Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 11:21
Static task: static1
Behavioral task: behavioral1
Sample: 20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe
Resource: win7-20241010-en
General
Target: 20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe
Size: 453KB
MD5: 4112c1d6072012a878e7e93f19536c8d
SHA1: 7b46324436023f2a3a82dc463f3745c0aee29f5d
SHA256: 20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec
SHA512: 90293eea29f5f26e82a0760417b7a21dfa26de71190d3bcf7b8c0c70f9b5a20a70a8443cc7be5e963cc04647512570c4a8cf9060800fe98984cb83b2b0f708ca
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (63 IoCs)
resource | yara_rule
Every hit is on the image region 0x0000000000400000-0x000000000042A000 of the listed process. Each resource is behavioral2/memory/<pid>-<seq>-0x0000000000400000-0x000000000042A000-memory.dmp with yara_rule family_blackmoon, for <pid>-<seq> in:
1224-7, 1272-13, 5112-43, 3992-111, 1984-191, 32-329, 2372-322, 3056-318, 1860-301, 5112-297, 2924-290, 3996-288, 4912-280, 1224-275, 4676-271, 472-265, 2928-259, 2884-246, 940-236, 676-233, 4540-228,
4960-218, 4064-214, 4884-204, 4520-187, 3508-183, 3424-162, 2620-156, 2240-140, 3488-134, 4928-128, 3952-122, 4608-105, 2728-100, 4200-74, 3708-67, 4364-61, 3792-55, 628-49, 1520-37, 980-31, 3996-25,
956-18, 2724-5, 4804-348, 5004-358, 864-399, 3048-403, 1944-434, 3588-441, 1676-445, 1520-474, 3200-493, 3088-506, 1480-540, 2192-631, 2468-641, 4300-669, 4604-760, 3996-890, 4788-928, 3752-1675, 3292-1799
Executes dropped EXE (64 IoCs)
pid | Process
1224 7xrlflf.exe
1272 tbnnbn.exe
956 htbtnh.exe
3996 pjddd.exe
980 5xrlfxr.exe
1520 1rllffl.exe
5112 hhhbtt.exe
628 9ddvp.exe
3792 vppdv.exe
4364 xrrllll.exe
3708 bttnbh.exe
4200 bntnnh.exe
3056 ddjdp.exe
2524 vjpjj.exe
4504 fffllrx.exe
2400 1nnbtt.exe
2728 tnbnnn.exe
4608 jjpjj.exe
3992 ffflfxf.exe
4480 rxfxrlf.exe
3952 1hhbhh.exe
4928 9tnhbb.exe
3488 3pvpp.exe
2240 lfrrrxx.exe
5004 nthbtb.exe
1612 nhhbth.exe
2620 vpdvv.exe
3424 rxxfxrl.exe
4836 xlrlffx.exe
1420 1btnhb.exe
2744 ntbttt.exe
3508 9vpjd.exe
4520 rffxxrr.exe
1984 fflfxrr.exe
2104 bhnbtn.exe
3080 jjdvv.exe
1268 jjpvp.exe
4884 xlrrllf.exe
1608 fxlxfxf.exe
1688 7tbttt.exe
4064 jdvpj.exe
4960 rlxfflf.exe
4492 xrlxxrr.exe
4900 7hbthh.exe
4540 tnntbn.exe
676 3vppj.exe
940 rxrfxrl.exe
2192 flrlfrl.exe
2808 tnnhhb.exe
2884 dppjd.exe
1712 dpvpd.exe
2244 7lrlrrx.exe
2380 nhhbht.exe
2928 hthbtt.exe
776 pjppj.exe
472 lxxxxxx.exe
4676 3btnnn.exe
1224 vdjdp.exe
4912 dpdvj.exe
840 ffrrffr.exe
3996 bttnnn.exe
2924 nnnhbt.exe
3888 jdddv.exe
5112 xxllrrr.exe
yara_rule upx (64 IoCs)
resource | yara_rule
Same image region as the Blackmoon hits. Each resource is behavioral2/memory/<pid>-<seq>-0x0000000000400000-0x000000000042A000-memory.dmp with yara_rule upx, for <pid>-<seq> in:
1224-7, 1272-13, 5112-43, 3992-111, 1984-191, 32-329, 2532-335, 2372-322, 3056-318, 1860-301, 5112-297, 2924-290, 3996-288, 4912-280, 1224-275, 4676-271, 472-265, 2928-259, 2884-246, 940-236, 676-233, 4540-228, 4960-218, 4064-214,
4884-204, 4520-187, 3508-183, 3424-162, 2620-156, 2240-140, 3488-134, 4928-128, 3952-122, 4608-105, 2728-100, 4200-74, 3708-67, 4364-61, 3792-55, 628-49, 1520-37, 980-31, 3996-25, 956-18, 2724-5, 4804-348, 5004-358, 1984-380,
864-399, 3048-403, 1944-434, 3588-441, 1676-445, 3356-449, 1520-474, 3200-493, 3088-506, 1480-540, 2192-631, 2468-641, 4300-669, 4604-760, 2924-891, 3996-890
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Every entry is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". The processes named in the entries, in the order listed, are: vjdpd.exe, bbhnhb.exe, thhnbh.exe, hbtnhh.exe, htbtnn.exe, frxxxrr.exe, jvdpj.exe, 5xlflfx.exe, vpdpd.exe, xffxrlf.exe, nttnbt.exe, nbhtnh.exe, 9ddpj.exe, xlflxxr.exe, ffflfxf.exe, vdpjv.exe, xfllrll.exe, xrxrrff.exe, rrxrrrl.exe. The remaining entries are attributed to "Process not Found", meaning the sandbox could no longer resolve the originating process (typically because it had already exited), so this signature does not tell you which of the 120-odd short-lived children performed most of the reads.
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Each parent/child pair is logged three times (three writes into the same child). The listing is capped at 64 entries, so it stops one entry into the 22nd pair; the process tree below continues well past that point.
PID 2724 (20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe) wrote to memory of 1224, procid_target 140
PID 1224 (7xrlflf.exe) wrote to memory of 1272, procid_target 83
PID 1272 (tbnnbn.exe) wrote to memory of 956, procid_target 84
PID 956 (htbtnh.exe) wrote to memory of 3996, procid_target 143
PID 3996 (pjddd.exe) wrote to memory of 980, procid_target 86
PID 980 (5xrlfxr.exe) wrote to memory of 1520, procid_target 87
PID 1520 (1rllffl.exe) wrote to memory of 5112, procid_target 88
PID 5112 (hhhbtt.exe) wrote to memory of 628, procid_target 89
PID 628 (9ddvp.exe) wrote to memory of 3792, procid_target 90
PID 3792 (vppdv.exe) wrote to memory of 4364, procid_target 91
PID 4364 (xrrllll.exe) wrote to memory of 3708, procid_target 92
PID 3708 (bttnbh.exe) wrote to memory of 4200, procid_target 93
PID 4200 (bntnnh.exe) wrote to memory of 3056, procid_target 94
PID 3056 (ddjdp.exe) wrote to memory of 2524, procid_target 95
PID 2524 (vjpjj.exe) wrote to memory of 4504, procid_target 96
PID 4504 (fffllrx.exe) wrote to memory of 2400, procid_target 97
PID 2400 (1nnbtt.exe) wrote to memory of 2728, procid_target 98
PID 2728 (tnbnnn.exe) wrote to memory of 4608, procid_target 99
PID 4608 (jjpjj.exe) wrote to memory of 3992, procid_target 100
PID 3992 (ffflfxf.exe) wrote to memory of 4480, procid_target 101
PID 4480 (rxfxrlf.exe) wrote to memory of 3952, procid_target 102
PID 3952 (1hhbhh.exe) wrote to memory of 4928, procid_target 103 (one write listed before the cap)
Processes
The tree is a single chain: each entry is the child of the entry above it (depth n spawned depth n+1). The submitted sample runs with the quoted command line shown; every dropped image is written to the root of c:\ and run with command line c:\<name>.exe. Signatures matched per process are given in brackets with these keys: EDE = Executes dropped EXE, WPM = Suspicious use of WriteProcessMemory, SLD = System Location Discovery: System Language Discovery. EDE appears on exactly 64 processes, matching the 64-IoC listing of that signature above; later children of the same kind carry no tag.
depth 1  C:\Users\Admin\AppData\Local\Temp\20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe  command line "C:\Users\Admin\AppData\Local\Temp\20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe"  PID 2724  [WPM]
depth 2  \??\c:\7xrlflf.exe  PID 1224  [EDE, WPM]
depth 3  \??\c:\tbnnbn.exe  PID 1272  [EDE, WPM]
depth 4  \??\c:\htbtnh.exe  PID 956  [EDE, WPM]
depth 5  \??\c:\pjddd.exe  PID 3996  [EDE, WPM]
depth 6  \??\c:\5xrlfxr.exe  PID 980  [EDE, WPM]
depth 7  \??\c:\1rllffl.exe  PID 1520  [EDE, WPM]
depth 8  \??\c:\hhhbtt.exe  PID 5112  [EDE, WPM]
depth 9  \??\c:\9ddvp.exe  PID 628  [EDE, WPM]
depth 10  \??\c:\vppdv.exe  PID 3792  [EDE, WPM]
depth 11  \??\c:\xrrllll.exe  PID 4364  [EDE, WPM]
depth 12  \??\c:\bttnbh.exe  PID 3708  [EDE, WPM]
depth 13  \??\c:\bntnnh.exe  PID 4200  [EDE, WPM]
depth 14  \??\c:\ddjdp.exe  PID 3056  [EDE, WPM]
depth 15  \??\c:\vjpjj.exe  PID 2524  [EDE, WPM]
depth 16  \??\c:\fffllrx.exe  PID 4504  [EDE, WPM]
depth 17  \??\c:\1nnbtt.exe  PID 2400  [EDE, WPM]
depth 18  \??\c:\tnbnnn.exe  PID 2728  [EDE, WPM]
depth 19  \??\c:\jjpjj.exe  PID 4608  [EDE, WPM]
depth 20  \??\c:\ffflfxf.exe  PID 3992  [EDE, SLD, WPM]
depth 21  \??\c:\rxfxrlf.exe  PID 4480  [EDE, WPM]
depth 22  \??\c:\1hhbhh.exe  PID 3952  [EDE, WPM]
depth 23  \??\c:\9tnhbb.exe  PID 4928  [EDE]
depth 24  \??\c:\3pvpp.exe  PID 3488  [EDE]
depth 25  \??\c:\lfrrrxx.exe  PID 2240  [EDE]
depth 26  \??\c:\nthbtb.exe  PID 5004  [EDE]
depth 27  \??\c:\nhhbth.exe  PID 1612  [EDE]
depth 28  \??\c:\vpdvv.exe  PID 2620  [EDE]
depth 29  \??\c:\rxxfxrl.exe  PID 3424  [EDE]
depth 30  \??\c:\xlrlffx.exe  PID 4836  [EDE]
depth 31  \??\c:\1btnhb.exe  PID 1420  [EDE]
depth 32  \??\c:\ntbttt.exe  PID 2744  [EDE]
depth 33  \??\c:\9vpjd.exe  PID 3508  [EDE]
depth 34  \??\c:\rffxxrr.exe  PID 4520  [EDE]
depth 35  \??\c:\fflfxrr.exe  PID 1984  [EDE]
depth 36  \??\c:\bhnbtn.exe  PID 2104  [EDE]
depth 37  \??\c:\jjdvv.exe  PID 3080  [EDE]
depth 38  \??\c:\jjpvp.exe  PID 1268  [EDE]
depth 39  \??\c:\xlrrllf.exe  PID 4884  [EDE]
depth 40  \??\c:\fxlxfxf.exe  PID 1608  [EDE]
depth 41  \??\c:\7tbttt.exe  PID 1688  [EDE]
depth 42  \??\c:\jdvpj.exe  PID 4064  [EDE]
depth 43  \??\c:\rlxfflf.exe  PID 4960  [EDE]
depth 44  \??\c:\xrlxxrr.exe  PID 4492  [EDE]
depth 45  \??\c:\7hbthh.exe  PID 4900  [EDE]
depth 46  \??\c:\tnntbn.exe  PID 4540  [EDE]
depth 47  \??\c:\3vppj.exe  PID 676  [EDE]
depth 48  \??\c:\rxrfxrl.exe  PID 940  [EDE]
depth 49  \??\c:\flrlfrl.exe  PID 2192  [EDE]
depth 50  \??\c:\tnnhhb.exe  PID 2808  [EDE]
depth 51  \??\c:\dppjd.exe  PID 2884  [EDE]
depth 52  \??\c:\dpvpd.exe  PID 1712  [EDE]
depth 53  \??\c:\7lrlrrx.exe  PID 2244  [EDE]
depth 54  \??\c:\nhhbht.exe  PID 2380  [EDE]
depth 55  \??\c:\hthbtt.exe  PID 2928  [EDE]
depth 56  \??\c:\pjppj.exe  PID 776  [EDE]
depth 57  \??\c:\lxxxxxx.exe  PID 472  [EDE]
depth 58  \??\c:\xllllrl.exe  PID 4300  []
depth 59  \??\c:\3btnnn.exe  PID 4676  [EDE]
depth 60  \??\c:\vdjdp.exe  PID 1224  [EDE]
depth 61  \??\c:\dpdvj.exe  PID 4912  [EDE]
depth 62  \??\c:\ffrrffr.exe  PID 840  [EDE]
depth 63  \??\c:\bttnnn.exe  PID 3996  [EDE]
depth 64  \??\c:\nnnhbt.exe  PID 2924  [EDE]
depth 65  \??\c:\jdddv.exe  PID 3888  [EDE]
depth 66  \??\c:\xxllrrr.exe  PID 5112  [EDE]
depth 67  \??\c:\fxlflfl.exe  PID 1860  []
depth 68  \??\c:\thhnbh.exe  PID 3668  [SLD]
depth 69  \??\c:\pjvpj.exe  PID 1068  []
depth 70  \??\c:\dvvdv.exe  PID 3920  []
depth 71  \??\c:\rxxfrxf.exe  PID 4200  []
depth 72  \??\c:\nnnhtn.exe  PID 3056  []
depth 73  \??\c:\fxxrlfx.exe  PID 2372  []
depth 74  \??\c:\xffrllf.exe  PID 4536  []
depth 75  \??\c:\1bbtnt.exe  PID 32  []
depth 76  \??\c:\nnnhbt.exe  PID 2400  []
depth 77  \??\c:\ddjjv.exe  PID 2532  []
depth 78  \??\c:\nnbhtt.exe  PID 1156  []
depth 79  \??\c:\jvvvp.exe  PID 5032  []
depth 80  \??\c:\btnnhh.exe  PID 4804  []
depth 81  \??\c:\thnbtb.exe  PID 3464  []
depth 82  \??\c:\7jvdv.exe  PID 2240  []
depth 83  \??\c:\3rrlfxr.exe  PID 5004  []
depth 84  \??\c:\tnbtnn.exe  PID 2500  []
depth 85  \??\c:\5nnhbb.exe  PID 4228  []
depth 86  \??\c:\vvddv.exe  PID 3612  []
depth 87  \??\c:\xlllfxr.exe  PID 2652  []
depth 88  \??\c:\bbtnnn.exe  PID 2440  []
depth 89  \??\c:\bbhttn.exe  PID 1852  []
depth 90  \??\c:\1jvpj.exe  PID 4424  []
depth 91  \??\c:\tnhntn.exe  PID 1984  []
depth 92  \??\c:\7dppd.exe  PID 2172  []
depth 93  \??\c:\7dpvp.exe  PID 1616  []
depth 94  \??\c:\rllrllf.exe  PID 1644  []
depth 95  \??\c:\ntthbn.exe  PID 3164  []
depth 96  \??\c:\hbtbnh.exe  PID 864  []
depth 97  \??\c:\btnhtn.exe  PID 3048  []
depth 98  \??\c:\jvdpd.exe  PID 4492  []
depth 99  \??\c:\5thhtn.exe  PID 5088  []
depth 100  \??\c:\nhhbbt.exe  PID 3800  []
depth 101  \??\c:\rrxlfxl.exe  PID 940  []
depth 102  \??\c:\hththb.exe  PID 3356  []
depth 103  \??\c:\5jjdd.exe  PID 516  []
depth 104  \??\c:\rfxlfrf.exe  PID 4380  []
depth 105  \??\c:\thbtnh.exe  PID 4744  []
depth 106  \??\c:\rfxrllf.exe  PID 812  []
depth 107  \??\c:\ddpjv.exe  PID 1944  []
depth 108  \??\c:\fflfxlr.exe  PID 212  []
depth 109  \??\c:\hnnbbt.exe  PID 3588  []
depth 110  \??\c:\fllrxrl.exe  PID 1676  []
depth 111  \??\c:\1btnbb.exe  PID 5060  []
depth 112  \??\c:\pvdpd.exe  PID 3652  []
depth 113  \??\c:\lrrlxrf.exe  PID 1908  []
depth 114  \??\c:\3nbntn.exe  PID 4864  []
depth 115  \??\c:\xrlfrlf.exe  PID 3936  []
depth 116  \??\c:\nbhtnh.exe  PID 2068  [SLD]
depth 117  \??\c:\tnnhnn.exe  PID 1380  []
depth 118  \??\c:\rxlxlxl.exe  PID 4512  []
depth 119  \??\c:\hhnnnt.exe  PID 1520  []
depth 120  \??\c:\jvpjv.exe  PID 60  []
depth 121  \??\c:\vjjvj.exe  PID 4924  []
depth 122  \??\c:\frlxlfx.exe  PID 1272  []
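Working with a report like this one by hand means scrolling a 122-deep chain and eyeballing three tables that key on PIDs. The Python below is an added example, not tria.ge's code: it parses the "Processes" and "Suspicious use of WriteProcessMemory" layouts exactly as they are flattened above, collapses the three writes per parent/child pair into one edge, checks each dropped image against the naming pattern that every drop in this report follows (four to seven letters drawn only from b d f h j l n p r t v x, optionally prefixed by one digit, written to the root of c:\), and reports PID reuse. PID reuse matters here: PID 1224 is 7xrlflf.exe at depth 2 and vdjdp.exe at depth 60, which is why the memory-dump names carry a sequence number (1224-7 versus 1224-275) and why a PID alone is not a safe join key between the yara tables and the tree. The input is a constructed subset of the report's own entries with depths renumbered 1..6 so it forms a contiguous chain; the naming regex is our triage heuristic derived from this sample, not a published Blackmoon indicator; and since the WriteProcessMemory table is capped at 64 entries while the tree is not, the code reports tree edges the write log does not cover rather than treating them as absent.

```python
"""Triage helpers for the flattened tria.ge tables above (added example, not tria.ge code)."""
import re
from collections import defaultdict

# Constructed input: six entries copied from the report's "Processes" section,
# depths renumbered 1..6 to make a contiguous chain (the report's own depths for
# xllllrl.exe and vdjdp.exe are 58 and 60).
PROCESS_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe"C:\Users\Admin\AppData\Local\Temp\20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\7xrlflf.exec:\7xrlflf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\tbnnbn.exec:\tbnnbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\htbtnh.exec:\htbtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\xllllrl.exec:\xllllrl.exe5⤵PID:4300
\??\c:\vdjdp.exec:\vdjdp.exe6⤵
- Executes dropped EXE
PID:1224 -
"""

# Constructed input: the first three parent/child pairs of the report's
# WriteProcessMemory table, each logged three times as in the report.
WRITE_LOG = """
PID 2724 wrote to memory of 1224 2724 20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe 140
PID 2724 wrote to memory of 1224 2724 20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe 140
PID 2724 wrote to memory of 1224 2724 20928ff63ec9aa19f224b0b36a8c5f75b6ad06bc17d920e725572833a1b05aec.exe 140
PID 1224 wrote to memory of 1272 1224 7xrlflf.exe 83
PID 1224 wrote to memory of 1272 1224 7xrlflf.exe 83
PID 1224 wrote to memory of 1272 1224 7xrlflf.exe 83
PID 1272 wrote to memory of 956 1272 tbnnbn.exe 84
PID 1272 wrote to memory of 956 1272 tbnnbn.exe 84
PID 1272 wrote to memory of 956 1272 tbnnbn.exe 84
"""

# Flattened tree line: <path>.exe<quoted or bare cmdline>.exe<depth>⤵[PID:n]
TREE_RE = re.compile(r'^(?P<path>.+?\.exe)"?(?P<cmd>.+?\.exe)"?(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$')
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$")
# Heuristic taken from this report only: 4-7 letters from b d f h j l n p r t v x,
# optional single leading digit, ".exe".  Not a published Blackmoon indicator.
DROPPER_NAME_RE = re.compile(r"^[0-9]?[bdfhjlnprtvx]{4,7}\.exe$")


def parse_process_tree(text):
    """Turn the flattened tree into dicts of depth, path, name, pid and signature tags."""
    procs = []
    for line in text.strip().splitlines():
        m = TREE_RE.match(line)
        if m:
            procs.append({"depth": int(m["depth"]), "path": m["path"],
                          "name": m["path"].rsplit("\\", 1)[-1].lower(),
                          "pid": int(m["pid"]) if m["pid"] else None, "tags": []})
        elif procs and line.startswith("- "):
            procs[-1]["tags"].append(line[2:].strip())
        else:
            pm = PID_RE.match(line)
            if procs and pm:
                procs[-1]["pid"] = int(pm["pid"])
    return procs


def parse_write_log(text):
    """Collapse the repeated write entries into one edge per (parent pid, child pid)."""
    edges = {}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if m:
            key = (int(m["src"]), int(m["dst"]))
            edges.setdefault(key, {"image": m["image"], "procid_target": int(m["target"]), "writes": 0})
            edges[key]["writes"] += 1
    return edges


def looks_like_chain_dropper(proc):
    """True for a child whose name fits the consonant pattern and sits in the root of c:."""
    return (proc["depth"] > 1 and DROPPER_NAME_RE.match(proc["name"]) is not None
            and proc["path"].lower() == "\\??\\c:\\" + proc["name"])


def chain_edges(procs):
    """Parent/child PID pairs implied by the tree (the entry at depth n-1 spawned depth n)."""
    by_depth, edges = {}, []
    for p in procs:
        if p["depth"] - 1 in by_depth:
            edges.append((by_depth[p["depth"] - 1]["pid"], p["pid"]))
        by_depth[p["depth"]] = p
    return edges


def pid_reuse(procs):
    """PIDs that name more than one image during the run; Windows recycles PIDs."""
    seen = defaultdict(list)
    for p in procs:
        seen[p["pid"]].append(p["name"])
    return {pid: names for pid, names in seen.items() if len(set(names)) > 1}


def triage(tree_text=PROCESS_TREE, log_text=WRITE_LOG):
    """One dict with everything a first-pass reviewer wants from the three tables."""
    procs, log = parse_process_tree(tree_text), parse_write_log(log_text)
    tree = chain_edges(procs)
    return {
        "processes": len(procs),
        "droppers": [p["name"] for p in procs if looks_like_chain_dropper(p)],
        "non_matching": [p["name"] for p in procs if p["depth"] > 1 and not looks_like_chain_dropper(p)],
        "writes_per_child": sorted({e["writes"] for e in log.values()}),
        "edges_confirmed": [e for e in tree if e in log],
        "edges_missing_from_log": [e for e in tree if e not in log],
        "pid_reuse": pid_reuse(procs),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

To use it on the full report, paste the whole "Processes" section into PROCESS_TREE and the whole WriteProcessMemory table (one "PID x wrote to memory of y ..." entry per line) into WRITE_LOG. A non-empty non_matching list is the interesting output on a new sample: it is where a chain of this shape either changes its naming scheme or stops being a single linear chain, both of which deserve a second look before you call it a Blackmoon variant.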