Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 04:04
Static task: static1
Behavioral task: behavioral1
Sample: cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe
Resource: win7-20241023-en
General
- Target: cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe
- Size: 454KB
- MD5: 4034b385004094cd16f35b32388b6b45
- SHA1: e5b5fbf5d22e8a9b03140742e51dcb2276d2c67d
- SHA256: cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986
- SHA512: 07cde2254f8f24ec238456384c6200cf98e87b2108670691b05f98a23e0e953b4ad36e988a67b90065863e23e345050c0f85eb90ff9484e927c2178e5db4972c
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (50 IoCs)
resource  yara_rule
behavioral1/memory/2564-17-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2140-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2604-28-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2552-36-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2248-46-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2860-62-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2808-72-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2808-67-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2912-81-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2936-84-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1708-100-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2668-102-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2120-118-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1660-126-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2304-144-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1088-155-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2960-163-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1848-173-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/568-189-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1568-206-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1868-224-0x0000000000230000-0x000000000025A000-memory.dmp  family_blackmoon
behavioral1/memory/1776-243-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2068-266-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2452-277-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1792-288-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1792-293-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2140-301-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2400-332-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2904-383-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/2904-381-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/2120-408-0x00000000003D0000-0x00000000003FA000-memory.dmp  family_blackmoon
behavioral1/memory/1820-409-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1904-434-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1300-473-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1624-499-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/1920-586-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2576-600-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2780-625-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2880-628-0x0000000000430000-0x000000000045A000-memory.dmp  family_blackmoon
behavioral1/memory/2660-666-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2124-734-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
behavioral1/memory/896-762-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/872-868-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2496-875-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/2212-884-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/1764-1265-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/492-1315-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/900-1322-0x00000000002C0000-0x00000000002EA000-memory.dmp  family_blackmoon
behavioral1/memory/900-1323-0x00000000002C0000-0x00000000002EA000-memory.dmp  family_blackmoon
behavioral1/memory/1236-1362-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
-
Executes dropped EXE (64 IoCs)
pid  Process
2564  042804.exe
2604  jvpvv.exe
2552  s2602.exe
2248  1nbbbt.exe
2520  64228.exe
2860  c288400.exe
2808  u022222.exe
2912  o244482.exe
2936  2062886.exe
