Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/12/2024, 01:22
Static task
static1
Behavioral task
behavioral1
Sample
1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506adN.exe
Resource
win7-20241010-en
General
-
Target
1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506adN.exe
-
Size
453KB
-
MD5
01192db0f5c37a4d3c38362be137cba0
-
SHA1
239f7f3d2988f1800f2f7f530380922dbbe1d61a
-
SHA256
1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506ad
-
SHA512
40a4b0f92d6553177b6f934a1c114266c161778bbfa07761caed8c4f84903f9f10b8dcb18b9028c7a53126e1529ee148d301c0c5996c077ac7f5cbaa4300830c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4128-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1124-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1700-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4348-1418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4604 m2040.exe 412 3tttnt.exe 4288 hnhhnh.exe 3744 bbbtth.exe 3116 fxxrrrr.exe 4180 lxxxrrr.exe 2768 frxlrlx.exe 2740 bttnhb.exe 4080 dvvvp.exe 712 e20004.exe 1856 5xffllr.exe 3472 pvvpd.exe 3256 66266.exe 2748 fllllff.exe 1180 pdpjp.exe 2972 rlfxrrl.exe 3336 622666.exe 3724 462048.exe 4084 fflfrrx.exe 2084 nthbbt.exe 996 0082226.exe 2604 5bhbnn.exe 2804 40282.exe 4620 nntnht.exe 468 622266.exe 4316 62488.exe 2316 xxrlllr.exe 972 28886.exe 1124 u648806.exe 2308 604488.exe 1052 24488.exe 928 0486248.exe 4348 288066.exe 752 7fxxrrr.exe 2916 2848282.exe 2716 tntntt.exe 2992 2888822.exe 4788 m2666.exe 800 htbbnn.exe 2668 xlxrlrl.exe 960 llxlfrl.exe 652 xrfxrxx.exe 2000 6686022.exe 2752 vddjp.exe 1132 w86288.exe 4412 rlrlrrx.exe 3308 8222626.exe 1340 flrfxlf.exe 544 rrrrrlx.exe 3800 xxxrlxr.exe 4988 rlrlxxx.exe 532 808880.exe 1508 000644.exe 2676 thbhth.exe 2872 4844046.exe 4896 s2448.exe 3192 3jpjj.exe 4900 pdjjj.exe 3252 hbntbb.exe 1084 xxfrlfr.exe 1584 pvjdv.exe 908 4622266.exe 1700 3jvpp.exe 2144 q08200.exe -
resource yara_rule behavioral2/memory/4128-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1124-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2972-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-738-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w40484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0048260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o464448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o460846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4128 wrote to memory of 4604 4128 1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506adN.exe 83 PID 4128 wrote to memory of 4604 4128 1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506adN.exe 83 PID 4128 wrote to memory of 4604 4128 1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506adN.exe 83 PID 4604 wrote to memory of 412 4604 m2040.exe 84 PID 4604 wrote to memory of 412 4604 m2040.exe 84 PID 4604 wrote to memory of 412 4604 m2040.exe 84 PID 412 wrote to memory of 4288 412 3tttnt.exe 85 PID 412 wrote to memory of 4288 412 3tttnt.exe 85 PID 412 wrote to memory of 4288 412 3tttnt.exe 85 PID 4288 wrote to memory of 3744 4288 hnhhnh.exe 86 PID 4288 wrote to memory of 3744 4288 hnhhnh.exe 86 PID 4288 wrote to memory of 3744 4288 hnhhnh.exe 86 PID 3744 wrote to memory of 3116 3744 bbbtth.exe 87 PID 3744 wrote to