Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 10:35
Static task
static1
Behavioral task
behavioral1
Sample
5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe
Resource
win7-20240708-en
General
-
Target
5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe
-
Size
454KB
-
MD5
fb7132c15e90a437c001fa54fab55ba0
-
SHA1
71153c0b3691fd17e16965ff917db41128a09418
-
SHA256
5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68
-
SHA512
26aa3ba02c8f1140cfb30c52b2a76ef68a936d603e615c83c58ca7bcc7f91f23ff2ed292899c34ecf9b2beb7c512885ff08e137548c8058e7201180fe05bbd60
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1764-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1940-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4312-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-1614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2672 llfrrlf.exe 4740 68864.exe 1848 4022048.exe 3464 42220.exe 2408 6244622.exe 3284 nhnhnn.exe 2076 pjdvp.exe 4532 9dpvj.exe 4012 84426.exe 2904 240640.exe 3308 k06826.exe 1612 dpdvv.exe 3592 vddpj.exe 2164 btbttb.exe 2368 e40088.exe 2520 ppddp.exe 3648 8066044.exe 2964 66266.exe 1780 pdddv.exe 100 4282262.exe 4148 pppjv.exe 2820 80882.exe 3020 htbtnh.exe 1992 ddjdd.exe 1252 pjpjd.exe 1244 42886.exe 4352 002622.exe 3012 82882.exe 1352 fffxrlf.exe 3548 rffxrll.exe 3588 xrrrrrx.exe 560 606604.exe 1428 hnbtnn.exe 4944 2666444.exe 1940 thhbtn.exe 3928 xlfxlfl.exe 5076 02882.exe 1852 60604.exe 4788 84004.exe 64 8862086.exe 1916 680488.exe 1820 rllrxff.exe 2380 rxlffxx.exe 2204 pdjjd.exe 2268 240600.exe 1692 48020.exe 4080 hnnhbn.exe 2580 02244.exe 2804 djjdv.exe 4772 646882.exe 4924 w86048.exe 5072 fxfxllf.exe 4796 vjdvp.exe 3008 pjpjd.exe 2664 fxfxxlf.exe 4748 8284828.exe 532 4626048.exe 3968 hbnnht.exe 4896 66260.exe 548 xlrlrrl.exe 3904 pddvp.exe 4476 640660.exe 492 o222666.exe 1840 vvppp.exe -
resource yara_rule behavioral2/memory/1764-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3012-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4676-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-987-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-1370-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i622600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8288822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2666444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o222666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e46666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046062.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1764 wrote to memory of 2672 1764 5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe 83 PID 1764 wrote to memory of 2672 1764 5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe 83 PID 1764 wrote to memory of 2672 1764 5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe 83 PID 2672 wrote to memory of 4740 2672 llfrrlf.exe 84 PID 2672 wrote to memory of 4740 2672 llfrrlf.exe 84 PID 2672 wrote to memory of 4740 2672 llfrrlf.exe 84 PID 4740 wrote to memory of 1848 4740 68864.exe 85 PID 4740 wrote to memory of 1848 4740 68864.exe 85 PID 4740 wrote to memory of 1848 4740 68864.exe 85 PID 1848 wrote to memory of 3464 1848 4022048.exe 86 PID 1848 wrote to memory of 3464 1848 4022048.exe 86 PID 1848 wrote to memory of 3464 1848 4022048.exe 