Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2024, 08:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: c48adbaf41588c967a227cb4527ac1ad3112f48bf525e76d5b314369fb8ed965.exe
- Resource: win7-20240903-en
General
- Target: c48adbaf41588c967a227cb4527ac1ad3112f48bf525e76d5b314369fb8ed965.exe
- Size: 456KB
- MD5: e3bebd5248980c4b3181392de3867535
- SHA1: eddefbbb87e6e6cf2f9f870aae130a07369c489c
- SHA256: c48adbaf41588c967a227cb4527ac1ad3112f48bf525e76d5b314369fb8ed965
- SHA512: e17595173bda3392c361e22b91318118f91b752f08df509d89436080719fdc3cb5f5511985bc1d8af0a6bde158fc63c510c9958bf7d5c9605b8bb9e9a4d3bbe6
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR5:q7Tc2NYHUrAwfMp3CDR5
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (63 IoCs)
- Executes dropped EXE (64 IoCs)
- yara_rule upx: UPX packer signature matched in process memory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each line is a child of the line above it (the number is the depth in the process tree): image path, command line, PID, and the signatures it triggered.
1. C:\Users\Admin\AppData\Local\Temp\c48adbaf41588c967a227cb4527ac1ad3112f48bf525e76d5b314369fb8ed965.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\c48adbaf41588c967a227cb4527ac1ad3112f48bf525e76d5b314369fb8ed965.exe")  PID 1620  [Suspicious use of WriteProcessMemory]
2. \??\c:\20860.exe  (cmd: c:\20860.exe)  PID 4212  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3. \??\c:\668604.exe  (cmd: c:\668604.exe)  PID 3296  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4. \??\c:\82648.exe  (cmd: c:\82648.exe)  PID 4852  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5. \??\c:\g2004.exe  (cmd: c:\g2004.exe)  PID 2728  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6. \??\c:\nbthbh.exe  (cmd: c:\nbthbh.exe)  PID 5040  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7. \??\c:\1dpjv.exe  (cmd: c:\1dpjv.exe)  PID 772  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8. \??\c:\c842042.exe  (cmd: c:\c842042.exe)  PID 4504  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9. \??\c:\846486.exe  (cmd: c:\846486.exe)  PID 4776  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10. \??\c:\lrxlxfr.exe  (cmd: c:\lrxlxfr.exe)  PID 3164  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11. \??\c:\5nhbtt.exe  (cmd: c:\5nhbtt.exe)  PID 904  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12. \??\c:\jdpjv.exe  (cmd: c:\jdpjv.exe)  PID 4532  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13. \??\c:\06220.exe  (cmd: c:\06220.exe)  PID 2324  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14. \??\c:\9rlxlfr.exe  (cmd: c:\9rlxlfr.exe)  PID 3080  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15. \??\c:\0064860.exe  (cmd: c:\0064860.exe)  PID 2936  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16. \??\c:\8626084.exe  (cmd: c:\8626084.exe)  PID 3668  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17. \??\c:\4288260.exe  (cmd: c:\4288260.exe)  PID 3880  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18. \??\c:\tthbtt.exe  (cmd: c:\tthbtt.exe)  PID 4112  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19. \??\c:\ntbnhb.exe  (cmd: c:\ntbnhb.exe)  PID 1624  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20. \??\c:\24206.exe  (cmd: c:\24206.exe)  PID 1128  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21. \??\c:\s8422.exe  (cmd: c:\s8422.exe)  PID 5116  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22. \??\c:\jjddj.exe  (cmd: c:\jjddj.exe)  PID 3588  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23. \??\c:\e22426.exe  (cmd: c:\e22426.exe)  PID 2656  [Executes dropped EXE]
