Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11/01/2025, 06:50
Static task
static1
Behavioral task
behavioral1
Sample
ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe
Resource
win7-20241010-en
General
-
Target
ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe
-
Size
454KB
-
MD5
537259eef678b74f5196e3621a6e4e3e
-
SHA1
6715cffb0d83c948e90d9d85028869e9c8a908a1
-
SHA256
ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb
-
SHA512
c98dbc71dfa75be4acb7233cdcf0c7555e9fac66d6ce0852493bbcc6d8f8748630f441b9f7b9b83c48f72a270bdc9d58aa07070e387603e98b53693e18645068
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2668-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2856-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4548-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-846-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-1158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-1354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1124-1367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1304 642866.exe 1936 0648884.exe 3060 5frlrff.exe 1408 htbttn.exe 3036 828262.exe 4756 3nbttt.exe 1300 24006.exe 1628 tnbthh.exe 1112 668006.exe 2456 8226686.exe 4116 846000.exe 4988 dpddv.exe 4356 3lrllxx.exe 3352 vpppj.exe 2016 8842660.exe 3964 04004.exe 1488 888888.exe 5108 rxxxxlx.exe 3496 dppjp.exe 5016 840448.exe 2312 20884.exe 4084 64644.exe 1104 802600.exe 3968 hbbtnn.exe 2856 pjpjp.exe 3872 jjjdv.exe 1232 042284.exe 4464 068226.exe 936 5djvp.exe 3188 g2266.exe 3936 rrffllr.exe 1668 2448844.exe 1784 lflflfl.exe 1432 2644448.exe 4640 pjdpp.exe 996 djdpj.exe 1088 46206.exe 4788 hnbtbt.exe 404 htbbhb.exe 4660 tbnhbt.exe 3576 bnnnhh.exe 2056 tntnnn.exe 2112 9nnbnh.exe 2632 dvdvp.exe 1224 ppvpj.exe 4528 nntnhb.exe 4764 822600.exe 1524 2808844.exe 4304 dpvpj.exe 4412 1lrlffl.exe 4800 084826.exe 1892 btbttb.exe 1136 pjvpj.exe 2432 m8048.exe 3492 fxxfxrr.exe 1144 k42800.exe 220 bntbhn.exe 4060 4628080.exe 4712 828026.exe 2880 606044.exe 4796 82888.exe 1628 628446.exe 1900 2626442.exe 2124 w04460.exe -
resource yara_rule behavioral2/memory/2668-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3872-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2620-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-1012-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (via the NLS\Language registry key) in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2808226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4626822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrfff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 1304 2668 ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe 83 PID 2668 wrote to memory of 1304 2668 ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe 83 PID 2668 wrote to memory of 1304 2668 ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe 83 PID 1304 wrote to memory of 1936 1304 642866.exe 84 PID 1304 wrote to memory of 1936 1304 642866.exe 84 PID 1304 wrote to memory of 1936 1304 642866.exe 84 PID 1936 wrote to memory of 3060 1936 0648884.exe 85 PID 1936 wrote to memory of 3060 1936 0648884.exe 85 PID 1936 wrote to memory of 3060 1936 0648884.exe 85 PID 3060 wrote to memory of 1408 3060 5frlrff.exe 86 PID 3060 wrote to memory of 1408 3060 5frlrff.exe 86 PID 3060 wrote to