Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 03:33
Static task
static1
Behavioral task
behavioral1
Sample
acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701N.exe
Resource
win7-20240903-en
General
-
Target
acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701N.exe
-
Size
456KB
-
MD5
53a9ad231bec6142a4da58c197433f60
-
SHA1
f9d86c91c6f4c4ac49fd92484e77c4d015e23447
-
SHA256
acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701
-
SHA512
357b0c380f675508a5ada860d6a29bdb999b6d3a640569807e750829facd74b2c9567686d0e5b44a09e8607ce3804b0b59e1c1e35a61bcc812e44f7243082b32
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/844-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2424-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3068-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/604-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-1134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 844 482626.exe 616 8228204.exe 748 jdvdj.exe 3104 frfrrll.exe 4900 bhnbbt.exe 3208 486260.exe 536 440422.exe 3720 c842688.exe 532 bnhbbh.exe 2440 062226.exe 1884 dvdvd.exe 3412 nhtntn.exe 220 vjjdd.exe 3028 jdjdd.exe 3280 ttnbbt.exe 4060 q88266.exe 2708 880002.exe 2028 rffxxxr.exe 4208 ttbtnh.exe 2492 80660.exe 1952 c842260.exe 1868 062048.exe 1556 c408840.exe 3328 i682489.exe 2360 2882048.exe 1608 dvvpp.exe 3552 3htnhb.exe 4196 42208.exe 5024 0460860.exe 2424 m8026.exe 960 64600.exe 3992 fxffllx.exe 4660 20042.exe 3624 bthnhb.exe 3436 bbbtnn.exe 1880 08004.exe 1928 dppjd.exe 2076 hbntht.exe 1572 60020.exe 2552 9pjdv.exe 1224 040882.exe 4988 0626048.exe 4488 2060804.exe 2288 600482.exe 4388 fxfxxxr.exe 2988 hbbbtn.exe 264 5flfrrl.exe 4260 dddpv.exe 4448 64606.exe 4072 484804.exe 3008 1ddvp.exe 1436 jvddp.exe 2696 hhtttt.exe 3796 82428.exe 3252 bnbthh.exe 3892 446048.exe 3596 4004826.exe 4028 1ttnhh.exe 3204 g4660.exe 3396 86828.exe 4124 42682.exe 536 2866082.exe 2528 e64220.exe 4872 880866.exe -
resource yara_rule behavioral2/memory/844-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3992-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/604-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1352-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-706-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c224848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u866448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 466482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8242884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q84264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8404882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24004.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4948 wrote to memory of 844 4948 acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701N.exe 82 PID 4948 wrote to memory of 844 4948 acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701N.exe 82 PID 4948 wrote to memory of 844 4948 acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701N.exe 82 PID 844 wrote to memory of 616 844 482626.exe 83 PID 844 wrote to memory of 616 844 482626.exe 83 PID 844 wrote to memory of 616 844 482626.exe 83 PID 616 wrote to memory of 748 616 8228204.exe 84 PID 616 wrote to memory of 748 616 8228204.exe 84 PID 616 wrote to memory of 748 616 8228204.exe 84 PID 748 wrote to memory of 3104 748 jdvdj.exe 