 wrote to memory of 2236 3700 llrxxrr.exe 97 PID 2236 wrote to memory of 3952 2236 rfffrrr.exe 98 PID 2236 wrote to memory of 3952 2236 rfffrrr.exe 98 PID 2236 wrote to memory of 3952 2236 rfffrrr.exe 98 PID 3952 wrote to memory of 3968 3952 20648.exe 99 PID 3952 wrote to memory of 3968 3952 20648.exe 99 PID 3952 wrote to memory of 3968 3952 20648.exe 99 PID 3968 wrote to memory of 4864 3968 vpjjd.exe 100 PID 3968 wrote to memory of 4864 3968 vpjjd.exe 100 PID 3968 wrote to memory of 4864 3968 vpjjd.exe 100 PID 4864 wrote to memory of 4156 4864 lxlfrlf.exe 101 PID 4864 wrote to memory of 4156 4864 lxlfrlf.exe 101 PID 4864 wrote to memory of 4156 4864 lxlfrlf.exe 101 PID 4156 wrote to memory of 2312 4156 bnhthn.exe 102 PID 4156 wrote to memory of 2312 4156 bnhthn.exe 102 PID 4156 wrote to memory of 2312 4156 bnhthn.exe 102 PID 2312 wrote to memory of 4404 2312 206484.exe 103 PID 2312 wrote to memory of 4404 2312 206484.exe 103 PID 2312 wrote to memory of 4404 2312 206484.exe 103 PID 4404 wrote to memory of 4484 4404 604440.exe 104
Processes (process tree: each entry shows the image path immediately followed by its command line and its depth in the tree; every dropped executable is written to and run from the root of c:\ and each one spawns the next. Several PIDs — e.g. 4496, 1068, 3920, 3212, 1416, 904, 2528, 4364, 2812, 3336, 228, 4144 — appear at two different depths, so earlier processes had exited and the kernel recycled their PIDs; correlate by image name and parent, not by PID alone.)
-
C:\Users\Admin\AppData\Local\Temp\8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe
"C:\Users\Admin\AppData\Local\Temp\8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe" (depth 1)
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\6404884.exec:\6404884.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\rrrrxxf.exec:\rrrrxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\djvpd.exec:\djvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\htbhhh.exec:\htbhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\tttbtt.exec:\tttbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\22822.exec:\22822.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\8402822.exec:\8402822.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\lxfxxrl.exec:\lxfxxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\4408480.exec:\4408480.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\0608826.exec:\0608826.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\flxrrrl.exec:\flxrrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\0048260.exec:\0048260.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\lxxrlfr.exec:\lxxrlfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\llrxxrr.exec:\llrxxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\rfffrrr.exec:\rfffrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\20648.exec:\20648.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\vpjjd.exec:\vpjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\lxlfrlf.exec:\lxlfrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\bnhthn.exec:\bnhthn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\206484.exec:\206484.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\604440.exec:\604440.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\4800662.exec:\4800662.exe23⤵
