Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 18:50
Static task
static1
Behavioral task
behavioral1
Sample
8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4.exe
Resource
win7-20241010-en
General
-
Target
8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4.exe
-
Size
453KB
-
MD5
49fcec3b74248fb90a3bafd624b1ce3e
-
SHA1
9b4995b8f2c37ae3f7d92eb8b02e9b18ae7a5b41
-
SHA256
8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4
-
SHA512
447555d32fd7af15827a6df5ec67a272b16d3e72936ac0b0f62a9ab81de04f5d8aa51cc287df16b7aaab5254cda7783ba276d95c76fceed6e125e249719da078
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4036-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3940-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4680-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-1589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4036 9rllllf.exe 3780 thnhhb.exe 4240 4244666.exe 2140 bbnttn.exe 1368 46208.exe 4268 hnnhtb.exe 368 3rlxrlf.exe 1484 frrlxxl.exe 3916 lflfrrl.exe 624 4468640.exe 3752 jpdvp.exe 3288 frlfxrl.exe 1640 084848.exe 4816 tbtnhb.exe 4932 88886.exe 1420 6488084.exe 3468 dppdv.exe 2364 llfxlfr.exe 396 pjvpd.exe 4484 426426.exe 924 ththhb.exe 1540 ppvjv.exe 4692 02224.exe 2788 644208.exe 780 dvpdv.exe 1956 860804.exe 3940 66642.exe 4312 nhtnnh.exe 516 4600882.exe 4868 c288226.exe 1920 22844.exe 1980 xrrlfxx.exe 3660 nhhbbt.exe 4548 2648446.exe 5108 60244.exe 3136 i848800.exe 4904 62822.exe 1528 lxllffx.exe 2292 fxxxrfx.exe 4424 3vjjd.exe 2116 0666022.exe 1500 0400000.exe 4372 tnbbhh.exe 4352 nhthnh.exe 4416 8266044.exe 4036 rxxrrrr.exe 5048 w80088.exe 4044 lllxrfx.exe 4728 tttnnh.exe 5040 40486.exe 4504 488262.exe 3168 nthtnh.exe 2480 2822088.exe 3732 8026480.exe 3140 jvpdp.exe 2572 dvjdp.exe 1484 jvjvp.exe 4956 m0042.exe 4468 hhhttn.exe 4848 08428.exe 628 0026044.exe 4764 hbhbhh.exe 4620 pdjjd.exe 3704 64260.exe -
resource yara_rule behavioral2/memory/4036-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4312-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4204-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-748-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6008422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8626000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4062260.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o060608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o626004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422640.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4992 wrote to memory of 4036 4992 8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4.exe 85 PID 4992 wrote to memory of 4036 4992 8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4.exe 85 PID 4992 wrote to memory of 4036 4992 8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4.exe 85 PID 4036 wrote to memory of 3780 4036 9rllllf.exe 86 PID 4036 wrote to memory of 3780 4036 9rllllf.exe 86 PID 4036 wrote to memory of 3780 4036 9rllllf.exe 86 PID 3780 wrote to memory of 4240 3780 thnhhb.exe 87 PID 3780 wrote to memory of 4240 3780 thnhhb.exe 87 PID 3780 wrote to memory of 4240 3780 thnhhb.exe 87 PID 4240 wrote to memory of 2140 4240 4244666.exe 88 PID 4240 wrote to memory of 2140 4240 4244666.exe 88 PID 4240 wrote to memory of 2140 4240 4244666.exe 