memory of 1408 3060 5frlrff.exe 86 PID 1408 wrote to memory of 3036 1408 htbttn.exe 87 PID 1408 wrote to memory of 3036 1408 htbttn.exe 87 PID 1408 wrote to memory of 3036 1408 htbttn.exe 87 PID 3036 wrote to memory of 4756 3036 828262.exe 88 PID 3036 wrote to memory of 4756 3036 828262.exe 88 PID 3036 wrote to memory of 4756 3036 828262.exe 88 PID 4756 wrote to memory of 1300 4756 3nbttt.exe 89 PID 4756 wrote to memory of 1300 4756 3nbttt.exe 89 PID 4756 wrote to memory of 1300 4756 3nbttt.exe 89 PID 1300 wrote to memory of 1628 1300 24006.exe 90 PID 1300 wrote to memory of 1628 1300 24006.exe 90 PID 1300 wrote to memory of 1628 1300 24006.exe 90 PID 1628 wrote to memory of 1112 1628 tnbthh.exe 91 PID 1628 wrote to memory of 1112 1628 tnbthh.exe 91 PID 1628 wrote to memory of 1112 1628 tnbthh.exe 91 PID 1112 wrote to memory of 2456 1112 668006.exe 92 PID 1112 wrote to memory of 2456 1112 668006.exe 92 PID 1112 wrote to memory of 2456 1112 668006.exe 92 PID 2456 wrote to memory of 4116 2456 8226686.exe 93 PID 2456 wrote to memory of 4116 2456 8226686.exe 93 PID 2456 wrote to memory of 4116 2456 8226686.exe 93 PID 4116 wrote to memory of 4988 4116 846000.exe 94 PID 4116 
wrote to memory of 4988 4116 846000.exe 94 PID 4116 wrote to memory of 4988 4116 846000.exe 94 PID 4988 wrote to memory of 4356 4988 dpddv.exe 95 PID 4988 wrote to memory of 4356 4988 dpddv.exe 95 PID 4988 wrote to memory of 4356 4988 dpddv.exe 95 PID 4356 wrote to memory of 3352 4356 3lrllxx.exe 96 PID 4356 wrote to memory of 3352 4356 3lrllxx.exe 96 PID 4356 wrote to memory of 3352 4356 3lrllxx.exe 96 PID 3352 wrote to memory of 2016 3352 vpppj.exe 97 PID 3352 wrote to memory of 2016 3352 vpppj.exe 97 PID 3352 wrote to memory of 2016 3352 vpppj.exe 97 PID 2016 wrote to memory of 3964 2016 8842660.exe 98 PID 2016 wrote to memory of 3964 2016 8842660.exe 98 PID 2016 wrote to memory of 3964 2016 8842660.exe 98 PID 3964 wrote to memory of 1488 3964 04004.exe 99 PID 3964 wrote to memory of 1488 3964 04004.exe 99 PID 3964 wrote to memory of 1488 3964 04004.exe 99 PID 1488 wrote to memory of 5108 1488 888888.exe 100 PID 1488 wrote to memory of 5108 1488 888888.exe 100 PID 1488 wrote to memory of 5108 1488 888888.exe 100 PID 5108 wrote to memory of 3496 5108 rxxxxlx.exe 101 PID 5108 wrote to memory of 3496 5108 rxxxxlx.exe 101 PID 5108 wrote to memory of 3496 5108 rxxxxlx.exe 101 PID 3496 wrote to memory of 5016 3496 dppjp.exe 102 PID 3496 wrote to memory of 5016 3496 dppjp.exe 102 PID 3496 wrote to memory of 5016 3496 dppjp.exe 102 PID 5016 wrote to memory of 2312 5016 840448.exe 103 PID 5016 wrote to memory of 2312 5016 840448.exe 103 PID 5016 wrote to memory of 2312 5016 840448.exe 103 PID 2312 wrote to memory of 4084 2312 20884.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe"C:\Users\Admin\AppData\Local\Temp\ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\642866.exec:\642866.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\0648884.exec:\0648884.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\5frlrff.exec:\5frlrff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\htbttn.exec:\htbttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\828262.exec:\828262.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\3nbttt.exec:\3nbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\24006.exec:\24006.