Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 22:53
Behavioral task
behavioral1
Sample
466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5N.exe
Resource
win7-20240708-en
General
-
Target
466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5N.exe
-
Size
254KB
-
MD5
ffa4325a3ad4f104ebdb9e41491f29f0
-
SHA1
8ab87968da4fcc59608bae089b8b81d4cd9c846e
-
SHA256
466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5
-
SHA512
7605b2b77a642b462d8185c7b46bf4af30f081f85c04cc387e4d3ad0aeeef6b251c7b38e9d4076e0e6d1c102de2c9d369ce06006e534fbd4e25bd6d26126a7b9
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOaKHpolTjZXvEQo9dfBP/e:y4wFHoS3eFaKHpKT9XvEhdfBP/e
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/768-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2572-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2612-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1660-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1396-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3248-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2660-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1072-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3080-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3764-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-525-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-550-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-581-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-654-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/664-673-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1020-710-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3736-729-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-736-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-791-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-867-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-964-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-1835-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5072 26266.exe 1428 xxxlxlx.exe 2648 22044.exe 2140 02820.exe 1252 864426.exe 3092 lflxxxf.exe 1456 hhbhbn.exe 2236 8260860.exe 2572 828682.exe 2320 2244264.exe 2828 fffrfxl.exe 4976 6422228.exe 1640 9frlxxx.exe 632 5hbthh.exe 1548 26024.exe 3720 88824.exe 4248 nnnhht.exe 4788 c068648.exe 1044 428482.exe 2248 o848260.exe 1152 pdvjd.exe 3484 5hbthb.exe 2580 hnnbnh.exe 4152 662260.exe 2232 7lfrfxr.exe 2612 rfxfxxr.exe 4584 8226482.exe 4456 btnhbb.exe 1216 0244824.exe 1660 428664.exe 1108 04488.exe 2176 82482.exe 3472 3vjdj.exe 2732 02882.exe 1724 6282600.exe 1332 422044.exe 1128 djvpp.exe 4176 1btnhh.exe 1396 860666.exe 2596 8226666.exe 3620 xrrlllr.exe 4060 jdpjj.exe 4428 bbbnhb.exe 3552 xrfxxll.exe 4500 jddjd.exe 4876 5bnnnn.exe 4752 2002266.exe 2964 k68448.exe 2272 dpvpj.exe 1792 264848.exe 1760 5hbbtn.exe 1504 842268.exe 3144 dppdv.exe 2092 fffxrlf.exe 4684 rfxxrrr.exe 4984 08826.exe 1372 lxrfrll.exe 3020 tttthb.exe 2088 422082.exe 2320 628682.exe 2828 044860.exe 2620 44040.exe 4976 088604.exe 3120 288648.exe -
