Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
25/12/2024, 23:49
Static task
static1
Behavioral task
behavioral1
Sample
5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe
Resource
win7-20241023-en (Windows 7 image for the behavioral1 task; the signature evidence on this page is labelled behavioral2 and the platform/resource fields above name win10v2004-20241007-en, so read the IoCs below as the Windows 10 run)
General
-
Target
5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe
-
Size
454KB
-
MD5
7b9ab2f2ba6bdddc4f45aefbbae03058
-
SHA1
aa640eda1100d192f273007698bef2a0bd7ec993
-
SHA256
5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657
-
SHA512
7acce99ce7fa63991c964463b790908c2cc8c49ff57141699ac2b8385bd278e83fc2a73437963625bed0d87f2ee1635c3cdacddbcb97f6dc0be9b73b34ef4f98
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe13:q7Tc2NYHUrAwfMp3CD13
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs. Every hit is the same 0x00400000–0x0042A000 image mapping in a different process — the main module of each dropped executable — and the UPX rule further down fires on exactly the same regions, consistent with one UPX-packed Blackmoon payload being re-dropped under a new name at every stage. The MD5/SHA1/SHA256 above identify only the submitted parent; hash the dropped files too if a per-stage file IoC is needed.
resource yara_rule behavioral2/memory/4028-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1048-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4184-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-1102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-1887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64; the process tree below continues to depth 122). Every dropped binary is written directly under the volume root (c:\&lt;name&gt;.exe) with a short pseudo-random name built from a few letters ({b,h,n,t}, {f,l,r,x}, {d,j,p,v}) or digits, sometimes with a single leading letter or digit — executable creation and launch directly under C:\ with such names is a usable detection pivot. PIDs are reused within the run (3428 appears as both 244826.exe and dvpdd.exe, 8 as both m4420.exe and 9jppp.exe), so key any timeline on PID plus start time rather than PID alone.
pid Process 4756 9hntnb.exe 4232 7hbnbh.exe 5068 rffllxx.exe 2488 dppdp.exe 3428 244826.exe 3436 frlfxxl.exe 4216 frfxrlf.exe 2536 bnthtn.exe 1320 28068.exe 2036 204264.exe 4768 lxfxrll.exe 4428 02280.exe 3544 860488.exe 60 rflffff.exe 3704 2844468.exe 1396 pjjdp.exe 2060 g8048.exe 1720 62644.exe 644 ppddj.exe 868 vjpjd.exe 3868 vpjdv.exe 3308 7hnntt.exe 1048 022882.exe 920 jvjdd.exe 4064 i408644.exe 2524 lfxrffr.exe 4900 nhbtnn.exe 2628 68204.exe 1532 088266.exe 3948 424444.exe 1608 vpdjd.exe 2844 6808868.exe 1632 08208.exe 1860 fllfxxr.exe 4040 fflxrll.exe 1368 644600.exe 1080 vvdvj.exe 4852 00608.exe 1208 jjpvd.exe 2616 a8044.exe 4788 0202024.exe 972 ffxlxrf.exe 2920 m4826.exe 4036 xrxrfxr.exe 236 0064820.exe 1688 08426.exe 4388 7ttnnn.exe 4752 5bnhhb.exe 2672 pddvp.exe 4548 o626826.exe 1384 frxrlfx.exe 4540 20220.exe 3428 dvpdd.exe 1196 84004.exe 2704 thbbbh.exe 8 m4420.exe 4988 8848648.exe 2140 862660.exe 2332 646008.exe 2996 s6828.exe 1996 082420.exe 3916 fxlrlrr.exe 648 lrrfrlx.exe 4184 0842604.exe -
resource yara_rule behavioral2/memory/4028-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4064-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-304-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3352-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-866-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. All 64 IoCs are opens of the same key, HKLM\SYSTEM\ControlSet001\Control\NLS\Language; this key is also read by ordinary locale APIs, so the hit is low-fidelity on its own and mainly useful as corroboration. Entries attributed to "Process not Found" are opens whose owning process had already exited when the event was attributed — presumably earlier short-lived stages of the same chain; confirm against the process timeline.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4064646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0442042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8622226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4022000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o460448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (capped at 64). Each entry is a parent writing into the child it has just spawned, three writes per parent→child pair, mirroring the execution chain above; process creation itself produces writes of this shape, so on its own this is evidence of the spawn chain rather than proof of code injection — confirm against the memory dumps before labelling it injection.
