Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 03:34
Static task
static1
Behavioral task
behavioral1
Sample
c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe
Resource
win7-20241023-en
General
-
Target
c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe
-
Size
454KB
-
MD5
de5c08d30ffc3d71b3f752517686fd50
-
SHA1
2dda48bc45bde07e993fbcf51ec71405b74588fc
-
SHA256
c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7
-
SHA512
9e25ab1e3a03cf77d1fc72a29c23d3f0466358721467ec5b7064bf0f878ad540f77cd861147527795b7784e51378c337f3824e78f24b770b038eeaec5112a518
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/768-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4632-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3328-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-1337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-1458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/728-1867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 220 hthhnn.exe 2948 4848448.exe 224 xrrxi44.exe 4144 6608646.exe 3168 o488882.exe 3732 lxxrllf.exe 3528 fffxffl.exe 1120 jjpjp.exe 4756 q42066.exe 4476 lflfxxr.exe 4468 44048.exe 2620 flrrllf.exe 3240 vppjj.exe 380 nhtbhn.exe 2884 20082.exe 3112 48048.exe 1820 vpvpj.exe 2364 5vpjj.exe 396 fxlrlfr.exe 2248 ththtn.exe 1020 hnnbtn.exe 2836 822608.exe 3608 42822.exe 3176 lrrfxlf.exe 780 o466428.exe 1804 lxrflfr.exe 3572 jjjdv.exe 4580 600866.exe 3172 00220.exe 1608 02260.exe 4632 4008260.exe 1136 600480.exe 1748 84004.exe 4548 662044.exe 5108 xrxrxrx.exe 3216 xllxrlx.exe 2660 1ffxrlf.exe 4364 djdvp.exe 4232 c886486.exe 4912 7xxxffx.exe 828 1ffxfxl.exe 2116 vvvjj.exe 1072 lxxlxlx.exe 3080 jdjpj.exe 5048 rxxrrll.exe 1428 a8482.exe 4504 rllxrlr.exe 2616 vvdvv.exe 216 btnhhb.exe 4740 m8448.exe 1368 c886604.exe 4268 jpjdp.exe 404 pvvpj.exe 5000 6680220.exe 2824 66622.exe 3528 nthnth.exe 3916 46266.exe 4756 bhhtht.exe 3752 xlxrlfr.exe 3084 6660608.exe 4452 ddjvp.exe 2828 86046.exe 2620 hnnhbb.exe 5092 xrlfxxr.exe -
resource yara_rule behavioral2/memory/768-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1748-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4444-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-711-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e62266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i020662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c000000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o026040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 768 wrote to memory of 220 768 c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe 85 PID 768 wrote to memory of 220 768 c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe 85 PID 768 wrote to memory of 220 768 c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe 85 PID 220 wrote to memory of 2948 220 hthhnn.exe 86 PID 220 wrote to memory of 2948 220 hthhnn.exe 86 PID 220 wrote to memory of 2948 220 hthhnn.exe 86 PID 2948 wrote to memory of 224 2948 4848448.exe 87 PID 2948 wrote to memory of 224 2948 4848448.exe 87 PID 2948 wrote to memory of 224 2948 4848448.exe 87 PID 224 wrote to memory of 4144 224 xrrxi44.exe 88 PID 224 wrote to memory of 4144 224 xrrxi44.exe 88 PID 224 wrote to memory of 4144 224 xrrxi44.exe 88 PID 4144 wrote to memory of 3168 4144 