Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 18:29
Static task
static1
Behavioral task
behavioral1
Sample
ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221N.exe
Resource
win7-20240903-en
General
-
Target
ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221N.exe
-
Size
454KB
-
MD5
7d4ebd5ae003a4a43d927176ae155a30
-
SHA1
ab3c5d79e3c40de432f6863224b51537e4a49df4
-
SHA256
ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221
-
SHA512
8c137a39072cb1518e48acde3a22b68989d624d96440f0e8e9a76cc12a565ae492a5de1eeca9f52d862160643855d12ac07841ffc36ec51a67955718170b1244
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4460-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4672-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3704-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2344 1rxxxxr.exe 1872 404482.exe 1580 4242086.exe 3492 8886426.exe 1624 bhtbtb.exe 4152 5tnbnb.exe 3704 668604.exe 1828 022648.exe 708 ppdpp.exe 4496 44864.exe 3844 pvpdj.exe 4956 xllxlff.exe 4192 42864.exe 3968 w00804.exe 1916 0060868.exe 4832 xlxlrlx.exe 1620 20600.exe 2968 4842082.exe 3204 7lflxfx.exe 996 3jdjv.exe 652 g6046.exe 4448 rfxlrfr.exe 1904 2220860.exe 3948 04864.exe 4568 nnntbt.exe 216 vvpvj.exe 4172 xfrrfll.exe 2528 1rflxrf.exe 2640 tbthnh.exe 1812 lllxrlx.exe 4588 bbhtnb.exe 3436 60046.exe 3172 5xlrfrf.exe 3696 i608608.exe 3440 44480.exe 4816 bnhthn.exe 4672 vppdp.exe 4428 vddpd.exe 2780 xrxxflx.exe 4652 404204.exe 3940 422682.exe 4084 9xxlfrr.exe 2012 2242082.exe 2660 nhhthb.exe 788 e82604.exe 2868 9xlfrxr.exe 4940 dddpd.exe 2848 1jjpv.exe 1744 8660266.exe 5096 pddpj.exe 4148 vdvvj.exe 4912 dvpdp.exe 4064 2826482.exe 1580 68864.exe 4844 2286446.exe 2288 tbbnbb.exe 3628 86086.exe 1992 066480.exe 4280 64420.exe 1084 026084.exe 2452 60426.exe 1096 bbbbtn.exe 548 64082.exe 636 62646.exe -
resource yara_rule behavioral2/memory/4460-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-196-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3172-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-428-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4036-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0064286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0226448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2048608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4460 wrote to memory of 2344 4460 ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221N.exe 83 PID 4460 wrote to memory of 2344 4460 ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221N.exe 83 PID 4460 wrote to memory of 2344 4460 ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221N.exe 83 PID 2344 wrote to memory of 1872 2344 1rxxxxr.exe 84 PID 2344 wrote to memory of 1872 2344 1rxxxxr.exe 84 PID 2344 wrote to memory of 1872 2344 1rxxxxr.exe 84 PID 1872 wrote to memory of 1580 1872 404482.exe 136 PID 1872 wrote to memory of 1580 1872 404482.exe 136 PID 1872 wrote to memory of 1580 1872 404482.exe 136 PID 1580 wrote to memory of 3492 1580 4242086.exe 86 PID 1580 wrote to memory of 3492 1580 4242086.exe 86 PID 1580 wrote to memory of 3492 1580 4242086.exe 86 PID 3492 wrote to memory of 1624 3492 8886426.exe 87 PID 3492 wrote to memory of 1624 3492 8886426.exe 87 PID 3492 wrote to memory of 1624 3492 8886426.exe 