memory of 3116 3744 bbbtth.exe 87 PID 3744 wrote to memory of 3116 3744 bbbtth.exe 87 PID 3116 wrote to memory of 4180 3116 fxxrrrr.exe 88 PID 3116 wrote to memory of 4180 3116 fxxrrrr.exe 88 PID 3116 wrote to memory of 4180 3116 fxxrrrr.exe 88 PID 4180 wrote to memory of 2768 4180 lxxxrrr.exe 89 PID 4180 wrote to memory of 2768 4180 lxxxrrr.exe 89 PID 4180 wrote to memory of 2768 4180 lxxxrrr.exe 89 PID 2768 wrote to memory of 2740 2768 frxlrlx.exe 90 PID 2768 wrote to memory of 2740 2768 frxlrlx.exe 90 PID 2768 wrote to memory of 2740 2768 frxlrlx.exe 90 PID 2740 wrote to memory of 4080 2740 bttnhb.exe 91 PID 2740 wrote to memory of 4080 2740 bttnhb.exe 91 PID 2740 wrote to memory of 4080 2740 bttnhb.exe 91 PID 4080 wrote to memory of 712 4080 dvvvp.exe 92 PID 4080 wrote to memory of 712 4080 dvvvp.exe 92 PID 4080 wrote to memory of 712 4080 dvvvp.exe 92 PID 712 wrote to memory of 1856 712 e20004.exe 93 PID 712 wrote to memory of 1856 712 e20004.exe 93 PID 712 wrote to memory of 1856 712 e20004.exe 93 PID 1856 wrote to memory of 3472 1856 5xffllr.exe 94 PID 1856 wrote to memory of 
3472 1856 5xffllr.exe 94 PID 1856 wrote to memory of 3472 1856 5xffllr.exe 94 PID 3472 wrote to memory of 3256 3472 pvvpd.exe 95 PID 3472 wrote to memory of 3256 3472 pvvpd.exe 95 PID 3472 wrote to memory of 3256 3472 pvvpd.exe 95 PID 3256 wrote to memory of 2748 3256 66266.exe 96 PID 3256 wrote to memory of 2748 3256 66266.exe 96 PID 3256 wrote to memory of 2748 3256 66266.exe 96 PID 2748 wrote to memory of 1180 2748 fllllff.exe 97 PID 2748 wrote to memory of 1180 2748 fllllff.exe 97 PID 2748 wrote to memory of 1180 2748 fllllff.exe 97 PID 1180 wrote to memory of 2972 1180 pdpjp.exe 98 PID 1180 wrote to memory of 2972 1180 pdpjp.exe 98 PID 1180 wrote to memory of 2972 1180 pdpjp.exe 98 PID 2972 wrote to memory of 3336 2972 rlfxrrl.exe 99 PID 2972 wrote to memory of 3336 2972 rlfxrrl.exe 99 PID 2972 wrote to memory of 3336 2972 rlfxrrl.exe 99 PID 3336 wrote to memory of 3724 3336 622666.exe 100 PID 3336 wrote to memory of 3724 3336 622666.exe 100 PID 3336 wrote to memory of 3724 3336 622666.exe 100 PID 3724 wrote to memory of 4084 3724 462048.exe 101 PID 3724 wrote to memory of 4084 3724 462048.exe 101 PID 3724 wrote to memory of 4084 3724 462048.exe 101 PID 4084 wrote to memory of 2084 4084 fflfrrx.exe 102 PID 4084 wrote to memory of 2084 4084 fflfrrx.exe 102 PID 4084 wrote to memory of 2084 4084 fflfrrx.exe 102 PID 2084 wrote to memory of 996 2084 nthbbt.exe 103 PID 2084 wrote to memory of 996 2084 nthbbt.exe 103 PID 2084 wrote to memory of 996 2084 nthbbt.exe 103 PID 996 wrote to memory of 2604 996 0082226.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506adN.exe"C:\Users\Admin\AppData\Local\Temp\1f660920cd302abbc8e0e6a386be1cf199938db5ad5fea51c75a6376ad6506adN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\m2040.exec:\m2040.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\3tttnt.exec:\3tttnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\hnhhnh.exec:\hnhhnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\bbbtth.exec:\bbbtth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\frxlrlx.exec:\frxlrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\bttnhb.exec:\bttnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\dvvvp.exec:\dvvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\e20004.exec:\e20004.