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\tnbthh.exec:\tnbthh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\668006.exec:\668006.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\8226686.exec:\8226686.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\846000.exec:\846000.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\dpddv.exec:\dpddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\3lrllxx.exec:\3lrllxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\vpppj.exec:\vpppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\8842660.exec:\8842660.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\04004.exec:\04004.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\888888.exec:\888888.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\rxxxxlx.exec:\rxxxxlx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\dppjp.exec:\dppjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\840448.exec:\840448.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\20884.exec:\20884.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\64644.exec:\64644.exe23⤵
- Executes dropped EXE
PID:4084 -
\??\c:\802600.exec:\802600.exe24⤵
- Executes dropped EXE
PID:1104 -
\??\c:\hbbtnn.exec:\hbbtnn.exe25⤵
- Executes dropped EXE
PID:3968 -
\??\c:\pjpjp.exec:\pjpjp.exe26⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jjjdv.exec:\jjjdv.exe27⤵
- Executes dropped EXE
PID:3872 -
\??\c:\042284.exec:\042284.exe28⤵
- Executes dropped EXE
PID:1232 -
\??\c:\068226.exec:\068226.exe29⤵
- Executes dropped EXE
PID:4464 -
\??\c:\5djvp.exec:\5djvp.exe30⤵
- Executes dropped EXE
PID:936 -
\??\c:\g2266.exec:\g2266.exe31⤵
- Executes dropped EXE
PID:3188 -
\??\c:\rrffllr.exec:\rrffllr.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3936 -
\??\c:\2448844.exec:\2448844.exe33⤵
- Executes dropped EXE
PID:1668 -
\??\c:\lflflfl.exec:\lflflfl.exe34⤵
- Executes dropped EXE
PID:1784 -
\??\c:\2644448.exec:\2644448.exe35⤵
- Executes dropped EXE
PID:1432 -
\??\c:\pjdpp.exec:\pjdpp.exe36⤵
- Executes dropped EXE
PID:4640 -
\??\c:\djdpj.exec:\djdpj.exe37⤵
- Executes dropped EXE
PID:996 -
\??\c:\46206.exec:\46206.exe38⤵
- Executes dropped EXE
PID:1088 -
\??\c:\hnbtbt.exec:\hnbtbt.exe39⤵
- Executes dropped EXE
PID:4788 -
\??\c:\htbbhb.exec:\htbbhb.exe40⤵
- Executes dropped EXE
PID:404 -
\??\c:\tbnhbt.exec:\tbnhbt.exe41⤵
- Executes dropped EXE
PID:4660 -
\??\c:\bnnnhh.exec:\bnnnhh.exe42⤵
- Executes dropped EXE
PID:3576 -
\??\c:\tntnnn.exec:\tntnnn.exe43⤵
- Executes dropped EXE
PID:2056 -
\??\c:\9nnbnh.exec:\9nnbnh.exe44⤵
- Executes dropped EXE
PID:2112 -
\??\c:\dvdvp.exec:\dvdvp.exe45⤵
- Executes dropped EXE
PID:2632 -
\??\c:\ppvpj.exec:\ppvpj.exe46⤵
- Executes dropped EXE
PID:1224 -
\??\c:\nntnhb.exec:\nntnhb.exe47⤵
- Executes dropped EXE
PID:4528 -
\??\c:\822600.exec:\822600.exe48⤵
- Executes dropped EXE
PID:4764 -
\??\c:\2808844.exec:\2808844.exe49⤵
- Executes dropped EXE
PID:1524 -
\??\c:\dpvpj.exec:\dpvpj.exe50⤵
- Executes dropped EXE
PID:4304 -
\??\c:\1lrlffl.exec:\1lrlffl.exe51⤵
- Executes dropped EXE
PID:4412 -
\??\c:\084826.exec:\084826.exe52⤵
- Executes dropped EXE
PID:4800 -
\??\c:\btbttb.exec:\btbttb.exe53⤵
- Executes dropped EXE
PID:1892 -
\??\c:\pjvpj.exec:\pjvpj.exe54⤵
- Executes dropped EXE
PID:1136 -
