Analysis
max time kernel: 120s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 07:03
Static task: static1
Behavioral task: behavioral1
Sample: ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe
Resource: win7-20240708-en
General
Target: ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe
Size: 453KB
MD5: 0c53788155817112067cb4138c939994
SHA1: cfe7f043508c251d3ed88ef18cb7486eeaba31ea
SHA256: ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2
SHA512: 7b8daca8f32909c6c335f8e0f270c0587e8e6eadc337b33ff73c894577f71110584ad8340526461f1e9db78b75215f9c7d980198419455bcb02e34205fe81c4f
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload (63 IoCs)
Executes dropped EXE (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process chain (each process launches the next; the leading number is its depth in the chain):
1. C:\Users\Admin\AppData\Local\Temp\ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe"; PID 1376) - Suspicious use of WriteProcessMemory
2. \??\c:\nnthtt.exe (cmdline: c:\nnthtt.exe; PID 532) - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\ffxxrxr.exe (cmdline: c:\ffxxrxr.exe; PID 4204) - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\dvvvv.exe (cmdline: c:\dvvvv.exe; PID 1176) - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\82826.exe (cmdline: c:\82826.exe; PID 4700) - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\7fxxrrl.exe (cmdline: c:\7fxxrrl.exe; PID 4384) - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\fflfxff.exe (cmdline: c:\fflfxff.exe; PID 4104) - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\jjdpj.exe (cmdline: c:\jjdpj.exe; PID 2364) - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\jjvvd.exe (cmdline: c:\jjvvd.exe; PID 1868) - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\vjvpp.exe (cmdline: c:\vjvpp.exe; PID 4412) - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\m2882.exe (cmdline: c:\m2882.exe; PID 3112) - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\242600.exe (cmdline: c:\242600.exe; PID 3896) - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\g8406.exe (cmdline: c:\g8406.exe; PID 3676) - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\pddjp.exe (cmdline: c:\pddjp.exe; PID 4756) - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\9nnhtt.exe (cmdline: c:\9nnhtt.exe; PID 2076) - Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\0444222.exe (cmdline: c:\0444222.exe; PID 2656) - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\2222666.exe (cmdline: c:\2222666.exe; PID 212) - Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\vvjdv.exe (cmdline: c:\vvjdv.exe; PID 4148) - Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\420444.exe (cmdline: c:\420444.exe; PID 3688) - Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\408260.exe (cmdline: c:\408260.exe; PID 2980) - Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\bntbnb.exe (cmdline: c:\bntbnb.exe; PID 4540) - Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\5rfxllf.exe (cmdline: c:\5rfxllf.exe; PID 2328) - Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\k46262.exe (cmdline: c:\k46262.exe; PID 2592) - Executes dropped EXE
24. \??\c:\3ddpj.exe (cmdline: c:\3ddpj.exe; PID 3312) - Executes dropped EXE
25. \??\c:\a4608.exe (cmdline: c:\a4608.exe; PID 4012) - Executes dropped EXE
