Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
05/10/2024, 23:35
Behavioral task
behavioral1
Sample
863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0.exe
Resource
win7-20240903-en
General
-
Target
863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0.exe
-
Size
248KB
-
MD5
c8872e0300df5927add0bb1848f3fc87
-
SHA1
7384ddad5c342c8d2563965da08ca04e9628cdcb
-
SHA256
863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0
-
SHA512
48a710c20cfdd0af87451ff7e20eb3b3736af7610ff1c2b9cc956da608500e63ab6de25d44620e5a4c6c873a22ee37fc906d8bd8f40be508923f9d2aca41afcc
-
SSDEEP
3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yLpcgDE4JBuItR8pTsgZ9WT4iaz+6u:ccm4FmowdHoSi9EIBftapTs4WZazm
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1496-6-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2440-19-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2848-15-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2680-13-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4744-29-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4792-36-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4816-42-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3896-50-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4660-60-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/820-68-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4272-65-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5072-77-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4324-105-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4508-139-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2280-219-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2264-258-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3664-266-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/820-262-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3076-254-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3896-247-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1928-240-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4472-236-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2340-226-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4412-203-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1692-193-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3572-187-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2880-181-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4428-175-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2416-169-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1756-162-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4904-157-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1948-150-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3180-145-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3548-128-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/704-123-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2220-121-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4016-111-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1704-100-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1864-93-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/816-88-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3816-87-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/876-285-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/1764-295-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/624-305-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3888-312-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3180-316-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1112-320-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3104-336-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5044-343-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1496-353-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5024-357-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/220-388-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2596-407-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2816-432-