Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 16:49
Static task
static1
Behavioral task
behavioral1
Sample
c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe
Resource
win7-20241023-en
General
-
Target
c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe
-
Size
456KB
-
MD5
ca09624799ae23990ff7158dae4864a0
-
SHA1
142f121b416cd0f14676ca8d9ef1ba2d9477c18a
-
SHA256
c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ff
-
SHA512
a1a481941f07e7e6f9c48c14eaccfd7793fa442495eef9d4bf8606a2751622e32873453719adbc57f04377ca89815ef9a458f7d44406eb7cef8ff5ff013b27d4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR84:q7Tc2NYHUrAwfMp3CDRF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3228-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/976-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2848-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-1051-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-1144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-1941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2204 jdpjd.exe 1372 fflrlfx.exe 1644 hnttnn.exe 2052 7nhbbt.exe 4468 rlflrrr.exe 3680 vvddj.exe 4380 1xrlfff.exe 2104 7jjjd.exe 2552 9lfrlfx.exe 1844 vvjvp.exe 644 pjvpv.exe 4748 bbbnht.exe 2472 7lrfflr.exe 4224 htttbb.exe 540 dvdvv.exe 544 tnbttt.exe 1500 nbbtnn.exe 4844 rflfrll.exe 3096 btthbt.exe 3016 lflrfxl.exe 2724 ttbttt.exe 64 bthnbb.exe 3964 pjjpj.exe 776 ttbtnn.exe 2516 xxffffx.exe 3988 httnhb.exe 2280 7ppjv.exe 4516 rlxrrrx.exe 4528 nbhhbb.exe 4060 jppjd.exe 976 ppppj.exe 1084 rxfxxrf.exe 3504 bthbbb.exe 1676 nhbthh.exe 4300 7pvpp.exe 1880 rfllfff.exe 4064 pjppj.exe 1144 7rlfxxr.exe 4180 nhhbtt.exe 4020 rrxrlrr.exe 2728 xrrxrrl.exe 2784 5bbbtt.exe 2128 7vvpd.exe 4336 vvdpd.exe 2848 lflfllr.exe 3228 bthbtn.exe 2468 7hhbbt.exe 4148 vpdpp.exe 4800 rrfxxxx.exe 3872 bbnhbb.exe 5012 9jdvp.exe 2052 9vdvv.exe 1476 xlrlffx.exe 2072 ttbttn.exe 448 hbnhtt.exe 2684 9dpjd.exe 3416 fxfflxf.exe 2104 nbtnbb.exe 2432 1tthtn.exe 3536 1ddvj.exe 2320 fllxllx.exe 3552 9rffxxr.exe 4668 hnnnbh.exe 2480 pvdvp.exe -
resource yara_rule behavioral2/memory/3228-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-185-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1676-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-457-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2664-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-1052-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3228 wrote to memory of 2204 3228 c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe 84 PID 3228 wrote to memory of 2204 3228 c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe 84 PID 3228 wrote to memory of 2204 3228 c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe 84 PID 2204 wrote to memory of 1372 2204 jdpjd.exe 85 PID 2204 wrote to memory of 1372 2204 jdpjd.exe 85 PID 2204 wrote to memory of 1372 2204 jdpjd.exe 85 PID 1372 wrote to memory of 1644 1372 fflrlfx.exe 86 PID 1372 wrote to memory of 1644 1372 fflrlfx.exe 86 PID 1372 wrote to memory of 1644 1372 fflrlfx.exe 86 PID 1644 wrote to memory of 2052 1644 hnttnn.exe 87 PID 1644 wrote to memory of 2052 1644 hnttnn.exe 87 PID 1644 wrote to memory of 2052 1644 hnttnn.exe 87 PID 2052 wrote to memory of 4468 2052 7nhbbt.exe 88 PID 2052 wrote to