Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2024, 01:16
Behavioral task
- behavioral1
- Sample: 2c869ba75101c8c383d68c4bab685c07a5a5436a6152c13c51936d2e7f3ddfda.exe
- Resource: win7-20241010-en
General
- Target: 2c869ba75101c8c383d68c4bab685c07a5a5436a6152c13c51936d2e7f3ddfda.exe
- Size: 334KB
- MD5: 110175f070cd0ff0983d94b3aaa4f9f7
- SHA1: bdea063c8efdcc25587746af3d1545634bdba50b
- SHA256: 2c869ba75101c8c383d68c4bab685c07a5a5436a6152c13c51936d2e7f3ddfda
- SHA512: 6692e9a86dcdde691e4d1a38e9878009649980cfc8db74c7ed50b178d976b06375f861229fcf8aa5bc0ccff7aedaf676a99ed03d725e7b625d182e7bfa516a08
- SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeR4:R4wFHoSHYHUrAwfMp3CDR4
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c869ba75101c8c383d68c4bab685c07a5a5436a6152c13c51936d2e7f3ddfda.exe"C:\Users\Admin\AppData\Local\Temp\2c869ba75101c8c383d68c4bab685c07a5a5436a6152c13c51936d2e7f3ddfda.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\bbhbtt.exec:\bbhbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\hnnnhb.exec:\hnnnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\2006040.exec:\2006040.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\rxfllrx.exec:\rxfllrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\4628260.exec:\4628260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\42480.exec:\42480.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\3vjjj.exec:\3vjjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\0222262.exec:\0222262.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\fffrrll.exec:\fffrrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\lfllrxx.exec:\lfllrxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\lfllllf.exec:\lfllllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\6804444.exec:\6804444.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\hnhnhh.exec:\hnhnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\rlxxfxx.exec:\rlxxfxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\246000.exec:\246000.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\5jvpv.exec:\5jvpv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\82006.exec:\82006.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\4800002.exec:\4800002.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\26806.exec:\26806.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\xlxfrfr.exec:\xlxfrfr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\3ttnhb.exec:\3ttnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\htbhhh.exec:\htbhhh.exe23⤵
- Executes dropped EXE
PID:4864 -
\??\c:\860422.exec:\860422.exe24⤵
- Executes dropped EXE
PID:3272 -
\??\c:\7xlxlfr.exec:\7xlxlfr.exe25⤵
- Executes dropped EXE
