Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 11:33
Static task
static1
Behavioral task
behavioral1
Sample
611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdebN.exe
Resource
win7-20241010-en
General
-
Target
611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdebN.exe
-
Size
454KB
-
MD5
142781dfefbfce562adc6c69705cfe40
-
SHA1
2497072efe163965a01fc7791068a3f80983f1e3
-
SHA256
611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdeb
-
SHA512
437c3f73231032bde19be472a5eef3577689225849d1980254d715fdf55b1a44e5142b2074fb48d16dbe28f1844200a9e7c624e2dcfd63ca499d96782b01d0d3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2876-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4904-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2752-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3460-1157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1644 m0086.exe 2828 002200.exe 4848 m2800.exe 3936 btbttt.exe 2348 42044.exe 4164 ntbtnn.exe 1136 lxlfxxx.exe 1084 806060.exe 1892 044484.exe 2320 26644.exe 5016 llrlrrf.exe 1756 ddjdd.exe 220 hbbbtt.exe 3328 46660.exe 4596 llfxxxx.exe 636 jjdvv.exe 3720 i826482.exe 1440 djvpp.exe 2020 064488.exe 4952 1jjdv.exe 4764 264848.exe 3044 bbbbbh.exe 780 g4600.exe 1192 djvvp.exe 1712 jdvpj.exe 4820 244488.exe 4932 jjjdd.exe 4904 a8460.exe 5088 0448222.exe 2524 64088.exe 4824 4288242.exe 4036 686426.exe 5104 bbbnhn.exe 4640 428886.exe 1096 tntttb.exe 4404 4806268.exe 984 vjpjj.exe 2180 644484.exe 232 vjdpj.exe 3788 4024024.exe 4460 2084260.exe 3616 04220.exe 2072 88264.exe 2384 2620820.exe 4348 0886266.exe 3488 1hhbnn.exe 5080 6064860.exe 4292 xfxlfxr.exe 1848 62000.exe 2876 224482.exe 1628 c488648.exe 4756 22482.exe 3824 dpjvp.exe 4364 20420.exe 1448 frxfrxl.exe 3900 684860.exe 2192 djpvd.exe 4164 rllrffx.exe 324 4600826.exe 3964 662486.exe 1084 ddpvp.exe 3988 004826.exe 208 04666.exe 4488 o886042.exe -
resource yara_rule behavioral2/memory/2876-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-137-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4820-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2716-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-631-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2226660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
8220048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k46824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o800660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6064860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06604.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 1644 2876 611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdebN.exe 83 PID 2876 wrote to memory of 1644 2876 611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdebN.exe 83 PID 2876 wrote to memory of 1644 2876 611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdebN.exe 83 PID 1644 wrote to memory of 2828 1644 m0086.exe 84 PID 1644 wrote to memory of 2828 1644 m0086.exe 84 PID 1644 wrote to memory of 2828 1644 m0086.exe 84 PID 2828 wrote to memory of 4848 2828 002200.exe 85 PID 2828 wrote to memory of 4848 2828 002200.exe 85 PID 2828 wrote to memory of 4848 2828 002200.exe 85 PID 4848 wrote to memory of 3936 4848 m2800.exe 86 PID 4848 wrote to memory of 3936 4848 m2800.exe 86 PID 