6608646.exe 89 PID 4144 wrote to memory of 3168 4144 6608646.exe 89 PID 4144 wrote to memory of 3168 4144 6608646.exe 89 PID 3168 wrote to memory of 3732 3168 o488882.exe 90 PID 3168 wrote to memory of 3732 3168 o488882.exe 90 PID 3168 wrote to memory of 3732 3168 o488882.exe 90 PID 3732 wrote to memory of 3528 3732 lxxrllf.exe 91 PID 3732 wrote to memory of 3528 3732 lxxrllf.exe 91 PID 3732 wrote to memory of 3528 3732 lxxrllf.exe 91 PID 3528 wrote to memory of 1120 3528 fffxffl.exe 92 PID 3528 wrote to memory of 1120 3528 fffxffl.exe 92 PID 3528 wrote to memory of 1120 3528 fffxffl.exe 92 PID 1120 wrote to memory of 4756 1120 jjpjp.exe 93 PID 1120 wrote to memory of 4756 1120 jjpjp.exe 93 PID 1120 wrote to memory of 4756 1120 jjpjp.exe 93 PID 4756 wrote to memory of 4476 4756 q42066.exe 94 PID 4756 wrote to memory of 4476 4756 q42066.exe 94 PID 4756 wrote to memory of 4476 4756 q42066.exe 94 PID 4476 wrote to memory of 4468 4476 lflfxxr.exe 95 PID 4476 wrote to memory of 4468 4476 lflfxxr.exe 95 PID 4476 wrote to memory of 4468 4476 lflfxxr.exe 95 PID 4468 wrote to memory of 2620 4468 44048.exe 96 PID 4468 wrote to memory 
of 2620 4468 44048.exe 96 PID 4468 wrote to memory of 2620 4468 44048.exe 96 PID 2620 wrote to memory of 3240 2620 flrrllf.exe 97 PID 2620 wrote to memory of 3240 2620 flrrllf.exe 97 PID 2620 wrote to memory of 3240 2620 flrrllf.exe 97 PID 3240 wrote to memory of 380 3240 vppjj.exe 98 PID 3240 wrote to memory of 380 3240 vppjj.exe 98 PID 3240 wrote to memory of 380 3240 vppjj.exe 98 PID 380 wrote to memory of 2884 380 nhtbhn.exe 99 PID 380 wrote to memory of 2884 380 nhtbhn.exe 99 PID 380 wrote to memory of 2884 380 nhtbhn.exe 99 PID 2884 wrote to memory of 3112 2884 20082.exe 100 PID 2884 wrote to memory of 3112 2884 20082.exe 100 PID 2884 wrote to memory of 3112 2884 20082.exe 100 PID 3112 wrote to memory of 1820 3112 48048.exe 101 PID 3112 wrote to memory of 1820 3112 48048.exe 101 PID 3112 wrote to memory of 1820 3112 48048.exe 101 PID 1820 wrote to memory of 2364 1820 vpvpj.exe 102 PID 1820 wrote to memory of 2364 1820 vpvpj.exe 102 PID 1820 wrote to memory of 2364 1820 vpvpj.exe 102 PID 2364 wrote to memory of 396 2364 5vpjj.exe 103 PID 2364 wrote to memory of 396 2364 5vpjj.exe 103 PID 2364 wrote to memory of 396 2364 5vpjj.exe 103 PID 396 wrote to memory of 2248 396 fxlrlfr.exe 104 PID 396 wrote to memory of 2248 396 fxlrlfr.exe 104 PID 396 wrote to memory of 2248 396 fxlrlfr.exe 104 PID 2248 wrote to memory of 1020 2248 ththtn.exe 105 PID 2248 wrote to memory of 1020 2248 ththtn.exe 105 PID 2248 wrote to memory of 1020 2248 ththtn.exe 105 PID 1020 wrote to memory of 2836 1020 hnnbtn.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe"C:\Users\Admin\AppData\Local\Temp\c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\hthhnn.exec:\hthhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\4848448.exec:\4848448.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\xrrxi44.exec:\xrrxi44.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\6608646.exec:\6608646.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\o488882.exec:\o488882.