Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2024, 06:55
Static task: static1
Behavioral task: behavioral1
- Sample: 0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe
- Resource: win7-20240903-en
Note: the signature hits and process tree below are labelled behavioral2, and the platform above is windows10-2004_x64, so they come from the Windows 10 run. The win7-20240903-en task listed here is not the run reported below.
General
- Target: 0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe (the file name is the SHA256 with an "N.exe" suffix)
- Size: 332KB
- MD5: 2aeeefeadf5037a74f1c550df65c73d0
- SHA1: d9e3d971c406b56a538a79aac5acdc56ebf8b167
- SHA256: 0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4
- SHA512: 7fef9665fa3a3070f37fcead438ad08ee4793c35a5bf2b94750d512e9f9f75cbf5af7240cb8746ffb486cf67ead461fa9fef69d8f4d5c00fd15aee4e01aaeda5
- SSDEEP: 6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhQ:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTg
Malware Config
Signatures
-
Detect Blackmoon payload (yara rule family_blackmoon) 64 IoCs
All 64 hits are on the same mapped-image range 0x0000000000400000-0x000000000042A000 (0x2A000 = 172,032 bytes) in behavioral2 memory dumps. The sample is 32-bit (resource tag arch:x86) and every flagged process has its image at the default base 0x400000, which is consistent with an image built without dynamic base. Dumps are named pid-index:
436-5, 2856-12, 440-18, 4288-32, 1836-26, 1828-25, 3392-44, 4972-38, 3408-55, 2984-60, 1324-68, 4560-82, 884-85, 5076-94, 1628-100, 4368-107, 1400-120, 1772-130, 704-136, 456-137, 3944-148,
1556-165, 4900-169, 2668-177, 116-184, 4336-191, 3932-205, 812-209, 388-213, 4284-217, 5032-221, 4376-225, 1332-232, 1080-242, 1908-249, 1692-265, 3376-275, 2988-279, 4500-286, 2288-293, 3168-303, 2564-322,
392-348, 1756-361, 2092-398, 428-456, 2336-469, 876-476, 4016-498, 2628-568, 4684-590, 4996-606, 1556-619, 3928-650, 3132-654, 1228-673, 2528-701, 2888-732, 704-743, 3164-869, 3164-873, 3060-970, 2984-1200,
1836-1511
Executes dropped EXE 64 IoCs
pid Process (in spawn order; every file sits in the root of C:\, see the process tree):
2856 3xxxrlf.exe, 440 ppdvp.exe, 1828 hhnhbb.exe, 1836 200688.exe, 4288 686260.exe, 4972 0226400.exe, 3392 4286844.exe, 3408 9rxrlff.exe,
2984 86800.exe, 1324 62266.exe, 2528 o860444.exe, 2996 846006.exe, 4560 7lrllll.exe, 884 62266.exe, 5076 pjjvp.exe, 1628 4400000.exe,
1852 0628288.exe, 4368 u860440.exe, 4528 408200.exe, 1400 4666604.exe, 1772 8288882.exe, 704 htntnn.exe, 456 4666666.exe, 3944 1tnhbh.exe,
4600 840022.exe, 2652 5tbthh.exe, 1556 5lrfllf.exe, 4900 rfrxxlr.exe, 2668 djddd.exe, 4084 4622666.exe, 116 jjvdv.exe, 3244 nhttnn.exe,
4336 vppjv.exe, 4016 q28866.exe, 3436 9thbtt.exe, 3932 662822.exe, 812 6800448.exe, 388 rxflfff.exe, 4284 68026.exe, 5032 bnnhtt.exe,
4376 lllfrlf.exe, 2244 vpddv.exe, 1332 xlllffx.exe, 3044 82828.exe, 3408 k06600.exe, 1080 44648.exe, 3736 btbbnn.exe, 1908 i264006.exe,
3060 3tnntt.exe, 3040 22226.exe, 3332 fxxrllf.exe, 4772 9lrlfff.exe, 1692 i626004.exe, 4588 040044.exe, 2212 846604.exe, 3376 1flxrrl.exe,
2988 ppppj.exe, 2472 5vvpd.exe, 4500 8460882.exe, 3756 i684662.exe, 2288 28448.exe, 3164 xrrxfll.exe, 3240 2400004.exe, 3168 bbhhbh.exe
Note that PID 3408 appears twice (9rxrlff.exe, then k06600.exe): the chain is long enough that Windows recycles PIDs while it runs, so a PID alone does not identify a stage.
UPX-packed image (yara rule upx) 64 IoCs
Same range 0x0000000000400000-0x000000000042A000 and same base as the family_blackmoon hits, so the UPX stub is part of the dropped image itself rather than a separately injected buffer. Dumps (pid-index):
436-5, 2856-12, 440-18, 4288-32, 1836-26, 1828-25, 3408-49, 3392-44, 4972-38, 3408-55, 2984-60, 1324-68, 2996-72, 4560-82, 884-85, 5076-94, 1628-100, 4368-107, 1400-120, 1772-130, 704-136, 456-137, 3944-143, 3944-148,
1556-165, 4900-169, 2668-177, 116-184, 4336-191, 3932-205, 812-209, 388-213, 4284-217, 5032-221, 4376-225, 1332-232, 1080-242, 1908-249, 1692-265, 3376-275, 2988-279, 4500-286, 2288-293, 3168-303, 2564-322, 392-348, 1756-361, 2092-398,
428-456, 2336-469, 876-476, 4016-498, 2628-568, 4684-590, 4996-606, 1556-619, 3928-650, 3132-654, 1228-673, 2528-701, 2888-732, 1956-736, 704-743, 1788-753
Joined on the dump name, 59 dumps match both rules; 3408-49, 2996-72, 3944-143, 1956-736 and 1788-753 match only upx, and 3164-869, 3164-873, 3060-970, 2984-1200 and 1836-1511 match only family_blackmoon. The two lists are each capped at 64 entries, so the non-overlap is mostly a cap artefact, not evidence of unpacked-but-unrecognised stages.
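The two memory-rule lists above share the same dump naming, so they can be joined to see which dumps match both rules and which match only one. The Python below is an added example, not part of this report or of tria.ge's tooling: it parses an excerpt copied from the lists above (five dumps per rule; the page carries 64 each), reports the region shape, the join, and any PID that was dumped more than once under one rule. Run on the full lists it gives the 59/5/5 split stated above.

```python
import re

# Excerpt copied from the report's two memory-rule lists (five dumps each; the
# page carries 64 per rule). Dump names are <pid>-<dump index>-<start>-<end>.
BLACKMOON_HITS = """
behavioral2/memory/436-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2856-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3408-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3164-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1836-1511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
"""
UPX_HITS = """
behavioral2/memory/436-5-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2856-12-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3408-49-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3408-55-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1956-736-0x0000000000400000-0x000000000042A000-memory.dmp upx
"""

DUMP_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)"
)


def parse_hits(text):
    """Map (pid, dump index) -> (start, end, rule) for every dump line in text."""
    hits = {}
    for m in DUMP_RE.finditer(text):
        pid, idx, start, end, rule = m.groups()
        hits[(int(pid), int(idx))] = (int(start, 16), int(end, 16), rule)
    return hits


def region_shapes(hits):
    """Distinct (base, size) pairs. A single pair means every flagged dump is the
    same range at the same base, i.e. the mapped image rather than a scattered
    injected buffer."""
    return {(start, end - start) for start, end, _ in hits.values()}


def correlate(a, b):
    """Split dump keys into (in both, only in a, only in b)."""
    ka, kb = set(a), set(b)
    return ka & kb, ka - kb, kb - ka


def pids_dumped_twice(hits):
    """PIDs with more than one dump under the same rule. The second dump may be
    a later process that reused the PID, so join on (pid, index), never on the
    PID alone."""
    seen = {}
    for pid, _ in hits:
        seen[pid] = seen.get(pid, 0) + 1
    return {pid for pid, n in seen.items() if n > 1}


def summarize(bm_text=BLACKMOON_HITS, upx_text=UPX_HITS):
    """Join the two rule lists and describe what the memory hits have in common."""
    bm, upx = parse_hits(bm_text), parse_hits(upx_text)
    both, bm_only, upx_only = correlate(bm, upx)
    return {
        "shapes": region_shapes(bm) | region_shapes(upx),
        "both": both,
        "blackmoon_only": bm_only,
        "upx_only": upx_only,
        "pids_dumped_twice": pids_dumped_twice(upx),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Because the lists are capped at 64 entries each, a dump that appears under one rule only may simply have fallen outside the other rule's cap; the join is for orientation, not for deciding that a stage was unpacked without the family rule matching.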
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 IoCs are the same event, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". The 19 hits attributed to a named process: 86822.exe, 802644.exe, htthbn.exe, g4000.exe, 6804222.exe, httnhh.exe, xllxlfx.exe, s2488.exe, bbhhbh.exe, jvpvd.exe, 5btnhh.exe, 428606.exe, 046622.exe, 1vvjd.exe, frrlfrr.exe, 4886440.exe, 8848008.exe, 28448.exe, 9vjvp.exe. The remaining 45 are attributed to "Process not Found": the sandbox could not resolve the process for the event, typically because it had already exited, which is expected in a chain where each stage spawns the next and terminates.
Caveat: this key is read by the standard locale APIs, so ordinary software opens it too. On its own the hit is weak evidence of a geolocation check; it carries weight here only because it sits in a chain of dropped, packed executables.
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is a parent writing into the child it has just created, and each parent/child pair is listed three times (the writes a parent makes into a fresh child's address space at start-up). This signature fires on ordinary process creation as well, so here it is a record of the chain rather than evidence of injection. Written as the chain it describes (parent PID process -> child PID, procid_target in brackets):
436 0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe -> 2856 [89]; 2856 3xxxrlf.exe -> 440 [90]; 440 ppdvp.exe -> 1828 [91]; 1828 hhnhbb.exe -> 1836 [92]; 1836 200688.exe -> 4288 [93]; 4288 686260.exe -> 4972 [94]; 4972 0226400.exe -> 3392 [95]; 3392 4286844.exe -> 3408 [96]; 3408 9rxrlff.exe -> 2984 [97]; 2984 86800.exe -> 1324 [98]; 1324 62266.exe -> 2528 [99]; 2528 o860444.exe -> 2996 [100]; 2996 846006.exe -> 4560 [101]; 4560 7lrllll.exe -> 884 [102]; 884 62266.exe -> 5076 [103]; 5076 pjjvp.exe -> 1628 [104]; 1628 4400000.exe -> 1852 [105]; 1852 0628288.exe -> 4368 [106]; 4368 u860440.exe -> 4528 [107]; 4528 408200.exe -> 1400 [108]; 1400 4666604.exe -> 1772 [109]; 1772 8288882.exe -> 704 [110] (one entry only: the list stops at 64 IoCs, 21 full triples plus one).
Processes
The tree is a single chain 122 levels deep: each process is the only child of the one above it. Every dropped file is created in the root of C:\ and started with its bare path as the command line (e.g. c:\3xxxrlf.exe); on a default Windows 10 ACL a standard user cannot create files there, so the chain depends on the elevated Admin account the sandbox runs under. Tags: EDE = Executes dropped EXE, WPM = Suspicious use of WriteProcessMemory, SLD = System Location Discovery: System Language Discovery. EDE tags stop after depth 65 and WPM tags after depth 22 because each signature lists at most 64 IoCs, not because later processes behaved differently. The listing ends at depth 122 without a terminal process; several processes named in the signature lists (for example 86822.exe) do not appear in it, so the chain ran deeper than what the page shows.
1. C:\Users\Admin\AppData\Local\Temp\0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe (PID 436) [WPM]
2. \??\c:\3xxxrlf.exe (PID 2856) [EDE, WPM]
3. \??\c:\ppdvp.exe (PID 440) [EDE, WPM]
4. \??\c:\hhnhbb.exe (PID 1828) [EDE, WPM]
5. \??\c:\200688.exe (PID 1836) [EDE, WPM]
6. \??\c:\686260.exe (PID 4288) [EDE, WPM]
7. \??\c:\0226400.exe (PID 4972) [EDE, WPM]
8. \??\c:\4286844.exe (PID 3392) [EDE, WPM]
9. \??\c:\9rxrlff.exe (PID 3408) [EDE, WPM]
10. \??\c:\86800.exe (PID 2984) [EDE, WPM]
11. \??\c:\62266.exe (PID 1324) [EDE, WPM]
12. \??\c:\o860444.exe (PID 2528) [EDE, WPM]
13. \??\c:\846006.exe (PID 2996) [EDE, WPM]
14. \??\c:\7lrllll.exe (PID 4560) [EDE, WPM]
15. \??\c:\62266.exe (PID 884) [EDE, WPM]
16. \??\c:\pjjvp.exe (PID 5076) [EDE, WPM]
17. \??\c:\4400000.exe (PID 1628) [EDE, WPM]
18. \??\c:\0628288.exe (PID 1852) [EDE, WPM]
19. \??\c:\u860440.exe (PID 4368) [EDE, WPM]
20. \??\c:\408200.exe (PID 4528) [EDE, WPM]
21. \??\c:\4666604.exe (PID 1400) [EDE, WPM]
22. \??\c:\8288882.exe (PID 1772) [EDE, WPM]
23. \??\c:\htntnn.exe (PID 704) [EDE]
24. \??\c:\4666666.exe (PID 456) [EDE]
25. \??\c:\1tnhbh.exe (PID 3944) [EDE]
26. \??\c:\840022.exe (PID 4600) [EDE]
27. \??\c:\5tbthh.exe (PID 2652) [EDE]
28. \??\c:\5lrfllf.exe (PID 1556) [EDE]
29. \??\c:\rfrxxlr.exe (PID 4900) [EDE]
30. \??\c:\djddd.exe (PID 2668) [EDE]
31. \??\c:\4622666.exe (PID 4084) [EDE]
32. \??\c:\jjvdv.exe (PID 116) [EDE]
33. \??\c:\nhttnn.exe (PID 3244) [EDE]
34. \??\c:\vppjv.exe (PID 4336) [EDE]
35. \??\c:\q28866.exe (PID 4016) [EDE]
36. \??\c:\9thbtt.exe (PID 3436) [EDE]
37. \??\c:\662822.exe (PID 3932) [EDE]
38. \??\c:\6800448.exe (PID 812) [EDE]
39. \??\c:\rxflfff.exe (PID 388) [EDE]
40. \??\c:\68026.exe (PID 4284) [EDE]
41. \??\c:\bnnhtt.exe (PID 5032) [EDE]
42. \??\c:\lllfrlf.exe (PID 4376) [EDE]
43. \??\c:\vpddv.exe (PID 2244) [EDE]
44. \??\c:\xlllffx.exe (PID 1332) [EDE]
45. \??\c:\82828.exe (PID 3044) [EDE]
46. \??\c:\k06600.exe (PID 3408) [EDE]
47. \??\c:\44648.exe (PID 1080) [EDE]
48. \??\c:\btbbnn.exe (PID 3736) [EDE]
49. \??\c:\i264006.exe (PID 1908) [EDE]
50. \??\c:\3tnntt.exe (PID 3060) [EDE]
51. \??\c:\22226.exe (PID 3040) [EDE]
52. \??\c:\fxxrllf.exe (PID 3332) [EDE]
53. \??\c:\9lrlfff.exe (PID 4772) [EDE]
54. \??\c:\i626004.exe (PID 1692) [EDE]
55. \??\c:\040044.exe (PID 4588) [EDE]
56. \??\c:\846604.exe (PID 2212) [EDE]
57. \??\c:\1flxrrl.exe (PID 3376) [EDE]
58. \??\c:\ppppj.exe (PID 2988) [EDE]
59. \??\c:\5vvpd.exe (PID 2472) [EDE]
60. \??\c:\8460882.exe (PID 4500) [EDE]
61. \??\c:\i684662.exe (PID 3756) [EDE]
62. \??\c:\28448.exe (PID 2288) [EDE, SLD]
63. \??\c:\xrrxfll.exe (PID 3164) [EDE]
64. \??\c:\2400004.exe (PID 3240) [EDE]
65. \??\c:\bbhhbh.exe (PID 3168) [EDE, SLD]
66. \??\c:\djvpj.exe (PID 1956)
67. \??\c:\3ttntt.exe (PID 4312)
68. \??\c:\c404220.exe (PID 2340)
69. \??\c:\2684048.exe (PID 3360)
70. \??\c:\3nttbb.exe (PID 4600)
71. \??\c:\66260.exe (PID 2564)
72. \??\c:\hhhbtb.exe (PID 2976)
73. \??\c:\442822.exe (PID 1556)
74. \??\c:\nnttnt.exe (PID 3212)
75. \??\c:\26282.exe (PID 4476)
76. \??\c:\4886440.exe (PID 692) [SLD]
77. \??\c:\624888.exe (PID 1644)
78. \??\c:\xlfrxrf.exe (PID 4460)
79. \??\c:\frrlfrr.exe (PID 392) [SLD]
80. \??\c:\k80048.exe (PID 3316)
81. \??\c:\rfxrffx.exe (PID 1948)
82. \??\c:\tntnhh.exe (PID 4984)
83. \??\c:\28626.exe (PID 1756)
84. \??\c:\66042.exe (PID 3528)
85. \??\c:\60666.exe (PID 3156)
86. \??\c:\vpdvp.exe (PID 2276)
87. \??\c:\62882.exe (PID 4724)
88. \??\c:\tnnhht.exe (PID 860)
89. \??\c:\8626448.exe (PID 3672)
90. \??\c:\2282042.exe (PID 3236)
91. \??\c:\86446.exe (PID 768)
92. \??\c:\9tnbnt.exe (PID 1332)
93. \??\c:\6660266.exe (PID 3044)
94. \??\c:\u880482.exe (PID 4432)
95. \??\c:\jvpjv.exe (PID 2092)
96. \??\c:\m8860.exe (PID 1324)
97. \??\c:\068804.exe (PID 2780)
98. \??\c:\frxrrlx.exe (PID 3724)
99. \??\c:\1tnbnn.exe (PID 2728)
100. \??\c:\djpdp.exe (PID 2152)
101. \??\c:\lxlfllf.exe (PID 4772)
102. \??\c:\7xrfrxl.exe (PID 5076)
103. \??\c:\bntbtn.exe (PID 4408)
104. \??\c:\2022444.exe (PID 3376)
105. \??\c:\tnthhb.exe (PID 4644)
106. \??\c:\m6044.exe (PID 1864)
107. \??\c:\80822.exe (PID 5036)
108. \??\c:\ntnnnn.exe (PID 1668)
109. \??\c:\o404822.exe (PID 4760)
110. \??\c:\bnbntn.exe (PID 1448)
111. \??\c:\vdjjd.exe (PID 2644)
112. \??\c:\22486.exe (PID 704)
113. \??\c:\240422.exe (PID 4064)
114. \??\c:\9djvp.exe (PID 428)
115. \??\c:\424882.exe (PID 228)
116. \??\c:\o820808.exe (PID 2080)
117. \??\c:\4808488.exe (PID 2652)
118. \??\c:\flllxxr.exe (PID 2336)
119. \??\c:\848608.exe (PID 512)
120. \??\c:\200044.exe (PID 876)
121. \??\c:\rllxlll.exe (PID 1260)
122. \??\c:\9vpjv.exe (PID 1016)
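One way to turn the WriteProcessMemory entries and the process tree above into something a detection engineer can reuse. The Python below is an added example, not tria.ge's code or part of this report: it rebuilds the parent/child chain from an excerpt of the WriteProcessMemory list (collapsing the three writes per pair into one edge), checks that the chain is strictly linear, classifies image names by the naming alphabets visible in this report's dropped files (a heuristic derived from this page only, not a documented Blackmoon indicator), and flags PIDs that occur twice in the tree. The excerpts are copied from the page; the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Excerpt copied from the report's "Suspicious use of WriteProcessMemory" list:
# the first five parent/child links, each listed three times as on the page.
WPM_EXCERPT = """
PID 436 wrote to memory of 2856 436 0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe 89
PID 436 wrote to memory of 2856 436 0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe 89
PID 436 wrote to memory of 2856 436 0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe 89
PID 2856 wrote to memory of 440 2856 3xxxrlf.exe 90
PID 2856 wrote to memory of 440 2856 3xxxrlf.exe 90
PID 2856 wrote to memory of 440 2856 3xxxrlf.exe 90
PID 440 wrote to memory of 1828 440 ppdvp.exe 91
PID 440 wrote to memory of 1828 440 ppdvp.exe 91
PID 440 wrote to memory of 1828 440 ppdvp.exe 91
PID 1828 wrote to memory of 1836 1828 hhnhbb.exe 92
PID 1828 wrote to memory of 1836 1828 hhnhbb.exe 92
PID 1828 wrote to memory of 1836 1828 hhnhbb.exe 92
PID 1836 wrote to memory of 4288 1836 200688.exe 93
PID 1836 wrote to memory of 4288 1836 200688.exe 93
PID 1836 wrote to memory of 4288 1836 200688.exe 93
"""

# Excerpt of the process tree as (depth, pid, image name), copied from the
# report. Depths are not contiguous; PID 3408 appears twice, as on the page.
TREE_EXCERPT = [
    (1, 436, "0f69373643b345c714492d31904e72a0e3cfb052fa4ae1f8718369d44e1e0ef4N.exe"),
    (2, 2856, "3xxxrlf.exe"), (3, 440, "ppdvp.exe"), (4, 1828, "hhnhbb.exe"),
    (5, 1836, "200688.exe"), (9, 3408, "9rxrlff.exe"), (12, 2528, "o860444.exe"),
    (46, 3408, "k06600.exe"), (62, 2288, "28448.exe"),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")

# Naming classes read off this report's dropped files (page-derived heuristic):
# letters from one of three small alphabets with an optional leading digit, or
# even digits only with an optional leading letter.
NAME_CLASSES = {
    "xrlf": re.compile(r"^\d?[xrlf]+\.exe$"),
    "htnb": re.compile(r"^\d?[htnb]+\.exe$"),
    "pdvj": re.compile(r"^\d?[pdvj]+\.exe$"),
    "even-digits": re.compile(r"^[a-z]?[02468]+\.exe$"),
}


def parse_wpm(text):
    """Return {parent_pid: (parent_name, {child_pid, ...})}, collapsing the
    repeated writes per pair into a single edge."""
    edges, names = defaultdict(set), {}
    for m in WPM_RE.finditer(text):
        ppid, cpid, pname = int(m.group(1)), int(m.group(2)), m.group(3)
        edges[ppid].add(cpid)
        names[ppid] = pname
    return {p: (names[p], kids) for p, kids in edges.items()}


def linear_chain(tree):
    """If there is one root and every parent has exactly one child, return the
    PIDs root-to-leaf; otherwise None (a fan-out is a different shape)."""
    children = {c for _, kids in tree.values() for c in kids}
    roots = [p for p in tree if p not in children]
    if len(roots) != 1 or any(len(kids) != 1 for _, kids in tree.values()):
        return None
    chain, pid = [], roots[0]
    while pid in tree:
        chain.append(pid)
        pid = next(iter(tree[pid][1]))
    chain.append(pid)  # the leaf wrote to nobody, so it is not a key
    return chain


def name_class(name):
    """Label for an image name that fits one of the observed classes, else None."""
    n = name.lower()
    for label, rx in NAME_CLASSES.items():
        if rx.match(n):
            return label
    return None


def longest_patterned_run(entries):
    """Longest run of consecutive tree entries whose image name fits a class.
    A single hit is noise (short real names can match); a run of dozens is not."""
    best = cur = 0
    for _, _, name in entries:
        cur = cur + 1 if name_class(name) else 0
        best = max(best, cur)
    return best


def reused_pids(entries):
    """PIDs that occur more than once in the tree. Windows reassigns a finished
    process's PID quickly, so key stages on tree position or (pid, start time)."""
    counts = Counter(pid for _, pid, _ in entries)
    return {pid for pid, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("chain:", linear_chain(parse_wpm(WPM_EXCERPT)))
    print("patterned run:", longest_patterned_run(TREE_EXCERPT))
    print("reused pids:", reused_pids(TREE_EXCERPT))
```

For hunting, the useful signal is the combination: a linear spawn chain of executables in C:\ whose names all fall into these classes, dozens deep, each stage exiting after it spawns the next. Any one of those properties on its own matches legitimate software.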