Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26/12/2024, 18:31
Static task
static1
Behavioral task
behavioral1
Sample
705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22N.exe
Resource
win7-20240708-en
General
-
Target
705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22N.exe
-
Size
454KB
-
MD5
12577743f62fe1dc2e6a08fe92ad2360
-
SHA1
940ab737ec3cebeec2d59b4f107c89f13ad7c1ea
-
SHA256
705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22
-
SHA512
abcd8083032490788d2f23045a558b669fee18c8d231165a1b24db5433656ab86d961fd92f0dc2c6c2a6061193c6deda5f1d349f8edfdc30b8c3298218405e95
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (64 IoCs) — YARA matches on in-memory dumps; the same 0x400000–0x42A000 regions also match the UPX rule below, so unpack before attributing on this signature alone
resource yara_rule behavioral2/memory/4028-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2472-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3756-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1588-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4068 u008866.exe 4388 lrlxxrl.exe 4536 24246.exe 2704 dppdp.exe 3428 pjddd.exe 3900 68848.exe 876 484260.exe 4944 08040.exe 1660 lrrrrrr.exe 2140 hbnhnh.exe 4872 m8204.exe 2568 vvvpj.exe 1996 vjvpp.exe 4704 ttnhtn.exe 5084 6484282.exe 4400 2082040.exe 1340 886662.exe 4724 fffrllf.exe 1008 60042.exe 4088 5vpjd.exe 2460 4022048.exe 2992 c020240.exe 388 1btnbb.exe 3564 66264.exe 2472 42264.exe 2340 282680.exe 1164 a8082.exe 2964 4264428.exe 3396 6460666.exe 528 2064040.exe 928 266604.exe 5008 22604.exe 1992 3nhbnn.exe 4972 lrffxrr.exe 4804 g8820.exe 3548 jppdv.exe 4736 000224.exe 3036 1lfxllx.exe 5100 e88204.exe 3680 lxrxrlf.exe 2232 22426.exe 1856 0002642.exe 4592 jdvpv.exe 3060 9hthbn.exe 4556 0664260.exe 4196 nnbtnh.exe 4232 lfrlxxr.exe 4548 o408660.exe 2076 82242.exe 3796 48860.exe 1376 rfffffx.exe 2984 ddvpd.exe 2324 bhnbth.exe 4540 04222.exe 5080 bhnhtn.exe 3808 ttbtbt.exe 4988 xllxlfr.exe 5088 hnhthb.exe 4732 200448.exe 4284 600426.exe 5112 486426.exe 3312 pddvp.exe 728 nnbbnn.exe 3756 thbtbh.exe -
resource yara_rule behavioral2/memory/4028-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/388-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4436-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-959-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Here the IoCs are reads of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key; this is a low-fidelity indicator on its own, since many legitimate programs query the same key.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2284226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o020448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 686620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnh.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8444888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c668260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0228262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o408660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c448604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4028 wrote to memory of 4068 4028 705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22N.exe 85 PID 4028 wrote to memory of 4068 4028 705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22N.exe 85 PID 4028 wrote to memory of 4068 4028 705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22N.exe 85 PID 4068 wrote to memory