1708  028242.exe
2668  vpjvd.exe
2120  dpppp.exe
1660  dpvpp.exe
1924  g0840.exe
2304  bhtnnh.exe
1088  xrfxfxf.exe
2960  806004.exe
1848  604466.exe
536  8646624.exe
568  02044.exe
2956  9pjpp.exe
1568  m8000.exe
1740  u244484.exe
1868  o262862.exe
864  nnttth.exe
3016  q46282.exe
1776  ntbhnh.exe
2484  8866268.exe
2068  hthbbh.exe
2628  m2488.exe
2452  008840.exe
1792  e08882.exe
2140  4282222.exe
2568  o028422.exe
2592  dpvvv.exe
2308  nbhhnn.exe
2324  s2068.exe
2480  frffflr.exe
2400  thnnhh.exe
2800  428400.exe
2876  5httbb.exe
2784  dpdvp.exe
2992  3thbbb.exe
2684  20266.exe
2832  644004.exe
2904  7jjjj.exe
2664  6440668.exe
2668  20628.exe
1192  hbhbbb.exe
2120  208848.exe
1820  6648446.exe
1280  2466600.exe
1692  hnnbnt.exe
1904  vjvdd.exe
2952  40840.exe
2932  9hhbhb.exe
2636  a2406.exe
1872  lfrrffl.exe
1628  4800006.exe
1300  3djjp.exe
632  g0462.exe
2244  pjppv.exe
1960  4806824.exe
1624  428804.exe
-
resource  yara_rule
behavioral1/memory/2564-17-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2564-11-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2140-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2604-28-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2552-36-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2248-46-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2808-72-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2912-81-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2936-84-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1708-100-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2668-102-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2120-118-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1660-126-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2304-144-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1088-155-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2960-163-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1848-173-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/568-189-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1568-206-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1868-222-0x0000000000230000-0x000000000025A000-memory.dmp  upx
behavioral1/memory/1776-243-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2068-266-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2452-277-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1792-293-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2140-301-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2400-332-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2992-357-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2904-381-0x00000000003C0000-0x00000000003EA000-memory.dmp  upx
behavioral1/memory/1820-409-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1904-434-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1300-466-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1300-473-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1960-486-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1712-573-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1920-586-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1712-595-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2576-600-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2780-625-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2912-639-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2652-652-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2660-659-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2660-666-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2716-704-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1620-717-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2124-734-0x00000000003B0000-0x00000000003DA000-memory.dmp  upx
