Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 01:49
Static task
static1
Behavioral task
behavioral1
Sample
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe
Resource
win7-20240903-en
General
-
Target
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe
-
Size
454KB
-
MD5
a283e376125e3a47c88b2e7c1d5f6c4e
-
SHA1
ead8f9437a61757c2da005fcc3570ea1c36e30e2
-
SHA256
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c
-
SHA512
14b4f957f96c71423ab2c757e12a9cc5342d9c9eeaa6e13458efb2284c868a463e0b0a09b133f4e28c32cf97268be81e5e7734d39df652e62387dcb6e7ba468d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1R:q7Tc2NYHUrAwfMp3CD1R
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1860-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1300-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4080-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-1014-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4880 1djjd.exe 4476 vvpjj.exe 2164 884842.exe 2316 tbhbtt.exe 4536 26044.exe 856 frxrrrr.exe 4176 82048.exe 2088 ppjdd.exe 3704 lxxlffr.exe 4184 022082.exe 1924 62226.exe 2864 fxxxlll.exe 432 ppjjd.exe 3128 fxfxrxx.exe 2624 vpvpj.exe 4980 424448.exe 4988 btbhtb.exe 4612 jvddv.exe 1052 06660.exe 1940 nnhbtt.exe 4372 428282.exe 4876 42244.exe 1620 3flfrrr.exe 224 xllfrll.exe 2096 8222222.exe 2248 lfxrxrr.exe 4948 dpdvp.exe 1352 06820.exe 2960 llrllfl.exe 2320 80260.exe 4072 48082.exe 4400 00826.exe 4200 jpjjv.exe 4140 9nhthb.exe 3212 8042608.exe 4496 dpvpj.exe 4660 o060482.exe 1016 bhtthb.exe 3416 hbtnbt.exe 4984 m4228.exe 1716 nhhtbb.exe 2988 llrffxr.exe 2900 k88082.exe 1300 622644.exe 1228 hhnntt.exe 1212 0648484.exe 3512 0048282.exe 840 djpjv.exe 1252 bbthhb.exe 4424 8848226.exe 2428 20824.exe 1860 04246.exe 764 006082.exe 1096 rrxlxrr.exe 3472 djppj.exe 4492 266222.exe 2380 7ddvp.exe 5052 jvjdd.exe 1512 68862.exe 4696 u020426.exe 4404 pvpdv.exe 876 822644.exe 4264 i808822.exe 4184 bhhhhn.exe -
resource yara_rule behavioral2/memory/1860-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-217-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1016-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4172-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-864-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-946-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-989-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2842608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1860 wrote to memory of 4880 1860 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 83 PID 1860 wrote to memory of 4880 1860 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 83 PID 1860 wrote to memory of 4880 1860 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 83 PID 4880 wrote to memory of 4476 4880 1djjd.exe 84 PID 4880 wrote to memory of 4476 4880 1djjd.exe 84 PID 4880 wrote to memory of 4476 4880 1djjd.exe 84 PID 4476 wrote to memory of 2164 4476 vvpjj.exe 85 PID 4476 wrote to memory of 2164 4476 vvpjj.exe 85 PID 4476 wrote to memory of 2164 4476 vvpjj.exe 85 PID 2164 wrote to memory of 2316 2164 884842.exe 86 PID 2164 wrote to memory of 2316 2164 884842.exe 86 PID 2164 wrote to memory of 2316 2164 884842.exe 86 PID 2316 wrote to memory of 4536 2316 tbhbtt.exe 87 PID 2316 wrote to