resource yara_rule behavioral2/memory/768-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b82-3.dat upx behavioral2/memory/768-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c71-9.dat upx behavioral2/memory/1428-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5072-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c79-14.dat upx behavioral2/memory/1428-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7a-22.dat upx behavioral2/memory/2648-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2140-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7b-30.dat upx behavioral2/files/0x0007000000023c7c-34.dat upx behavioral2/files/0x0007000000023c7d-39.dat upx behavioral2/memory/3092-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-45.dat upx behavioral2/memory/1456-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-52.dat upx behavioral2/memory/2572-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c80-56.dat upx behavioral2/files/0x0007000000023c81-61.dat upx behavioral2/memory/2320-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-68.dat upx behavioral2/memory/4976-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-75.dat upx behavioral2/files/0x0007000000023c84-78.dat upx behavioral2/memory/632-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c75-85.dat upx behavioral2/files/0x0007000000023c85-89.dat upx behavioral2/memory/1548-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c86-96.dat upx 
behavioral2/memory/3720-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c87-101.dat upx behavioral2/memory/4248-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4788-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-109.dat upx behavioral2/memory/1044-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-116.dat upx behavioral2/memory/2248-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-120.dat upx behavioral2/memory/2248-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1152-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8c-128.dat upx behavioral2/files/0x0007000000023c8d-133.dat upx behavioral2/memory/3484-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-140.dat upx behavioral2/memory/4152-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-145.dat upx behavioral2/memory/4152-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2232-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2580-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-152.dat upx behavioral2/memory/2612-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-158.dat upx behavioral2/files/0x0007000000023c92-165.dat upx behavioral2/memory/4584-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4456-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-170.dat upx behavioral2/files/0x0007000000023c94-175.dat upx behavioral2/files/0x0007000000023c95-180.dat upx behavioral2/memory/1660-182-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c96-186.dat upx behavioral2/memory/2176-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2732-199-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by reading the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o628888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
66600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6666448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 408844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8460620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6842666.