Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 16:26
Static task
static1
Behavioral task
behavioral1
Sample
8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40N.exe
Resource
win7-20241010-en
General
-
Target
8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40N.exe
-
Size
453KB
-
MD5
23e813baed57efd7093feb5451cdeec0
-
SHA1
724cf2591a013a9ba57352f0dfff54099f93a6a3
-
SHA256
8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40
-
SHA512
826fbce7f0b5cdb09a8a3923a3e05b5b3db6d178e30e50772e14da193c2f87973ee042204c8635659f5693e4063e0f82976ae82649c90a0906b8082585ef7269
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/448-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4952-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4748-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-1060-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-1235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-1930-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2612 44488.exe 3296 thbtnt.exe 3100 xrxlflx.exe 4392 0448604.exe 4676 9vvpp.exe 3944 6286848.exe 4312 3hhthb.exe 1136 pjjvj.exe 3452 flllfxr.exe 620 k28260.exe 2428 5vjdp.exe 4596 vjjjv.exe 3004 s2260.exe 4880 lfflfll.exe 4584 9xrfxxr.exe 3120 xxfxrlf.exe 3900 xrxlxrr.exe 4740 004826.exe 3496 nntbht.exe 4220 a8480.exe 4580 llflrxf.exe 1964 20808.exe 3052 lfxxrrr.exe 3724 xrxlrlr.exe 2308 dppdv.exe 4952 7ddjv.exe 996 lrfrllf.exe 2260 080448.exe 3412 g0642.exe 3456 8804264.exe 3996 m0604.exe 1236 88864.exe 1856 7fxrlfl.exe 2664 rrrfrlf.exe 660 1xrlxfr.exe 3140 lrrlfxr.exe 2860 dddvp.exe 2600 6406248.exe 1612 tbtntt.exe 5012 tnbthb.exe 1900 hhnnnh.exe 4492 428260.exe 2636 lxlrxfl.exe 676 5hnhnn.exe 368 0802082.exe 2420 jvpjv.exe 1916 w00204.exe 4636 406426.exe 4156 08042.exe 4456 4442282.exe 4816 ntbtnb.exe 3008 20482.exe 3844 q80422.exe 2304 flfxlxr.exe 372 c848820.exe 4904 nhnbnt.exe 3924 i664048.exe 4912 htbnhb.exe 4392 884260.exe 4628 rlrlllf.exe 3148 084860.exe 1136 1ddvd.exe 2364 444204.exe 1488 08426.exe -
resource yara_rule behavioral2/memory/2612-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2260-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-411-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2160-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-814-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2282608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0448822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q60408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
6884828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6404400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 448 wrote to memory of 2612 448 8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40N.exe 83 PID 448 wrote to memory of 2612 448 8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40N.exe 83 PID 448 wrote to memory of 2612 448 8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40N.exe 83 PID 2612 wrote to memory of 3296 2612 44488.exe 84 PID 2612 wrote to memory of 3296 2612 44488.exe 84 PID 2612 wrote to memory of 3296 2612 44488.exe 84 PID 3296 wrote to memory of 3100 3296 thbtnt.exe 85 PID 3296 wrote to memory of 3100 3296 thbtnt.exe 85 PID 3296 wrote to memory of 3100 3296 thbtnt.exe 85 PID 3100 wrote to memory of 4392 3100 xrxlflx.exe 86 PID 3100 wrote to memory of 4392 3100 xrxlflx.exe 86 PID 3100 wrote to