Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 22:42
Behavioral task
behavioral1
Sample
4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe
Resource
win7-20241010-en
General
-
Target
4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe
-
Size
345KB
-
MD5
c8d9b8efb236e3e4afcb4bb4e9d55f80
-
SHA1
8b0f6bb9486add6a3ff825a67ea3960bc8523d06
-
SHA256
4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761
-
SHA512
0237d50c7039818367b89640793fa1af7c8382d534395bfaaa7fbb4622c8821d6d3dcc52092fcfc206791944cbb38423d203e9aad5ec8762037986597d27361a
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAo:R4wFHoS3WXZshJX2VGdo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3096-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1800-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/384-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/816-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2568-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4296-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1412-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1732-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2452-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/896-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2856-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2908-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3224-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2832-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/816-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1400-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4792-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-518-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-591-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3684-627-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3004 80226.exe 3948 bbbttt.exe 3920 00608.exe 2344 28826.exe 4176 0682660.exe 2820 0288226.exe 4900 688800.exe 4964 jvjpv.exe 1116 ntbnbt.exe 1800 244860.exe 4120 60026.exe 4372 bnnhtt.exe 384 000000.exe 4944 vvjjj.exe 1804 9rxrlrl.exe 4928 640448.exe 2476 ttthtn.exe 2212 jjjjp.exe 3652 42262.exe 2024 pvjdd.exe 3528 826466.exe 816 9bbnbt.exe 4052 40860.exe 4592 nhhnhh.exe 3668 4060048.exe 1336 428480.exe 2832 2228642.exe 2760 frflrfx.exe 2748 rrxlxxr.exe 3876 08486.exe 3500 w66082.exe 4564 nbthbb.exe 3660 04046.exe 3936 040804.exe 3224 424266.exe 2384 w46886.exe 3468 nbhtnb.exe 2568 000826.exe 1320 20080.exe 436 0442620.exe 4696 nnnbtn.exe 2392 xrrlxrl.exe 2232 nbnbnh.exe 3772 44420.exe 4292 222008.exe 2816 08422.exe 2908 s2642.exe 4296 q44882.exe 1412 q82088.exe 3680 rfrfrfr.exe 4112 46608.exe 1028 jdddd.exe 4216 22844.exe 3492 pvvdd.exe 4568 q04860.exe 2856 ppjdp.exe 4320 04048.exe 2840 222086.exe 4748 246086.exe 2176 q80864.exe 3648 000428.exe 4436 0848042.exe 2504 8802086.exe 2700 lxllfff.exe -
resource yara_rule behavioral2/memory/3096-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0018000000023c3b-3.dat upx behavioral2/memory/3096-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3004-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023cb5-9.dat upx behavioral2/files/0x0007000000023cb9-11.dat upx behavioral2/memory/3948-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-19.dat upx behavioral2/memory/3920-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-38.dat upx behavioral2/memory/4964-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-34.dat upx behavioral2/memory/2820-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2344-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-29.dat upx behavioral2/files/0x0007000000023cbc-24.dat upx behavioral2/files/0x0007000000023cc0-42.dat upx behavioral2/memory/1116-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1800-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-51.dat upx behavioral2/memory/4120-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-63.dat upx behavioral2/files/0x0007000000023cc5-66.dat upx behavioral2/memory/384-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-71.dat upx behavioral2/memory/4372-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-77.dat upx behavioral2/memory/1804-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4928-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-81.dat upx behavioral2/files/0x0008000000023cb6-90.dat upx 
