Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 20:18
Static task
static1
Behavioral task
behavioral1
Sample
166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe
Resource
win7-20240903-en
General
-
Target
166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe
-
Size
455KB
-
MD5
730024d670661855cc6d71257a5b8981
-
SHA1
619f085c62270414c08f9877756192b29ae183a6
-
SHA256
166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe
-
SHA512
793f944801d7ffa17af10f03c8c734d6c543f7704cf06284db51f003a8f89365732b0811696aac426c6ffd2ef873be406232482ba2f928b264433d5060c0f184
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+Y:q7Tc2NYHUrAwfMp3CD+Y
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1856-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1632-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4556-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-1101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-1273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-1605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-1729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 856 lrlfrfr.exe 1144 nnbbtb.exe 464 lfllrrl.exe 2956 7hnhbb.exe 1780 1vddj.exe 2316 pjvjj.exe 1172 vpddj.exe 1880 rfxfxxr.exe 228 nbbbbh.exe 1932 bbnhnn.exe 3888 dpdvv.exe 3480 rfxrxlx.exe 3332 vvvvj.exe 2848 lxxrlfx.exe 4580 1nnnhh.exe 1632 djjjd.exe 632 9jpdv.exe 2988 ffffffr.exe 4556 3tbtbb.exe 4808 7dpvp.exe 2688 7xffxfx.exe 1832 xxrrxxx.exe 1716 3vvjv.exe 3552 lllfxxf.exe 3520 fflrflx.exe 2236 nhtbbh.exe 392 jppdp.exe 3492 vdppj.exe 2844 9rrfxfl.exe 5112 hbbnnh.exe 3308 vdvpp.exe 3472 rxrxxlx.exe 1016 bbbbtt.exe 2928 vjjjd.exe 2144 flxxxrf.exe 3060 1xlllll.exe 2208 9bbttb.exe 716 3nhbnn.exe 3716 pdjdv.exe 3340 fxxrrlf.exe 1580 nbnbnh.exe 3184 btbbth.exe 3156 5dppj.exe 4672 xrrxrxr.exe 1808 fflllrx.exe 924 7nhhbh.exe 4424 jpddd.exe 224 fxllfll.exe 4800 hbtnbb.exe 512 dppdp.exe 5048 lrxlxlx.exe 464 rrxflrl.exe 3020 hhhbbb.exe 3260 jjvdv.exe 5068 jvpjv.exe 4256 lrrfxrl.exe 940 hbttnt.exe 2340 jpvdj.exe 1880 vpddj.exe 2008 lfxxlfl.exe 3940 fxlfllx.exe 5072 nbtnhb.exe 4124 pdjjd.exe 3152 dvvpp.exe -
resource yara_rule behavioral2/memory/856-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-292-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1632-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-99-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2848-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-810-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1856 wrote to memory of 856 1856 166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe 84 PID 1856 wrote to memory of 856 1856 166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe 84 PID 1856 wrote to memory of 856 1856 166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe 84 PID 856 wrote to memory of 1144 856 lrlfrfr.exe 85 PID 856 wrote to memory of 1144 856 lrlfrfr.exe 85 PID 856 wrote to memory of 1144 856 lrlfrfr.exe 85 PID 1144 wrote to memory of 464 1144 nnbbtb.exe 135 PID 1144 wrote to memory of 464 1144 nnbbtb.exe 135 PID 1144 wrote to memory of 464 1144 nnbbtb.exe 135 PID 464 wrote to memory of 2956 464 lfllrrl.exe 87 PID 464 wrote to memory of 2956 464 lfllrrl.exe 87 PID 464 wrote to memory of 2956 464 lfllrrl.exe 87 PID 2956 