Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2024, 23:09
Static task
static1
Behavioral task
behavioral1
Sample
814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe
Resource
win7-20241010-en
General
-
Target
814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe
-
Size
454KB
-
MD5
98a36b6efbadfb162c9385dd15051be9
-
SHA1
946f0af36c66a31e3c22bfe16a90c57a667eb0e1
-
SHA256
814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c
-
SHA512
f43b3c058475550871e80983f675d30fba1e39980a035727d19c9dc8fae34de311040cca6b95ad4ab368f0dcbed29dfaa9d0ad23ff511682702929f3f86f3989
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3492-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5008-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4176-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-1384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1812-1469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4864 w44260.exe 4736 0688842.exe 2724 888204.exe 4364 400006.exe 920 6828686.exe 2524 bnthnh.exe 1788 20042.exe 976 8644260.exe 1544 202264.exe 3664 8686486.exe 1296 4480044.exe 2232 tnbbnn.exe 2152 jdppv.exe 5064 2480486.exe 3096 jdjvv.exe 3148 xlrfrfr.exe 4720 4028226.exe 4548 42044.exe 1160 42046.exe 4724 42848.exe 2204 8226048.exe 3896 5rrrxxr.exe 2500 0886082.exe 3480 dvdpd.exe 2060 266026.exe 5008 022266.exe 3996 pvdvv.exe 5028 htnhtn.exe 4188 5nntnt.exe 1816 686228.exe 60 fxfffrr.exe 64 800044.exe 2320 0448882.exe 4796 bbhhbb.exe 216 604448.exe 2216 e40482.exe 3632 822222.exe 836 tnbhtn.exe 4516 006040.exe 1520 lxxxrrl.exe 1056 e68826.exe 2652 8446644.exe 4408 nbhhbb.exe 808 4262424.exe 2284 0400460.exe 4508 jdvvd.exe 4400 2060820.exe 3428 hhtntn.exe 4520 flxflxr.exe 972 o808888.exe 3968 44882.exe 2836 fxxrxxx.exe 1480 68200.exe 3228 4682660.exe 4748 frxxxxx.exe 1504 8044882.exe 2612 lxxfllr.exe 4824 ddjdj.exe 4456 0400662.exe 3888 3xlxrlf.exe 944 08222.exe 3384 c408204.exe 2976 tbtttt.exe 2476 vpddv.exe -
resource yara_rule behavioral2/memory/3492-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5008-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2056-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-681-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8044882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u040440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 446082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u860860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0848060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q06426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3492 wrote to memory of 4864 3492 814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe 84 PID 3492 wrote to memory of 4864 3492 814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe 84 PID 3492 wrote to memory of 4864 3492 814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe 84 PID 4864 wrote to memory of 4736 4864 w44260.exe 85 PID 4864 wrote to memory of 4736 4864 w44260.exe 85 PID 4864 wrote to memory of 4736 4864 w44260.exe 85 PID 4736 wrote to memory of 2724 4736 0688842.exe 86 PID 4736 wrote to memory of 2724 4736 0688842.exe 86 PID 4736 wrote to memory of 2724 4736 0688842.exe 86 PID 2724 wrote to memory of 4364 2724 888204.exe 87 PID 2724 wrote to memory of 4364 2724 888204.exe 87 PID 2724 wrote to memory