Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/01/2025, 08:58
Static task
static1
Behavioral task
behavioral1
Sample
55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe
Resource
win7-20241010-en
General
-
Target
55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe
-
Size
454KB
-
MD5
3544bd24433cf4d1011efdb9a30bff00
-
SHA1
a7d91411e8569e1b5de61628ec2964795fffa201
-
SHA256
55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42
-
SHA512
ecb56028daa1571f194aed33fe5d2ef76de81fad07a90ba9512454f83b26c1314412e2b5e3159e45f8f74421eede94a1ce01c3742b5995864e5be1ba524978ef
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3692-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1844-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4196-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-1099-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2688-1359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4932 86264.exe 5008 u680842.exe 4504 i882048.exe 4436 bbntht.exe 4960 806020.exe 4196 9lfrffr.exe 2428 2442080.exe 4692 w84208.exe 1424 866086.exe 1048 q00488.exe 5056 thbnhh.exe 2588 4248486.exe 3820 426822.exe 1964 1ffrrrr.exe 3132 xffxrxf.exe 2996 26082.exe 3376 dppdv.exe 728 m8208.exe 5032 nhbnbt.exe 2128 400820.exe 4064 2848604.exe 3528 3tbnbt.exe 1932 644882.exe 920 rxrflfr.exe 1532 428606.exe 1124 frrfxrf.exe 2056 hbnbhb.exe 220 pdvpj.exe 1468 a0688.exe 1392 xlffrfr.exe 1308 fxfrlff.exe 636 pvpvj.exe 2072 82426.exe 956 3rfrxxf.exe 4820 40048.exe 3200 9nbthh.exe 4396 1lfrllf.exe 2132 1pjjv.exe 1936 2600024.exe 4556 vvjpj.exe 3544 8682206.exe 4584 o004264.exe 4880 80606.exe 1844 460826.exe 4828 086082.exe 3236 00424.exe 3064 g6208.exe 4916 dvppd.exe 1028 26204.exe 1732 0886082.exe 2716 vjdvp.exe 3448 3bhnnt.exe 1052 3rxfffl.exe 2344 5tnbnh.exe 3356 3ffrxrx.exe 3480 62686.exe 3732 dvjdv.exe 4832 jppdp.exe 2912 04644.exe 4724 084620.exe 2592 vdvjv.exe 4844 bhnhtn.exe 4504 00460.exe 3436 httnbt.exe -
resource yara_rule behavioral2/memory/4932-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-222-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3544-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1072-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-710-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8604264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i426228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k86644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3692 wrote to memory of 4932 3692 55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe 83 PID 3692 wrote to memory of 4932 3692 55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe 83 PID 3692 wrote to memory of 4932 3692 55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe 83 PID 4932 wrote to memory of 5008 4932 86264.exe 84 PID 4932 wrote to memory of 5008 4932 86264.exe 84 PID 4932 wrote to memory of 5008 4932 86264.exe 84 PID 5008 wrote to memory of 4504 5008 u680842.exe 85 PID 5008 wrote to memory of 4504 5008 u680842.exe 85 PID 5008 wrote to memory of 4504 5008 u680842.exe 85 PID 4504 wrote to memory of 4436 4504 i882048.exe 86 PID 4504 wrote to memory of 4436 4504 i882048.exe 86 PID 4504 wrote to memory of 4436 4504 i882048.exe 86 PID 4436 wrote to memory of 4960 4436 bbntht.exe 87 PID 4436 