Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 00:39
Static task
static1
Behavioral task
behavioral1
Sample
97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97.exe
Resource
win7-20240903-en
General
-
Target
97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97.exe
-
Size
454KB
-
MD5
06c767e27f659dae548a928352426708
-
SHA1
f4ff5035542d868489d3e206e6b82a53519308e5
-
SHA256
97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97
-
SHA512
d3f99fa78ce97a2a55bcb568c2577969506f1bb2d7278c6e76a411d8b19e872cde8e2deeeb69acbd6293064de6a85ce63e6f61b1df58fc60135eb4633403dd4a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbem:q7Tc2NYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1228-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/836-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/464-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2664-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4940 20042.exe 1228 9xfxrrl.exe 2888 lllfrxf.exe 212 tnhbhb.exe 1324 pddpd.exe 2352 6620048.exe 320 htnbnh.exe 4316 82888.exe 1172 rrxlxrl.exe 1696 648484.exe 2500 frrrlfx.exe 4124 fxrlfxr.exe 4272 rflrfrl.exe 2780 vjpdj.exe 4636 jvpjv.exe 2020 xllfrlf.exe 4468 084222.exe 5016 04486.exe 2432 nhtnnh.exe 2388 60266.exe 312 288648.exe 3124 frxrlfx.exe 1476 bbbtnh.exe 2588 nbthbt.exe 2948 68208.exe 5044 hthbnh.exe 3792 lffrlfr.exe 836 2886082.exe 1384 4442660.exe 4640 nbhbnn.exe 3828 jppdp.exe 4024 nhhbnn.exe 1960 lrxrlfr.exe 1376 dddvp.exe 1084 2008264.exe 1680 rffrlfr.exe 1728 2648608.exe 2664 82488.exe 2012 bnbnnh.exe 3448 frxrlff.exe 3728 888208.exe 3224 lxrfrlx.exe 3588 pjpdp.exe 4220 rfrrfff.exe 3460 djpdv.exe 5048 9hhbnh.exe 4864 rxfrffx.exe 4392 tbhtnh.exe 4408 bhnnhb.exe 1248 620820.exe 4940 xrlxlfx.exe 4136 646060.exe 2888 44486.exe 5092 68826.exe 4760 vvdvj.exe 2108 602828.exe 2504 a4482.exe 396 lfxrlfx.exe 880 9ffrlrf.exe 3936 btthnh.exe 1580 o660482.exe 60 22448.exe 1512 lflfrlx.exe 116 00486.exe -
resource yara_rule behavioral2/memory/1228-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/836-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2572-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-765-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8026604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8262284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4288668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48604.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1248 wrote to memory of 4940 1248 97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97.exe 83 PID 1248 wrote to memory of 4940 1248 97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97.exe 83 PID 1248 wrote to memory of 4940 1248 97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97.exe 83 PID 4940 wrote to memory of 1228 4940 20042.exe 84 PID 4940 wrote to memory of 1228 4940 20042.exe 84 PID 4940 wrote to memory of 1228 4940 20042.exe 84 PID 1228 wrote to memory of 2888 1228 9xfxrrl.exe 85 PID 1228 wrote to memory of 2888 1228 9xfxrrl.exe 85 PID 1228 wrote to memory of 2888 1228 9xfxrrl.exe 85 PID 2888 wrote to memory of 212 2888 lllfrxf.exe 86 PID 2888 wrote to memory of 212 2888 lllfrxf.exe 86 PID 2888 wrote to memory of 212 2888 lllfrxf.exe 86 PID 212 wrote to memory