88 PID 2140 wrote to memory of 1368 2140 bbnttn.exe 89 PID 2140 wrote to memory of 1368 2140 bbnttn.exe 89 PID 2140 wrote to memory of 1368 2140 bbnttn.exe 89 PID 1368 wrote to memory of 4268 1368 46208.exe 90 PID 1368 wrote to memory of 4268 1368 46208.exe 90 PID 1368 wrote to memory of 4268 1368 46208.exe 90 PID 4268 wrote to memory of 368 4268 hnnhtb.exe 91 PID 4268 wrote to memory of 368 4268 hnnhtb.exe 91 PID 4268 wrote to memory of 368 4268 hnnhtb.exe 91 PID 368 wrote to memory of 1484 368 3rlxrlf.exe 92 PID 368 wrote to memory of 1484 368 3rlxrlf.exe 92 PID 368 wrote to memory of 1484 368 3rlxrlf.exe 92 PID 1484 wrote to memory of 3916 1484 frrlxxl.exe 93 PID 1484 wrote to memory of 3916 1484 frrlxxl.exe 93 PID 1484 wrote to memory of 3916 1484 frrlxxl.exe 93 PID 3916 wrote to memory of 624 3916 lflfrrl.exe 94 PID 3916 wrote to memory of 624 3916 lflfrrl.exe 94 PID 3916 wrote to memory of 624 3916 lflfrrl.exe 94 PID 624 wrote to memory of 3752 624 4468640.exe 95 PID 624 wrote to memory of 3752 624 4468640.exe 95 PID 624 wrote to memory of 3752 624 4468640.exe 95 PID 3752 wrote to memory of 3288 3752 jpdvp.exe 96 PID 3752 wrote to 
memory of 3288 3752 jpdvp.exe 96 PID 3752 wrote to memory of 3288 3752 jpdvp.exe 96 PID 3288 wrote to memory of 1640 3288 frlfxrl.exe 97 PID 3288 wrote to memory of 1640 3288 frlfxrl.exe 97 PID 3288 wrote to memory of 1640 3288 frlfxrl.exe 97 PID 1640 wrote to memory of 4816 1640 084848.exe 98 PID 1640 wrote to memory of 4816 1640 084848.exe 98 PID 1640 wrote to memory of 4816 1640 084848.exe 98 PID 4816 wrote to memory of 4932 4816 tbtnhb.exe 99 PID 4816 wrote to memory of 4932 4816 tbtnhb.exe 99 PID 4816 wrote to memory of 4932 4816 tbtnhb.exe 99 PID 4932 wrote to memory of 1420 4932 88886.exe 100 PID 4932 wrote to memory of 1420 4932 88886.exe 100 PID 4932 wrote to memory of 1420 4932 88886.exe 100 PID 1420 wrote to memory of 3468 1420 6488084.exe 101 PID 1420 wrote to memory of 3468 1420 6488084.exe 101 PID 1420 wrote to memory of 3468 1420 6488084.exe 101 PID 3468 wrote to memory of 2364 3468 dppdv.exe 102 PID 3468 wrote to memory of 2364 3468 dppdv.exe 102 PID 3468 wrote to memory of 2364 3468 dppdv.exe 102 PID 2364 wrote to memory of 396 2364 llfxlfr.exe 103 PID 2364 wrote to memory of 396 2364 llfxlfr.exe 103 PID 2364 wrote to memory of 396 2364 llfxlfr.exe 103 PID 396 wrote to memory of 4484 396 pjvpd.exe 104 PID 396 wrote to memory of 4484 396 pjvpd.exe 104 PID 396 wrote to memory of 4484 396 pjvpd.exe 104 PID 4484 wrote to memory of 924 4484 426426.exe 105 PID 4484 wrote to memory of 924 4484 426426.exe 105 PID 4484 wrote to memory of 924 4484 426426.exe 105 PID 924 wrote to memory of 1540 924 ththhb.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4.exe"C:\Users\Admin\AppData\Local\Temp\8f6c38ff8af09b756bcfe6534c627b9d568d0b1b729d47c6965c77162161f2a4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\9rllllf.exec:\9rllllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\thnhhb.exec:\thnhhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\4244666.exec:\4244666.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\bbnttn.exec:\bbnttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\46208.exec:\46208.