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1740-439-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2540-449-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3888-468-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3740-535-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2564-572-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1756-625-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/340-662-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/220-687-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5004-833-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4560-1095-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2848 dvvpv.exe 2680 tbbtht.exe 2440 080008.exe 4744 86486.exe 4792 i266802.exe 4816 1bhnhb.exe 3896 5xxrllf.exe 4328 4044006.exe 4660 q42600.exe 820 2248282.exe 4272 g6226.exe 5072 822604.exe 3816 e46604.exe 816 626002.exe 1864 jpdvj.exe 1704 7bbbtb.exe 4324 dpppj.exe 4016 280044.exe 704 9fxrflf.exe 2220 3bhbbb.exe 3548 22260.exe 1208 2460444.exe 4508 q46666.exe 3180 1rxrrrx.exe 1948 82444.exe 4904 tbntnt.exe 1756 o466004.exe 2416 s6882.exe 4428 jddvp.exe 2880 a2440.exe 3572 ttbhht.exe 1692 xrxffff.exe 5044 tnhhbb.exe 1808 1pppd.exe 4412 0686004.exe 2852 e48262.exe 3032 9djdd.exe 3784 tttnht.exe 2884 lflfxrr.exe 2280 fxlrlll.exe 1680 ttnbnb.exe 2340 68488.exe 4476 tnnhnn.exe 4112 rlrlxxf.exe 4472 thhbtt.exe 1928 1jjdv.exe 1132 7fxrlll.exe 3896 hbbttn.exe 5000 w80826.exe 3076 284048.exe 2264 fxrlllf.exe 820 640044.exe 3664 9fxxrlx.exe 4952 488226.exe 752 ppvvp.exe 3816 2622622.exe 1864 7xrrlrr.exe 876 rxfxrrl.exe 1608 28806.exe 2208 hbhbtt.exe 1764 0848226.exe 2800 00286.exe 1820 lfrlrxf.exe 624 c840044.exe -
resource yara_rule behavioral2/memory/1496-0-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00090000000235c1-3.dat upx behavioral2/memory/2848-8-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1496-6-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235c8-18.dat upx behavioral2/memory/2440-19-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2848-15-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2680-13-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00080000000235c4-11.dat upx behavioral2/files/0x00070000000235ca-24.dat upx behavioral2/files/0x00070000000235cb-31.dat upx behavioral2/memory/4744-29-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235cc-34.dat upx behavioral2/memory/4792-36-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235cd-40.dat upx behavioral2/memory/4816-42-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235ce-47.dat upx behavioral2/memory/3896-50-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235cf-52.dat upx behavioral2/files/0x00070000000235d0-57.dat upx behavioral2/memory/4660-60-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235d1-63.dat upx behavioral2/memory/820-68-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235d2-72.dat upx behavioral2/memory/5072-73-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4272-65-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235d4-78.dat upx behavioral2/memory/5072-77-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235d5-83.dat upx behavioral2/files/0x00070000000235d6-90.dat upx behavioral2/files/0x00080000000235c5-95.dat upx 
behavioral2/files/0x00070000000235d7-101.dat upx behavioral2/memory/4324-105-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235d9-114.dat upx behavioral2/memory/4508-139-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235de-143.dat upx behavioral2/files/0x00070000000235e1-161.dat upx behavioral2/files/0x00070000000235e2-167.dat upx behavioral2/files/0x00070000000235e4-179.dat upx behavioral2/files/0x00070000000235e6-191.dat upx