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\5xffllr.exec:\5xffllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\pvvpd.exec:\pvvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\66266.exec:\66266.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\fllllff.exec:\fllllff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\pdpjp.exec:\pdpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\622666.exec:\622666.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\462048.exec:\462048.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\fflfrrx.exec:\fflfrrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\nthbbt.exec:\nthbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\0082226.exec:\0082226.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\5bhbnn.exec:\5bhbnn.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604 -
\??\c:\40282.exec:\40282.exe24⤵
- Executes dropped EXE
PID:2804 -
\??\c:\nntnht.exec:\nntnht.exe25⤵
- Executes dropped EXE
PID:4620 -
\??\c:\622266.exec:\622266.exe26⤵
- Executes dropped EXE
PID:468 -
\??\c:\62488.exec:\62488.exe27⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xxrlllr.exec:\xxrlllr.exe28⤵
- Executes dropped EXE
PID:2316 -
\??\c:\28886.exec:\28886.exe29⤵
- Executes dropped EXE
PID:972 -
\??\c:\u648806.exec:\u648806.exe30⤵
- Executes dropped EXE
PID:1124 -
\??\c:\604488.exec:\604488.exe31⤵
- Executes dropped EXE
PID:2308 -
\??\c:\24488.exec:\24488.exe32⤵
- Executes dropped EXE
PID:1052 -
\??\c:\0486248.exec:\0486248.exe33⤵
- Executes dropped EXE
PID:928 -
\??\c:\288066.exec:\288066.exe34⤵
- Executes dropped EXE
PID:4348 -
\??\c:\7fxxrrr.exec:\7fxxrrr.exe35⤵
- Executes dropped EXE
PID:752 -
\??\c:\2848282.exec:\2848282.exe36⤵
- Executes dropped EXE
PID:2916 -
\??\c:\tntntt.exec:\tntntt.exe37⤵
- Executes dropped EXE
PID:2716 -
\??\c:\2888822.exec:\2888822.exe38⤵
- Executes dropped EXE
PID:2992 -
\??\c:\m2666.exec:\m2666.exe39⤵
- Executes dropped EXE
PID:4788 -
\??\c:\htbbnn.exec:\htbbnn.exe40⤵
- Executes dropped EXE
PID:800 -
\??\c:\xlxrlrl.exec:\xlxrlrl.exe41⤵
- Executes dropped EXE
PID:2668 -
\??\c:\llxlfrl.exec:\llxlfrl.exe42⤵
- Executes dropped EXE
PID:960 -
\??\c:\xrfxrxx.exec:\xrfxrxx.exe43⤵
- Executes dropped EXE
PID:652 -
\??\c:\6686022.exec:\6686022.exe44⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vddjp.exec:\vddjp.exe45⤵
- Executes dropped EXE
PID:2752 -
\??\c:\w86288.exec:\w86288.exe46⤵
- Executes dropped EXE
PID:1132 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe47⤵
- Executes dropped EXE
PID:4412 -
\??\c:\8222626.exec:\8222626.exe48⤵
- Executes dropped EXE
PID:3308 -
\??\c:\flrfxlf.exec:\flrfxlf.exe49⤵
- Executes dropped EXE
PID:1340 -
\??\c:\rrrrrlx.exec:\rrrrrlx.exe50⤵
- Executes dropped EXE
PID:544 -
\??\c:\xxxrlxr.exec:\xxxrlxr.exe51⤵
- Executes dropped EXE
PID:3800 -
\??\c:\rlrlxxx.exec:\rlrlxxx.exe52⤵
- Executes dropped EXE
PID:4988 -
\??\c:\808880.exec:\808880.exe53⤵
- Executes dropped EXE
PID:532 -
\??\c:\000644.exec:\000644.exe54⤵
- Executes dropped EXE
PID:1508 -
\??\c:\thbhth.exec:\thbhth.exe55⤵
- Executes dropped EXE
PID:2676 -
\??\c:\4844046.exec:\4844046.exe56⤵
- Executes dropped EXE
PID:2872 -
