Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 16:25
Static task
static1
Behavioral task
behavioral1
Sample
fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752N.exe
Resource
win7-20241023-en
General
-
Target
fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752N.exe
-
Size
454KB
-
MD5
96c6733c872c40739541d6fbc5e13990
-
SHA1
b16bea653d4caa5f8ff08cb856517f63f5cda651
-
SHA256
fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752
-
SHA512
3b9c7389f1aebc8722ef483055c4a11027400aa515cf26d81005433acceaa0e40a7156fda34056bc552d8c202692907f2ab980d6d00bfab5277035e3bf1c0e24
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1752-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1296-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/356-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3388-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-910-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-1355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2264 pppjv.exe 764 xfffxff.exe 2464 pdvdd.exe 3244 bbbnhb.exe 2308 fxrffxx.exe 2332 thbbhb.exe 2692 frrrlll.exe 4460 btnnhh.exe 2992 9lrlffx.exe 1796 djddj.exe 424 xfrlfxx.exe 1396 hhtbhh.exe 4356 hthbbt.exe 3048 9vpjd.exe 5080 thtnhh.exe 2128 bthnbt.exe 2056 btbbtt.exe 2804 5xxrrrl.exe 1184 jdpjd.exe 3872 btbtnn.exe 1296 rrfrllr.exe 3528 hhtbbb.exe 1216 pjjdv.exe 1628 htbnhh.exe 4804 rxlrfxf.exe 4944 nbhhhb.exe 960 rrflrlr.exe 4664 rfrxxfx.exe 4740 bttnnh.exe 500 bbbbtt.exe 2748 vvdvd.exe 3280 nntnbn.exe 3172 bbbbhb.exe 4812 7djvv.exe 2676 lxlfxxr.exe 2184 tntttt.exe 4660 ddpjj.exe 2620 1xlfxrx.exe 544 9bbtbb.exe 4820 hbnhhh.exe 1096 vpppp.exe 3428 xfllffx.exe 2060 7tnnbb.exe 3344 djpjj.exe 3916 pjjdv.exe 3732 fxlfffl.exe 1156 7bhbtt.exe 3616 ppvvv.exe 744 9vvvp.exe 4396 fxfrlll.exe 3216 1ffxxrr.exe 3056 9bbtnh.exe 5028 1nbtnn.exe 3180 3vvpj.exe 2284 lllfxxr.exe 864 nthbtt.exe 356 1tbtnn.exe 4408 jvvvj.exe 440 tbhbth.exe 444 nhtnhb.exe 2692 dvpjd.exe 4696 1frlflf.exe 2752 nhnnhh.exe 4736 7bbbtb.exe -
resource yara_rule behavioral2/memory/1752-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-130-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3528-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/356-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1088-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-910-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reading this NLS registry key is also common in legitimate locale-aware software, so on its own this behaviour is only weakly indicative; it is listed here because every dropped executable in the chain performs it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1752 wrote to memory of 2264 1752 fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752N.exe 82 PID 1752 wrote to memory of 2264 1752 fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752N.exe 82 PID 1752 wrote to memory of 2264 1752 fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752N.exe 82 PID 2264 wrote to memory of 764 2264 pppjv.exe 83 PID 2264 wrote to memory of 764 2264 pppjv.exe 83 PID 2264 wrote to memory of 764 2264 pppjv.exe 83 PID 764 wrote to memory of 2464 764 xfffxff.exe 84 PID 764 wrote to memory of 2464 764 xfffxff.exe 84 PID 764 wrote to memory of 2464 764 xfffxff.exe 84 PID 2464 wrote to memory of 3244 2464 pdvdd.exe 85 PID 2464 wrote to memory of 3244 