PID:3416 -
\??\c:\o408604.exec:\o408604.exe26⤵
- Executes dropped EXE
PID:2212 -
\??\c:\5vvpp.exec:\5vvpp.exe27⤵
- Executes dropped EXE
PID:4060 -
\??\c:\g6608.exec:\g6608.exe28⤵
- Executes dropped EXE
PID:2444 -
\??\c:\844860.exec:\844860.exe29⤵
- Executes dropped EXE
PID:4496 -
\??\c:\dpjdj.exec:\dpjdj.exe30⤵
- Executes dropped EXE
PID:1860 -
\??\c:\0604822.exec:\0604822.exe31⤵
- Executes dropped EXE
PID:972 -
\??\c:\3hhtnh.exec:\3hhtnh.exe32⤵
- Executes dropped EXE
PID:3144 -
\??\c:\a2042.exec:\a2042.exe33⤵
- Executes dropped EXE
PID:3768 -
\??\c:\20040.exec:\20040.exe34⤵
- Executes dropped EXE
PID:3960 -
\??\c:\a0482.exec:\a0482.exe35⤵
- Executes dropped EXE
PID:2452 -
\??\c:\ntbnbh.exec:\ntbnbh.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5116 -
\??\c:\e20046.exec:\e20046.exe37⤵
- Executes dropped EXE
PID:4972 -
\??\c:\04086.exec:\04086.exe38⤵
- Executes dropped EXE
PID:4916 -
\??\c:\8682884.exec:\8682884.exe39⤵
- Executes dropped EXE
PID:3312 -
\??\c:\00608.exec:\00608.exe40⤵
- Executes dropped EXE
PID:4536 -
\??\c:\8008440.exec:\8008440.exe41⤵
- Executes dropped EXE
PID:3732 -
\??\c:\660264.exec:\660264.exe42⤵
- Executes dropped EXE
PID:4244 -
\??\c:\1lffxlx.exec:\1lffxlx.exe43⤵
- Executes dropped EXE
PID:3016 -
\??\c:\2022042.exec:\2022042.exe44⤵
- Executes dropped EXE
PID:1828 -
\??\c:\2448660.exec:\2448660.exe45⤵
- Executes dropped EXE
PID:3348 -
\??\c:\bnhtbn.exec:\bnhtbn.exe46⤵
- Executes dropped EXE
PID:2936 -
\??\c:\9rxrlll.exec:\9rxrlll.exe47⤵
- Executes dropped EXE
PID:1448 -
\??\c:\488044.exec:\488044.exe48⤵
- Executes dropped EXE
PID:1316 -
\??\c:\82822.exec:\82822.exe49⤵
- Executes dropped EXE
PID:3188 -
\??\c:\9dvvv.exec:\9dvvv.exe50⤵
- Executes dropped EXE
PID:4424 -
\??\c:\ddjjv.exec:\ddjjv.exe51⤵
- Executes dropped EXE
PID:4692 -
\??\c:\s2868.exec:\s2868.exe52⤵
- Executes dropped EXE
PID:1832 -
\??\c:\64622.exec:\64622.exe53⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1fffrxr.exec:\1fffrxr.exe54⤵
- Executes dropped EXE
PID:4452 -
\??\c:\jvvvd.exec:\jvvvd.exe55⤵
- Executes dropped EXE
PID:1000 -
\??\c:\q42266.exec:\q42266.exe56⤵
- Executes dropped EXE
PID:3584 -
\??\c:\w64008.exec:\w64008.exe57⤵
- Executes dropped EXE
PID:3572 -
\??\c:\426408.exec:\426408.exe58⤵
- Executes dropped EXE
PID:3472 -
\??\c:\bntnhh.exec:\bntnhh.exe59⤵
- Executes dropped EXE
PID:2532 -
\??\c:\060004.exec:\060004.exe60⤵
- Executes dropped EXE
PID:1488 -
\??\c:\62048.exec:\62048.exe61⤵
- Executes dropped EXE
PID:4828 -
\??\c:\vvvpp.exec:\vvvpp.exe62⤵
- Executes dropped EXE
PID:3588 -
\??\c:\24622.exec:\24622.exe63⤵
- Executes dropped EXE
PID:3260 -
\??\c:\28408.exec:\28408.exe64⤵
- Executes dropped EXE
PID:1280 -
