Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2024, 00:52
Static task: static1
Behavioral task: behavioral1
Sample: 9ee289939d251496071047870dccbc3a3f69ecd75729920db65335d7d7179eed.exe
Resource: win7-20241010-en
General
- Target: 9ee289939d251496071047870dccbc3a3f69ecd75729920db65335d7d7179eed.exe
- Size: 456KB
- MD5: d17cb72a06af14a37de251fd11a040b7
- SHA1: b51c640a3e55dbe1d3a7443a10c3c2be60fb6eb1
- SHA256: 9ee289939d251496071047870dccbc3a3f69ecd75729920db65335d7d7179eed
- SHA512: 6eed4447a383766e6f682dbadbca8aaf8ae76362e199b5361246de0234767d66ba398f2ad78c9391c77e9c4b89ca225e56f46c4c4a6b275ff2e23e2b7c6df8d5
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (61 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
One process per line, numbered by its depth in the tree; each process is launched by the one above it, and its command line is the executable path shown. Matched signatures follow the PID.
1. C:\Users\Admin\AppData\Local\Temp\9ee289939d251496071047870dccbc3a3f69ecd75729920db65335d7d7179eed.exe (PID 3000): Suspicious use of WriteProcessMemory
2. \??\c:\68888.exe (PID 2872): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\24222.exe (PID 3652): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\vpvjj.exe (PID 4592): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\666442.exe (PID 3260): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\xlllfxl.exe (PID 1844): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\vdjjj.exe (PID 3728): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\ttnbbh.exe (PID 2012): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\dpjdp.exe (PID 2428): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\vjvdd.exe (PID 2172): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\4464200.exe (PID 4092): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\42860.exe (PID 1492): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\a6282.exe (PID 3240): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\jpjvj.exe (PID 1968): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\fxxxxxx.exe (PID 4360): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\vpvvv.exe (PID 2760): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\rrflflf.exe (PID 228): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\i082260.exe (PID 4708): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\26000.exe (PID 4940): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\4264404.exe (PID 4632): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\4226044.exe (PID 3768): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\6066420.exe (PID 4840): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\4488888.exe (PID 2344): Executes dropped EXE
24. \??\c:\ddppp.exe (PID 2128): Executes dropped EXE
25. \??\c:\rflrrlr.exe (PID 4148): Executes dropped EXE
26. \??\c:\ntbhhh.exe (PID 4588): Executes dropped EXE
27. \??\c:\s8600.exe (PID 2800): Executes dropped EXE
28. \??\c:\0088844.exe (PID 4660): Executes dropped EXE
29. \??\c:\bhnntt.exe (PID 3484): Executes dropped EXE
30. \??\c:\2486806.exe (PID 916): Executes dropped EXE
31. \??\c:\04604.exe (PID 3152): Executes dropped EXE; System Location Discovery: System Language Discovery
32. \??\c:\a8048.exe (PID 748): Executes dropped EXE
33. \??\c:\httnnn.exe (PID 2456): Executes dropped EXE
34. \??\c:\5pvpp.exe (PID 1652): Executes dropped EXE
35. \??\c:\tnnnhn.exe (PID 452): Executes dropped EXE
36. \??\c:\hbhbbn.exe (PID 3856): Executes dropped EXE
37. \??\c:\httnth.exe (PID 1000): Executes dropped EXE
