Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 08:58
Static task
static1
Behavioral task
behavioral1
Sample
018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43.exe
Resource
win7-20240903-en
General
-
Target
018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43.exe
-
Size
455KB
-
MD5
c32fb4b5c8b7eb2ccfcfdb0b81e7495d
-
SHA1
706fb9bbf421211619d15cd3507eae7d07026923
-
SHA256
018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43
-
SHA512
b0d33c8a8fd653f66954c21a583d7cb152322011f641c90a1019a922ea03882448b65f6c6eb7cdf308c162bc2336da73fb62ef879901bcd72029a60fe4a12eeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4760-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4252-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4880-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-1053-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-1351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-1756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2708 6204066.exe 4940 hnnhtt.exe 1920 dvpdv.exe 2612 bhhnhb.exe 1856 662482.exe 3940 rlrrxxr.exe 1988 jpvjv.exe 1984 vvjvp.exe 1612 m6660.exe 4372 20642.exe 1620 xllxlfr.exe 2424 dppdj.exe 4484 a4004.exe 3612 1ffxrxr.exe 4236 48826.exe 3176 9flxrrl.exe 3628 00660.exe 3960 xllk862.exe 1476 64060.exe 1884 5bthbb.exe 1096 424060.exe 3980 2064220.exe 4252 pvvjv.exe 2976 4286600.exe 4080 bnnhth.exe 3768 64464.exe 1804 006600.exe 2956 1xfrlfx.exe 2440 882664.exe 3868 jvdvp.exe 3468 644222.exe 3604 4204480.exe 3324 frxrxrl.exe 5052 04884.exe 4584 vvjpj.exe 760 s4286.exe 2204 60660.exe 1452 jvvpj.exe 2460 6466048.exe 1616 nbtbbt.exe 452 rrllllf.exe 1660 nthbtn.exe 4316 1dvpj.exe 4708 8248606.exe 2920 644204.exe 1652 vdjpd.exe 4820 8820662.exe 2304 7ntntn.exe 2852 rrxlllf.exe 2876 846488.exe 2684 thbbbt.exe 1676 ffrlffx.exe 3124 e86660.exe 4720 248082.exe 4780 88860.exe 2044 86604.exe 2148 6088206.exe 1700 llllxlx.exe 2320 jvdvp.exe 2120 426064.exe 4248 ppjdv.exe 5068 4848484.exe 4368 djvpp.exe 1328 fffllfx.exe -
resource yara_rule behavioral2/memory/4760-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2440-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2184-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-1053-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6620424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0848826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2408244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0064204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q88266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c220428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8464226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4760 wrote to memory of 2708 4760 018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43.exe 83 PID 4760 wrote to memory of 2708 4760 018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43.exe 83 PID 4760 wrote to memory of 2708 4760 018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43.exe 83 PID 2708 wrote to memory of 4940 2708 6204066.exe 84 PID 2708 wrote to memory of 4940 2708 6204066.exe 84 PID 2708 wrote to memory of 4940 2708 6204066.exe 84 PID 4940 wrote to memory of 1920 4940 hnnhtt.exe 85 PID 4940 wrote to memory of 1920 4940 hnnhtt.exe 85 PID 4940 wrote to memory of 1920 4940 hnnhtt.exe 85 PID 1920 wrote to memory of 2612 1920 dvpdv.exe 86 PID 1920 wrote