\??\c:\btbthh.exec:\btbthh.exe65⤵
- Executes dropped EXE
PID:1584 -
\??\c:\440868.exec:\440868.exe66⤵PID:5100
-
\??\c:\6004226.exec:\6004226.exe67⤵PID:3944
-
\??\c:\e68822.exec:\e68822.exe68⤵PID:1948
-
\??\c:\4028666.exec:\4028666.exe69⤵PID:4796
-
\??\c:\jdjjd.exec:\jdjjd.exe70⤵
- System Location Discovery: System Language Discovery
PID:1704 -
\??\c:\g2882.exec:\g2882.exe71⤵PID:1664
-
\??\c:\8222666.exec:\8222666.exe72⤵PID:2428
-
\??\c:\1hnhhh.exec:\1hnhhh.exe73⤵PID:4200
-
\??\c:\0664822.exec:\0664822.exe74⤵PID:3296
-
\??\c:\9hbhtt.exec:\9hbhtt.exe75⤵PID:812
-
\??\c:\9lxrffx.exec:\9lxrffx.exe76⤵PID:3548
-
\??\c:\bntntn.exec:\bntntn.exe77⤵PID:1508
-
\??\c:\424226.exec:\424226.exe78⤵PID:2496
-
\??\c:\nbthtn.exec:\nbthtn.exe79⤵PID:4804
-
\??\c:\1rrlffr.exec:\1rrlffr.exe80⤵PID:4564
-
\??\c:\42686.exec:\42686.exe81⤵PID:1104
-
\??\c:\nthnbt.exec:\nthnbt.exe82⤵PID:5036
-
\??\c:\bthttt.exec:\bthttt.exe83⤵PID:1064
-
\??\c:\llrrrff.exec:\llrrrff.exe84⤵PID:4432
-
\??\c:\26604.exec:\26604.exe85⤵PID:876
-
\??\c:\7jjvj.exec:\7jjvj.exe86⤵PID:2924
-
\??\c:\vvpjd.exec:\vvpjd.exe87⤵PID:1084
-
\??\c:\0606284.exec:\0606284.exe88⤵PID:744
-
\??\c:\hbhbhb.exec:\hbhbhb.exe89⤵PID:816
-
\??\c:\k82264.exec:\k82264.exe90⤵PID:3276
-
\??\c:\1rlfxxf.exec:\1rlfxxf.exe91⤵PID:3228
-
\??\c:\w46004.exec:\w46004.exe92⤵PID:2044
-
\??\c:\8882260.exec:\8882260.exe93⤵PID:1624
-
\??\c:\nhhbtn.exec:\nhhbtn.exe94⤵PID:3108
-
\??\c:\28048.exec:\28048.exe95⤵PID:316
-
\??\c:\i660260.exec:\i660260.exe96⤵PID:1652
-
\??\c:\1lllxrl.exec:\1lllxrl.exe97⤵PID:5056
-
\??\c:\s2084.exec:\s2084.exe98⤵PID:4012
-
\??\c:\a2448.exec:\a2448.exe99⤵PID:3960
-
\??\c:\6088600.exec:\6088600.exe100⤵PID:2692
-
\??\c:\0288222.exec:\0288222.exe101⤵PID:5116
-
\??\c:\rfllxxr.exec:\rfllxxr.exe102⤵PID:1960
-
\??\c:\3btnnh.exec:\3btnnh.exe103⤵PID:2408
-
\??\c:\266600.exec:\266600.exe104⤵PID:4836
-
\??\c:\nbbthn.exec:\nbbthn.exe105⤵PID:1776
-
\??\c:\pvdvv.exec:\pvdvv.exe106⤵PID:4336
-
\??\c:\lffxlfx.exec:\lffxlfx.exe107⤵PID:2028
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe108⤵PID:1984
-
\??\c:\tntbtn.exec:\tntbtn.exe109⤵PID:4736
-
\??\c:\xflfrlr.exec:\xflfrlr.exe110⤵PID:4184
-
\??\c:\hbtnhb.exec:\hbtnhb.exe111⤵PID:1620
-
\??\c:\00666.exec:\00666.exe112⤵PID:556
-
\??\c:\ntbtnn.exec:\ntbtnn.exe113⤵PID:1752
-
\??\c:\btnnhn.exec:\btnnhn.exe114⤵PID:4380
-
\??\c:\6408826.exec:\6408826.exe115⤵PID:4312
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe116⤵PID:3940
-
\??\c:\pdvjd.exec:\pdvjd.exe117⤵PID:4192
-
\??\c:\7xrrfrx.exec:\7xrrfrx.exe118⤵PID:1428
-
\??\c:\i668066.exec:\i668066.exe119⤵PID:3984
-
\??\c:\k40262.exec:\k40262.exe120⤵PID:1964
-
\??\c:\26626.exec:\26626.exe121⤵PID:3912
-
\??\c:\xllxlfl.exec:\xllxlfl.exe122⤵PID:2388