behavioral1/memory/896-762-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1724-769-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1776-806-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2496-869-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1872-1001-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1124-1014-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2140-1112-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2944-1137-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2864-1150-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2856-1163-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1644-1222-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1364-1302-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/948-1330-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1236-1362-0x0000000000220000-0x000000000024A000-memory.dmp  upx
-
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c604662.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  646682.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ffxrrfl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xrlrflr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pdvdj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3xxrxxl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  480442.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  42624.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  042804.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hhtthh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  642288.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0462884.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  866640.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  g6020.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6440668.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1htnbb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bntntn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  g0004.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ppjpj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  268844.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3fxfrrf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
-
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target
PID 2140 wrote to memory of 2564  2140  cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe  30
PID 2140 wrote to memory of 2564  2140  cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe  30
PID 2140 wrote to memory of 2564  2140  cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe  30
PID 2140 wrote to memory of 2564  2140  cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe  30
PID 2564 wrote to memory of 2604  2564  042804.exe  31
PID 2564 wrote to memory of 2604  2564  042804.exe  31
PID 2564 wrote to memory of 2604  2564  042804.exe  31
PID 2564 wrote to memory of 2604  2564  042804.exe  31
PID 2604 wrote to memory of 2552  2604  jvpvv.exe  32
PID 2604 wrote to memory of 2552  2604  jvpvv.exe  32
PID 2604 wrote to memory of 2552  2604  jvpvv.exe  32
PID 2604 wrote to memory of 2552  2604  jvpvv.exe  32
PID 2552 wrote to memory of 2248  2552  s2602.exe  33
PID 2552 wrote to memory of 2248  2552  s2602.exe  33
PID 2552 wrote to memory of 2248  2552  s2602.exe  33
PID 2552 wrote to memory of 2248  2552  s2602.exe  33
PID 2248 wrote to memory of 2520  2248  1nbbbt.exe  34
PID 2248 wrote to memory of 2520  2248  1nbbbt.exe  34
PID 2248 wrote to memory of 2520  2248  1nbbbt.exe  34
PID 2248 wrote to memory of 2520  2248  1nbbbt.exe  34
PID 2520 wrote to memory of 2860  2520  64228.exe  35
PID 2520 wrote to memory of 2860  2520  64228.exe  35
PID 2520 wrote to memory of 2860  2520  64228.exe  35
PID 2520 wrote to memory of 2860  2520  64228.exe  35
PID 2860 wrote to memory of 2808  2860  c288400.exe  36
PID 2860 wrote to memory of 2808  2860  c288400.exe  36
PID 2860 wrote to memory of 2808  2860  c288400.exe  36
PID 2860 wrote to memory of 2808  2860  c288400.exe  36
PID 2808 wrote to memory of 2912  2808  u022222.exe  37
PID 2808 wrote to memory of 2912  2808  u022222.exe  37
PID 2808 wrote to memory of 2912  2808  u022222.exe  37
PID 2808 wrote to memory of 2912  2808  u022222.exe  37
PID 2912 wrote to memory of 2936  2912  o244482.exe  38
PID 2912 wrote to memory of 2936  2912  o244482.exe  38
PID 2912 wrote to memory of 2936  2912  o244482.exe  38
PID 2912 wrote to memory of 2936  2912  o244482.exe  38
PID 2936 wrote to memory of 1708  2936  2062886.exe  39
PID 2936 wrote to memory of 1708  2936  2062886.exe  39
