Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 05:01
Static task
static1
Behavioral task
behavioral1
Sample
a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9N.exe
Resource
win7-20240903-en
General
-
Target
a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9N.exe
-
Size
453KB
-
MD5
d3fd3cb51b35dac1e354db8e829d55d0
-
SHA1
4cb4afdd12ba70ee00549bc6600416b129abdcc7
-
SHA256
a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9
-
SHA512
e4afd6c9fc8eebef656aeb7eb8d493a16cc650c776cdd771e3c5eeee1b2d3d5ea6fc8ce042580a6149853ce8f088d9aec1d4c340c2f15dcdd95da3f04ebc767a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2196-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4884-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/484-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3576-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-897-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-1332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-1904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4220 flrlffx.exe 1164 jddvv.exe 5020 rffxxxf.exe 1496 hnnhhh.exe 2156 9pvpj.exe 364 llrrlrx.exe 3492 tnnhbb.exe 1276 bhbhbh.exe 2112 djpvp.exe 2544 rllfxrl.exe 828 vdddv.exe 2788 nthbbb.exe 4940 bthnbt.exe 3448 5lxrlfx.exe 4476 dddvp.exe 3716 djjjd.exe 1992 9nbtnh.exe 2856 9tbbhh.exe 3544 9xxfffr.exe 2308 xflrlxl.exe 816 bntnnt.exe 4012 vjvvp.exe 4652 xlrlfxr.exe 1900 fffxxxx.exe 4180 tbhhbt.exe 1308 jpvpj.exe 3952 pddvp.exe 4804 9rlrxxf.exe 484 nbnnhh.exe 2044 hthbhh.exe 2624 vdpjd.exe 2920 pdjdj.exe 624 rllfxxr.exe 1044 9nbntt.exe 1660 1ntnhh.exe 2072 jpppj.exe 2968 pdjjj.exe 3944 lrxrlfx.exe 3052 bhnhtn.exe 2744 nbhhbb.exe 3688 dvddd.exe 2924 7pdpj.exe 2612 rrxrlxr.exe 812 hhtnhb.exe 2520 thhbbt.exe 3692 vjjdv.exe 3636 ddpdj.exe 2392 xflrlll.exe 4884 nntnbb.exe 1356 bnthtn.exe 3036 jjpdv.exe 4780 llrlxfx.exe 2716 flrfxrf.exe 4324 5jpdp.exe 1972 3jpjd.exe 1184 1ffrlfx.exe 1704 bbnbnt.exe 1164 hntnnn.exe 2332 frrlxlf.exe 1768 ntthtn.exe 1496 jpvpj.exe 4708 3fxxlrl.exe 1616 thhthh.exe 2148 htnnhh.exe -
resource yara_rule behavioral2/memory/2196-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-249-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2392-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/484-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4108-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-897-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-1165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvpj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 4220 2196 a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9N.exe 83 PID 2196 wrote to memory of 4220 2196 a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9N.exe 83 PID 2196 wrote to memory of 4220 2196 a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9N.exe 83 PID 4220 wrote to memory of 1164 4220 flrlffx.exe 84 PID 4220 wrote to memory of 1164 4220 flrlffx.exe 84 PID 4220 wrote to memory of 1164 4220 flrlffx.exe 84 PID 1164 wrote to memory of 5020 1164 jddvv.exe 85 PID 1164 wrote to memory of 5020 1164 jddvv.exe 85 PID 1164 wrote to memory of 5020 1164 jddvv.exe 85 PID 5020 wrote to memory of 1496 5020 rffxxxf.exe 86 PID 5020 wrote to memory of 1496 5020 rffxxxf.exe 86 PID 5020 wrote to memory of 1496 5020 rffxxxf.exe 86 