Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24/12/2024, 00:29
Static task
static1
Behavioral task
behavioral1
Sample
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe
Resource
win7-20240708-en
(Note: the task listed here ran on the win7-20240708-en resource, whereas the signatures and process tree below are labelled behavioral2 and reflect the win10v2004-20241007-en run described in the Analysis header. Do not mix the two when correlating PIDs or memory offsets.)
General
-
Target
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe
-
Size
453KB
-
MD5
c62a7499aca2c54cb3f372c42c28861c
-
SHA1
db514b565f7e4bd8055a0edf90c7f075a51d1952
-
SHA256
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005
-
SHA512
6b1c7856961e5371691605b64b3299663f11e5a7a49d1b2a5d68cff3a9d5bdfb235ad2c795e879d58b74996d44f82f2777c4c04344161076a0b514f3d05b77f3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2808-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1740-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/756-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/352-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (caution: PIDs are reused within this run — e.g. 3592 is listed for both rxxrrrr.exe and 406662.exe, and 1888 for both 080000.exe and a later process — so correlate on process name/path and parent chain, not on PID alone)
pid Process 1804 hnnnhh.exe 4276 62848.exe 4672 pppjj.exe 4652 rxfrlfx.exe 872 8222664.exe 3236 fflxlff.exe 1940 e02082.exe 1672 66264.exe 2924 42886.exe 460 hbnnnh.exe 4804 5hhtnh.exe 3592 rxxrrrr.exe 2104 llrlffx.exe 4076 rxfxrfx.exe 2308 xflfxxr.exe 1152 8804882.exe 700 xxlfxrl.exe 2440 1tnhbb.exe 4812 6282660.exe 4764 20420.exe 5036 flrlllf.exe 1740 rxxxxlf.exe 2664 flrlffx.exe 4844 c442682.exe 1888 080000.exe 4644 rffxrll.exe 4032 46642.exe 696 vpjjp.exe 2140 44660.exe 888 vpjjv.exe 5008 rxfxrrf.exe 3304 lflxrrf.exe 3980 a0482.exe 5000 ppdvd.exe 2992 040482.exe 2116 vjpjv.exe 1320 06864.exe 1276 vjvjd.exe 2468 djdvp.exe 5028 8666060.exe 4468 q84400.exe 1216 2800444.exe 3772 40028.exe 1516 g8082.exe 3232 lrxxxrr.exe 4820 1jpdv.exe 4656 0466048.exe 728 i082082.exe 4448 hhnbnn.exe 4236 1bbthh.exe 3884 422082.exe 1068 2688260.exe 4648 86206.exe 4940 vdjjd.exe 544 4448266.exe 2268 jdvpd.exe 3720 42242.exe 3336 u400006.exe 2220 04662.exe 1284 9dvjv.exe 3592 406662.exe 648 hbtbnb.exe 2076 22826.exe 4316 ffrlrrr.exe -
resource yara_rule behavioral2/memory/2808-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-137-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2664-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2252-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/352-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-919-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the behaviour is a read of the NLS\Language registry key by the dropped executables; many entries are attributed to "Process not Found", indicating the reading process had already exited before the sandbox could resolve it, so the per-process attribution below is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2282086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e00488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (the listed writes form a strictly linear chain: each dropped executable writes into and launches the next one; the process tree below continues this pattern to a depth of 122 levels, which is the behaviour that distinguishes this sample rather than any single injection)