to memory of 2612 1920 dvpdv.exe 86 PID 1920 wrote to memory of 2612 1920 dvpdv.exe 86 PID 2612 wrote to memory of 1856 2612 bhhnhb.exe 87 PID 2612 wrote to memory of 1856 2612 bhhnhb.exe 87 PID 2612 wrote to memory of 1856 2612 bhhnhb.exe 87 PID 1856 wrote to memory of 3940 1856 662482.exe 88 PID 1856 wrote to memory of 3940 1856 662482.exe 88 PID 1856 wrote to memory of 3940 1856 662482.exe 88 PID 3940 wrote to memory of 1988 3940 rlrrxxr.exe 89 PID 3940 wrote to memory of 1988 3940 rlrrxxr.exe 89 PID 3940 wrote to memory of 1988 3940 rlrrxxr.exe 89 PID 1988 wrote to memory of 1984 1988 jpvjv.exe 90 PID 1988 wrote to memory of 1984 1988 jpvjv.exe 90 PID 1988 wrote to memory of 1984 1988 jpvjv.exe 90 PID 1984 wrote to memory of 1612 1984 vvjvp.exe 91 PID 1984 wrote to memory of 1612 1984 vvjvp.exe 91 PID 1984 wrote to memory of 1612 1984 vvjvp.exe 91 PID 1612 wrote to memory of 4372 1612 m6660.exe 92 PID 1612 wrote to memory of 4372 1612 m6660.exe 92 PID 1612 wrote to memory of 4372 1612 m6660.exe 92 PID 4372 wrote to memory of 1620 4372 20642.exe 93 PID 4372 wrote to memory of 1620 4372 20642.exe 93 PID 4372 wrote to memory of 1620 4372 20642.exe 93 PID 1620 wrote to memory of 2424 1620 xllxlfr.exe 94 PID 1620 wrote to memory of 
2424 1620 xllxlfr.exe 94 PID 1620 wrote to memory of 2424 1620 xllxlfr.exe 94 PID 2424 wrote to memory of 4484 2424 dppdj.exe 95 PID 2424 wrote to memory of 4484 2424 dppdj.exe 95 PID 2424 wrote to memory of 4484 2424 dppdj.exe 95 PID 4484 wrote to memory of 3612 4484 a4004.exe 96 PID 4484 wrote to memory of 3612 4484 a4004.exe 96 PID 4484 wrote to memory of 3612 4484 a4004.exe 96 PID 3612 wrote to memory of 4236 3612 1ffxrxr.exe 97 PID 3612 wrote to memory of 4236 3612 1ffxrxr.exe 97 PID 3612 wrote to memory of 4236 3612 1ffxrxr.exe 97 PID 4236 wrote to memory of 3176 4236 48826.exe 98 PID 4236 wrote to memory of 3176 4236 48826.exe 98 PID 4236 wrote to memory of 3176 4236 48826.exe 98 PID 3176 wrote to memory of 3628 3176 9flxrrl.exe 99 PID 3176 wrote to memory of 3628 3176 9flxrrl.exe 99 PID 3176 wrote to memory of 3628 3176 9flxrrl.exe 99 PID 3628 wrote to memory of 3960 3628 00660.exe 100 PID 3628 wrote to memory of 3960 3628 00660.exe 100 PID 3628 wrote to memory of 3960 3628 00660.exe 100 PID 3960 wrote to memory of 1476 3960 xllk862.exe 101 PID 3960 wrote to memory of 1476 3960 xllk862.exe 101 PID 3960 wrote to memory of 1476 3960 xllk862.exe 101 PID 1476 wrote to memory of 1884 1476 64060.exe 102 PID 1476 wrote to memory of 1884 1476 64060.exe 102 PID 1476 wrote to memory of 1884 1476 64060.exe 102 PID 1884 wrote to memory of 1096 1884 5bthbb.exe 103 PID 1884 wrote to memory of 1096 1884 5bthbb.exe 103 PID 1884 wrote to memory of 1096 1884 5bthbb.exe 103 PID 1096 wrote to memory of 3980 1096 424060.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43.exe"C:\Users\Admin\AppData\Local\Temp\018e5e6b5cef18f26168dd6eac13fcd64028d1c03fe7ceae1aac7c02a521ce43.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\6204066.exec:\6204066.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\hnnhtt.exec:\hnnhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\dvpdv.exec:\dvpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\bhhnhb.exec:\bhhnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\662482.exec:\662482.