memory of 4468 2052 7nhbbt.exe 88 PID 2052 wrote to memory of 4468 2052 7nhbbt.exe 88 PID 4468 wrote to memory of 3680 4468 rlflrrr.exe 89 PID 4468 wrote to memory of 3680 4468 rlflrrr.exe 89 PID 4468 wrote to memory of 3680 4468 rlflrrr.exe 89 PID 3680 wrote to memory of 4380 3680 vvddj.exe 90 PID 3680 wrote to memory of 4380 3680 vvddj.exe 90 PID 3680 wrote to memory of 4380 3680 vvddj.exe 90 PID 4380 wrote to memory of 2104 4380 1xrlfff.exe 91 PID 4380 wrote to memory of 2104 4380 1xrlfff.exe 91 PID 4380 wrote to memory of 2104 4380 1xrlfff.exe 91 PID 2104 wrote to memory of 2552 2104 7jjjd.exe 92 PID 2104 wrote to memory of 2552 2104 7jjjd.exe 92 PID 2104 wrote to memory of 2552 2104 7jjjd.exe 92 PID 2552 wrote to memory of 1844 2552 9lfrlfx.exe 93 PID 2552 wrote to memory of 1844 2552 9lfrlfx.exe 93 PID 2552 wrote to memory of 1844 2552 9lfrlfx.exe 93 PID 1844 wrote to memory of 644 1844 vvjvp.exe 94 PID 1844 wrote to memory of 644 1844 vvjvp.exe 94 PID 1844 wrote to memory of 644 1844 vvjvp.exe 94 PID 644 wrote to memory of 4748 644 pjvpv.exe 95 PID 644 wrote to 
memory of 4748 644 pjvpv.exe 95 PID 644 wrote to memory of 4748 644 pjvpv.exe 95 PID 4748 wrote to memory of 2472 4748 bbbnht.exe 96 PID 4748 wrote to memory of 2472 4748 bbbnht.exe 96 PID 4748 wrote to memory of 2472 4748 bbbnht.exe 96 PID 2472 wrote to memory of 4224 2472 7lrfflr.exe 97 PID 2472 wrote to memory of 4224 2472 7lrfflr.exe 97 PID 2472 wrote to memory of 4224 2472 7lrfflr.exe 97 PID 4224 wrote to memory of 540 4224 htttbb.exe 98 PID 4224 wrote to memory of 540 4224 htttbb.exe 98 PID 4224 wrote to memory of 540 4224 htttbb.exe 98 PID 540 wrote to memory of 544 540 dvdvv.exe 99 PID 540 wrote to memory of 544 540 dvdvv.exe 99 PID 540 wrote to memory of 544 540 dvdvv.exe 99 PID 544 wrote to memory of 1500 544 tnbttt.exe 100 PID 544 wrote to memory of 1500 544 tnbttt.exe 100 PID 544 wrote to memory of 1500 544 tnbttt.exe 100 PID 1500 wrote to memory of 4844 1500 nbbtnn.exe 101 PID 1500 wrote to memory of 4844 1500 nbbtnn.exe 101 PID 1500 wrote to memory of 4844 1500 nbbtnn.exe 101 PID 4844 wrote to memory of 3096 4844 rflfrll.exe 102 PID 4844 wrote to memory of 3096 4844 rflfrll.exe 102 PID 4844 wrote to memory of 3096 4844 rflfrll.exe 102 PID 3096 wrote to memory of 3016 3096 btthbt.exe 103 PID 3096 wrote to memory of 3016 3096 btthbt.exe 103 PID 3096 wrote to memory of 3016 3096 btthbt.exe 103 PID 3016 wrote to memory of 2724 3016 lflrfxl.exe 104 PID 3016 wrote to memory of 2724 3016 lflrfxl.exe 104 PID 3016 wrote to memory of 2724 3016 lflrfxl.exe 104 PID 2724 wrote to memory of 64 2724 ttbttt.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe"C:\Users\Admin\AppData\Local\Temp\c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\jdpjd.exec:\jdpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\fflrlfx.exec:\fflrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\hnttnn.exec:\hnttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\7nhbbt.exec:\7nhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\rlflrrr.exec:\rlflrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\vvddj.exec:\vvddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\1xrlfff.exec:\1xrlfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\7jjjd.exec:\7jjjd.