Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 06:40
Static task
static1
Behavioral task
behavioral1
Sample
82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba.exe
Resource
win7-20240903-en
General
-
Target
82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba.exe
-
Size
453KB
-
MD5
c31c82689bfd832165f324cd0fe7680b
-
SHA1
ec50b33342ec64f8d92eebbc351ac74449671d36
-
SHA256
82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba
-
SHA512
4125e4dbaed9a2282d222b45f3c7039d91f9f7c581afb9516e3e1e6f745c369257d3c8feacf74497a397766739402f2168f476decf31befea014202f37af58f4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1956-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2584-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5064-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-928-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-1100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-1165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-1375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-1533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1720 9vvpp.exe 3472 nhnhbb.exe 552 04802.exe 2680 2248226.exe 5060 60048.exe 3036 u064484.exe 2040 tbbttn.exe 4248 6882626.exe 4068 204260.exe 2856 btbtbt.exe 3524 848082.exe 1228 5jdvp.exe 4400 pvppj.exe 4788 228260.exe 4048 w66860.exe 4904 lrlxfxl.exe 2392 644260.exe 3228 q24666.exe 1800 lrlxlfr.exe 2648 60086.exe 1196 k44864.exe 3012 8226482.exe 1708 xllfxrl.exe 4492 8442000.exe 1580 ntbtnh.exe 1064 1xxrllf.exe 3292 jjddv.exe 1424 222266.exe 800 w24866.exe 2940 1jjdp.exe 4960 3lfxrll.exe 4724 c466228.exe 3200 24060.exe 1724 xllfrlf.exe 512 48888.exe 1928 66082.exe 4624 ddppj.exe 4872 20662.exe 3708 446666.exe 3268 pdjdd.exe 2764 484424.exe 4012 3rrlxxr.exe 1192 2404882.exe 4708 84448.exe 4168 4246448.exe 1924 a2828.exe 4524 i888664.exe 1468 26484.exe 2304 k02222.exe 4868 04606.exe 2108 62482.exe 1376 a8442.exe 3616 llfxllf.exe 1888 pdjpj.exe 3204 020488.exe 3552 9ddvj.exe 396 7vdvj.exe 3480 flllllr.exe 460 u286884.exe 4316 0666222.exe 2584 7pjdv.exe 1968 62482.exe 2592 22826.exe 4248 xxrfrlf.exe -
resource yara_rule behavioral2/memory/1956-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2108-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1824-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-928-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-1100-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8686206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4220820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2042020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0826260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e88888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2042044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2804608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k44082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c408608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 1720 1956 82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba.exe 85 PID 1956 wrote to memory of 1720 1956 82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba.exe 85 PID 1956 wrote to memory of 1720 1956 82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba.exe 85 PID 1720 wrote to memory of 3472 1720 9vvpp.exe 86 PID 1720 wrote to memory of 3472 1720 9vvpp.exe 86 PID 1720 wrote to memory of 3472 1720 9vvpp.exe 86 PID 3472 wrote to memory of 552 3472 