Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 11:45
Static task
static1
Behavioral task
behavioral1
Sample
00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe
Resource
win7-20241010-en
General
-
Target
00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe
-
Size
454KB
-
MD5
5f4ef7421aec98ac002ea9afab6051c3
-
SHA1
8e86a14d1e75d83b484b85dec3a898f8abf61552
-
SHA256
00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35
-
SHA512
423b567a4a2425df73f4dc33562c5f4685498213f3d5a95c325be2580ee294560b26334dbb5faa9a1e81b48077f5eabfead4d4e442a82147d5a529dde6c9823e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4324-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1316-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2752-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-1162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-1334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-1501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-1521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-1800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4296 jvvvd.exe 4484 2244864.exe 1780 204860.exe 4036 1nbnnh.exe 1976 pjdpd.exe 3076 bhhthb.exe 3112 jvjdv.exe 3564 thtnnn.exe 4700 xrrlllr.exe 2636 q24822.exe 4004 pddvp.exe 536 424040.exe 2256 7nttth.exe 460 20626.exe 1192 dvvvp.exe 4564 22260.exe 2720 rflxrfx.exe 1560 3tttnb.exe 1480 6684228.exe 5052 6044826.exe 1348 vjvjv.exe 2808 9vvjv.exe 4072 a4068.exe 3696 6844820.exe 1900 0400864.exe 2092 httbbt.exe 1316 bnbttn.exe 2324 280448.exe 848 vddvv.exe 2364 lllfxxr.exe 3524 4248440.exe 4868 4626066.exe 3096 260046.exe 1504 00660.exe 1840 0880482.exe 652 20440.exe 3980 264848.exe 2272 jddvp.exe 1036 046044.exe 1816 620426.exe 1924 ffxrfxr.exe 1632 628244.exe 3088 lfrrrxx.exe 1608 4442266.exe 3024 thhbbb.exe 2804 022600.exe 3984 84864.exe 4332 vddpd.exe 4120 s0644.exe 540 262046.exe 3656 nbbnbb.exe 4016 q00040.exe 4212 xxfrlfr.exe 4484 44082.exe 684 pjpdj.exe 1964 22486.exe 4640 i060046.exe 1792 pdjdv.exe 2892 rflxllx.exe 2416 00048.exe 3592 frlfrlr.exe 3672 thbnht.exe 3104 vvpdv.exe 4700 2042026.exe -
resource yara_rule behavioral2/memory/4324-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3524-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-458-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/232-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-1162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-1334-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i060046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnh.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6804488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4324 wrote to memory of 4296 4324 00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe 83 PID 4324 wrote to memory of 4296 4324 00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe 83 PID 4324 wrote to memory of 4296 4324 00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe 83 PID 4296 wrote to memory of 4484 4296 jvvvd.exe 84 PID 4296 wrote to memory of 4484 4296 jvvvd.exe 84 PID 4296 wrote to memory of 4484 4296 jvvvd.exe 84 PID 4484 wrote to memory of 1780 4484 2244864.exe 85 PID 4484 wrote to memory of 1780 4484 2244864.exe 85 PID 4484 wrote to memory of 1780 4484 2244864.exe 85 PID 1780 wrote to memory of 4036 1780 204860.exe 86 