of 4364 2724 888204.exe 87 PID 4364 wrote to memory of 920 4364 400006.exe 88 PID 4364 wrote to memory of 920 4364 400006.exe 88 PID 4364 wrote to memory of 920 4364 400006.exe 88 PID 920 wrote to memory of 2524 920 6828686.exe 89 PID 920 wrote to memory of 2524 920 6828686.exe 89 PID 920 wrote to memory of 2524 920 6828686.exe 89 PID 2524 wrote to memory of 1788 2524 bnthnh.exe 90 PID 2524 wrote to memory of 1788 2524 bnthnh.exe 90 PID 2524 wrote to memory of 1788 2524 bnthnh.exe 90 PID 1788 wrote to memory of 976 1788 20042.exe 91 PID 1788 wrote to memory of 976 1788 20042.exe 91 PID 1788 wrote to memory of 976 1788 20042.exe 91 PID 976 wrote to memory of 1544 976 8644260.exe 92 PID 976 wrote to memory of 1544 976 8644260.exe 92 PID 976 wrote to memory of 1544 976 8644260.exe 92 PID 1544 wrote to memory of 3664 1544 202264.exe 93 PID 1544 wrote to memory of 3664 1544 202264.exe 93 PID 1544 wrote to memory of 3664 1544 202264.exe 93 PID 3664 wrote to memory of 1296 3664 8686486.exe 94 PID 3664 wrote to memory of 1296 3664 8686486.exe 94 PID 3664 wrote to memory of 1296 3664 8686486.exe 94 PID 1296 wrote to memory of 2232 1296 4480044.exe 95 PID 1296 wrote to memory of 
2232 1296 4480044.exe 95 PID 1296 wrote to memory of 2232 1296 4480044.exe 95 PID 2232 wrote to memory of 2152 2232 tnbbnn.exe 96 PID 2232 wrote to memory of 2152 2232 tnbbnn.exe 96 PID 2232 wrote to memory of 2152 2232 tnbbnn.exe 96 PID 2152 wrote to memory of 5064 2152 jdppv.exe 97 PID 2152 wrote to memory of 5064 2152 jdppv.exe 97 PID 2152 wrote to memory of 5064 2152 jdppv.exe 97 PID 5064 wrote to memory of 3096 5064 2480486.exe 98 PID 5064 wrote to memory of 3096 5064 2480486.exe 98 PID 5064 wrote to memory of 3096 5064 2480486.exe 98 PID 3096 wrote to memory of 3148 3096 jdjvv.exe 99 PID 3096 wrote to memory of 3148 3096 jdjvv.exe 99 PID 3096 wrote to memory of 3148 3096 jdjvv.exe 99 PID 3148 wrote to memory of 4720 3148 xlrfrfr.exe 100 PID 3148 wrote to memory of 4720 3148 xlrfrfr.exe 100 PID 3148 wrote to memory of 4720 3148 xlrfrfr.exe 100 PID 4720 wrote to memory of 4548 4720 4028226.exe 101 PID 4720 wrote to memory of 4548 4720 4028226.exe 101 PID 4720 wrote to memory of 4548 4720 4028226.exe 101 PID 4548 wrote to memory of 1160 4548 42044.exe 102 PID 4548 wrote to memory of 1160 4548 42044.exe 102 PID 4548 wrote to memory of 1160 4548 42044.exe 102 PID 1160 wrote to memory of 4724 1160 42046.exe 103 PID 1160 wrote to memory of 4724 1160 42046.exe 103 PID 1160 wrote to memory of 4724 1160 42046.exe 103 PID 4724 wrote to memory of 2204 4724 42848.exe 104 PID 4724 wrote to memory of 2204 4724 42848.exe 104 PID 4724 wrote to memory of 2204 4724 42848.exe 104 PID 2204 wrote to memory of 3896 2204 8226048.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe"C:\Users\Admin\AppData\Local\Temp\814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\w44260.exec:\w44260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\0688842.exec:\0688842.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\888204.exec:\888204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\400006.exec:\400006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\6828686.exec:\6828686.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\bnthnh.exec:\bnthnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\20042.exec:\20042.