86 PID 3464 wrote to memory of 2408 3464 42220.exe 87 PID 3464 wrote to memory of 2408 3464 42220.exe 87 PID 3464 wrote to memory of 2408 3464 42220.exe 87 PID 2408 wrote to memory of 3284 2408 6244622.exe 88 PID 2408 wrote to memory of 3284 2408 6244622.exe 88 PID 2408 wrote to memory of 3284 2408 6244622.exe 88 PID 3284 wrote to memory of 2076 3284 nhnhnn.exe 89 PID 3284 wrote to memory of 2076 3284 nhnhnn.exe 89 PID 3284 wrote to memory of 2076 3284 nhnhnn.exe 89 PID 2076 wrote to memory of 4532 2076 pjdvp.exe 90 PID 2076 wrote to memory of 4532 2076 pjdvp.exe 90 PID 2076 wrote to memory of 4532 2076 pjdvp.exe 90 PID 4532 wrote to memory of 4012 4532 9dpvj.exe 91 PID 4532 wrote to memory of 4012 4532 9dpvj.exe 91 PID 4532 wrote to memory of 4012 4532 9dpvj.exe 91 PID 4012 wrote to memory of 2904 4012 84426.exe 92 PID 4012 wrote to memory of 2904 4012 84426.exe 92 PID 4012 wrote to memory of 2904 4012 84426.exe 92 PID 2904 wrote to memory of 3308 2904 240640.exe 93 PID 2904 wrote to memory of 3308 2904 240640.exe 93 PID 2904 wrote to memory of 3308 2904 240640.exe 93 PID 3308 wrote to memory of 1612 3308 k06826.exe 94 PID 3308 wrote to 
memory of 1612 3308 k06826.exe 94 PID 3308 wrote to memory of 1612 3308 k06826.exe 94 PID 1612 wrote to memory of 3592 1612 dpdvv.exe 95 PID 1612 wrote to memory of 3592 1612 dpdvv.exe 95 PID 1612 wrote to memory of 3592 1612 dpdvv.exe 95 PID 3592 wrote to memory of 2164 3592 vddpj.exe 96 PID 3592 wrote to memory of 2164 3592 vddpj.exe 96 PID 3592 wrote to memory of 2164 3592 vddpj.exe 96 PID 2164 wrote to memory of 2368 2164 btbttb.exe 97 PID 2164 wrote to memory of 2368 2164 btbttb.exe 97 PID 2164 wrote to memory of 2368 2164 btbttb.exe 97 PID 2368 wrote to memory of 2520 2368 e40088.exe 98 PID 2368 wrote to memory of 2520 2368 e40088.exe 98 PID 2368 wrote to memory of 2520 2368 e40088.exe 98 PID 2520 wrote to memory of 3648 2520 ppddp.exe 99 PID 2520 wrote to memory of 3648 2520 ppddp.exe 99 PID 2520 wrote to memory of 3648 2520 ppddp.exe 99 PID 3648 wrote to memory of 2964 3648 8066044.exe 100 PID 3648 wrote to memory of 2964 3648 8066044.exe 100 PID 3648 wrote to memory of 2964 3648 8066044.exe 100 PID 2964 wrote to memory of 1780 2964 66266.exe 101 PID 2964 wrote to memory of 1780 2964 66266.exe 101 PID 2964 wrote to memory of 1780 2964 66266.exe 101 PID 1780 wrote to memory of 100 1780 pdddv.exe 102 PID 1780 wrote to memory of 100 1780 pdddv.exe 102 PID 1780 wrote to memory of 100 1780 pdddv.exe 102 PID 100 wrote to memory of 4148 100 4282262.exe 103 PID 100 wrote to memory of 4148 100 4282262.exe 103 PID 100 wrote to memory of 4148 100 4282262.exe 103 PID 4148 wrote to memory of 2820 4148 pppjv.exe 158
Processes
-
C:\Users\Admin\AppData\Local\Temp\5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe"C:\Users\Admin\AppData\Local\Temp\5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\llfrrlf.exec:\llfrrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\68864.exec:\68864.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\4022048.exec:\4022048.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\42220.exec:\42220.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\6244622.exec:\6244622.