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\9lfrlfx.exec:\9lfrlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\vvjvp.exec:\vvjvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\pjvpv.exec:\pjvpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\bbbnht.exec:\bbbnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\7lrfflr.exec:\7lrfflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\htttbb.exec:\htttbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\dvdvv.exec:\dvdvv.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\tnbttt.exec:\tnbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\nbbtnn.exec:\nbbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\rflfrll.exec:\rflfrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\btthbt.exec:\btthbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\lflrfxl.exec:\lflrfxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\ttbttt.exec:\ttbttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\bthnbb.exec:\bthnbb.exe23⤵
- Executes dropped EXE
PID:64 -
\??\c:\pjjpj.exec:\pjjpj.exe24⤵
- Executes dropped EXE
PID:3964 -
\??\c:\ttbtnn.exec:\ttbtnn.exe25⤵
- Executes dropped EXE
PID:776 -
\??\c:\xxffffx.exec:\xxffffx.exe26⤵
- Executes dropped EXE
PID:2516 -
\??\c:\httnhb.exec:\httnhb.exe27⤵
- Executes dropped EXE
PID:3988 -
\??\c:\7ppjv.exec:\7ppjv.exe28⤵
- Executes dropped EXE
PID:2280 -
\??\c:\rlxrrrx.exec:\rlxrrrx.exe29⤵
- Executes dropped EXE
PID:4516 -
\??\c:\nbhhbb.exec:\nbhhbb.exe30⤵
- Executes dropped EXE
PID:4528 -
\??\c:\jppjd.exec:\jppjd.exe31⤵
- Executes dropped EXE
PID:4060 -
\??\c:\ppppj.exec:\ppppj.exe32⤵
- Executes dropped EXE
PID:976 -
\??\c:\rxfxxrf.exec:\rxfxxrf.exe33⤵
- Executes dropped EXE
PID:1084 -
\??\c:\bthbbb.exec:\bthbbb.exe34⤵
- Executes dropped EXE
PID:3504 -
\??\c:\nhbthh.exec:\nhbthh.exe35⤵
- Executes dropped EXE
PID:1676 -
\??\c:\7pvpp.exec:\7pvpp.exe36⤵
- Executes dropped EXE
PID:4300 -
\??\c:\rfllfff.exec:\rfllfff.exe37⤵
- Executes dropped EXE
PID:1880 -
\??\c:\pjppj.exec:\pjppj.exe38⤵
- Executes dropped EXE
PID:4064 -
\??\c:\7rlfxxr.exec:\7rlfxxr.exe39⤵
- Executes dropped EXE
PID:1144 -
\??\c:\nhhbtt.exec:\nhhbtt.exe40⤵
- Executes dropped EXE
PID:4180 -
\??\c:\rrxrlrr.exec:\rrxrlrr.exe41⤵
- Executes dropped EXE
PID:4020 -
\??\c:\xrrxrrl.exec:\xrrxrrl.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\5bbbtt.exec:\5bbbtt.exe43⤵
- Executes dropped EXE
PID:2784 -
\??\c:\7vvpd.exec:\7vvpd.exe44⤵
- Executes dropped EXE
PID:2128 -
\??\c:\vvdpd.exec:\vvdpd.exe45⤵
- Executes dropped EXE
PID:4336 -
\??\c:\lflfllr.exec:\lflfllr.exe46⤵
- Executes dropped EXE
PID:2848 -
\??\c:\bthbtn.exec:\bthbtn.exe47⤵
- Executes dropped EXE
PID:3228 -
\??\c:\7hhbbt.exec:\7hhbbt.exe48⤵
- Executes dropped EXE
PID:2468 -
\??\c:\vpdpp.exec:\vpdpp.exe49⤵
- Executes dropped EXE
PID:4148 -
\??\c:\rrfxxxx.exec:\rrfxxxx.exe50⤵
- Executes dropped EXE
PID:4800 -
\??\c:\bbnhbb.exec:\bbnhbb.exe51⤵
- Executes dropped EXE
PID:3872 -
\??\c:\9jdvp.exec:\9jdvp.exe52⤵
- Executes dropped EXE
PID:5012 -
\??\c:\9vdvv.exec:\9vdvv.exe53⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xlrlffx.exec:\xlrlffx.exe54⤵
- Executes dropped EXE
PID:1476 -
\??\c:\ttbttn.exec:\ttbttn.exe55⤵
- Executes dropped EXE
PID:2072 -
\??\c:\hbnhtt.exec:\hbnhtt.exe56⤵
- Executes dropped EXE