PID 1780 wrote to memory of 4036 1780 204860.exe 86 PID 1780 wrote to memory of 4036 1780 204860.exe 86 PID 4036 wrote to memory of 1976 4036 1nbnnh.exe 87 PID 4036 wrote to memory of 1976 4036 1nbnnh.exe 87 PID 4036 wrote to memory of 1976 4036 1nbnnh.exe 87 PID 1976 wrote to memory of 3076 1976 pjdpd.exe 88 PID 1976 wrote to memory of 3076 1976 pjdpd.exe 88 PID 1976 wrote to memory of 3076 1976 pjdpd.exe 88 PID 3076 wrote to memory of 3112 3076 bhhthb.exe 89 PID 3076 wrote to memory of 3112 3076 bhhthb.exe 89 PID 3076 wrote to memory of 3112 3076 bhhthb.exe 89 PID 3112 wrote to memory of 3564 3112 jvjdv.exe 90 PID 3112 wrote to memory of 3564 3112 jvjdv.exe 90 PID 3112 wrote to memory of 3564 3112 jvjdv.exe 90 PID 3564 wrote to memory of 4700 3564 thtnnn.exe 91 PID 3564 wrote to memory of 4700 3564 thtnnn.exe 91 PID 3564 wrote to memory of 4700 3564 thtnnn.exe 91 PID 4700 wrote to memory of 2636 4700 xrrlllr.exe 92 PID 4700 wrote to memory of 2636 4700 xrrlllr.exe 92 PID 4700 wrote to memory of 2636 4700 xrrlllr.exe 92 PID 2636 wrote to memory of 4004 2636 q24822.exe 93 PID 2636 wrote to memory of 4004 2636 q24822.exe 93 PID 2636 wrote to memory of 4004 2636 q24822.exe 93 PID 4004 wrote to memory of 536 4004 pddvp.exe 94 PID 4004 wrote to memory 
of 536 4004 pddvp.exe 94 PID 4004 wrote to memory of 536 4004 pddvp.exe 94 PID 536 wrote to memory of 2256 536 424040.exe 95 PID 536 wrote to memory of 2256 536 424040.exe 95 PID 536 wrote to memory of 2256 536 424040.exe 95 PID 2256 wrote to memory of 460 2256 7nttth.exe 96 PID 2256 wrote to memory of 460 2256 7nttth.exe 96 PID 2256 wrote to memory of 460 2256 7nttth.exe 96 PID 460 wrote to memory of 1192 460 20626.exe 97 PID 460 wrote to memory of 1192 460 20626.exe 97 PID 460 wrote to memory of 1192 460 20626.exe 97 PID 1192 wrote to memory of 4564 1192 dvvvp.exe 98 PID 1192 wrote to memory of 4564 1192 dvvvp.exe 98 PID 1192 wrote to memory of 4564 1192 dvvvp.exe 98 PID 4564 wrote to memory of 2720 4564 22260.exe 99 PID 4564 wrote to memory of 2720 4564 22260.exe 99 PID 4564 wrote to memory of 2720 4564 22260.exe 99 PID 2720 wrote to memory of 1560 2720 rflxrfx.exe 100 PID 2720 wrote to memory of 1560 2720 rflxrfx.exe 100 PID 2720 wrote to memory of 1560 2720 rflxrfx.exe 100 PID 1560 wrote to memory of 1480 1560 3tttnb.exe 101 PID 1560 wrote to memory of 1480 1560 3tttnb.exe 101 PID 1560 wrote to memory of 1480 1560 3tttnb.exe 101 PID 1480 wrote to memory of 5052 1480 6684228.exe 102 PID 1480 wrote to memory of 5052 1480 6684228.exe 102 PID 1480 wrote to memory of 5052 1480 6684228.exe 102 PID 5052 wrote to memory of 1348 5052 6044826.exe 103 PID 5052 wrote to memory of 1348 5052 6044826.exe 103 PID 5052 wrote to memory of 1348 5052 6044826.exe 103 PID 1348 wrote to memory of 2808 1348 vjvjv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe"C:\Users\Admin\AppData\Local\Temp\00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\jvvvd.exec:\jvvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\2244864.exec:\2244864.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\204860.exec:\204860.