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\lxxrllf.exec:\lxxrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\fffxffl.exec:\fffxffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\jjpjp.exec:\jjpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\q42066.exec:\q42066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\lflfxxr.exec:\lflfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\44048.exec:\44048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\flrrllf.exec:\flrrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\vppjj.exec:\vppjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\nhtbhn.exec:\nhtbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\20082.exec:\20082.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\48048.exec:\48048.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\vpvpj.exec:\vpvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\5vpjj.exec:\5vpjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\fxlrlfr.exec:\fxlrlfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\ththtn.exec:\ththtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\hnnbtn.exec:\hnnbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\822608.exec:\822608.exe23⤵
- Executes dropped EXE
PID:2836 -
\??\c:\42822.exec:\42822.exe24⤵
- Executes dropped EXE
PID:3608 -
\??\c:\lrrfxlf.exec:\lrrfxlf.exe25⤵
- Executes dropped EXE
PID:3176 -
\??\c:\o466428.exec:\o466428.exe26⤵
- Executes dropped EXE
PID:780 -
\??\c:\lxrflfr.exec:\lxrflfr.exe27⤵
- Executes dropped EXE
PID:1804 -
\??\c:\jjjdv.exec:\jjjdv.exe28⤵
- Executes dropped EXE
PID:3572 -
\??\c:\600866.exec:\600866.exe29⤵
- Executes dropped EXE
PID:4580 -
\??\c:\00220.exec:\00220.exe30⤵
- Executes dropped EXE
PID:3172 -
\??\c:\02260.exec:\02260.exe31⤵
- Executes dropped EXE
PID:1608 -
\??\c:\4008260.exec:\4008260.exe32⤵
- Executes dropped EXE
PID:4632 -
\??\c:\600480.exec:\600480.exe33⤵
- Executes dropped EXE
PID:1136 -
\??\c:\84004.exec:\84004.exe34⤵
- Executes dropped EXE
PID:1748 -
\??\c:\662044.exec:\662044.exe35⤵
- Executes dropped EXE
PID:4548 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe36⤵
- Executes dropped EXE
PID:5108 -
\??\c:\xllxrlx.exec:\xllxrlx.exe37⤵
- Executes dropped EXE
PID:3216 -
\??\c:\1ffxrlf.exec:\1ffxrlf.exe38⤵
- Executes dropped EXE
PID:2660 -
\??\c:\djdvp.exec:\djdvp.exe39⤵
- Executes dropped EXE
PID:4364 -
\??\c:\c886486.exec:\c886486.exe40⤵
- Executes dropped EXE
PID:4232 -
\??\c:\7xxxffx.exec:\7xxxffx.exe41⤵
- Executes dropped EXE
PID:4912 -
\??\c:\1ffxfxl.exec:\1ffxfxl.exe42⤵
- Executes dropped EXE
PID:828 -
\??\c:\vvvjj.exec:\vvvjj.exe43⤵
- Executes dropped EXE
PID:2116 -
\??\c:\lxxlxlx.exec:\lxxlxlx.exe44⤵
- Executes dropped EXE
PID:1072 -
\??\c:\jdjpj.exec:\jdjpj.exe45⤵
- Executes dropped EXE
PID:3080 -
\??\c:\rxxrrll.exec:\rxxrrll.exe46⤵
- Executes dropped EXE
PID:5048 -
\??\c:\a8482.exec:\a8482.exe47⤵
- Executes dropped EXE
PID:1428 -
\??\c:\rllxrlr.exec:\rllxrlr.exe48⤵
- Executes dropped EXE
PID:4504 -
\??\c:\vvdvv.exec:\vvdvv.exe49⤵
- Executes dropped EXE
PID:2616 -
\??\c:\btnhhb.exec:\btnhhb.exe50⤵
- Executes dropped EXE
PID:216 -
\??\c:\m8448.exec:\m8448.exe51⤵
- Executes dropped EXE
PID:4740 -
\??\c:\c886604.exec:\c886604.exe52⤵
- Executes dropped EXE
PID:1368 -
\??\c:\jpjdp.exec:\jpjdp.exe53⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pvvpj.exec:\pvvpj.exe54⤵
- Executes dropped EXE
PID:404 -
\??\c:\6680220.exec:\6680220.exe55⤵
- Executes dropped EXE
