Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 01:51
Static task
static1
Behavioral task
behavioral1
Sample
ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe
Resource
win7-20240708-en
General
-
Target
ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe
-
Size
455KB
-
MD5
0042c616ac02c252f3d9f66c735a74b0
-
SHA1
f5d4cb2bfb519b2d1dccad3563cef4bfb8d7dbee
-
SHA256
ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546
-
SHA512
af84ea18b44625f64dc664317cad41a33b0ce1af0b3fd1075dc992074f233480959a4f6a9e5e47d7acc5690c6b341509a632853da954ffacdd80c4c9c358d598
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR+:q7Tc2NYHUrAwfMp3CDR+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4224-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2848-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4624-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-1163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-1548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1796 lfllfff.exe 4740 28448.exe 2300 868604.exe 3760 84626.exe 3340 fxxrlff.exe 2448 fxfxrrr.exe 4460 284822.exe 4584 8020084.exe 4464 nbhtbn.exe 2552 822068.exe 2824 644404.exe 1688 5dvvp.exe 4944 86204.exe 212 g0200.exe 3880 4406004.exe 3304 646862.exe 1648 02826.exe 4180 hbttbb.exe 1068 xrfxrff.exe 3608 00868.exe 1908 822660.exe 216 480600.exe 1972 60848.exe 4952 frxllfx.exe 3484 200460.exe 3476 ddvvp.exe 2420 rrfxffl.exe 3808 82484.exe 2848 802266.exe 4440 hhhbhb.exe 720 bntnhb.exe 3176 w46042.exe 2716 0464400.exe 3388 ppdpj.exe 4860 9nbnht.exe 4604 5btnhn.exe 964 280422.exe 4760 5xxrxxl.exe 4360 7flfxrl.exe 2676 804066.exe 384 pppjd.exe 2016 9jdpj.exe 4844 88066.exe 3432 hbbtnn.exe 3780 pvjjd.exe 2948 xxflxfx.exe 3660 440060.exe 2896 466044.exe 3976 3vvdp.exe 4388 24044.exe 316 pdjjd.exe 1980 rlfxxxr.exe 1844 040448.exe 4740 2022006.exe 1828 bbbhbb.exe 1520 9nbtth.exe 4244 a8482.exe 2968 1tnhtt.exe 3300 1lrlrrr.exe 1000 642662.exe 3088 0684888.exe 3264 i804282.exe 1996 640488.exe 3696 htbtbb.exe -
resource yara_rule behavioral2/memory/4224-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3176-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4652-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-678-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 022648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2286048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2226086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0882606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c808220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o882004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4224 wrote to memory of 1796 4224 ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe 82 PID 4224 wrote to memory of 1796 4224 ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe 82 PID 4224 wrote to memory of 1796 4224 ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe 82 PID 1796 wrote to memory of 4740 1796 lfllfff.exe 83 PID 1796 wrote to memory of 4740 1796 lfllfff.exe 83 PID 1796 wrote to memory of 4740 1796 lfllfff.exe 83 PID 4740 wrote to memory of 2300 4740 28448.exe 84 PID 4740 wrote to memory of 2300 4740 28448.exe 84 PID 4740 wrote to memory of 2300 4740 28448.exe 84 PID 2300 wrote to memory of 3760 2300 868604.exe 85 