Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 10:06
Static task
static1
Behavioral task
behavioral1
Sample
1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38.exe
Resource
win7-20240903-en
General
-
Target
1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38.exe
-
Size
453KB
-
MD5
4266a5bf9a89d5a443e3fb62308f9867
-
SHA1
7ab3f62ce74a276c137b3ca9fda651f0ec9d75f5
-
SHA256
1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38
-
SHA512
78d5d3cdcf162cd618d9703165b28cc7355ff26e3876c9f92abb8ee96cd3b767080a1242314911f0f1deb5441fa8c6196c8b70f0ae7e6c2c4b5f29f6b4b6de93
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/736-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3056-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/544-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-894-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-1047-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-1259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 736 lfrlffx.exe 4448 844828.exe 4844 httnnn.exe 1408 pjvdv.exe 4964 882802.exe 2136 lxlllll.exe 3504 xlfxrll.exe 3128 pvddd.exe 536 i622882.exe 2448 vddvd.exe 1860 jdppd.exe 4392 tnhnnh.exe 4888 o644882.exe 2756 jdvpj.exe 1332 frxrrxx.exe 1176 260866.exe 4636 40604.exe 2692 rxxrfrx.exe 4064 jdjdv.exe 468 8220468.exe 1172 264480.exe 3136 644282.exe 688 0040808.exe 3616 tnbtnh.exe 212 1ppjv.exe 1604 tnhbnh.exe 3056 824800.exe 4036 tntnhn.exe 1996 pjpjv.exe 4820 2644444.exe 4284 426044.exe 2084 lrlxlfr.exe 4792 rfllffr.exe 1416 06264.exe 3544 8860002.exe 2880 246000.exe 4880 rxflffx.exe 2700 868226.exe 1452 llflllf.exe 3640 rfxxrxr.exe 4088 dvddv.exe 3680 xflllrl.exe 3244 jdjvv.exe 2716 thhhbb.exe 4500 42666.exe 2452 lllllrr.exe 2392 dvpdv.exe 1752 ntnntt.exe 3232 bttttt.exe 3220 hnnhbt.exe 4468 hhbtnb.exe 2336 dvpjd.exe 1240 jddvp.exe 2688 5jpjj.exe 1788 662662.exe 408 62024.exe 1312 jjdpd.exe 5020 8022484.exe 3704 s4864.exe 2656 9rlfrrl.exe 2604 42486.exe 4280 468248.exe 5056 1ddpj.exe 1864 bhhnht.exe -
resource yara_rule behavioral2/memory/736-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4036-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3136-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-809-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4860044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6860048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w06820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6622044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u642220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4266266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82664.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3716 wrote to memory of 736 3716 1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38.exe 83 PID 3716 wrote to memory of 736 3716 1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38.exe 83 PID 3716 wrote to memory of 736 3716 1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38.exe 83 PID 736 wrote to memory of 4448 736 lfrlffx.exe 84 PID 736 wrote to memory of 4448 736 lfrlffx.exe 84 PID 736 wrote to memory of 4448 736 lfrlffx.exe 84 PID 4448 wrote to memory of 4844 4448 844828.exe 85 PID 4448 wrote to memory of 4844 4448 844828.exe 85 PID 4448 wrote to memory of 4844 4448 844828.exe 85 PID 4844 wrote to memory of 1408 4844 