of 1324 212 tnhbhb.exe 87 PID 212 wrote to memory of 1324 212 tnhbhb.exe 87 PID 212 wrote to memory of 1324 212 tnhbhb.exe 87 PID 1324 wrote to memory of 2352 1324 pddpd.exe 88 PID 1324 wrote to memory of 2352 1324 pddpd.exe 88 PID 1324 wrote to memory of 2352 1324 pddpd.exe 88 PID 2352 wrote to memory of 320 2352 6620048.exe 89 PID 2352 wrote to memory of 320 2352 6620048.exe 89 PID 2352 wrote to memory of 320 2352 6620048.exe 89 PID 320 wrote to memory of 4316 320 htnbnh.exe 90 PID 320 wrote to memory of 4316 320 htnbnh.exe 90 PID 320 wrote to memory of 4316 320 htnbnh.exe 90 PID 4316 wrote to memory of 1172 4316 82888.exe 91 PID 4316 wrote to memory of 1172 4316 82888.exe 91 PID 4316 wrote to memory of 1172 4316 82888.exe 91 PID 1172 wrote to memory of 1696 1172 rrxlxrl.exe 92 PID 1172 wrote to memory of 1696 1172 rrxlxrl.exe 92 PID 1172 wrote to memory of 1696 1172 rrxlxrl.exe 92 PID 1696 wrote to memory of 2500 1696 648484.exe 93 PID 1696 wrote to memory of 2500 1696 648484.exe 93 PID 1696 wrote to memory of 2500 1696 648484.exe 93 PID 2500 wrote to memory of 4124 2500 frrrlfx.exe 94 PID 2500 wrote to memory of 4124 
2500 frrrlfx.exe 94 PID 2500 wrote to memory of 4124 2500 frrrlfx.exe 94 PID 4124 wrote to memory of 4272 4124 fxrlfxr.exe 95 PID 4124 wrote to memory of 4272 4124 fxrlfxr.exe 95 PID 4124 wrote to memory of 4272 4124 fxrlfxr.exe 95 PID 4272 wrote to memory of 2780 4272 rflrfrl.exe 96 PID 4272 wrote to memory of 2780 4272 rflrfrl.exe 96 PID 4272 wrote to memory of 2780 4272 rflrfrl.exe 96 PID 2780 wrote to memory of 4636 2780 vjpdj.exe 97 PID 2780 wrote to memory of 4636 2780 vjpdj.exe 97 PID 2780 wrote to memory of 4636 2780 vjpdj.exe 97 PID 4636 wrote to memory of 2020 4636 jvpjv.exe 98 PID 4636 wrote to memory of 2020 4636 jvpjv.exe 98 PID 4636 wrote to memory of 2020 4636 jvpjv.exe 98 PID 2020 wrote to memory of 4468 2020 xllfrlf.exe 99 PID 2020 wrote to memory of 4468 2020 xllfrlf.exe 99 PID 2020 wrote to memory of 4468 2020 xllfrlf.exe 99 PID 4468 wrote to memory of 5016 4468 084222.exe 100 PID 4468 wrote to memory of 5016 4468 084222.exe 100 PID 4468 wrote to memory of 5016 4468 084222.exe 100 PID 5016 wrote to memory of 2432 5016 04486.exe 101 PID 5016 wrote to memory of 2432 5016 04486.exe 101 PID 5016 wrote to memory of 2432 5016 04486.exe 101 PID 2432 wrote to memory of 2388 2432 nhtnnh.exe 102 PID 2432 wrote to memory of 2388 2432 nhtnnh.exe 102 PID 2432 wrote to memory of 2388 2432 nhtnnh.exe 102 PID 2388 wrote to memory of 312 2388 60266.exe 103 PID 2388 wrote to memory of 312 2388 60266.exe 103 PID 2388 wrote to memory of 312 2388 60266.exe 103 PID 312 wrote to memory of 3124 312 288648.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97.exe"C:\Users\Admin\AppData\Local\Temp\97edfb0b7d56f30679dcd1f6f7f51c84aebe5b03a77f3f5a3dfb1cc23150cf97.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\20042.exec:\20042.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\lllfrxf.exec:\lllfrxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\tnhbhb.exec:\tnhbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\pddpd.exec:\pddpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\6620048.exec:\6620048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\htnbnh.exec:\htnbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\82888.exec:\82888.