behavioral2/memory/2024-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-96.dat upx behavioral2/memory/3652-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-101.dat upx behavioral2/files/0x0007000000023ccc-104.dat upx behavioral2/files/0x0007000000023ccd-111.dat upx behavioral2/memory/816-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-115.dat upx behavioral2/files/0x0007000000023ccf-119.dat upx behavioral2/memory/3668-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-128.dat upx behavioral2/files/0x0007000000023cd3-132.dat upx behavioral2/memory/4564-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2384-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2568-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4292-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4296-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1412-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4568-212-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4748-222-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3648-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1732-237-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2452-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4732-253-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3368-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/896-242-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4436-230-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2856-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4112-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2908-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3660-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4696-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1320-172-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q24262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6682608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q06600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tthtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i686266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u028624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3096 wrote to memory of 3004 3096 4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe 83 PID 3096 wrote to memory of 3004 3096 4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe 83 PID 3096 wrote to memory of 3004 3096 4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe 83 PID 3004 wrote to memory of 3948 3004 80226.exe 84 PID 3004 wrote to memory of 3948 3004 80226.exe 84 PID 3004 wrote to memory of 3948 3004 80226.exe 84 PID 3948 wrote to memory of 3920 3948 bbbttt.exe 85 PID 3948 wrote to memory of 3920 3948 bbbttt.exe 85 PID 3948 wrote to memory of 3920 3948 bbbttt.exe 85 PID 3920 wrote to memory of 2344 3920 00608.exe 86 PID 3920 wrote to memory of 2344 3920 00608.exe 86 PID 3920 wrote to memory of 2344 3920 00608.exe 86 PID 2344 wrote to memory of 4176 2344 28826.exe 87 PID 2344 wrote to memory of 4176 2344 28826.exe 87 PID 2344 wrote to memory of 4176 2344 28826.exe 87 PID 4176 wrote to memory of 2820 4176 0682660.exe 88 PID 4176 wrote to memory of 2820 4176 0682660.exe 88 PID 4176 wrote to memory of 2820 4176 0682660.exe 88 PID 2820 wrote to memory of 4900 2820 0288226.exe 89 PID 2820 wrote to memory of 4900 2820 0288226.exe 89 PID 2820 wrote to memory of 4900 2820 0288226.exe 89 PID 4900 wrote to memory of 4964 4900 688800.exe 90 PID 4900 wrote to memory of 4964 4900 688800.exe 90 PID 4900 wrote to memory of 4964 4900 688800.exe 90 PID 4964 wrote to memory of 1116 4964 jvjpv.exe 91 PID 4964 wrote to memory of 1116 4964 jvjpv.exe 91 PID 4964 wrote to memory of 1116 4964 jvjpv.exe 91 PID 1116 wrote to memory of 1800 1116 ntbnbt.exe 92 PID 1116 wrote to memory of 1800 1116 ntbnbt.exe 92 PID 1116 wrote to memory of 1800 1116 ntbnbt.exe 92 PID 1800 wrote to memory of 4120 1800 244860.exe 93 PID 1800 wrote to memory of 4120 1800 244860.exe 93 PID 1800 wrote to memory of 4120 1800 244860.exe 93 PID 4120 wrote to memory of 4372 4120 60026.exe 94 PID 4120 wrote to 