PID 2936 wrote to memory of 1708  2936  2062886.exe  39
PID 2936 wrote to memory of 1708  2936  2062886.exe  39
PID 1708 wrote to memory of 2668  1708  028242.exe  40
PID 1708 wrote to memory of 2668  1708  028242.exe  40
PID 1708 wrote to memory of 2668  1708  028242.exe  40
PID 1708 wrote to memory of 2668  1708  028242.exe  40
PID 2668 wrote to memory of 2120  2668  vpjvd.exe  41
PID 2668 wrote to memory of 2120  2668  vpjvd.exe  41
PID 2668 wrote to memory of 2120  2668  vpjvd.exe  41
PID 2668 wrote to memory of 2120  2668  vpjvd.exe  41
PID 2120 wrote to memory of 1660  2120  dpppp.exe  42
PID 2120 wrote to memory of 1660  2120  dpppp.exe  42
PID 2120 wrote to memory of 1660  2120  dpppp.exe  42
PID 2120 wrote to memory of 1660  2120  dpppp.exe  42
PID 1660 wrote to memory of 1924  1660  dpvpp.exe  43
PID 1660 wrote to memory of 1924  1660  dpvpp.exe  43
PID 1660 wrote to memory of 1924  1660  dpvpp.exe  43
PID 1660 wrote to memory of 1924  1660  dpvpp.exe  43
PID 1924 wrote to memory of 2304  1924  g0840.exe  44
PID 1924 wrote to memory of 2304  1924  g0840.exe  44
PID 1924 wrote to memory of 2304  1924  g0840.exe  44
PID 1924 wrote to memory of 2304  1924  g0840.exe  44
PID 2304 wrote to memory of 1088  2304  bhtnnh.exe  45
PID 2304 wrote to memory of 1088  2304  bhtnnh.exe  45
PID 2304 wrote to memory of 1088  2304  bhtnnh.exe  45
PID 2304 wrote to memory of 1088  2304  bhtnnh.exe  45
Processes
- C:\Users\Admin\AppData\Local\Temp\cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\cc805f4c644150141e4ae326fa753ecc3334bd36c796de7f99be63ef86831986.exe", depth 1)
  - Suspicious use of WriteProcessMemory
  PID: 2140
- \??\c:\042804.exe  (command line: c:\042804.exe, depth 2)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2564
- \??\c:\jvpvv.exe  (command line: c:\jvpvv.exe, depth 3)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2604
- \??\c:\s2602.exe  (command line: c:\s2602.exe, depth 4)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2552
- \??\c:\1nbbbt.exe  (command line: c:\1nbbbt.exe, depth 5)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2248
- \??\c:\64228.exe  (command line: c:\64228.exe, depth 6)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2520
- \??\c:\c288400.exe  (command line: c:\c288400.exe, depth 7)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2860
- \??\c:\u022222.exe  (command line: c:\u022222.exe, depth 8)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2808
- \??\c:\o244482.exe  (command line: c:\o244482.exe, depth 9)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2912
- \??\c:\2062886.exe  (command line: c:\2062886.exe, depth 10)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2936
- \??\c:\028242.exe  (command line: c:\028242.exe, depth 11)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1708
- \??\c:\vpjvd.exe  (command line: c:\vpjvd.exe, depth 12)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2668
- \??\c:\dpppp.exe  (command line: c:\dpppp.exe, depth 13)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2120
- \??\c:\dpvpp.exe  (command line: c:\dpvpp.exe, depth 14)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1660
- \??\c:\g0840.exe  (command line: c:\g0840.exe, depth 15)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1924
- \??\c:\bhtnnh.exe  (command line: c:\bhtnnh.exe, depth 16)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2304
- \??\c:\xrfxfxf.exe  (command line: c:\xrfxfxf.exe, depth 17)
  - Executes dropped EXE
  PID: 1088
- \??\c:\806004.exe  (command line: c:\806004.exe, depth 18)
  - Executes dropped EXE
  PID: 2960
- \??\c:\604466.exe  (command line: c:\604466.exe, depth 19)
  - Executes dropped EXE
  PID: 1848
- \??\c:\8646624.exe  (command line: c:\8646624.exe, depth 20)
  - Executes dropped EXE
  PID: 536
- \??\c:\02044.exe  (command line: c:\02044.exe, depth 21)
  - Executes dropped EXE
  PID: 568
- \??\c:\9pjpp.exe  (command line: c:\9pjpp.exe, depth 22)
  - Executes dropped EXE
  PID: 2956
- \??\c:\m8000.exe  (command line: c:\m8000.exe, depth 23)
  - Executes dropped EXE
  PID: 1568
- \??\c:\u244484.exe  (command line: c:\u244484.exe, depth 24)