PID:448 -
\??\c:\9dpjd.exec:\9dpjd.exe57⤵
- Executes dropped EXE
PID:2684 -
\??\c:\fxfflxf.exec:\fxfflxf.exe58⤵
- Executes dropped EXE
PID:3416 -
\??\c:\nbtnbb.exec:\nbtnbb.exe59⤵
- Executes dropped EXE
PID:2104 -
\??\c:\1tthtn.exec:\1tthtn.exe60⤵
- Executes dropped EXE
PID:2432 -
\??\c:\1ddvj.exec:\1ddvj.exe61⤵
- Executes dropped EXE
PID:3536 -
\??\c:\fllxllx.exec:\fllxllx.exe62⤵
- Executes dropped EXE
PID:2320 -
\??\c:\9rffxxr.exec:\9rffxxr.exe63⤵
- Executes dropped EXE
PID:3552 -
\??\c:\hnnnbh.exec:\hnnnbh.exe64⤵
- Executes dropped EXE
PID:4668 -
\??\c:\pvdvp.exec:\pvdvp.exe65⤵
- Executes dropped EXE
PID:2480 -
\??\c:\pjpjp.exec:\pjpjp.exe66⤵PID:4876
-
\??\c:\fxlfllr.exec:\fxlfllr.exe67⤵PID:1076
-
\??\c:\nnhhbt.exec:\nnhhbt.exe68⤵PID:2816
-
\??\c:\ddvpj.exec:\ddvpj.exe69⤵
- System Location Discovery: System Language Discovery
PID:3196 -
\??\c:\1jjvv.exec:\1jjvv.exe70⤵PID:5032
-
\??\c:\xrrrlfx.exec:\xrrrlfx.exe71⤵PID:2028
-
\??\c:\bnnnhn.exec:\bnnnhn.exe72⤵PID:4572
-
\??\c:\dvddd.exec:\dvddd.exe73⤵PID:3224
-
\??\c:\fxrfxxr.exec:\fxrfxxr.exe74⤵PID:3744
-
\??\c:\nttnhh.exec:\nttnhh.exe75⤵PID:3432
-
\??\c:\vddvj.exec:\vddvj.exe76⤵PID:4844
-
\??\c:\xrxrlll.exec:\xrxrlll.exe77⤵PID:3900
-
\??\c:\fxrlflf.exec:\fxrlflf.exe78⤵PID:5056
-
\??\c:\nhhbbt.exec:\nhhbbt.exe79⤵PID:2724
-
\??\c:\pddvj.exec:\pddvj.exe80⤵PID:4500
-
\??\c:\7djjd.exec:\7djjd.exe81⤵PID:3000
-
\??\c:\ffxrxxf.exec:\ffxrxxf.exe82⤵PID:4388
-
\??\c:\3hhbtn.exec:\3hhbtn.exe83⤵PID:1552
-
\??\c:\pdddd.exec:\pdddd.exe84⤵PID:776
-
\??\c:\3ddpp.exec:\3ddpp.exe85⤵PID:4944
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe86⤵
- System Location Discovery: System Language Discovery
PID:2068 -
\??\c:\xrllrrl.exec:\xrllrrl.exe87⤵PID:4316
-
\??\c:\hbbtnh.exec:\hbbtnh.exe88⤵PID:4776
-
\??\c:\dpppp.exec:\dpppp.exe89⤵PID:4924
-
\??\c:\xxfxlxr.exec:\xxfxlxr.exe90⤵PID:3020
-
\??\c:\3bbnnn.exec:\3bbnnn.exe91⤵PID:4164
-
\??\c:\djppj.exec:\djppj.exe92⤵PID:1900
-
\??\c:\1pdvd.exec:\1pdvd.exe93⤵PID:2820
-
\??\c:\5lrfrfx.exec:\5lrfrfx.exe94⤵PID:3628
-
\??\c:\tntntt.exec:\tntntt.exe95⤵PID:4072
-
\??\c:\ntthth.exec:\ntthth.exe96⤵PID:2536
-
\??\c:\9pjdp.exec:\9pjdp.exe97⤵PID:1068
-
\??\c:\lllxrlx.exec:\lllxrlx.exe98⤵PID:1580
-
\??\c:\5nttbb.exec:\5nttbb.exe99⤵PID:1880
-
\??\c:\bbnhbb.exec:\bbnhbb.exe100⤵PID:4064
-
\??\c:\pjjdp.exec:\pjjdp.exe101⤵PID:4212
-
\??\c:\rxfxlxr.exec:\rxfxlxr.exe102⤵PID:3948
-
\??\c:\tbthbt.exec:\tbthbt.exe103⤵PID:4128
-
\??\c:\1dpdp.exec:\1dpdp.exe104⤵PID:872
-
\??\c:\pdpjj.exec:\pdpjj.exe105⤵PID:1548
-
\??\c:\1llxrll.exec:\1llxrll.exe106⤵PID:4288
-
\??\c:\3btnbt.exec:\3btnbt.exe107⤵PID:2852
-
\??\c:\djppv.exec:\djppv.exe108⤵PID:3136
-
\??\c:\rxxlxxx.exec:\rxxlxxx.exe109⤵PID:2848
-
\??\c:\bnhtht.exec:\bnhtht.exe110⤵PID:1808
-
\??\c:\9jvvv.exec:\9jvvv.exe111⤵PID:2844
-
\??\c:\jdvpd.exec:\jdvpd.exe112⤵PID:4328
-
\??\c:\llrfrrl.exec:\llrfrrl.exe113⤵PID:4216
-
\??\c:\ntnnhh.exec:\ntnnhh.exe114⤵PID:3872
-
\??\c:\jvpdp.exec:\jvpdp.exe115⤵PID:5012
-
\??\c:\frrfrlf.exec:\frrfrlf.exe116⤵PID:2052
-
\??\c:\xflfrfr.exec:\xflfrfr.exe117⤵PID:2664
-
\??\c:\ttnbth.exec:\ttnbth.exe118⤵PID:3680
-
\??\c:\bthnbn.exec:\bthnbn.exe119⤵PID:3028
-
\??\c:\dpjdj.exec:\dpjdj.exe120⤵PID:1004
-
\??\c:\7lflxrf.exec:\7lflxrf.exe121⤵PID:5004
-
\??\c:\bbhhhh.exec:\bbhhhh.exe122⤵PID:4880