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\1nbnnh.exec:\1nbnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\pjdpd.exec:\pjdpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\bhhthb.exec:\bhhthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\jvjdv.exec:\jvjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\thtnnn.exec:\thtnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\xrrlllr.exec:\xrrlllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\q24822.exec:\q24822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\pddvp.exec:\pddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\424040.exec:\424040.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\7nttth.exec:\7nttth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\20626.exec:\20626.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\dvvvp.exec:\dvvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\22260.exec:\22260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\rflxrfx.exec:\rflxrfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\3tttnb.exec:\3tttnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\6684228.exec:\6684228.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\6044826.exec:\6044826.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\vjvjv.exec:\vjvjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\9vvjv.exec:\9vvjv.exe23⤵
- Executes dropped EXE
PID:2808 -
\??\c:\a4068.exec:\a4068.exe24⤵
- Executes dropped EXE
PID:4072 -
\??\c:\6844820.exec:\6844820.exe25⤵
- Executes dropped EXE
PID:3696 -
\??\c:\0400864.exec:\0400864.exe26⤵
- Executes dropped EXE
PID:1900 -
\??\c:\httbbt.exec:\httbbt.exe27⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bnbttn.exec:\bnbttn.exe28⤵
- Executes dropped EXE
PID:1316 -
\??\c:\280448.exec:\280448.exe29⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vddvv.exec:\vddvv.exe30⤵
- Executes dropped EXE
PID:848 -
\??\c:\lllfxxr.exec:\lllfxxr.exe31⤵
- Executes dropped EXE
PID:2364 -
\??\c:\4248440.exec:\4248440.exe32⤵
- Executes dropped EXE
PID:3524 -
\??\c:\4626066.exec:\4626066.exe33⤵
- Executes dropped EXE
PID:4868 -
\??\c:\260046.exec:\260046.exe34⤵
- Executes dropped EXE
PID:3096 -
\??\c:\00660.exec:\00660.exe35⤵
- Executes dropped EXE
PID:1504 -
\??\c:\0880482.exec:\0880482.exe36⤵
- Executes dropped EXE
PID:1840 -
\??\c:\20440.exec:\20440.exe37⤵
- Executes dropped EXE
PID:652 -
\??\c:\264848.exec:\264848.exe38⤵
- Executes dropped EXE
PID:3980 -
\??\c:\jddvp.exec:\jddvp.exe39⤵
- Executes dropped EXE
PID:2272 -
\??\c:\046044.exec:\046044.exe40⤵
- Executes dropped EXE
PID:1036 -
\??\c:\620426.exec:\620426.exe41⤵
- Executes dropped EXE
PID:1816 -
\??\c:\ffxrfxr.exec:\ffxrfxr.exe42⤵
- Executes dropped EXE
PID:1924 -
\??\c:\628244.exec:\628244.exe43⤵
- Executes dropped EXE
PID:1632 -
\??\c:\lfrrrxx.exec:\lfrrrxx.exe44⤵
- Executes dropped EXE
PID:3088 -
\??\c:\4442266.exec:\4442266.exe45⤵
- Executes dropped EXE
PID:1608 -
\??\c:\thhbbb.exec:\thhbbb.exe46⤵
- Executes dropped EXE
PID:3024 -
\??\c:\022600.exec:\022600.exe47⤵
- Executes dropped EXE
PID:2804 -
\??\c:\84864.exec:\84864.exe48⤵
- Executes dropped EXE
PID:3984 -
\??\c:\vddpd.exec:\vddpd.exe49⤵
- Executes dropped EXE
PID:4332 -
\??\c:\s0644.exec:\s0644.exe50⤵
- Executes dropped EXE
PID:4120 -
\??\c:\262046.exec:\262046.exe51⤵
- Executes dropped EXE
PID:540 -
\??\c:\nbbnbb.exec:\nbbnbb.exe52⤵
- Executes dropped EXE
PID:3656 -
\??\c:\q00040.exec:\q00040.exe53⤵
- Executes dropped EXE
PID:4016 -
\??\c:\xxfrlfr.exec:\xxfrlfr.exe54⤵
- Executes dropped EXE
PID:4212 -