PID:5000 -
\??\c:\66622.exec:\66622.exe56⤵
- Executes dropped EXE
PID:2824 -
\??\c:\nthnth.exec:\nthnth.exe57⤵
- Executes dropped EXE
PID:3528 -
\??\c:\46266.exec:\46266.exe58⤵
- Executes dropped EXE
PID:3916 -
\??\c:\bhhtht.exec:\bhhtht.exe59⤵
- Executes dropped EXE
PID:4756 -
\??\c:\xlxrlfr.exec:\xlxrlfr.exe60⤵
- Executes dropped EXE
PID:3752 -
\??\c:\6660608.exec:\6660608.exe61⤵
- Executes dropped EXE
PID:3084 -
\??\c:\ddjvp.exec:\ddjvp.exe62⤵
- Executes dropped EXE
PID:4452 -
\??\c:\86046.exec:\86046.exe63⤵
- Executes dropped EXE
PID:2828 -
\??\c:\hnnhbb.exec:\hnnhbb.exe64⤵
- Executes dropped EXE
PID:2620 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe65⤵
- Executes dropped EXE
PID:5092 -
\??\c:\222226.exec:\222226.exe66⤵PID:2800
-
\??\c:\ddjdp.exec:\ddjdp.exe67⤵PID:4972
-
\??\c:\ddjdp.exec:\ddjdp.exe68⤵PID:4616
-
\??\c:\20826.exec:\20826.exe69⤵PID:3112
-
\??\c:\64088.exec:\64088.exe70⤵PID:4932
-
\??\c:\pvvjv.exec:\pvvjv.exe71⤵PID:784
-
\??\c:\tnnttn.exec:\tnnttn.exe72⤵PID:2484
-
\??\c:\628044.exec:\628044.exe73⤵PID:2248
-
\??\c:\bhnhth.exec:\bhnhth.exe74⤵PID:4316
-
\??\c:\5bhbhb.exec:\5bhbhb.exe75⤵PID:4020
-
\??\c:\dddvv.exec:\dddvv.exe76⤵PID:4324
-
\??\c:\bntnhb.exec:\bntnhb.exe77⤵PID:4412
-
\??\c:\ttbtnh.exec:\ttbtnh.exe78⤵PID:4152
-
\??\c:\20822.exec:\20822.exe79⤵PID:3328
-
\??\c:\20666.exec:\20666.exe80⤵PID:2580
-
\??\c:\86424.exec:\86424.exe81⤵
- System Location Discovery: System Language Discovery
PID:876 -
\??\c:\60084.exec:\60084.exe82⤵PID:1348
-
\??\c:\tnbntt.exec:\tnbntt.exe83⤵PID:4544
-
\??\c:\nhbthb.exec:\nhbthb.exe84⤵PID:3300
-
\??\c:\xxxlrlf.exec:\xxxlrlf.exe85⤵PID:516
-
\??\c:\djvvv.exec:\djvvv.exe86⤵PID:1660
-
\??\c:\260466.exec:\260466.exe87⤵PID:832
-
\??\c:\8226606.exec:\8226606.exe88⤵PID:1108
-
\??\c:\rrrflfr.exec:\rrrflfr.exe89⤵PID:1980
-
\??\c:\9tbtth.exec:\9tbtth.exe90⤵PID:4632
-
\??\c:\fffrxrl.exec:\fffrxrl.exe91⤵PID:4736
-
\??\c:\4882660.exec:\4882660.exe92⤵PID:1864
-
\??\c:\42260.exec:\42260.exe93⤵PID:1524
-
\??\c:\nhtbnb.exec:\nhtbnb.exe94⤵PID:4444
-
\??\c:\80424.exec:\80424.exe95⤵PID:4988
-
\??\c:\088608.exec:\088608.exe96⤵PID:1528
-
\??\c:\0008608.exec:\0008608.exe97⤵PID:400
-
\??\c:\26648.exec:\26648.exe98⤵PID:1232
-
\??\c:\5bhntn.exec:\5bhntn.exe99⤵PID:4232
-
\??\c:\a4480.exec:\a4480.exe100⤵PID:4912
-
\??\c:\888680.exec:\888680.exe101⤵PID:828
-
\??\c:\fxfrfxx.exec:\fxfrfxx.exe102⤵PID:2116
-
\??\c:\rrlffrf.exec:\rrlffrf.exe103⤵PID:4284
-
\??\c:\httnbt.exec:\httnbt.exe104⤵PID:3080
-
\??\c:\9flffff.exec:\9flffff.exe105⤵PID:3088
-
\??\c:\lllfxlf.exec:\lllfxlf.exe106⤵PID:220
-
\??\c:\w84208.exec:\w84208.exe107⤵PID:2964
-
\??\c:\64860.exec:\64860.exe108⤵PID:2140
-
\??\c:\httbnb.exec:\httbnb.exe109⤵PID:2272
-
\??\c:\nbhtnb.exec:\nbhtnb.exe110⤵PID:2864
-
\??\c:\hnnhtn.exec:\hnnhtn.exe111⤵PID:3156
-
\??\c:\4048260.exec:\4048260.exe112⤵PID:4060
-
\??\c:\ntbthb.exec:\ntbthb.exe113⤵PID:5100
-
\??\c:\vjjvd.exec:\vjjvd.exe114⤵PID:4996
-
\??\c:\648828.exec:\648828.exe115⤵PID:5000
-
\??\c:\c260824.exec:\c260824.exe116⤵PID:2236
-
\??\c:\e60426.exec:\e60426.exe117⤵PID:1912
-
\??\c:\426826.exec:\426826.exe118⤵PID:1036
-
\??\c:\tbhbnh.exec:\tbhbnh.exe119⤵PID:4824
-
\??\c:\s0042.exec:\s0042.exe120⤵PID:628
-
\??\c:\xrlxrfx.exec:\xrlxrfx.exe121⤵PID:1816
-
\??\c:\g8420.exec:\g8420.exe122⤵PID:5004
-