Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2024, 00:31
Behavioral task: behavioral1
- Sample: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
- Resource: win7-20241010-en
General
- Target: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
- Size: 332KB
- MD5: 557ed787bced7e444ccf6021227a8ce7
- SHA1: 6ea7f7320f3ba030684e9d43f93f296ca0385f44
- SHA256: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6
- SHA512: 719708aaf8303f4a08f06960bbcf3bca67699d9c006af778eb6f293b074e318c227c0fdcd591872f7b2407fe095c8138f3c9933f2e3b179373574f63ba8566de
- SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeHN:R4wFHoSHYHUrAwfMp3CDHN
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the process's nesting depth in the tree, its executable path, its PID and, in brackets, the signatures it triggered.
1. C:\Users\Admin\AppData\Local\Temp\c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe (PID 2372) [Suspicious use of WriteProcessMemory]
2. \??\c:\fxxrlrl.exe (PID 4528) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3. \??\c:\dvppd.exe (PID 3920) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4. \??\c:\262620.exe (PID 2968) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5. \??\c:\468444.exe (PID 5072) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6. \??\c:\vdpjj.exe (PID 4224) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7. \??\c:\xfrrrrf.exe (PID 4900) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8. \??\c:\068828.exe (PID 4160) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9. \??\c:\462822.exe (PID 1540) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10. \??\c:\4824440.exe (PID 2112) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11. \??\c:\42480.exe (PID 3264) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12. \??\c:\2460666.exe (PID 2224) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13. \??\c:\a2426.exe (PID 2600) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14. \??\c:\tnttnt.exe (PID 2016) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15. \??\c:\0622662.exe (PID 3256) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16. \??\c:\7lrrlrr.exe (PID 4584) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17. \??\c:\1rxfflr.exe (PID 1180) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18. \??\c:\066004.exe (PID 548) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19. \??\c:\2400448.exe (PID 4152) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20. \??\c:\i026004.exe (PID 216) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21. \??\c:\djvpj.exe (PID 964) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22. \??\c:\o884888.exe (PID 1488) [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23. \??\c:\2428288.exe (PID 2868) [Executes dropped EXE]
24. \??\c:\84624.exe (PID 3084) [Executes dropped EXE]
25. \??\c:\6066004.exe (PID 1956) [Executes dropped EXE]
26. \??\c:\jpdvv.exe (PID 2276) [Executes dropped EXE]
27. \??\c:\vpddj.exe (PID 4332) [Executes dropped EXE]
28. \??\c:\lflfffx.exe (PID 1292) [Executes dropped EXE]
29. \??\c:\pvddv.exe (PID 4416) [Executes dropped EXE]
30. \??\c:\68888.exe (PID 3156) [Executes dropped EXE]
31. \??\c:\82606.exe (PID 2316) [Executes dropped EXE]
32. \??\c:\5flfflf.exe (PID 972) [Executes dropped EXE]
33. \??\c:\lflfffr.exe (PID 2168) [Executes dropped EXE]
34. \??\c:\pdjdd.exe (PID 3576) [Executes dropped EXE]
35. \??\c:\nbnhnh.exe (PID 4600) [Executes dropped EXE]
36. \??\c:\62486.exe (PID 1012) [Executes dropped EXE]