description pid Process procid_target PID 2808 wrote to memory of 1804 2808 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 85 PID 2808 wrote to memory of 1804 2808 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 85 PID 2808 wrote to memory of 1804 2808 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 85 PID 1804 wrote to memory of 4276 1804 hnnnhh.exe 86 PID 1804 wrote to memory of 4276 1804 hnnnhh.exe 86 PID 1804 wrote to memory of 4276 1804 hnnnhh.exe 86 PID 4276 wrote to memory of 4672 4276 62848.exe 87 PID 4276 wrote to memory of 4672 4276 62848.exe 87 PID 4276 wrote to memory of 4672 4276 62848.exe 87 PID 4672 wrote to memory of 4652 4672 pppjj.exe 88 PID 4672 wrote to memory of 4652 4672 pppjj.exe 88 PID 4672 wrote to memory of 4652 4672 pppjj.exe 88 PID 4652 wrote to memory of 872 4652 rxfrlfx.exe 89 PID 4652 wrote to memory of 872 4652 rxfrlfx.exe 89 PID 4652 wrote to memory of 872 4652 rxfrlfx.exe 89 PID 872 wrote to memory of 3236 872 8222664.exe 90 PID 872 wrote to memory of 3236 872 8222664.exe 90 PID 872 wrote to memory of 3236 872 8222664.exe 90 PID 3236 wrote to memory of 1940 3236 fflxlff.exe 91 PID 3236 wrote to memory of 1940 3236 fflxlff.exe 91 PID 3236 wrote to memory of 1940 3236 fflxlff.exe 91 PID 1940 wrote to memory of 1672 1940 e02082.exe 92 PID 1940 wrote to memory of 1672 1940 e02082.exe 92 PID 1940 wrote to memory of 1672 1940 e02082.exe 92 PID 1672 wrote to memory of 2924 1672 66264.exe 93 PID 1672 wrote to memory of 2924 1672 66264.exe 93 PID 1672 wrote to memory of 2924 1672 66264.exe 93 PID 2924 wrote to memory of 460 2924 42886.exe 94 PID 2924 wrote to memory of 460 2924 42886.exe 94 PID 2924 wrote to memory of 460 2924 42886.exe 94 PID 460 wrote to memory of 4804 460 hbnnnh.exe 95 PID 460 wrote to memory of 4804 460 hbnnnh.exe 95 PID 460 wrote to memory of 4804 460 hbnnnh.exe 95 PID 4804 wrote to memory of 3592 4804 5hhtnh.exe 96 PID 4804 wrote to memory of 3592 4804 
5hhtnh.exe 96 PID 4804 wrote to memory of 3592 4804 5hhtnh.exe 96 PID 3592 wrote to memory of 2104 3592 rxxrrrr.exe 97 PID 3592 wrote to memory of 2104 3592 rxxrrrr.exe 97 PID 3592 wrote to memory of 2104 3592 rxxrrrr.exe 97 PID 2104 wrote to memory of 4076 2104 llrlffx.exe 98 PID 2104 wrote to memory of 4076 2104 llrlffx.exe 98 PID 2104 wrote to memory of 4076 2104 llrlffx.exe 98 PID 4076 wrote to memory of 2308 4076 rxfxrfx.exe 99 PID 4076 wrote to memory of 2308 4076 rxfxrfx.exe 99 PID 4076 wrote to memory of 2308 4076 rxfxrfx.exe 99 PID 2308 wrote to memory of 1152 2308 xflfxxr.exe 100 PID 2308 wrote to memory of 1152 2308 xflfxxr.exe 100 PID 2308 wrote to memory of 1152 2308 xflfxxr.exe 100 PID 1152 wrote to memory of 700 1152 8804882.exe 101 PID 1152 wrote to memory of 700 1152 8804882.exe 101 PID 1152 wrote to memory of 700 1152 8804882.exe 101 PID 700 wrote to memory of 2440 700 xxlfxrl.exe 102 PID 700 wrote to memory of 2440 700 xxlfxrl.exe 102 PID 700 wrote to memory of 2440 700 xxlfxrl.exe 102 PID 2440 wrote to memory of 4812 2440 1tnhbb.exe 103 PID 2440 wrote to memory of 4812 2440 1tnhbb.exe 103 PID 2440 wrote to memory of 4812 2440 1tnhbb.exe 103 PID 4812 wrote to memory of 4764 4812 6282660.exe 104 PID 4812 wrote to memory of 4764 4812 6282660.exe 104 PID 4812 wrote to memory of 4764 4812 6282660.exe 104 PID 4764 wrote to memory of 5036 4764 20420.exe 105 PID 4764 wrote to memory of 5036 4764 20420.exe 105 PID 4764 wrote to memory of 5036 4764 20420.exe 105 PID 5036 wrote to memory of 1740 5036 flrlllf.