38. \??\c:\5thbhh.exe (PID 2484): Executes dropped EXE
39. \??\c:\bbhnnt.exe (PID 3424): Executes dropped EXE
40. \??\c:\jjppd.exe (PID 664): Executes dropped EXE
41. \??\c:\442622.exe (PID 2568): Executes dropped EXE
42. \??\c:\xlxxxff.exe (PID 3676): Executes dropped EXE
43. \??\c:\3vddd.exe (PID 1600): Executes dropped EXE
44. \??\c:\84686.exe (PID 336): Executes dropped EXE
45. \??\c:\8282660.exe (PID 4416): Executes dropped EXE
46. \??\c:\60888.exe (PID 3032): Executes dropped EXE
47. \??\c:\268246.exe (PID 4488): Executes dropped EXE
48. \??\c:\vjpjj.exe (PID 2424): Executes dropped EXE
49. \??\c:\vpdvp.exe (PID 2268): Executes dropped EXE
50. \??\c:\i862002.exe (PID 4744): Executes dropped EXE
51. \??\c:\pddjd.exe (PID 4948): Executes dropped EXE
52. \??\c:\pdddj.exe (PID 1332): Executes dropped EXE
53. \??\c:\604288.exe (PID 4468): Executes dropped EXE
54. \??\c:\dpvvv.exe (PID 2084): Executes dropped EXE
55. \??\c:\3frxllr.exe (PID 808): Executes dropped EXE
56. \??\c:\200202.exe (PID 4704): Executes dropped EXE
57. \??\c:\lrfrlrr.exe (PID 3940): Executes dropped EXE
58. \??\c:\nthhbh.exe (PID 4880): Executes dropped EXE
59. \??\c:\688882.exe (PID 4248): Executes dropped EXE
60. \??\c:\rfflfff.exe (PID 2136): Executes dropped EXE
61. \??\c:\2606064.exe (PID 4196): Executes dropped EXE
62. \??\c:\002006.exe (PID 212): Executes dropped EXE
63. \??\c:\nbhhhh.exe (PID 956): Executes dropped EXE
64. \??\c:\6404826.exe (PID 1392): Executes dropped EXE
65. \??\c:\6848222.exe (PID 1228): Executes dropped EXE
66. \??\c:\1fffxxr.exe (PID 5116)
67. \??\c:\bnhbbb.exe (PID 8)
68. \??\c:\820666.exe (PID 5072)
69. \??\c:\m6424.exe (PID 2024)
70. \??\c:\9ddvj.exe (PID 624)
71. \??\c:\9xxlffx.exe (PID 2620)
72. \??\c:\62482.exe (PID 228)
73. \??\c:\k82480.exe (PID 4736)
74. \??\c:\pvvdp.exe (PID 4612)
75. \??\c:\u448448.exe (PID 4512)
76. \??\c:\84204.exe (PID 4408)
77. \??\c:\hnhtbh.exe (PID 2828)
78. \??\c:\0660482.exe (PID 1920)
79. \??\c:\48826.exe (PID 2816)
80. \??\c:\vjpdd.exe (PID 2764)
81. \??\c:\002440.exe (PID 4352)
82. \??\c:\3ttnhh.exe (PID 3788)
83. \??\c:\u406000.exe (PID 1584)
84. \??\c:\628882.exe (PID 2128)
85. \??\c:\04068.exe (PID 1668)
86. \??\c:\tttnhh.exe (PID 4520)
87. \??\c:\26648.exe (PID 4820): System Location Discovery: System Language Discovery
88. \??\c:\jjddd.exe (PID 1904)
89. \??\c:\frffflr.exe (PID 3184)
90. \??\c:\nbtntn.exe (PID 4012)
91. \??\c:\nnbbnn.exe (PID 1576)
92. \??\c:\lxrfxrr.exe (PID 552)
93. \??\c:\268060.exe (PID 1372): System Location Discovery: System Language Discovery
94. \??\c:\xrxrlll.exe (PID 3096)
95. \??\c:\806060.exe (PID 3968)
96. \??\c:\668822.exe (PID 2040)
97. \??\c:\ffrxxxl.exe (PID 2456)
98. \??\c:\dpppv.exe (PID 1652)
99. \??\c:\vpppj.exe (PID 4932)
100. \??\c:\dvjjp.exe (PID 1180)
101. \??\c:\086622.exe (PID 2596)
102. \??\c:\488266.exe (PID 536)
103. \??\c:\1dvjd.exe (PID 3376)
104. \??\c:\0682604.exe (PID 2400)
105. \??\c:\i682268.exe (PID 3116)
106. \??\c:\pjjdv.exe (PID 3608)
107. \??\c:\nbnhhb.exe (PID 4560)
108. \??\c:\q46404.exe (PID 1036)
109. \??\c:\bhtnnn.exe (PID 2788)
110. \??\c:\220044.exe (PID 2100)
111. \??\c:\862226.exe (PID 4652)
112. \??\c:\0242880.exe (PID 5112)
113. \??\c:\006000.exe (PID 3488)
114. \??\c:\lfxlxlx.exe (PID 4728)
115. \??\c:\60664.exe (PID 1660)
116. \??\c:\644848.exe (PID 3036): System Location Discovery: System Language Discovery
117. \??\c:\664620.exe (PID 3524)
118. \??\c:\pdddj.exe (PID 968)
119. \??\c:\fflfffl.exe (PID 4896)
120. \??\c:\42648.exe (PID 3728)
121. \??\c:\486080.exe (PID 5036)
122. \??\c:\bhnnht.exe (PID 1704)