nhnhbb.exe 87 PID 3472 wrote to memory of 552 3472 nhnhbb.exe 87 PID 3472 wrote to memory of 552 3472 nhnhbb.exe 87 PID 552 wrote to memory of 2680 552 04802.exe 88 PID 552 wrote to memory of 2680 552 04802.exe 88 PID 552 wrote to memory of 2680 552 04802.exe 88 PID 2680 wrote to memory of 5060 2680 2248226.exe 89 PID 2680 wrote to memory of 5060 2680 2248226.exe 89 PID 2680 wrote to memory of 5060 2680 2248226.exe 89 PID 5060 wrote to memory of 3036 5060 60048.exe 90 PID 5060 wrote to memory of 3036 5060 60048.exe 90 PID 5060 wrote to memory of 3036 5060 60048.exe 90 PID 3036 wrote to memory of 2040 3036 u064484.exe 91 PID 3036 wrote to memory of 2040 3036 u064484.exe 91 PID 3036 wrote to memory of 2040 3036 u064484.exe 91 PID 2040 wrote to memory of 4248 2040 tbbttn.exe 148 PID 2040 wrote to memory of 4248 2040 tbbttn.exe 148 PID 2040 wrote to memory of 4248 2040 tbbttn.exe 148 PID 4248 wrote to memory of 4068 4248 6882626.exe 93 PID 4248 wrote to memory of 4068 4248 6882626.exe 93 PID 4248 wrote to memory of 4068 4248 6882626.exe 93 PID 4068 wrote to memory of 2856 4068 204260.exe 94 PID 4068 wrote to memory of 2856 4068 204260.exe 94 PID 4068 wrote to memory of 2856 4068 204260.exe 94 PID 2856 wrote to memory of 3524 2856 btbtbt.exe 95 PID 2856 wrote to memory of 3524 2856 btbtbt.exe 95 PID 2856 wrote to memory of 3524 2856 btbtbt.exe 95 PID 3524 wrote to memory of 1228 3524 848082.exe 96 PID 3524 wrote to memory 
of 1228 3524 848082.exe 96 PID 3524 wrote to memory of 1228 3524 848082.exe 96 PID 1228 wrote to memory of 4400 1228 5jdvp.exe 97 PID 1228 wrote to memory of 4400 1228 5jdvp.exe 97 PID 1228 wrote to memory of 4400 1228 5jdvp.exe 97 PID 4400 wrote to memory of 4788 4400 pvppj.exe 98 PID 4400 wrote to memory of 4788 4400 pvppj.exe 98 PID 4400 wrote to memory of 4788 4400 pvppj.exe 98 PID 4788 wrote to memory of 4048 4788 228260.exe 99 PID 4788 wrote to memory of 4048 4788 228260.exe 99 PID 4788 wrote to memory of 4048 4788 228260.exe 99 PID 4048 wrote to memory of 4904 4048 w66860.exe 100 PID 4048 wrote to memory of 4904 4048 w66860.exe 100 PID 4048 wrote to memory of 4904 4048 w66860.exe 100 PID 4904 wrote to memory of 2392 4904 lrlxfxl.exe 101 PID 4904 wrote to memory of 2392 4904 lrlxfxl.exe 101 PID 4904 wrote to memory of 2392 4904 lrlxfxl.exe 101 PID 2392 wrote to memory of 3228 2392 644260.exe 102 PID 2392 wrote to memory of 3228 2392 644260.exe 102 PID 2392 wrote to memory of 3228 2392 644260.exe 102 PID 3228 wrote to memory of 1800 3228 q24666.exe 103 PID 3228 wrote to memory of 1800 3228 q24666.exe 103 PID 3228 wrote to memory of 1800 3228 q24666.exe 103 PID 1800 wrote to memory of 2648 1800 lrlxlfr.exe 104 PID 1800 wrote to memory of 2648 1800 lrlxlfr.exe 104 PID 1800 wrote to memory of 2648 1800 lrlxlfr.exe 104 PID 2648 wrote to memory of 1196 2648 60086.exe 105 PID 2648 wrote to memory of 1196 2648 60086.exe 105 PID 2648 wrote to memory of 1196 2648 60086.exe 105 PID 1196 wrote to memory of 3012 1196 k44864.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba.exe"C:\Users\Admin\AppData\Local\Temp\82e0289334bdbeaaa422b046ef8e78070a82cc6037a096276b80d4a4f9441eba.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\9vvpp.exec:\9vvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\nhnhbb.exec:\nhnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\04802.exec:\04802.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\2248226.exec:\2248226.