2464 pdvdd.exe 85 PID 2464 wrote to memory of 3244 2464 pdvdd.exe 85 PID 3244 wrote to memory of 2308 3244 bbbnhb.exe 86 PID 3244 wrote to memory of 2308 3244 bbbnhb.exe 86 PID 3244 wrote to memory of 2308 3244 bbbnhb.exe 86 PID 2308 wrote to memory of 2332 2308 fxrffxx.exe 87 PID 2308 wrote to memory of 2332 2308 fxrffxx.exe 87 PID 2308 wrote to memory of 2332 2308 fxrffxx.exe 87 PID 2332 wrote to memory of 2692 2332 thbbhb.exe 88 PID 2332 wrote to memory of 2692 2332 thbbhb.exe 88 PID 2332 wrote to memory of 2692 2332 thbbhb.exe 88 PID 2692 wrote to memory of 4460 2692 frrrlll.exe 89 PID 2692 wrote to memory of 4460 2692 frrrlll.exe 89 PID 2692 wrote to memory of 4460 2692 frrrlll.exe 89 PID 4460 wrote to memory of 2992 4460 btnnhh.exe 90 PID 4460 wrote to memory of 2992 4460 btnnhh.exe 90 PID 4460 wrote to memory of 2992 4460 btnnhh.exe 90 PID 2992 wrote to memory of 1796 2992 9lrlffx.exe 91 PID 2992 wrote to memory of 1796 2992 9lrlffx.exe 91 PID 2992 wrote to memory of 1796 2992 9lrlffx.exe 91 PID 1796 wrote to memory of 424 1796 djddj.exe 92 PID 1796 wrote to memory of 424 1796 djddj.exe 92 PID 1796 wrote to memory of 424 1796 djddj.exe 92 PID 424 wrote to memory of 1396 424 xfrlfxx.exe 93 PID 424 wrote to memory of 
1396 424 xfrlfxx.exe 93 PID 424 wrote to memory of 1396 424 xfrlfxx.exe 93 PID 1396 wrote to memory of 4356 1396 hhtbhh.exe 94 PID 1396 wrote to memory of 4356 1396 hhtbhh.exe 94 PID 1396 wrote to memory of 4356 1396 hhtbhh.exe 94 PID 4356 wrote to memory of 3048 4356 hthbbt.exe 95 PID 4356 wrote to memory of 3048 4356 hthbbt.exe 95 PID 4356 wrote to memory of 3048 4356 hthbbt.exe 95 PID 3048 wrote to memory of 5080 3048 9vpjd.exe 96 PID 3048 wrote to memory of 5080 3048 9vpjd.exe 96 PID 3048 wrote to memory of 5080 3048 9vpjd.exe 96 PID 5080 wrote to memory of 2128 5080 thtnhh.exe 97 PID 5080 wrote to memory of 2128 5080 thtnhh.exe 97 PID 5080 wrote to memory of 2128 5080 thtnhh.exe 97 PID 2128 wrote to memory of 2056 2128 bthnbt.exe 98 PID 2128 wrote to memory of 2056 2128 bthnbt.exe 98 PID 2128 wrote to memory of 2056 2128 bthnbt.exe 98 PID 2056 wrote to memory of 2804 2056 btbbtt.exe 99 PID 2056 wrote to memory of 2804 2056 btbbtt.exe 99 PID 2056 wrote to memory of 2804 2056 btbbtt.exe 99 PID 2804 wrote to memory of 1184 2804 5xxrrrl.exe 100 PID 2804 wrote to memory of 1184 2804 5xxrrrl.exe 100 PID 2804 wrote to memory of 1184 2804 5xxrrrl.exe 100 PID 1184 wrote to memory of 3872 1184 jdpjd.exe 101 PID 1184 wrote to memory of 3872 1184 jdpjd.exe 101 PID 1184 wrote to memory of 3872 1184 jdpjd.exe 101 PID 3872 wrote to memory of 1296 3872 btbtnn.exe 102 PID 3872 wrote to memory of 1296 3872 btbtnn.exe 102 PID 3872 wrote to memory of 1296 3872 btbtnn.exe 102 PID 1296 wrote to memory of 3528 1296 rrfrllr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752N.exe"C:\Users\Admin\AppData\Local\Temp\fcc7f07253567f3d24d1b9b37b6fb2176277f235ca191216bb1b533c5ad82752N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\pppjv.exec:\pppjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\xfffxff.exec:\xfffxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\pdvdd.exec:\pdvdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\bbbnhb.exec:\bbbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\fxrffxx.exec:\fxrffxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\thbbhb.exec:\thbbhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\frrrlll.exec:\frrrlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\btnnhh.exec:\btnnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\9lrlffx.exec:\9lrlffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\djddj.exec:\djddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\xfrlfxx.exec:\xfrlfxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:424 -