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\hnnhtb.exec:\hnnhtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\3rlxrlf.exec:\3rlxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\frrlxxl.exec:\frrlxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\lflfrrl.exec:\lflfrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\4468640.exec:\4468640.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\jpdvp.exec:\jpdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\frlfxrl.exec:\frlfxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\084848.exec:\084848.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\tbtnhb.exec:\tbtnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\88886.exec:\88886.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\6488084.exec:\6488084.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\dppdv.exec:\dppdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\llfxlfr.exec:\llfxlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\pjvpd.exec:\pjvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\426426.exec:\426426.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\ththhb.exec:\ththhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\ppvjv.exec:\ppvjv.exe23⤵
- Executes dropped EXE
PID:1540 -
\??\c:\02224.exec:\02224.exe24⤵
- Executes dropped EXE
PID:4692 -
\??\c:\644208.exec:\644208.exe25⤵
- Executes dropped EXE
PID:2788 -
\??\c:\dvpdv.exec:\dvpdv.exe26⤵
- Executes dropped EXE
PID:780 -
\??\c:\860804.exec:\860804.exe27⤵
- Executes dropped EXE
PID:1956 -
\??\c:\66642.exec:\66642.exe28⤵
- Executes dropped EXE
PID:3940 -
\??\c:\nhtnnh.exec:\nhtnnh.exe29⤵
- Executes dropped EXE
PID:4312 -
\??\c:\4600882.exec:\4600882.exe30⤵
- Executes dropped EXE
PID:516 -
\??\c:\c288226.exec:\c288226.exe31⤵
- Executes dropped EXE
PID:4868 -
\??\c:\22844.exec:\22844.exe32⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe33⤵
- Executes dropped EXE
PID:1980 -
\??\c:\nhhbbt.exec:\nhhbbt.exe34⤵
- Executes dropped EXE
PID:3660 -
\??\c:\2648446.exec:\2648446.exe35⤵
- Executes dropped EXE
PID:4548 -
\??\c:\60244.exec:\60244.exe36⤵
- Executes dropped EXE
PID:5108 -
\??\c:\i848800.exec:\i848800.exe37⤵
- Executes dropped EXE
PID:3136 -
\??\c:\62822.exec:\62822.exe38⤵
- Executes dropped EXE
PID:4904 -
\??\c:\lxllffx.exec:\lxllffx.exe39⤵
- Executes dropped EXE
PID:1528 -
\??\c:\fxxxrfx.exec:\fxxxrfx.exe40⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3vjjd.exec:\3vjjd.exe41⤵
- Executes dropped EXE
PID:4424 -
\??\c:\0666022.exec:\0666022.exe42⤵
- Executes dropped EXE
PID:2116 -
\??\c:\0400000.exec:\0400000.exe43⤵
- Executes dropped EXE
PID:1500 -
\??\c:\tnbbhh.exec:\tnbbhh.exe44⤵
- Executes dropped EXE
PID:4372 -
\??\c:\nhthnh.exec:\nhthnh.exe45⤵
- Executes dropped EXE
PID:4352 -
\??\c:\8266044.exec:\8266044.exe46⤵
- Executes dropped EXE
PID:4416 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe47⤵
- Executes dropped EXE
PID:4036 -
\??\c:\w80088.exec:\w80088.exe48⤵
- Executes dropped EXE
PID:5048 -
\??\c:\lllxrfx.exec:\lllxrfx.exe49⤵
- Executes dropped EXE
PID:4044 -
\??\c:\tttnnh.exec:\tttnnh.exe50⤵
- Executes dropped EXE
PID:4728 -
\??\c:\40486.exec:\40486.exe51⤵
- Executes dropped EXE
PID:5040 -
\??\c:\488262.exec:\488262.exe52⤵
- Executes dropped EXE
PID:4504 -
\??\c:\nthtnh.exec:\nthtnh.exe53⤵
- Executes dropped EXE
PID:3168 -
\??\c:\2822088.exec:\2822088.exe54⤵