of 4388 4068 u008866.exe 86 PID 4068 wrote to memory of 4388 4068 u008866.exe 86 PID 4068 wrote to memory of 4388 4068 u008866.exe 86 PID 4388 wrote to memory of 4536 4388 lrlxxrl.exe 87 PID 4388 wrote to memory of 4536 4388 lrlxxrl.exe 87 PID 4388 wrote to memory of 4536 4388 lrlxxrl.exe 87 PID 4536 wrote to memory of 2704 4536 24246.exe 88 PID 4536 wrote to memory of 2704 4536 24246.exe 88 PID 4536 wrote to memory of 2704 4536 24246.exe 88 PID 2704 wrote to memory of 3428 2704 dppdp.exe 89 PID 2704 wrote to memory of 3428 2704 dppdp.exe 89 PID 2704 wrote to memory of 3428 2704 dppdp.exe 89 PID 3428 wrote to memory of 3900 3428 pjddd.exe 90 PID 3428 wrote to memory of 3900 3428 pjddd.exe 90 PID 3428 wrote to memory of 3900 3428 pjddd.exe 90 PID 3900 wrote to memory of 876 3900 68848.exe 91 PID 3900 wrote to memory of 876 3900 68848.exe 91 PID 3900 wrote to memory of 876 3900 68848.exe 91 PID 876 wrote to memory of 4944 876 484260.exe 92 PID 876 wrote to memory of 4944 876 484260.exe 92 PID 876 wrote to memory of 4944 876 484260.exe 92 PID 4944 wrote to memory of 1660 4944 08040.exe 93 PID 4944 wrote to memory of 1660 4944 08040.exe 93 PID 4944 wrote to memory of 1660 4944 08040.exe 93 PID 1660 wrote to memory of 2140 1660 lrrrrrr.exe 94 PID 1660 wrote to memory of 2140 1660 lrrrrrr.exe 94 PID 1660 wrote to memory of 2140 1660 lrrrrrr.exe 94 PID 2140 wrote to memory of 4872 2140 hbnhnh.exe 95 PID 2140 wrote to memory of 4872 2140 hbnhnh.exe 95 PID 2140 wrote to memory of 4872 2140 hbnhnh.exe 95 PID 4872 wrote to memory of 2568 4872 m8204.exe 96 PID 4872 wrote to memory of 2568 
4872 m8204.exe 96 PID 4872 wrote to memory of 2568 4872 m8204.exe 96 PID 2568 wrote to memory of 1996 2568 vvvpj.exe 97 PID 2568 wrote to memory of 1996 2568 vvvpj.exe 97 PID 2568 wrote to memory of 1996 2568 vvvpj.exe 97 PID 1996 wrote to memory of 4704 1996 vjvpp.exe 98 PID 1996 wrote to memory of 4704 1996 vjvpp.exe 98 PID 1996 wrote to memory of 4704 1996 vjvpp.exe 98 PID 4704 wrote to memory of 5084 4704 ttnhtn.exe 99 PID 4704 wrote to memory of 5084 4704 ttnhtn.exe 99 PID 4704 wrote to memory of 5084 4704 ttnhtn.exe 99 PID 5084 wrote to memory of 4400 5084 6484282.exe 100 PID 5084 wrote to memory of 4400 5084 6484282.exe 100 PID 5084 wrote to memory of 4400 5084 6484282.exe 100 PID 4400 wrote to memory of 1340 4400 2082040.exe 101 PID 4400 wrote to memory of 1340 4400 2082040.exe 101 PID 4400 wrote to memory of 1340 4400 2082040.exe 101 PID 1340 wrote to memory of 4724 1340 886662.exe 102 PID 1340 wrote to memory of 4724 1340 886662.exe 102 PID 1340 wrote to memory of 4724 1340 886662.exe 102 PID 4724 wrote to memory of 1008 4724 fffrllf.exe 103 PID 4724 wrote to memory of 1008 4724 fffrllf.exe 103 PID 4724 wrote to memory of 1008 4724 fffrllf.exe 103 PID 1008 wrote to memory of 4088 1008 60042.exe 104 PID 1008 wrote to memory of 4088 1008 60042.exe 104 PID 1008 wrote to memory of 4088 1008 60042.exe 104 PID 4088 wrote to memory of 2460 4088 5vpjd.exe 105 PID 4088 wrote to memory of 2460 4088 5vpjd.exe 105 PID 4088 wrote to memory of 2460 4088 5vpjd.exe 105 PID 2460 wrote to memory of 2992 2460 4022048.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22N.exe"C:\Users\Admin\AppData\Local\Temp\705e40a047aa3c5536cf350b58cc2e61cdac262e997b6b4c6cf64267f1285b22N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\u008866.exec:\u008866.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\lrlxxrl.exec:\lrlxxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\24246.exec:\24246.