24. \??\c:\m6084.exe  (cmd: c:\m6084.exe)  PID 2448  [Executes dropped EXE]
25. \??\c:\444848.exe  (cmd: c:\444848.exe)  PID 3584  [Executes dropped EXE]
26. \??\c:\4280086.exe  (cmd: c:\4280086.exe)  PID 2212  [Executes dropped EXE]
27. \??\c:\66660.exe  (cmd: c:\66660.exe)  PID 2200  [Executes dropped EXE]
28. \??\c:\1thbbb.exe  (cmd: c:\1thbbb.exe)  PID 4128  [Executes dropped EXE]
29. \??\c:\thtnbn.exe  (cmd: c:\thtnbn.exe)  PID 5080  [Executes dropped EXE]
30. \??\c:\0420646.exe  (cmd: c:\0420646.exe)  PID 116  [Executes dropped EXE]
31. \??\c:\jpdjj.exe  (cmd: c:\jpdjj.exe)  PID 1520  [Executes dropped EXE]
32. \??\c:\488444.exe  (cmd: c:\488444.exe)  PID 3136  [Executes dropped EXE]
33. \??\c:\26822.exe  (cmd: c:\26822.exe)  PID 1568  [Executes dropped EXE]
34. \??\c:\1rrfxrf.exe  (cmd: c:\1rrfxrf.exe)  PID 1732  [Executes dropped EXE]
35. \??\c:\462004.exe  (cmd: c:\462004.exe)  PID 3496  [Executes dropped EXE]
36. \??\c:\lxllrrr.exe  (cmd: c:\lxllrrr.exe)  PID 3892  [Executes dropped EXE]
37. \??\c:\nhhhbb.exe  (cmd: c:\nhhhbb.exe)  PID 3836  [Executes dropped EXE]
38. \??\c:\3vvpj.exe  (cmd: c:\3vvpj.exe)  PID 3840  [Executes dropped EXE]
39. \??\c:\3lxrrlr.exe  (cmd: c:\3lxrrlr.exe)  PID 4568  [Executes dropped EXE]
40. \??\c:\nhnhhb.exe  (cmd: c:\nhnhhb.exe)  PID 1644  [Executes dropped EXE]
41. \??\c:\ddjjd.exe  (cmd: c:\ddjjd.exe)  PID 1436  [Executes dropped EXE]
42. \??\c:\pjvpv.exe  (cmd: c:\pjvpv.exe)  PID 3744  [Executes dropped EXE]
43. \??\c:\48426.exe  (cmd: c:\48426.exe)  PID 3508  [Executes dropped EXE]
44. \??\c:\xfrlrrl.exe  (cmd: c:\xfrlrrl.exe)  PID 1940  [Executes dropped EXE; System Location Discovery: System Language Discovery]
45. \??\c:\6446420.exe  (cmd: c:\6446420.exe)  PID 5000  [Executes dropped EXE]
46. \??\c:\lrlxlff.exe  (cmd: c:\lrlxlff.exe)  PID 1284  [Executes dropped EXE]
47. \??\c:\o482042.exe  (cmd: c:\o482042.exe)  PID 4340  [Executes dropped EXE]
48. \??\c:\40086.exe  (cmd: c:\40086.exe)  PID 4180  [Executes dropped EXE]
49. \??\c:\2648826.exe  (cmd: c:\2648826.exe)  PID 4360  [Executes dropped EXE]
50. \??\c:\bhhtht.exe  (cmd: c:\bhhtht.exe)  PID 4052  [Executes dropped EXE]
51. \??\c:\e66882.exe  (cmd: c:\e66882.exe)  PID 2700  [Executes dropped EXE]
52. \??\c:\42664.exe  (cmd: c:\42664.exe)  PID 1748  [Executes dropped EXE]
53. \??\c:\6222604.exe  (cmd: c:\6222604.exe)  PID 3944  [Executes dropped EXE]
54. \??\c:\u446486.exe  (cmd: c:\u446486.exe)  PID 4940  [Executes dropped EXE]
55. \??\c:\240804.exe  (cmd: c:\240804.exe)  PID 4448  [Executes dropped EXE]
56. \??\c:\4226826.exe  (cmd: c:\4226826.exe)  PID 1944  [Executes dropped EXE]
57. \??\c:\thbttt.exe  (cmd: c:\thbttt.exe)  PID 3468  [Executes dropped EXE]
58. \??\c:\88264.exe  (cmd: c:\88264.exe)  PID 1968  [Executes dropped EXE; System Location Discovery: System Language Discovery]
59. \??\c:\nnnbth.exe  (cmd: c:\nnnbth.exe)  PID 2228  [Executes dropped EXE; System Location Discovery: System Language Discovery]
60. \??\c:\1dvdp.exe  (cmd: c:\1dvdp.exe)  PID 1844  [Executes dropped EXE]
61. \??\c:\044804.exe  (cmd: c:\044804.exe)  PID 2580  [Executes dropped EXE]
62. \??\c:\ntbnbn.exe  (cmd: c:\ntbnbn.exe)  PID 4484  [Executes dropped EXE]