26. \??\c:\fxrfrlx.exe (cmdline: c:\fxrfrlx.exe; PID 2112) - Executes dropped EXE
27. \??\c:\vjdvp.exe (cmdline: c:\vjdvp.exe; PID 5108) - Executes dropped EXE
28. \??\c:\8226048.exe (cmdline: c:\8226048.exe; PID 1476) - Executes dropped EXE
29. \??\c:\rlllfff.exe (cmdline: c:\rlllfff.exe; PID 4940) - Executes dropped EXE
30. \??\c:\vvvvp.exe (cmdline: c:\vvvvp.exe; PID 3924) - Executes dropped EXE
31. \??\c:\688088.exe (cmdline: c:\688088.exe; PID 2976) - Executes dropped EXE
32. \??\c:\60666.exe (cmdline: c:\60666.exe; PID 4112) - Executes dropped EXE
33. \??\c:\hnbnbt.exe (cmdline: c:\hnbnbt.exe; PID 1084) - Executes dropped EXE
34. \??\c:\nthbhb.exe (cmdline: c:\nthbhb.exe; PID 424) - Executes dropped EXE
35. \??\c:\488080.exe (cmdline: c:\488080.exe; PID 3392) - Executes dropped EXE
36. \??\c:\lxllflf.exe (cmdline: c:\lxllflf.exe; PID 404) - Executes dropped EXE
37. \??\c:\xrxlffr.exe (cmdline: c:\xrxlffr.exe; PID 4480) - Executes dropped EXE
38. \??\c:\084822.exe (cmdline: c:\084822.exe; PID 2272) - Executes dropped EXE
39. \??\c:\262606.exe (cmdline: c:\262606.exe; PID 4652) - Executes dropped EXE
40. \??\c:\ppvvj.exe (cmdline: c:\ppvvj.exe; PID 3724) - Executes dropped EXE
41. \??\c:\ddddv.exe (cmdline: c:\ddddv.exe; PID 1516) - Executes dropped EXE
42. \??\c:\ntnnnn.exe (cmdline: c:\ntnnnn.exe; PID 4048) - Executes dropped EXE
43. \??\c:\844442.exe (cmdline: c:\844442.exe; PID 2928) - Executes dropped EXE
44. \??\c:\2844844.exe (cmdline: c:\2844844.exe; PID 4084) - Executes dropped EXE
45. \??\c:\tnbnht.exe (cmdline: c:\tnbnht.exe; PID 1280) - Executes dropped EXE
46. \??\c:\bbthhh.exe (cmdline: c:\bbthhh.exe; PID 4768) - Executes dropped EXE
47. \??\c:\jpdvv.exe (cmdline: c:\jpdvv.exe; PID 3152) - Executes dropped EXE
48. \??\c:\lfrlfxr.exe (cmdline: c:\lfrlfxr.exe; PID 1992) - Executes dropped EXE
49. \??\c:\e42622.exe (cmdline: c:\e42622.exe; PID 1708) - Executes dropped EXE
50. \??\c:\48022.exe (cmdline: c:\48022.exe; PID 3540) - Executes dropped EXE
51. \??\c:\64806.exe (cmdline: c:\64806.exe; PID 3120) - Executes dropped EXE
52. \??\c:\262648.exe (cmdline: c:\262648.exe; PID 3660) - Executes dropped EXE
53. \??\c:\jdvpv.exe (cmdline: c:\jdvpv.exe; PID 4352) - Executes dropped EXE
54. \??\c:\hbhbtt.exe (cmdline: c:\hbhbtt.exe; PID 3744) - Executes dropped EXE
55. \??\c:\c248444.exe (cmdline: c:\c248444.exe; PID 4020) - Executes dropped EXE
56. \??\c:\bttbbb.exe (cmdline: c:\bttbbb.exe; PID 4548) - Executes dropped EXE
57. \??\c:\00000.exe (cmdline: c:\00000.exe; PID 4424) - Executes dropped EXE
58. \??\c:\o620826.exe (cmdline: c:\o620826.exe; PID 3248) - Executes dropped EXE
59. \??\c:\fffffff.exe (cmdline: c:\fffffff.exe; PID 1088) - Executes dropped EXE
60. \??\c:\rlrllfx.exe (cmdline: c:\rlrllfx.exe; PID 2388) - Executes dropped EXE
61. \??\c:\nnhnbb.exe (cmdline: c:\nnhnbb.exe; PID 3388) - Executes dropped EXE
62. \??\c:\fxlfxxx.exe (cmdline: c:\fxlfxxx.exe; PID 2364) - Executes dropped EXE
63. \??\c:\rrxrlff.exe (cmdline: c:\rrxrlff.exe; PID 2816) - Executes dropped EXE
64. \??\c:\o642604.exe (cmdline: c:\o642604.exe; PID 1520) - Executes dropped EXE
65. \??\c:\262600.exe (cmdline: c:\262600.exe; PID 2624) - Executes dropped EXE
66. \??\c:\jvjpv.exe (cmdline: c:\jvjpv.exe; PID 2860)
