Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e.exe
-
Size
454KB
-
MD5
ae56846ea334b9da4d29e64ee3657f20
-
SHA1
48bfb42c918fdb0c8073474603dd1b0c5c0a4c3d
-
SHA256
22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e
-
SHA512
ac3113845ceb49d1c8e4ba69362b5ab49590677f0186dd1ac74aa4ab8ee2a753f39c528171b8f41e67112426745d3b1bede6f21f28d218619558a670c2703dc2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4508-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1848-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4452-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-1475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4856 ttbtnn.exe 672 ddjvj.exe 3832 xxfxlfr.exe 4080 frfrlxl.exe 1584 thnbtn.exe 632 dppdp.exe 2256 djpjd.exe 3040 lflxlfr.exe 4564 hhtbbn.exe 736 ddjdd.exe 2324 fxfrfff.exe 1920 fxfllrr.exe 4260 nthbhh.exe 764 pppjd.exe 1676 7djjv.exe 4616 fxxrlll.exe 4360 ffrfxxx.exe 2748 hhhtnn.exe 1696 pdvvv.exe 2448 vjvjd.exe 1744 lfrlfrr.exe 4752 7hhbtt.exe 3800 3bhbtt.exe 2744 7jpjd.exe 1788 1fxrfff.exe 1848 frffffr.exe 1400 bbtnnn.exe 2436 thnhbb.exe 1580 vpdvp.exe 2076 xflfxxr.exe 4004 lffrlfl.exe 4452 nthttn.exe 1912 dpvpv.exe 4916 jdjdd.exe 4016 xlfxlll.exe 2236 lrfxrrx.exe 4656 bhtnhh.exe 2344 dvdjv.exe 1648 lfxxfrr.exe 1072 hhtnnb.exe 3428 jdpjj.exe 2576 3lrrrfx.exe 3976 tnbbhb.exe 1844 nthbnn.exe 4952 vppvp.exe 616 xrrlffr.exe 1660 tnbtnb.exe 4292 nntnhb.exe 4276 ppvjj.exe 4508 lrxrfff.exe 556 bthtnn.exe 672 7nnhbb.exe 3616 pvjdv.exe 2556 3xfflfl.exe 4080 rflfxlx.exe 3500 tttnhh.exe 1044 jppjd.exe 4712 jvddp.exe 3064 frrlffx.exe 2660 hbnbbt.exe 4800 bbnhbb.exe 2120 jdjvp.exe 752 xlrlffx.exe 1920 5fffxxx.exe -
resource yara_rule behavioral2/memory/4508-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3800-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4268-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-1264-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4508 wrote to memory of 4856 4508 22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e.exe 83 PID 4508 wrote to memory of 4856 4508 22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e.exe 83 PID 4508 wrote to memory of 4856 4508 22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e.exe 83 PID 4856 wrote to memory of 672 4856 ttbtnn.exe 134 PID 4856 wrote to memory of 672 4856 ttbtnn.exe 134 PID 4856 wrote to memory of 672 4856 ttbtnn.exe 134 PID 672 wrote to memory of 3832 672 ddjvj.exe 85 PID 672 wrote to memory of 3832 672 ddjvj.exe 85 PID 672 wrote to memory of 3832 672 ddjvj.exe 85 PID 3832 wrote to memory of 4080 3832 xxfxlfr.exe 86 PID 3832 wrote to memory of 4080 3832 xxfxlfr.exe 86 PID 3832 wrote to memory of 4080 3832 xxfxlfr.exe 86 PID 4080 wrote to memory of 1584 4080 frfrlxl.exe 87 PID 4080 wrote to memory of 1584 4080 frfrlxl.exe 87 PID 4080 wrote to memory of 1584 4080 frfrlxl.exe 87 PID 1584 wrote to memory of 632 1584 thnbtn.exe 88 PID 1584 wrote to memory of 632 1584 thnbtn.exe 88 PID 1584 wrote to memory of 632 1584 thnbtn.exe 88 PID 632 wrote to memory of 2256 632 dppdp.exe 89 PID 632 wrote to memory of 2256 632 dppdp.exe 89 PID 632 wrote to memory of 2256 632 dppdp.exe 