\??\c:\m8048.exec:\m8048.exe55⤵
- Executes dropped EXE
PID:2432 -
\??\c:\fxxfxrr.exec:\fxxfxrr.exe56⤵
- Executes dropped EXE
PID:3492 -
\??\c:\k42800.exec:\k42800.exe57⤵
- Executes dropped EXE
PID:1144 -
\??\c:\bntbhn.exec:\bntbhn.exe58⤵
- Executes dropped EXE
PID:220 -
\??\c:\4628080.exec:\4628080.exe59⤵
- Executes dropped EXE
PID:4060 -
\??\c:\828026.exec:\828026.exe60⤵
- Executes dropped EXE
PID:4712 -
\??\c:\606044.exec:\606044.exe61⤵
- Executes dropped EXE
PID:2880 -
\??\c:\82888.exec:\82888.exe62⤵
- Executes dropped EXE
PID:4796 -
\??\c:\628446.exec:\628446.exe63⤵
- Executes dropped EXE
PID:1628 -
\??\c:\2626442.exec:\2626442.exe64⤵
- Executes dropped EXE
PID:1900 -
\??\c:\w04460.exec:\w04460.exe65⤵
- Executes dropped EXE
PID:2124 -
\??\c:\0848260.exec:\0848260.exe66⤵PID:4548
-
\??\c:\202222.exec:\202222.exe67⤵PID:1484
-
\??\c:\ntbbtb.exec:\ntbbtb.exe68⤵PID:4972
-
\??\c:\o062244.exec:\o062244.exe69⤵PID:32
-
\??\c:\268266.exec:\268266.exe70⤵PID:3112
-
\??\c:\lfffxrr.exec:\lfffxrr.exe71⤵PID:228
-
\??\c:\vpdvp.exec:\vpdvp.exe72⤵PID:2308
-
\??\c:\2244600.exec:\2244600.exe73⤵PID:3780
-
\??\c:\u888226.exec:\u888226.exe74⤵PID:4088
-
\??\c:\dpvpj.exec:\dpvpj.exe75⤵PID:768
-
\??\c:\6604884.exec:\6604884.exe76⤵PID:4628
-
\??\c:\dddvp.exec:\dddvp.exe77⤵PID:5108
-
\??\c:\w42666.exec:\w42666.exe78⤵PID:2084
-
\??\c:\260824.exec:\260824.exe79⤵PID:4500
-
\??\c:\g4444.exec:\g4444.exe80⤵PID:3720
-
\??\c:\600444.exec:\600444.exe81⤵PID:2036
-
\??\c:\pppjj.exec:\pppjj.exe82⤵PID:4732
-
\??\c:\446000.exec:\446000.exe83⤵PID:4048
-
\??\c:\a2080.exec:\a2080.exe84⤵PID:2536
-
\??\c:\nhnhtt.exec:\nhnhtt.exe85⤵PID:4620
-
\??\c:\nhnhbt.exec:\nhnhbt.exe86⤵PID:3504
-
\??\c:\08000.exec:\08000.exe87⤵PID:4428
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe88⤵PID:1004
-
\??\c:\xflfxlf.exec:\xflfxlf.exe89⤵PID:3536
-
\??\c:\tttnhh.exec:\tttnhh.exe90⤵PID:3272
-
\??\c:\vddvj.exec:\vddvj.exe91⤵PID:4396
-
\??\c:\8288000.exec:\8288000.exe92⤵PID:1172
-
\??\c:\6620482.exec:\6620482.exe93⤵PID:3356
-
\??\c:\1hntbb.exec:\1hntbb.exe94⤵PID:1712
-
\??\c:\646004.exec:\646004.exe95⤵PID:664
-
\??\c:\dpppp.exec:\dpppp.exe96⤵PID:2380
-
\??\c:\tnhthb.exec:\tnhthb.exe97⤵PID:1784
-
\??\c:\8840400.exec:\8840400.exe98⤵PID:4292
-
\??\c:\8804848.exec:\8804848.exe99⤵PID:3448
-
\??\c:\7ttnhh.exec:\7ttnhh.exe100⤵PID:1052
-
\??\c:\dvvdv.exec:\dvvdv.exe101⤵PID:4868
-
\??\c:\nnbttn.exec:\nnbttn.exe102⤵PID:2244
-
\??\c:\tnntnn.exec:\tnntnn.exe103⤵PID:2620
-
\??\c:\84088.exec:\84088.exe104⤵PID:3180
-
\??\c:\hbbhbt.exec:\hbbhbt.exe105⤵PID:4660
-
\??\c:\jvjdv.exec:\jvjdv.exe106⤵PID:3576
-
\??\c:\602660.exec:\602660.exe107⤵PID:2056
-
\??\c:\444822.exec:\444822.exe108⤵PID:2112
-
\??\c:\6466262.exec:\6466262.exe109⤵PID:2632
-
\??\c:\rffrlfx.exec:\rffrlfx.exe110⤵PID:1120
-
\??\c:\jvdvp.exec:\jvdvp.exe111⤵PID:4724
-
\??\c:\4880482.exec:\4880482.exe112⤵PID:3912
-
\??\c:\0842048.exec:\0842048.exe113⤵PID:3328
-
\??\c:\4820440.exec:\4820440.exe114⤵PID:4524
-
\??\c:\m0848.exec:\m0848.exe115⤵PID:4560
-
\??\c:\2460044.exec:\2460044.exe116⤵PID:452
-
\??\c:\06288.exec:\06288.exe117⤵PID:1008
-
\??\c:\48422.exec:\48422.exe118⤵PID:4128
-
\??\c:\rrxflrx.exec:\rrxflrx.exe119⤵PID:244
-
\??\c:\8460004.exec:\8460004.exe120⤵PID:64
-
\??\c:\828008.exec:\828008.exe121⤵PID:376
-
\??\c:\004602.exec:\004602.exe122⤵PID:3240
-