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\8644260.exec:\8644260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\202264.exec:\202264.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\8686486.exec:\8686486.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\4480044.exec:\4480044.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\tnbbnn.exec:\tnbbnn.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jdppv.exec:\jdppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\2480486.exec:\2480486.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\jdjvv.exec:\jdjvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\xlrfrfr.exec:\xlrfrfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\4028226.exec:\4028226.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\42044.exec:\42044.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\42046.exec:\42046.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\42848.exec:\42848.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\8226048.exec:\8226048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\5rrrxxr.exec:\5rrrxxr.exe23⤵
- Executes dropped EXE
PID:3896 -
\??\c:\0886082.exec:\0886082.exe24⤵
- Executes dropped EXE
PID:2500 -
\??\c:\dvdpd.exec:\dvdpd.exe25⤵
- Executes dropped EXE
PID:3480 -
\??\c:\266026.exec:\266026.exe26⤵
- Executes dropped EXE
PID:2060 -
\??\c:\022266.exec:\022266.exe27⤵
- Executes dropped EXE
PID:5008 -
\??\c:\pvdvv.exec:\pvdvv.exe28⤵
- Executes dropped EXE
PID:3996 -
\??\c:\htnhtn.exec:\htnhtn.exe29⤵
- Executes dropped EXE
PID:5028 -
\??\c:\5nntnt.exec:\5nntnt.exe30⤵
- Executes dropped EXE
PID:4188 -
\??\c:\686228.exec:\686228.exe31⤵
- Executes dropped EXE
PID:1816 -
\??\c:\fxfffrr.exec:\fxfffrr.exe32⤵
- Executes dropped EXE
PID:60 -
\??\c:\800044.exec:\800044.exe33⤵
- Executes dropped EXE
PID:64 -
\??\c:\0448882.exec:\0448882.exe34⤵
- Executes dropped EXE
PID:2320 -
\??\c:\bbhhbb.exec:\bbhhbb.exe35⤵
- Executes dropped EXE
PID:4796 -
\??\c:\604448.exec:\604448.exe36⤵
- Executes dropped EXE
PID:216 -
\??\c:\e40482.exec:\e40482.exe37⤵
- Executes dropped EXE
PID:2216 -
\??\c:\822222.exec:\822222.exe38⤵
- Executes dropped EXE
PID:3632 -
\??\c:\tnbhtn.exec:\tnbhtn.exe39⤵
- Executes dropped EXE
PID:836 -
\??\c:\006040.exec:\006040.exe40⤵
- Executes dropped EXE
PID:4516 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe41⤵
- Executes dropped EXE
PID:1520 -
\??\c:\e68826.exec:\e68826.exe42⤵
- Executes dropped EXE
PID:1056 -
\??\c:\8446644.exec:\8446644.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\nbhhbb.exec:\nbhhbb.exe44⤵
- Executes dropped EXE
PID:4408 -
\??\c:\4262424.exec:\4262424.exe45⤵
- Executes dropped EXE
PID:808 -
\??\c:\0400460.exec:\0400460.exe46⤵
- Executes dropped EXE
PID:2284 -
\??\c:\jdvvd.exec:\jdvvd.exe47⤵
- Executes dropped EXE
PID:4508 -
\??\c:\2060820.exec:\2060820.exe48⤵
- Executes dropped EXE
PID:4400 -
\??\c:\hhtntn.exec:\hhtntn.exe49⤵
- Executes dropped EXE
PID:3428 -
\??\c:\flxflxr.exec:\flxflxr.exe50⤵
- Executes dropped EXE
PID:4520 -
\??\c:\o808888.exec:\o808888.exe51⤵
- Executes dropped EXE
PID:972 -
\??\c:\44882.exec:\44882.exe52⤵
- Executes dropped EXE
PID:3968 -
\??\c:\fxxrxxx.exec:\fxxrxxx.exe53⤵
- Executes dropped EXE
PID:2836 -
\??\c:\68200.exec:\68200.exe54⤵
- Executes dropped EXE
PID:1480 -
\??\c:\4682660.exec:\4682660.exe55⤵