description pid Process procid_target PID 4028 wrote to memory of 4756 4028 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe 85 PID 4028 wrote to memory of 4756 4028 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe 85 PID 4028 wrote to memory of 4756 4028 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe 85 PID 4756 wrote to memory of 4232 4756 9hntnb.exe 86 PID 4756 wrote to memory of 4232 4756 9hntnb.exe 86 PID 4756 wrote to memory of 4232 4756 9hntnb.exe 86 PID 4232 wrote to memory of 5068 4232 7hbnbh.exe 87 PID 4232 wrote to memory of 5068 4232 7hbnbh.exe 87 PID 4232 wrote to memory of 5068 4232 7hbnbh.exe 87 PID 5068 wrote to memory of 2488 5068 rffllxx.exe 88 PID 5068 wrote to memory of 2488 5068 rffllxx.exe 88 PID 5068 wrote to memory of 2488 5068 rffllxx.exe 88 PID 2488 wrote to memory of 3428 2488 dppdp.exe 89 PID 2488 wrote to memory of 3428 2488 dppdp.exe 89 PID 2488 wrote to memory of 3428 2488 dppdp.exe 89 PID 3428 wrote to memory of 3436 3428 244826.exe 90 PID 3428 wrote to memory of 3436 3428 244826.exe 90 PID 3428 wrote to memory of 3436 3428 244826.exe 90 PID 3436 wrote to memory of 4216 3436 frlfxxl.exe 91 PID 3436 wrote to memory of 4216 3436 frlfxxl.exe 91 PID 3436 wrote to memory of 4216 3436 frlfxxl.exe 91 PID 4216 wrote to memory of 2536 4216 frfxrlf.exe 92 PID 4216 wrote to memory of 2536 4216 frfxrlf.exe 92 PID 4216 wrote to memory of 2536 4216 frfxrlf.exe 92 PID 2536 wrote to memory of 1320 2536 bnthtn.exe 93 PID 2536 wrote to memory of 1320 2536 bnthtn.exe 93 PID 2536 wrote to memory of 1320 2536 bnthtn.exe 93 PID 1320 wrote to memory of 2036 1320 28068.exe 94 PID 1320 wrote to memory of 2036 1320 28068.exe 94 PID 1320 wrote to memory of 2036 1320 28068.exe 94 PID 2036 wrote to memory of 4768 2036 204264.exe 95 PID 2036 wrote to memory of 4768 2036 204264.exe 95 PID 2036 wrote to memory of 4768 2036 204264.exe 95 PID 4768 wrote to memory of 4428 4768 lxfxrll.exe 96 PID 4768 wrote 
to memory of 4428 4768 lxfxrll.exe 96 PID 4768 wrote to memory of 4428 4768 lxfxrll.exe 96 PID 4428 wrote to memory of 3544 4428 02280.exe 97 PID 4428 wrote to memory of 3544 4428 02280.exe 97 PID 4428 wrote to memory of 3544 4428 02280.exe 97 PID 3544 wrote to memory of 60 3544 860488.exe 98 PID 3544 wrote to memory of 60 3544 860488.exe 98 PID 3544 wrote to memory of 60 3544 860488.exe 98 PID 60 wrote to memory of 3704 60 rflffff.exe 99 PID 60 wrote to memory of 3704 60 rflffff.exe 99 PID 60 wrote to memory of 3704 60 rflffff.exe 99 PID 3704 wrote to memory of 1396 3704 2844468.exe 100 PID 3704 wrote to memory of 1396 3704 2844468.exe 100 PID 3704 wrote to memory of 1396 3704 2844468.exe 100 PID 