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe"C:\Users\Admin\AppData\Local\Temp\ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\hnnnhh.exec:\hnnnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\62848.exec:\62848.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\pppjj.exec:\pppjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\8222664.exec:\8222664.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\fflxlff.exec:\fflxlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\e02082.exec:\e02082.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\66264.exec:\66264.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\42886.exec:\42886.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\hbnnnh.exec:\hbnnnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\5hhtnh.exec:\5hhtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\llrlffx.exec:\llrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\rxfxrfx.exec:\rxfxrfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\xflfxxr.exec:\xflfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\8804882.exec:\8804882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\1tnhbb.exec:\1tnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\6282660.exec:\6282660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\20420.exec:\20420.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\flrlllf.exec:\flrlllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\rxxxxlf.exec:\rxxxxlf.exe23⤵
- Executes dropped EXE
PID:1740 -
\??\c:\flrlffx.exec:\flrlffx.exe24⤵
- Executes dropped EXE
PID:2664 -
\??\c:\c442682.exec:\c442682.exe25⤵
- Executes dropped EXE
PID:4844 -
\??\c:\080000.exec:\080000.exe26⤵
- Executes dropped EXE
PID:1888 -
\??\c:\rffxrll.exec:\rffxrll.exe27⤵
- Executes dropped EXE
PID:4644 -
\??\c:\46642.exec:\46642.exe28⤵
- Executes dropped EXE
PID:4032 -
\??\c:\vpjjp.exec:\vpjjp.exe29⤵
- Executes dropped EXE
PID:696 -
\??\c:\44660.exec:\44660.exe30⤵
- Executes dropped EXE
PID:2140 -
\??\c:\vpjjv.exec:\vpjjv.exe31⤵
- Executes dropped EXE
PID:888 -
\??\c:\rxfxrrf.exec:\rxfxrrf.exe32⤵
- Executes dropped EXE
PID:5008 -
\??\c:\lflxrrf.exec:\lflxrrf.exe33⤵
- Executes dropped EXE
PID:3304 -
\??\c:\a0482.exec:\a0482.exe34⤵
- Executes dropped EXE
PID:3980 -
\??\c:\ppdvd.exec:\ppdvd.exe35⤵
- Executes dropped EXE
PID:5000 -
\??\c:\040482.exec:\040482.exe36⤵
- Executes dropped EXE
PID:2992 -
\??\c:\vjpjv.exec:\vjpjv.exe37⤵
- Executes dropped EXE
PID:2116 -
\??\c:\06864.exec:\06864.exe38⤵
- Executes dropped EXE
PID:1320 -
\??\c:\vjvjd.exec:\vjvjd.exe39⤵
- Executes dropped EXE
PID:1276 -
\??\c:\djdvp.exec:\djdvp.exe40⤵
- Executes dropped EXE
PID:2468 -
\??\c:\8666060.exec:\8666060.exe41⤵
- Executes dropped EXE
PID:5028 -
\??\c:\q84400.exec:\q84400.exe42⤵
- Executes dropped EXE
PID:4468 -
\??\c:\2800444.exec:\2800444.exe43⤵
- Executes dropped EXE
PID:1216 -
\??\c:\40028.exec:\40028.exe44⤵
- Executes dropped EXE
PID:3772 -
\??\c:\g8082.exec:\g8082.exe45⤵
- Executes dropped EXE
PID:1516 -
\??\c:\lrxxxrr.exec:\lrxxxrr.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3232 -
\??\c:\1jpdv.exec:\1jpdv.exe47⤵
- Executes dropped EXE
PID:4820 -
\??\c:\0466048.exec:\0466048.exe48⤵
- Executes dropped EXE
PID:4656 -
\??\c:\i082082.exec:\i082082.exe49⤵
- Executes dropped EXE
PID:728 -
\??\c:\hhnbnn.exec:\hhnbnn.exe50⤵
- Executes dropped EXE
PID:4448 -
\??\c:\1bbthh.exec:\1bbthh.exe51⤵
- Executes dropped EXE
PID:4236 -
\??\c:\422082.exec:\422082.exe52⤵
- Executes dropped EXE
PID:3884 -
\??\c:\2688260.exec:\2688260.exe53⤵