4848 wrote to memory of 3936 4848 m2800.exe 86 PID 3936 wrote to memory of 2348 3936 btbttt.exe 87 PID 3936 wrote to memory of 2348 3936 btbttt.exe 87 PID 3936 wrote to memory of 2348 3936 btbttt.exe 87 PID 2348 wrote to memory of 4164 2348 42044.exe 88 PID 2348 wrote to memory of 4164 2348 42044.exe 88 PID 2348 wrote to memory of 4164 2348 42044.exe 88 PID 4164 wrote to memory of 1136 4164 ntbtnn.exe 89 PID 4164 wrote to memory of 1136 4164 ntbtnn.exe 89 PID 4164 wrote to memory of 1136 4164 ntbtnn.exe 89 PID 1136 wrote to memory of 1084 1136 lxlfxxx.exe 90 PID 1136 wrote to memory of 1084 1136 lxlfxxx.exe 90 PID 1136 wrote to memory of 1084 1136 lxlfxxx.exe 90 PID 1084 wrote to memory of 1892 1084 806060.exe 91 PID 1084 wrote to memory of 1892 1084 806060.exe 91 PID 1084 wrote to memory of 1892 1084 806060.exe 91 PID 1892 wrote to memory of 2320 1892 044484.exe 92 PID 1892 wrote to memory of 2320 1892 044484.exe 92 PID 1892 wrote to memory of 2320 1892 044484.exe 92 PID 2320 wrote to memory of 5016 2320 26644.exe 93 PID 2320 wrote to memory of 5016 2320 26644.exe 93 PID 2320 wrote to memory of 5016 2320 26644.exe 93 PID 5016 wrote to memory of 1756 5016 llrlrrf.exe 94 PID 5016 wrote to memory 
of 1756 5016 llrlrrf.exe 94 PID 5016 wrote to memory of 1756 5016 llrlrrf.exe 94 PID 1756 wrote to memory of 220 1756 ddjdd.exe 95 PID 1756 wrote to memory of 220 1756 ddjdd.exe 95 PID 1756 wrote to memory of 220 1756 ddjdd.exe 95 PID 220 wrote to memory of 3328 220 hbbbtt.exe 96 PID 220 wrote to memory of 3328 220 hbbbtt.exe 96 PID 220 wrote to memory of 3328 220 hbbbtt.exe 96 PID 3328 wrote to memory of 4596 3328 46660.exe 97 PID 3328 wrote to memory of 4596 3328 46660.exe 97 PID 3328 wrote to memory of 4596 3328 46660.exe 97 PID 4596 wrote to memory of 636 4596 llfxxxx.exe 98 PID 4596 wrote to memory of 636 4596 llfxxxx.exe 98 PID 4596 wrote to memory of 636 4596 llfxxxx.exe 98 PID 636 wrote to memory of 3720 636 jjdvv.exe 99 PID 636 wrote to memory of 3720 636 jjdvv.exe 99 PID 636 wrote to memory of 3720 636 jjdvv.exe 99 PID 3720 wrote to memory of 1440 3720 i826482.exe 100 PID 3720 wrote to memory of 1440 3720 i826482.exe 100 PID 3720 wrote to memory of 1440 3720 i826482.exe 100 PID 1440 wrote to memory of 2020 1440 djvpp.exe 101 PID 1440 wrote to memory of 2020 1440 djvpp.exe 101 PID 1440 wrote to memory of 2020 1440 djvpp.exe 101 PID 2020 wrote to memory of 4952 2020 064488.exe 102 PID 2020 wrote to memory of 4952 2020 064488.exe 102 PID 2020 wrote to memory of 4952 2020 064488.exe 102 PID 4952 wrote to memory of 4764 4952 1jjdv.exe 103 PID 4952 wrote to memory of 4764 4952 1jjdv.exe 103 PID 4952 wrote to memory of 4764 4952 1jjdv.exe 103 PID 4764 wrote to memory of 3044 4764 264848.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdebN.exe"C:\Users\Admin\AppData\Local\Temp\611fdbbf9fe6dcc79b5dd38517d8a4a216ab76bf282d03073fa62333e5f2cdebN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\m0086.exec:\m0086.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\002200.exec:\002200.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\m2800.exec:\m2800.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\btbttt.exec:\btbttt.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\42044.exec:\42044.