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\rlrrxxr.exec:\rlrrxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\jpvjv.exec:\jpvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\vvjvp.exec:\vvjvp.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\m6660.exec:\m6660.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\20642.exec:\20642.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\xllxlfr.exec:\xllxlfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\dppdj.exec:\dppdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\a4004.exec:\a4004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\1ffxrxr.exec:\1ffxrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\48826.exec:\48826.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\9flxrrl.exec:\9flxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\00660.exec:\00660.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\xllk862.exec:\xllk862.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\64060.exec:\64060.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\5bthbb.exec:\5bthbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\424060.exec:\424060.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\2064220.exec:\2064220.exe23⤵
- Executes dropped EXE
PID:3980 -
\??\c:\pvvjv.exec:\pvvjv.exe24⤵
- Executes dropped EXE
PID:4252 -
\??\c:\4286600.exec:\4286600.exe25⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bnnhth.exec:\bnnhth.exe26⤵
- Executes dropped EXE
PID:4080 -
\??\c:\64464.exec:\64464.exe27⤵
- Executes dropped EXE
PID:3768 -
\??\c:\006600.exec:\006600.exe28⤵
- Executes dropped EXE
PID:1804 -
\??\c:\1xfrlfx.exec:\1xfrlfx.exe29⤵
- Executes dropped EXE
PID:2956 -
\??\c:\882664.exec:\882664.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440 -
\??\c:\jvdvp.exec:\jvdvp.exe31⤵
- Executes dropped EXE
PID:3868 -
\??\c:\644222.exec:\644222.exe32⤵
- Executes dropped EXE
PID:3468 -
\??\c:\4204480.exec:\4204480.exe33⤵
- Executes dropped EXE
PID:3604 -
\??\c:\frxrxrl.exec:\frxrxrl.exe34⤵
- Executes dropped EXE
PID:3324 -
\??\c:\04884.exec:\04884.exe35⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vvjpj.exec:\vvjpj.exe36⤵
- Executes dropped EXE
PID:4584 -
\??\c:\s4286.exec:\s4286.exe37⤵
- Executes dropped EXE
PID:760 -
\??\c:\60660.exec:\60660.exe38⤵
- Executes dropped EXE
PID:2204 -
\??\c:\jvvpj.exec:\jvvpj.exe39⤵
- Executes dropped EXE
PID:1452 -
\??\c:\6466048.exec:\6466048.exe40⤵
- Executes dropped EXE
PID:2460 -
\??\c:\nbtbbt.exec:\nbtbbt.exe41⤵
- Executes dropped EXE
PID:1616 -
\??\c:\rrllllf.exec:\rrllllf.exe42⤵
- Executes dropped EXE
PID:452 -
\??\c:\nthbtn.exec:\nthbtn.exe43⤵
- Executes dropped EXE
PID:1660 -
\??\c:\1dvpj.exec:\1dvpj.exe44⤵
- Executes dropped EXE
PID:4316 -
\??\c:\8248606.exec:\8248606.exe45⤵
- Executes dropped EXE
PID:4708 -
\??\c:\644204.exec:\644204.exe46⤵
- Executes dropped EXE
PID:2920 -
\??\c:\vdjpd.exec:\vdjpd.exe47⤵
- Executes dropped EXE
PID:1652 -
\??\c:\8820662.exec:\8820662.exe48⤵
- Executes dropped EXE
PID:4820 -
\??\c:\7ntntn.exec:\7ntntn.exe49⤵
- Executes dropped EXE
PID:2304 -
\??\c:\rrxlllf.exec:\rrxlllf.exe50⤵
- Executes dropped EXE
PID:2852 -
\??\c:\846488.exec:\846488.exe51⤵
- Executes dropped EXE
PID:2876 -
\??\c:\thbbbt.exec:\thbbbt.exe52⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ffrlffx.exec:\ffrlffx.exe53⤵
- Executes dropped EXE
PID:1676 -
\??\c:\e86660.exec:\e86660.exe54⤵
- Executes dropped EXE
PID:3124 -