httnnn.exe 86 PID 4844 wrote to memory of 1408 4844 httnnn.exe 86 PID 4844 wrote to memory of 1408 4844 httnnn.exe 86 PID 1408 wrote to memory of 4964 1408 pjvdv.exe 87 PID 1408 wrote to memory of 4964 1408 pjvdv.exe 87 PID 1408 wrote to memory of 4964 1408 pjvdv.exe 87 PID 4964 wrote to memory of 2136 4964 882802.exe 88 PID 4964 wrote to memory of 2136 4964 882802.exe 88 PID 4964 wrote to memory of 2136 4964 882802.exe 88 PID 2136 wrote to memory of 3504 2136 lxlllll.exe 89 PID 2136 wrote to memory of 3504 2136 lxlllll.exe 89 PID 2136 wrote to memory of 3504 2136 lxlllll.exe 89 PID 3504 wrote to memory of 3128 3504 xlfxrll.exe 90 PID 3504 wrote to memory of 3128 3504 xlfxrll.exe 90 PID 3504 wrote to memory of 3128 3504 xlfxrll.exe 90 PID 3128 wrote to memory of 536 3128 pvddd.exe 91 PID 3128 wrote to memory of 536 3128 pvddd.exe 91 PID 3128 wrote to memory of 536 3128 pvddd.exe 91 PID 536 wrote to memory of 2448 536 i622882.exe 92 PID 536 wrote to memory of 2448 536 i622882.exe 92 PID 536 wrote to memory of 2448 536 i622882.exe 92 PID 2448 wrote to memory of 1860 2448 vddvd.exe 93 PID 2448 wrote to memory of 1860 2448 vddvd.exe 93 PID 2448 wrote to memory of 1860 2448 vddvd.exe 93 PID 1860 wrote to memory of 4392 1860 jdppd.exe 94 PID 1860 wrote to memory of 4392 
1860 jdppd.exe 94 PID 1860 wrote to memory of 4392 1860 jdppd.exe 94 PID 4392 wrote to memory of 4888 4392 tnhnnh.exe 95 PID 4392 wrote to memory of 4888 4392 tnhnnh.exe 95 PID 4392 wrote to memory of 4888 4392 tnhnnh.exe 95 PID 4888 wrote to memory of 2756 4888 o644882.exe 96 PID 4888 wrote to memory of 2756 4888 o644882.exe 96 PID 4888 wrote to memory of 2756 4888 o644882.exe 96 PID 2756 wrote to memory of 1332 2756 jdvpj.exe 97 PID 2756 wrote to memory of 1332 2756 jdvpj.exe 97 PID 2756 wrote to memory of 1332 2756 jdvpj.exe 97 PID 1332 wrote to memory of 1176 1332 frxrrxx.exe 98 PID 1332 wrote to memory of 1176 1332 frxrrxx.exe 98 PID 1332 wrote to memory of 1176 1332 frxrrxx.exe 98 PID 1176 wrote to memory of 4636 1176 260866.exe 99 PID 1176 wrote to memory of 4636 1176 260866.exe 99 PID 1176 wrote to memory of 4636 1176 260866.exe 99 PID 4636 wrote to memory of 2692 4636 40604.exe 100 PID 4636 wrote to memory of 2692 4636 40604.exe 100 PID 4636 wrote to memory of 2692 4636 40604.exe 100 PID 2692 wrote to memory of 4064 2692 rxxrfrx.exe 101 PID 2692 wrote to memory of 4064 2692 rxxrfrx.exe 101 PID 2692 wrote to memory of 4064 2692 rxxrfrx.exe 101 PID 4064 wrote to memory of 468 4064 jdjdv.exe 102 PID 4064 wrote to memory of 468 4064 jdjdv.exe 102 PID 4064 wrote to memory of 468 4064 jdjdv.exe 102 PID 468 wrote to memory of 1172 468 8220468.exe 103 PID 468 wrote to memory of 1172 468 8220468.exe 103 PID 468 wrote to memory of 1172 468 8220468.exe 103 PID 1172 wrote to memory of 3136 1172 264480.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38.exe"C:\Users\Admin\AppData\Local\Temp\1673809f57a324d864a1281330eca760c4b1a6d351de82acd31905ff8d803d38.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\lfrlffx.exec:\lfrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\844828.exec:\844828.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\httnnn.exec:\httnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\pjvdv.exec:\pjvdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\882802.exec:\882802.