wrote to memory of 4960 4436 bbntht.exe 87 PID 4436 wrote to memory of 4960 4436 bbntht.exe 87 PID 4960 wrote to memory of 4196 4960 806020.exe 88 PID 4960 wrote to memory of 4196 4960 806020.exe 88 PID 4960 wrote to memory of 4196 4960 806020.exe 88 PID 4196 wrote to memory of 2428 4196 9lfrffr.exe 89 PID 4196 wrote to memory of 2428 4196 9lfrffr.exe 89 PID 4196 wrote to memory of 2428 4196 9lfrffr.exe 89 PID 2428 wrote to memory of 4692 2428 2442080.exe 90 PID 2428 wrote to memory of 4692 2428 2442080.exe 90 PID 2428 wrote to memory of 4692 2428 2442080.exe 90 PID 4692 wrote to memory of 1424 4692 w84208.exe 91 PID 4692 wrote to memory of 1424 4692 w84208.exe 91 PID 4692 wrote to memory of 1424 4692 w84208.exe 91 PID 1424 wrote to memory of 1048 1424 866086.exe 92 PID 1424 wrote to memory of 1048 1424 866086.exe 92 PID 1424 wrote to memory of 1048 1424 866086.exe 92 PID 1048 wrote to memory of 5056 1048 q00488.exe 93 PID 1048 wrote to memory of 5056 1048 q00488.exe 93 PID 1048 wrote to memory of 5056 1048 q00488.exe 93 PID 5056 wrote to memory of 2588 5056 thbnhh.exe 94 PID 
5056 wrote to memory of 2588 5056 thbnhh.exe 94 PID 5056 wrote to memory of 2588 5056 thbnhh.exe 94 PID 2588 wrote to memory of 3820 2588 4248486.exe 95 PID 2588 wrote to memory of 3820 2588 4248486.exe 95 PID 2588 wrote to memory of 3820 2588 4248486.exe 95 PID 3820 wrote to memory of 1964 3820 426822.exe 96 PID 3820 wrote to memory of 1964 3820 426822.exe 96 PID 3820 wrote to memory of 1964 3820 426822.exe 96 PID 1964 wrote to memory of 3132 1964 1ffrrrr.exe 97 PID 1964 wrote to memory of 3132 1964 1ffrrrr.exe 97 PID 1964 wrote to memory of 3132 1964 1ffrrrr.exe 97 PID 3132 wrote to memory of 2996 3132 xffxrxf.exe 98 PID 3132 wrote to memory of 2996 3132 xffxrxf.exe 98 PID 3132 wrote to memory of 2996 3132 xffxrxf.exe 98 PID 2996 wrote to memory of 3376 2996 26082.exe 99 PID 2996 wrote to memory of 3376 2996 26082.exe 99 PID 2996 wrote to memory of 3376 2996 26082.exe 99 PID 3376 wrote to memory of 728 3376 dppdv.exe 100 PID 3376 wrote to memory of 728 3376 dppdv.exe 100 PID 3376 wrote to memory of 728 3376 dppdv.exe 100 PID 728 wrote to memory of 5032 728 m8208.exe 101 PID 728 wrote to memory of 5032 728 m8208.exe 101 PID 728 wrote to memory of 5032 728 m8208.exe 101 PID 5032 wrote to memory of 2128 5032 nhbnbt.exe 102 PID 5032 wrote to memory of 2128 5032 nhbnbt.exe 102 PID 5032 wrote to memory of 2128 5032 nhbnbt.exe 102 PID 2128 wrote to memory of 4064 2128 400820.exe 103 PID 2128 wrote to memory of 4064 2128 400820.exe 103 PID 2128 wrote to memory of 4064 2128 400820.exe 103 PID 4064 wrote to memory of 3528 4064 2848604.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe"C:\Users\Admin\AppData\Local\Temp\55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\86264.exec:\86264.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\u680842.exec:\u680842.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\i882048.exec:\i882048.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\bbntht.exec:\bbntht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\806020.exec:\806020.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\9lfrffr.exec:\9lfrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\2442080.exec:\2442080.