- Executes dropped EXE
PID:4484 -
\??\c:\6800004.exec:\6800004.exe24⤵
- Executes dropped EXE
PID:3212 -
\??\c:\nbhntb.exec:\nbhntb.exe25⤵
- Executes dropped EXE
PID:1416 -
\??\c:\xrrllll.exec:\xrrllll.exe26⤵
- Executes dropped EXE
PID:3520 -
\??\c:\xfxrlll.exec:\xfxrlll.exe27⤵
- Executes dropped EXE
PID:4748 -
\??\c:\68888.exec:\68888.exe28⤵
- Executes dropped EXE
PID:3388 -
\??\c:\btbbhh.exec:\btbbhh.exe29⤵
- Executes dropped EXE
PID:948 -
\??\c:\lfffrrf.exec:\lfffrrf.exe30⤵
- Executes dropped EXE
PID:904 -
\??\c:\428848.exec:\428848.exe31⤵
- Executes dropped EXE
PID:4148 -
\??\c:\9dvpj.exec:\9dvpj.exe32⤵
- Executes dropped EXE
PID:1284 -
\??\c:\lrrlrrl.exec:\lrrlrrl.exe33⤵
- Executes dropped EXE
PID:4304 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe34⤵
- Executes dropped EXE
PID:1832 -
\??\c:\60024.exec:\60024.exe35⤵
- Executes dropped EXE
PID:4400 -
\??\c:\86448.exec:\86448.exe36⤵
- Executes dropped EXE
PID:2528 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe37⤵
- Executes dropped EXE
PID:4364 -
\??\c:\862266.exec:\862266.exe38⤵
- Executes dropped EXE
PID:1984 -
\??\c:\fxxrlxx.exec:\fxxrlxx.exe39⤵
- Executes dropped EXE
PID:1068 -
\??\c:\tnnnnn.exec:\tnnnnn.exe40⤵
- Executes dropped EXE
PID:3476 -
\??\c:\8402682.exec:\8402682.exe41⤵
- Executes dropped EXE
PID:1080 -
\??\c:\80226.exec:\80226.exe42⤵
- Executes dropped EXE
PID:1520 -
\??\c:\82848.exec:\82848.exe43⤵
- Executes dropped EXE
PID:3228 -
\??\c:\3dvvp.exec:\3dvvp.exe44⤵
- Executes dropped EXE
PID:1748 -
\??\c:\e48404.exec:\e48404.exe45⤵
- Executes dropped EXE
PID:908 -
\??\c:\848060.exec:\848060.exe46⤵
- Executes dropped EXE
PID:516 -
\??\c:\tnnhbb.exec:\tnnhbb.exe47⤵
- Executes dropped EXE
PID:2812 -
\??\c:\nhhbtt.exec:\nhhbtt.exe48⤵
- Executes dropped EXE
PID:3336 -
\??\c:\248204.exec:\248204.exe49⤵
- Executes dropped EXE
PID:228 -
\??\c:\8866442.exec:\8866442.exe50⤵
- Executes dropped EXE
PID:4044 -
\??\c:\i004866.exec:\i004866.exe51⤵
- Executes dropped EXE
PID:4144 -
\??\c:\u022044.exec:\u022044.exe52⤵
- Executes dropped EXE
PID:4276 -
\??\c:\284060.exec:\284060.exe53⤵
- Executes dropped EXE
PID:2304 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe54⤵
- Executes dropped EXE
PID:532 -
\??\c:\044422.exec:\044422.exe55⤵
- Executes dropped EXE
PID:4732 -
\??\c:\646666.exec:\646666.exe56⤵
- Executes dropped EXE
PID:1516 -
\??\c:\60600.exec:\60600.exe57⤵
- Executes dropped EXE
PID:3760 -
\??\c:\jjppj.exec:\jjppj.exe58⤵
- Executes dropped EXE
PID:3604 -
\??\c:\626662.exec:\626662.exe59⤵
- Executes dropped EXE
PID:1260 -