89 PID 2256 wrote to memory of 3040 2256 djpjd.exe 90 PID 2256 wrote to memory of 3040 2256 djpjd.exe 90 PID 2256 wrote to memory of 3040 2256 djpjd.exe 90 PID 3040 wrote to memory of 4564 3040 lflxlfr.exe 91 PID 3040 wrote to memory of 4564 3040 lflxlfr.exe 91 PID 3040 wrote to memory of 4564 3040 lflxlfr.exe 91 PID 4564 wrote to memory of 736 4564 hhtbbn.exe 92 PID 4564 wrote to memory of 736 4564 hhtbbn.exe 92 PID 4564 wrote to memory of 736 4564 hhtbbn.exe 92 PID 736 wrote to memory of 2324 736 ddjdd.exe 93 PID 736 wrote to memory of 2324 736 ddjdd.exe 93 PID 736 wrote to memory of 2324 736 ddjdd.exe 93 PID 2324 wrote to memory of 1920 2324 fxfrfff.exe 146 PID 2324 wrote to memory of 1920 2324 
fxfrfff.exe 146 PID 2324 wrote to memory of 1920 2324 fxfrfff.exe 146 PID 1920 wrote to memory of 4260 1920 fxfllrr.exe 95 PID 1920 wrote to memory of 4260 1920 fxfllrr.exe 95 PID 1920 wrote to memory of 4260 1920 fxfllrr.exe 95 PID 4260 wrote to memory of 764 4260 nthbhh.exe 96 PID 4260 wrote to memory of 764 4260 nthbhh.exe 96 PID 4260 wrote to memory of 764 4260 nthbhh.exe 96 PID 764 wrote to memory of 1676 764 pppjd.exe 97 PID 764 wrote to memory of 1676 764 pppjd.exe 97 PID 764 wrote to memory of 1676 764 pppjd.exe 97 PID 1676 wrote to memory of 4616 1676 7djjv.exe 98 PID 1676 wrote to memory of 4616 1676 7djjv.exe 98 PID 1676 wrote to memory of 4616 1676 7djjv.exe 98 PID 4616 wrote to memory of 4360 4616 fxxrlll.exe 99 PID 4616 wrote to memory of 4360 4616 fxxrlll.exe 99 PID 4616 wrote to memory of 4360 4616 fxxrlll.exe 99 PID 4360 wrote to memory of 2748 4360 ffrfxxx.exe 100 PID 4360 wrote to memory of 2748 4360 ffrfxxx.exe 100 PID 4360 wrote to memory of 2748 4360 ffrfxxx.exe 100 PID 2748 wrote to memory of 1696 2748 hhhtnn.exe 101 PID 2748 wrote to memory of 1696 2748 hhhtnn.exe 101 PID 2748 wrote to memory of 1696 2748 hhhtnn.exe 101 PID 1696 wrote to memory of 2448 1696 pdvvv.exe 102 PID 1696 wrote to memory of 2448 1696 pdvvv.exe 102 PID 1696 wrote to memory of 2448 1696 pdvvv.exe 102 PID 2448 wrote to memory of 1744 2448 vjvjd.exe 154 PID 2448 wrote to memory of 1744 2448 vjvjd.exe 154 PID 2448 wrote to memory of 1744 2448 vjvjd.exe 154 PID 1744 wrote to memory of 4752 1744 lfrlfrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e.exe"C:\Users\Admin\AppData\Local\Temp\22a4cacbdfac7f39519c8c22c63a1221567378952e8694a306e0a952f53cc62e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\ttbtnn.exec:\ttbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\ddjvj.exec:\ddjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\xxfxlfr.exec:\xxfxlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\frfrlxl.exec:\frfrlxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\thnbtn.exec:\thnbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\dppdp.exec:\dppdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\djpjd.exec:\djpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\lflxlfr.exec:\lflxlfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\hhtbbn.exec:\hhtbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\ddjdd.exec:\ddjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\fxfrfff.exec:\fxfrfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\fxfllrr.exec:\fxfllrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\nthbhh.exec:\nthbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\pppjd.exec:\pppjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\7djjv.exec:\7djjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\fxxrlll.exec:\fxxrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\ffrfxxx.exec:\ffrfxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\hhhtnn.exec:\hhhtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\pdvvv.exec:\pdvvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\vjvjd.exec:\vjvjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\lfrlfrr.exec:\lfrlfrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\7hhbtt.exec:\7hhbtt.exe23⤵
- Executes dropped EXE
PID:4752 -
\??\c:\3bhbtt.exec:\3bhbtt.exe24⤵
- Executes dropped EXE
PID:3800 -
\??\c:\7jpjd.exec:\7jpjd.exe25⤵
- Executes dropped EXE
PID:2744 -
\??\c:\1fxrfff.exec:\1fxrfff.exe26⤵
- Executes dropped EXE
PID:1788 -
\??\c:\frffffr.exec:\frffffr.exe27⤵
- Executes dropped EXE
PID:1848 -
\??\c:\bbtnnn.exec:\bbtnnn.exe28⤵
- Executes dropped EXE
PID:1400 -
\??\c:\thnhbb.exec:\thnhbb.exe29⤵
- Executes dropped EXE
PID:2436 -
\??\c:\vpdvp.exec:\vpdvp.exe30⤵
- Executes dropped EXE
PID:1580 -
\??\c:\xflfxxr.exec:\xflfxxr.exe31⤵
- Executes dropped EXE
PID:2076 -
\??\c:\lffrlfl.exec:\lffrlfl.exe32⤵
- Executes dropped EXE
PID:4004 -
\??\c:\nthttn.exec:\nthttn.exe33⤵
- Executes dropped EXE
PID:4452 -
\??\c:\dpvpv.exec:\dpvpv.exe34⤵
- Executes dropped EXE
PID:1912 -
\??\c:\jdjdd.exec:\jdjdd.exe35⤵
- Executes dropped EXE
PID:4916 -
\??\c:\xlfxlll.exec:\xlfxlll.exe36⤵
- Executes dropped EXE
PID:4016 -
\??\c:\lrfxrrx.exec:\lrfxrrx.exe37⤵
- Executes dropped EXE
PID:2236 -
\??\c:\bhtnhh.exec:\bhtnhh.exe38⤵
- Executes dropped EXE
PID:4656 -
\??\c:\dvdjv.exec:\dvdjv.exe39⤵
- Executes dropped EXE
PID:2344 -
\??\c:\lfxxfrr.exec:\lfxxfrr.exe40⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hhtnnb.exec:\hhtnnb.exe41⤵
- Executes dropped EXE
PID:1072 -
\??\c:\jdpjj.exec:\jdpjj.exe42⤵
- Executes dropped EXE
PID:3428 -
\??\c:\3lrrrfx.exec:\3lrrrfx.exe43⤵
- Executes dropped EXE
PID:2576 -
\??\c:\tnbbhb.exec:\tnbbhb.exe44⤵
- Executes dropped EXE
PID:3976 -
\??\c:\nthbnn.exec:\nthbnn.exe45⤵
- Executes dropped EXE
PID:1844 -
\??\c:\vppvp.exec:\vppvp.exe46⤵
- Executes dropped EXE
PID:4952 -
\??\c:\xrrlffr.exec:\xrrlffr.exe47⤵
- Executes dropped EXE
PID:616 -
\??\c:\tnbtnb.exec:\tnbtnb.exe48⤵
- Executes dropped EXE
PID:1660 -
\??\c:\nntnhb.exec:\nntnhb.exe49⤵
- Executes dropped EXE
PID:4292 -
\??\c:\ppvjj.exec:\ppvjj.exe50⤵
- Executes dropped EXE
PID:4276 -
\??\c:\lrxrfff.exec:\lrxrfff.exe51⤵
- Executes dropped EXE
PID:4508 -
\??\c:\bthtnn.exec:\bthtnn.exe52⤵
- Executes dropped EXE
PID:556 -
\??\c:\7nnhbb.exec:\7nnhbb.exe53⤵
- Executes dropped EXE
PID:672 -
\??\c:\pvjdv.exec:\pvjdv.exe54⤵
- Executes dropped EXE
PID:3616 -
\??\c:\3xfflfl.exec:\3xfflfl.exe55⤵
- Executes dropped EXE
PID:2556 -
\??\c:\rflfxlx.exec:\rflfxlx.exe56⤵
- Executes dropped EXE
PID:4080 -
\??\c:\tttnhh.exec:\tttnhh.exe57⤵
- Executes dropped EXE