37. \??\c:\frfxxff.exe (PID 740) [Executes dropped EXE]
38. \??\c:\00842.exe (PID 940) [Executes dropped EXE]
39. \??\c:\6066026.exe (PID 1004) [Executes dropped EXE]
40. \??\c:\6264068.exe (PID 2596) [Executes dropped EXE]
41. \??\c:\m4460.exe (PID 3764) [Executes dropped EXE]
42. \??\c:\rffrfxl.exe (PID 1780) [Executes dropped EXE]
43. \??\c:\84042.exe (PID 1496) [Executes dropped EXE]
44. \??\c:\nnhthn.exe (PID 4860) [Executes dropped EXE]
45. \??\c:\8468686.exe (PID 1008) [Executes dropped EXE]
46. \??\c:\80042.exe (PID 800) [Executes dropped EXE]
47. \??\c:\08824.exe (PID 2668) [Executes dropped EXE]
48. \??\c:\886600.exe (PID 1500) [Executes dropped EXE]
49. \??\c:\hnhbnh.exe (PID 448) [Executes dropped EXE]
50. \??\c:\dvjpd.exe (PID 2692) [Executes dropped EXE]
51. \??\c:\k06000.exe (PID 4948) [Executes dropped EXE]
52. \??\c:\4288640.exe (PID 1076) [Executes dropped EXE]
53. \??\c:\48420.exe (PID 2660) [Executes dropped EXE]
54. \??\c:\rxxlrrl.exe (PID 4932) [Executes dropped EXE]
55. \??\c:\frrlxrf.exe (PID 1368) [Executes dropped EXE]
56. \??\c:\rrfrlfr.exe (PID 2004) [Executes dropped EXE]
57. \??\c:\0006826.exe (PID 112) [Executes dropped EXE]
58. \??\c:\84488.exe (PID 3104) [Executes dropped EXE]
59. \??\c:\lrrlfxr.exe (PID 4452) [Executes dropped EXE]
60. \??\c:\84486.exe (PID 4988)
61. \??\c:\062262.exe (PID 1848) [Executes dropped EXE]
62. \??\c:\s8060.exe (PID 1432) [Executes dropped EXE]
63. \??\c:\m0822.exe (PID 2892) [Executes dropped EXE]
64. \??\c:\w64882.exe (PID 3304) [Executes dropped EXE]
65. \??\c:\tnnhbt.exe (PID 640) [Executes dropped EXE]
66. \??\c:\0022222.exe (PID 756) [Executes dropped EXE]
67. \??\c:\64008.exe (PID 5072)
68. \??\c:\w60828.exe (PID 4224)
69. \??\c:\jvvpj.exe (PID 2956)
70. \??\c:\bhbthb.exe (PID 1096)
71. \??\c:\llrlrrl.exe (PID 4052)
72. \??\c:\rrffxxx.exe (PID 5092)
73. \??\c:\bhtnhh.exe (PID 1528)
74. \??\c:\062226.exe (PID 1084)
75. \??\c:\846200.exe (PID 864)
76. \??\c:\2600422.exe (PID 532)
77. \??\c:\008204.exe (PID 4540)
78. \??\c:\dvdvv.exe (PID 2344)
79. \??\c:\820444.exe (PID 2600)
80. \??\c:\24044.exe (PID 1936)
81. \??\c:\vdjjd.exe (PID 3256)
82. \??\c:\hntnhb.exe (PID 3180)
83. \??\c:\8888288.exe (PID 2708)
84. \??\c:\g4044.exe (PID 4952)
85. \??\c:\648400.exe (PID 4832)
86. \??\c:\2688446.exe (PID 3540) [System Location Discovery: System Language Discovery]
87. \??\c:\rlrlfff.exe (PID 1676)
88. \??\c:\4622606.exe (PID 4616)
89. \??\c:\lxfrrlf.exe (PID 3832)
90. \??\c:\lfxrffl.exe (PID 3812)
91. \??\c:\4420448.exe (PID 2084)
92. \??\c:\tbnhbb.exe (PID 512)
93. \??\c:\nbbbtn.exe (PID 4856)
94. \??\c:\frlxffl.exe (PID 2604)
95. \??\c:\6280444.exe (PID 4612)
96. \??\c:\28400.exe (PID 2032)
97. \??\c:\o444006.exe (PID 2804)
98. \??\c:\44448.exe (PID 1868)
99. \??\c:\hntttt.exe (PID 4416)
100. \??\c:\xrrrlff.exe (PID 2652)
101. \??\c:\pdpjj.exe (PID 2684)
102. \??\c:\e08026.exe (PID 5096)
103. \??\c:\66826.exe (PID 2268)
104. \??\c:\9ffrlff.exe (PID 4628)
105. \??\c:\vddpj.exe (PID 1124)
106. \??\c:\dpvvj.exe (PID 2308)
107. \??\c:\pdjdp.exe (PID 836)
108. \??\c:\8282000.exe (PID 1504)
109. \??\c:\2844882.exe (PID 4680)
110. \??\c:\28882.exe (PID 1012)
111. \??\c:\68442.exe (PID 740)
112. \??\c:\8226044.exe (PID 2560)
113. \??\c:\rflllff.exe (PID 1984)
114. \??\c:\k24440.exe (PID 2596)
115. \??\c:\086288.exe (PID 3764)
116. \??\c:\nhnnnn.exe (PID 1780)
117. \??\c:\vdddv.exe (PID 1496)
118. \??\c:\886082.exe (PID 3868)
119. \??\c:\hhhhtt.exe (PID 4592)
120. \??\c:\q40044.exe (PID 4636)
121. \??\c:\2626000.exe (PID 4796)
122. \??\c:\20088.exe (PID 2024)