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\dppdp.exec:\dppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\pjddd.exec:\pjddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\68848.exec:\68848.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\484260.exec:\484260.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\08040.exec:\08040.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\lrrrrrr.exec:\lrrrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\hbnhnh.exec:\hbnhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\m8204.exec:\m8204.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\vvvpj.exec:\vvvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\vjvpp.exec:\vjvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\ttnhtn.exec:\ttnhtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\6484282.exec:\6484282.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\2082040.exec:\2082040.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\886662.exec:\886662.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\fffrllf.exec:\fffrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\60042.exec:\60042.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\5vpjd.exec:\5vpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\4022048.exec:\4022048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\c020240.exec:\c020240.exe23⤵
- Executes dropped EXE
PID:2992 -
\??\c:\1btnbb.exec:\1btnbb.exe24⤵
- Executes dropped EXE
PID:388 -
\??\c:\66264.exec:\66264.exe25⤵
- Executes dropped EXE
PID:3564 -
\??\c:\42264.exec:\42264.exe26⤵
- Executes dropped EXE
PID:2472 -
\??\c:\282680.exec:\282680.exe27⤵
- Executes dropped EXE
PID:2340 -
\??\c:\a8082.exec:\a8082.exe28⤵
- Executes dropped EXE
PID:1164 -
\??\c:\4264428.exec:\4264428.exe29⤵
- Executes dropped EXE
PID:2964 -
\??\c:\6460666.exec:\6460666.exe30⤵
- Executes dropped EXE
PID:3396 -
\??\c:\2064040.exec:\2064040.exe31⤵
- Executes dropped EXE
PID:528 -
\??\c:\266604.exec:\266604.exe32⤵
- Executes dropped EXE
PID:928 -
\??\c:\22604.exec:\22604.exe33⤵
- Executes dropped EXE
PID:5008 -
\??\c:\3nhbnn.exec:\3nhbnn.exe34⤵
- Executes dropped EXE
PID:1992 -
\??\c:\lrffxrr.exec:\lrffxrr.exe35⤵
- Executes dropped EXE
PID:4972 -
\??\c:\g8820.exec:\g8820.exe36⤵
- Executes dropped EXE
PID:4804 -
\??\c:\jppdv.exec:\jppdv.exe37⤵
- Executes dropped EXE
PID:3548 -
\??\c:\000224.exec:\000224.exe38⤵
- Executes dropped EXE
PID:4736 -
\??\c:\1lfxllx.exec:\1lfxllx.exe39⤵
- Executes dropped EXE
PID:3036 -
\??\c:\e88204.exec:\e88204.exe40⤵
- Executes dropped EXE
PID:5100 -
\??\c:\lxrxrlf.exec:\lxrxrlf.exe41⤵
- Executes dropped EXE
PID:3680 -
\??\c:\22426.exec:\22426.exe42⤵
- Executes dropped EXE
PID:2232 -
\??\c:\0002642.exec:\0002642.exe43⤵
- Executes dropped EXE
PID:1856 -
\??\c:\jdvpv.exec:\jdvpv.exe44⤵
- Executes dropped EXE
PID:4592 -
\??\c:\9hthbn.exec:\9hthbn.exe45⤵
- Executes dropped EXE
PID:3060 -
\??\c:\0664260.exec:\0664260.exe46⤵
- Executes dropped EXE
PID:4556 -
\??\c:\nnbtnh.exec:\nnbtnh.exe47⤵
- Executes dropped EXE
PID:4196 -
\??\c:\lfrlxxr.exec:\lfrlxxr.exe48⤵
- Executes dropped EXE
PID:4232 -
\??\c:\o408660.exec:\o408660.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4548 -
\??\c:\82242.exec:\82242.exe50⤵
- Executes dropped EXE
PID:2076 -
\??\c:\48860.exec:\48860.exe51⤵
- Executes dropped EXE
PID:3796 -
\??\c:\rfffffx.exec:\rfffffx.exe52⤵
- Executes dropped EXE
PID:1376 -
\??\c:\ddvpd.exec:\ddvpd.exe53⤵