PID 2300 wrote to memory of 3760 2300 868604.exe 85 PID 2300 wrote to memory of 3760 2300 868604.exe 85 PID 3760 wrote to memory of 3340 3760 84626.exe 86 PID 3760 wrote to memory of 3340 3760 84626.exe 86 PID 3760 wrote to memory of 3340 3760 84626.exe 86 PID 3340 wrote to memory of 2448 3340 fxxrlff.exe 87 PID 3340 wrote to memory of 2448 3340 fxxrlff.exe 87 PID 3340 wrote to memory of 2448 3340 fxxrlff.exe 87 PID 2448 wrote to memory of 4460 2448 fxfxrrr.exe 88 PID 2448 wrote to memory of 4460 2448 fxfxrrr.exe 88 PID 2448 wrote to memory of 4460 2448 fxfxrrr.exe 88 PID 4460 wrote to memory of 4584 4460 284822.exe 89 PID 4460 wrote to memory of 4584 4460 284822.exe 89 PID 4460 wrote to memory of 4584 4460 284822.exe 89 PID 4584 wrote to memory of 4464 4584 8020084.exe 90 PID 4584 wrote to memory of 4464 4584 8020084.exe 90 PID 4584 wrote to memory of 4464 4584 8020084.exe 90 PID 4464 wrote to memory of 2552 4464 nbhtbn.exe 91 PID 4464 wrote to memory of 2552 4464 nbhtbn.exe 91 PID 4464 wrote to memory of 2552 4464 nbhtbn.exe 91 PID 2552 wrote to memory of 2824 2552 822068.exe 92 PID 2552 wrote to memory of 2824 2552 822068.exe 92 PID 2552 wrote to memory of 2824 2552 822068.exe 92 PID 2824 wrote to memory of 1688 2824 644404.exe 93 PID 2824 
wrote to memory of 1688 2824 644404.exe 93 PID 2824 wrote to memory of 1688 2824 644404.exe 93 PID 1688 wrote to memory of 4944 1688 5dvvp.exe 94 PID 1688 wrote to memory of 4944 1688 5dvvp.exe 94 PID 1688 wrote to memory of 4944 1688 5dvvp.exe 94 PID 4944 wrote to memory of 212 4944 86204.exe 95 PID 4944 wrote to memory of 212 4944 86204.exe 95 PID 4944 wrote to memory of 212 4944 86204.exe 95 PID 212 wrote to memory of 3880 212 g0200.exe 96 PID 212 wrote to memory of 3880 212 g0200.exe 96 PID 212 wrote to memory of 3880 212 g0200.exe 96 PID 3880 wrote to memory of 3304 3880 4406004.exe 97 PID 3880 wrote to memory of 3304 3880 4406004.exe 97 PID 3880 wrote to memory of 3304 3880 4406004.exe 97 PID 3304 wrote to memory of 1648 3304 646862.exe 98 PID 3304 wrote to memory of 1648 3304 646862.exe 98 PID 3304 wrote to memory of 1648 3304 646862.exe 98 PID 1648 wrote to memory of 4180 1648 02826.exe 99 PID 1648 wrote to memory of 4180 1648 02826.exe 99 PID 1648 wrote to memory of 4180 1648 02826.exe 99 PID 4180 wrote to memory of 1068 4180 hbttbb.exe 100 PID 4180 wrote to memory of 1068 4180 hbttbb.exe 100 PID 4180 wrote to memory of 1068 4180 hbttbb.exe 100 PID 1068 wrote to memory of 3608 1068 xrfxrff.exe 101 PID 1068 wrote to memory of 3608 1068 xrfxrff.exe 101 PID 1068 wrote to memory of 3608 1068 xrfxrff.exe 101 PID 3608 wrote to memory of 1908 3608 00868.exe 102 PID 3608 wrote to memory of 1908 3608 00868.exe 102 PID 3608 wrote to memory of 1908 3608 00868.exe 102 PID 1908 wrote to memory of 216 1908 822660.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe"C:\Users\Admin\AppData\Local\Temp\ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\lfllfff.exec:\lfllfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\28448.exec:\28448.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\868604.exec:\868604.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\84626.exec:\84626.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\fxxrlff.exec:\fxxrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\284822.exec:\284822.