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 768 wrote to memory of 5072 768 466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5N.exe 85 PID 768 wrote to memory of 5072 768 466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5N.exe 85 PID 768 wrote to memory of 5072 768 466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5N.exe 85 PID 5072 wrote to memory of 1428 5072 26266.exe 86 PID 5072 wrote to memory of 1428 5072 26266.exe 86 PID 5072 wrote to memory of 1428 5072 26266.exe 86 PID 1428 wrote to memory of 2648 1428 xxxlxlx.exe 87 PID 1428 wrote to memory of 2648 1428 xxxlxlx.exe 87 PID 1428 wrote to memory of 2648 1428 xxxlxlx.exe 87 PID 2648 wrote to memory of 2140 2648 22044.exe 88 PID 2648 wrote to memory of 2140 2648 22044.exe 88 PID 2648 wrote to memory of 2140 2648 22044.exe 88 PID 2140 wrote to memory of 1252 2140 02820.exe 89 PID 2140 wrote to memory of 1252 2140 02820.exe 89 PID 2140 wrote to memory of 1252 2140 02820.exe 89 PID 1252 wrote to memory of 3092 1252 864426.exe 90 PID 1252 wrote to memory of 3092 1252 864426.exe 90 PID 1252 wrote to memory of 3092 1252 864426.exe 90 PID 3092 wrote to memory of 1456 3092 lflxxxf.exe 91 PID 3092 wrote to memory of 1456 3092 lflxxxf.exe 91 PID 3092 wrote to memory of 1456 3092 lflxxxf.exe 91 PID 1456 wrote to memory of 2236 1456 hhbhbn.exe 92 PID 1456 wrote to memory of 2236 1456 hhbhbn.exe 92 PID 1456 wrote to memory of 2236 1456 hhbhbn.exe 92 PID 2236 wrote to memory of 2572 2236 8260860.exe 93 PID 2236 wrote to memory of 2572 2236 8260860.exe 93 PID 2236 wrote to memory of 2572 2236 8260860.exe 93 PID 2572 wrote to memory of 2320 2572 828682.exe 94 PID 2572 wrote to memory of 2320 2572 828682.exe 94 PID 2572 wrote to memory of 2320 2572 828682.exe 94 PID 2320 wrote to memory of 2828 2320 2244264.exe 95 PID 2320 wrote to memory of 2828 2320 2244264.exe 95 PID 2320 wrote to memory of 2828 2320 2244264.exe 95 PID 2828 wrote to memory of 4976 2828 fffrfxl.exe 96 PID 2828 wrote to 
memory of 4976 2828 fffrfxl.exe 96 PID 2828 wrote to memory of 4976 2828 fffrfxl.exe 96 PID 4976 wrote to memory of 1640 4976 6422228.exe 97 PID 4976 wrote to memory of 1640 4976 6422228.exe 97 PID 4976 wrote to memory of 1640 4976 6422228.exe 97 PID 1640 wrote to memory of 632 1640 9frlxxx.exe 98 PID 1640 wrote to memory of 632 1640 9frlxxx.exe 98 PID 1640 wrote to memory of 632 1640 9frlxxx.exe 98 PID 632 wrote to memory of 1548 632 5hbthh.exe 99 PID 632 wrote to memory of 1548 632 5hbthh.exe 99 PID 632 wrote to memory of 1548 632 5hbthh.exe 99 PID 1548 wrote to memory of 3720 1548 26024.exe 100 PID 1548 wrote to memory of 3720 1548 26024.exe 100 PID 1548 wrote to memory of 3720 1548 26024.exe 100 PID 3720 wrote to memory of 4248 3720 88824.exe 101 PID 3720 wrote to memory of 4248 3720 88824.exe 101 PID 3720 wrote to memory of 4248 3720 88824.exe 101 PID 4248 wrote to memory of 4788 4248 nnnhht.exe 102 PID 4248 wrote to memory of 4788 4248 nnnhht.exe 102 PID 4248 wrote to memory of 4788 4248 nnnhht.exe 102 PID 4788 wrote to memory of 1044 4788 c068648.exe 103 PID 4788 wrote to memory of 1044 4788 c068648.exe 103 PID 4788 wrote to memory of 1044 4788 c068648.exe 103 PID 1044 wrote to memory of 2248 1044 428482.exe 104 PID 1044 wrote to memory of 2248 1044 428482.exe 104 PID 1044 wrote to memory of 2248 1044 428482.exe 104 PID 2248 wrote to memory of 1152 2248 o848260.exe 105 PID 2248 wrote to memory of 1152 2248 o848260.exe 105 PID 2248 wrote to memory of 1152 2248 o848260.exe 105 PID 1152 wrote to memory of 3484 1152 pdvjd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5N.exe"C:\Users\Admin\AppData\Local\Temp\466e506bdb901c41a6db1bae2dc97a899c8d016aef38e0515d103c2a71a103c5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\26266.exec:\26266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\xxxlxlx.exec:\xxxlxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\22044.exec:\22044.