- Executes dropped EXE
PID:3228 -
\??\c:\frxxxxx.exec:\frxxxxx.exe56⤵
- Executes dropped EXE
PID:4748 -
\??\c:\8044882.exec:\8044882.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
\??\c:\lxxfllr.exec:\lxxfllr.exe58⤵
- Executes dropped EXE
PID:2612 -
\??\c:\ddjdj.exec:\ddjdj.exe59⤵
- Executes dropped EXE
PID:4824 -
\??\c:\0400662.exec:\0400662.exe60⤵
- Executes dropped EXE
PID:4456 -
\??\c:\3xlxrlf.exec:\3xlxrlf.exe61⤵
- Executes dropped EXE
PID:3888 -
\??\c:\08222.exec:\08222.exe62⤵
- Executes dropped EXE
PID:944 -
\??\c:\c408204.exec:\c408204.exe63⤵
- Executes dropped EXE
PID:3384 -
\??\c:\tbtttt.exec:\tbtttt.exe64⤵
- Executes dropped EXE
PID:2976 -
\??\c:\vpddv.exec:\vpddv.exe65⤵
- Executes dropped EXE
PID:2476 -
\??\c:\i826442.exec:\i826442.exe66⤵PID:2152
-
\??\c:\4888222.exec:\4888222.exe67⤵PID:1124
-
\??\c:\dppjd.exec:\dppjd.exe68⤵PID:5076
-
\??\c:\bthtnh.exec:\bthtnh.exe69⤵PID:1152
-
\??\c:\646862.exec:\646862.exe70⤵PID:2212
-
\??\c:\u682660.exec:\u682660.exe71⤵PID:3920
-
\??\c:\tbhthb.exec:\tbhthb.exe72⤵PID:4176
-
\??\c:\20844.exec:\20844.exe73⤵PID:2736
-
\??\c:\jdjdv.exec:\jdjdv.exe74⤵PID:2664
-
\??\c:\44042.exec:\44042.exe75⤵PID:1588
-
\??\c:\282622.exec:\282622.exe76⤵PID:4992
-
\??\c:\686266.exec:\686266.exe77⤵PID:4524
-
\??\c:\68448.exec:\68448.exe78⤵PID:4984
-
\??\c:\00080.exec:\00080.exe79⤵PID:4204
-
\??\c:\s8842.exec:\s8842.exe80⤵PID:5020
-
\??\c:\lfflxxx.exec:\lfflxxx.exe81⤵PID:2500
-
\??\c:\02826.exec:\02826.exe82⤵PID:2056
-
\??\c:\5vvjd.exec:\5vvjd.exe83⤵PID:652
-
\??\c:\frrrrrl.exec:\frrrrrl.exe84⤵PID:4152
-
\??\c:\082604.exec:\082604.exe85⤵PID:2608
-
\??\c:\482222.exec:\482222.exe86⤵PID:1804
-
\??\c:\w40448.exec:\w40448.exe87⤵PID:4476
-
\??\c:\rlrlffx.exec:\rlrlffx.exe88⤵PID:5028
-
\??\c:\rfrrrff.exec:\rfrrrff.exe89⤵PID:1488
-
\??\c:\ttbttn.exec:\ttbttn.exe90⤵PID:3184
-
\??\c:\0448400.exec:\0448400.exe91⤵PID:676
-
\??\c:\3djdj.exec:\3djdj.exe92⤵PID:60
-
\??\c:\thhtnt.exec:\thhtnt.exe93⤵PID:2564
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe94⤵PID:1764
-
\??\c:\i066000.exec:\i066000.exe95⤵PID:1256
-
\??\c:\vvppj.exec:\vvppj.exe96⤵PID:3916
-
\??\c:\m2006.exec:\m2006.exe97⤵PID:768
-
\??\c:\7pjpd.exec:\7pjpd.exe98⤵PID:3876
-
\??\c:\u040440.exec:\u040440.exe99⤵
- System Location Discovery: System Language Discovery
PID:1880 -
\??\c:\5rlfflr.exec:\5rlfflr.exe100⤵PID:4516
-
\??\c:\88826.exec:\88826.exe101⤵PID:3672
-
\??\c:\04088.exec:\04088.exe102⤵PID:4812
-
\??\c:\btbhhh.exec:\btbhhh.exe103⤵PID:2928
-
\??\c:\e62648.exec:\e62648.exe104⤵PID:4880
-
\??\c:\8622266.exec:\8622266.exe105⤵PID:3380
-
\??\c:\jjjvp.exec:\jjjvp.exe106⤵PID:3376
-
\??\c:\s4860.exec:\s4860.exe107⤵PID:4460
-
\??\c:\804884.exec:\804884.exe108⤵PID:1440
-
\??\c:\fxfxxlx.exec:\fxfxxlx.exe109⤵PID:1696
-
\??\c:\7lfxfff.exec:\7lfxfff.exe110⤵PID:2644
-
\??\c:\hbbttt.exec:\hbbttt.exe111⤵PID:228
-
\??\c:\llffxxr.exec:\llffxxr.exe112⤵PID:4716
-
\??\c:\4288226.exec:\4288226.exe113⤵PID:2724
-
\??\c:\826444.exec:\826444.exe114⤵PID:5044
-
\??\c:\m6640.exec:\m6640.exe115⤵PID:3932
-
\??\c:\hnnbtt.exec:\hnnbtt.exe116⤵PID:3784
-
\??\c:\4802626.exec:\4802626.exe117⤵PID:2276
-
\??\c:\5rrlffx.exec:\5rrlffx.exe118⤵PID:5072
-
\??\c:\pdddv.exec:\pdddv.exe119⤵PID:1968
-
\??\c:\xflxxrl.exec:\xflxxrl.exe120⤵PID:2468
-
\??\c:\60606.exec:\60606.exe121⤵PID:1516
-
\??\c:\pdvjd.exec:\pdvjd.exe122⤵PID:4344