Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 00:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe
-
Size
453KB
-
MD5
12fad5f472dce1ce739d894bf33a4508
-
SHA1
49005eb30aee3c24bf8d887948f6da4f401732e0
-
SHA256
9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49
-
SHA512
e79ad33e02dbb27e8041fb6b99d3f568eba06cdafa5a8e1bedcd4292e608c3fa4cb1582f0b86a60bdb0193d15e789e29c7e5bd93788ed75127fe35bb7069f7e2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4436-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2192-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3712-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-1006-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-1146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-1751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-1829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1236-1926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1512 lflxfxr.exe 2008 htnhbb.exe 4384 rfllfrr.exe 456 rrlfxrr.exe 1368 djdvp.exe 2604 hhhhbb.exe 952 jvdvv.exe 4808 7tbttt.exe 3660 hbbttn.exe 2760 3pjvp.exe 936 tnttbh.exe 1996 ddjpj.exe 3688 rrrllll.exe 2040 nbtnbb.exe 1812 9xllrlr.exe 5020 fffffll.exe 2664 vdvpj.exe 2768 llxxlfl.exe 4052 1bnhbb.exe 2124 pvvvp.exe 3164 lxxrxxf.exe 3528 rlfxxrr.exe 5052 bbtnht.exe 3088 lxfxrrl.exe 1484 nhtntt.exe 1016 3pjdd.exe 748 vpddj.exe 440 vvvvp.exe 3192 btbnhh.exe 2192 frrlllr.exe 4484 7vvdv.exe 4564 nbhhhb.exe 3244 9flflrl.exe 3832 nhnhbt.exe 1880 jvjdj.exe 3960 pvvpp.exe 2372 frxrrll.exe 1588 nbnhbb.exe 2356 vdpjd.exe 2032 lffxrrl.exe 4240 lrrllff.exe 2364 nhnhnn.exe 5068 jjdvp.exe 4552 rxfxrlf.exe 4948 ththnb.exe 452 vdpjv.exe 2312 pdjjv.exe 536 rxfxrrl.exe 4276 ttttnn.exe 892 pdjdj.exe 4324 pjdvp.exe 4316 3fxfxrf.exe 4740 bnthbt.exe 756 jjdvp.exe 408 rxxrlfx.exe 1608 7hbbtt.exe 2896 pjjdv.exe 1384 frxrffx.exe 4632 tthbtb.exe 1368 5hnhhh.exe 1160 vpvjd.exe 4208 lflfxxr.exe 3536 dvdjd.exe 4808 lrrfxxr.exe -
resource yara_rule behavioral2/memory/4436-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2192-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-425-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1612-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-945-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-1109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-1146-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4436 wrote to memory of 1512 4436 9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe 82 PID 4436 wrote to memory of 1512 4436 9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe 82 PID 4436 wrote to memory of 1512 4436 9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe 82 PID 1512 wrote to memory of 2008 1512 lflxfxr.exe 83 PID 1512 wrote to memory of 2008 1512 lflxfxr.exe 83 PID 1512 wrote to memory of 2008 1512 lflxfxr.exe 83 PID 2008 wrote to memory of 4384 2008 htnhbb.exe 84 PID 2008 wrote to memory of 4384 2008 htnhbb.exe 84 PID 2008 wrote to memory of 4384 2008 htnhbb.exe 84 PID 4384 wrote to memory of 456 4384 rfllfrr.exe 85 PID 4384 wrote to memory of 456 4384 rfllfrr.exe 85 PID 4384 wrote to memory of 456 4384 rfllfrr.exe 85 PID 456 wrote to memory of 1368 456 rrlfxrr.exe 86 PID 456 wrote to memory of 1368 456 rrlfxrr.exe 86 PID 456 wrote to