- Executes dropped EXE
PID:1068 -
\??\c:\86206.exec:\86206.exe54⤵
- Executes dropped EXE
PID:4648 -
\??\c:\vdjjd.exec:\vdjjd.exe55⤵
- Executes dropped EXE
PID:4940 -
\??\c:\4448266.exec:\4448266.exe56⤵
- Executes dropped EXE
PID:544 -
\??\c:\jdvpd.exec:\jdvpd.exe57⤵
- Executes dropped EXE
PID:2268 -
\??\c:\42242.exec:\42242.exe58⤵
- Executes dropped EXE
PID:3720 -
\??\c:\u400006.exec:\u400006.exe59⤵
- Executes dropped EXE
PID:3336 -
\??\c:\04662.exec:\04662.exe60⤵
- Executes dropped EXE
PID:2220 -
\??\c:\9dvjv.exec:\9dvjv.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1284 -
\??\c:\406662.exec:\406662.exe62⤵
- Executes dropped EXE
PID:3592 -
\??\c:\hbtbnb.exec:\hbtbnb.exe63⤵
- Executes dropped EXE
PID:648 -
\??\c:\22826.exec:\22826.exe64⤵
- Executes dropped EXE
PID:2076 -
\??\c:\ffrlrrr.exec:\ffrlrrr.exe65⤵
- Executes dropped EXE
PID:4316 -
\??\c:\260860.exec:\260860.exe66⤵PID:3056
-
\??\c:\nntthh.exec:\nntthh.exe67⤵
- System Location Discovery: System Language Discovery
PID:5040 -
\??\c:\httnbt.exec:\httnbt.exe68⤵PID:1328
-
\??\c:\rlrflxr.exec:\rlrflxr.exe69⤵PID:3556
-
\??\c:\w40442.exec:\w40442.exe70⤵PID:1424
-
\??\c:\5llfrlf.exec:\5llfrlf.exe71⤵PID:3536
-
\??\c:\flllxrl.exec:\flllxrl.exe72⤵PID:756
-
\??\c:\dppjp.exec:\dppjp.exe73⤵PID:1104
-
\??\c:\9tnbnb.exec:\9tnbnb.exe74⤵PID:560
-
\??\c:\062644.exec:\062644.exe75⤵PID:2200
-
\??\c:\xlfrffr.exec:\xlfrffr.exe76⤵PID:3452
-
\??\c:\m6208.exec:\m6208.exe77⤵PID:4980
-
\??\c:\9frlxrl.exec:\9frlxrl.exe78⤵PID:2252
-
\??\c:\80488.exec:\80488.exe79⤵PID:1888
-
\??\c:\3ppdv.exec:\3ppdv.exe80⤵PID:4988
-
\??\c:\hhtnbt.exec:\hhtnbt.exe81⤵PID:5092
-
\??\c:\thhbnn.exec:\thhbnn.exe82⤵PID:4864
-
\??\c:\lllxrlf.exec:\lllxrlf.exe83⤵PID:2272
-
\??\c:\thnbbn.exec:\thnbbn.exe84⤵PID:5096
-
\??\c:\q80460.exec:\q80460.exe85⤵PID:3320
-
\??\c:\o408642.exec:\o408642.exe86⤵PID:532
-
\??\c:\c226486.exec:\c226486.exe87⤵PID:4872
-
\??\c:\vppdp.exec:\vppdp.exe88⤵PID:3456
-
\??\c:\88420.exec:\88420.exe89⤵PID:3304
-
\??\c:\btbtnn.exec:\btbtnn.exe90⤵PID:4436
-
\??\c:\6244220.exec:\6244220.exe91⤵PID:3144
-
\??\c:\llrlffx.exec:\llrlffx.exe92⤵PID:1272
-
\??\c:\08860.exec:\08860.exe93⤵PID:2900
-
\??\c:\9jdvj.exec:\9jdvj.exe94⤵PID:3712
-
\??\c:\xrxlfxf.exec:\xrxlfxf.exe95⤵PID:2824
-
\??\c:\lxxrfxl.exec:\lxxrfxl.exe96⤵PID:352
-
\??\c:\g8260.exec:\g8260.exe97⤵PID:4400
-
\??\c:\frfrlfl.exec:\frfrlfl.exe98⤵PID:1984
-
\??\c:\rfxrfxl.exec:\rfxrfxl.exe99⤵PID:2808
-
\??\c:\422082.exec:\422082.exe100⤵PID:3308
-
\??\c:\3hbnbt.exec:\3hbnbt.exe101⤵PID:3252
-
\??\c:\lrrfrrl.exec:\lrrfrrl.exe102⤵PID:3000
-
\??\c:\628226.exec:\628226.exe103⤵PID:2064
-
\??\c:\604426.exec:\604426.exe104⤵PID:4180
-
\??\c:\lrrllfx.exec:\lrrllfx.exe105⤵PID:4744
-
\??\c:\6848822.exec:\6848822.exe106⤵PID:980
-
\??\c:\vppjj.exec:\vppjj.exe107⤵PID:1304
-
\??\c:\2026666.exec:\2026666.exe108⤵PID:2756
-
\??\c:\02882.exec:\02882.exe109⤵PID:4616
-
\??\c:\6008822.exec:\6008822.exe110⤵PID:3016
-
\??\c:\vdjdd.exec:\vdjdd.exe111⤵PID:2616
-
\??\c:\tbbnbt.exec:\tbbnbt.exe112⤵PID:1940
-
\??\c:\08864.exec:\08864.exe113⤵
- System Location Discovery: System Language Discovery
PID:1672 -
\??\c:\246044.exec:\246044.exe114⤵PID:3664
-
\??\c:\thhbnh.exec:\thhbnh.exe115⤵PID:2268
-
\??\c:\tbhthb.exec:\tbhthb.exe116⤵PID:2148
-
\??\c:\vvdvj.exec:\vvdvj.exe117⤵PID:4804
-
\??\c:\m2608.exec:\m2608.exe118⤵PID:3792
-
\??\c:\nhhthh.exec:\nhhthh.exe119⤵PID:4996
-
\??\c:\6208664.exec:\6208664.exe120⤵PID:2360
-
\??\c:\828840.exec:\828840.exe121⤵PID:2904
-
\??\c:\8424882.exec:\8424882.exe122⤵PID:4428