- Executes dropped EXE
PID:2480 -
\??\c:\8026480.exec:\8026480.exe55⤵
- Executes dropped EXE
PID:3732 -
\??\c:\jvpdp.exec:\jvpdp.exe56⤵
- Executes dropped EXE
PID:3140 -
\??\c:\dvjdp.exec:\dvjdp.exe57⤵
- Executes dropped EXE
PID:2572 -
\??\c:\jvjvp.exec:\jvjvp.exe58⤵
- Executes dropped EXE
PID:1484 -
\??\c:\m0042.exec:\m0042.exe59⤵
- Executes dropped EXE
PID:4956 -
\??\c:\hhhttn.exec:\hhhttn.exe60⤵
- Executes dropped EXE
PID:4468 -
\??\c:\08428.exec:\08428.exe61⤵
- Executes dropped EXE
PID:4848 -
\??\c:\0026044.exec:\0026044.exe62⤵
- Executes dropped EXE
PID:628 -
\??\c:\hbhbhh.exec:\hbhbhh.exe63⤵
- Executes dropped EXE
PID:4764 -
\??\c:\pdjjd.exec:\pdjjd.exe64⤵
- Executes dropped EXE
PID:4620 -
\??\c:\64260.exec:\64260.exe65⤵
- Executes dropped EXE
PID:3704 -
\??\c:\vvdpv.exec:\vvdpv.exe66⤵PID:2544
-
\??\c:\fxxxlxr.exec:\fxxxlxr.exe67⤵PID:4932
-
\??\c:\xfrllrr.exec:\xfrllrr.exe68⤵PID:2168
-
\??\c:\ntthtn.exec:\ntthtn.exe69⤵PID:4836
-
\??\c:\5hnhbh.exec:\5hnhbh.exe70⤵PID:4732
-
\??\c:\q84488.exec:\q84488.exe71⤵PID:2656
-
\??\c:\6222660.exec:\6222660.exe72⤵PID:2248
-
\??\c:\hbbtnn.exec:\hbbtnn.exe73⤵PID:4020
-
\??\c:\8460004.exec:\8460004.exe74⤵PID:4680
-
\??\c:\o804226.exec:\o804226.exe75⤵PID:5012
-
\??\c:\hhthht.exec:\hhthht.exe76⤵PID:3608
-
\??\c:\k88866.exec:\k88866.exe77⤵PID:3628
-
\??\c:\88048.exec:\88048.exe78⤵PID:4692
-
\??\c:\pjppj.exec:\pjppj.exe79⤵PID:3132
-
\??\c:\thnhbb.exec:\thnhbb.exe80⤵PID:5020
-
\??\c:\xrxllrx.exec:\xrxllrx.exe81⤵PID:3404
-
\??\c:\vjvpj.exec:\vjvpj.exe82⤵PID:1620
-
\??\c:\8200666.exec:\8200666.exe83⤵PID:3300
-
\??\c:\02888.exec:\02888.exe84⤵PID:1132
-
\??\c:\g2820.exec:\g2820.exe85⤵PID:1800
-
\??\c:\thnhhh.exec:\thnhhh.exe86⤵PID:832
-
\??\c:\6040882.exec:\6040882.exe87⤵PID:3312
-
\??\c:\thhbbt.exec:\thhbbt.exe88⤵PID:4868
-
\??\c:\8660826.exec:\8660826.exe89⤵PID:2032
-
\??\c:\020284.exec:\020284.exe90⤵PID:1980
-
\??\c:\284048.exec:\284048.exe91⤵PID:2732
-
\??\c:\608828.exec:\608828.exe92⤵PID:4204
-
\??\c:\m2888.exec:\m2888.exe93⤵PID:3248
-
\??\c:\40008.exec:\40008.exe94⤵PID:4988
-
\??\c:\dvdvj.exec:\dvdvj.exe95⤵PID:4364
-
\??\c:\62888.exec:\62888.exe96⤵PID:436
-
\??\c:\62822.exec:\62822.exe97⤵PID:4952
-
\??\c:\vvdjv.exec:\vvdjv.exe98⤵PID:2292
-
\??\c:\6020006.exec:\6020006.exe99⤵PID:872
-
\??\c:\1fflxrl.exec:\1fflxrl.exe100⤵PID:3280
-
\??\c:\thbnbn.exec:\thbnbn.exe101⤵PID:4260
-
\??\c:\vvvpd.exec:\vvvpd.exe102⤵PID:4284
-
\??\c:\htbthh.exec:\htbthh.exe103⤵PID:4900
-
\??\c:\o022228.exec:\o022228.exe104⤵PID:3972
-
\??\c:\1lxfxll.exec:\1lxfxll.exe105⤵PID:2244
-
\??\c:\1jvvp.exec:\1jvvp.exe106⤵PID:1184
-
\??\c:\4882426.exec:\4882426.exe107⤵PID:2616
-
\??\c:\20842.exec:\20842.exe108⤵PID:4288
-
\??\c:\844866.exec:\844866.exe109⤵PID:224
-
\??\c:\pvvjd.exec:\pvvjd.exe110⤵PID:4232
-
\??\c:\e80428.exec:\e80428.exe111⤵PID:2568
-
\??\c:\46400.exec:\46400.exe112⤵PID:3092
-
\??\c:\rrxlrfx.exec:\rrxlrfx.exe113⤵PID:1412
-
\??\c:\rfrlrlx.exec:\rfrlrlx.exe114⤵PID:4628
-
\??\c:\88626.exec:\88626.exe115⤵PID:3732
-
\??\c:\4446482.exec:\4446482.exe116⤵PID:4700
-
\??\c:\thnttb.exec:\thnttb.exe117⤵PID:448
-
\??\c:\nhthtn.exec:\nhthtn.exe118⤵PID:3084
-
\??\c:\jdpvj.exec:\jdpvj.exe119⤵PID:1248
-
\??\c:\jddjp.exec:\jddjp.exe120⤵PID:664
-
\??\c:\ddppd.exec:\ddppd.exe121⤵PID:620
-
\??\c:\28448.exec:\28448.exe122⤵PID:4848