63. \??\c:\048266.exe  (cmd: c:\048266.exe)  PID 2556  [Executes dropped EXE]
64. \??\c:\4600008.exe  (cmd: c:\4600008.exe)  PID 2312  [Executes dropped EXE]
65. \??\c:\24864.exe  (cmd: c:\24864.exe)  PID 5056  [Executes dropped EXE]
66. \??\c:\262086.exe  (cmd: c:\262086.exe)  PID 3052
67. \??\c:\6842866.exe  (cmd: c:\6842866.exe)  PID 2324
68. \??\c:\vpvjd.exe  (cmd: c:\vpvjd.exe)  PID 3104
69. \??\c:\fllxlfr.exe  (cmd: c:\fllxlfr.exe)  PID 4548
70. \??\c:\40048.exe  (cmd: c:\40048.exe)  PID 5072
71. \??\c:\0488664.exe  (cmd: c:\0488664.exe)  PID 5104
72. \??\c:\088260.exe  (cmd: c:\088260.exe)  PID 1476
73. \??\c:\rfxlxrf.exe  (cmd: c:\rfxlxrf.exe)  PID 4112
74. \??\c:\c846086.exe  (cmd: c:\c846086.exe)  PID 3824
75. \??\c:\046648.exe  (cmd: c:\046648.exe)  PID 3060
76. \??\c:\44826.exe  (cmd: c:\44826.exe)  PID 1128
77. \??\c:\0484260.exe  (cmd: c:\0484260.exe)  PID 5116
78. \??\c:\jddpd.exe  (cmd: c:\jddpd.exe)  PID 3976
79. \??\c:\nhbnbt.exe  (cmd: c:\nhbnbt.exe)  PID 4736
80. \??\c:\xlrffxr.exe  (cmd: c:\xlrffxr.exe)  PID 1196
81. \??\c:\60642.exe  (cmd: c:\60642.exe)  PID 3532
82. \??\c:\4220804.exe  (cmd: c:\4220804.exe)  PID 3436
83. \??\c:\840488.exe  (cmd: c:\840488.exe)  PID 4104
84. \??\c:\0868826.exe  (cmd: c:\0868826.exe)  PID 3472
85. \??\c:\btbttn.exe  (cmd: c:\btbttn.exe)  PID 3708
86. \??\c:\s8246.exe  (cmd: c:\s8246.exe)  PID 2156
87. \??\c:\9nnbtt.exe  (cmd: c:\9nnbtt.exe)  PID 344
88. \??\c:\lflflfl.exe  (cmd: c:\lflflfl.exe)  PID 876
89. \??\c:\1ffxlfr.exe  (cmd: c:\1ffxlfr.exe)  PID 5052
90. \??\c:\6064826.exe  (cmd: c:\6064826.exe)  PID 3412
91. \??\c:\hbhthb.exe  (cmd: c:\hbhthb.exe)  PID 1680
92. \??\c:\m4246.exe  (cmd: c:\m4246.exe)  PID 836
93. \??\c:\lxlfxrf.exe  (cmd: c:\lxlfxrf.exe)  PID 4036
94. \??\c:\064822.exe  (cmd: c:\064822.exe)  PID 2368
95. \??\c:\dvdvj.exe  (cmd: c:\dvdvj.exe)  PID 2488
96. \??\c:\3lxxxxx.exe  (cmd: c:\3lxxxxx.exe)  PID 740
97. \??\c:\62822.exe  (cmd: c:\62822.exe)  PID 3388
98. \??\c:\jvdpp.exe  (cmd: c:\jvdpp.exe)  PID 2796
99. \??\c:\nbbttt.exe  (cmd: c:\nbbttt.exe)  PID 3548
100. \??\c:\pdvdp.exe  (cmd: c:\pdvdp.exe)  PID 1776
101. \??\c:\082266.exe  (cmd: c:\082266.exe)  PID 2840
102. \??\c:\0882604.exe  (cmd: c:\0882604.exe)  PID 5096
103. \??\c:\bbnbth.exe  (cmd: c:\bbnbth.exe)  PID 3652
104. \??\c:\jdvjj.exe  (cmd: c:\jdvjj.exe)  PID 628
105. \??\c:\206822.exe  (cmd: c:\206822.exe)  PID 4516
106. \??\c:\840444.exe  (cmd: c:\840444.exe)  PID 4772
107. \??\c:\40086.exe  (cmd: c:\40086.exe)  PID 1284  [System Location Discovery: System Language Discovery]
108. \??\c:\088082.exe  (cmd: c:\088082.exe)  PID 4368
109. \??\c:\dpdvv.exe  (cmd: c:\dpdvv.exe)  PID 4324
110. \??\c:\vjvpd.exe  (cmd: c:\vjvpd.exe)  PID 1988
111. \??\c:\088226.exe  (cmd: c:\088226.exe)  PID 2444
112. \??\c:\rxxrffx.exe  (cmd: c:\rxxrffx.exe)  PID 4212
113. \??\c:\06260.exe  (cmd: c:\06260.exe)  PID 4688
114. \??\c:\4644688.exe  (cmd: c:\4644688.exe)  PID 1556  [System Location Discovery: System Language Discovery]
115. \??\c:\jjpdd.exe  (cmd: c:\jjpdd.exe)  PID 2888
116. \??\c:\4842008.exe  (cmd: c:\4842008.exe)  PID 2728
117. \??\c:\xxlfxxr.exe  (cmd: c:\xxlfxxr.exe)  PID 4268
118. \??\c:\pjjdv.exe  (cmd: c:\pjjdv.exe)  PID 864
119. \??\c:\c242600.exe  (cmd: c:\c242600.exe)  PID 4792
120. \??\c:\dpvvp.exe  (cmd: c:\dpvvp.exe)  PID 2284
121. \??\c:\e46082.exe  (cmd: c:\e46082.exe)  PID 4776
122. \??\c:\1llfxxx.exe  (cmd: c:\1llfxxx.exe)  PID 3140