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\w84208.exec:\w84208.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\866086.exec:\866086.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\q00488.exec:\q00488.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\thbnhh.exec:\thbnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\4248486.exec:\4248486.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\426822.exec:\426822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\1ffrrrr.exec:\1ffrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\xffxrxf.exec:\xffxrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\26082.exec:\26082.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\dppdv.exec:\dppdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\m8208.exec:\m8208.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\nhbnbt.exec:\nhbnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\400820.exec:\400820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\2848604.exec:\2848604.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\3tbnbt.exec:\3tbnbt.exe23⤵
- Executes dropped EXE
PID:3528 -
\??\c:\644882.exec:\644882.exe24⤵
- Executes dropped EXE
PID:1932 -
\??\c:\rxrflfr.exec:\rxrflfr.exe25⤵
- Executes dropped EXE
PID:920 -
\??\c:\428606.exec:\428606.exe26⤵
- Executes dropped EXE
PID:1532 -
\??\c:\frrfxrf.exec:\frrfxrf.exe27⤵
- Executes dropped EXE
PID:1124 -
\??\c:\hbnbhb.exec:\hbnbhb.exe28⤵
- Executes dropped EXE
PID:2056 -
\??\c:\pdvpj.exec:\pdvpj.exe29⤵
- Executes dropped EXE
PID:220 -
\??\c:\a0688.exec:\a0688.exe30⤵
- Executes dropped EXE
PID:1468 -
\??\c:\xlffrfr.exec:\xlffrfr.exe31⤵
- Executes dropped EXE
PID:1392 -
\??\c:\fxfrlff.exec:\fxfrlff.exe32⤵
- Executes dropped EXE
PID:1308 -
\??\c:\pvpvj.exec:\pvpvj.exe33⤵
- Executes dropped EXE
PID:636 -
\??\c:\82426.exec:\82426.exe34⤵
- Executes dropped EXE
PID:2072 -
\??\c:\3rfrxxf.exec:\3rfrxxf.exe35⤵
- Executes dropped EXE
PID:956 -
\??\c:\40048.exec:\40048.exe36⤵
- Executes dropped EXE
PID:4820 -
\??\c:\9nbthh.exec:\9nbthh.exe37⤵
- Executes dropped EXE
PID:3200 -
\??\c:\1lfrllf.exec:\1lfrllf.exe38⤵
- Executes dropped EXE
PID:4396 -
\??\c:\1pjjv.exec:\1pjjv.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
\??\c:\2600024.exec:\2600024.exe40⤵
- Executes dropped EXE
PID:1936 -
\??\c:\vvjpj.exec:\vvjpj.exe41⤵
- Executes dropped EXE
PID:4556 -
\??\c:\8682206.exec:\8682206.exe42⤵
- Executes dropped EXE
PID:3544 -
\??\c:\o004264.exec:\o004264.exe43⤵
- Executes dropped EXE
PID:4584 -
\??\c:\80606.exec:\80606.exe44⤵
- Executes dropped EXE
PID:4880 -
\??\c:\460826.exec:\460826.exe45⤵
- Executes dropped EXE
PID:1844 -
\??\c:\086082.exec:\086082.exe46⤵
- Executes dropped EXE
PID:4828 -
\??\c:\00424.exec:\00424.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3236 -
\??\c:\g6208.exec:\g6208.exe48⤵
- Executes dropped EXE
PID:3064 -
\??\c:\dvppd.exec:\dvppd.exe49⤵
- Executes dropped EXE
PID:4916 -
\??\c:\26204.exec:\26204.exe50⤵
- Executes dropped EXE
PID:1028 -
\??\c:\0886082.exec:\0886082.exe51⤵
- Executes dropped EXE
PID:1732 -
\??\c:\vjdvp.exec:\vjdvp.exe52⤵
- Executes dropped EXE
PID:2716 -
\??\c:\3bhnnt.exec:\3bhnnt.exe53⤵
- Executes dropped EXE
PID:3448 -
\??\c:\3rxfffl.exec:\3rxfffl.exe54⤵
- Executes dropped EXE
PID:1052 -
\??\c:\5tnbnh.exec:\5tnbnh.exe55⤵