PID 1496 wrote to memory of 2156 1496 hnnhhh.exe 87 PID 1496 wrote to memory of 2156 1496 hnnhhh.exe 87 PID 1496 wrote to memory of 2156 1496 hnnhhh.exe 87 PID 2156 wrote to memory of 364 2156 9pvpj.exe 88 PID 2156 wrote to memory of 364 2156 9pvpj.exe 88 PID 2156 wrote to memory of 364 2156 9pvpj.exe 88 PID 364 wrote to memory of 3492 364 llrrlrx.exe 89 PID 364 wrote to memory of 3492 364 llrrlrx.exe 89 PID 364 wrote to memory of 3492 364 llrrlrx.exe 89 PID 3492 wrote to memory of 1276 3492 tnnhbb.exe 90 PID 3492 wrote to memory of 1276 3492 tnnhbb.exe 90 PID 3492 wrote to memory of 1276 3492 tnnhbb.exe 90 PID 1276 wrote to memory of 2112 1276 bhbhbh.exe 91 PID 1276 wrote to memory of 2112 1276 bhbhbh.exe 91 PID 1276 wrote to memory of 2112 1276 bhbhbh.exe 91 PID 2112 wrote to memory of 2544 2112 djpvp.exe 92 PID 2112 wrote to memory of 2544 2112 djpvp.exe 92 PID 2112 wrote to memory of 2544 2112 djpvp.exe 92 PID 2544 wrote to memory of 828 2544 rllfxrl.exe 93 PID 2544 wrote to memory of 828 2544 rllfxrl.exe 93 PID 2544 wrote to memory of 828 2544 rllfxrl.exe 93 PID 828 wrote to memory of 2788 828 vdddv.exe 94 PID 828 wrote to memory of 
2788 828 vdddv.exe 94 PID 828 wrote to memory of 2788 828 vdddv.exe 94 PID 2788 wrote to memory of 4940 2788 nthbbb.exe 95 PID 2788 wrote to memory of 4940 2788 nthbbb.exe 95 PID 2788 wrote to memory of 4940 2788 nthbbb.exe 95 PID 4940 wrote to memory of 3448 4940 bthnbt.exe 96 PID 4940 wrote to memory of 3448 4940 bthnbt.exe 96 PID 4940 wrote to memory of 3448 4940 bthnbt.exe 96 PID 3448 wrote to memory of 4476 3448 5lxrlfx.exe 97 PID 3448 wrote to memory of 4476 3448 5lxrlfx.exe 97 PID 3448 wrote to memory of 4476 3448 5lxrlfx.exe 97 PID 4476 wrote to memory of 3716 4476 dddvp.exe 98 PID 4476 wrote to memory of 3716 4476 dddvp.exe 98 PID 4476 wrote to memory of 3716 4476 dddvp.exe 98 PID 3716 wrote to memory of 1992 3716 djjjd.exe 99 PID 3716 wrote to memory of 1992 3716 djjjd.exe 99 PID 3716 wrote to memory of 1992 3716 djjjd.exe 99 PID 1992 wrote to memory of 2856 1992 9nbtnh.exe 100 PID 1992 wrote to memory of 2856 1992 9nbtnh.exe 100 PID 1992 wrote to memory of 2856 1992 9nbtnh.exe 100 PID 2856 wrote to memory of 3544 2856 9tbbhh.exe 101 PID 2856 wrote to memory of 3544 2856 9tbbhh.exe 101 PID 2856 wrote to memory of 3544 2856 9tbbhh.exe 101 PID 3544 wrote to memory of 2308 3544 9xxfffr.exe 102 PID 3544 wrote to memory of 2308 3544 9xxfffr.exe 102 PID 3544 wrote to memory of 2308 3544 9xxfffr.exe 102 PID 2308 wrote to memory of 816 2308 xflrlxl.exe 103 PID 2308 wrote to memory of 816 2308 xflrlxl.exe 103 PID 2308 wrote to memory of 816 2308 xflrlxl.exe 103 PID 816 wrote to memory of 4012 816 bntnnt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9N.exe"C:\Users\Admin\AppData\Local\Temp\a381f3f79600fb6b691eaa0b8b6899c2bf4b251f3f31f6d323c8b76438334bc9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\flrlffx.exec:\flrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\jddvv.exec:\jddvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\rffxxxf.exec:\rffxxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\hnnhhh.exec:\hnnhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\9pvpj.exec:\9pvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\llrrlrx.exec:\llrrlrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