85 PID 748 wrote to memory of 3104 748 jdvdj.exe 85 PID 748 wrote to memory of 3104 748 jdvdj.exe 85 PID 3104 wrote to memory of 4900 3104 frfrrll.exe 86 PID 3104 wrote to memory of 4900 3104 frfrrll.exe 86 PID 3104 wrote to memory of 4900 3104 frfrrll.exe 86 PID 4900 wrote to memory of 3208 4900 bhnbbt.exe 87 PID 4900 wrote to memory of 3208 4900 bhnbbt.exe 87 PID 4900 wrote to memory of 3208 4900 bhnbbt.exe 87 PID 3208 wrote to memory of 536 3208 486260.exe 88 PID 3208 wrote to memory of 536 3208 486260.exe 88 PID 3208 wrote to memory of 536 3208 486260.exe 88 PID 536 wrote to memory of 3720 536 440422.exe 89 PID 536 wrote to memory of 3720 536 440422.exe 89 PID 536 wrote to memory of 3720 536 440422.exe 89 PID 3720 wrote to memory of 532 3720 c842688.exe 90 PID 3720 wrote to memory of 532 3720 c842688.exe 90 PID 3720 wrote to memory of 532 3720 c842688.exe 90 PID 532 wrote to memory of 2440 532 bnhbbh.exe 91 PID 532 wrote to memory of 2440 532 bnhbbh.exe 91 PID 532 wrote to memory of 2440 532 bnhbbh.exe 91 PID 2440 wrote to memory of 1884 2440 062226.exe 92 PID 2440 wrote to memory of 1884 2440 062226.exe 92 PID 2440 wrote to memory of 1884 2440 062226.exe 92 PID 1884 wrote to memory of 3412 1884 dvdvd.exe 93 PID 1884 wrote to memory of 3412 1884 dvdvd.exe 93 PID 
1884 wrote to memory of 3412 1884 dvdvd.exe 93 PID 3412 wrote to memory of 220 3412 nhtntn.exe 94 PID 3412 wrote to memory of 220 3412 nhtntn.exe 94 PID 3412 wrote to memory of 220 3412 nhtntn.exe 94 PID 220 wrote to memory of 3028 220 vjjdd.exe 95 PID 220 wrote to memory of 3028 220 vjjdd.exe 95 PID 220 wrote to memory of 3028 220 vjjdd.exe 95 PID 3028 wrote to memory of 3280 3028 jdjdd.exe 96 PID 3028 wrote to memory of 3280 3028 jdjdd.exe 96 PID 3028 wrote to memory of 3280 3028 jdjdd.exe 96 PID 3280 wrote to memory of 4060 3280 ttnbbt.exe 97 PID 3280 wrote to memory of 4060 3280 ttnbbt.exe 97 PID 3280 wrote to memory of 4060 3280 ttnbbt.exe 97 PID 4060 wrote to memory of 2708 4060 q88266.exe 98 PID 4060 wrote to memory of 2708 4060 q88266.exe 98 PID 4060 wrote to memory of 2708 4060 q88266.exe 98 PID 2708 wrote to memory of 2028 2708 880002.exe 99 PID 2708 wrote to memory of 2028 2708 880002.exe 99 PID 2708 wrote to memory of 2028 2708 880002.exe 99 PID 2028 wrote to memory of 4208 2028 rffxxxr.exe 100 PID 2028 wrote to memory of 4208 2028 rffxxxr.exe 100 PID 2028 wrote to memory of 4208 2028 rffxxxr.exe 100 PID 4208 wrote to memory of 2492 4208 ttbtnh.exe 101 PID 4208 wrote to memory of 2492 4208 ttbtnh.exe 101 PID 4208 wrote to memory of 2492 4208 ttbtnh.exe 101 PID 2492 wrote to memory of 1952 2492 80660.exe 102 PID 2492 wrote to memory of 1952 2492 80660.exe 102 PID 2492 wrote to memory of 1952 2492 80660.exe 102 PID 1952 wrote to memory of 1868 1952 c842260.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701N.exe"C:\Users\Admin\AppData\Local\Temp\acbd911dc571c1941f864db554f136f299d244c8063e17920a29116354b8b701N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\482626.exec:\482626.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\8228204.exec:\8228204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\jdvdj.exec:\jdvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\frfrrll.exec:\frfrrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\bhnbbt.exec:\bhnbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\486260.exec:\486260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\440422.exec:\440422.