Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2024, 03:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe
- Resource: win7-20240903-en
The signatures and process tree on this page are drawn from the Windows 10 run described under Analysis (their resources are named behavioral2/...); behavioral1 is the Windows 7 resource listed above.

General
- Target: 3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe
- Size: 454KB
- MD5: 1473e792116bb9e4d6b3f4743850321b
- SHA1: 68d45f1e626f51647bdfb0514c6a09fcace5d417
- SHA256: 3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af
- SHA512: b8cfe6ae57e3da358702c057a425738f6e108c4b8f0ba046a5e1c4b5a248515d97a68f0b8e2c5a41f017ae65d3c2512c0edd720989e673c1f9e8d568b2466cff
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload 63 IoCs
Columns: resource, yara_rule. All 63 hits are the rule family_blackmoon matching a process memory dump of the same 0x2A000-byte region, 0x0000000000400000-0x000000000042A000, which is the mapped image of the dropped executable in each process; the identical region in every process is consistent with each dropped file being a copy of one binary. Resources are behavioral2/memory/<pid>-<seq>-0x0000000000400000-0x000000000042A000-memory.dmp for the following <pid>-<seq> values:
3380-4, 956-10, 2020-18, 5004-26, 3704-35, 4136-24, 3892-44, 4912-50, 3028-58, 4296-64, 4968-71,
2036-80, 3696-96, 5012-93, 3232-99, 2984-112, 4392-116, 3160-110, 1888-127, 448-133, 1816-144,
2996-154, 3624-160, 4228-163, 1952-173, 1648-178, 4112-192, 556-202, 2096-206, 3108-209, 4552-216,
2168-220, 2544-230, 3936-237, 2600-241, 316-245, 4716-263, 4312-288, 1620-298, 3784-308, 968-315,
4584-322, 3460-329, 3708-339, 2684-343, 624-374, 1064-381, 3768-403, 1344-410, 2804-440, 4736-460,
3104-464, 1108-480, 4860-490, 2704-497, 3040-516, 2244-541, 3440-599, 3120-615, 4948-742, 3052-830,
3128-924, 832-1444
- Executes dropped EXE 64 IoCs
Columns: pid, Process (64 rows, in the order the report lists them):
956 fxfxrlf.exe, 2020 vdjdp.exe, 5004 rllfrfx.exe, 4136 flrlffx.exe, 3464 btnhbb.exe, 3704 pdjvp.exe, 3892 lfllfxr.exe, 4912 9nhbtn.exe,
3028 bnnhnn.exe, 4964 vjvdd.exe, 4296 lxlffll.exe, 4968 ddjpp.exe, 2036 fffrrrr.exe, 112 xrlrlrr.exe, 3696 vvppj.exe, 5012 lxxrlfx.exe,
3232 nhttbb.exe, 3160 vpdjd.exe, 2984 vpvvp.exe, 4392 rrxxxxr.exe, 1888 ttbbtb.exe, 448 fxffflf.exe, 2396 lllllll.exe, 1816 djddv.exe,
2496 xlxxrxx.exe, 2996 xrlllll.exe, 3624 xlxxxxx.exe, 4228 1jppj.exe, 1952 dvjjp.exe, 1648 tntnhb.exe, 3852 3vvpp.exe, 1344 1jjdv.exe,
4112 frfxffr.exe, 1960 1hhbtt.exe, 2828 jddvp.exe, 556 jpvpd.exe, 2096 xrrllfr.exe, 3108 hbbbtt.exe, 2748 dpvpj.exe, 4552 vpjdd.exe,
2168 xlxrrrr.exe, 4332 htbttt.exe, 3052 dppjd.exe, 2544 ddpdp.exe, 2020 3llfrll.exe, 3936 bhnhbh.exe, 2600 thnbnh.exe, 316 jdjdp.exe,
3068 xllfxxx.exe, 3980 bbtnbb.exe, 3704 bnnhtt.exe, 4696 7djjd.exe, 2572 7rlfllx.exe, 4716 nhttbt.exe, 3116 pdvpd.exe, 1236 1djdv.exe,
4512 lfflxff.exe, 2140 nhtttb.exe, 3712 pvpjj.exe, 3800 pjpvj.exe, 1964 xxfxxxx.exe, 4312 hhhbtt.exe, 116 jjjpp.exe, 2016 7fllfff.exe
PIDs 2020 (vdjdp.exe, later 3llfrll.exe) and 3704 (pdjvp.exe, later bnnhtt.exe) are reused within this table, and more are reused further down the process tree, because Windows hands a PID out again once the earlier process has exited. A PID alone therefore does not identify a process in this report; pair it with the image name or with the sequence number in the memory dump resource.
- upx yara rule 64 IoCs
Columns: resource, yara_rule. All 64 hits are the rule upx on dumps of the same region as above, behavioral2/memory/<pid>-<seq>-0x0000000000400000-0x000000000042A000-memory.dmp, for the following <pid>-<seq> values:
3380-4, 956-10, 2020-18, 5004-26, 3704-35, 4136-24, 5004-16, 3892-44, 4912-50, 3028-58, 4296-64, 4968-71,
2036-80, 3696-96, 5012-93, 3232-99, 2984-112, 4392-116, 3160-110, 1888-127, 448-133, 1816-144, 2996-154, 3624-160,
4228-163, 1952-173, 1648-178, 4112-192, 556-202, 2096-206, 3108-209, 4552-216, 2168-220, 2544-230, 3936-237, 2600-241,
316-245, 4716-263, 4312-288, 1620-298, 3784-308, 968-315, 4584-322, 3460-329, 3708-339, 2684-343, 624-374, 1064-381,
3768-403, 1344-410, 2804-440, 4736-460, 3104-464, 1108-480, 4860-490, 2704-497, 3040-516, 2244-541, 3440-599, 3120-615,
4948-742, 3052-830, 3128-924, 3400-1289
UPX unpacks in place inside the mapped image, so a dump taken after the stub has run still carries the UPX section headers (the upx hit) next to the decompressed code (the family_blackmoon hit on the same dumps). The upx match on its own says nothing about the family; the payload rule is the one that carries the verdict.
- System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Columns: description, ioc, Process. All 64 rows are the same event, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, attributed as follows:
- 47 rows: Process not Found (the sandbox could not attribute the read to a process in the tree)
- 17 rows, one each: tnbbtt.exe, xrxxxxx.exe, hbttbt.exe, dpvpd.exe, dpvvv.exe, ttbtnh.exe, 5pvvp.exe, pdpjj.exe, djjpd.exe, vdjdp.exe, htnnnn.exe, thhtnh.exe, flrlffx.exe, vdddv.exe, 9ttthh.exe, jvjvp.exe, btttbh.exe
Two caveats. Reading this key is how any program resolves the system locale, so the signature is informational on its own and gains weight here only from the processes it is attributed to. Several of the named images (tnbbtt.exe and xrxxxxx.exe, for example) do not appear in the 122-entry process tree below, so the spawn chain ran deeper than the tree shows.
- Suspicious use of WriteProcessMemory 64 IoCs
Columns: pid, Process, target pid, procid_target. Every parent/child pair below appears three times in the report (three writes per spawn), and every target is the writer's own newly created child, so these rows document the spawn chain rather than injection into an unrelated process. The report shows only the first 64 rows.
3380 3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe -> 956 (82)
956 fxfxrlf.exe -> 2020 (83)
2020 vdjdp.exe -> 5004 (84)
5004 rllfrfx.exe -> 4136 (85)
4136 flrlffx.exe -> 3464 (86)
3464 btnhbb.exe -> 3704 (87)
3704 pdjvp.exe -> 3892 (88)
3892 lfllfxr.exe -> 4912 (89)
4912 9nhbtn.exe -> 3028 (90)
3028 bnnhnn.exe -> 4964 (91)
4964 vjvdd.exe -> 4296 (92)
4296 lxlffll.exe -> 4968 (93)
4968 ddjpp.exe -> 2036 (94)
2036 fffrrrr.exe -> 112 (95)
112 xrlrlrr.exe -> 3696 (96)
3696 vvppj.exe -> 5012 (97)
5012 lxxrlfx.exe -> 3232 (98)
3232 nhttbb.exe -> 3160 (99)
3160 vpdjd.exe -> 2984 (100)
2984 vpvvp.exe -> 4392 (101)
4392 rrxxxxr.exe -> 1888 (102)
1888 ttbbtb.exe -> 448 (103), one row only before the 64-row cap
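The two tables above (Executes dropped EXE and Suspicious use of WriteProcessMemory) and the process tree below carry the facts a responder actually wants from this report: a single spawn chain, a fixed number of writes per spawn, PIDs that get reused, and dropped files whose names follow one pattern. The following script is an added example, not part of the Triage report or of Triage's own tooling. It parses rows shaped like the report's tables (the sample rows are constructed by copying a few entries from this page), rebuilds the chain, counts writes per parent/child pair, lists reused PIDs, and matches the naming pattern observed in this report's dropped files (an optional odd digit, then 4 to 7 letters drawn from a single group bhnt, djpv or flrx). That pattern is an observation from the names on this page, not a published Blackmoon indicator; the regexes and function names are my own.

```python
"""Added example (not from the Triage report): rebuild the spawn chain and
PID-reuse facts from rows shaped like the report's signature tables."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE = "3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe"

# Constructed sample: the first rows of the report's "Suspicious use of
# WriteProcessMemory" table, one per line, in the report's column order:
#   PID <pid> wrote to memory of <target pid> <pid> <Process> <procid_target>
WPM_ROWS = f"""
PID 3380 wrote to memory of 956 3380 {SAMPLE} 82
PID 3380 wrote to memory of 956 3380 {SAMPLE} 82
PID 3380 wrote to memory of 956 3380 {SAMPLE} 82
PID 956 wrote to memory of 2020 956 fxfxrlf.exe 83
PID 956 wrote to memory of 2020 956 fxfxrlf.exe 83
PID 956 wrote to memory of 2020 956 fxfxrlf.exe 83
PID 2020 wrote to memory of 5004 2020 vdjdp.exe 84
PID 2020 wrote to memory of 5004 2020 vdjdp.exe 84
PID 2020 wrote to memory of 5004 2020 vdjdp.exe 84
PID 5004 wrote to memory of 4136 5004 rllfrfx.exe 85
PID 5004 wrote to memory of 4136 5004 rllfrfx.exe 85
PID 5004 wrote to memory of 4136 5004 rllfrfx.exe 85
"""

# Constructed sample: rows from the "Executes dropped EXE" table (pid, Process),
# including the two PIDs the report attributes to a second image later in the run.
DROPPED_ROWS = [
    (956, "fxfxrlf.exe"), (2020, "vdjdp.exe"), (5004, "rllfrfx.exe"),
    (4136, "flrlffx.exe"), (3464, "btnhbb.exe"), (3704, "pdjvp.exe"),
    (2544, "ddpdp.exe"), (2020, "3llfrll.exe"), (3980, "bbtnbb.exe"),
    (3704, "bnnhtt.exe"),
]

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) \d+$"
)

# Naming pattern observed in this report's dropped files (an observation, not a
# published indicator): optional odd digit, then 4-7 letters drawn from a single
# group, bhnt, djpv or flrx, e.g. 9nhbtn.exe, vdjdp.exe, fxfxrlf.exe.
DROPPER_NAME = re.compile(r"^[13579]?(?:[bhnt]{4,7}|[djpv]{4,7}|[flrx]{4,7})\.exe$")


def parse_wpm(text: str) -> List[Tuple[int, str, int]]:
    """Return (source pid, source image, target pid) per row; ignore other lines."""
    rows = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), m["image"], int(m["dst"])))
    return rows


def writes_per_spawn(rows: List[Tuple[int, str, int]]) -> Dict[Tuple[int, int], int]:
    """Count WriteProcessMemory rows per parent->child pair. A uniform small count
    (three per pair in this report) is the footprint of the spawn itself; a pair
    with a much larger count, or a target that is not the writer's own child,
    is what would be worth examining as injection."""
    return dict(Counter((src, dst) for src, _img, dst in rows))


def spawn_chain(rows: List[Tuple[int, str, int]]) -> List[int]:
    """Follow parent->child edges from the single root and return the ordered PIDs.
    Raises if the tree branches or a reused PID makes the walk loop."""
    edges: Dict[int, int] = {}
    for src, _img, dst in rows:
        if edges.setdefault(src, dst) != dst:
            raise ValueError(f"pid {src} wrote to more than one child; not a chain")
    roots = [s for s in edges if s not in edges.values()]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain = [roots[0]]
    while chain[-1] in edges:
        nxt = edges[chain[-1]]
        if nxt in chain:
            raise ValueError(f"pid {nxt} reused; split the rows by time before walking")
        chain.append(nxt)
    return chain


def pid_reuse(dropped: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """PIDs attributed to more than one image: Windows hands a PID out again once
    the earlier process exits, so PID alone is not a stable key in a long chain."""
    seen: Dict[int, List[str]] = defaultdict(list)
    for pid, image in dropped:
        if image not in seen[pid]:
            seen[pid].append(image)
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


def is_dropper_name(image: str) -> bool:
    """True if the basename matches the naming pattern observed in this report."""
    return DROPPER_NAME.match(image.rsplit("\\", 1)[-1].lower()) is not None


if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    print("chain:", " -> ".join(map(str, spawn_chain(rows))))
    print("writes per spawn:", writes_per_spawn(rows))
    print("reused pids:", pid_reuse(DROPPED_ROWS))
    for name in ("fxfxrlf.exe", r"\??\c:\9nhbtn.exe", "explorer.exe"):
        print(f"{name}: {'dropper-like' if is_dropper_name(name) else 'no match'}")
```

On the full table from this report the chain walk would stop with the reuse error at the point where PID 2020 reappears as 3llfrll.exe; that is deliberate, because a reused PID means the rows must be split by time (or keyed by image name and dump sequence number) before a parent/child graph is trustworthy.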
Processes
Each entry is the child of the entry above it: the tree is a single chain, 122 processes deep as far as the report shows. Every dropped file is written to the root of the C: drive and launched with no arguments. Columns: depth, image path, command line, PID, then the signatures attributed to that process. The Executes dropped EXE tag stops at depth 65 and the WriteProcessMemory tag at depth 22 because those signature tables are capped at 64 rows, not because later processes behave differently.
1. C:\Users\Admin\AppData\Local\Temp\3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe"  PID 3380
   - Suspicious use of WriteProcessMemory
2. \??\c:\fxfxrlf.exe  cmd: c:\fxfxrlf.exe  PID 956
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. \??\c:\vdjdp.exe  cmd: c:\vdjdp.exe  PID 2020
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. \??\c:\rllfrfx.exe  cmd: c:\rllfrfx.exe  PID 5004
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. \??\c:\flrlffx.exe  cmd: c:\flrlffx.exe  PID 4136
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. \??\c:\btnhbb.exe  cmd: c:\btnhbb.exe  PID 3464
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. \??\c:\pdjvp.exe  cmd: c:\pdjvp.exe  PID 3704
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. \??\c:\lfllfxr.exe  cmd: c:\lfllfxr.exe  PID 3892
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. \??\c:\9nhbtn.exe  cmd: c:\9nhbtn.exe  PID 4912
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. \??\c:\bnnhnn.exe  cmd: c:\bnnhnn.exe  PID 3028
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. \??\c:\vjvdd.exe  cmd: c:\vjvdd.exe  PID 4964
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. \??\c:\lxlffll.exe  cmd: c:\lxlffll.exe  PID 4296
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. \??\c:\ddjpp.exe  cmd: c:\ddjpp.exe  PID 4968
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. \??\c:\fffrrrr.exe  cmd: c:\fffrrrr.exe  PID 2036
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. \??\c:\xrlrlrr.exe  cmd: c:\xrlrlrr.exe  PID 112
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. \??\c:\vvppj.exe  cmd: c:\vvppj.exe  PID 3696
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. \??\c:\lxxrlfx.exe  cmd: c:\lxxrlfx.exe  PID 5012
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. \??\c:\nhttbb.exe  cmd: c:\nhttbb.exe  PID 3232
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. \??\c:\vpdjd.exe  cmd: c:\vpdjd.exe  PID 3160
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. \??\c:\vpvvp.exe  cmd: c:\vpvvp.exe  PID 2984
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. \??\c:\rrxxxxr.exe  cmd: c:\rrxxxxr.exe  PID 4392
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. \??\c:\ttbbtb.exe  cmd: c:\ttbbtb.exe  PID 1888
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. \??\c:\fxffflf.exe  cmd: c:\fxffflf.exe  PID 448
   - Executes dropped EXE
24. \??\c:\lllllll.exe  cmd: c:\lllllll.exe  PID 2396
   - Executes dropped EXE
25. \??\c:\djddv.exe  cmd: c:\djddv.exe  PID 1816
   - Executes dropped EXE
26. \??\c:\xlxxrxx.exe  cmd: c:\xlxxrxx.exe  PID 2496
   - Executes dropped EXE
27. \??\c:\xrlllll.exe  cmd: c:\xrlllll.exe  PID 2996
   - Executes dropped EXE
28. \??\c:\xlxxxxx.exe  cmd: c:\xlxxxxx.exe  PID 3624
   - Executes dropped EXE
29. \??\c:\1jppj.exe  cmd: c:\1jppj.exe  PID 4228
   - Executes dropped EXE
30. \??\c:\dvjjp.exe  cmd: c:\dvjjp.exe  PID 1952
   - Executes dropped EXE
31. \??\c:\tntnhb.exe  cmd: c:\tntnhb.exe  PID 1648
   - Executes dropped EXE
32. \??\c:\3vvpp.exe  cmd: c:\3vvpp.exe  PID 3852
   - Executes dropped EXE
33. \??\c:\1jjdv.exe  cmd: c:\1jjdv.exe  PID 1344
   - Executes dropped EXE
34. \??\c:\frfxffr.exe  cmd: c:\frfxffr.exe  PID 4112
   - Executes dropped EXE
35. \??\c:\1hhbtt.exe  cmd: c:\1hhbtt.exe  PID 1960
   - Executes dropped EXE
36. \??\c:\jddvp.exe  cmd: c:\jddvp.exe  PID 2828
   - Executes dropped EXE
37. \??\c:\jpvpd.exe  cmd: c:\jpvpd.exe  PID 556
   - Executes dropped EXE
38. \??\c:\xrrllfr.exe  cmd: c:\xrrllfr.exe  PID 2096
   - Executes dropped EXE
39. \??\c:\hbbbtt.exe  cmd: c:\hbbbtt.exe  PID 3108
   - Executes dropped EXE
40. \??\c:\dpvpj.exe  cmd: c:\dpvpj.exe  PID 2748
   - Executes dropped EXE
41. \??\c:\vpjdd.exe  cmd: c:\vpjdd.exe  PID 4552
   - Executes dropped EXE
42. \??\c:\xlxrrrr.exe  cmd: c:\xlxrrrr.exe  PID 2168
   - Executes dropped EXE
43. \??\c:\htbttt.exe  cmd: c:\htbttt.exe  PID 4332
   - Executes dropped EXE
44. \??\c:\dppjd.exe  cmd: c:\dppjd.exe  PID 3052
   - Executes dropped EXE
45. \??\c:\ddpdp.exe  cmd: c:\ddpdp.exe  PID 2544
   - Executes dropped EXE
46. \??\c:\3llfrll.exe  cmd: c:\3llfrll.exe  PID 2020
   - Executes dropped EXE
47. \??\c:\bhnhbh.exe  cmd: c:\bhnhbh.exe  PID 3936
   - Executes dropped EXE
48. \??\c:\thnbnh.exe  cmd: c:\thnbnh.exe  PID 2600
   - Executes dropped EXE
49. \??\c:\jdjdp.exe  cmd: c:\jdjdp.exe  PID 316
   - Executes dropped EXE
50. \??\c:\xllfxxx.exe  cmd: c:\xllfxxx.exe  PID 3068
   - Executes dropped EXE
51. \??\c:\bbtnbb.exe  cmd: c:\bbtnbb.exe  PID 3980
   - Executes dropped EXE
52. \??\c:\bnnhtt.exe  cmd: c:\bnnhtt.exe  PID 3704
   - Executes dropped EXE
53. \??\c:\7djjd.exe  cmd: c:\7djjd.exe  PID 4696
   - Executes dropped EXE
54. \??\c:\7rlfllx.exe  cmd: c:\7rlfllx.exe  PID 2572
   - Executes dropped EXE
55. \??\c:\nhttbt.exe  cmd: c:\nhttbt.exe  PID 4716
   - Executes dropped EXE
56. \??\c:\pdvpd.exe  cmd: c:\pdvpd.exe  PID 3116
   - Executes dropped EXE
57. \??\c:\1djdv.exe  cmd: c:\1djdv.exe  PID 1236
   - Executes dropped EXE
58. \??\c:\lfflxff.exe  cmd: c:\lfflxff.exe  PID 4512
   - Executes dropped EXE
59. \??\c:\nhtttb.exe  cmd: c:\nhtttb.exe  PID 2140
   - Executes dropped EXE
60. \??\c:\pvpjj.exe  cmd: c:\pvpjj.exe  PID 3712
   - Executes dropped EXE
61. \??\c:\pjpvj.exe  cmd: c:\pjpvj.exe  PID 3800
   - Executes dropped EXE
62. \??\c:\xxfxxxx.exe  cmd: c:\xxfxxxx.exe  PID 1964
   - Executes dropped EXE
63. \??\c:\hhhbtt.exe  cmd: c:\hhhbtt.exe  PID 4312
   - Executes dropped EXE
64. \??\c:\jjjpp.exe  cmd: c:\jjjpp.exe  PID 116
   - Executes dropped EXE
65. \??\c:\7fllfff.exe  cmd: c:\7fllfff.exe  PID 2016
   - Executes dropped EXE
66. \??\c:\5lrllrl.exe  cmd: c:\5lrllrl.exe  PID 1620
67. \??\c:\thnnnt.exe  cmd: c:\thnnnt.exe  PID 4296
68. \??\c:\7pjvp.exe  cmd: c:\7pjvp.exe  PID 2348
69. \??\c:\fxxxrxx.exe  cmd: c:\fxxxrxx.exe  PID 3784
70. \??\c:\btttbh.exe  cmd: c:\btttbh.exe  PID 672
   - System Location Discovery: System Language Discovery
71. \??\c:\bbttbb.exe  cmd: c:\bbttbb.exe  PID 968
72. \??\c:\7pdpp.exe  cmd: c:\7pdpp.exe  PID 5032
73. \??\c:\fxlllll.exe  cmd: c:\fxlllll.exe  PID 4584
74. \??\c:\nntnnt.exe  cmd: c:\nntnnt.exe  PID 4568
75. \??\c:\dvjjj.exe  cmd: c:\dvjjj.exe  PID 3460
76. \??\c:\vjvvp.exe  cmd: c:\vjvvp.exe  PID 3316
77. \??\c:\lfffxxx.exe  cmd: c:\lfffxxx.exe  PID 5000
78. \??\c:\nhttnt.exe  cmd: c:\nhttnt.exe  PID 3708
79. \??\c:\pjvpj.exe  cmd: c:\pjvpj.exe  PID 2684
80. \??\c:\rffxlfx.exe  cmd: c:\rffxlfx.exe  PID 1732
81. \??\c:\bhtnbb.exe  cmd: c:\bhtnbb.exe  PID 4664
82. \??\c:\tbnhht.exe  cmd: c:\tbnhht.exe  PID 3744
83. \??\c:\pdjjd.exe  cmd: c:\pdjjd.exe  PID 536
84. \??\c:\fxffrrr.exe  cmd: c:\fxffrrr.exe  PID 668
85. \??\c:\bbbhhn.exe  cmd: c:\bbbhhn.exe  PID 1888
86. \??\c:\nnhhtb.exe  cmd: c:\nnhhtb.exe  PID 936
87. \??\c:\1pjvj.exe  cmd: c:\1pjvj.exe  PID 2972
88. \??\c:\xxffxxx.exe  cmd: c:\xxffxxx.exe  PID 828
89. \??\c:\bntttn.exe  cmd: c:\bntttn.exe  PID 624
90. \??\c:\9htthh.exe  cmd: c:\9htthh.exe  PID 2144
91. \??\c:\jvdvd.exe  cmd: c:\jvdvd.exe  PID 1064
92. \??\c:\fflrlll.exe  cmd: c:\fflrlll.exe  PID 3376
93. \??\c:\thnhhb.exe  cmd: c:\thnhhb.exe  PID 3624
94. \??\c:\1jpdv.exe  cmd: c:\1jpdv.exe  PID 4500
95. \??\c:\lxllfll.exe  cmd: c:\lxllfll.exe  PID 3164
96. \??\c:\thntnt.exe  cmd: c:\thntnt.exe  PID 1952
97. \??\c:\jvjdv.exe  cmd: c:\jvjdv.exe  PID 1728
98. \??\c:\xrxlrll.exe  cmd: c:\xrxlrll.exe  PID 3768
99. \??\c:\3tbtnh.exe  cmd: c:\3tbtnh.exe  PID 3484
100. \??\c:\1dppd.exe  cmd: c:\1dppd.exe  PID 1344
101. \??\c:\7jjjj.exe  cmd: c:\7jjjj.exe  PID 2504
102. \??\c:\rrxlxrr.exe  cmd: c:\rrxlxrr.exe  PID 2800
103. \??\c:\hthnnn.exe  cmd: c:\hthnnn.exe  PID 4180
104. \??\c:\9jjdv.exe  cmd: c:\9jjdv.exe  PID 4232
105. \??\c:\rrfffll.exe  cmd: c:\rrfffll.exe  PID 3252
106. \??\c:\hhtnhh.exe  cmd: c:\hhtnhh.exe  PID 2116
107. \??\c:\3bntbb.exe  cmd: c:\3bntbb.exe  PID 4868
108. \??\c:\vjpjd.exe  cmd: c:\vjpjd.exe  PID 1180
109. \??\c:\3rrxrxf.exe  cmd: c:\3rrxrxf.exe  PID 1612
110. \??\c:\bbhhbb.exe  cmd: c:\bbhhbb.exe  PID 2804
111. \??\c:\3bnhtt.exe  cmd: c:\3bnhtt.exe  PID 3340
112. \??\c:\rllfxff.exe  cmd: c:\rllfxff.exe  PID 956
113. \??\c:\xfllfff.exe  cmd: c:\xfllfff.exe  PID 4784
114. \??\c:\thtttn.exe  cmd: c:\thtttn.exe  PID 3312
115. \??\c:\pvddd.exe  cmd: c:\pvddd.exe  PID 4004
116. \??\c:\7xllflr.exe  cmd: c:\7xllflr.exe  PID 4736
117. \??\c:\7rllflf.exe  cmd: c:\7rllflf.exe  PID 3104
118. \??\c:\5bttnb.exe  cmd: c:\5bttnb.exe  PID 2304
119. \??\c:\vddpj.exe  cmd: c:\vddpj.exe  PID 1092
120. \??\c:\llfxrrl.exe  cmd: c:\llfxrrl.exe  PID 2668
121. \??\c:\lfrlfrl.exe  cmd: c:\lfrlfrl.exe  PID 2572
122. \??\c:\5hhbbb.exe  cmd: c:\5hhbbb.exe  PID 1108