- Executes dropped EXE
PID:2984 -
\??\c:\bhnbth.exec:\bhnbth.exe54⤵
- Executes dropped EXE
PID:2324 -
\??\c:\04222.exec:\04222.exe55⤵
- Executes dropped EXE
PID:4540 -
\??\c:\bhnhtn.exec:\bhnhtn.exe56⤵
- Executes dropped EXE
PID:5080 -
\??\c:\ttbtbt.exec:\ttbtbt.exe57⤵
- Executes dropped EXE
PID:3808 -
\??\c:\xllxlfr.exec:\xllxlfr.exe58⤵
- Executes dropped EXE
PID:4988 -
\??\c:\hnhthb.exec:\hnhthb.exe59⤵
- Executes dropped EXE
PID:5088 -
\??\c:\200448.exec:\200448.exe60⤵
- Executes dropped EXE
PID:4732 -
\??\c:\600426.exec:\600426.exe61⤵
- Executes dropped EXE
PID:4284 -
\??\c:\486426.exec:\486426.exe62⤵
- Executes dropped EXE
PID:5112 -
\??\c:\pddvp.exec:\pddvp.exe63⤵
- Executes dropped EXE
PID:3312 -
\??\c:\nnbbnn.exec:\nnbbnn.exe64⤵
- Executes dropped EXE
PID:728 -
\??\c:\thbtbh.exec:\thbtbh.exe65⤵
- Executes dropped EXE
PID:3756 -
\??\c:\22206.exec:\22206.exe66⤵PID:2968
-
\??\c:\hhhbtb.exec:\hhhbtb.exe67⤵PID:344
-
\??\c:\080664.exec:\080664.exe68⤵PID:4456
-
\??\c:\680644.exec:\680644.exe69⤵PID:1340
-
\??\c:\q26426.exec:\q26426.exe70⤵PID:404
-
\??\c:\7pjdv.exec:\7pjdv.exe71⤵PID:4712
-
\??\c:\806088.exec:\806088.exe72⤵PID:1008
-
\??\c:\24880.exec:\24880.exe73⤵PID:868
-
\??\c:\xrlxrrf.exec:\xrlxrrf.exe74⤵PID:600
-
\??\c:\7xrfxrr.exec:\7xrfxrr.exe75⤵PID:2752
-
\??\c:\0206448.exec:\0206448.exe76⤵PID:3748
-
\??\c:\tttnnh.exec:\tttnnh.exe77⤵PID:3560
-
\??\c:\nhhbbt.exec:\nhhbbt.exe78⤵PID:3908
-
\??\c:\644860.exec:\644860.exe79⤵PID:3332
-
\??\c:\nnnbnh.exec:\nnnbnh.exe80⤵PID:2524
-
\??\c:\68448.exec:\68448.exe81⤵PID:1132
-
\??\c:\7bbnhb.exec:\7bbnhb.exe82⤵PID:2268
-
\??\c:\426482.exec:\426482.exe83⤵PID:4276
-
\??\c:\fxxrffr.exec:\fxxrffr.exe84⤵PID:4976
-
\??\c:\466082.exec:\466082.exe85⤵PID:4916
-
\??\c:\6004826.exec:\6004826.exe86⤵PID:3396
-
\??\c:\jjvvp.exec:\jjvvp.exe87⤵PID:4924
-
\??\c:\7ppjv.exec:\7ppjv.exe88⤵PID:2432
-
\??\c:\lxxlfxx.exec:\lxxlfxx.exe89⤵PID:4436
-
\??\c:\66062.exec:\66062.exe90⤵PID:2116
-
\??\c:\llrffxf.exec:\llrffxf.exe91⤵PID:4364
-
\??\c:\jvdpd.exec:\jvdpd.exe92⤵PID:4972
-
\??\c:\8060040.exec:\8060040.exe93⤵PID:3304
-
\??\c:\lflffxf.exec:\lflffxf.exe94⤵PID:1080
-
\??\c:\422604.exec:\422604.exe95⤵PID:4780
-
\??\c:\fxrllfx.exec:\fxrllfx.exe96⤵PID:3036
-
\??\c:\400488.exec:\400488.exe97⤵PID:3752
-
\??\c:\q44260.exec:\q44260.exe98⤵PID:3960
-
\??\c:\262204.exec:\262204.exe99⤵PID:4352
-
\??\c:\nhnhhh.exec:\nhnhhh.exe100⤵PID:4812
-
\??\c:\1hnnbb.exec:\1hnnbb.exe101⤵PID:4036
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe102⤵
- System Location Discovery: System Language Discovery
PID:3952 -
\??\c:\tbhbtn.exec:\tbhbtn.exe103⤵PID:3048
-
\??\c:\82862.exec:\82862.exe104⤵PID:2208
-
\??\c:\w80046.exec:\w80046.exe105⤵PID:4752
-
\??\c:\282604.exec:\282604.exe106⤵PID:5072
-
\??\c:\a0046.exec:\a0046.exe107⤵PID:220
-
\??\c:\60080.exec:\60080.exe108⤵PID:3292
-
\??\c:\a4648.exec:\a4648.exe109⤵PID:3900
-
\??\c:\pjpdv.exec:\pjpdv.exe110⤵
- System Location Discovery: System Language Discovery
PID:1376 -
\??\c:\jvvpj.exec:\jvvpj.exe111⤵PID:2172
-
\??\c:\480460.exec:\480460.exe112⤵PID:2324
-
\??\c:\4060822.exec:\4060822.exe113⤵PID:4240
-
\??\c:\g0042.exec:\g0042.exe114⤵PID:5080
-
\??\c:\pvjpv.exec:\pvjpv.exe115⤵PID:3808
-
\??\c:\84642.exec:\84642.exe116⤵PID:1768
-
\??\c:\62208.exec:\62208.exe117⤵PID:2332
-
\??\c:\4026400.exec:\4026400.exe118⤵PID:4640
-
\??\c:\26824.exec:\26824.exe119⤵PID:64
-
\??\c:\9llxxxr.exec:\9llxxxr.exe120⤵PID:2996
-
\??\c:\vpjdp.exec:\vpjdp.exe121⤵PID:732
-
\??\c:\jdjvd.exec:\jdjvd.exe122⤵PID:648