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\nhnhnn.exec:\nhnhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\pjdvp.exec:\pjdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\9dpvj.exec:\9dpvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\84426.exec:\84426.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\240640.exec:\240640.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\k06826.exec:\k06826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\dpdvv.exec:\dpdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\vddpj.exec:\vddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\btbttb.exec:\btbttb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\e40088.exec:\e40088.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\ppddp.exec:\ppddp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\8066044.exec:\8066044.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\66266.exec:\66266.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\pdddv.exec:\pdddv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\4282262.exec:\4282262.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\pppjv.exec:\pppjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\80882.exec:\80882.exe23⤵
- Executes dropped EXE
PID:2820 -
\??\c:\htbtnh.exec:\htbtnh.exe24⤵
- Executes dropped EXE
PID:3020 -
\??\c:\ddjdd.exec:\ddjdd.exe25⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pjpjd.exec:\pjpjd.exe26⤵
- Executes dropped EXE
PID:1252 -
\??\c:\42886.exec:\42886.exe27⤵
- Executes dropped EXE
PID:1244 -
\??\c:\002622.exec:\002622.exe28⤵
- Executes dropped EXE
PID:4352 -
\??\c:\82882.exec:\82882.exe29⤵
- Executes dropped EXE
PID:3012 -
\??\c:\fffxrlf.exec:\fffxrlf.exe30⤵
- Executes dropped EXE
PID:1352 -
\??\c:\rffxrll.exec:\rffxrll.exe31⤵
- Executes dropped EXE
PID:3548 -
\??\c:\xrrrrrx.exec:\xrrrrrx.exe32⤵
- Executes dropped EXE
PID:3588 -
\??\c:\606604.exec:\606604.exe33⤵
- Executes dropped EXE
PID:560 -
\??\c:\hnbtnn.exec:\hnbtnn.exe34⤵
- Executes dropped EXE
PID:1428 -
\??\c:\2666444.exec:\2666444.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\thhbtn.exec:\thhbtn.exe36⤵
- Executes dropped EXE
PID:1940 -
\??\c:\xlfxlfl.exec:\xlfxlfl.exe37⤵
- Executes dropped EXE
PID:3928 -
\??\c:\02882.exec:\02882.exe38⤵
- Executes dropped EXE
PID:5076 -
\??\c:\60604.exec:\60604.exe39⤵
- Executes dropped EXE
PID:1852 -
\??\c:\84004.exec:\84004.exe40⤵
- Executes dropped EXE
PID:4788 -
\??\c:\8862086.exec:\8862086.exe41⤵
- Executes dropped EXE
PID:64 -
\??\c:\680488.exec:\680488.exe42⤵
- Executes dropped EXE
PID:1916 -
\??\c:\rllrxff.exec:\rllrxff.exe43⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rxlffxx.exec:\rxlffxx.exe44⤵
- Executes dropped EXE
PID:2380 -
\??\c:\pdjjd.exec:\pdjjd.exe45⤵
- Executes dropped EXE
PID:2204 -
\??\c:\240600.exec:\240600.exe46⤵
- Executes dropped EXE
PID:2268 -
\??\c:\48020.exec:\48020.exe47⤵
- Executes dropped EXE
PID:1692 -
\??\c:\hnnhbn.exec:\hnnhbn.exe48⤵
- Executes dropped EXE
PID:4080 -
\??\c:\02244.exec:\02244.exe49⤵
- Executes dropped EXE
PID:2580 -
\??\c:\djjdv.exec:\djjdv.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804 -
\??\c:\646882.exec:\646882.exe51⤵
- Executes dropped EXE
PID:4772 -
\??\c:\w86048.exec:\w86048.exe52⤵
- Executes dropped EXE
PID:4924 -
\??\c:\fxfxllf.exec:\fxfxllf.exe53⤵
- Executes dropped EXE
PID:5072 -
\??\c:\vjdvp.exec:\vjdvp.exe54⤵
- Executes dropped EXE
PID:4796 -