\??\c:\s2448.exec:\s2448.exe57⤵
- Executes dropped EXE
PID:4896 -
\??\c:\3jpjj.exec:\3jpjj.exe58⤵
- Executes dropped EXE
PID:3192 -
\??\c:\pdjjj.exec:\pdjjj.exe59⤵
- Executes dropped EXE
PID:4900 -
\??\c:\hbntbb.exec:\hbntbb.exe60⤵
- Executes dropped EXE
PID:3252 -
\??\c:\xxfrlfr.exec:\xxfrlfr.exe61⤵
- Executes dropped EXE
PID:1084 -
\??\c:\pvjdv.exec:\pvjdv.exe62⤵
- Executes dropped EXE
PID:1584 -
\??\c:\4622266.exec:\4622266.exe63⤵
- Executes dropped EXE
PID:908 -
\??\c:\3jvpp.exec:\3jvpp.exe64⤵
- Executes dropped EXE
PID:1700 -
\??\c:\q08200.exec:\q08200.exe65⤵
- Executes dropped EXE
PID:2144 -
\??\c:\2808226.exec:\2808226.exe66⤵PID:4552
-
\??\c:\280006.exec:\280006.exe67⤵PID:864
-
\??\c:\k86066.exec:\k86066.exe68⤵PID:2016
-
\??\c:\q28266.exec:\q28266.exe69⤵PID:1356
-
\??\c:\hbbttb.exec:\hbbttb.exe70⤵PID:4460
-
\??\c:\646600.exec:\646600.exe71⤵PID:2748
-
\??\c:\c682668.exec:\c682668.exe72⤵PID:3148
-
\??\c:\0260444.exec:\0260444.exe73⤵PID:4780
-
\??\c:\2442004.exec:\2442004.exe74⤵PID:2972
-
\??\c:\hntntt.exec:\hntntt.exe75⤵PID:3504
-
\??\c:\xrrlxrr.exec:\xrrlxrr.exe76⤵PID:4436
-
\??\c:\3vpjj.exec:\3vpjj.exe77⤵
- System Location Discovery: System Language Discovery
PID:4084 -
\??\c:\jvpjv.exec:\jvpjv.exe78⤵PID:1216
-
\??\c:\nhnbht.exec:\nhnbht.exe79⤵PID:2084
-
\??\c:\04022.exec:\04022.exe80⤵PID:1704
-
\??\c:\06608.exec:\06608.exe81⤵PID:1956
-
\??\c:\2226448.exec:\2226448.exe82⤵PID:3716
-
\??\c:\02820.exec:\02820.exe83⤵PID:1128
-
\??\c:\lllfxxl.exec:\lllfxxl.exe84⤵PID:4432
-
\??\c:\nbtnhb.exec:\nbtnhb.exe85⤵PID:3156
-
\??\c:\pppjv.exec:\pppjv.exe86⤵PID:3624
-
\??\c:\nnnbtn.exec:\nnnbtn.exe87⤵PID:8
-
\??\c:\w84204.exec:\w84204.exe88⤵PID:4884
-
\??\c:\2482246.exec:\2482246.exe89⤵PID:4776
-
\??\c:\w28642.exec:\w28642.exe90⤵PID:1648
-
\??\c:\5nhthh.exec:\5nhthh.exe91⤵PID:2340
-
\??\c:\7btnhh.exec:\7btnhh.exe92⤵PID:4672
-
\??\c:\pppjd.exec:\pppjd.exe93⤵PID:4680
-
\??\c:\64846.exec:\64846.exe94⤵PID:916
-
\??\c:\2886822.exec:\2886822.exe95⤵PID:2560
-
\??\c:\lxlxlfr.exec:\lxlxlfr.exe96⤵PID:1984
-
\??\c:\7pvjv.exec:\7pvjv.exe97⤵PID:3764
-
\??\c:\3jvjv.exec:\3jvjv.exe98⤵PID:2940
-
\??\c:\84008.exec:\84008.exe99⤵PID:3896
-
\??\c:\666082.exec:\666082.exe100⤵PID:1008
-
\??\c:\bbbnbt.exec:\bbbnbt.exe101⤵PID:4788
-
\??\c:\6682826.exec:\6682826.exe102⤵PID:800
-
\??\c:\jpdjp.exec:\jpdjp.exe103⤵PID:2668
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe104⤵PID:4240
-
\??\c:\s0086.exec:\s0086.exe105⤵PID:4976
-
\??\c:\flfxrlf.exec:\flfxrlf.exe106⤵PID:3596
-
\??\c:\60484.exec:\60484.exe107⤵PID:2328
-
\??\c:\ppjjp.exec:\ppjjp.exe108⤵PID:4704
-
\??\c:\2820480.exec:\2820480.exe109⤵PID:3152
-
\??\c:\lrxlxlf.exec:\lrxlxlf.exe110⤵PID:5016
-
\??\c:\2286864.exec:\2286864.exe111⤵PID:1412
-
\??\c:\rffrrll.exec:\rffrrll.exe112⤵PID:804
-
\??\c:\6848828.exec:\6848828.exe113⤵PID:4360
-
\??\c:\m8442.exec:\m8442.exe114⤵PID:3720
-
\??\c:\flfrxxl.exec:\flfrxxl.exe115⤵PID:1212
-
\??\c:\86606.exec:\86606.exe116⤵
- System Location Discovery: System Language Discovery
PID:1828 -
\??\c:\s2422.exec:\s2422.exe117⤵PID:3228
-
\??\c:\0844000.exec:\0844000.exe118⤵PID:4920
-
\??\c:\thbnbn.exec:\thbnbn.exe119⤵PID:4288
-
\??\c:\028604.exec:\028604.exe120⤵PID:4760
-
\??\c:\244204.exec:\244204.exe121⤵PID:1028
-
\??\c:\48426.exec:\48426.exe122⤵PID:1540