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\02820.exec:\02820.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\864426.exec:\864426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\lflxxxf.exec:\lflxxxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\hhbhbn.exec:\hhbhbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\8260860.exec:\8260860.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\828682.exec:\828682.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\2244264.exec:\2244264.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\fffrfxl.exec:\fffrfxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\6422228.exec:\6422228.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\9frlxxx.exec:\9frlxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\5hbthh.exec:\5hbthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\26024.exec:\26024.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\88824.exec:\88824.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\nnnhht.exec:\nnnhht.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\c068648.exec:\c068648.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\428482.exec:\428482.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\o848260.exec:\o848260.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\pdvjd.exec:\pdvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\5hbthb.exec:\5hbthb.exe23⤵
- Executes dropped EXE
PID:3484 -
\??\c:\hnnbnh.exec:\hnnbnh.exe24⤵
- Executes dropped EXE
PID:2580 -
\??\c:\662260.exec:\662260.exe25⤵
- Executes dropped EXE
PID:4152 -
\??\c:\7lfrfxr.exec:\7lfrfxr.exe26⤵
- Executes dropped EXE
PID:2232 -
\??\c:\rfxfxxr.exec:\rfxfxxr.exe27⤵
- Executes dropped EXE
PID:2612 -
\??\c:\8226482.exec:\8226482.exe28⤵
- Executes dropped EXE
PID:4584 -
\??\c:\btnhbb.exec:\btnhbb.exe29⤵
- Executes dropped EXE
PID:4456 -
\??\c:\0244824.exec:\0244824.exe30⤵
- Executes dropped EXE
PID:1216 -
\??\c:\428664.exec:\428664.exe31⤵
- Executes dropped EXE
PID:1660 -
\??\c:\04488.exec:\04488.exe32⤵
- Executes dropped EXE
PID:1108 -
\??\c:\82482.exec:\82482.exe33⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3vjdj.exec:\3vjdj.exe34⤵
- Executes dropped EXE
PID:3472 -
\??\c:\02882.exec:\02882.exe35⤵
- Executes dropped EXE
PID:2732 -
\??\c:\6282600.exec:\6282600.exe36⤵
- Executes dropped EXE
PID:1724 -
\??\c:\422044.exec:\422044.exe37⤵
- Executes dropped EXE
PID:1332 -
\??\c:\djvpp.exec:\djvpp.exe38⤵
- Executes dropped EXE
PID:1128 -
\??\c:\1btnhh.exec:\1btnhh.exe39⤵
- Executes dropped EXE
PID:4176 -
\??\c:\860666.exec:\860666.exe40⤵
- Executes dropped EXE
PID:1396 -
\??\c:\8226666.exec:\8226666.exe41⤵
- Executes dropped EXE
PID:2596 -
\??\c:\xrrlllr.exec:\xrrlllr.exe42⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jdpjj.exec:\jdpjj.exe43⤵
- Executes dropped EXE
PID:4060 -
\??\c:\bbbnhb.exec:\bbbnhb.exe44⤵
- Executes dropped EXE
PID:4428 -
\??\c:\xrfxxll.exec:\xrfxxll.exe45⤵
- Executes dropped EXE
PID:3552 -
\??\c:\vjjjd.exec:\vjjjd.exe46⤵PID:4352
-
\??\c:\jddjd.exec:\jddjd.exe47⤵
- Executes dropped EXE
PID:4500 -
\??\c:\5bnnnn.exec:\5bnnnn.exe48⤵
- Executes dropped EXE
PID:4876 -
\??\c:\2002266.exec:\2002266.exe49⤵
- Executes dropped EXE
PID:4752 -
\??\c:\k68448.exec:\k68448.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\dpvpj.exec:\dpvpj.exe51⤵
- Executes dropped EXE
PID:2272 -
\??\c:\264848.exec:\264848.exe52⤵
