Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2024, 13:08

Static task: static1
Behavioral task: behavioral1
Sample: baf23d7ef9a539733a9e14c70d4c659c859442591312f55f88c8b901c6ade7a1.exe
Resource: win7-20241010-en

General
- Target: baf23d7ef9a539733a9e14c70d4c659c859442591312f55f88c8b901c6ade7a1.exe
- Size: 454KB
- MD5: d7aab856e4bd64936a1088a688dcfed6
- SHA1: 6a09edc8f6675ef7d5e1b82b58cda6d7e99c2165
- SHA256: baf23d7ef9a539733a9e14c70d4c659c859442591312f55f88c8b901c6ade7a1
- SHA512: 99171a60807dd13d63065dd0e488cc2da5b92f8e17a2e8822189f1654a89983b596042683dc452b0ab9ec8642a34effb0a776e1d84edec277d5f54875de8b4df
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- yara rule `upx` matched in process memory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process chain (each entry was spawned by the one above; number is the depth in the tree, followed by image path, PID and triggered signatures):

1. C:\Users\Admin\AppData\Local\Temp\baf23d7ef9a539733a9e14c70d4c659c859442591312f55f88c8b901c6ade7a1.exe (PID 2512): Suspicious use of WriteProcessMemory
2. \??\c:\llflrrf.exe (PID 2008): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\00200.exe (PID 1832): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\3ttnhb.exe (PID 1476): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\vvjdj.exe (PID 4688): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\42626.exe (PID 3972): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\8888606.exe (PID 3408): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\820400.exe (PID 4876): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\ddvvp.exe (PID 3472): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\dvdjj.exe (PID 1356): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\lxfxrrr.exe (PID 3984): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\thhhbb.exe (PID 1120): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\c682266.exe (PID 2900): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\i228204.exe (PID 2888): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\28260.exe (PID 2172): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\hbnhbb.exe (PID 1052): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\624826.exe (PID 3520): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\c004482.exe (PID 1500): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\48482.exe (PID 1516): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\rrxrxrx.exe (PID 3592): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\260004.exe (PID 1208): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\xfllfrr.exe (PID 4792): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\i060448.exe (PID 1576): Executes dropped EXE
24. \??\c:\dvvpp.exe (PID 4584): Executes dropped EXE
25. \??\c:\60804.exe (PID 1156): Executes dropped EXE
26. \??\c:\80220.exe (PID 5036): Executes dropped EXE
27. \??\c:\4406646.exe (PID 3676): Executes dropped EXE
28. \??\c:\068822.exe (PID 692): Executes dropped EXE
29. \??\c:\s6206.exe (PID 3176): Executes dropped EXE
30. \??\c:\62448.exe (PID 2856): Executes dropped EXE
31. \??\c:\vjvvp.exe (PID 2892): Executes dropped EXE
32. \??\c:\m6226.exe (PID 184): Executes dropped EXE
33. \??\c:\k42262.exe (PID 992): Executes dropped EXE
34. \??\c:\e24266.exe (PID 2300): Executes dropped EXE
35. \??\c:\nhbbbb.exe (PID 2640): Executes dropped EXE
36. \??\c:\u848222.exe (PID 1864): Executes dropped EXE
37. \??\c:\08lxrl.exe (PID 1696): Executes dropped EXE
38. \??\c:\s0660.exe (PID 720): Executes dropped EXE
39. \??\c:\068866.exe (PID 4484): Executes dropped EXE
40. \??\c:\0400004.exe (PID 4732): Executes dropped EXE