memory of 1368 456 rrlfxrr.exe 86 PID 1368 wrote to memory of 2604 1368 djdvp.exe 87 PID 1368 wrote to memory of 2604 1368 djdvp.exe 87 PID 1368 wrote to memory of 2604 1368 djdvp.exe 87 PID 2604 wrote to memory of 952 2604 hhhhbb.exe 88 PID 2604 wrote to memory of 952 2604 hhhhbb.exe 88 PID 2604 wrote to memory of 952 2604 hhhhbb.exe 88 PID 952 wrote to memory of 4808 952 jvdvv.exe 89 PID 952 wrote to memory of 4808 952 jvdvv.exe 89 PID 952 wrote to memory of 4808 952 jvdvv.exe 89 PID 4808 wrote to memory of 3660 4808 7tbttt.exe 90 PID 4808 wrote to memory of 3660 4808 7tbttt.exe 90 PID 4808 wrote to memory of 3660 4808 7tbttt.exe 90 PID 3660 wrote to memory of 2760 3660 hbbttn.exe 91 PID 3660 wrote to memory of 2760 3660 hbbttn.exe 91 PID 3660 wrote to memory of 2760 3660 hbbttn.exe 91 PID 2760 wrote to memory of 936 2760 3pjvp.exe 92 PID 2760 wrote to memory of 936 2760 3pjvp.exe 92 PID 2760 wrote to memory of 936 2760 3pjvp.exe 92 PID 936 wrote to memory of 1996 936 tnttbh.exe 93 PID 936 wrote to memory of 1996 936 
tnttbh.exe 93 PID 936 wrote to memory of 1996 936 tnttbh.exe 93 PID 1996 wrote to memory of 3688 1996 ddjpj.exe 94 PID 1996 wrote to memory of 3688 1996 ddjpj.exe 94 PID 1996 wrote to memory of 3688 1996 ddjpj.exe 94 PID 3688 wrote to memory of 2040 3688 rrrllll.exe 95 PID 3688 wrote to memory of 2040 3688 rrrllll.exe 95 PID 3688 wrote to memory of 2040 3688 rrrllll.exe 95 PID 2040 wrote to memory of 1812 2040 nbtnbb.exe 96 PID 2040 wrote to memory of 1812 2040 nbtnbb.exe 96 PID 2040 wrote to memory of 1812 2040 nbtnbb.exe 96 PID 1812 wrote to memory of 5020 1812 9xllrlr.exe 97 PID 1812 wrote to memory of 5020 1812 9xllrlr.exe 97 PID 1812 wrote to memory of 5020 1812 9xllrlr.exe 97 PID 5020 wrote to memory of 2664 5020 fffffll.exe 98 PID 5020 wrote to memory of 2664 5020 fffffll.exe 98 PID 5020 wrote to memory of 2664 5020 fffffll.exe 98 PID 2664 wrote to memory of 2768 2664 vdvpj.exe 99 PID 2664 wrote to memory of 2768 2664 vdvpj.exe 99 PID 2664 wrote to memory of 2768 2664 vdvpj.exe 99 PID 2768 wrote to memory of 4052 2768 llxxlfl.exe 100 PID 2768 wrote to memory of 4052 2768 llxxlfl.exe 100 PID 2768 wrote to memory of 4052 2768 llxxlfl.exe 100 PID 4052 wrote to memory of 2124 4052 1bnhbb.exe 101 PID 4052 wrote to memory of 2124 4052 1bnhbb.exe 101 PID 4052 wrote to memory of 2124 4052 1bnhbb.exe 101 PID 2124 wrote to memory of 3164 2124 pvvvp.exe 102 PID 2124 wrote to memory of 3164 2124 pvvvp.exe 102 PID 2124 wrote to memory of 3164 2124 pvvvp.exe 102 PID 3164 wrote to memory of 3528 3164 lxxrxxf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe"C:\Users\Admin\AppData\Local\Temp\9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\lflxfxr.exec:\lflxfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\htnhbb.exec:\htnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\rfllfrr.exec:\rfllfrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\rrlfxrr.exec:\rrlfxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\djdvp.exec:\djdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\hhhhbb.exec:\hhhhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\jvdvv.exec:\jvdvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\7tbttt.exec:\7tbttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