\??\c:\44082.exec:\44082.exe55⤵
- Executes dropped EXE
PID:4484 -
\??\c:\pjpdj.exec:\pjpdj.exe56⤵
- Executes dropped EXE
PID:684 -
\??\c:\22486.exec:\22486.exe57⤵
- Executes dropped EXE
PID:1964 -
\??\c:\i060046.exec:\i060046.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4640 -
\??\c:\pdjdv.exec:\pdjdv.exe59⤵
- Executes dropped EXE
PID:1792 -
\??\c:\rflxllx.exec:\rflxllx.exe60⤵
- Executes dropped EXE
PID:2892 -
\??\c:\00048.exec:\00048.exe61⤵
- Executes dropped EXE
PID:2416 -
\??\c:\frlfrlr.exec:\frlfrlr.exe62⤵
- Executes dropped EXE
PID:3592 -
\??\c:\thbnht.exec:\thbnht.exe63⤵
- Executes dropped EXE
PID:3672 -
\??\c:\vvpdv.exec:\vvpdv.exe64⤵
- Executes dropped EXE
PID:3104 -
\??\c:\2042026.exec:\2042026.exe65⤵
- Executes dropped EXE
PID:4700 -
\??\c:\6448822.exec:\6448822.exe66⤵PID:3940
-
\??\c:\44486.exec:\44486.exe67⤵PID:4644
-
\??\c:\2242604.exec:\2242604.exe68⤵PID:3584
-
\??\c:\400860.exec:\400860.exe69⤵PID:1440
-
\??\c:\ttthth.exec:\ttthth.exe70⤵
- System Location Discovery: System Language Discovery
PID:3400 -
\??\c:\42248.exec:\42248.exe71⤵PID:3132
-
\??\c:\rlrflfr.exec:\rlrflfr.exe72⤵PID:4656
-
\??\c:\7648882.exec:\7648882.exe73⤵PID:1192
-
\??\c:\6408484.exec:\6408484.exe74⤵PID:2312
-
\??\c:\2866240.exec:\2866240.exe75⤵PID:3588
-
\??\c:\8460460.exec:\8460460.exe76⤵PID:2168
-
\??\c:\82202.exec:\82202.exe77⤵PID:1872
-
\??\c:\ttbttn.exec:\ttbttn.exe78⤵PID:2000
-
\??\c:\vdddv.exec:\vdddv.exe79⤵PID:1120
-
\??\c:\8882048.exec:\8882048.exe80⤵PID:1224
-
\??\c:\602622.exec:\602622.exe81⤵PID:1228
-
\??\c:\46226.exec:\46226.exe82⤵PID:2752
-
\??\c:\5vdvp.exec:\5vdvp.exe83⤵PID:3912
-
\??\c:\vjpjv.exec:\vjpjv.exe84⤵PID:4208
-
\??\c:\bttnhb.exec:\bttnhb.exe85⤵PID:3056
-
\??\c:\rlrrxxx.exec:\rlrrxxx.exe86⤵PID:3576
-
\??\c:\0404822.exec:\0404822.exe87⤵PID:2292
-
\??\c:\bbbtnn.exec:\bbbtnn.exe88⤵PID:3388
-
\??\c:\c682260.exec:\c682260.exe89⤵PID:5056
-
\??\c:\u244488.exec:\u244488.exe90⤵PID:2912
-
\??\c:\4880060.exec:\4880060.exe91⤵PID:3860
-
\??\c:\26260.exec:\26260.exe92⤵PID:864
-
\??\c:\fxxlrrx.exec:\fxxlrrx.exe93⤵PID:916
-
\??\c:\i068226.exec:\i068226.exe94⤵PID:2364
-
\??\c:\lfllfxx.exec:\lfllfxx.exe95⤵PID:4624
-
\??\c:\jdvpj.exec:\jdvpj.exe96⤵PID:412
-
\??\c:\ffrllrf.exec:\ffrllrf.exe97⤵PID:4704
-
\??\c:\460488.exec:\460488.exe98⤵PID:1508
-
\??\c:\26666.exec:\26666.exe99⤵PID:3780
-
\??\c:\hhtnnn.exec:\hhtnnn.exe100⤵PID:2340
-
\??\c:\pppjv.exec:\pppjv.exe101⤵PID:4440
-
\??\c:\tntthh.exec:\tntthh.exe102⤵PID:5048
-
\??\c:\nbntnn.exec:\nbntnn.exe103⤵PID:3344
-
\??\c:\08242.exec:\08242.exe104⤵PID:1036
-
\??\c:\pvjdd.exec:\pvjdd.exe105⤵PID:2792
-
\??\c:\66848.exec:\66848.exe106⤵PID:3988
-
\??\c:\pppdj.exec:\pppdj.exe107⤵PID:1632
-
\??\c:\dpvpd.exec:\dpvpd.exe108⤵PID:2004
-
\??\c:\w46048.exec:\w46048.exe109⤵PID:4748
-
\??\c:\g6822.exec:\g6822.exe110⤵PID:2928
-
\??\c:\frlxrlf.exec:\frlxrlf.exe111⤵PID:1420
-
\??\c:\ttbtnn.exec:\ttbtnn.exe112⤵PID:1492
-
\??\c:\a0688.exec:\a0688.exe113⤵PID:3544
-
\??\c:\268482.exec:\268482.exe114⤵PID:4496
-
\??\c:\tntnbb.exec:\tntnbb.exe115⤵PID:628
-
\??\c:\ddjjj.exec:\ddjjj.exe116⤵PID:2600
-
\??\c:\o224264.exec:\o224264.exe117⤵PID:4420
-
\??\c:\w62266.exec:\w62266.exe118⤵PID:4016
-
\??\c:\pdjdp.exec:\pdjdp.exe119⤵PID:4212
-
\??\c:\jjvjv.exec:\jjvjv.exe120⤵PID:1960
-
\??\c:\606260.exec:\606260.exe121⤵PID:4192
-
\??\c:\66246.exec:\66246.exe122⤵PID:4104