\??\c:\pjpjd.exec:\pjpjd.exe55⤵
- Executes dropped EXE
PID:3008 -
\??\c:\fxfxxlf.exec:\fxfxxlf.exe56⤵
- Executes dropped EXE
PID:2664 -
\??\c:\8284828.exec:\8284828.exe57⤵
- Executes dropped EXE
PID:4748 -
\??\c:\4626048.exec:\4626048.exe58⤵
- Executes dropped EXE
PID:532 -
\??\c:\hbnnht.exec:\hbnnht.exe59⤵
- Executes dropped EXE
PID:3968 -
\??\c:\66260.exec:\66260.exe60⤵
- Executes dropped EXE
PID:4896 -
\??\c:\xlrlrrl.exec:\xlrlrrl.exe61⤵
- Executes dropped EXE
PID:548 -
\??\c:\pddvp.exec:\pddvp.exe62⤵
- Executes dropped EXE
PID:3904 -
\??\c:\640660.exec:\640660.exe63⤵
- Executes dropped EXE
PID:4476 -
\??\c:\o222666.exec:\o222666.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:492 -
\??\c:\vvppp.exec:\vvppp.exe65⤵
- Executes dropped EXE
PID:1840 -
\??\c:\llxrxfx.exec:\llxrxfx.exe66⤵PID:4012
-
\??\c:\tnnhnn.exec:\tnnhnn.exe67⤵PID:4388
-
\??\c:\hhtnhh.exec:\hhtnhh.exe68⤵PID:3244
-
\??\c:\2804826.exec:\2804826.exe69⤵PID:2152
-
\??\c:\486060.exec:\486060.exe70⤵PID:2956
-
\??\c:\2604826.exec:\2604826.exe71⤵PID:2612
-
\??\c:\jddpj.exec:\jddpj.exe72⤵PID:4500
-
\??\c:\q28600.exec:\q28600.exe73⤵PID:3500
-
\??\c:\26048.exec:\26048.exe74⤵PID:4928
-
\??\c:\o880066.exec:\o880066.exe75⤵PID:4312
-
\??\c:\0428664.exec:\0428664.exe76⤵PID:2052
-
\??\c:\048226.exec:\048226.exe77⤵PID:2820
-
\??\c:\rlfffxx.exec:\rlfffxx.exe78⤵PID:404
-
\??\c:\ppppj.exec:\ppppj.exe79⤵PID:1992
-
\??\c:\lfxlrfr.exec:\lfxlrfr.exe80⤵PID:4440
-
\??\c:\dddjp.exec:\dddjp.exe81⤵PID:2532
-
\??\c:\4648222.exec:\4648222.exe82⤵PID:3444
-
\??\c:\202660.exec:\202660.exe83⤵PID:4952
-
\??\c:\88060.exec:\88060.exe84⤵PID:3392
-
\??\c:\i244444.exec:\i244444.exe85⤵PID:2508
-
\??\c:\ffflfrr.exec:\ffflfrr.exe86⤵PID:1556
-
\??\c:\606044.exec:\606044.exe87⤵PID:4224
-
\??\c:\42260.exec:\42260.exe88⤵PID:1272
-
\??\c:\624866.exec:\624866.exe89⤵PID:2848
-
\??\c:\2268442.exec:\2268442.exe90⤵PID:2712
-
\??\c:\flxrlff.exec:\flxrlff.exe91⤵PID:2940
-
\??\c:\0448888.exec:\0448888.exe92⤵PID:5076
-
\??\c:\020664.exec:\020664.exe93⤵PID:2748
-
\??\c:\26282.exec:\26282.exe94⤵PID:4676
-
\??\c:\bhnbtt.exec:\bhnbtt.exe95⤵PID:1620
-
\??\c:\hthbbh.exec:\hthbbh.exe96⤵PID:3564
-
\??\c:\m8486.exec:\m8486.exe97⤵PID:2380
-
\??\c:\rflfxxf.exec:\rflfxxf.exe98⤵PID:1592
-
\??\c:\pjjjd.exec:\pjjjd.exe99⤵PID:1988
-
\??\c:\ddjvj.exec:\ddjvj.exe100⤵PID:5000
-
\??\c:\0660448.exec:\0660448.exe101⤵PID:3892
-
\??\c:\6808826.exec:\6808826.exe102⤵PID:4336
-
\??\c:\606048.exec:\606048.exe103⤵PID:652
-
\??\c:\hhbttt.exec:\hhbttt.exe104⤵PID:2804
-
\??\c:\0288226.exec:\0288226.exe105⤵PID:1512
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe106⤵PID:1340
-
\??\c:\26660.exec:\26660.exe107⤵PID:4408
-
\??\c:\5frfffx.exec:\5frfffx.exe108⤵PID:1540
-
\??\c:\26884.exec:\26884.exe109⤵PID:2704
-
\??\c:\hthbtt.exec:\hthbtt.exe110⤵PID:3604
-
\??\c:\u662660.exec:\u662660.exe111⤵PID:1196
-
\??\c:\42462.exec:\42462.exe112⤵PID:4748
-
\??\c:\0480448.exec:\0480448.exe113⤵PID:2328
-
\??\c:\rlffxxf.exec:\rlffxxf.exe114⤵PID:764
-
\??\c:\u808226.exec:\u808226.exe115⤵PID:4108
-
\??\c:\3vvdv.exec:\3vvdv.exe116⤵PID:2896
-
\??\c:\04608.exec:\04608.exe117⤵PID:2608
-
\??\c:\vdvpp.exec:\vdvpp.exe118⤵PID:3088
-
\??\c:\426888.exec:\426888.exe119⤵PID:1080
-
\??\c:\nhthht.exec:\nhthht.exe120⤵PID:2408
-
\??\c:\nnnhth.exec:\nnnhth.exe121⤵PID:3284
-
\??\c:\nbtnhb.exec:\nbtnhb.exe122⤵PID:3860