memory of 4392 3100 xrxlflx.exe 86 PID 4392 wrote to memory of 4676 4392 0448604.exe 87 PID 4392 wrote to memory of 4676 4392 0448604.exe 87 PID 4392 wrote to memory of 4676 4392 0448604.exe 87 PID 4676 wrote to memory of 3944 4676 9vvpp.exe 88 PID 4676 wrote to memory of 3944 4676 9vvpp.exe 88 PID 4676 wrote to memory of 3944 4676 9vvpp.exe 88 PID 3944 wrote to memory of 4312 3944 6286848.exe 89 PID 3944 wrote to memory of 4312 3944 6286848.exe 89 PID 3944 wrote to memory of 4312 3944 6286848.exe 89 PID 4312 wrote to memory of 1136 4312 3hhthb.exe 90 PID 4312 wrote to memory of 1136 4312 3hhthb.exe 90 PID 4312 wrote to memory of 1136 4312 3hhthb.exe 90 PID 1136 wrote to memory of 3452 1136 pjjvj.exe 91 PID 1136 wrote to memory of 3452 1136 pjjvj.exe 91 PID 1136 wrote to memory of 3452 1136 pjjvj.exe 91 PID 3452 wrote to memory of 620 3452 flllfxr.exe 92 PID 3452 wrote to memory of 620 3452 flllfxr.exe 92 PID 3452 wrote to memory of 620 3452 flllfxr.exe 92 PID 620 wrote to memory of 2428 620 k28260.exe 93 PID 620 wrote to memory of 2428 620 k28260.exe 93 PID 620 wrote to memory of 2428 620 k28260.exe 93 PID 2428 wrote to memory of 4596 2428 5vjdp.exe 94 PID 2428 wrote to memory of 
4596 2428 5vjdp.exe 94 PID 2428 wrote to memory of 4596 2428 5vjdp.exe 94 PID 4596 wrote to memory of 3004 4596 vjjjv.exe 95 PID 4596 wrote to memory of 3004 4596 vjjjv.exe 95 PID 4596 wrote to memory of 3004 4596 vjjjv.exe 95 PID 3004 wrote to memory of 4880 3004 s2260.exe 96 PID 3004 wrote to memory of 4880 3004 s2260.exe 96 PID 3004 wrote to memory of 4880 3004 s2260.exe 96 PID 4880 wrote to memory of 4584 4880 lfflfll.exe 97 PID 4880 wrote to memory of 4584 4880 lfflfll.exe 97 PID 4880 wrote to memory of 4584 4880 lfflfll.exe 97 PID 4584 wrote to memory of 3120 4584 9xrfxxr.exe 98 PID 4584 wrote to memory of 3120 4584 9xrfxxr.exe 98 PID 4584 wrote to memory of 3120 4584 9xrfxxr.exe 98 PID 3120 wrote to memory of 3900 3120 xxfxrlf.exe 99 PID 3120 wrote to memory of 3900 3120 xxfxrlf.exe 99 PID 3120 wrote to memory of 3900 3120 xxfxrlf.exe 99 PID 3900 wrote to memory of 4740 3900 xrxlxrr.exe 100 PID 3900 wrote to memory of 4740 3900 xrxlxrr.exe 100 PID 3900 wrote to memory of 4740 3900 xrxlxrr.exe 100 PID 4740 wrote to memory of 3496 4740 004826.exe 101 PID 4740 wrote to memory of 3496 4740 004826.exe 101 PID 4740 wrote to memory of 3496 4740 004826.exe 101 PID 3496 wrote to memory of 4220 3496 nntbht.exe 102 PID 3496 wrote to memory of 4220 3496 nntbht.exe 102 PID 3496 wrote to memory of 4220 3496 nntbht.exe 102 PID 4220 wrote to memory of 4580 4220 a8480.exe 103 PID 4220 wrote to memory of 4580 4220 a8480.exe 103 PID 4220 wrote to memory of 4580 4220 a8480.exe 103 PID 4580 wrote to memory of 1964 4580 llflrxf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40N.exe"C:\Users\Admin\AppData\Local\Temp\8a7bed5d0a00d32141f4f104af12df14745b33b1c28f93105ca4776670bc5e40N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\44488.exec:\44488.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\thbtnt.exec:\thbtnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\xrxlflx.exec:\xrxlflx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\0448604.exec:\0448604.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\9vvpp.exec:\9vvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\6286848.exec:\6286848.