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\648484.exec:\648484.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\frrrlfx.exec:\frrrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\rflrfrl.exec:\rflrfrl.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\vjpdj.exec:\vjpdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\jvpjv.exec:\jvpjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\xllfrlf.exec:\xllfrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\084222.exec:\084222.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\04486.exec:\04486.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\nhtnnh.exec:\nhtnnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\60266.exec:\60266.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\288648.exec:\288648.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\frxrlfx.exec:\frxrlfx.exe23⤵
- Executes dropped EXE
PID:3124 -
\??\c:\bbbtnh.exec:\bbbtnh.exe24⤵
- Executes dropped EXE
PID:1476 -
\??\c:\nbthbt.exec:\nbthbt.exe25⤵
- Executes dropped EXE
PID:2588 -
\??\c:\68208.exec:\68208.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
\??\c:\hthbnh.exec:\hthbnh.exe27⤵
- Executes dropped EXE
PID:5044 -
\??\c:\lffrlfr.exec:\lffrlfr.exe28⤵
- Executes dropped EXE
PID:3792 -
\??\c:\2886082.exec:\2886082.exe29⤵
- Executes dropped EXE
PID:836 -
\??\c:\4442660.exec:\4442660.exe30⤵
- Executes dropped EXE
PID:1384 -
\??\c:\nbhbnn.exec:\nbhbnn.exe31⤵
- Executes dropped EXE
PID:4640 -
\??\c:\jppdp.exec:\jppdp.exe32⤵
- Executes dropped EXE
PID:3828 -
\??\c:\nhhbnn.exec:\nhhbnn.exe33⤵
- Executes dropped EXE
PID:4024 -
\??\c:\lrxrlfr.exec:\lrxrlfr.exe34⤵
- Executes dropped EXE
PID:1960 -
\??\c:\dddvp.exec:\dddvp.exe35⤵
- Executes dropped EXE
PID:1376 -
\??\c:\2008264.exec:\2008264.exe36⤵
- Executes dropped EXE
PID:1084 -
\??\c:\rffrlfr.exec:\rffrlfr.exe37⤵
- Executes dropped EXE
PID:1680 -
\??\c:\2648608.exec:\2648608.exe38⤵
- Executes dropped EXE
PID:1728 -
\??\c:\82488.exec:\82488.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\bnbnnh.exec:\bnbnnh.exe40⤵
- Executes dropped EXE
PID:2012 -
\??\c:\frxrlff.exec:\frxrlff.exe41⤵
- Executes dropped EXE
PID:3448 -
\??\c:\888208.exec:\888208.exe42⤵
- Executes dropped EXE
PID:3728 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe43⤵
- Executes dropped EXE
PID:3224 -
\??\c:\pjpdp.exec:\pjpdp.exe44⤵
- Executes dropped EXE
PID:3588 -
\??\c:\rfrrfff.exec:\rfrrfff.exe45⤵
- Executes dropped EXE
PID:4220 -
\??\c:\djpdv.exec:\djpdv.exe46⤵
- Executes dropped EXE
PID:3460 -
\??\c:\9hhbnh.exec:\9hhbnh.exe47⤵
- Executes dropped EXE
PID:5048 -
\??\c:\rxfrffx.exec:\rxfrffx.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864 -
\??\c:\tbhtnh.exec:\tbhtnh.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4392 -
\??\c:\bhnnhb.exec:\bhnnhb.exe50⤵
- Executes dropped EXE
PID:4408 -
\??\c:\620820.exec:\620820.exe51⤵
- Executes dropped EXE
PID:1248 -
\??\c:\xrlxlfx.exec:\xrlxlfx.exe52⤵
- Executes dropped EXE
PID:4940 -
\??\c:\646060.exec:\646060.exe53⤵
- Executes dropped EXE
PID:4136 -
\??\c:\44486.exec:\44486.exe54⤵
- Executes dropped EXE
PID:2888 -
\??\c:\68826.exec:\68826.exe55⤵
- Executes dropped EXE
PID:5092 -