- Executes dropped EXE
PID:1792 -
\??\c:\5hbbtn.exec:\5hbbtn.exe53⤵
- Executes dropped EXE
PID:1760 -
\??\c:\842268.exec:\842268.exe54⤵
- Executes dropped EXE
PID:1504 -
\??\c:\dppdv.exec:\dppdv.exe55⤵
- Executes dropped EXE
PID:3144 -
\??\c:\fffxrlf.exec:\fffxrlf.exe56⤵
- Executes dropped EXE
PID:2092 -
\??\c:\rfxxrrr.exec:\rfxxrrr.exe57⤵
- Executes dropped EXE
PID:4684 -
\??\c:\08826.exec:\08826.exe58⤵
- Executes dropped EXE
PID:4984 -
\??\c:\lxrfrll.exec:\lxrfrll.exe59⤵
- Executes dropped EXE
PID:1372 -
\??\c:\tttthb.exec:\tttthb.exe60⤵
- Executes dropped EXE
PID:3020 -
\??\c:\422082.exec:\422082.exe61⤵
- Executes dropped EXE
PID:2088 -
\??\c:\628682.exec:\628682.exe62⤵
- Executes dropped EXE
PID:2320 -
\??\c:\044860.exec:\044860.exe63⤵
- Executes dropped EXE
PID:2828 -
\??\c:\44040.exec:\44040.exe64⤵
- Executes dropped EXE
PID:2620 -
\??\c:\088604.exec:\088604.exe65⤵
- Executes dropped EXE
PID:4976 -
\??\c:\288648.exec:\288648.exe66⤵
- Executes dropped EXE
PID:3120 -
\??\c:\dpdpj.exec:\dpdpj.exe67⤵PID:3060
-
\??\c:\pvjvp.exec:\pvjvp.exe68⤵PID:2168
-
\??\c:\6026420.exec:\6026420.exe69⤵PID:1416
-
\??\c:\64008.exec:\64008.exe70⤵PID:3720
-
\??\c:\6628424.exec:\6628424.exe71⤵PID:4248
-
\??\c:\lllfxrr.exec:\lllfxrr.exe72⤵PID:2840
-
\??\c:\flrxfxx.exec:\flrxfxx.exe73⤵PID:648
-
\??\c:\080886.exec:\080886.exe74⤵PID:640
-
\??\c:\lrlfxrf.exec:\lrlfxrf.exe75⤵PID:2820
-
\??\c:\lrxrfxr.exec:\lrxrfxr.exe76⤵PID:2836
-
\??\c:\2206068.exec:\2206068.exe77⤵PID:1984
-
\??\c:\jvpdp.exec:\jvpdp.exe78⤵PID:4412
-
\??\c:\40626.exec:\40626.exe79⤵PID:928
-
\??\c:\6626484.exec:\6626484.exe80⤵PID:4380
-
\??\c:\5lxrxrx.exec:\5lxrxrx.exe81⤵PID:3984
-
\??\c:\88842.exec:\88842.exe82⤵PID:1804
-
\??\c:\thhtbt.exec:\thhtbt.exe83⤵PID:3776
-
\??\c:\rxllxrr.exec:\rxllxrr.exe84⤵PID:2612
-
\??\c:\06086.exec:\06086.exe85⤵PID:3300
-
\??\c:\0660604.exec:\0660604.exe86⤵PID:740
-
\??\c:\c288226.exec:\c288226.exe87⤵PID:3172
-
\??\c:\hnhhhb.exec:\hnhhhb.exe88⤵PID:1216
-
\??\c:\1bhhnn.exec:\1bhhnn.exe89⤵PID:3312
-
\??\c:\6448484.exec:\6448484.exe90⤵PID:1980
-
\??\c:\6226042.exec:\6226042.exe91⤵PID:64
-
\??\c:\pvjvd.exec:\pvjvd.exe92⤵PID:1256
-
\??\c:\0060002.exec:\0060002.exe93⤵PID:4736
-
\??\c:\7lxlrfl.exec:\7lxlrfl.exe94⤵PID:1864
-
\??\c:\1djvv.exec:\1djvv.exe95⤵PID:2516
-
\??\c:\hbntbn.exec:\hbntbn.exe96⤵PID:3248
-
\??\c:\nbnhtn.exec:\nbnhtn.exe97⤵PID:2660
-
\??\c:\644820.exec:\644820.exe98⤵PID:4364
-
\??\c:\lxxrfxx.exec:\lxxrfxx.exe99⤵PID:1072
-
\??\c:\vjpdp.exec:\vjpdp.exe100⤵PID:4424
-
\??\c:\bnthtb.exec:\bnthtb.exe101⤵PID:2116
-
\??\c:\7ppjd.exec:\7ppjd.exe102⤵PID:4320
-
\??\c:\64420.exec:\64420.exe103⤵PID:4060
-
\??\c:\ddpdd.exec:\ddpdd.exe104⤵PID:4428
-
\??\c:\3vdpp.exec:\3vdpp.exe105⤵PID:3080
-
\??\c:\40482.exec:\40482.exe106⤵PID:2244
-
\??\c:\628264.exec:\628264.exe107⤵PID:1428
-
\??\c:\2686660.exec:\2686660.exe108⤵PID:3588
-
\??\c:\8660882.exec:\8660882.exe109⤵PID:4144
-
\??\c:\lxxrlfl.exec:\lxxrlfl.exe110⤵PID:2648
-
\??\c:\6468484.exec:\6468484.exe111⤵PID:2864
-
\??\c:\djdvj.exec:\djdvj.exe112⤵PID:2480
-
\??\c:\1tnbnn.exec:\1tnbnn.exe113⤵PID:368
-
\??\c:\64604.exec:\64604.exe114⤵PID:3840
-
\??\c:\bhnhtn.exec:\bhnhtn.exe115⤵PID:2616
-
\??\c:\jdvpv.exec:\jdvpv.exe116⤵PID:3764
-
\??\c:\hbbbtn.exec:\hbbbtn.exe117⤵PID:4700
-
\??\c:\662264.exec:\662264.exe118⤵PID:3508
-
\??\c:\pvdvd.exec:\pvdvd.exe119⤵PID:4864
-
\??\c:\vdpdp.exec:\vdpdp.exe120⤵PID:2020
-
\??\c:\688648.exec:\688648.exe121⤵PID:1264
-
\??\c:\w22082.exec:\w22082.exe122⤵PID:536