memory of 4372 4120 60026.exe 94 PID 4120 wrote to memory of 4372 4120 60026.exe 94 PID 4372 wrote to memory of 384 4372 bnnhtt.exe 95 PID 4372 wrote to memory of 384 4372 bnnhtt.exe 95 PID 4372 wrote to memory of 384 4372 bnnhtt.exe 95 PID 384 wrote to memory of 4944 384 000000.exe 96 PID 384 wrote to memory of 4944 384 000000.exe 96 PID 384 wrote to memory of 4944 384 000000.exe 96 PID 4944 wrote to memory of 1804 4944 vvjjj.exe 97 PID 4944 wrote to memory of 1804 4944 vvjjj.exe 97 PID 4944 wrote to memory of 1804 4944 vvjjj.exe 97 PID 1804 wrote to memory of 4928 1804 9rxrlrl.exe 98 PID 1804 wrote to memory of 4928 1804 9rxrlrl.exe 98 PID 1804 wrote to memory of 4928 1804 9rxrlrl.exe 98 PID 4928 wrote to memory of 2476 4928 640448.exe 99 PID 4928 wrote to memory of 2476 4928 640448.exe 99 PID 4928 wrote to memory of 2476 4928 640448.exe 99 PID 2476 wrote to memory of 2212 2476 ttthtn.exe 100 PID 2476 wrote to memory of 2212 2476 ttthtn.exe 100 PID 2476 wrote to memory of 2212 2476 ttthtn.exe 100 PID 2212 wrote to memory of 3652 2212 jjjjp.exe 101 PID 2212 wrote to memory of 3652 2212 jjjjp.exe 101 PID 2212 wrote to memory of 3652 2212 jjjjp.exe 101 PID 3652 wrote to memory of 2024 3652 42262.exe 102 PID 3652 wrote to memory of 2024 3652 42262.exe 102 PID 3652 wrote to memory of 2024 3652 42262.exe 102 PID 2024 wrote to memory of 3528 2024 pvjdd.exe 169 PID 2024 wrote to memory of 3528 2024 pvjdd.exe 169 PID 2024 wrote to memory of 3528 2024 pvjdd.exe 169 PID 3528 wrote to memory of 816 3528 826466.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe"C:\Users\Admin\AppData\Local\Temp\4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\80226.exec:\80226.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\bbbttt.exec:\bbbttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\00608.exec:\00608.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\28826.exec:\28826.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\0682660.exec:\0682660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\0288226.exec:\0288226.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\688800.exec:\688800.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\jvjpv.exec:\jvjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\ntbnbt.exec:\ntbnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\244860.exec:\244860.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\60026.exec:\60026.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\bnnhtt.exec:\bnnhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\000000.exec:\000000.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\vvjjj.exec:\vvjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\9rxrlrl.exec:\9rxrlrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\640448.exec:\640448.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\ttthtn.exec:\ttthtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\jjjjp.exec:\jjjjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\42262.exec:\42262.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\pvjdd.exec:\pvjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\826466.exec:\826466.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\9bbnbt.exec:\9bbnbt.exe23⤵
- Executes dropped EXE
PID:816 -
\??\c:\40860.exec:\40860.exe24⤵
- Executes dropped EXE
PID:4052 -
\??\c:\nhhnhh.exec:\nhhnhh.exe25⤵
- Executes dropped EXE
PID:4592 -
\??\c:\4060048.exec:\4060048.exe26⤵
- Executes dropped EXE
PID:3668 -
\??\c:\428480.exec:\428480.exe27⤵
- Executes dropped EXE
PID:1336 -
\??\c:\2228642.exec:\2228642.exe28⤵
- Executes dropped EXE
PID:2832 -
\??\c:\frflrfx.exec:\frflrfx.exe29⤵
- Executes dropped EXE
PID:2760 -
\??\c:\rrxlxxr.exec:\rrxlxxr.exe30⤵
- Executes dropped EXE
PID:2748 -
\??\c:\08486.exec:\08486.exe31⤵
- Executes dropped EXE
PID:3876 -
\??\c:\w66082.exec:\w66082.exe32⤵
- Executes dropped EXE
PID:3500 -
\??\c:\nbthbb.exec:\nbthbb.exe33⤵
- Executes dropped EXE
PID:4564 -
\??\c:\04046.exec:\04046.exe34⤵
- Executes dropped EXE
PID:3660 -
\??\c:\040804.exec:\040804.exe35⤵
- Executes dropped EXE
PID:3936 -
\??\c:\424266.exec:\424266.exe36⤵
- Executes dropped EXE
PID:3224 -
\??\c:\w46886.exec:\w46886.exe37⤵
- Executes dropped EXE
PID:2384 -
\??\c:\nbhtnb.exec:\nbhtnb.exe38⤵
- Executes dropped EXE
PID:3468 -
\??\c:\000826.exec:\000826.exe39⤵
- Executes dropped EXE
PID:2568 -
\??\c:\20080.exec:\20080.exe40⤵
- Executes dropped EXE
PID:1320 -