behavioral2/memory/2280-219-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2264-258-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3664-266-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/820-262-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3076-254-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3896-247-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1928-240-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4472-236-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2340-226-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4412-203-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1692-193-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3572-187-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235e5-185.dat upx behavioral2/memory/2880-181-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4428-175-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235e3-173.dat upx behavioral2/memory/2416-169-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1756-162-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4904-157-0x0000000000400000-0x0000000000436000-memory.dmp upx 
behavioral2/files/0x00070000000235e0-155.dat upx behavioral2/memory/1948-150-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235df-149.dat upx behavioral2/memory/3180-145-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00070000000235dd-137.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6226604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6026666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e62660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c840044.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1496 wrote to memory of 2848 1496 863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0.exe 89 PID 1496 wrote to memory of 2848 1496 863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0.exe 89 PID 1496 wrote to memory of 2848 1496 863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0.exe 89 PID 2848 wrote to memory of 2680 2848 dvvpv.exe 90 PID 2848 wrote to memory of 2680 2848 dvvpv.exe 90 PID 2848 wrote to memory of 2680 2848 dvvpv.exe 90 PID 2680 wrote to memory of 2440 2680 tbbtht.exe 91 PID 2680 wrote to memory of 2440 2680 tbbtht.exe 91 PID 2680 wrote to memory of 2440 2680 tbbtht.exe 91 PID 2440 wrote to memory of 4744 2440 080008.exe 92 PID 2440 wrote to memory of 4744 2440 080008.exe 92 PID 2440 wrote to memory of 4744 2440 080008.exe 92 PID 4744 wrote to memory of 4792 4744 86486.exe 93 PID 4744 wrote to memory of 4792 4744 86486.exe 93 PID 4744 wrote to memory of 4792 4744 86486.exe 93 PID 4792 wrote to memory of 4816 4792 i266802.exe 94 PID 4792 wrote to memory of 4816 4792 i266802.exe 94 PID 4792 wrote to memory of 4816 4792 i266802.exe 94 PID 4816 wrote to memory of 3896 4816 1bhnhb.exe 136 PID 4816 wrote to memory of 3896 4816 1bhnhb.exe 136 PID 4816 wrote to memory of 3896 4816 1bhnhb.exe 136 PID 3896 wrote to memory of 4328 3896 5xxrllf.exe 96 PID 3896 wrote to memory of 4328 3896 5xxrllf.exe 96 PID 3896 wrote to memory of 4328 3896 5xxrllf.exe 96 PID 4328 wrote to memory of 4660 4328 4044006.exe 97 PID 4328 wrote to memory of 4660 4328 4044006.exe 97 PID 4328 wrote to memory of 4660 4328 4044006.exe 97 PID 4660 wrote to memory of 820 4660 q42600.exe 140 PID 4660 wrote to memory of 820 4660 q42600.exe 140 PID 4660 wrote to memory of 820 4660 q42600.exe 140 PID 820 wrote to memory of 4272 820 2248282.exe 99 PID 820 wrote to memory of 4272 820 2248282.exe 99 PID 820 wrote to memory of 4272 820 2248282.exe 99 PID 4272 wrote to memory of 5072 4272 g6226.exe 100 PID 4272 wrote 
to memory of 5072 4272 g6226.exe 100 PID 4272 wrote to memory of 5072 4272 g6226.exe 100 PID 5072 wrote to memory of 3816 5072 822604.exe 144 PID 5072 wrote to memory of 3816 5072 822604.exe 144 PID 5072 wrote to memory of 3816 5072 822604.exe 144 PID 3816 wrote to memory of 816 3816 e46604.exe 102 PID 3816 wrote to memory of 816 3816 e46604.exe 102 PID 3816 wrote to memory of 816 3816 e46604.exe 102 PID 816 wrote to memory of 1864 816 626002.exe 145 PID 816 wrote to memory of 1864 816 626002.exe 145 PID 816 wrote to memory of 1864 816 626002.exe 145 PID 1864 wrote to memory of 1704 1864 jpdvj.exe 104 PID 1864 wrote to memory of 1704 1864 jpdvj.exe 104 PID 1864 wrote to memory of 1704 1864 jpdvj.exe 104 PID 1704 