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\60048.exec:\60048.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\u064484.exec:\u064484.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\tbbttn.exec:\tbbttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\6882626.exec:\6882626.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\204260.exec:\204260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\btbtbt.exec:\btbtbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\848082.exec:\848082.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\5jdvp.exec:\5jdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\pvppj.exec:\pvppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\228260.exec:\228260.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\w66860.exec:\w66860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\lrlxfxl.exec:\lrlxfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\644260.exec:\644260.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\q24666.exec:\q24666.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\lrlxlfr.exec:\lrlxlfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\60086.exec:\60086.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\k44864.exec:\k44864.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\8226482.exec:\8226482.exe23⤵
- Executes dropped EXE
PID:3012 -
\??\c:\xllfxrl.exec:\xllfxrl.exe24⤵
- Executes dropped EXE
PID:1708 -
\??\c:\8442000.exec:\8442000.exe25⤵
- Executes dropped EXE
PID:4492 -
\??\c:\ntbtnh.exec:\ntbtnh.exe26⤵
- Executes dropped EXE
PID:1580 -
\??\c:\1xxrllf.exec:\1xxrllf.exe27⤵
- Executes dropped EXE
PID:1064 -
\??\c:\jjddv.exec:\jjddv.exe28⤵
- Executes dropped EXE
PID:3292 -
\??\c:\222266.exec:\222266.exe29⤵
- Executes dropped EXE
PID:1424 -
\??\c:\w24866.exec:\w24866.exe30⤵
- Executes dropped EXE
PID:800 -
\??\c:\1jjdp.exec:\1jjdp.exe31⤵
- Executes dropped EXE
PID:2940 -
\??\c:\3lfxrll.exec:\3lfxrll.exe32⤵
- Executes dropped EXE
PID:4960 -
\??\c:\c466228.exec:\c466228.exe33⤵
- Executes dropped EXE
PID:4724 -
\??\c:\24060.exec:\24060.exe34⤵
- Executes dropped EXE
PID:3200 -
\??\c:\xllfrlf.exec:\xllfrlf.exe35⤵
- Executes dropped EXE
PID:1724 -
\??\c:\48888.exec:\48888.exe36⤵
- Executes dropped EXE
PID:512 -
\??\c:\66082.exec:\66082.exe37⤵
- Executes dropped EXE
PID:1928 -
\??\c:\ddppj.exec:\ddppj.exe38⤵
- Executes dropped EXE
PID:4624 -
\??\c:\20662.exec:\20662.exe39⤵
- Executes dropped EXE
PID:4872 -
\??\c:\446666.exec:\446666.exe40⤵
- Executes dropped EXE
PID:3708 -
\??\c:\pdjdd.exec:\pdjdd.exe41⤵
- Executes dropped EXE
PID:3268 -
\??\c:\484424.exec:\484424.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\3rrlxxr.exec:\3rrlxxr.exe43⤵
- Executes dropped EXE
PID:4012 -
\??\c:\2404882.exec:\2404882.exe44⤵
- Executes dropped EXE
PID:1192 -
\??\c:\84448.exec:\84448.exe45⤵
- Executes dropped EXE
PID:4708 -
\??\c:\4246448.exec:\4246448.exe46⤵
- Executes dropped EXE
PID:4168 -
\??\c:\a2828.exec:\a2828.exe47⤵
- Executes dropped EXE
PID:1924 -
\??\c:\i888664.exec:\i888664.exe48⤵
- Executes dropped EXE
PID:4524 -
\??\c:\26484.exec:\26484.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468 -
\??\c:\k02222.exec:\k02222.exe50⤵
- Executes dropped EXE
PID:2304 -
\??\c:\04606.exec:\04606.exe51⤵
- Executes dropped EXE
PID:4868 -
\??\c:\62482.exec:\62482.exe52⤵
- Executes dropped EXE
PID:2108 -
\??\c:\a8442.exec:\a8442.exe53⤵
- Executes dropped EXE
PID:1376 -
\??\c:\llfxllf.exec:\llfxllf.exe54⤵
- Executes dropped EXE
PID:3616 -