\??\c:\44620.exec:\44620.exe60⤵
- Executes dropped EXE
PID:3588 -
\??\c:\044822.exec:\044822.exe61⤵
- Executes dropped EXE
PID:5088 -
\??\c:\fxxxllf.exec:\fxxxllf.exe62⤵
- Executes dropped EXE
PID:1804 -
\??\c:\bhbbtb.exec:\bhbbtb.exe63⤵
- Executes dropped EXE
PID:2436 -
\??\c:\nhhnhb.exec:\nhhnhb.exe64⤵
- Executes dropped EXE
PID:4496 -
\??\c:\hbbthh.exec:\hbbthh.exe65⤵
- Executes dropped EXE
PID:1200 -
\??\c:\hhhtnh.exec:\hhhtnh.exe66⤵PID:1696
-
\??\c:\fxxxlfx.exec:\fxxxlfx.exe67⤵PID:1736
-
\??\c:\llllrlr.exec:\llllrlr.exe68⤵PID:3920
-
\??\c:\64006.exec:\64006.exe69⤵PID:5064
-
\??\c:\28688.exec:\28688.exe70⤵PID:1476
-
\??\c:\dvpjp.exec:\dvpjp.exe71⤵PID:1992
-
\??\c:\62684.exec:\62684.exe72⤵PID:1064
-
\??\c:\206864.exec:\206864.exe73⤵PID:2960
-
\??\c:\xfllffx.exec:\xfllffx.exe74⤵PID:1084
-
\??\c:\66682.exec:\66682.exe75⤵PID:1584
-
\??\c:\rrllfxf.exec:\rrllfxf.exe76⤵PID:3376
-
\??\c:\htbttt.exec:\htbttt.exe77⤵PID:4616
-
\??\c:\460822.exec:\460822.exe78⤵PID:3608
-
\??\c:\66268.exec:\66268.exe79⤵PID:536
-
\??\c:\8620822.exec:\8620822.exe80⤵PID:1728
-
\??\c:\4260486.exec:\4260486.exe81⤵PID:2720
-
\??\c:\00266.exec:\00266.exe82⤵PID:2136
-
\??\c:\8404266.exec:\8404266.exe83⤵PID:5036
-
\??\c:\thttnh.exec:\thttnh.exe84⤵PID:3212
-
\??\c:\42482.exec:\42482.exe85⤵PID:1416
-
\??\c:\66886.exec:\66886.exe86⤵PID:912
-
\??\c:\xrrlxll.exec:\xrrlxll.exe87⤵PID:4004
-
\??\c:\66260.exec:\66260.exe88⤵PID:4660
-
\??\c:\thtttn.exec:\thtttn.exe89⤵PID:5028
-
\??\c:\62624.exec:\62624.exe90⤵PID:3264
-
\??\c:\nbnhtt.exec:\nbnhtt.exe91⤵PID:904
-
\??\c:\fllxfxr.exec:\fllxfxr.exe92⤵PID:3572
-
\??\c:\0022660.exec:\0022660.exe93⤵PID:2188
-
\??\c:\pjjdv.exec:\pjjdv.exe94⤵PID:4184
-
\??\c:\u662006.exec:\u662006.exe95⤵PID:2216
-
\??\c:\48448.exec:\48448.exe96⤵PID:748
-
\??\c:\ntnnhb.exec:\ntnnhb.exe97⤵PID:1556
-
\??\c:\jvppp.exec:\jvppp.exe98⤵PID:4720
-
\??\c:\3nhthn.exec:\3nhthn.exe99⤵PID:2528
-
\??\c:\i008226.exec:\i008226.exe100⤵PID:4364
-
\??\c:\20044.exec:\20044.exe101⤵PID:4300
-
\??\c:\2848688.exec:\2848688.exe102⤵PID:1068
-
\??\c:\c600486.exec:\c600486.exe103⤵PID:4328
-
\??\c:\fflrxll.exec:\fflrxll.exe104⤵PID:548
-
\??\c:\64260.exec:\64260.exe105⤵PID:1016
-
\??\c:\o664882.exec:\o664882.exe106⤵PID:2220
-
\??\c:\080644.exec:\080644.exe107⤵PID:3100
-
\??\c:\rfxrlff.exec:\rfxrlff.exe108⤵PID:400
-
\??\c:\ddvvj.exec:\ddvvj.exe109⤵PID:4620
-
\??\c:\6460886.exec:\6460886.exe110⤵PID:2812
-
\??\c:\4226448.exec:\4226448.exe111⤵PID:3336
-
\??\c:\4280022.exec:\4280022.exe112⤵PID:228
-
\??\c:\lffxxxx.exec:\lffxxxx.exe113⤵PID:348
-
\??\c:\hntntt.exec:\hntntt.exe114⤵PID:4144
-
\??\c:\vvjjp.exec:\vvjjp.exe115⤵PID:4744
-
\??\c:\26440.exec:\26440.exe116⤵PID:436
-
\??\c:\rfrlllf.exec:\rfrlllf.exe117⤵PID:3452
-
\??\c:\c800466.exec:\c800466.exe118⤵PID:4324
-
\??\c:\llxxflr.exec:\llxxflr.exe119⤵PID:3828
-
\??\c:\68888.exec:\68888.exe120⤵PID:3480
-
\??\c:\vpjdp.exec:\vpjdp.exe121⤵PID:3884
-
\??\c:\2068024.exec:\2068024.exe122⤵PID:3936