\??\c:\hhtbhh.exec:\hhtbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\hthbbt.exec:\hthbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\9vpjd.exec:\9vpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\thtnhh.exec:\thtnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\bthnbt.exec:\bthnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\btbbtt.exec:\btbbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\5xxrrrl.exec:\5xxrrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\jdpjd.exec:\jdpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\btbtnn.exec:\btbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\rrfrllr.exec:\rrfrllr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\hhtbbb.exec:\hhtbbb.exe23⤵
- Executes dropped EXE
PID:3528 -
\??\c:\pjjdv.exec:\pjjdv.exe24⤵
- Executes dropped EXE
PID:1216 -
\??\c:\htbnhh.exec:\htbnhh.exe25⤵
- Executes dropped EXE
PID:1628 -
\??\c:\rxlrfxf.exec:\rxlrfxf.exe26⤵
- Executes dropped EXE
PID:4804 -
\??\c:\nbhhhb.exec:\nbhhhb.exe27⤵
- Executes dropped EXE
PID:4944 -
\??\c:\rrflrlr.exec:\rrflrlr.exe28⤵
- Executes dropped EXE
PID:960 -
\??\c:\rfrxxfx.exec:\rfrxxfx.exe29⤵
- Executes dropped EXE
PID:4664 -
\??\c:\bttnnh.exec:\bttnnh.exe30⤵
- Executes dropped EXE
PID:4740 -
\??\c:\bbbbtt.exec:\bbbbtt.exe31⤵
- Executes dropped EXE
PID:500 -
\??\c:\vvdvd.exec:\vvdvd.exe32⤵
- Executes dropped EXE
PID:2748 -
\??\c:\nntnbn.exec:\nntnbn.exe33⤵
- Executes dropped EXE
PID:3280 -
\??\c:\bbbbhb.exec:\bbbbhb.exe34⤵
- Executes dropped EXE
PID:3172 -
\??\c:\7djvv.exec:\7djvv.exe35⤵
- Executes dropped EXE
PID:4812 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe36⤵
- Executes dropped EXE
PID:2676 -
\??\c:\tntttt.exec:\tntttt.exe37⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ddpjj.exec:\ddpjj.exe38⤵
- Executes dropped EXE
PID:4660 -
\??\c:\1xlfxrx.exec:\1xlfxrx.exe39⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9bbtbb.exec:\9bbtbb.exe40⤵
- Executes dropped EXE
PID:544 -
\??\c:\hbnhhh.exec:\hbnhhh.exe41⤵
- Executes dropped EXE
PID:4820 -
\??\c:\vpppp.exec:\vpppp.exe42⤵
- Executes dropped EXE
PID:1096 -
\??\c:\xfllffx.exec:\xfllffx.exe43⤵
- Executes dropped EXE
PID:3428 -
\??\c:\7tnnbb.exec:\7tnnbb.exe44⤵
- Executes dropped EXE
PID:2060 -
\??\c:\djpjj.exec:\djpjj.exe45⤵
- Executes dropped EXE
PID:3344 -
\??\c:\pjjdv.exec:\pjjdv.exe46⤵
- Executes dropped EXE
PID:3916 -
\??\c:\fxlfffl.exec:\fxlfffl.exe47⤵
- Executes dropped EXE
PID:3732 -
\??\c:\7bhbtt.exec:\7bhbtt.exe48⤵
- Executes dropped EXE
PID:1156 -
\??\c:\ppvvv.exec:\ppvvv.exe49⤵
- Executes dropped EXE
PID:3616 -
\??\c:\9vvvp.exec:\9vvvp.exe50⤵
- Executes dropped EXE
PID:744 -
\??\c:\fxfrlll.exec:\fxfrlll.exe51⤵
- Executes dropped EXE
PID:4396 -
\??\c:\1ffxxrr.exec:\1ffxxrr.exe52⤵
- Executes dropped EXE
PID:3216 -
\??\c:\9bbtnh.exec:\9bbtnh.exe53⤵
- Executes dropped EXE
PID:3056 -
\??\c:\1nbtnn.exec:\1nbtnn.exe54⤵
- Executes dropped EXE
PID:5028 -