  - Executes dropped EXE
  PID: 1740
- \??\c:\o262862.exe  (command line: c:\o262862.exe, depth 25)
  - Executes dropped EXE
  PID: 1868
- \??\c:\nnttth.exe  (command line: c:\nnttth.exe, depth 26)
  - Executes dropped EXE
  PID: 864
- \??\c:\q46282.exe  (command line: c:\q46282.exe, depth 27)
  - Executes dropped EXE
  PID: 3016
- \??\c:\ntbhnh.exe  (command line: c:\ntbhnh.exe, depth 28)
  - Executes dropped EXE
  PID: 1776
- \??\c:\8866268.exe  (command line: c:\8866268.exe, depth 29)
  - Executes dropped EXE
  PID: 2484
- \??\c:\hthbbh.exe  (command line: c:\hthbbh.exe, depth 30)
  - Executes dropped EXE
  PID: 2068
- \??\c:\m2488.exe  (command line: c:\m2488.exe, depth 31)
  - Executes dropped EXE
  PID: 2628
- \??\c:\008840.exe  (command line: c:\008840.exe, depth 32)
  - Executes dropped EXE
  PID: 2452
- \??\c:\e08882.exe  (command line: c:\e08882.exe, depth 33)
  - Executes dropped EXE
  PID: 1792
- \??\c:\4282222.exe  (command line: c:\4282222.exe, depth 34)
  - Executes dropped EXE
  PID: 2140
- \??\c:\o028422.exe  (command line: c:\o028422.exe, depth 35)
  - Executes dropped EXE
  PID: 2568
- \??\c:\dpvvv.exe  (command line: c:\dpvvv.exe, depth 36)
  - Executes dropped EXE
  PID: 2592
- \??\c:\nbhhnn.exe  (command line: c:\nbhhnn.exe, depth 37)
  - Executes dropped EXE
  PID: 2308
- \??\c:\s2068.exe  (command line: c:\s2068.exe, depth 38)
  - Executes dropped EXE
  PID: 2324
- \??\c:\frffflr.exe  (command line: c:\frffflr.exe, depth 39)
  - Executes dropped EXE
  PID: 2480
- \??\c:\thnnhh.exe  (command line: c:\thnnhh.exe, depth 40)
  - Executes dropped EXE
  PID: 2400
- \??\c:\428400.exe  (command line: c:\428400.exe, depth 41)
  - Executes dropped EXE
  PID: 2800
- \??\c:\5httbb.exe  (command line: c:\5httbb.exe, depth 42)
  - Executes dropped EXE
  PID: 2876
- \??\c:\dpdvp.exe  (command line: c:\dpdvp.exe, depth 43)
  - Executes dropped EXE
  PID: 2784
- \??\c:\3thbbb.exe  (command line: c:\3thbbb.exe, depth 44)
  - Executes dropped EXE
  PID: 2992
- \??\c:\20266.exe  (command line: c:\20266.exe, depth 45)
  - Executes dropped EXE
  PID: 2684
- \??\c:\644004.exe  (command line: c:\644004.exe, depth 46)
  - Executes dropped EXE
  PID: 2832
- \??\c:\7jjjj.exe  (command line: c:\7jjjj.exe, depth 47)
  - Executes dropped EXE
  PID: 2904
- \??\c:\6440668.exe  (command line: c:\6440668.exe, depth 48)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2664
- \??\c:\20628.exe  (command line: c:\20628.exe, depth 49)
  - Executes dropped EXE
  PID: 2668
- \??\c:\hbhbbb.exe  (command line: c:\hbhbbb.exe, depth 50)
  - Executes dropped EXE
  PID: 1192
- \??\c:\208848.exe  (command line: c:\208848.exe, depth 51)
  - Executes dropped EXE
  PID: 2120
- \??\c:\6648446.exe  (command line: c:\6648446.exe, depth 52)
  - Executes dropped EXE
  PID: 1820
- \??\c:\2466600.exe  (command line: c:\2466600.exe, depth 53)
  - Executes dropped EXE
  PID: 1280
- \??\c:\hnnbnt.exe  (command line: c:\hnnbnt.exe, depth 54)
  - Executes dropped EXE
  PID: 1692
- \??\c:\vjvdd.exe  (command line: c:\vjvdd.exe, depth 55)
  - Executes dropped EXE
  PID: 1904
- \??\c:\40840.exe  (command line: c:\40840.exe, depth 56)
  - Executes dropped EXE
  PID: 2952
- \??\c:\9hhbhb.exe  (command line: c:\9hhbhb.exe, depth 57)
  - Executes dropped EXE
  PID: 2932
- \??\c:\a2406.exe  (command line: c:\a2406.exe, depth 58)
  - Executes dropped EXE
  PID: 2636
- \??\c:\lfrrffl.exe  (command line: c:\lfrrffl.exe, depth 59)
  - Executes dropped EXE
  PID: 1872
- \??\c:\4800006.exe  (command line: c:\4800006.exe, depth 60)
  - Executes dropped EXE
  PID: 1628
- \??\c:\3djjp.exe  (command line: c:\3djjp.exe, depth 61)
  - Executes dropped EXE
  PID: 1300
- \??\c:\g0462.exe  (command line: c:\g0462.exe, depth 62)
  - Executes dropped EXE
  PID: 632
- \??\c:\pjppv.exe  (command line: c:\pjppv.exe, depth 63)
  - Executes dropped EXE
  PID: 2244
- \??\c:\4806824.exe  (command line: c:\4806824.exe, depth 64)
  - Executes dropped EXE
  PID: 1960
- \??\c:\428804.exe  (command line: c:\428804.exe, depth 65)
  - Executes dropped EXE
  PID: 1624
- \??\c:\8260628.exe  (command line: c:\8260628.exe, depth 66)
  PID: 780