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\3hhthb.exec:\3hhthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\pjjvj.exec:\pjjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\flllfxr.exec:\flllfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\k28260.exec:\k28260.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\5vjdp.exec:\5vjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\vjjjv.exec:\vjjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\s2260.exec:\s2260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\lfflfll.exec:\lfflfll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\9xrfxxr.exec:\9xrfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\xrxlxrr.exec:\xrxlxrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\004826.exec:\004826.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\nntbht.exec:\nntbht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\a8480.exec:\a8480.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\llflrxf.exec:\llflrxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\20808.exec:\20808.exe23⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lfxxrrr.exec:\lfxxrrr.exe24⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xrxlrlr.exec:\xrxlrlr.exe25⤵
- Executes dropped EXE
PID:3724 -
\??\c:\dppdv.exec:\dppdv.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308 -
\??\c:\7ddjv.exec:\7ddjv.exe27⤵
- Executes dropped EXE
PID:4952 -
\??\c:\lrfrllf.exec:\lrfrllf.exe28⤵
- Executes dropped EXE
PID:996 -
\??\c:\080448.exec:\080448.exe29⤵
- Executes dropped EXE
PID:2260 -
\??\c:\g0642.exec:\g0642.exe30⤵
- Executes dropped EXE
PID:3412 -
\??\c:\8804264.exec:\8804264.exe31⤵
- Executes dropped EXE
PID:3456 -
\??\c:\m0604.exec:\m0604.exe32⤵
- Executes dropped EXE
PID:3996 -
\??\c:\88864.exec:\88864.exe33⤵
- Executes dropped EXE
PID:1236 -
\??\c:\7fxrlfl.exec:\7fxrlfl.exe34⤵
- Executes dropped EXE
PID:1856 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe35⤵
- Executes dropped EXE
PID:2664 -
\??\c:\1xrlxfr.exec:\1xrlxfr.exe36⤵
- Executes dropped EXE
PID:660 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe37⤵
- Executes dropped EXE
PID:3140 -
\??\c:\dddvp.exec:\dddvp.exe38⤵
- Executes dropped EXE
PID:2860 -
\??\c:\6406248.exec:\6406248.exe39⤵
- Executes dropped EXE
PID:2600 -
\??\c:\tbtntt.exec:\tbtntt.exe40⤵
- Executes dropped EXE
PID:1612 -
\??\c:\tnbthb.exec:\tnbthb.exe41⤵
- Executes dropped EXE
PID:5012 -
\??\c:\hhnnnh.exec:\hhnnnh.exe42⤵
- Executes dropped EXE
PID:1900 -
\??\c:\428260.exec:\428260.exe43⤵
- Executes dropped EXE
PID:4492 -
\??\c:\lxlrxfl.exec:\lxlrxfl.exe44⤵
- Executes dropped EXE
PID:2636 -
\??\c:\5hnhnn.exec:\5hnhnn.exe45⤵
- Executes dropped EXE
PID:676 -
\??\c:\0802082.exec:\0802082.exe46⤵
- Executes dropped EXE
PID:368 -
\??\c:\jvpjv.exec:\jvpjv.exe47⤵
- Executes dropped EXE
PID:2420 -
\??\c:\w00204.exec:\w00204.exe48⤵
- Executes dropped EXE
PID:1916 -
\??\c:\406426.exec:\406426.exe49⤵
- Executes dropped EXE
PID:4636 -
\??\c:\08042.exec:\08042.exe50⤵
- Executes dropped EXE
PID:4156 -
\??\c:\4442282.exec:\4442282.exe51⤵
- Executes dropped EXE
PID:4456 -
\??\c:\ntbtnb.exec:\ntbtnb.exe52⤵
- Executes dropped EXE
PID:4816 -
\??\c:\20482.exec:\20482.exe53⤵
- Executes dropped EXE
PID:3008 -
\??\c:\q80422.exec:\q80422.exe54⤵
- Executes dropped EXE
PID:3844 -
\??\c:\flfxlxr.exec:\flfxlxr.exe55⤵
- Executes dropped EXE
PID:2304 -
\??\c:\c848820.exec:\c848820.exe56⤵