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\ntbtnn.exec:\ntbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\806060.exec:\806060.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\044484.exec:\044484.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\26644.exec:\26644.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\llrlrrf.exec:\llrlrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\ddjdd.exec:\ddjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\hbbbtt.exec:\hbbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\46660.exec:\46660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\llfxxxx.exec:\llfxxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\jjdvv.exec:\jjdvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\i826482.exec:\i826482.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\djvpp.exec:\djvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\064488.exec:\064488.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\1jjdv.exec:\1jjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\264848.exec:\264848.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\bbbbbh.exec:\bbbbbh.exe23⤵
- Executes dropped EXE
PID:3044 -
\??\c:\g4600.exec:\g4600.exe24⤵
- Executes dropped EXE
PID:780 -
\??\c:\djvvp.exec:\djvvp.exe25⤵
- Executes dropped EXE
PID:1192 -
\??\c:\jdvpj.exec:\jdvpj.exe26⤵
- Executes dropped EXE
PID:1712 -
\??\c:\244488.exec:\244488.exe27⤵
- Executes dropped EXE
PID:4820 -
\??\c:\jjjdd.exec:\jjjdd.exe28⤵
- Executes dropped EXE
PID:4932 -
\??\c:\a8460.exec:\a8460.exe29⤵
- Executes dropped EXE
PID:4904 -
\??\c:\0448222.exec:\0448222.exe30⤵
- Executes dropped EXE
PID:5088 -
\??\c:\64088.exec:\64088.exe31⤵
- Executes dropped EXE
PID:2524 -
\??\c:\4288242.exec:\4288242.exe32⤵
- Executes dropped EXE
PID:4824 -
\??\c:\686426.exec:\686426.exe33⤵
- Executes dropped EXE
PID:4036 -
\??\c:\bbbnhn.exec:\bbbnhn.exe34⤵
- Executes dropped EXE
PID:5104 -
\??\c:\428886.exec:\428886.exe35⤵
- Executes dropped EXE
PID:4640 -
\??\c:\tntttb.exec:\tntttb.exe36⤵
- Executes dropped EXE
PID:1096 -
\??\c:\4806268.exec:\4806268.exe37⤵
- Executes dropped EXE
PID:4404 -
\??\c:\vjpjj.exec:\vjpjj.exe38⤵
- Executes dropped EXE
PID:984 -
\??\c:\644484.exec:\644484.exe39⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vjdpj.exec:\vjdpj.exe40⤵
- Executes dropped EXE
PID:232 -
\??\c:\4024024.exec:\4024024.exe41⤵
- Executes dropped EXE
PID:3788 -
\??\c:\2084260.exec:\2084260.exe42⤵
- Executes dropped EXE
PID:4460 -
\??\c:\04220.exec:\04220.exe43⤵
- Executes dropped EXE
PID:3616 -
\??\c:\88264.exec:\88264.exe44⤵
- Executes dropped EXE
PID:2072 -
\??\c:\2620820.exec:\2620820.exe45⤵
- Executes dropped EXE
PID:2384 -
\??\c:\0886266.exec:\0886266.exe46⤵
- Executes dropped EXE
PID:4348 -
\??\c:\1hhbnn.exec:\1hhbnn.exe47⤵
- Executes dropped EXE
PID:3488 -
\??\c:\6064860.exec:\6064860.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080 -
\??\c:\xfxlfxr.exec:\xfxlfxr.exe49⤵
- Executes dropped EXE
PID:4292 -
\??\c:\62000.exec:\62000.exe50⤵
- Executes dropped EXE
PID:1848 -
\??\c:\224482.exec:\224482.exe51⤵
- Executes dropped EXE
PID:2876 -
\??\c:\c488648.exec:\c488648.exe52⤵
- Executes dropped EXE
PID:1628 -
\??\c:\22482.exec:\22482.exe53⤵
- Executes dropped EXE
PID:4756 -
\??\c:\dpjvp.exec:\dpjvp.exe54⤵
- Executes dropped EXE
PID:3824 -