memory of 4536 2316 tbhbtt.exe 87 PID 2316 wrote to memory of 4536 2316 tbhbtt.exe 87 PID 4536 wrote to memory of 856 4536 26044.exe 88 PID 4536 wrote to memory of 856 4536 26044.exe 88 PID 4536 wrote to memory of 856 4536 26044.exe 88 PID 856 wrote to memory of 4176 856 frxrrrr.exe 89 PID 856 wrote to memory of 4176 856 frxrrrr.exe 89 PID 856 wrote to memory of 4176 856 frxrrrr.exe 89 PID 4176 wrote to memory of 2088 4176 82048.exe 90 PID 4176 wrote to memory of 2088 4176 82048.exe 90 PID 4176 wrote to memory of 2088 4176 82048.exe 90 PID 2088 wrote to memory of 3704 2088 ppjdd.exe 91 PID 2088 wrote to memory of 3704 2088 ppjdd.exe 91 PID 2088 wrote to memory of 3704 2088 ppjdd.exe 91 PID 3704 wrote to memory of 4184 3704 lxxlffr.exe 92 PID 3704 wrote to memory of 4184 3704 lxxlffr.exe 92 PID 3704 wrote to memory of 4184 3704 lxxlffr.exe 92 PID 4184 wrote to memory of 1924 4184 022082.exe 93 PID 4184 wrote to memory of 1924 4184 022082.exe 93 PID 4184 wrote to memory of 1924 4184 022082.exe 93 PID 1924 wrote to memory of 2864 1924 62226.exe 94 PID 1924 wrote to memory of 2864 1924 
62226.exe 94 PID 1924 wrote to memory of 2864 1924 62226.exe 94 PID 2864 wrote to memory of 432 2864 fxxxlll.exe 95 PID 2864 wrote to memory of 432 2864 fxxxlll.exe 95 PID 2864 wrote to memory of 432 2864 fxxxlll.exe 95 PID 432 wrote to memory of 3128 432 ppjjd.exe 96 PID 432 wrote to memory of 3128 432 ppjjd.exe 96 PID 432 wrote to memory of 3128 432 ppjjd.exe 96 PID 3128 wrote to memory of 2624 3128 fxfxrxx.exe 97 PID 3128 wrote to memory of 2624 3128 fxfxrxx.exe 97 PID 3128 wrote to memory of 2624 3128 fxfxrxx.exe 97 PID 2624 wrote to memory of 4980 2624 vpvpj.exe 98 PID 2624 wrote to memory of 4980 2624 vpvpj.exe 98 PID 2624 wrote to memory of 4980 2624 vpvpj.exe 98 PID 4980 wrote to memory of 4988 4980 424448.exe 99 PID 4980 wrote to memory of 4988 4980 424448.exe 99 PID 4980 wrote to memory of 4988 4980 424448.exe 99 PID 4988 wrote to memory of 4612 4988 btbhtb.exe 100 PID 4988 wrote to memory of 4612 4988 btbhtb.exe 100 PID 4988 wrote to memory of 4612 4988 btbhtb.exe 100 PID 4612 wrote to memory of 1052 4612 jvddv.exe 101 PID 4612 wrote to memory of 1052 4612 jvddv.exe 101 PID 4612 wrote to memory of 1052 4612 jvddv.exe 101 PID 1052 wrote to memory of 1940 1052 06660.exe 102 PID 1052 wrote to memory of 1940 1052 06660.exe 102 PID 1052 wrote to memory of 1940 1052 06660.exe 102 PID 1940 wrote to memory of 4372 1940 nnhbtt.exe 103 PID 1940 wrote to memory of 4372 1940 nnhbtt.exe 103 PID 1940 wrote to memory of 4372 1940 nnhbtt.exe 103 PID 4372 wrote to memory of 4876 4372 428282.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe"C:\Users\Admin\AppData\Local\Temp\abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\1djjd.exec:\1djjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\vvpjj.exec:\vvpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\884842.exec:\884842.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\tbhbtt.exec:\tbhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\26044.exec:\26044.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\frxrrrr.exec:\frxrrrr.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\82048.exec:\82048.