\??\c:\vvdvj.exec:\vvdvj.exe56⤵
- Executes dropped EXE
PID:4760 -
\??\c:\602828.exec:\602828.exe57⤵
- Executes dropped EXE
PID:2108 -
\??\c:\a4482.exec:\a4482.exe58⤵
- Executes dropped EXE
PID:2504 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe59⤵
- Executes dropped EXE
PID:396 -
\??\c:\9ffrlrf.exec:\9ffrlrf.exe60⤵
- Executes dropped EXE
PID:880 -
\??\c:\btthnh.exec:\btthnh.exe61⤵
- Executes dropped EXE
PID:3936 -
\??\c:\o660482.exec:\o660482.exe62⤵
- Executes dropped EXE
PID:1580 -
\??\c:\22448.exec:\22448.exe63⤵
- Executes dropped EXE
PID:60 -
\??\c:\lflfrlx.exec:\lflfrlx.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
\??\c:\00486.exec:\00486.exe65⤵
- Executes dropped EXE
PID:116 -
\??\c:\8802488.exec:\8802488.exe66⤵PID:4296
-
\??\c:\62046.exec:\62046.exe67⤵PID:4300
-
\??\c:\ntnnbn.exec:\ntnnbn.exe68⤵PID:528
-
\??\c:\lxxrlfr.exec:\lxxrlfr.exe69⤵PID:2556
-
\??\c:\frrlxfr.exec:\frrlxfr.exe70⤵PID:2004
-
\??\c:\0882824.exec:\0882824.exe71⤵PID:3304
-
\??\c:\dvvdv.exec:\dvvdv.exe72⤵PID:2260
-
\??\c:\08008.exec:\08008.exe73⤵PID:3784
-
\??\c:\246462.exec:\246462.exe74⤵PID:464
-
\??\c:\4448048.exec:\4448048.exe75⤵PID:2044
-
\??\c:\862640.exec:\862640.exe76⤵PID:4428
-
\??\c:\a6642.exec:\a6642.exe77⤵PID:4800
-
\??\c:\frlfxxr.exec:\frlfxxr.exe78⤵PID:3376
-
\??\c:\44420.exec:\44420.exe79⤵PID:3088
-
\??\c:\frrrfxr.exec:\frrrfxr.exe80⤵PID:536
-
\??\c:\dvdvp.exec:\dvdvp.exe81⤵PID:1528
-
\??\c:\rlrlllf.exec:\rlrlllf.exe82⤵PID:3260
-
\??\c:\44224.exec:\44224.exe83⤵PID:1116
-
\??\c:\7vpdj.exec:\7vpdj.exe84⤵PID:3044
-
\??\c:\84666.exec:\84666.exe85⤵PID:2628
-
\??\c:\2604260.exec:\2604260.exe86⤵PID:4064
-
\??\c:\024828.exec:\024828.exe87⤵PID:2860
-
\??\c:\62420.exec:\62420.exe88⤵PID:1740
-
\??\c:\m4448.exec:\m4448.exe89⤵PID:3344
-
\??\c:\8660848.exec:\8660848.exe90⤵PID:3428
-
\??\c:\lxxlxxr.exec:\lxxlxxr.exe91⤵PID:2572
-
\??\c:\2404260.exec:\2404260.exe92⤵PID:3032
-
\??\c:\1vpjd.exec:\1vpjd.exe93⤵PID:2880
-
\??\c:\vdpjj.exec:\vdpjj.exe94⤵PID:1908
-
\??\c:\244482.exec:\244482.exe95⤵PID:4156
-
\??\c:\w80660.exec:\w80660.exe96⤵PID:1020
-
\??\c:\6886042.exec:\6886042.exe97⤵PID:5112
-
\??\c:\5nhbnn.exec:\5nhbnn.exe98⤵PID:3884
-
\??\c:\flxlxrl.exec:\flxlxrl.exe99⤵PID:1728
-
\??\c:\c260820.exec:\c260820.exe100⤵PID:2664
-
\??\c:\k44646.exec:\k44646.exe101⤵PID:2940
-
\??\c:\bnnhbt.exec:\bnnhbt.exe102⤵PID:2332
-
\??\c:\tththb.exec:\tththb.exe103⤵PID:1472
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe104⤵PID:2964
-
\??\c:\i404824.exec:\i404824.exe105⤵PID:952
-
\??\c:\i468822.exec:\i468822.exe106⤵PID:5084
-
\??\c:\c282266.exec:\c282266.exe107⤵PID:3980
-
\??\c:\xllxrlf.exec:\xllxrlf.exe108⤵PID:5048
-
\??\c:\tbbhtn.exec:\tbbhtn.exe109⤵PID:4864
-
\??\c:\6264264.exec:\6264264.exe110⤵PID:4852
-
\??\c:\062048.exec:\062048.exe111⤵PID:1104
-
\??\c:\lflfxxr.exec:\lflfxxr.exe112⤵PID:1836
-
\??\c:\8400000.exec:\8400000.exe113⤵PID:544
-
\??\c:\nbbtnh.exec:\nbbtnh.exe114⤵PID:4756
-
\??\c:\q66088.exec:\q66088.exe115⤵PID:4564
-
\??\c:\vjdvv.exec:\vjdvv.exe116⤵PID:1752
-
\??\c:\2642206.exec:\2642206.exe117⤵PID:2508
-
\??\c:\xllflfr.exec:\xllflfr.exe118⤵PID:1688
-
\??\c:\0228664.exec:\0228664.exe119⤵PID:4404
-
\??\c:\djpdv.exec:\djpdv.exe120⤵PID:3144
-
\??\c:\tbnhhh.exec:\tbnhhh.exe121⤵PID:968
-
\??\c:\ffrlxxx.exec:\ffrlxxx.exe122⤵PID:4316