\??\c:\248082.exec:\248082.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4720 -
\??\c:\88860.exec:\88860.exe56⤵
- Executes dropped EXE
PID:4780 -
\??\c:\86604.exec:\86604.exe57⤵
- Executes dropped EXE
PID:2044 -
\??\c:\6088206.exec:\6088206.exe58⤵
- Executes dropped EXE
PID:2148 -
\??\c:\llllxlx.exec:\llllxlx.exe59⤵
- Executes dropped EXE
PID:1700 -
\??\c:\jvdvp.exec:\jvdvp.exe60⤵
- Executes dropped EXE
PID:2320 -
\??\c:\426064.exec:\426064.exe61⤵
- Executes dropped EXE
PID:2120 -
\??\c:\ppjdv.exec:\ppjdv.exe62⤵
- Executes dropped EXE
PID:4248 -
\??\c:\4848484.exec:\4848484.exe63⤵
- Executes dropped EXE
PID:5068 -
\??\c:\djvpp.exec:\djvpp.exe64⤵
- Executes dropped EXE
PID:4368 -
\??\c:\fffllfx.exec:\fffllfx.exe65⤵
- Executes dropped EXE
PID:1328 -
\??\c:\htbhbt.exec:\htbhbt.exe66⤵PID:5096
-
\??\c:\dpdvp.exec:\dpdvp.exe67⤵PID:3104
-
\??\c:\ntbbbt.exec:\ntbbbt.exe68⤵PID:3144
-
\??\c:\u222840.exec:\u222840.exe69⤵PID:5040
-
\??\c:\822428.exec:\822428.exe70⤵PID:1180
-
\??\c:\lxrrlrr.exec:\lxrrlrr.exe71⤵PID:4388
-
\??\c:\lffxllf.exec:\lffxllf.exe72⤵PID:4880
-
\??\c:\ntthtn.exec:\ntthtn.exe73⤵PID:1476
-
\??\c:\k00462.exec:\k00462.exe74⤵PID:1884
-
\??\c:\bhthbt.exec:\bhthbt.exe75⤵PID:4148
-
\??\c:\dvjvd.exec:\dvjvd.exe76⤵PID:2924
-
\??\c:\flrlxrr.exec:\flrlxrr.exe77⤵PID:380
-
\??\c:\bbthbt.exec:\bbthbt.exe78⤵PID:1428
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe79⤵PID:1720
-
\??\c:\1xxrllf.exec:\1xxrllf.exe80⤵PID:3460
-
\??\c:\0466042.exec:\0466042.exe81⤵PID:4916
-
\??\c:\lxrfxrf.exec:\lxrfxrf.exe82⤵PID:3328
-
\??\c:\nnhbth.exec:\nnhbth.exe83⤵PID:3768
-
\??\c:\jjjvv.exec:\jjjvv.exe84⤵PID:2340
-
\??\c:\ntbnbb.exec:\ntbnbb.exe85⤵PID:1992
-
\??\c:\lfrlrll.exec:\lfrlrll.exe86⤵PID:4952
-
\??\c:\644866.exec:\644866.exe87⤵PID:3384
-
\??\c:\28082.exec:\28082.exe88⤵PID:4840
-
\??\c:\8206626.exec:\8206626.exe89⤵PID:396
-
\??\c:\k66662.exec:\k66662.exe90⤵PID:3468
-
\??\c:\s4062.exec:\s4062.exe91⤵PID:2236
-
\??\c:\426468.exec:\426468.exe92⤵PID:2444
-
\??\c:\lrfxxlf.exec:\lrfxxlf.exe93⤵PID:5052
-
\??\c:\bnnhbh.exec:\bnnhbh.exe94⤵PID:2184
-
\??\c:\40602.exec:\40602.exe95⤵PID:3256
-
\??\c:\2844826.exec:\2844826.exe96⤵PID:2608
-
\??\c:\pvppj.exec:\pvppj.exe97⤵
- System Location Discovery: System Language Discovery
PID:4556 -
\??\c:\628226.exec:\628226.exe98⤵PID:2460
-
\??\c:\m0604.exec:\m0604.exe99⤵PID:3652
-
\??\c:\8242682.exec:\8242682.exe100⤵PID:2228
-
\??\c:\djpjd.exec:\djpjd.exe101⤵PID:4420
-
\??\c:\460466.exec:\460466.exe102⤵PID:4608
-
\??\c:\pdjvv.exec:\pdjvv.exe103⤵PID:740
-
\??\c:\428666.exec:\428666.exe104⤵PID:2584
-
\??\c:\vjppj.exec:\vjppj.exe105⤵PID:224
-
\??\c:\tnnbtn.exec:\tnnbtn.exe106⤵PID:4356
-
\??\c:\48046.exec:\48046.exe107⤵PID:4164
-
\??\c:\xxfxrlf.exec:\xxfxrlf.exe108⤵
- System Location Discovery: System Language Discovery
PID:2364 -
\??\c:\26824.exec:\26824.exe109⤵PID:4296
-
\??\c:\260482.exec:\260482.exe110⤵PID:1584
-
\??\c:\684606.exec:\684606.exe111⤵PID:2496
-
\??\c:\dvvpd.exec:\dvvpd.exe112⤵PID:4636
-
\??\c:\c404282.exec:\c404282.exe113⤵PID:1808
-
\??\c:\004482.exec:\004482.exe114⤵PID:2556
-
\??\c:\rllrxff.exec:\rllrxff.exe115⤵PID:2284
-
\??\c:\8886442.exec:\8886442.exe116⤵PID:2680
-
\??\c:\pjjdp.exec:\pjjdp.exe117⤵PID:2352
-
\??\c:\e40488.exec:\e40488.exe118⤵PID:2148
-
\??\c:\88888.exec:\88888.exe119⤵PID:3200
-
\??\c:\ffrfrxx.exec:\ffrfrxx.exe120⤵PID:2652
-
\??\c:\i868866.exec:\i868866.exe121⤵PID:1124
-
\??\c:\hnhhbb.exec:\hnhhbb.exe122⤵PID:3148