1396 wrote to memory of 2060 1396 pjjdp.exe 101 PID 1396 wrote to memory of 2060 1396 pjjdp.exe 101 PID 1396 wrote to memory of 2060 1396 pjjdp.exe 101 PID 2060 wrote to memory of 1720 2060 g8048.exe 102 PID 2060 wrote to memory of 1720 2060 g8048.exe 102 PID 2060 wrote to memory of 1720 2060 g8048.exe 102 PID 1720 wrote to memory of 644 1720 62644.exe 103 PID 1720 wrote to memory of 644 1720 62644.exe 103 PID 1720 wrote to memory of 644 1720 62644.exe 103 PID 644 wrote to memory of 868 644 ppddj.exe 104 PID 644 wrote to memory of 868 644 ppddj.exe 104 PID 644 wrote to memory of 868 644 ppddj.exe 104 PID 868 wrote to memory of 3868 868 vjpjd.exe 105 PID 868 wrote to memory of 3868 868 vjpjd.exe 105 PID 868 wrote to memory of 3868 868 vjpjd.exe 105 PID 3868 wrote to memory of 3308 3868 vpjdv.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe"C:\Users\Admin\AppData\Local\Temp\5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\9hntnb.exec:\9hntnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\7hbnbh.exec:\7hbnbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\rffllxx.exec:\rffllxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\dppdp.exec:\dppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\244826.exec:\244826.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\frlfxxl.exec:\frlfxxl.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\frfxrlf.exec:\frfxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\bnthtn.exec:\bnthtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\28068.exec:\28068.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\204264.exec:\204264.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\lxfxrll.exec:\lxfxrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\02280.exec:\02280.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\860488.exec:\860488.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\rflffff.exec:\rflffff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\2844468.exec:\2844468.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\pjjdp.exec:\pjjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\g8048.exec:\g8048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\62644.exec:\62644.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\ppddj.exec:\ppddj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\vjpjd.exec:\vjpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\vpjdv.exec:\vpjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\7hnntt.exec:\7hnntt.exe23⤵
- Executes dropped EXE
PID:3308 -
\??\c:\022882.exec:\022882.exe24⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jvjdd.exec:\jvjdd.exe25⤵
- Executes dropped EXE
PID:920 -