\??\c:\0442620.exec:\0442620.exe41⤵
- Executes dropped EXE
PID:436 -
\??\c:\nnnbtn.exec:\nnnbtn.exe42⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe43⤵
- Executes dropped EXE
PID:2392 -
\??\c:\nbnbnh.exec:\nbnbnh.exe44⤵
- Executes dropped EXE
PID:2232 -
\??\c:\44420.exec:\44420.exe45⤵
- Executes dropped EXE
PID:3772 -
\??\c:\222008.exec:\222008.exe46⤵
- Executes dropped EXE
PID:4292 -
\??\c:\08422.exec:\08422.exe47⤵
- Executes dropped EXE
PID:2816 -
\??\c:\s2642.exec:\s2642.exe48⤵
- Executes dropped EXE
PID:2908 -
\??\c:\q44882.exec:\q44882.exe49⤵
- Executes dropped EXE
PID:4296 -
\??\c:\q82088.exec:\q82088.exe50⤵
- Executes dropped EXE
PID:1412 -
\??\c:\rfrfrfr.exec:\rfrfrfr.exe51⤵
- Executes dropped EXE
PID:3680 -
\??\c:\46608.exec:\46608.exe52⤵
- Executes dropped EXE
PID:4112 -
\??\c:\jdddd.exec:\jdddd.exe53⤵
- Executes dropped EXE
PID:1028 -
\??\c:\22844.exec:\22844.exe54⤵
- Executes dropped EXE
PID:4216 -
\??\c:\pvvdd.exec:\pvvdd.exe55⤵
- Executes dropped EXE
PID:3492 -
\??\c:\q04860.exec:\q04860.exe56⤵
- Executes dropped EXE
PID:4568 -
\??\c:\ppjdp.exec:\ppjdp.exe57⤵
- Executes dropped EXE
PID:2856 -
\??\c:\04048.exec:\04048.exe58⤵
- Executes dropped EXE
PID:4320 -
\??\c:\222086.exec:\222086.exe59⤵
- Executes dropped EXE
PID:2840 -
\??\c:\246086.exec:\246086.exe60⤵
- Executes dropped EXE
PID:4748 -
\??\c:\q80864.exec:\q80864.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\000428.exec:\000428.exe62⤵
- Executes dropped EXE
PID:3648 -
\??\c:\0848042.exec:\0848042.exe63⤵
- Executes dropped EXE
PID:4436 -
\??\c:\8802086.exec:\8802086.exe64⤵
- Executes dropped EXE
PID:2504 -
\??\c:\lxllfff.exec:\lxllfff.exe65⤵
- Executes dropped EXE
PID:2700 -
\??\c:\1rlfrxr.exec:\1rlfrxr.exe66⤵PID:1732
-
\??\c:\3lxlxlx.exec:\3lxlxlx.exe67⤵PID:1672
-
\??\c:\82260.exec:\82260.exe68⤵PID:896
-
\??\c:\vjvjp.exec:\vjvjp.exe69⤵PID:2452
-
\??\c:\44820.exec:\44820.exe70⤵PID:3368
-
\??\c:\6400404.exec:\6400404.exe71⤵PID:2808
-
\??\c:\bhnbtn.exec:\bhnbtn.exe72⤵PID:4732
-
\??\c:\htnbnh.exec:\htnbnh.exe73⤵PID:3040
-
\??\c:\84246.exec:\84246.exe74⤵PID:2240
-
\??\c:\jvvjv.exec:\jvvjv.exe75⤵PID:4312
-
\??\c:\08642.exec:\08642.exe76⤵PID:3344
-
\??\c:\8686048.exec:\8686048.exe77⤵PID:1564
-
\??\c:\0848060.exec:\0848060.exe78⤵PID:1948
-
\??\c:\7xfrxlx.exec:\7xfrxlx.exe79⤵PID:3804
-
\??\c:\5lffrll.exec:\5lffrll.exe80⤵PID:4980
-
\??\c:\88822.exec:\88822.exe81⤵PID:2356
-
\??\c:\thnbth.exec:\thnbth.exe82⤵PID:2524
-
\??\c:\pddpd.exec:\pddpd.exe83⤵PID:3544
-
\??\c:\240426.exec:\240426.exe84⤵PID:3464
-
\??\c:\2620826.exec:\2620826.exe85⤵PID:3404
-
\??\c:\pjjvj.exec:\pjjvj.exe86⤵PID:2124
-
\??\c:\pvdpj.exec:\pvdpj.exe87⤵PID:4840
-
\??\c:\ntthtn.exec:\ntthtn.exe88⤵PID:3528
-
\??\c:\ntbhhh.exec:\ntbhhh.exe89⤵PID:5064
-
\??\c:\086426.exec:\086426.exe90⤵PID:1700
-
\??\c:\a6208.exec:\a6208.exe91⤵PID:472
-
\??\c:\nhbtht.exec:\nhbtht.exe92⤵PID:4504
-
\??\c:\rfxrffr.exec:\rfxrffr.exe93⤵PID:3288
-
\??\c:\64482.exec:\64482.exe94⤵PID:3592
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe95⤵PID:1040
-
\??\c:\662260.exec:\662260.exe96⤵PID:4664
-
\??\c:\fxrfrlx.exec:\fxrfrlx.exe97⤵PID:3252
-
\??\c:\xflxlrl.exec:\xflxlrl.exe98⤵PID:2748
-
\??\c:\9llfxxr.exec:\9llfxxr.exe99⤵PID:3876
-
\??\c:\w00426.exec:\w00426.exe100⤵PID:2056
-
\??\c:\frxxlfr.exec:\frxxlfr.exe101⤵PID:2780
-
\??\c:\204486.exec:\204486.exe102⤵PID:4348
-
\??\c:\jjpdv.exec:\jjpdv.exe103⤵PID:2164
-
\??\c:\q66082.exec:\q66082.exe104⤵PID:1136
-
\??\c:\rlrxflf.exec:\rlrxflf.exe105⤵PID:1620
-
\??\c:\u028624.exec:\u028624.exe106⤵
- System Location Discovery: System Language Discovery
PID:1400 -
\??\c:\2242044.exec:\2242044.exe107⤵PID:3468
-
\??\c:\vjjdp.exec:\vjjdp.exe108⤵PID:3896
-
\??\c:\628260.exec:\628260.exe109⤵PID:1048
-
\??\c:\7pdvj.exec:\7pdvj.exe110⤵PID:3684
-
\??\c:\60082.exec:\60082.exe111⤵PID:4512
-
\??\c:\jppdp.exec:\jppdp.exe112⤵PID:2360
-
\??\c:\pdvpd.exec:\pdvpd.exe113⤵PID:1616
-
\??\c:\ppdvp.exec:\ppdvp.exe114⤵PID:4816
-
\??\c:\0882260.exec:\0882260.exe115⤵PID:3440
-
\??\c:\vvpjv.exec:\vvpjv.exe116⤵PID:4812
-
\??\c:\86608.exec:\86608.exe117⤵PID:2584
-
\??\c:\8622004.exec:\8622004.exe118⤵PID:4792
-
\??\c:\9vdvj.exec:\9vdvj.exe119⤵PID:5048
-
\??\c:\288260.exec:\288260.exe120⤵PID:1876
-
\??\c:\48264.exec:\48264.exe121⤵PID:1716
-
\??\c:\642604.exec:\642604.exe122⤵PID:1100