\??\c:\20420.exec:\20420.exe55⤵
- Executes dropped EXE
PID:4364 -
\??\c:\frxfrxl.exec:\frxfrxl.exe56⤵
- Executes dropped EXE
PID:1448 -
\??\c:\684860.exec:\684860.exe57⤵
- Executes dropped EXE
PID:3900 -
\??\c:\djpvd.exec:\djpvd.exe58⤵
- Executes dropped EXE
PID:2192 -
\??\c:\rllrffx.exec:\rllrffx.exe59⤵
- Executes dropped EXE
PID:4164 -
\??\c:\4600826.exec:\4600826.exe60⤵
- Executes dropped EXE
PID:324 -
\??\c:\662486.exec:\662486.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3964 -
\??\c:\ddpvp.exec:\ddpvp.exe62⤵
- Executes dropped EXE
PID:1084 -
\??\c:\004826.exec:\004826.exe63⤵
- Executes dropped EXE
PID:3988 -
\??\c:\04666.exec:\04666.exe64⤵
- Executes dropped EXE
PID:208 -
\??\c:\o886042.exec:\o886042.exe65⤵
- Executes dropped EXE
PID:4488 -
\??\c:\82624.exec:\82624.exe66⤵PID:2768
-
\??\c:\ntnbtn.exec:\ntnbtn.exe67⤵PID:2752
-
\??\c:\vdvpd.exec:\vdvpd.exe68⤵PID:2244
-
\??\c:\xxxrxxl.exec:\xxxrxxl.exe69⤵PID:220
-
\??\c:\thnntb.exec:\thnntb.exe70⤵PID:3380
-
\??\c:\dpvjj.exec:\dpvjj.exe71⤵PID:2716
-
\??\c:\hnnbtt.exec:\hnnbtt.exe72⤵PID:3728
-
\??\c:\k00082.exec:\k00082.exe73⤵PID:2892
-
\??\c:\btnhth.exec:\btnhth.exe74⤵PID:2208
-
\??\c:\3jpdd.exec:\3jpdd.exe75⤵PID:1940
-
\??\c:\44048.exec:\44048.exe76⤵PID:2272
-
\??\c:\26886.exec:\26886.exe77⤵PID:2020
-
\??\c:\xrrflfl.exec:\xrrflfl.exe78⤵PID:4952
-
\??\c:\vppjd.exec:\vppjd.exe79⤵PID:1332
-
\??\c:\422648.exec:\422648.exe80⤵PID:4764
-
\??\c:\280244.exec:\280244.exe81⤵PID:3128
-
\??\c:\9dvjd.exec:\9dvjd.exe82⤵PID:3120
-
\??\c:\hnhtnh.exec:\hnhtnh.exe83⤵PID:1684
-
\??\c:\w66448.exec:\w66448.exe84⤵PID:2304
-
\??\c:\jjvvp.exec:\jjvvp.exe85⤵PID:2676
-
\??\c:\04662.exec:\04662.exe86⤵PID:1172
-
\??\c:\408682.exec:\408682.exe87⤵PID:4440
-
\??\c:\20266.exec:\20266.exe88⤵PID:2468
-
\??\c:\08208.exec:\08208.exe89⤵PID:744
-
\??\c:\7lllrrr.exec:\7lllrrr.exe90⤵PID:1504
-
\??\c:\pdjdp.exec:\pdjdp.exe91⤵PID:2216
-
\??\c:\06204.exec:\06204.exe92⤵PID:3716
-
\??\c:\htbnnh.exec:\htbnnh.exe93⤵PID:1640
-
\??\c:\5xxlxxl.exec:\5xxlxxl.exe94⤵PID:4656
-
\??\c:\btnbtn.exec:\btnbtn.exe95⤵PID:1404
-
\??\c:\0804408.exec:\0804408.exe96⤵PID:2364
-
\??\c:\pvddp.exec:\pvddp.exe97⤵PID:4520
-
\??\c:\4064482.exec:\4064482.exe98⤵PID:1480
-
\??\c:\4242266.exec:\4242266.exe99⤵PID:4404
-
\??\c:\60082.exec:\60082.exe100⤵PID:4852
-
\??\c:\7hhtnh.exec:\7hhtnh.exe101⤵PID:3816
-
\??\c:\0826448.exec:\0826448.exe102⤵PID:232
-
\??\c:\ntnhbt.exec:\ntnhbt.exe103⤵PID:760
-
\??\c:\hbhbbt.exec:\hbhbbt.exe104⤵PID:1748
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe105⤵PID:32
-
\??\c:\5dvpd.exec:\5dvpd.exe106⤵PID:3100
-
\??\c:\2260422.exec:\2260422.exe107⤵PID:228
-
\??\c:\u408208.exec:\u408208.exe108⤵PID:1620
-
\??\c:\40642.exec:\40642.exe109⤵PID:4368
-
\??\c:\ntthtt.exec:\ntthtt.exe110⤵PID:4300
-
\??\c:\3ttnhb.exec:\3ttnhb.exe111⤵PID:4504
-
\??\c:\4226040.exec:\4226040.exe112⤵PID:536
-
\??\c:\84482.exec:\84482.exe113⤵PID:1296
-
\??\c:\4888204.exec:\4888204.exe114⤵PID:1644
-
\??\c:\42608.exec:\42608.exe115⤵PID:1628
-
\??\c:\htnhbb.exec:\htnhbb.exe116⤵PID:4856
-
\??\c:\rllllll.exec:\rllllll.exe117⤵PID:3640
-
\??\c:\668888.exec:\668888.exe118⤵PID:3652
-
\??\c:\6460082.exec:\6460082.exe119⤵PID:5112
-
\??\c:\84660.exec:\84660.exe120⤵PID:1796
-
\??\c:\668048.exec:\668048.exe121⤵PID:2192
-
\??\c:\rflxrlr.exec:\rflxrlr.exe122⤵PID:2184