wrote to memory of 4324 1704 7bbbtb.exe 105 PID 1704 wrote to memory of 4324 1704 7bbbtb.exe 105 PID 1704 wrote to memory of 4324 1704 7bbbtb.exe 105 PID 4324 wrote to memory of 4016 4324 dpppj.exe 106 PID 4324 wrote to memory of 4016 4324 dpppj.exe 106 PID 4324 wrote to memory of 4016 4324 dpppj.exe 106 PID 4016 wrote to memory of 704 4016 280044.exe 107 PID 4016 wrote to memory of 704 4016 280044.exe 107 PID 4016 wrote to memory of 704 4016 280044.exe 107 PID 704 wrote to memory of 2220 704 9fxrflf.exe 108 PID 704 wrote to memory of 2220 704 9fxrflf.exe 108 PID 704 wrote to memory of 2220 704 9fxrflf.exe 108 PID 2220 wrote to memory of 3548 2220 3bhbbb.exe 109 PID 2220 wrote to memory of 3548 2220 3bhbbb.exe 109 PID 2220 wrote to memory of 3548 2220 3bhbbb.exe 109 PID 3548 wrote to memory of 1208 3548 22260.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0.exe"C:\Users\Admin\AppData\Local\Temp\863635bcc114b61385065bcf9d5c23d886db181056b32b2804ed7ecb8ffe72e0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\dvvpv.exec:\dvvpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\tbbtht.exec:\tbbtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\080008.exec:\080008.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\86486.exec:\86486.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\i266802.exec:\i266802.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\1bhnhb.exec:\1bhnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\5xxrllf.exec:\5xxrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\4044006.exec:\4044006.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\q42600.exec:\q42600.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\2248282.exec:\2248282.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\g6226.exec:\g6226.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\822604.exec:\822604.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\e46604.exec:\e46604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\626002.exec:\626002.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\jpdvj.exec:\jpdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\7bbbtb.exec:\7bbbtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\dpppj.exec:\dpppj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\280044.exec:\280044.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\9fxrflf.exec:\9fxrflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\3bhbbb.exec:\3bhbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\22260.exec:\22260.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\2460444.exec:\2460444.exe23⤵
- Executes dropped EXE
PID:1208 -
\??\c:\q46666.exec:\q46666.exe24⤵
- Executes dropped EXE
PID:4508 -
\??\c:\1rxrrrx.exec:\1rxrrrx.exe25⤵
- Executes dropped EXE
PID:3180 -
\??\c:\82444.exec:\82444.exe26⤵
- Executes dropped EXE
PID:1948 -
\??\c:\tbntnt.exec:\tbntnt.exe27⤵
- Executes dropped EXE
PID:4904 -
\??\c:\o466004.exec:\o466004.exe28⤵
- Executes dropped EXE
PID:1756 -
\??\c:\s6882.exec:\s6882.exe29⤵
- Executes dropped EXE
PID:2416 -
\??\c:\jddvp.exec:\jddvp.exe30⤵
- Executes dropped EXE
PID:4428 -
\??\c:\a2440.exec:\a2440.exe31⤵
- Executes dropped EXE
PID:2880 -
\??\c:\ttbhht.exec:\ttbhht.exe32⤵
- Executes dropped EXE
PID:3572 -
\??\c:\xrxffff.exec:\xrxffff.exe33⤵
- Executes dropped EXE
PID:1692 -
\??\c:\tnhhbb.exec:\tnhhbb.exe34⤵
- Executes dropped EXE
PID:5044 -
\??\c:\1pppd.exec:\1pppd.exe35⤵
- Executes dropped EXE
PID:1808 -
\??\c:\0686004.exec:\0686004.exe36⤵
- Executes dropped EXE
PID:4412 -
\??\c:\e48262.exec:\e48262.exe37⤵
- Executes dropped EXE
PID:2852 -
\??\c:\9djdd.exec:\9djdd.exe38⤵
- Executes dropped EXE
PID:3032 -
\??\c:\tttnht.exec:\tttnht.exe39⤵
- Executes dropped EXE
PID:3784 -
\??\c:\lflfxrr.exec:\lflfxrr.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\fxlrlll.exec:\fxlrlll.exe41⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ttnbnb.exec:\ttnbnb.exe42⤵
- Executes dropped EXE
PID:1680 -
\??\c:\68488.exec:\68488.exe43⤵
- Executes dropped EXE
PID:2340 -
\??\c:\tnnhnn.exec:\tnnhnn.exe44⤵