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\lxlllll.exec:\lxlllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\xlfxrll.exec:\xlfxrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\pvddd.exec:\pvddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\i622882.exec:\i622882.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\vddvd.exec:\vddvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\jdppd.exec:\jdppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\tnhnnh.exec:\tnhnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\o644882.exec:\o644882.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\jdvpj.exec:\jdvpj.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\frxrrxx.exec:\frxrrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\260866.exec:\260866.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\40604.exec:\40604.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\rxxrfrx.exec:\rxxrfrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\jdjdv.exec:\jdjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\8220468.exec:\8220468.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\264480.exec:\264480.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\644282.exec:\644282.exe23⤵
- Executes dropped EXE
PID:3136 -
\??\c:\0040808.exec:\0040808.exe24⤵
- Executes dropped EXE
PID:688 -
\??\c:\tnbtnh.exec:\tnbtnh.exe25⤵
- Executes dropped EXE
PID:3616 -
\??\c:\1ppjv.exec:\1ppjv.exe26⤵
- Executes dropped EXE
PID:212 -
\??\c:\tnhbnh.exec:\tnhbnh.exe27⤵
- Executes dropped EXE
PID:1604 -
\??\c:\824800.exec:\824800.exe28⤵
- Executes dropped EXE
PID:3056 -
\??\c:\tntnhn.exec:\tntnhn.exe29⤵
- Executes dropped EXE
PID:4036 -
\??\c:\pjpjv.exec:\pjpjv.exe30⤵
- Executes dropped EXE
PID:1996 -
\??\c:\2644444.exec:\2644444.exe31⤵
- Executes dropped EXE
PID:4820 -
\??\c:\426044.exec:\426044.exe32⤵
- Executes dropped EXE
PID:4284 -
\??\c:\lrlxlfr.exec:\lrlxlfr.exe33⤵
- Executes dropped EXE
PID:2084 -
\??\c:\rfllffr.exec:\rfllffr.exe34⤵
- Executes dropped EXE
PID:4792 -
\??\c:\06264.exec:\06264.exe35⤵
- Executes dropped EXE
PID:1416 -
\??\c:\8860002.exec:\8860002.exe36⤵
- Executes dropped EXE
PID:3544 -
\??\c:\246000.exec:\246000.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\rxflffx.exec:\rxflffx.exe38⤵
- Executes dropped EXE
PID:4880 -
\??\c:\868226.exec:\868226.exe39⤵
- Executes dropped EXE
PID:2700 -
\??\c:\llflllf.exec:\llflllf.exe40⤵
- Executes dropped EXE
PID:1452 -
\??\c:\rfxxrxr.exec:\rfxxrxr.exe41⤵
- Executes dropped EXE
PID:3640 -
\??\c:\dvddv.exec:\dvddv.exe42⤵
- Executes dropped EXE
PID:4088 -
\??\c:\xflllrl.exec:\xflllrl.exe43⤵
- Executes dropped EXE
PID:3680 -
\??\c:\jdjvv.exec:\jdjvv.exe44⤵
- Executes dropped EXE
PID:3244 -
\??\c:\thhhbb.exec:\thhhbb.exe45⤵
- Executes dropped EXE
PID:2716 -
\??\c:\42666.exec:\42666.exe46⤵
- Executes dropped EXE
PID:4500 -
\??\c:\lllllrr.exec:\lllllrr.exe47⤵
- Executes dropped EXE
PID:2452 -
\??\c:\dvpdv.exec:\dvpdv.exe48⤵
- Executes dropped EXE
PID:2392 -
\??\c:\ntnntt.exec:\ntnntt.exe49⤵
- Executes dropped EXE
PID:1752 -
\??\c:\bttttt.exec:\bttttt.exe50⤵
- Executes dropped EXE
PID:3232 -
\??\c:\hnnhbt.exec:\hnnhbt.exe51⤵
- Executes dropped EXE
PID:3220 -
\??\c:\hhbtnb.exec:\hhbtnb.exe52⤵
- Executes dropped EXE
PID:4468 -
\??\c:\dvpjd.exec:\dvpjd.exe53⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jddvp.exec:\jddvp.exe54⤵