87 PID 1624 wrote to memory of 4152 1624 bhtbtb.exe 88 PID 1624 wrote to memory of 4152 1624 bhtbtb.exe 88 PID 1624 wrote to memory of 4152 1624 bhtbtb.exe 88 PID 4152 wrote to memory of 3704 4152 5tnbnb.exe 89 PID 4152 wrote to memory of 3704 4152 5tnbnb.exe 89 PID 4152 wrote to memory of 3704 4152 5tnbnb.exe 89 PID 3704 wrote to memory of 1828 3704 668604.exe 90 PID 3704 wrote to memory of 1828 3704 668604.exe 90 PID 3704 wrote to memory of 1828 3704 668604.exe 90 PID 1828 wrote to memory of 708 1828 022648.exe 91 PID 1828 wrote to memory of 708 1828 022648.exe 91 PID 1828 wrote to memory of 708 1828 022648.exe 91 PID 708 wrote to memory of 4496 708 ppdpp.exe 92 PID 708 wrote to memory of 4496 708 ppdpp.exe 92 PID 708 wrote to memory of 4496 708 ppdpp.exe 92 PID 4496 wrote to memory of 3844 4496 44864.exe 93 PID 4496 wrote to memory of 3844 4496 44864.exe 93 PID 4496 wrote to memory of 3844 4496 44864.exe 93 PID 3844 wrote to memory of 4956 3844 pvpdj.exe 94 PID 3844 wrote to 
memory of 4956 3844 pvpdj.exe 94 PID 3844 wrote to memory of 4956 3844 pvpdj.exe 94 PID 4956 wrote to memory of 4192 4956 xllxlff.exe 95 PID 4956 wrote to memory of 4192 4956 xllxlff.exe 95 PID 4956 wrote to memory of 4192 4956 xllxlff.exe 95 PID 4192 wrote to memory of 3968 4192 42864.exe 96 PID 4192 wrote to memory of 3968 4192 42864.exe 96 PID 4192 wrote to memory of 3968 4192 42864.exe 96 PID 3968 wrote to memory of 1916 3968 w00804.exe 97 PID 3968 wrote to memory of 1916 3968 w00804.exe 97 PID 3968 wrote to memory of 1916 3968 w00804.exe 97 PID 1916 wrote to memory of 4832 1916 0060868.exe 98 PID 1916 wrote to memory of 4832 1916 0060868.exe 98 PID 1916 wrote to memory of 4832 1916 0060868.exe 98 PID 4832 wrote to memory of 1620 4832 xlxlrlx.exe 99 PID 4832 wrote to memory of 1620 4832 xlxlrlx.exe 99 PID 4832 wrote to memory of 1620 4832 xlxlrlx.exe 99 PID 1620 wrote to memory of 2968 1620 20600.exe 100 PID 1620 wrote to memory of 2968 1620 20600.exe 100 PID 1620 wrote to memory of 2968 1620 20600.exe 100 PID 2968 wrote to memory of 3204 2968 4842082.exe 101 PID 2968 wrote to memory of 3204 2968 4842082.exe 101 PID 2968 wrote to memory of 3204 2968 4842082.exe 101 PID 3204 wrote to memory of 996 3204 7lflxfx.exe 102 PID 3204 wrote to memory of 996 3204 7lflxfx.exe 102 PID 3204 wrote to memory of 996 3204 7lflxfx.exe 102 PID 996 wrote to memory of 652 996 3jdjv.exe 103 PID 996 wrote to memory of 652 996 3jdjv.exe 103 PID 996 wrote to memory of 652 996 3jdjv.exe 103 PID 652 wrote to memory of 4448 652 g6046.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221N.exe"C:\Users\Admin\AppData\Local\Temp\ce34436056850ed4eeffdb715a390b796839ef1899fb914a9fe7220881576221N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\1rxxxxr.exec:\1rxxxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\404482.exec:\404482.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\4242086.exec:\4242086.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\8886426.exec:\8886426.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\bhtbtb.exec:\bhtbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\5tnbnb.exec:\5tnbnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\668604.exec:\668604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\022648.exec:\022648.