\hbbttn.exec:\hbbttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\3pjvp.exec:\3pjvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\tnttbh.exec:\tnttbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\ddjpj.exec:\ddjpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\rrrllll.exec:\rrrllll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\nbtnbb.exec:\nbtnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\9xllrlr.exec:\9xllrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\fffffll.exec:\fffffll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\vdvpj.exec:\vdvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\llxxlfl.exec:\llxxlfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\1bnhbb.exec:\1bnhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\pvvvp.exec:\pvvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\lxxrxxf.exec:\lxxrxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\rlfxxrr.exec:\rlfxxrr.exe23⤵
- Executes dropped EXE
PID:3528 -
\??\c:\bbtnht.exec:\bbtnht.exe24⤵
- Executes dropped EXE
PID:5052 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe25⤵
- Executes dropped EXE
PID:3088 -
\??\c:\nhtntt.exec:\nhtntt.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\3pjdd.exec:\3pjdd.exe27⤵
- Executes dropped EXE
PID:1016 -
\??\c:\vpddj.exec:\vpddj.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\vvvvp.exec:\vvvvp.exe29⤵
- Executes dropped EXE
PID:440 -
\??\c:\btbnhh.exec:\btbnhh.exe30⤵
- Executes dropped EXE
PID:3192 -
\??\c:\frrlllr.exec:\frrlllr.exe31⤵
- Executes dropped EXE
PID:2192 -
\??\c:\7vvdv.exec:\7vvdv.exe32⤵
- Executes dropped EXE
PID:4484 -
\??\c:\nbhhhb.exec:\nbhhhb.exe33⤵
- Executes dropped EXE
PID:4564 -
\??\c:\9flflrl.exec:\9flflrl.exe34⤵
- Executes dropped EXE
PID:3244 -
\??\c:\nhnhbt.exec:\nhnhbt.exe35⤵
- Executes dropped EXE
PID:3832 -
\??\c:\jvjdj.exec:\jvjdj.exe36⤵
- Executes dropped EXE
PID:1880 -
\??\c:\pvvpp.exec:\pvvpp.exe37⤵
- Executes dropped EXE
PID:3960 -
\??\c:\frxrrll.exec:\frxrrll.exe38⤵
- Executes dropped EXE
PID:2372 -
\??\c:\nbnhbb.exec:\nbnhbb.exe39⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vdpjd.exec:\vdpjd.exe40⤵
- Executes dropped EXE
PID:2356 -
\??\c:\lffxrrl.exec:\lffxrrl.exe41⤵
- Executes dropped EXE
PID:2032 -
\??\c:\lrrllff.exec:\lrrllff.exe42⤵
- Executes dropped EXE
PID:4240 -
\??\c:\nhnhnn.exec:\nhnhnn.exe43⤵
- Executes dropped EXE
PID:2364 -
\??\c:\jjdvp.exec:\jjdvp.exe44⤵
- Executes dropped EXE
PID:5068 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe45⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ththnb.exec:\ththnb.exe46⤵
- Executes dropped EXE
PID:4948 -
\??\c:\vdpjv.exec:\vdpjv.exe47⤵
- Executes dropped EXE
PID:452 -
\??\c:\pdjjv.exec:\pdjjv.exe48⤵
- Executes dropped EXE
PID:2312 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe49⤵
- Executes dropped EXE
PID:536 -
\??\c:\ttttnn.exec:\ttttnn.exe50⤵
- Executes dropped EXE
PID:4276 -
\??\c:\pdjdj.exec:\pdjdj.exe51⤵
- Executes dropped EXE
PID:892 -
\??\c:\pjdvp.exec:\pjdvp.exe52⤵
- Executes dropped EXE
PID:4324 -
\??\c:\3fxfxrf.exec:\3fxfxrf.exe53⤵
- Executes dropped EXE
PID:4316 -
\??\c:\bnthbt.exec:\bnthbt.exe54⤵
- Executes dropped EXE
PID:4740 -
\??\c:\jjdvp.exec:\jjdvp.exe55⤵
- Executes dropped EXE