- Executes dropped EXE
PID:1240 -
\??\c:\5jpjj.exec:\5jpjj.exe55⤵
- Executes dropped EXE
PID:2688 -
\??\c:\662662.exec:\662662.exe56⤵
- Executes dropped EXE
PID:1788 -
\??\c:\62024.exec:\62024.exe57⤵
- Executes dropped EXE
PID:408 -
\??\c:\jjdpd.exec:\jjdpd.exe58⤵
- Executes dropped EXE
PID:1312 -
\??\c:\8022484.exec:\8022484.exe59⤵
- Executes dropped EXE
PID:5020 -
\??\c:\s4864.exec:\s4864.exe60⤵
- Executes dropped EXE
PID:3704 -
\??\c:\9rlfrrl.exec:\9rlfrrl.exe61⤵
- Executes dropped EXE
PID:2656 -
\??\c:\42486.exec:\42486.exe62⤵
- Executes dropped EXE
PID:2604 -
\??\c:\468248.exec:\468248.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4280 -
\??\c:\1ddpj.exec:\1ddpj.exe64⤵
- Executes dropped EXE
PID:5056 -
\??\c:\bhhnht.exec:\bhhnht.exe65⤵
- Executes dropped EXE
PID:1864 -
\??\c:\llxrllf.exec:\llxrllf.exe66⤵PID:3212
-
\??\c:\4644824.exec:\4644824.exe67⤵PID:1860
-
\??\c:\8248006.exec:\8248006.exe68⤵PID:2488
-
\??\c:\vdppj.exec:\vdppj.exe69⤵PID:4020
-
\??\c:\ddppj.exec:\ddppj.exe70⤵PID:728
-
\??\c:\9hbtbb.exec:\9hbtbb.exe71⤵PID:2168
-
\??\c:\822266.exec:\822266.exe72⤵PID:1176
-
\??\c:\6266822.exec:\6266822.exe73⤵PID:760
-
\??\c:\88004.exec:\88004.exe74⤵PID:1828
-
\??\c:\lxlxlrf.exec:\lxlxlrf.exe75⤵PID:4780
-
\??\c:\o804488.exec:\o804488.exe76⤵PID:1388
-
\??\c:\jvvjv.exec:\jvvjv.exe77⤵PID:1476
-
\??\c:\bbtnhb.exec:\bbtnhb.exe78⤵PID:920
-
\??\c:\4408608.exec:\4408608.exe79⤵PID:1944
-
\??\c:\224400.exec:\224400.exe80⤵PID:544
-
\??\c:\5flxxxf.exec:\5flxxxf.exe81⤵PID:3136
-
\??\c:\1djjv.exec:\1djjv.exe82⤵PID:220
-
\??\c:\vvdvv.exec:\vvdvv.exe83⤵PID:3616
-
\??\c:\lfrlfff.exec:\lfrlfff.exe84⤵PID:212
-
\??\c:\206660.exec:\206660.exe85⤵PID:3632
-
\??\c:\hbbnhb.exec:\hbbnhb.exe86⤵PID:1392
-
\??\c:\66222.exec:\66222.exe87⤵PID:2412
-
\??\c:\vdjpv.exec:\vdjpv.exe88⤵PID:4056
-
\??\c:\684846.exec:\684846.exe89⤵PID:740
-
\??\c:\9xrfrxr.exec:\9xrfrxr.exe90⤵PID:720
-
\??\c:\xfrrxrx.exec:\xfrrxrx.exe91⤵PID:4668
-
\??\c:\1bnhnb.exec:\1bnhnb.exe92⤵PID:2008
-
\??\c:\htbnhb.exec:\htbnhb.exe93⤵PID:4412
-
\??\c:\6020488.exec:\6020488.exe94⤵PID:4200
-
\??\c:\064282.exec:\064282.exe95⤵PID:1844
-
\??\c:\840482.exec:\840482.exe96⤵PID:4880
-
\??\c:\xrxfxxr.exec:\xrxfxxr.exe97⤵PID:1612
-
\??\c:\vvdpv.exec:\vvdpv.exe98⤵PID:1732
-
\??\c:\20222.exec:\20222.exe99⤵PID:2460
-
\??\c:\62204.exec:\62204.exe100⤵PID:1368
-
\??\c:\ppvdp.exec:\ppvdp.exe101⤵PID:2772
-
\??\c:\llrrllx.exec:\llrrllx.exe102⤵PID:5072
-
\??\c:\w06088.exec:\w06088.exe103⤵PID:4068
-
\??\c:\7jjdp.exec:\7jjdp.exe104⤵PID:4376
-
\??\c:\frfflfl.exec:\frfflfl.exe105⤵PID:4572
-
\??\c:\vdjpp.exec:\vdjpp.exe106⤵PID:3716
-
\??\c:\dvpjv.exec:\dvpjv.exe107⤵PID:2300
-
\??\c:\hnnbnn.exec:\hnnbnn.exe108⤵PID:2908
-
\??\c:\9jpjj.exec:\9jpjj.exe109⤵PID:4960
-
\??\c:\0084402.exec:\0084402.exe110⤵PID:804
-
\??\c:\6048868.exec:\6048868.exe111⤵PID:4552
-
\??\c:\88826.exec:\88826.exe112⤵PID:4196
-
\??\c:\pppdp.exec:\pppdp.exe113⤵PID:664
-
\??\c:\djdvd.exec:\djdvd.exe114⤵PID:2340
-
\??\c:\m0048.exec:\m0048.exe115⤵PID:1696
-
\??\c:\8208488.exec:\8208488.exe116⤵PID:2656
-
\??\c:\lxxrrlf.exec:\lxxrrlf.exe117⤵PID:4420
-
\??\c:\xxflffx.exec:\xxflffx.exe118⤵PID:2408
-
\??\c:\s0202.exec:\s0202.exe119⤵PID:4804
-
\??\c:\rxxlfrl.exec:\rxxlfrl.exe120⤵PID:1864
-
\??\c:\682046.exec:\682046.exe121⤵PID:4920
-
\??\c:\28822.exec:\28822.exe122⤵PID:4980