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\ppdpp.exec:\ppdpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\44864.exec:\44864.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\pvpdj.exec:\pvpdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\xllxlff.exec:\xllxlff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\42864.exec:\42864.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\w00804.exec:\w00804.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\0060868.exec:\0060868.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\xlxlrlx.exec:\xlxlrlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\20600.exec:\20600.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\4842082.exec:\4842082.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\7lflxfx.exec:\7lflxfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\3jdjv.exec:\3jdjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\g6046.exec:\g6046.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\rfxlrfr.exec:\rfxlrfr.exe23⤵
- Executes dropped EXE
PID:4448 -
\??\c:\2220860.exec:\2220860.exe24⤵
- Executes dropped EXE
PID:1904 -
\??\c:\04864.exec:\04864.exe25⤵
- Executes dropped EXE
PID:3948 -
\??\c:\nnntbt.exec:\nnntbt.exe26⤵
- Executes dropped EXE
PID:4568 -
\??\c:\vvpvj.exec:\vvpvj.exe27⤵
- Executes dropped EXE
PID:216 -
\??\c:\xfrrfll.exec:\xfrrfll.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4172 -
\??\c:\1rflxrf.exec:\1rflxrf.exe29⤵
- Executes dropped EXE
PID:2528 -
\??\c:\tbthnh.exec:\tbthnh.exe30⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lllxrlx.exec:\lllxrlx.exe31⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bbhtnb.exec:\bbhtnb.exe32⤵
- Executes dropped EXE
PID:4588 -
\??\c:\60046.exec:\60046.exe33⤵
- Executes dropped EXE
PID:3436 -
\??\c:\5xlrfrf.exec:\5xlrfrf.exe34⤵
- Executes dropped EXE
PID:3172 -
\??\c:\i608608.exec:\i608608.exe35⤵
- Executes dropped EXE
PID:3696 -
\??\c:\44480.exec:\44480.exe36⤵
- Executes dropped EXE
PID:3440 -
\??\c:\bnhthn.exec:\bnhthn.exe37⤵
- Executes dropped EXE
PID:4816 -
\??\c:\vppdp.exec:\vppdp.exe38⤵
- Executes dropped EXE
PID:4672 -
\??\c:\vddpd.exec:\vddpd.exe39⤵
- Executes dropped EXE
PID:4428 -
\??\c:\xrxxflx.exec:\xrxxflx.exe40⤵
- Executes dropped EXE
PID:2780 -
\??\c:\404204.exec:\404204.exe41⤵
- Executes dropped EXE
PID:4652 -
\??\c:\422682.exec:\422682.exe42⤵
- Executes dropped EXE
PID:3940 -
\??\c:\9xxlfrr.exec:\9xxlfrr.exe43⤵
- Executes dropped EXE
PID:4084 -
\??\c:\2242082.exec:\2242082.exe44⤵
- Executes dropped EXE
PID:2012 -
\??\c:\nhhthb.exec:\nhhthb.exe45⤵
- Executes dropped EXE
PID:2660 -
\??\c:\e82604.exec:\e82604.exe46⤵
- Executes dropped EXE
PID:788 -
\??\c:\9xlfrxr.exec:\9xlfrxr.exe47⤵
- Executes dropped EXE
PID:2868 -
\??\c:\dddpd.exec:\dddpd.exe48⤵
- Executes dropped EXE
PID:4940 -
\??\c:\1jjpv.exec:\1jjpv.exe49⤵
- Executes dropped EXE
PID:2848 -
\??\c:\8660266.exec:\8660266.exe50⤵
- Executes dropped EXE
PID:1744 -
\??\c:\pddpj.exec:\pddpj.exe51⤵
- Executes dropped EXE
PID:5096 -
\??\c:\vdvvj.exec:\vdvvj.exe52⤵
- Executes dropped EXE
PID:4148 -
\??\c:\dvpdp.exec:\dvpdp.exe53⤵
- Executes dropped EXE
PID:4912 -
\??\c:\2826482.exec:\2826482.exe54⤵
- Executes dropped EXE
PID:4064 -
\??\c:\68864.exec:\68864.exe55⤵
- Executes dropped EXE