41. \??\c:\e60600.exe (PID 2424): Executes dropped EXE
42. \??\c:\a6428.exe (PID 4368): Executes dropped EXE
43. \??\c:\4622222.exe (PID 2032): Executes dropped EXE
44. \??\c:\rffrfxr.exe (PID 2456): Executes dropped EXE
45. \??\c:\k46000.exe (PID 2904): Executes dropped EXE; System Location Discovery: System Language Discovery
46. \??\c:\602860.exe (PID 744): Executes dropped EXE; System Location Discovery: System Language Discovery
47. \??\c:\bnhthb.exe (PID 4720): Executes dropped EXE
48. \??\c:\0688228.exe (PID 3504): Executes dropped EXE
49. \??\c:\8060004.exe (PID 4332): Executes dropped EXE
50. \??\c:\226046.exe (PID 2684): Executes dropped EXE
51. \??\c:\vpvvv.exe (PID 1448): Executes dropped EXE; System Location Discovery: System Language Discovery
52. \??\c:\vpvpp.exe (PID 4304): Executes dropped EXE
53. \??\c:\tthnnh.exe (PID 840): Executes dropped EXE
54. \??\c:\0404882.exe (PID 4616): Executes dropped EXE
55. \??\c:\688222.exe (PID 2212): Executes dropped EXE
56. \??\c:\btbtnn.exe (PID 2144): Executes dropped EXE
57. \??\c:\082480.exe (PID 396): Executes dropped EXE
58. \??\c:\xlxrfrl.exe (PID 3964): Executes dropped EXE
59. \??\c:\0404000.exe (PID 3408): Executes dropped EXE
60. \??\c:\28488.exe (PID 2996): Executes dropped EXE
61. \??\c:\jvdpj.exe (PID 4412): Executes dropped EXE
62. \??\c:\84004.exe (PID 5076): Executes dropped EXE
63. \??\c:\066426.exe (PID 4880): Executes dropped EXE
64. \??\c:\thhtnn.exe (PID 4320): Executes dropped EXE
65. \??\c:\002600.exe (PID 4548): Executes dropped EXE
66. \??\c:\flrffrf.exe (PID 2068)
67. \??\c:\rrxrfxr.exe (PID 1372)
68. \??\c:\fxrlfxr.exe (PID 1412)
69. \??\c:\rflfxrf.exe (PID 2780)
70. \??\c:\ppvjp.exe (PID 1224)
71. \??\c:\vjjvj.exe (PID 2464)
72. \??\c:\o826826.exe (PID 5056)
73. \??\c:\w00644.exe (PID 3068)
74. \??\c:\w06066.exe (PID 2772)
75. \??\c:\lrffrrf.exe (PID 1564)
76. \??\c:\0060606.exe (PID 3932)
77. \??\c:\2004820.exe (PID 4708)
78. \??\c:\1xlfffx.exe (PID 2580)
79. \??\c:\20866.exe (PID 4176)
80. \??\c:\1jdvp.exe (PID 1020)
81. \??\c:\dpppj.exe (PID 1988)
82. \??\c:\3tbtbb.exe (PID 1184)
83. \??\c:\3tnhnn.exe (PID 4432)
84. \??\c:\44424.exe (PID 2760)
85. \??\c:\djjdp.exe (PID 3244)
86. \??\c:\rflxrlr.exe (PID 4604)
87. \??\c:\htthbt.exe (PID 2460)
88. \??\c:\268224.exe (PID 4900)
89. \??\c:\bhhbnh.exe (PID 4364): System Location Discovery: System Language Discovery
90. \??\c:\hhnhtn.exe (PID 4864)
91. \??\c:\2048446.exe (PID 4376)
92. \??\c:\xrxllxr.exe (PID 2704)
93. \??\c:\hhbtnh.exe (PID 4296)
94. \??\c:\vjjvp.exe (PID 184)
95. \??\c:\484888.exe (PID 1216)
96. \??\c:\3rrfllr.exe (PID 684)
97. \??\c:\22448.exe (PID 772): System Location Discovery: System Language Discovery
98. \??\c:\s4004.exe (PID 2640)
99. \??\c:\08044.exe (PID 1536)
100. \??\c:\04426.exe (PID 2880)
101. \??\c:\vdjdv.exe (PID 2028)
102. \??\c:\frlxrlx.exe (PID 4136)
103. \??\c:\3jdvv.exe (PID 1396)
104. \??\c:\jjjvp.exe (PID 2744)
105. \??\c:\jvjvv.exe (PID 3952)
106. \??\c:\q02264.exe (PID 1548)
107. \??\c:\hhbtnh.exe (PID 1528)
108. \??\c:\06840.exe (PID 3640)
109. \??\c:\thnnbb.exe (PID 1984)
110. \??\c:\tbbnbt.exe (PID 4324)
111. \??\c:\nbbnhh.exe (PID 4048)
112. \??\c:\frlfxll.exe (PID 2452): System Location Discovery: System Language Discovery
113. \??\c:\4204826.exe (PID 232)
114. \??\c:\rflfffl.exe (PID 1688)
115. \??\c:\xxrlxxr.exe (PID 4892)
116. \??\c:\40608.exe (PID 4476)
117. \??\c:\062648.exe (PID 4908)
118. \??\c:\c226482.exe (PID 4688)
119. \??\c:\1ttnbb.exe (PID 4352)
120. \??\c:\4226482.exe (PID 4336)
121. \??\c:\7bbthb.exe (PID 3384)
122. \??\c:\680048.exe (PID 3964)