\??\c:\tnnhbb.exec:\tnnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\bhbhbh.exec:\bhbhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\djpvp.exec:\djpvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\rllfxrl.exec:\rllfxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\vdddv.exec:\vdddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\nthbbb.exec:\nthbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\bthnbt.exec:\bthnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\5lxrlfx.exec:\5lxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\dddvp.exec:\dddvp.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\djjjd.exec:\djjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\9nbtnh.exec:\9nbtnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\9tbbhh.exec:\9tbbhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\9xxfffr.exec:\9xxfffr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\xflrlxl.exec:\xflrlxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\bntnnt.exec:\bntnnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\vjvvp.exec:\vjvvp.exe23⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe24⤵
- Executes dropped EXE
PID:4652 -
\??\c:\fffxxxx.exec:\fffxxxx.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\tbhhbt.exec:\tbhhbt.exe26⤵
- Executes dropped EXE
PID:4180 -
\??\c:\jpvpj.exec:\jpvpj.exe27⤵
- Executes dropped EXE
PID:1308 -
\??\c:\pddvp.exec:\pddvp.exe28⤵
- Executes dropped EXE
PID:3952 -
\??\c:\9rlrxxf.exec:\9rlrxxf.exe29⤵
- Executes dropped EXE
PID:4804 -
\??\c:\nbnnhh.exec:\nbnnhh.exe30⤵
- Executes dropped EXE
PID:484 -
\??\c:\hthbhh.exec:\hthbhh.exe31⤵
- Executes dropped EXE
PID:2044 -
\??\c:\vdpjd.exec:\vdpjd.exe32⤵
- Executes dropped EXE
PID:2624 -
\??\c:\pdjdj.exec:\pdjdj.exe33⤵
- Executes dropped EXE
PID:2920 -
\??\c:\rllfxxr.exec:\rllfxxr.exe34⤵
- Executes dropped EXE
PID:624 -
\??\c:\9nbntt.exec:\9nbntt.exe35⤵
- Executes dropped EXE
PID:1044 -
\??\c:\1ntnhh.exec:\1ntnhh.exe36⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jpppj.exec:\jpppj.exe37⤵
- Executes dropped EXE
PID:2072 -
\??\c:\pdjjj.exec:\pdjjj.exe38⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe39⤵
- Executes dropped EXE
PID:3944 -
\??\c:\bhnhtn.exec:\bhnhtn.exe40⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nbhhbb.exec:\nbhhbb.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\dvddd.exec:\dvddd.exe42⤵
- Executes dropped EXE
PID:3688 -
\??\c:\7pdpj.exec:\7pdpj.exe43⤵
- Executes dropped EXE
PID:2924 -
\??\c:\rrxrlxr.exec:\rrxrlxr.exe44⤵
- Executes dropped EXE
PID:2612 -
\??\c:\hhtnhb.exec:\hhtnhb.exe45⤵
- Executes dropped EXE
PID:812 -
\??\c:\thhbbt.exec:\thhbbt.exe46⤵
- Executes dropped EXE
PID:2520 -
\??\c:\vjjdv.exec:\vjjdv.exe47⤵
- Executes dropped EXE
PID:3692 -
\??\c:\ddpdj.exec:\ddpdj.exe48⤵
- Executes dropped EXE
PID:3636 -
\??\c:\xflrlll.exec:\xflrlll.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\nntnbb.exec:\nntnbb.exe50⤵
- Executes dropped EXE
PID:4884 -
\??\c:\bnthtn.exec:\bnthtn.exe51⤵
- Executes dropped EXE
PID:1356 -
\??\c:\jjpdv.exec:\jjpdv.exe52⤵
- Executes dropped EXE
PID:3036 -
\??\c:\llrlxfx.exec:\llrlxfx.exe53⤵
- Executes dropped EXE
PID:4780 -
\??\c:\flrfxrf.exec:\flrfxrf.exe54⤵
- Executes dropped EXE
PID:2716 -
\??\c:\5jpdp.exec:\5jpdp.exe55⤵