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\8020084.exec:\8020084.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\nbhtbn.exec:\nbhtbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\822068.exec:\822068.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\644404.exec:\644404.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\5dvvp.exec:\5dvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\86204.exec:\86204.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\g0200.exec:\g0200.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\4406004.exec:\4406004.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\646862.exec:\646862.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\02826.exec:\02826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\hbttbb.exec:\hbttbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\xrfxrff.exec:\xrfxrff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\00868.exec:\00868.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\822660.exec:\822660.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\480600.exec:\480600.exe23⤵
- Executes dropped EXE
PID:216 -
\??\c:\60848.exec:\60848.exe24⤵
- Executes dropped EXE
PID:1972 -
\??\c:\frxllfx.exec:\frxllfx.exe25⤵
- Executes dropped EXE
PID:4952 -
\??\c:\200460.exec:\200460.exe26⤵
- Executes dropped EXE
PID:3484 -
\??\c:\ddvvp.exec:\ddvvp.exe27⤵
- Executes dropped EXE
PID:3476 -
\??\c:\rrfxffl.exec:\rrfxffl.exe28⤵
- Executes dropped EXE
PID:2420 -
\??\c:\82484.exec:\82484.exe29⤵
- Executes dropped EXE
PID:3808 -
\??\c:\802266.exec:\802266.exe30⤵
- Executes dropped EXE
PID:2848 -
\??\c:\hhhbhb.exec:\hhhbhb.exe31⤵
- Executes dropped EXE
PID:4440 -
\??\c:\bntnhb.exec:\bntnhb.exe32⤵
- Executes dropped EXE
PID:720 -
\??\c:\w46042.exec:\w46042.exe33⤵
- Executes dropped EXE
PID:3176 -
\??\c:\0464400.exec:\0464400.exe34⤵
- Executes dropped EXE
PID:2716 -
\??\c:\ppdpj.exec:\ppdpj.exe35⤵
- Executes dropped EXE
PID:3388 -
\??\c:\9nbnht.exec:\9nbnht.exe36⤵
- Executes dropped EXE
PID:4860 -
\??\c:\5btnhn.exec:\5btnhn.exe37⤵
- Executes dropped EXE
PID:4604 -
\??\c:\280422.exec:\280422.exe38⤵
- Executes dropped EXE
PID:964 -
\??\c:\5xxrxxl.exec:\5xxrxxl.exe39⤵
- Executes dropped EXE
PID:4760 -
\??\c:\7flfxrl.exec:\7flfxrl.exe40⤵
- Executes dropped EXE
PID:4360 -
\??\c:\804066.exec:\804066.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\pppjd.exec:\pppjd.exe42⤵
- Executes dropped EXE
PID:384 -
\??\c:\9jdpj.exec:\9jdpj.exe43⤵
- Executes dropped EXE
PID:2016 -
\??\c:\88066.exec:\88066.exe44⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hbbtnn.exec:\hbbtnn.exe45⤵
- Executes dropped EXE
PID:3432 -
\??\c:\pvjjd.exec:\pvjjd.exe46⤵
- Executes dropped EXE
PID:3780 -
\??\c:\xxflxfx.exec:\xxflxfx.exe47⤵
- Executes dropped EXE
PID:2948 -
\??\c:\440060.exec:\440060.exe48⤵
- Executes dropped EXE
PID:3660 -
\??\c:\466044.exec:\466044.exe49⤵
- Executes dropped EXE
PID:2896 -
\??\c:\3vvdp.exec:\3vvdp.exe50⤵
- Executes dropped EXE
PID:3976 -
\??\c:\24044.exec:\24044.exe51⤵
- Executes dropped EXE
PID:4388 -
\??\c:\pdjjd.exec:\pdjjd.exe52⤵
- Executes dropped EXE
PID:316 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe53⤵
- Executes dropped EXE
PID:1980 -
\??\c:\040448.exec:\040448.exe54⤵
- Executes dropped EXE