- Executes dropped EXE
PID:4476 -
\??\c:\rlrlxxf.exec:\rlrlxxf.exe45⤵
- Executes dropped EXE
PID:4112 -
\??\c:\thhbtt.exec:\thhbtt.exe46⤵
- Executes dropped EXE
PID:4472 -
\??\c:\1jjdv.exec:\1jjdv.exe47⤵
- Executes dropped EXE
PID:1928 -
\??\c:\7fxrlll.exec:\7fxrlll.exe48⤵
- Executes dropped EXE
PID:1132 -
\??\c:\hbbttn.exec:\hbbttn.exe49⤵
- Executes dropped EXE
PID:3896 -
\??\c:\w80826.exec:\w80826.exe50⤵
- Executes dropped EXE
PID:5000 -
\??\c:\284048.exec:\284048.exe51⤵
- Executes dropped EXE
PID:3076 -
\??\c:\fxrlllf.exec:\fxrlllf.exe52⤵
- Executes dropped EXE
PID:2264 -
\??\c:\640044.exec:\640044.exe53⤵
- Executes dropped EXE
PID:820 -
\??\c:\9fxxrlx.exec:\9fxxrlx.exe54⤵
- Executes dropped EXE
PID:3664 -
\??\c:\488226.exec:\488226.exe55⤵
- Executes dropped EXE
PID:4952 -
\??\c:\ppvvp.exec:\ppvvp.exe56⤵
- Executes dropped EXE
PID:752 -
\??\c:\2622622.exec:\2622622.exe57⤵
- Executes dropped EXE
PID:3816 -
\??\c:\7xrrlrr.exec:\7xrrlrr.exe58⤵
- Executes dropped EXE
PID:1864 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe59⤵
- Executes dropped EXE
PID:876 -
\??\c:\28806.exec:\28806.exe60⤵
- Executes dropped EXE
PID:1608 -
\??\c:\hbhbtt.exec:\hbhbtt.exe61⤵
- Executes dropped EXE
PID:2208 -
\??\c:\0848226.exec:\0848226.exe62⤵
- Executes dropped EXE
PID:1764 -
\??\c:\00286.exec:\00286.exe63⤵
- Executes dropped EXE
PID:2800 -
\??\c:\lfrlrxf.exec:\lfrlrxf.exe64⤵
- Executes dropped EXE
PID:1820 -
\??\c:\c840044.exec:\c840044.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:624 -
\??\c:\9ffxxxr.exec:\9ffxxxr.exe66⤵PID:1556
-
\??\c:\6800004.exec:\6800004.exe67⤵PID:3888
-
\??\c:\vpvvp.exec:\vpvvp.exe68⤵PID:3180
-
\??\c:\jvddv.exec:\jvddv.exe69⤵PID:1112
-
\??\c:\k40042.exec:\k40042.exe70⤵PID:1656
-
\??\c:\jjvvv.exec:\jjvvv.exe71⤵PID:4520
-
\??\c:\q80042.exec:\q80042.exe72⤵PID:2972
-
\??\c:\hhbhnn.exec:\hhbhnn.exe73⤵PID:1744
-
\??\c:\dddvv.exec:\dddvv.exe74⤵PID:3104
-
\??\c:\jjvpp.exec:\jjvpp.exe75⤵PID:3832
-
\??\c:\rxffxxx.exec:\rxffxxx.exe76⤵PID:5044
-
\??\c:\26440.exec:\26440.exe77⤵PID:3940
-
\??\c:\806262.exec:\806262.exe78⤵PID:2848
-
\??\c:\462600.exec:\462600.exe79⤵PID:1496
-
\??\c:\thhhbb.exec:\thhhbb.exe80⤵PID:5024
-
\??\c:\u866660.exec:\u866660.exe81⤵PID:3268
-
\??\c:\6466888.exec:\6466888.exe82⤵PID:3372
-
\??\c:\1lrlfxl.exec:\1lrlfxl.exe83⤵PID:3512
-
\??\c:\nthhbh.exec:\nthhbh.exe84⤵PID:4792
-
\??\c:\xffflxf.exec:\xffflxf.exe85⤵PID:2716
-
\??\c:\g2826.exec:\g2826.exe86⤵PID:4748
-
\??\c:\8800660.exec:\8800660.exe87⤵PID:4476
-
\??\c:\46226.exec:\46226.exe88⤵PID:2500
-
\??\c:\fffrlll.exec:\fffrlll.exe89⤵PID:428
-
\??\c:\0244882.exec:\0244882.exe90⤵PID:220
-
\??\c:\60600.exec:\60600.exe91⤵PID:32
-
\??\c:\rrrlxxf.exec:\rrrlxxf.exe92⤵PID:2336
-
\??\c:\xrrrlll.exec:\xrrrlll.exe93⤵PID:3744
-
\??\c:\tnnhbb.exec:\tnnhbb.exe94⤵PID:2984
-
\??\c:\xrxlfxr.exec:\xrxlfxr.exe95⤵PID:1048
-
\??\c:\i020004.exec:\i020004.exe96⤵PID:2596
-
\??\c:\xfrxxxr.exec:\xfrxxxr.exe97⤵PID:4648
-
\??\c:\5nbtnn.exec:\5nbtnn.exe98⤵PID:2944
-
\??\c:\284488.exec:\284488.exe99⤵PID:4736
-
\??\c:\606022.exec:\606022.exe100⤵PID:640
-
\??\c:\5bbnbh.exec:\5bbnbh.exe101⤵PID:1220
-
\??\c:\jpppv.exec:\jpppv.exe102⤵PID:4588
-
\??\c:\s6660.exec:\s6660.exe103⤵PID:1004
-
\??\c:\xxrrfrx.exec:\xxrrfrx.exe104⤵PID:2816
-
\??\c:\frfxxxr.exec:\frfxxxr.exe105⤵PID:692
-
\??\c:\xrrrrrx.exec:\xrrrrrx.exe106⤵PID:1740
-
\??\c:\pvdvv.exec:\pvdvv.exe107⤵PID:4664
-
\??\c:\tbtnbb.exec:\tbtnbb.exe108⤵PID:1480
-
\??\c:\2602048.exec:\2602048.exe109⤵PID:2540
-
\??\c:\224444.exec:\224444.exe110⤵PID:1932
-
\??\c:\80620.exec:\80620.exe111⤵PID:3712
-
\??\c:\g6828.exec:\g6828.exe112⤵PID:2412
-
\??\c:\hbhtnn.exec:\hbhtnn.exe113⤵PID:2236
-
\??\c:\82004.exec:\82004.exe114⤵PID:1556
-
\??\c:\5btthh.exec:\5btthh.exe115⤵PID:3888
-
\??\c:\8026604.exec:\8026604.exe116⤵PID:456
-
\??\c:\042222.exec:\042222.exe117⤵PID:1112
-
\??\c:\264826.exec:\264826.exe118⤵PID:4912
-
\??\c:\4022224.exec:\4022224.exe119⤵PID:2416
-
\??\c:\i426600.exec:\i426600.exe120⤵PID:2792
-
\??\c:\684822.exec:\684822.exe121⤵PID:4860
-
\??\c:\dpvpj.exec:\dpvpj.exe122⤵PID:4940
-