\??\c:\i408644.exec:\i408644.exe26⤵
- Executes dropped EXE
PID:4064 -
\??\c:\lfxrffr.exec:\lfxrffr.exe27⤵
- Executes dropped EXE
PID:2524 -
\??\c:\nhbtnn.exec:\nhbtnn.exe28⤵
- Executes dropped EXE
PID:4900 -
\??\c:\68204.exec:\68204.exe29⤵
- Executes dropped EXE
PID:2628 -
\??\c:\088266.exec:\088266.exe30⤵
- Executes dropped EXE
PID:1532 -
\??\c:\424444.exec:\424444.exe31⤵
- Executes dropped EXE
PID:3948 -
\??\c:\vpdjd.exec:\vpdjd.exe32⤵
- Executes dropped EXE
PID:1608 -
\??\c:\6808868.exec:\6808868.exe33⤵
- Executes dropped EXE
PID:2844 -
\??\c:\08208.exec:\08208.exe34⤵
- Executes dropped EXE
PID:1632 -
\??\c:\fllfxxr.exec:\fllfxxr.exe35⤵
- Executes dropped EXE
PID:1860 -
\??\c:\fflxrll.exec:\fflxrll.exe36⤵
- Executes dropped EXE
PID:4040 -
\??\c:\644600.exec:\644600.exe37⤵
- Executes dropped EXE
PID:1368 -
\??\c:\vvdvj.exec:\vvdvj.exe38⤵
- Executes dropped EXE
PID:1080 -
\??\c:\00608.exec:\00608.exe39⤵
- Executes dropped EXE
PID:4852 -
\??\c:\jjpvd.exec:\jjpvd.exe40⤵
- Executes dropped EXE
PID:1208 -
\??\c:\a8044.exec:\a8044.exe41⤵
- Executes dropped EXE
PID:2616 -
\??\c:\0202024.exec:\0202024.exe42⤵
- Executes dropped EXE
PID:4788 -
\??\c:\ffxlxrf.exec:\ffxlxrf.exe43⤵
- Executes dropped EXE
PID:972 -
\??\c:\m4826.exec:\m4826.exe44⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xrxrfxr.exec:\xrxrfxr.exe45⤵
- Executes dropped EXE
PID:4036 -
\??\c:\0064820.exec:\0064820.exe46⤵
- Executes dropped EXE
PID:236 -
\??\c:\08426.exec:\08426.exe47⤵
- Executes dropped EXE
PID:1688 -
\??\c:\7ttnnn.exec:\7ttnnn.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4388 -
\??\c:\5bnhhb.exec:\5bnhhb.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4752 -
\??\c:\pddvp.exec:\pddvp.exe50⤵
- Executes dropped EXE
PID:2672 -
\??\c:\o626826.exec:\o626826.exe51⤵
- Executes dropped EXE
PID:4548 -
\??\c:\frxrlfx.exec:\frxrlfx.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1384 -
\??\c:\20220.exec:\20220.exe53⤵
- Executes dropped EXE
PID:4540 -
\??\c:\dvpdd.exec:\dvpdd.exe54⤵
- Executes dropped EXE
PID:3428 -
\??\c:\84004.exec:\84004.exe55⤵
- Executes dropped EXE
PID:1196 -
\??\c:\thbbbh.exec:\thbbbh.exe56⤵
- Executes dropped EXE
PID:2704 -
\??\c:\m4420.exec:\m4420.exe57⤵
- Executes dropped EXE
PID:8 -
\??\c:\8848648.exec:\8848648.exe58⤵
- Executes dropped EXE
PID:4988 -
\??\c:\862660.exec:\862660.exe59⤵
- Executes dropped EXE
PID:2140 -
\??\c:\646008.exec:\646008.exe60⤵
- Executes dropped EXE
PID:2332 -
\??\c:\s6828.exec:\s6828.exe61⤵
- Executes dropped EXE
PID:2996 -
\??\c:\082420.exec:\082420.exe62⤵
- Executes dropped EXE
PID:1996 -
\??\c:\fxlrlrr.exec:\fxlrlrr.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3916 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe64⤵