PID:1844 -
\??\c:\2022006.exec:\2022006.exe55⤵
- Executes dropped EXE
PID:4740 -
\??\c:\bbbhbb.exec:\bbbhbb.exe56⤵
- Executes dropped EXE
PID:1828 -
\??\c:\9nbtth.exec:\9nbtth.exe57⤵
- Executes dropped EXE
PID:1520 -
\??\c:\a8482.exec:\a8482.exe58⤵
- Executes dropped EXE
PID:4244 -
\??\c:\1tnhtt.exec:\1tnhtt.exe59⤵
- Executes dropped EXE
PID:2968 -
\??\c:\1lrlrrr.exec:\1lrlrrr.exe60⤵
- Executes dropped EXE
PID:3300 -
\??\c:\642662.exec:\642662.exe61⤵
- Executes dropped EXE
PID:1000 -
\??\c:\0684888.exec:\0684888.exe62⤵
- Executes dropped EXE
PID:3088 -
\??\c:\i804282.exec:\i804282.exe63⤵
- Executes dropped EXE
PID:3264 -
\??\c:\640488.exec:\640488.exe64⤵
- Executes dropped EXE
PID:1996 -
\??\c:\htbtbb.exec:\htbtbb.exe65⤵
- Executes dropped EXE
PID:3696 -
\??\c:\262200.exec:\262200.exe66⤵PID:3716
-
\??\c:\2682228.exec:\2682228.exe67⤵PID:2440
-
\??\c:\tbnhbb.exec:\tbnhbb.exe68⤵PID:4624
-
\??\c:\m0260.exec:\m0260.exe69⤵PID:3768
-
\??\c:\6408264.exec:\6408264.exe70⤵PID:3228
-
\??\c:\jvvpd.exec:\jvvpd.exe71⤵PID:208
-
\??\c:\26466.exec:\26466.exe72⤵PID:2408
-
\??\c:\bhhbnh.exec:\bhhbnh.exe73⤵PID:3576
-
\??\c:\jpdvv.exec:\jpdvv.exe74⤵PID:1220
-
\??\c:\8480864.exec:\8480864.exe75⤵PID:4072
-
\??\c:\84226.exec:\84226.exe76⤵PID:1516
-
\??\c:\646088.exec:\646088.exe77⤵PID:4180
-
\??\c:\3rfrfrl.exec:\3rfrfrl.exe78⤵PID:4652
-
\??\c:\06882.exec:\06882.exe79⤵PID:2728
-
\??\c:\hhtnhb.exec:\hhtnhb.exe80⤵PID:5012
-
\??\c:\26648.exec:\26648.exe81⤵PID:2996
-
\??\c:\460826.exec:\460826.exe82⤵PID:3752
-
\??\c:\e28682.exec:\e28682.exe83⤵PID:4516
-
\??\c:\vdjdv.exec:\vdjdv.exe84⤵PID:1016
-
\??\c:\266002.exec:\266002.exe85⤵PID:3180
-
\??\c:\rrrfxlx.exec:\rrrfxlx.exe86⤵PID:1988
-
\??\c:\nhbnbt.exec:\nhbnbt.exe87⤵PID:1292
-
\??\c:\pvdpd.exec:\pvdpd.exe88⤵PID:4968
-
\??\c:\62864.exec:\62864.exe89⤵PID:4956
-
\??\c:\i408648.exec:\i408648.exe90⤵PID:3932
-
\??\c:\fllxfrr.exec:\fllxfrr.exe91⤵PID:3548
-
\??\c:\8066464.exec:\8066464.exe92⤵PID:3244
-
\??\c:\ppvdp.exec:\ppvdp.exe93⤵PID:4440
-
\??\c:\o882026.exec:\o882026.exe94⤵PID:3268
-
\??\c:\040860.exec:\040860.exe95⤵PID:3672
-
\??\c:\rffrxrf.exec:\rffrxrf.exe96⤵PID:3636
-
\??\c:\vjvjv.exec:\vjvjv.exe97⤵PID:4828
-
\??\c:\2064600.exec:\2064600.exe98⤵PID:2052
-
\??\c:\htbnnh.exec:\htbnnh.exe99⤵PID:4860
-
\??\c:\jddjj.exec:\jddjj.exe100⤵PID:4884
-
\??\c:\0020226.exec:\0020226.exe101⤵PID:964
-
\??\c:\pjpjd.exec:\pjpjd.exe102⤵PID:4760
-
\??\c:\284822.exec:\284822.exe103⤵PID:3024
-
\??\c:\lllfxxr.exec:\lllfxxr.exe104⤵PID:3192
-
\??\c:\262660.exec:\262660.exe105⤵PID:772
-
\??\c:\3hnbhb.exec:\3hnbhb.exe106⤵PID:2016
-
\??\c:\2244826.exec:\2244826.exe107⤵PID:1064
-
\??\c:\tntttt.exec:\tntttt.exe108⤵PID:1420
-
\??\c:\8440864.exec:\8440864.exe109⤵PID:4608
-
\??\c:\48004.exec:\48004.exe110⤵PID:1644
-
\??\c:\nbntbn.exec:\nbntbn.exe111⤵PID:4588
-
\??\c:\k48260.exec:\k48260.exe112⤵PID:2972
-
\??\c:\bbbtnh.exec:\bbbtnh.exe113⤵PID:5020
-
\??\c:\xflxrlf.exec:\xflxrlf.exe114⤵PID:4372
-
\??\c:\284000.exec:\284000.exe115⤵PID:2564
-
\??\c:\284422.exec:\284422.exe116⤵PID:2148
-
\??\c:\pjddp.exec:\pjddp.exe117⤵PID:4748
-
\??\c:\jjjdd.exec:\jjjdd.exe118⤵PID:3012
-
\??\c:\pvdvv.exec:\pvdvv.exe119⤵PID:4384
-
\??\c:\1ddvp.exec:\1ddvp.exe120⤵PID:2940
-
\??\c:\lxlfffx.exec:\lxlfffx.exe121⤵PID:4740
-
\??\c:\06866.exec:\06866.exe122⤵PID:2732