PID:1580 -
\??\c:\2286446.exec:\2286446.exe56⤵
- Executes dropped EXE
PID:4844 -
\??\c:\tbbnbb.exec:\tbbnbb.exe57⤵
- Executes dropped EXE
PID:2288 -
\??\c:\86086.exec:\86086.exe58⤵
- Executes dropped EXE
PID:3628 -
\??\c:\066480.exec:\066480.exe59⤵
- Executes dropped EXE
PID:1992 -
\??\c:\64420.exec:\64420.exe60⤵
- Executes dropped EXE
PID:4280 -
\??\c:\026084.exec:\026084.exe61⤵
- Executes dropped EXE
PID:1084 -
\??\c:\60426.exec:\60426.exe62⤵
- Executes dropped EXE
PID:2452 -
\??\c:\bbbbtn.exec:\bbbbtn.exe63⤵
- Executes dropped EXE
PID:1096 -
\??\c:\64082.exec:\64082.exe64⤵
- Executes dropped EXE
PID:548 -
\??\c:\62646.exec:\62646.exe65⤵
- Executes dropped EXE
PID:636 -
\??\c:\ttnbnh.exec:\ttnbnh.exe66⤵PID:968
-
\??\c:\7llxlff.exec:\7llxlff.exe67⤵PID:3328
-
\??\c:\02000.exec:\02000.exe68⤵PID:3576
-
\??\c:\nnhtht.exec:\nnhtht.exe69⤵PID:4740
-
\??\c:\7nnbhb.exec:\7nnbhb.exe70⤵PID:996
-
\??\c:\9vjjp.exec:\9vjjp.exe71⤵PID:2176
-
\??\c:\004204.exec:\004204.exe72⤵PID:3724
-
\??\c:\m4820.exec:\m4820.exe73⤵PID:3088
-
\??\c:\8642608.exec:\8642608.exe74⤵PID:4904
-
\??\c:\xfffxxr.exec:\xfffxxr.exe75⤵PID:4468
-
\??\c:\rlllxrf.exec:\rlllxrf.exe76⤵PID:1932
-
\??\c:\200848.exec:\200848.exe77⤵PID:4960
-
\??\c:\640826.exec:\640826.exe78⤵PID:2640
-
\??\c:\3jjvd.exec:\3jjvd.exe79⤵PID:3620
-
\??\c:\xrxlfxr.exec:\xrxlfxr.exe80⤵PID:1684
-
\??\c:\xlxllfl.exec:\xlxllfl.exe81⤵PID:4880
-
\??\c:\24042.exec:\24042.exe82⤵PID:3172
-
\??\c:\9tthbt.exec:\9tthbt.exe83⤵PID:4476
-
\??\c:\jpjvd.exec:\jpjvd.exe84⤵PID:396
-
\??\c:\46208.exec:\46208.exe85⤵PID:3012
-
\??\c:\nbthtn.exec:\nbthtn.exe86⤵PID:4796
-
\??\c:\c220820.exec:\c220820.exe87⤵PID:972
-
\??\c:\k44808.exec:\k44808.exe88⤵PID:1416
-
\??\c:\044286.exec:\044286.exe89⤵
- System Location Discovery: System Language Discovery
PID:3500 -
\??\c:\4020246.exec:\4020246.exe90⤵PID:1100
-
\??\c:\q82082.exec:\q82082.exe91⤵PID:5040
-
\??\c:\c804624.exec:\c804624.exe92⤵PID:2012
-
\??\c:\3nnnbh.exec:\3nnnbh.exe93⤵PID:2372
-
\??\c:\q28048.exec:\q28048.exe94⤵PID:2280
-
\??\c:\dpdjp.exec:\dpdjp.exe95⤵PID:1460
-
\??\c:\lflfxrf.exec:\lflfxrf.exe96⤵PID:4048
-
\??\c:\llfxlff.exec:\llfxlff.exe97⤵PID:3032
-
\??\c:\0848608.exec:\0848608.exe98⤵PID:2788
-
\??\c:\xllllfr.exec:\xllllfr.exe99⤵PID:4020
-
\??\c:\64042.exec:\64042.exe100⤵PID:2164
-
\??\c:\7vdpj.exec:\7vdpj.exe101⤵PID:4044
-
\??\c:\266048.exec:\266048.exe102⤵PID:1580
-
\??\c:\46822.exec:\46822.exe103⤵PID:1536
-
\??\c:\0846204.exec:\0846204.exe104⤵PID:3040
-
\??\c:\hbnnbh.exec:\hbnnbh.exe105⤵PID:4356
-
\??\c:\3llxllf.exec:\3llxllf.exe106⤵PID:1232
-
\??\c:\xllfxxx.exec:\xllfxxx.exe107⤵PID:1140
-
\??\c:\646844.exec:\646844.exe108⤵PID:3212
-
\??\c:\m4426.exec:\m4426.exe109⤵PID:4012
-
\??\c:\u622000.exec:\u622000.exe110⤵PID:4036
-
\??\c:\4066004.exec:\4066004.exe111⤵PID:4800
-
\??\c:\s8466.exec:\s8466.exe112⤵PID:4952
-
\??\c:\882082.exec:\882082.exe113⤵PID:968
-
\??\c:\9bbnhb.exec:\9bbnhb.exe114⤵PID:1076
-
\??\c:\vppdp.exec:\vppdp.exe115⤵PID:3704
-
\??\c:\86824.exec:\86824.exe116⤵PID:4664
-
\??\c:\nhhbhb.exec:\nhhbhb.exe117⤵PID:1548
-
\??\c:\i046420.exec:\i046420.exe118⤵PID:1708
-
\??\c:\8626642.exec:\8626642.exe119⤵PID:4616
-
\??\c:\4608604.exec:\4608604.exe120⤵PID:468
-
\??\c:\3lfxlfr.exec:\3lfxlfr.exe121⤵PID:4304
-
\??\c:\nbtnbt.exec:\nbtnbt.exe122⤵PID:4552