67. \??\c:\0222662.exe (cmdline: c:\0222662.exe; PID 5004)
68. \??\c:\fffxxxr.exe (cmdline: c:\fffxxxr.exe; PID 1200)
69. \??\c:\btbhbn.exe (cmdline: c:\btbhbn.exe; PID 5024)
70. \??\c:\0682008.exe (cmdline: c:\0682008.exe; PID 5028)
71. \??\c:\q68288.exe (cmdline: c:\q68288.exe; PID 3984)
72. \??\c:\jvpvd.exe (cmdline: c:\jvpvd.exe; PID 4860)
73. \??\c:\pddvp.exe (cmdline: c:\pddvp.exe; PID 632)
74. \??\c:\lrrlrxx.exe (cmdline: c:\lrrlrxx.exe; PID 4288)
75. \??\c:\vjvpj.exe (cmdline: c:\vjvpj.exe; PID 3592)
76. \??\c:\ddpjp.exe (cmdline: c:\ddpjp.exe; PID 1168)
77. \??\c:\040422.exe (cmdline: c:\040422.exe; PID 3124)
78. \??\c:\tnnnhn.exe (cmdline: c:\tnnnhn.exe; PID 968)
79. \??\c:\w64486.exe (cmdline: c:\w64486.exe; PID 2840)
80. \??\c:\xrrllll.exe (cmdline: c:\xrrllll.exe; PID 3616)
81. \??\c:\tntbtt.exe (cmdline: c:\tntbtt.exe; PID 2508)
82. \??\c:\86660.exe (cmdline: c:\86660.exe; PID 1476)
83. \??\c:\ffxxxxx.exe (cmdline: c:\ffxxxxx.exe; PID 2292)
84. \??\c:\jvdjv.exe (cmdline: c:\jvdjv.exe; PID 3924)
85. \??\c:\7pvvv.exe (cmdline: c:\7pvvv.exe; PID 2976)
86. \??\c:\8840044.exe (cmdline: c:\8840044.exe; PID 4080)
87. \??\c:\7pdvd.exe (cmdline: c:\7pdvd.exe; PID 3196) - System Location Discovery: System Language Discovery
88. \??\c:\xxffflf.exe (cmdline: c:\xxffflf.exe; PID 4576)
89. \??\c:\ppppj.exe (cmdline: c:\ppppj.exe; PID 2280)
90. \??\c:\nnhhhh.exe (cmdline: c:\nnhhhh.exe; PID 3352)
91. \??\c:\062222.exe (cmdline: c:\062222.exe; PID 3556)
92. \??\c:\24044.exe (cmdline: c:\24044.exe; PID 460)
93. \??\c:\04004.exe (cmdline: c:\04004.exe; PID 2852)
94. \??\c:\446224.exe (cmdline: c:\446224.exe; PID 4928)
95. \??\c:\7pjjd.exe (cmdline: c:\7pjjd.exe; PID 4808)
96. \??\c:\08680.exe (cmdline: c:\08680.exe; PID 3948)
97. \??\c:\0804264.exe (cmdline: c:\0804264.exe; PID 1484)
98. \??\c:\00464.exe (cmdline: c:\00464.exe; PID 2340)
99. \??\c:\dpjpd.exe (cmdline: c:\dpjpd.exe; PID 3756)
100. \??\c:\06646.exe (cmdline: c:\06646.exe; PID 4568)
101. \??\c:\7nhthb.exe (cmdline: c:\7nhthb.exe; PID 3432)
102. \??\c:\4220048.exe (cmdline: c:\4220048.exe; PID 2916)
103. \??\c:\jvpjj.exe (cmdline: c:\jvpjj.exe; PID 4252)
104. \??\c:\44006.exe (cmdline: c:\44006.exe; PID 4508)
105. \??\c:\nhbnhh.exe (cmdline: c:\nhbnhh.exe; PID 4844)
106. \??\c:\00482.exe (cmdline: c:\00482.exe; PID 4268)
107. \??\c:\0622604.exe (cmdline: c:\0622604.exe; PID 3628)
108. \??\c:\66260.exe (cmdline: c:\66260.exe; PID 3272)
109. \??\c:\tnhthb.exe (cmdline: c:\tnhthb.exe; PID 4520)
110. \??\c:\60444.exe (cmdline: c:\60444.exe; PID 224)
111. \??\c:\7lfrfxl.exe (cmdline: c:\7lfrfxl.exe; PID 4840)
112. \??\c:\thtnbt.exe (cmdline: c:\thtnbt.exe; PID 2432)
113. \??\c:\dpdvd.exe (cmdline: c:\dpdvd.exe; PID 3652)
114. \??\c:\u648604.exe (cmdline: c:\u648604.exe; PID 2988)
115. \??\c:\pjpdp.exe (cmdline: c:\pjpdp.exe; PID 1820) - System Location Discovery: System Language Discovery
116. \??\c:\xlrlllf.exe (cmdline: c:\xlrlllf.exe; PID 1624)
117. \??\c:\frrlrlx.exe (cmdline: c:\frrlrlx.exe; PID 5032)
118. \??\c:\ttthbb.exe (cmdline: c:\ttthbb.exe; PID 3512)
119. \??\c:\8222044.exe (cmdline: c:\8222044.exe; PID 544)
120. \??\c:\xxxlrrr.exe (cmdline: c:\xxxlrrr.exe; PID 1016)
121. \??\c:\lrxrllf.exe (cmdline: c:\lrxrllf.exe; PID 2440)
122. \??\c:\62660.exe (cmdline: c:\62660.exe; PID 3920)