PID:3500 -
\??\c:\jppjd.exec:\jppjd.exe58⤵
- Executes dropped EXE
PID:1044 -
\??\c:\jvddp.exec:\jvddp.exe59⤵
- Executes dropped EXE
PID:4712 -
\??\c:\frrlffx.exec:\frrlffx.exe60⤵
- Executes dropped EXE
PID:3064 -
\??\c:\hbnbbt.exec:\hbnbbt.exe61⤵
- Executes dropped EXE
PID:2660 -
\??\c:\bbnhbb.exec:\bbnhbb.exe62⤵
- Executes dropped EXE
PID:4800 -
\??\c:\jdjvp.exec:\jdjvp.exe63⤵
- Executes dropped EXE
PID:2120 -
\??\c:\xlrlffx.exec:\xlrlffx.exe64⤵
- Executes dropped EXE
PID:752 -
\??\c:\5fffxxx.exec:\5fffxxx.exe65⤵
- Executes dropped EXE
PID:1920 -
\??\c:\hnntth.exec:\hnntth.exe66⤵PID:4180
-
\??\c:\jpvpj.exec:\jpvpj.exe67⤵PID:4040
-
\??\c:\vdjdj.exec:\vdjdj.exe68⤵PID:1676
-
\??\c:\lrfxrll.exec:\lrfxrll.exe69⤵PID:4824
-
\??\c:\tbnhht.exec:\tbnhht.exe70⤵PID:4540
-
\??\c:\nhbhbb.exec:\nhbhbb.exe71⤵PID:4740
-
\??\c:\jdvpv.exec:\jdvpv.exe72⤵PID:208
-
\??\c:\lflfrrr.exec:\lflfrrr.exe73⤵PID:1744
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe74⤵PID:4752
-
\??\c:\5xxxllx.exec:\5xxxllx.exe75⤵PID:2628
-
\??\c:\jdjjd.exec:\jdjjd.exe76⤵PID:5056
-
\??\c:\lxlxrrf.exec:\lxlxrrf.exe77⤵PID:4164
-
\??\c:\5nbhth.exec:\5nbhth.exe78⤵PID:2876
-
\??\c:\jvddj.exec:\jvddj.exe79⤵PID:4212
-
\??\c:\flrlxxl.exec:\flrlxxl.exe80⤵
- System Location Discovery: System Language Discovery
PID:4172 -
\??\c:\nbbtnh.exec:\nbbtnh.exe81⤵PID:4452
-
\??\c:\pddvd.exec:\pddvd.exe82⤵PID:3180
-
\??\c:\lrxrfxr.exec:\lrxrfxr.exe83⤵PID:372
-
\??\c:\9hbnht.exec:\9hbnht.exe84⤵PID:1112
-
\??\c:\tnbnhb.exec:\tnbnhb.exe85⤵PID:4516
-
\??\c:\dpvvp.exec:\dpvvp.exe86⤵PID:2840
-
\??\c:\rfrffxl.exec:\rfrffxl.exe87⤵PID:4536
-
\??\c:\bttbbn.exec:\bttbbn.exe88⤵PID:3088
-
\??\c:\bbthbn.exec:\bbthbn.exe89⤵PID:1736
-
\??\c:\pjpjp.exec:\pjpjp.exe90⤵PID:2576
-
\??\c:\rfrlffx.exec:\rfrlffx.exe91⤵PID:1844
-
\??\c:\thbtnh.exec:\thbtnh.exe92⤵PID:2072
-
\??\c:\jppdv.exec:\jppdv.exe93⤵PID:5084
-
\??\c:\1fxlfxl.exec:\1fxlfxl.exe94⤵PID:4344
-
\??\c:\vpjdp.exec:\vpjdp.exe95⤵PID:440
-
\??\c:\rfrffxr.exec:\rfrffxr.exe96⤵PID:4340
-
\??\c:\rrllrlx.exec:\rrllrlx.exe97⤵PID:740
-
\??\c:\hhbnbt.exec:\hhbnbt.exe98⤵PID:1928
-
\??\c:\dvjjv.exec:\dvjjv.exe99⤵PID:4332
-
\??\c:\lffxxlf.exec:\lffxxlf.exe100⤵PID:3484
-
\??\c:\5tttnh.exec:\5tttnh.exe101⤵PID:4268
-
\??\c:\tnnhbt.exec:\tnnhbt.exe102⤵PID:4932
-
\??\c:\lflfllf.exec:\lflfllf.exe103⤵PID:1740
-
\??\c:\bbnhhb.exec:\bbnhhb.exe104⤵PID:3444
-
\??\c:\vvjdp.exec:\vvjdp.exe105⤵PID:2256
-
\??\c:\pdpjj.exec:\pdpjj.exe106⤵PID:4768
-
\??\c:\xllxrrf.exec:\xllxrrf.exe107⤵PID:2296
-
\??\c:\nhbthb.exec:\nhbthb.exe108⤵PID:2244
-
\??\c:\5tnhtn.exec:\5tnhtn.exe109⤵PID:1592
-
\??\c:\fflrxrl.exec:\fflrxrl.exe110⤵PID:2988
-
\??\c:\bbtnhb.exec:\bbtnhb.exe111⤵PID:868
-
\??\c:\pddvp.exec:\pddvp.exe112⤵PID:3968
-
\??\c:\lrxlxrl.exec:\lrxlxrl.exe113⤵PID:1784
-
\??\c:\ntbbnh.exec:\ntbbnh.exe114⤵PID:3860
-
\??\c:\jjdpd.exec:\jjdpd.exe115⤵PID:1264
-
\??\c:\frrfrfx.exec:\frrfrfx.exe116⤵PID:1460
-
\??\c:\hnnbtn.exec:\hnnbtn.exe117⤵PID:4120
-
\??\c:\vpvpd.exec:\vpvpd.exe118⤵PID:4540
-
\??\c:\xffxlfx.exec:\xffxlfx.exe119⤵PID:4352
-
\??\c:\9hbttn.exec:\9hbttn.exe120⤵PID:4360
-
\??\c:\1rxlrrr.exec:\1rxlrrr.exe121⤵PID:2080
-
\??\c:\xrxllxr.exec:\xrxllxr.exe122⤵PID:2692