- Executes dropped EXE
PID:648 -
\??\c:\0842604.exec:\0842604.exe65⤵
- Executes dropped EXE
PID:4184 -
\??\c:\2048264.exec:\2048264.exe66⤵PID:3696
-
\??\c:\4288662.exec:\4288662.exe67⤵PID:1952
-
\??\c:\088642.exec:\088642.exe68⤵PID:1144
-
\??\c:\00602.exec:\00602.exe69⤵PID:2212
-
\??\c:\jdjvj.exec:\jdjvj.exe70⤵PID:4564
-
\??\c:\2282648.exec:\2282648.exe71⤵PID:3352
-
\??\c:\1ppdv.exec:\1ppdv.exe72⤵PID:1340
-
\??\c:\lffxxrl.exec:\lffxxrl.exe73⤵PID:1192
-
\??\c:\vvvpd.exec:\vvvpd.exe74⤵PID:868
-
\??\c:\64428.exec:\64428.exe75⤵PID:3700
-
\??\c:\9jvjd.exec:\9jvjd.exe76⤵PID:5032
-
\??\c:\8624260.exec:\8624260.exe77⤵PID:2044
-
\??\c:\42024.exec:\42024.exe78⤵PID:388
-
\??\c:\4064826.exec:\4064826.exe79⤵PID:3100
-
\??\c:\ttbbbh.exec:\ttbbbh.exe80⤵PID:3908
-
\??\c:\a6202.exec:\a6202.exe81⤵PID:4584
-
\??\c:\w28264.exec:\w28264.exe82⤵PID:5048
-
\??\c:\lffrfxr.exec:\lffrfxr.exe83⤵PID:3332
-
\??\c:\688204.exec:\688204.exe84⤵PID:2492
-
\??\c:\e48204.exec:\e48204.exe85⤵PID:1748
-
\??\c:\jddpd.exec:\jddpd.exe86⤵PID:4440
-
\??\c:\o286048.exec:\o286048.exe87⤵PID:4076
-
\??\c:\3rfrfxx.exec:\3rfrfxx.exe88⤵PID:444
-
\??\c:\jddvj.exec:\jddvj.exe89⤵PID:2432
-
\??\c:\7bbnht.exec:\7bbnht.exe90⤵PID:2820
-
\??\c:\g6664.exec:\g6664.exe91⤵PID:4436
-
\??\c:\200442.exec:\200442.exe92⤵PID:3000
-
\??\c:\42482.exec:\42482.exe93⤵PID:4824
-
\??\c:\hnthth.exec:\hnthth.exe94⤵PID:3548
-
\??\c:\8888608.exec:\8888608.exe95⤵PID:116
-
\??\c:\vpjvp.exec:\vpjvp.exe96⤵PID:556
-
\??\c:\9hnbbt.exec:\9hnbbt.exe97⤵PID:4648
-
\??\c:\vpvpj.exec:\vpvpj.exe98⤵PID:4560
-
\??\c:\frxlxxl.exec:\frxlxxl.exe99⤵PID:4444
-
\??\c:\48448.exec:\48448.exe100⤵PID:1536
-
\??\c:\5vvpd.exec:\5vvpd.exe101⤵PID:4360
-
\??\c:\1bthbt.exec:\1bthbt.exe102⤵PID:4412
-
\??\c:\k68248.exec:\k68248.exe103⤵PID:4572
-
\??\c:\88486.exec:\88486.exe104⤵PID:3212
-
\??\c:\2626000.exec:\2626000.exe105⤵PID:3984
-
\??\c:\c482266.exec:\c482266.exe106⤵PID:3404
-
\??\c:\llllllf.exec:\llllllf.exe107⤵PID:2276
-
\??\c:\24226.exec:\24226.exe108⤵PID:3048
-
\??\c:\2844222.exec:\2844222.exe109⤵PID:3440
-
\??\c:\7rfxrrr.exec:\7rfxrrr.exe110⤵PID:5068
-
\??\c:\xfxxrlr.exec:\xfxxrlr.exe111⤵PID:2068
-
\??\c:\3hnhbt.exec:\3hnhbt.exe112⤵PID:4984
-
\??\c:\jdvpp.exec:\jdvpp.exe113⤵PID:4420
-
\??\c:\c682660.exec:\c682660.exe114⤵PID:2900
-
\??\c:\828222.exec:\828222.exe115⤵PID:3988
-
\??\c:\jjdjv.exec:\jjdjv.exe116⤵PID:5036
-
\??\c:\e40422.exec:\e40422.exe117⤵PID:4216
-
\??\c:\9jppp.exec:\9jppp.exe118⤵PID:8
-
\??\c:\q68604.exec:\q68604.exe119⤵PID:4988
-
\??\c:\1rxrrrx.exec:\1rxrrrx.exe120⤵PID:4504
-
\??\c:\480060.exec:\480060.exe121⤵PID:3452
-
\??\c:\08442.exec:\08442.exe122⤵PID:4280