- Executes dropped EXE
PID:4324 -
\??\c:\3jpjd.exec:\3jpjd.exe56⤵
- Executes dropped EXE
PID:1972 -
\??\c:\1ffrlfx.exec:\1ffrlfx.exe57⤵
- Executes dropped EXE
PID:1184 -
\??\c:\bbnbnt.exec:\bbnbnt.exe58⤵
- Executes dropped EXE
PID:1704 -
\??\c:\hntnnn.exec:\hntnnn.exe59⤵
- Executes dropped EXE
PID:1164 -
\??\c:\frrlxlf.exec:\frrlxlf.exe60⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ntthtn.exec:\ntthtn.exe61⤵
- Executes dropped EXE
PID:1768 -
\??\c:\jpvpj.exec:\jpvpj.exe62⤵
- Executes dropped EXE
PID:1496 -
\??\c:\3fxxlrl.exec:\3fxxlrl.exe63⤵
- Executes dropped EXE
PID:4708 -
\??\c:\thhthh.exec:\thhthh.exe64⤵
- Executes dropped EXE
PID:1616 -
\??\c:\htnnhh.exec:\htnnhh.exe65⤵
- Executes dropped EXE
PID:2148 -
\??\c:\jvdpv.exec:\jvdpv.exe66⤵PID:1368
-
\??\c:\rlrfxrf.exec:\rlrfxrf.exe67⤵PID:1244
-
\??\c:\jjpdv.exec:\jjpdv.exe68⤵PID:2448
-
\??\c:\xfrxrrl.exec:\xfrxrrl.exe69⤵PID:3576
-
\??\c:\ddpjv.exec:\ddpjv.exe70⤵PID:3416
-
\??\c:\rxxlxxr.exec:\rxxlxxr.exe71⤵PID:2804
-
\??\c:\pjjdp.exec:\pjjdp.exe72⤵PID:4860
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe73⤵PID:2788
-
\??\c:\5dvjj.exec:\5dvjj.exe74⤵PID:232
-
\??\c:\1nthtb.exec:\1nthtb.exe75⤵PID:544
-
\??\c:\3bnbtn.exec:\3bnbtn.exe76⤵PID:1412
-
\??\c:\llxxlfx.exec:\llxxlfx.exe77⤵PID:2084
-
\??\c:\3tnbtn.exec:\3tnbtn.exe78⤵
- System Location Discovery: System Language Discovery
PID:3716 -
\??\c:\1jpvj.exec:\1jpvj.exe79⤵PID:2600
-
\??\c:\llrlxff.exec:\llrlxff.exe80⤵PID:3172
-
\??\c:\ttbhbb.exec:\ttbhbb.exe81⤵PID:2928
-
\??\c:\jdjdp.exec:\jdjdp.exe82⤵PID:2308
-
\??\c:\bbbtnh.exec:\bbbtnh.exe83⤵PID:3564
-
\??\c:\nbbthh.exec:\nbbthh.exe84⤵PID:4388
-
\??\c:\pdvpd.exec:\pdvpd.exe85⤵PID:4652
-
\??\c:\5bthtn.exec:\5bthtn.exe86⤵PID:2960
-
\??\c:\jdjjj.exec:\jdjjj.exe87⤵PID:1284
-
\??\c:\xflfrlx.exec:\xflfrlx.exe88⤵PID:4108
-
\??\c:\thhbbb.exec:\thhbbb.exe89⤵PID:3952
-
\??\c:\3vpvv.exec:\3vpvv.exe90⤵PID:4812
-
\??\c:\fffrlxr.exec:\fffrlxr.exe91⤵PID:1092
-
\??\c:\thnnnn.exec:\thnnnn.exe92⤵PID:528
-
\??\c:\5ppdj.exec:\5ppdj.exe93⤵PID:912
-
\??\c:\lxrfrll.exec:\lxrfrll.exe94⤵PID:5044
-
\??\c:\ntnhhh.exec:\ntnhhh.exe95⤵PID:1628
-
\??\c:\bnnhtn.exec:\bnnhtn.exe96⤵PID:2264
-
\??\c:\ppjvd.exec:\ppjvd.exe97⤵PID:2968
-
\??\c:\flrlrxr.exec:\flrlrxr.exe98⤵PID:4472
-
\??\c:\thnhbt.exec:\thnhbt.exe99⤵PID:1804
-
\??\c:\1nhbnn.exec:\1nhbnn.exe100⤵PID:3524
-
\??\c:\7vjvp.exec:\7vjvp.exe101⤵PID:2220
-
\??\c:\3lflfll.exec:\3lflfll.exe102⤵PID:2684
-
\??\c:\hbhbbb.exec:\hbhbbb.exe103⤵PID:3484
-
\??\c:\dpppj.exec:\dpppj.exe104⤵PID:4716
-
\??\c:\fflfffl.exec:\fflfffl.exe105⤵PID:984
-
\??\c:\rllfxxr.exec:\rllfxxr.exe106⤵PID:1612
-
\??\c:\hthbtn.exec:\hthbtn.exe107⤵PID:2524
-
\??\c:\pdppd.exec:\pdppd.exe108⤵PID:3908
-
\??\c:\pvpdj.exec:\pvpdj.exe109⤵PID:2484
-
\??\c:\rffrfxr.exec:\rffrfxr.exe110⤵PID:4116
-
\??\c:\tbhhtt.exec:\tbhhtt.exe111⤵PID:3496
-
\??\c:\3jjpj.exec:\3jjpj.exe112⤵PID:640
-
\??\c:\frxrrrx.exec:\frxrrrx.exe113⤵PID:3036
-
\??\c:\thnnnn.exec:\thnnnn.exe114⤵PID:1204
-
\??\c:\hthbtn.exec:\hthbtn.exe115⤵PID:3096
-
\??\c:\jdjvp.exec:\jdjvp.exe116⤵PID:1964
-
\??\c:\frrfrlx.exec:\frrfrlx.exe117⤵PID:4336
-
\??\c:\ttthbb.exec:\ttthbb.exe118⤵PID:4020
-
\??\c:\dpvvj.exec:\dpvvj.exe119⤵PID:3948
-
\??\c:\1jjvj.exec:\1jjvj.exe120⤵PID:2028
-
\??\c:\rrxrxrl.exec:\rrxrxrl.exe121⤵PID:2424
-
\??\c:\3nnhtn.exec:\3nnhtn.exe122⤵PID:2620
-