- Executes dropped EXE
PID:2344 -
\??\c:\3ffrxrx.exec:\3ffrxrx.exe56⤵
- Executes dropped EXE
PID:3356 -
\??\c:\62686.exec:\62686.exe57⤵
- Executes dropped EXE
PID:3480 -
\??\c:\dvjdv.exec:\dvjdv.exe58⤵
- Executes dropped EXE
PID:3732 -
\??\c:\jppdp.exec:\jppdp.exe59⤵
- Executes dropped EXE
PID:4832 -
\??\c:\04644.exec:\04644.exe60⤵
- Executes dropped EXE
PID:2912 -
\??\c:\084620.exec:\084620.exe61⤵
- Executes dropped EXE
PID:4724 -
\??\c:\vdvjv.exec:\vdvjv.exe62⤵
- Executes dropped EXE
PID:2592 -
\??\c:\bhnhtn.exec:\bhnhtn.exe63⤵
- Executes dropped EXE
PID:4844 -
\??\c:\00460.exec:\00460.exe64⤵
- Executes dropped EXE
PID:4504 -
\??\c:\httnbt.exec:\httnbt.exe65⤵
- Executes dropped EXE
PID:3436 -
\??\c:\u442086.exec:\u442086.exe66⤵PID:1460
-
\??\c:\ttbthb.exec:\ttbthb.exe67⤵
- System Location Discovery: System Language Discovery
PID:3364 -
\??\c:\bntnnh.exec:\bntnnh.exe68⤵PID:2332
-
\??\c:\206000.exec:\206000.exe69⤵PID:1696
-
\??\c:\2824246.exec:\2824246.exe70⤵PID:2608
-
\??\c:\7btbhb.exec:\7btbhb.exe71⤵PID:2944
-
\??\c:\llllxrf.exec:\llllxrf.exe72⤵PID:1048
-
\??\c:\864402.exec:\864402.exe73⤵PID:4084
-
\??\c:\w22426.exec:\w22426.exe74⤵PID:2488
-
\??\c:\fxrflfr.exec:\fxrflfr.exe75⤵PID:2232
-
\??\c:\26682.exec:\26682.exe76⤵PID:1964
-
\??\c:\hnnhnh.exec:\hnnhnh.exe77⤵PID:4072
-
\??\c:\048086.exec:\048086.exe78⤵PID:2996
-
\??\c:\dddpj.exec:\dddpj.exe79⤵PID:3700
-
\??\c:\0608626.exec:\0608626.exe80⤵PID:1828
-
\??\c:\xrlxrll.exec:\xrlxrll.exe81⤵PID:1560
-
\??\c:\282648.exec:\282648.exe82⤵PID:440
-
\??\c:\7xrfxrf.exec:\7xrfxrf.exe83⤵PID:4064
-
\??\c:\66684.exec:\66684.exe84⤵PID:3204
-
\??\c:\o448648.exec:\o448648.exe85⤵PID:3320
-
\??\c:\88864.exec:\88864.exe86⤵PID:3616
-
\??\c:\3rlfrrf.exec:\3rlfrrf.exe87⤵PID:1388
-
\??\c:\bntnhb.exec:\bntnhb.exe88⤵PID:1072
-
\??\c:\02002.exec:\02002.exe89⤵PID:1620
-
\??\c:\8648204.exec:\8648204.exe90⤵PID:1392
-
\??\c:\lxfxxrl.exec:\lxfxxrl.exe91⤵PID:636
-
\??\c:\frlfrlf.exec:\frlfrlf.exe92⤵PID:452
-
\??\c:\m4088.exec:\m4088.exe93⤵PID:548
-
\??\c:\22082.exec:\22082.exe94⤵PID:2632
-
\??\c:\0682262.exec:\0682262.exe95⤵PID:2412
-
\??\c:\vpppd.exec:\vpppd.exe96⤵PID:2132
-
\??\c:\8408660.exec:\8408660.exe97⤵PID:1936
-
\??\c:\jjdvj.exec:\jjdvj.exe98⤵PID:3544
-
\??\c:\7ddvv.exec:\7ddvv.exe99⤵PID:2036
-
\??\c:\tbbnbt.exec:\tbbnbt.exe100⤵PID:3684
-
\??\c:\828648.exec:\828648.exe101⤵PID:2812
-
\??\c:\llfxrlx.exec:\llfxrlx.exe102⤵PID:3496
-
\??\c:\222204.exec:\222204.exe103⤵PID:908
-
\??\c:\i226042.exec:\i226042.exe104⤵PID:2208
-
\??\c:\pdpjv.exec:\pdpjv.exe105⤵PID:4140
-
\??\c:\ppvdv.exec:\ppvdv.exe106⤵PID:2260
-
\??\c:\nbbnhb.exec:\nbbnhb.exe107⤵PID:2124
-
\??\c:\e48804.exec:\e48804.exe108⤵PID:2748
-
\??\c:\dvvvd.exec:\dvvvd.exe109⤵PID:4500
-
\??\c:\thnhhb.exec:\thnhhb.exe110⤵PID:2392
-
\??\c:\24464.exec:\24464.exe111⤵PID:3324
-
\??\c:\686868.exec:\686868.exe112⤵PID:4956
-
\??\c:\0620642.exec:\0620642.exe113⤵PID:4428
-
\??\c:\dpjvj.exec:\dpjvj.exe114⤵PID:2912
-
\??\c:\422082.exec:\422082.exe115⤵PID:3300
-
\??\c:\rrlxffr.exec:\rrlxffr.exe116⤵PID:4724
-
\??\c:\204204.exec:\204204.exe117⤵PID:2592
-
\??\c:\8644848.exec:\8644848.exe118⤵PID:1640
-
\??\c:\3pjdp.exec:\3pjdp.exe119⤵PID:3436
-
\??\c:\64864.exec:\64864.exe120⤵PID:3232
-
\??\c:\hbhthb.exec:\hbhthb.exe121⤵PID:960
-
\??\c:\s8200.exec:\s8200.exe122⤵PID:4408