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\c842688.exec:\c842688.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\bnhbbh.exec:\bnhbbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\062226.exec:\062226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\dvdvd.exec:\dvdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\nhtntn.exec:\nhtntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\vjjdd.exec:\vjjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\jdjdd.exec:\jdjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\ttnbbt.exec:\ttnbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\q88266.exec:\q88266.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\880002.exec:\880002.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\rffxxxr.exec:\rffxxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\ttbtnh.exec:\ttbtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\80660.exec:\80660.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\c842260.exec:\c842260.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\062048.exec:\062048.exe23⤵
- Executes dropped EXE
PID:1868 -
\??\c:\c408840.exec:\c408840.exe24⤵
- Executes dropped EXE
PID:1556 -
\??\c:\i682489.exec:\i682489.exe25⤵
- Executes dropped EXE
PID:3328 -
\??\c:\2882048.exec:\2882048.exe26⤵
- Executes dropped EXE
PID:2360 -
\??\c:\dvvpp.exec:\dvvpp.exe27⤵
- Executes dropped EXE
PID:1608 -
\??\c:\3htnhb.exec:\3htnhb.exe28⤵
- Executes dropped EXE
PID:3552 -
\??\c:\42208.exec:\42208.exe29⤵
- Executes dropped EXE
PID:4196 -
\??\c:\0460860.exec:\0460860.exe30⤵
- Executes dropped EXE
PID:5024 -
\??\c:\m8026.exec:\m8026.exe31⤵
- Executes dropped EXE
PID:2424 -
\??\c:\64600.exec:\64600.exe32⤵
- Executes dropped EXE
PID:960 -
\??\c:\fxffllx.exec:\fxffllx.exe33⤵
- Executes dropped EXE
PID:3992 -
\??\c:\20042.exec:\20042.exe34⤵
- Executes dropped EXE
PID:4660 -
\??\c:\bthnhb.exec:\bthnhb.exe35⤵
- Executes dropped EXE
PID:3624 -
\??\c:\bbbtnn.exec:\bbbtnn.exe36⤵
- Executes dropped EXE
PID:3436 -
\??\c:\08004.exec:\08004.exe37⤵
- Executes dropped EXE
PID:1880 -
\??\c:\dppjd.exec:\dppjd.exe38⤵
- Executes dropped EXE
PID:1928 -
\??\c:\hbntht.exec:\hbntht.exe39⤵
- Executes dropped EXE
PID:2076 -
\??\c:\60020.exec:\60020.exe40⤵
- Executes dropped EXE
PID:1572 -
\??\c:\9pjdv.exec:\9pjdv.exe41⤵
- Executes dropped EXE
PID:2552 -
\??\c:\040882.exec:\040882.exe42⤵
- Executes dropped EXE
PID:1224 -
\??\c:\0626048.exec:\0626048.exe43⤵
- Executes dropped EXE
PID:4988 -
\??\c:\2060804.exec:\2060804.exe44⤵
- Executes dropped EXE
PID:4488 -
\??\c:\600482.exec:\600482.exe45⤵
- Executes dropped EXE
PID:2288 -
\??\c:\fxfxxxr.exec:\fxfxxxr.exe46⤵
- Executes dropped EXE
PID:4388 -
\??\c:\hbbbtn.exec:\hbbbtn.exe47⤵
- Executes dropped EXE
PID:2988 -
\??\c:\5flfrrl.exec:\5flfrrl.exe48⤵
- Executes dropped EXE
PID:264 -
\??\c:\dddpv.exec:\dddpv.exe49⤵
- Executes dropped EXE
PID:4260 -
\??\c:\64606.exec:\64606.exe50⤵
- Executes dropped EXE
PID:4448 -
\??\c:\484804.exec:\484804.exe51⤵
- Executes dropped EXE
PID:4072 -
\??\c:\1ddvp.exec:\1ddvp.exe52⤵
- Executes dropped EXE
PID:3008 -
\??\c:\jvddp.exec:\jvddp.exe53⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hhtttt.exec:\hhtttt.exe54⤵
- Executes dropped EXE
PID:2696 -