PID:756 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe56⤵
- Executes dropped EXE
PID:408 -
\??\c:\7hbbtt.exec:\7hbbtt.exe57⤵
- Executes dropped EXE
PID:1608 -
\??\c:\pjjdv.exec:\pjjdv.exe58⤵
- Executes dropped EXE
PID:2896 -
\??\c:\frxrffx.exec:\frxrffx.exe59⤵
- Executes dropped EXE
PID:1384 -
\??\c:\tthbtb.exec:\tthbtb.exe60⤵
- Executes dropped EXE
PID:4632 -
\??\c:\5hnhhh.exec:\5hnhhh.exe61⤵
- Executes dropped EXE
PID:1368 -
\??\c:\vpvjd.exec:\vpvjd.exe62⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lflfxxr.exec:\lflfxxr.exe63⤵
- Executes dropped EXE
PID:4208 -
\??\c:\dvdjd.exec:\dvdjd.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3536 -
\??\c:\lrrfxxr.exec:\lrrfxxr.exe65⤵
- Executes dropped EXE
PID:4808 -
\??\c:\xxfrrlf.exec:\xxfrrlf.exe66⤵PID:4736
-
\??\c:\tnnhhh.exec:\tnnhhh.exe67⤵PID:392
-
\??\c:\djddv.exec:\djddv.exe68⤵PID:1556
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe69⤵PID:1976
-
\??\c:\1hnbbt.exec:\1hnbbt.exe70⤵PID:2760
-
\??\c:\1hnhtt.exec:\1hnhtt.exe71⤵PID:2632
-
\??\c:\pdjdv.exec:\pdjdv.exe72⤵PID:3100
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe73⤵PID:1996
-
\??\c:\hbbtnh.exec:\hbbtnh.exe74⤵PID:3556
-
\??\c:\hnnhbb.exec:\hnnhbb.exe75⤵PID:1764
-
\??\c:\vvvvv.exec:\vvvvv.exe76⤵PID:2444
-
\??\c:\xxxrlff.exec:\xxxrlff.exe77⤵PID:1528
-
\??\c:\nhbbnb.exec:\nhbbnb.exe78⤵PID:320
-
\??\c:\5dvpj.exec:\5dvpj.exe79⤵PID:3624
-
\??\c:\fxlffxf.exec:\fxlffxf.exe80⤵PID:4352
-
\??\c:\thnhnh.exec:\thnhnh.exe81⤵PID:4284
-
\??\c:\btbtnh.exec:\btbtnh.exe82⤵PID:1932
-
\??\c:\pdjdv.exec:\pdjdv.exe83⤵PID:1952
-
\??\c:\rrlrlfx.exec:\rrlrlfx.exe84⤵PID:4480
-
\??\c:\tnhtnt.exec:\tnhtnt.exe85⤵PID:4496
-
\??\c:\5jjdp.exec:\5jjdp.exe86⤵PID:1100
-
\??\c:\9llrllf.exec:\9llrllf.exe87⤵PID:4076
-
\??\c:\bbbtnh.exec:\bbbtnh.exe88⤵PID:3740
-
\??\c:\pddvj.exec:\pddvj.exe89⤵PID:3340
-
\??\c:\5dpdv.exec:\5dpdv.exe90⤵PID:3088
-
\??\c:\lflrllx.exec:\lflrllx.exe91⤵PID:3384
-
\??\c:\htttnh.exec:\htttnh.exe92⤵PID:5088
-
\??\c:\pjvpp.exec:\pjvpp.exe93⤵PID:4672
-
\??\c:\ffxxlrx.exec:\ffxxlrx.exe94⤵PID:416
-
\??\c:\btbtth.exec:\btbtth.exe95⤵PID:4416
-
\??\c:\1jpjp.exec:\1jpjp.exe96⤵PID:1712
-
\??\c:\rxfrlfx.exec:\rxfrlfx.exe97⤵PID:2408
-
\??\c:\nnbtnb.exec:\nnbtnb.exe98⤵PID:2908
-
\??\c:\jvddd.exec:\jvddd.exe99⤵PID:2228
-
\??\c:\vppjp.exec:\vppjp.exe100⤵PID:3712
-
\??\c:\5lrxfxf.exec:\5lrxfxf.exe101⤵PID:1288
-
\??\c:\nhnhbb.exec:\nhnhbb.exe102⤵PID:4528
-
\??\c:\5jpjd.exec:\5jpjd.exe103⤵PID:928
-
\??\c:\1lfrllf.exec:\1lfrllf.exe104⤵PID:2440
-
\??\c:\btbtnh.exec:\btbtnh.exe105⤵PID:1424
-
\??\c:\hhnbnn.exec:\hhnbnn.exe106⤵PID:1644
-
\??\c:\pvdvp.exec:\pvdvp.exe107⤵PID:1784
-
\??\c:\lxfxxlf.exec:\lxfxxlf.exe108⤵PID:2356
-
\??\c:\1tbtnn.exec:\1tbtnn.exe109⤵PID:1612
-
\??\c:\hbbttt.exec:\hbbttt.exe110⤵PID:3520
-
\??\c:\1xfrllf.exec:\1xfrllf.exe111⤵PID:4788
-
\??\c:\ntbhbt.exec:\ntbhbt.exe112⤵PID:4456
-
\??\c:\dvdvp.exec:\dvdvp.exe113⤵PID:3652
-
\??\c:\djjjj.exec:\djjjj.exe114⤵PID:4948
-
\??\c:\rffxxxr.exec:\rffxxxr.exe115⤵PID:984
-
\??\c:\ttbhtt.exec:\ttbhtt.exe116⤵PID:1328
-
\??\c:\dvppd.exec:\dvppd.exe117⤵PID:3724
-
\??\c:\5flxxxr.exec:\5flxxxr.exe118⤵PID:2224
-
\??\c:\thhhhb.exec:\thhhhb.exe119⤵PID:4328
-
\??\c:\dvppp.exec:\dvppp.exe120⤵PID:1236
-
\??\c:\rlxlxxf.exec:\rlxlxxf.exe121⤵PID:3588
-
\??\c:\hhnbtn.exec:\hhnbtn.exe122⤵PID:4740
-