\??\c:\3vvpj.exec:\3vvpj.exe55⤵
- Executes dropped EXE
PID:3180 -
\??\c:\lllfxxr.exec:\lllfxxr.exe56⤵
- Executes dropped EXE
PID:2284 -
\??\c:\nthbtt.exec:\nthbtt.exe57⤵
- Executes dropped EXE
PID:864 -
\??\c:\1tbtnn.exec:\1tbtnn.exe58⤵
- Executes dropped EXE
PID:356 -
\??\c:\jvvvj.exec:\jvvvj.exe59⤵
- Executes dropped EXE
PID:4408 -
\??\c:\tbhbth.exec:\tbhbth.exe60⤵
- Executes dropped EXE
PID:440 -
\??\c:\nhtnhb.exec:\nhtnhb.exe61⤵
- Executes dropped EXE
PID:444 -
\??\c:\dvpjd.exec:\dvpjd.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
\??\c:\1frlflf.exec:\1frlflf.exe63⤵
- Executes dropped EXE
PID:4696 -
\??\c:\nhnnhh.exec:\nhnnhh.exe64⤵
- Executes dropped EXE
PID:2752 -
\??\c:\7bbbtb.exec:\7bbbtb.exe65⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vpvjd.exec:\vpvjd.exe66⤵PID:3388
-
\??\c:\lrflffx.exec:\lrflffx.exe67⤵PID:1796
-
\??\c:\frxrllf.exec:\frxrllf.exe68⤵PID:1632
-
\??\c:\thhbnh.exec:\thhbnh.exe69⤵PID:1504
-
\??\c:\vpdvd.exec:\vpdvd.exe70⤵PID:1152
-
\??\c:\fxfxfxf.exec:\fxfxfxf.exe71⤵PID:1532
-
\??\c:\fffffff.exec:\fffffff.exe72⤵PID:1088
-
\??\c:\nttbtn.exec:\nttbtn.exe73⤵PID:5072
-
\??\c:\3ppjd.exec:\3ppjd.exe74⤵PID:3020
-
\??\c:\9rrlrrl.exec:\9rrlrrl.exe75⤵PID:2128
-
\??\c:\3lfrfxl.exec:\3lfrfxl.exe76⤵PID:952
-
\??\c:\hbhbnh.exec:\hbhbnh.exe77⤵PID:2056
-
\??\c:\7pddj.exec:\7pddj.exe78⤵PID:2096
-
\??\c:\xlrllll.exec:\xlrllll.exe79⤵PID:2888
-
\??\c:\frfxrxr.exec:\frfxrxr.exe80⤵PID:620
-
\??\c:\7tnbnh.exec:\7tnbnh.exe81⤵PID:3872
-
\??\c:\djddp.exec:\djddp.exe82⤵PID:4064
-
\??\c:\rlxlfxl.exec:\rlxlfxl.exe83⤵PID:3800
-
\??\c:\bhhbtt.exec:\bhhbtt.exe84⤵PID:1592
-
\??\c:\bthnhh.exec:\bthnhh.exe85⤵PID:1980
-
\??\c:\vpjdp.exec:\vpjdp.exe86⤵PID:1292
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe87⤵PID:1500
-
\??\c:\bbntbt.exec:\bbntbt.exe88⤵PID:708
-
\??\c:\vvjdp.exec:\vvjdp.exe89⤵PID:2900
-
\??\c:\ddvdj.exec:\ddvdj.exe90⤵PID:4432
-
\??\c:\rlfxlfr.exec:\rlfxlfr.exe91⤵PID:1912
-
\??\c:\nthbhh.exec:\nthbhh.exe92⤵PID:4560
-
\??\c:\ppddp.exec:\ppddp.exe93⤵PID:1020
-
\??\c:\5dvvv.exec:\5dvvv.exe94⤵PID:4548
-
\??\c:\xxrlffx.exec:\xxrlffx.exe95⤵PID:1496
-
\??\c:\3xxfffl.exec:\3xxfffl.exe96⤵PID:2984
-
\??\c:\htbbtt.exec:\htbbtt.exe97⤵PID:4824
-
\??\c:\dpvpj.exec:\dpvpj.exe98⤵PID:1784
-
\??\c:\lfflllr.exec:\lfflllr.exe99⤵PID:3580
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe100⤵PID:388
-
\??\c:\5bnnnb.exec:\5bnnnb.exe101⤵PID:1988
-
\??\c:\1dddv.exec:\1dddv.exe102⤵PID:672
-
\??\c:\1lrrllx.exec:\1lrrllx.exe103⤵PID:2376
-
\??\c:\tbttnn.exec:\tbttnn.exe104⤵PID:4252
-
\??\c:\tntnbb.exec:\tntnbb.exe105⤵PID:1544
-
\??\c:\pppjj.exec:\pppjj.exe106⤵PID:3516
-
\??\c:\fxlxrrl.exec:\fxlxrrl.exe107⤵PID:1188
-
\??\c:\lfllfff.exec:\lfllfff.exe108⤵PID:3308
-
\??\c:\3nbtnt.exec:\3nbtnt.exe109⤵PID:4984
-
\??\c:\vpjdd.exec:\vpjdd.exe110⤵PID:4936
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe111⤵PID:684
-
\??\c:\htnhnn.exec:\htnhnn.exe112⤵PID:2496
-
\??\c:\dvjvj.exec:\dvjvj.exe113⤵PID:3096
-
\??\c:\ddpjj.exec:\ddpjj.exe114⤵PID:2312
-
\??\c:\rxlffll.exec:\rxlffll.exe115⤵PID:4336
-
\??\c:\bbhhhh.exec:\bbhhhh.exe116⤵PID:1752
-
\??\c:\1pppd.exec:\1pppd.exe117⤵PID:1332
-
\??\c:\jdjdv.exec:\jdjdv.exe118⤵PID:1984
-
\??\c:\rrrfxrl.exec:\rrrfxrl.exe119⤵PID:5084
-
\??\c:\hthbbn.exec:\hthbbn.exe120⤵PID:3752
-
\??\c:\vdpdv.exec:\vdpdv.exe121⤵PID:3676
-
\??\c:\7vvpp.exec:\7vvpp.exe122⤵PID:1480
-