\??\c:\pdjpj.exec:\pdjpj.exe55⤵
- Executes dropped EXE
PID:1888 -
\??\c:\020488.exec:\020488.exe56⤵
- Executes dropped EXE
PID:3204 -
\??\c:\9ddvj.exec:\9ddvj.exe57⤵
- Executes dropped EXE
PID:3552 -
\??\c:\7vdvj.exec:\7vdvj.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:396 -
\??\c:\flllllr.exec:\flllllr.exe59⤵
- Executes dropped EXE
PID:3480 -
\??\c:\u286884.exec:\u286884.exe60⤵
- Executes dropped EXE
PID:460 -
\??\c:\0666222.exec:\0666222.exe61⤵
- Executes dropped EXE
PID:4316 -
\??\c:\7pjdv.exec:\7pjdv.exe62⤵
- Executes dropped EXE
PID:2584 -
\??\c:\62482.exec:\62482.exe63⤵
- Executes dropped EXE
PID:1968 -
\??\c:\22826.exec:\22826.exe64⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xxrfrlf.exec:\xxrfrlf.exe65⤵
- Executes dropped EXE
PID:4248 -
\??\c:\u604608.exec:\u604608.exe66⤵PID:4896
-
\??\c:\s8040.exec:\s8040.exe67⤵PID:2404
-
\??\c:\ttbnbt.exec:\ttbnbt.exe68⤵PID:624
-
\??\c:\dppdv.exec:\dppdv.exe69⤵PID:4064
-
\??\c:\m2264.exec:\m2264.exe70⤵PID:5064
-
\??\c:\400062.exec:\400062.exe71⤵PID:3108
-
\??\c:\4664260.exec:\4664260.exe72⤵PID:4400
-
\??\c:\nbbthh.exec:\nbbthh.exe73⤵PID:3276
-
\??\c:\vdvpj.exec:\vdvpj.exe74⤵PID:796
-
\??\c:\lflxxrr.exec:\lflxxrr.exe75⤵PID:2540
-
\??\c:\06642.exec:\06642.exe76⤵PID:2392
-
\??\c:\3lxrxrl.exec:\3lxrxrl.exe77⤵PID:4072
-
\??\c:\xflxxrf.exec:\xflxxrf.exe78⤵PID:2664
-
\??\c:\vddpj.exec:\vddpj.exe79⤵PID:4512
-
\??\c:\nhnbhb.exec:\nhnbhb.exe80⤵
- System Location Discovery: System Language Discovery
PID:4804 -
\??\c:\bhnbnh.exec:\bhnbnh.exe81⤵PID:4600
-
\??\c:\028886.exec:\028886.exe82⤵PID:1452
-
\??\c:\2042044.exec:\2042044.exe83⤵
- System Location Discovery: System Language Discovery
PID:1580 -
\??\c:\260482.exec:\260482.exe84⤵PID:2472
-
\??\c:\08844.exec:\08844.exe85⤵PID:856
-
\??\c:\6228860.exec:\6228860.exe86⤵PID:800
-
\??\c:\484860.exec:\484860.exe87⤵PID:3164
-
\??\c:\q40004.exec:\q40004.exe88⤵PID:1824
-
\??\c:\pvvjv.exec:\pvvjv.exe89⤵PID:3200
-
\??\c:\bnhhhb.exec:\bnhhhb.exe90⤵PID:4760
-
\??\c:\608420.exec:\608420.exe91⤵PID:1756
-
\??\c:\jdvjd.exec:\jdvjd.exe92⤵PID:4424
-
\??\c:\bhhbtn.exec:\bhhbtn.exe93⤵PID:2484
-
\??\c:\20866.exec:\20866.exe94⤵PID:5000
-
\??\c:\4260860.exec:\4260860.exe95⤵PID:4660
-
\??\c:\9hbthb.exec:\9hbthb.exe96⤵PID:4684
-
\??\c:\3hbnbt.exec:\3hbnbt.exe97⤵PID:1556
-
\??\c:\bbbthb.exec:\bbbthb.exe98⤵PID:2336
-
\??\c:\206482.exec:\206482.exe99⤵PID:1548
-
\??\c:\vjjdp.exec:\vjjdp.exe100⤵PID:4168
-
\??\c:\044860.exec:\044860.exe101⤵PID:1924
-
\??\c:\ddvjv.exec:\ddvjv.exe102⤵PID:2736
-
\??\c:\2464088.exec:\2464088.exe103⤵PID:1468
-
\??\c:\42822.exec:\42822.exe104⤵PID:5024
-
\??\c:\pvvjd.exec:\pvvjd.exe105⤵PID:3940
-
\??\c:\dvpjd.exec:\dvpjd.exe106⤵PID:4312
-
\??\c:\7dvdp.exec:\7dvdp.exe107⤵PID:2152
-
\??\c:\2804608.exec:\2804608.exe108⤵
- System Location Discovery: System Language Discovery
PID:4796 -
\??\c:\xfxrrll.exec:\xfxrrll.exe109⤵PID:3360
-
\??\c:\lfrfrlx.exec:\lfrfrlx.exe110⤵PID:5044
-
\??\c:\2048486.exec:\2048486.exe111⤵PID:4948
-
\??\c:\xlrlrrr.exec:\xlrlrrr.exe112⤵PID:1716
-
\??\c:\6804226.exec:\6804226.exe113⤵PID:4668
-
\??\c:\0406604.exec:\0406604.exe114⤵PID:2680
-
\??\c:\9vdvv.exec:\9vdvv.exe115⤵PID:2396
-
\??\c:\pdjvp.exec:\pdjvp.exe116⤵PID:3884
-
\??\c:\5xlxfxr.exec:\5xlxfxr.exe117⤵PID:3032
-
\??\c:\5vvjv.exec:\5vvjv.exe118⤵PID:3992
-
\??\c:\6060220.exec:\6060220.exe119⤵PID:2604
-
\??\c:\242644.exec:\242644.exe120⤵PID:1868
-
\??\c:\hnbnbt.exec:\hnbnbt.exe121⤵PID:1272
-
\??\c:\1hthnb.exec:\1hthnb.exe122⤵PID:4992