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\ppjdd.exec:\ppjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\lxxlffr.exec:\lxxlffr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\022082.exec:\022082.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\62226.exec:\62226.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\fxxxlll.exec:\fxxxlll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\ppjjd.exec:\ppjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\fxfxrxx.exec:\fxfxrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\vpvpj.exec:\vpvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\424448.exec:\424448.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\btbhtb.exec:\btbhtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\jvddv.exec:\jvddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\06660.exec:\06660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\nnhbtt.exec:\nnhbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\428282.exec:\428282.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\42244.exec:\42244.exe23⤵
- Executes dropped EXE
PID:4876 -
\??\c:\3flfrrr.exec:\3flfrrr.exe24⤵
- Executes dropped EXE
PID:1620 -
\??\c:\xllfrll.exec:\xllfrll.exe25⤵
- Executes dropped EXE
PID:224 -
\??\c:\8222222.exec:\8222222.exe26⤵
- Executes dropped EXE
PID:2096 -
\??\c:\lfxrxrr.exec:\lfxrxrr.exe27⤵
- Executes dropped EXE
PID:2248 -
\??\c:\dpdvp.exec:\dpdvp.exe28⤵
- Executes dropped EXE
PID:4948 -
\??\c:\06820.exec:\06820.exe29⤵
- Executes dropped EXE
PID:1352 -
\??\c:\llrllfl.exec:\llrllfl.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\80260.exec:\80260.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\48082.exec:\48082.exe32⤵
- Executes dropped EXE
PID:4072 -
\??\c:\00826.exec:\00826.exe33⤵
- Executes dropped EXE
PID:4400 -
\??\c:\jpjjv.exec:\jpjjv.exe34⤵
- Executes dropped EXE
PID:4200 -
\??\c:\9nhthb.exec:\9nhthb.exe35⤵
- Executes dropped EXE
PID:4140 -
\??\c:\8042608.exec:\8042608.exe36⤵
- Executes dropped EXE
PID:3212 -
\??\c:\dpvpj.exec:\dpvpj.exe37⤵
- Executes dropped EXE
PID:4496 -
\??\c:\o060482.exec:\o060482.exe38⤵
- Executes dropped EXE
PID:4660 -
\??\c:\bhtthb.exec:\bhtthb.exe39⤵
- Executes dropped EXE
PID:1016 -
\??\c:\hbtnbt.exec:\hbtnbt.exe40⤵
- Executes dropped EXE
PID:3416 -
\??\c:\m4228.exec:\m4228.exe41⤵
- Executes dropped EXE
PID:4984 -
\??\c:\nhhtbb.exec:\nhhtbb.exe42⤵
- Executes dropped EXE
PID:1716 -
\??\c:\llrffxr.exec:\llrffxr.exe43⤵
- Executes dropped EXE
PID:2988 -
\??\c:\k88082.exec:\k88082.exe44⤵
- Executes dropped EXE
PID:2900 -
\??\c:\622644.exec:\622644.exe45⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hhnntt.exec:\hhnntt.exe46⤵
- Executes dropped EXE
PID:1228 -
\??\c:\0648484.exec:\0648484.exe47⤵
- Executes dropped EXE
PID:1212 -
\??\c:\0048282.exec:\0048282.exe48⤵
- Executes dropped EXE
PID:3512 -
\??\c:\djpjv.exec:\djpjv.exe49⤵
- Executes dropped EXE
PID:840 -
\??\c:\bbthhb.exec:\bbthhb.exe50⤵
- Executes dropped EXE
PID:1252 -
\??\c:\8848226.exec:\8848226.exe51⤵
- Executes dropped EXE
PID:4424 -
\??\c:\20824.exec:\20824.exe52⤵
- Executes dropped EXE
PID:2428 -
\??\c:\04246.exec:\04246.exe53⤵
- Executes dropped EXE
PID:1860 -
\??\c:\006082.exec:\006082.exe54⤵
- Executes dropped EXE
PID:764 -
\??\c:\rrxlxrr.exec:\rrxlxrr.exe55⤵
- Executes dropped EXE
PID:1096 -