\??\c:\82428.exec:\82428.exe55⤵
- Executes dropped EXE
PID:3796 -
\??\c:\bnbthh.exec:\bnbthh.exe56⤵
- Executes dropped EXE
PID:3252 -
\??\c:\446048.exec:\446048.exe57⤵
- Executes dropped EXE
PID:3892 -
\??\c:\4004826.exec:\4004826.exe58⤵
- Executes dropped EXE
PID:3596 -
\??\c:\1ttnhh.exec:\1ttnhh.exe59⤵
- Executes dropped EXE
PID:4028 -
\??\c:\g4660.exec:\g4660.exe60⤵
- Executes dropped EXE
PID:3204 -
\??\c:\86828.exec:\86828.exe61⤵
- Executes dropped EXE
PID:3396 -
\??\c:\42682.exec:\42682.exe62⤵
- Executes dropped EXE
PID:4124 -
\??\c:\2866082.exec:\2866082.exe63⤵
- Executes dropped EXE
PID:536 -
\??\c:\e64220.exec:\e64220.exe64⤵
- Executes dropped EXE
PID:2528 -
\??\c:\880866.exec:\880866.exe65⤵
- Executes dropped EXE
PID:4872 -
\??\c:\m2602.exec:\m2602.exe66⤵PID:1496
-
\??\c:\1rlrffl.exec:\1rlrffl.exe67⤵PID:532
-
\??\c:\rlxrlxr.exec:\rlxrlxr.exe68⤵PID:5116
-
\??\c:\nhtnhh.exec:\nhtnhh.exe69⤵PID:4112
-
\??\c:\44604.exec:\44604.exe70⤵PID:2972
-
\??\c:\22826.exec:\22826.exe71⤵PID:1628
-
\??\c:\84222.exec:\84222.exe72⤵PID:3936
-
\??\c:\tbnhtn.exec:\tbnhtn.exe73⤵PID:3672
-
\??\c:\pjppd.exec:\pjppd.exe74⤵PID:116
-
\??\c:\hthbbt.exec:\hthbbt.exe75⤵PID:3136
-
\??\c:\1ddvp.exec:\1ddvp.exe76⤵PID:3420
-
\??\c:\bbbbnh.exec:\bbbbnh.exe77⤵PID:4624
-
\??\c:\42242.exec:\42242.exe78⤵PID:2936
-
\??\c:\8648884.exec:\8648884.exe79⤵PID:1624
-
\??\c:\5hnbnn.exec:\5hnbnn.exe80⤵PID:4344
-
\??\c:\02822.exec:\02822.exe81⤵PID:3056
-
\??\c:\42260.exec:\42260.exe82⤵PID:3000
-
\??\c:\20662.exec:\20662.exe83⤵PID:4208
-
\??\c:\w68282.exec:\w68282.exe84⤵PID:3068
-
\??\c:\0820466.exec:\0820466.exe85⤵PID:1952
-
\??\c:\vvjdv.exec:\vvjdv.exe86⤵PID:1016
-
\??\c:\vddpj.exec:\vddpj.exe87⤵PID:4148
-
\??\c:\284866.exec:\284866.exe88⤵PID:2124
-
\??\c:\228604.exec:\228604.exe89⤵PID:4316
-
\??\c:\dpvjj.exec:\dpvjj.exe90⤵PID:4372
-
\??\c:\ddpdp.exec:\ddpdp.exe91⤵PID:3272
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe92⤵PID:1608
-
\??\c:\822604.exec:\822604.exe93⤵PID:604
-
\??\c:\840482.exec:\840482.exe94⤵PID:1932
-
\??\c:\thnhbh.exec:\thnhbh.exe95⤵PID:4568
-
\??\c:\664862.exec:\664862.exe96⤵
- System Location Discovery: System Language Discovery
PID:4116 -
\??\c:\204600.exec:\204600.exe97⤵PID:1812
-
\??\c:\7xlrffx.exec:\7xlrffx.exe98⤵PID:2560
-
\??\c:\228482.exec:\228482.exe99⤵PID:1352
-
\??\c:\m4004.exec:\m4004.exe100⤵PID:4104
-
\??\c:\bttnhb.exec:\bttnhb.exe101⤵PID:3992
-
\??\c:\bthbtn.exec:\bthbtn.exe102⤵PID:5056
-
\??\c:\5pvjd.exec:\5pvjd.exe103⤵PID:3624
-
\??\c:\lxrrrxr.exec:\lxrrrxr.exe104⤵PID:4800
-
\??\c:\e26604.exec:\e26604.exe105⤵PID:1548
-
\??\c:\022200.exec:\022200.exe106⤵PID:580
-
\??\c:\0860668.exec:\0860668.exe107⤵PID:1280
-
\??\c:\ffllrrx.exec:\ffllrrx.exe108⤵PID:1672
-
\??\c:\828828.exec:\828828.exe109⤵PID:1848
-
\??\c:\fxrfxrf.exec:\fxrfxrf.exe110⤵PID:4472
-
\??\c:\g4646.exec:\g4646.exe111⤵PID:2944
-
\??\c:\5llfrrl.exec:\5llfrrl.exe112⤵PID:4832
-
\??\c:\24204.exec:\24204.exe113⤵PID:3508
-
\??\c:\2648828.exec:\2648828.exe114⤵PID:4976
-
\??\c:\9bhtnh.exec:\9bhtnh.exe115⤵PID:4848
-
\??\c:\ffxrrfx.exec:\ffxrrfx.exe116⤵PID:4924
-
\??\c:\pjpjv.exec:\pjpjv.exe117⤵PID:4456
-
\??\c:\2008264.exec:\2008264.exe118⤵PID:4704
-
\??\c:\9xxrrrl.exec:\9xxrrrl.exe119⤵PID:3952
-
\??\c:\ttbtbb.exec:\ttbtbb.exe120⤵PID:772
-
\??\c:\frxlxrl.exec:\frxlxrl.exe121⤵PID:2864
-
\??\c:\i026228.exec:\i026228.exe122⤵PID:1036