- Executes dropped EXE
PID:372 -
\??\c:\nhnbnt.exec:\nhnbnt.exe57⤵
- Executes dropped EXE
PID:4904 -
\??\c:\i664048.exec:\i664048.exe58⤵
- Executes dropped EXE
PID:3924 -
\??\c:\htbnhb.exec:\htbnhb.exe59⤵
- Executes dropped EXE
PID:4912 -
\??\c:\884260.exec:\884260.exe60⤵
- Executes dropped EXE
PID:4392 -
\??\c:\rlrlllf.exec:\rlrlllf.exe61⤵
- Executes dropped EXE
PID:4628 -
\??\c:\084860.exec:\084860.exe62⤵
- Executes dropped EXE
PID:3148 -
\??\c:\1ddvd.exec:\1ddvd.exe63⤵
- Executes dropped EXE
PID:1136 -
\??\c:\444204.exec:\444204.exe64⤵
- Executes dropped EXE
PID:2364 -
\??\c:\08426.exec:\08426.exe65⤵
- Executes dropped EXE
PID:1488 -
\??\c:\8842048.exec:\8842048.exe66⤵PID:1984
-
\??\c:\7hhtnh.exec:\7hhtnh.exe67⤵PID:2156
-
\??\c:\c426048.exec:\c426048.exe68⤵PID:2332
-
\??\c:\1xxlfxf.exec:\1xxlfxf.exe69⤵PID:4532
-
\??\c:\86608.exec:\86608.exe70⤵PID:3684
-
\??\c:\2004828.exec:\2004828.exe71⤵PID:5056
-
\??\c:\68226.exec:\68226.exe72⤵PID:4204
-
\??\c:\q44820.exec:\q44820.exe73⤵PID:1828
-
\??\c:\pjvpj.exec:\pjvpj.exe74⤵PID:1668
-
\??\c:\hntnbt.exec:\hntnbt.exe75⤵PID:3900
-
\??\c:\hhbtnh.exec:\hhbtnh.exe76⤵PID:4748
-
\??\c:\g0604.exec:\g0604.exe77⤵PID:4384
-
\??\c:\2282608.exec:\2282608.exe78⤵
- System Location Discovery: System Language Discovery
PID:3496 -
\??\c:\s2866.exec:\s2866.exe79⤵PID:4220
-
\??\c:\7thbbb.exec:\7thbbb.exe80⤵PID:1628
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe81⤵PID:3184
-
\??\c:\i422000.exec:\i422000.exe82⤵PID:1964
-
\??\c:\02866.exec:\02866.exe83⤵PID:3052
-
\??\c:\lxxfllf.exec:\lxxfllf.exe84⤵PID:3724
-
\??\c:\260066.exec:\260066.exe85⤵PID:2328
-
\??\c:\lffxrxr.exec:\lffxrxr.exe86⤵PID:2492
-
\??\c:\684488.exec:\684488.exe87⤵PID:1324
-
\??\c:\002644.exec:\002644.exe88⤵PID:2020
-
\??\c:\e80488.exec:\e80488.exe89⤵PID:1544
-
\??\c:\m6260.exec:\m6260.exe90⤵PID:3412
-
\??\c:\2460444.exec:\2460444.exe91⤵PID:3456
-
\??\c:\vpjpj.exec:\vpjpj.exe92⤵PID:1920
-
\??\c:\q88480.exec:\q88480.exe93⤵PID:1192
-
\??\c:\ppvvp.exec:\ppvvp.exe94⤵PID:1064
-
\??\c:\bntnhh.exec:\bntnhh.exe95⤵PID:1096
-
\??\c:\1hbtnh.exec:\1hbtnh.exe96⤵PID:384
-
\??\c:\xllxxxf.exec:\xllxxxf.exe97⤵PID:3960
-
\??\c:\g8426.exec:\g8426.exe98⤵PID:1580
-
\??\c:\26626.exec:\26626.exe99⤵PID:1768
-
\??\c:\bnttnn.exec:\bnttnn.exe100⤵PID:772
-
\??\c:\68888.exec:\68888.exe101⤵PID:2160
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe102⤵PID:4136
-
\??\c:\628422.exec:\628422.exe103⤵PID:1764
-
\??\c:\80882.exec:\80882.exe104⤵PID:1160
-
\??\c:\jppdd.exec:\jppdd.exe105⤵PID:1848
-
\??\c:\60622.exec:\60622.exe106⤵
- System Location Discovery: System Language Discovery
PID:1744 -
\??\c:\bttntn.exec:\bttntn.exe107⤵PID:1684
-
\??\c:\3dvvd.exec:\3dvvd.exe108⤵PID:5016
-
\??\c:\llfrlfl.exec:\llfrlfl.exe109⤵PID:3976
-
\??\c:\6240444.exec:\6240444.exe110⤵PID:3288
-
\??\c:\60044.exec:\60044.exe111⤵PID:688
-
\??\c:\hbnhbb.exec:\hbnhbb.exe112⤵PID:4636
-
\??\c:\g0660.exec:\g0660.exe113⤵PID:2608
-
\??\c:\04004.exec:\04004.exe114⤵PID:4456
-
\??\c:\1ddpd.exec:\1ddpd.exe115⤵PID:4816
-
\??\c:\hhhhbb.exec:\hhhhbb.exe116⤵PID:3008
-
\??\c:\3hhhhh.exec:\3hhhhh.exe117⤵PID:5108
-
\??\c:\68444.exec:\68444.exe118⤵PID:2304
-
\??\c:\3rrlfff.exec:\3rrlfff.exe119⤵PID:2088
-
\??\c:\0446004.exec:\0446004.exe120⤵PID:3332
-
\??\c:\2422660.exec:\2422660.exe121⤵PID:5040
-
\??\c:\thnbbb.exec:\thnbbb.exe122⤵
- System Location Discovery: System Language Discovery
PID:208