- \??\c:\o026222.exe  (command line: c:\o026222.exe, depth 67)
  PID: 2044
- \??\c:\3vdpp.exe  (command line: c:\3vdpp.exe, depth 68)
  PID: 1732
- \??\c:\2640622.exe  (command line: c:\2640622.exe, depth 69)
  PID: 1772
- \??\c:\7bbbbt.exe  (command line: c:\7bbbbt.exe, depth 70)
  PID: 1776
- \??\c:\9htbhb.exe  (command line: c:\9htbhb.exe, depth 71)
  PID: 2504
- \??\c:\202404.exe  (command line: c:\202404.exe, depth 72)
  PID: 1388
- \??\c:\4848262.exe  (command line: c:\4848262.exe, depth 73)
  PID: 836
- \??\c:\tntnnn.exe  (command line: c:\tntnnn.exe, depth 74)
  PID: 2312
- \??\c:\8262228.exe  (command line: c:\8262228.exe, depth 75)
  PID: 2440
- \??\c:\8684662.exe  (command line: c:\8684662.exe, depth 76)
  PID: 1516
- \??\c:\206622.exe  (command line: c:\206622.exe, depth 77)
  PID: 1612
- \??\c:\1vvdv.exe  (command line: c:\1vvdv.exe, depth 78)
  PID: 1712
- \??\c:\vjdpv.exe  (command line: c:\vjdpv.exe, depth 79)
  PID: 1920
- \??\c:\8288488.exe  (command line: c:\8288488.exe, depth 80)
  PID: 2604
- \??\c:\862804.exe  (command line: c:\862804.exe, depth 81)
  PID: 2512
- \??\c:\w08222.exe  (command line: c:\w08222.exe, depth 82)
  PID: 2576
- \??\c:\7tbhnt.exe  (command line: c:\7tbhnt.exe, depth 83)
  PID: 2480
- \??\c:\7bnnnn.exe  (command line: c:\7bnnnn.exe, depth 84)
  PID: 2844
- \??\c:\7lxxfff.exe  (command line: c:\7lxxfff.exe, depth 85)
  PID: 2780
- \??\c:\k60244.exe  (command line: c:\k60244.exe, depth 86)
  PID: 2880
- \??\c:\o044284.exe  (command line: c:\o044284.exe, depth 87)
  PID: 2784
- \??\c:\rfflrrf.exe  (command line: c:\rfflrrf.exe, depth 88)
  PID: 2912
- \??\c:\602628.exe  (command line: c:\602628.exe, depth 89)
  PID: 2736
- \??\c:\64684.exe  (command line: c:\64684.exe, depth 90)
  PID: 2652
- \??\c:\xrlrflr.exe  (command line: c:\xrlrflr.exe, depth 91)
  - System Location Discovery: System Language Discovery
  PID: 2660
- \??\c:\hhbnbh.exe  (command line: c:\hhbnbh.exe, depth 92)
  PID: 2364
- \??\c:\lrfflrf.exe  (command line: c:\lrfflrf.exe, depth 93)
  PID: 2016
- \??\c:\1thntb.exe  (command line: c:\1thntb.exe, depth 94)
  PID: 1856
- \??\c:\g0268.exe  (command line: c:\g0268.exe, depth 95)
  PID: 1304
- \??\c:\08624.exe  (command line: c:\08624.exe, depth 96)
  PID: 1144
- \??\c:\xxlrxff.exe  (command line: c:\xxlrxff.exe, depth 97)
  PID: 2012
- \??\c:\6488446.exe  (command line: c:\6488446.exe, depth 98)
  PID: 2716
- \??\c:\i424284.exe  (command line: c:\i424284.exe, depth 99)
  PID: 2196
- \??\c:\hnbhtb.exe  (command line: c:\hnbhtb.exe, depth 100)
  PID: 1620
- \??\c:\4264402.exe  (command line: c:\4264402.exe, depth 101)
  PID: 1496
- \??\c:\tntbbh.exe  (command line: c:\tntbbh.exe, depth 102)
  PID: 2124
- \??\c:\pdvdv.exe  (command line: c:\pdvdv.exe, depth 103)
  PID: 2228
- \??\c:\nnntbh.exe  (command line: c:\nnntbh.exe, depth 104)
  PID: 1600
- \??\c:\0862840.exe  (command line: c:\0862840.exe, depth 105)
  PID: 1412
- \??\c:\26840.exe  (command line: c:\26840.exe, depth 106)
  PID: 896
- \??\c:\8644046.exe  (command line: c:\8644046.exe, depth 107)
  PID: 1364
- \??\c:\64224.exe  (command line: c:\64224.exe, depth 108)
  PID: 1724
- \??\c:\7bttbb.exe  (command line: c:\7bttbb.exe, depth 109)
  PID: 2216
- \??\c:\5jdvv.exe  (command line: c:\5jdvv.exe, depth 110)
  PID: 1780
- \??\c:\s4886.exe  (command line: c:\s4886.exe, depth 111)
  PID: 880
- \??\c:\860026.exe  (command line: c:\860026.exe, depth 112)
  PID: 2632
- \??\c:\80884.exe  (command line: c:\80884.exe, depth 113)
  PID: 1048
- \??\c:\080600.exe  (command line: c:\080600.exe, depth 114)
  PID: 1776
- \??\c:\llfrxrf.exe  (command line: c:\llfrxrf.exe, depth 115)
  PID: 1532
- \??\c:\flrxffr.exe  (command line: c:\flrxffr.exe, depth 116)
  PID: 2444
- \??\c:\bnbhnn.exe  (command line: c:\bnbhnn.exe, depth 117)
  PID: 624
- \??\c:\i240228.exe  (command line: c:\i240228.exe, depth 118)
  PID: 2220
- \??\c:\u088006.exe  (command line: c:\u088006.exe, depth 119)
  PID: 2556
- \??\c:\5jpjp.exe  (command line: c:\5jpjp.exe, depth 120)
  PID: 872
- \??\c:\vvppp.exe  (command line: c:\vvppp.exe, depth 121)
  PID: 2564
- \??\c:\m8620.exe  (command line: c:\m8620.exe, depth 122)
  PID: 2732