\??\c:\djppj.exec:\djppj.exe56⤵
- Executes dropped EXE
PID:3472 -
\??\c:\266222.exec:\266222.exe57⤵
- Executes dropped EXE
PID:4492 -
\??\c:\7ddvp.exec:\7ddvp.exe58⤵
- Executes dropped EXE
PID:2380 -
\??\c:\jvjdd.exec:\jvjdd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5052 -
\??\c:\68862.exec:\68862.exe60⤵
- Executes dropped EXE
PID:1512 -
\??\c:\u020426.exec:\u020426.exe61⤵
- Executes dropped EXE
PID:4696 -
\??\c:\pvpdv.exec:\pvpdv.exe62⤵
- Executes dropped EXE
PID:4404 -
\??\c:\822644.exec:\822644.exe63⤵
- Executes dropped EXE
PID:876 -
\??\c:\i808822.exec:\i808822.exe64⤵
- Executes dropped EXE
PID:4264 -
\??\c:\bhhhhn.exec:\bhhhhn.exe65⤵
- Executes dropped EXE
PID:4184 -
\??\c:\0226262.exec:\0226262.exe66⤵PID:1924
-
\??\c:\u826048.exec:\u826048.exe67⤵PID:4508
-
\??\c:\0040886.exec:\0040886.exe68⤵PID:2028
-
\??\c:\nbnnnt.exec:\nbnnnt.exe69⤵PID:536
-
\??\c:\dvdpd.exec:\dvdpd.exe70⤵PID:3192
-
\??\c:\006460.exec:\006460.exe71⤵PID:4528
-
\??\c:\q22206.exec:\q22206.exe72⤵PID:3420
-
\??\c:\dvpdj.exec:\dvpdj.exe73⤵PID:2504
-
\??\c:\660860.exec:\660860.exe74⤵PID:1204
-
\??\c:\o404204.exec:\o404204.exe75⤵PID:4592
-
\??\c:\g0204.exec:\g0204.exe76⤵PID:880
-
\??\c:\hbbhtt.exec:\hbbhtt.exe77⤵PID:3016
-
\??\c:\26648.exec:\26648.exe78⤵PID:1700
-
\??\c:\rfxrllf.exec:\rfxrllf.exe79⤵PID:2248
-
\??\c:\6800482.exec:\6800482.exe80⤵PID:2936
-
\??\c:\jvdvp.exec:\jvdvp.exe81⤵PID:1060
-
\??\c:\4226084.exec:\4226084.exe82⤵PID:4180
-
\??\c:\fllffll.exec:\fllffll.exe83⤵PID:4080
-
\??\c:\jvvpj.exec:\jvvpj.exe84⤵PID:3656
-
\??\c:\2262004.exec:\2262004.exe85⤵PID:1680
-
\??\c:\dvjjj.exec:\dvjjj.exe86⤵PID:1184
-
\??\c:\hnbhhh.exec:\hnbhhh.exe87⤵PID:2068
-
\??\c:\rllrxlx.exec:\rllrxlx.exe88⤵PID:5008
-
\??\c:\ttntbt.exec:\ttntbt.exe89⤵PID:5000
-
\??\c:\1ttnhb.exec:\1ttnhb.exe90⤵PID:4660
-
\??\c:\dvdvp.exec:\dvdvp.exe91⤵PID:2548
-
\??\c:\vddpj.exec:\vddpj.exe92⤵PID:4984
-
\??\c:\k82426.exec:\k82426.exe93⤵PID:1872
-
\??\c:\rrrlxxl.exec:\rrrlxxl.exe94⤵PID:1440
-
\??\c:\86200.exec:\86200.exe95⤵PID:4296
-
\??\c:\0282048.exec:\0282048.exe96⤵PID:3712
-
\??\c:\vjppd.exec:\vjppd.exe97⤵PID:632
-
\??\c:\206426.exec:\206426.exe98⤵PID:4172
-
\??\c:\42604.exec:\42604.exe99⤵PID:692
-
\??\c:\u622284.exec:\u622284.exe100⤵PID:3568
-
\??\c:\ddjvp.exec:\ddjvp.exe101⤵PID:4448
-
\??\c:\w40826.exec:\w40826.exe102⤵PID:4308
-
\??\c:\u842266.exec:\u842266.exe103⤵PID:4596
-
\??\c:\88260.exec:\88260.exe104⤵PID:4740
-
\??\c:\5dvdp.exec:\5dvdp.exe105⤵
- System Location Discovery: System Language Discovery
PID:1568 -
\??\c:\vvdvv.exec:\vvdvv.exe106⤵PID:4548
-
\??\c:\a8486.exec:\a8486.exe107⤵PID:1124
-
\??\c:\i048484.exec:\i048484.exe108⤵PID:5044
-
\??\c:\hbbthb.exec:\hbbthb.exe109⤵PID:4492
-
\??\c:\5pjjv.exec:\5pjjv.exe110⤵PID:2584
-
\??\c:\3pjvp.exec:\3pjvp.exe111⤵PID:2784
-
\??\c:\c280486.exec:\c280486.exe112⤵PID:4064
-
\??\c:\c000820.exec:\c000820.exe113⤵PID:1028
-
\??\c:\dpjdv.exec:\dpjdv.exe114⤵PID:1832
-
\??\c:\xfffffr.exec:\xfffffr.exe115⤵PID:3808
-
\??\c:\9dpdv.exec:\9dpdv.exe116⤵PID:2060
-
\??\c:\84486.exec:\84486.exe117⤵PID:2348
-
\??\c:\rflfxxr.exec:\rflfxxr.exe118⤵PID:2316
-
\??\c:\22860.exec:\22860.exe119⤵PID:1528
-
\??\c:\nnnbtt.exec:\nnnbtt.exe120⤵PID:3208
-
\??\c:\846482.exec:\846482.exe121⤵PID:1924
-
\??\c:\lffrffx.exec:\lffrffx.exe122⤵PID:4632