wrote to memory of 1780 2956 7hnhbb.exe 88 PID 2956 wrote to memory of 1780 2956 7hnhbb.exe 88 PID 2956 wrote to memory of 1780 2956 7hnhbb.exe 88 PID 1780 wrote to memory of 2316 1780 1vddj.exe 89 PID 1780 wrote to memory of 2316 1780 1vddj.exe 89 PID 1780 wrote to memory of 2316 1780 1vddj.exe 89 PID 2316 wrote to memory of 1172 2316 pjvjj.exe 90 PID 2316 wrote to memory of 1172 2316 pjvjj.exe 90 PID 2316 wrote to memory of 1172 2316 pjvjj.exe 90 PID 1172 wrote to memory of 1880 1172 vpddj.exe 142 PID 1172 wrote to memory of 1880 1172 vpddj.exe 142 PID 1172 wrote to memory of 1880 1172 vpddj.exe 142 PID 1880 wrote to memory of 228 1880 rfxfxxr.exe 92 PID 1880 wrote to memory of 228 1880 rfxfxxr.exe 92 PID 1880 wrote to memory of 228 1880 rfxfxxr.exe 92 PID 228 wrote to memory of 1932 228 nbbbbh.exe 93 PID 228 wrote to memory of 1932 228 nbbbbh.exe 93 PID 228 wrote to memory of 1932 228 nbbbbh.exe 93 PID 1932 wrote to memory of 3888 1932 bbnhnn.exe 94 PID 1932 wrote to memory of 3888 1932 bbnhnn.exe 94 PID 1932 wrote to memory of 3888 1932 bbnhnn.exe 94 PID 3888 wrote to memory of 3480 3888 dpdvv.exe 95 PID 3888 wrote to memory of 3480 3888 
dpdvv.exe 95 PID 3888 wrote to memory of 3480 3888 dpdvv.exe 95 PID 3480 wrote to memory of 3332 3480 rfxrxlx.exe 96 PID 3480 wrote to memory of 3332 3480 rfxrxlx.exe 96 PID 3480 wrote to memory of 3332 3480 rfxrxlx.exe 96 PID 3332 wrote to memory of 2848 3332 vvvvj.exe 97 PID 3332 wrote to memory of 2848 3332 vvvvj.exe 97 PID 3332 wrote to memory of 2848 3332 vvvvj.exe 97 PID 2848 wrote to memory of 4580 2848 lxxrlfx.exe 98 PID 2848 wrote to memory of 4580 2848 lxxrlfx.exe 98 PID 2848 wrote to memory of 4580 2848 lxxrlfx.exe 98 PID 4580 wrote to memory of 1632 4580 1nnnhh.exe 99 PID 4580 wrote to memory of 1632 4580 1nnnhh.exe 99 PID 4580 wrote to memory of 1632 4580 1nnnhh.exe 99 PID 1632 wrote to memory of 632 1632 djjjd.exe 100 PID 1632 wrote to memory of 632 1632 djjjd.exe 100 PID 1632 wrote to memory of 632 1632 djjjd.exe 100 PID 632 wrote to memory of 2988 632 9jpdv.exe 101 PID 632 wrote to memory of 2988 632 9jpdv.exe 101 PID 632 wrote to memory of 2988 632 9jpdv.exe 101 PID 2988 wrote to memory of 4556 2988 ffffffr.exe 102 PID 2988 wrote to memory of 4556 2988 ffffffr.exe 102 PID 2988 wrote to memory of 4556 2988 ffffffr.exe 102 PID 4556 wrote to memory of 4808 4556 3tbtbb.exe 103 PID 4556 wrote to memory of 4808 4556 3tbtbb.exe 103 PID 4556 wrote to memory of 4808 4556 3tbtbb.exe 103 PID 4808 wrote to memory of 2688 4808 7dpvp.exe 104 PID 4808 wrote to memory of 2688 4808 7dpvp.exe 104 PID 4808 wrote to memory of 2688 4808 7dpvp.exe 104 PID 2688 wrote to memory of 1832 2688 7xffxfx.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe"C:\Users\Admin\AppData\Local\Temp\166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\lrlfrfr.exec:\lrlfrfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\nnbbtb.exec:\nnbbtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\lfllrrl.exec:\lfllrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\7hnhbb.exec:\7hnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\1vddj.exec:\1vddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\pjvjj.exec:\pjvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\vpddj.exec:\vpddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\rfxfxxr.exec:\rfxfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\nbbbbh.exec:\nbbbbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\bbnhnn.exec:\bbnhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\dpdvv.exec:\dpdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\rfxrxlx.exec:\rfxrxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\vvvvj.exec:\vvvvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\1nnnhh.exec:\1nnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\djjjd.exec:\djjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\9jpdv.exec:\9jpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\ffffffr.exec:\ffffffr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\3tbtbb.exec:\3tbtbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\7dpvp.exec:\7dpvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\7xffxfx.exec:\7xffxfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\xxrrxxx.exec:\xxrrxxx.exe23⤵
- Executes dropped EXE
PID:1832 -
\??\c:\3vvjv.exec:\3vvjv.exe24⤵
- Executes dropped EXE
PID:1716 -
\??\c:\lllfxxf.exec:\lllfxxf.exe25⤵
- Executes dropped EXE
PID:3552 -
\??\c:\fflrflx.exec:\fflrflx.exe26⤵
- Executes dropped EXE
PID:3520 -
\??\c:\nhtbbh.exec:\nhtbbh.exe27⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jppdp.exec:\jppdp.exe28⤵
- Executes dropped EXE
PID:392 -
\??\c:\vdppj.exec:\vdppj.exe29⤵
- Executes dropped EXE
PID:3492 -
\??\c:\9rrfxfl.exec:\9rrfxfl.exe30⤵
- Executes dropped EXE
PID:2844 -
\??\c:\hbbnnh.exec:\hbbnnh.exe31⤵
- Executes dropped EXE
PID:5112 -
\??\c:\vdvpp.exec:\vdvpp.exe32⤵
- Executes dropped EXE
PID:3308 -
\??\c:\rxrxxlx.exec:\rxrxxlx.exe33⤵
- Executes dropped EXE
PID:3472 -
\??\c:\bbbbtt.exec:\bbbbtt.exe34⤵
- Executes dropped EXE
PID:1016 -
\??\c:\vjjjd.exec:\vjjjd.exe35⤵
- Executes dropped EXE
PID:2928 -
\??\c:\flxxxrf.exec:\flxxxrf.exe36⤵
- Executes dropped EXE
PID:2144 -
\??\c:\1xlllll.exec:\1xlllll.exe37⤵
- Executes dropped EXE
PID:3060 -
\??\c:\9bbttb.exec:\9bbttb.exe38⤵
- Executes dropped EXE
PID:2208 -
\??\c:\3nhbnn.exec:\3nhbnn.exe39⤵
- Executes dropped EXE
PID:716 -
\??\c:\pdjdv.exec:\pdjdv.exe40⤵
- Executes dropped EXE
PID:3716 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe41⤵
- Executes dropped EXE
PID:3340 -
\??\c:\nbnbnh.exec:\nbnbnh.exe42⤵
- Executes dropped EXE
PID:1580 -
\??\c:\btbbth.exec:\btbbth.exe43⤵
- Executes dropped EXE
PID:3184 -
\??\c:\5dppj.exec:\5dppj.exe44⤵
- Executes dropped EXE
PID:3156 -
\??\c:\xrrxrxr.exec:\xrrxrxr.exe45⤵
- Executes dropped EXE
PID:4672 -
\??\c:\fflllrx.exec:\fflllrx.exe46⤵
- Executes dropped EXE
PID:1808 -
\??\c:\7nhhbh.exec:\7nhhbh.exe47⤵
- Executes dropped EXE
PID:924 -
\??\c:\jpddd.exec:\jpddd.exe48⤵
- Executes dropped EXE
PID:4424 -
\??\c:\fxllfll.exec:\fxllfll.exe49⤵
- Executes dropped EXE
PID:224 -
\??\c:\hbtnbb.exec:\hbtnbb.exe50⤵
- Executes dropped EXE
PID:4800 -
\??\c:\dppdp.exec:\dppdp.exe51⤵
- Executes dropped EXE
PID:512 -
\??\c:\lrxlxlx.exec:\lrxlxlx.exe52⤵
- Executes dropped EXE
PID:5048 -
\??\c:\rrxflrl.exec:\rrxflrl.exe53⤵
- Executes dropped EXE
PID:464 -
\??\c:\hhhbbb.exec:\hhhbbb.exe54⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jjvdv.exec:\jjvdv.exe55⤵
- Executes dropped EXE
PID:3260 -
\??\c:\jvpjv.exec:\jvpjv.exe56⤵
- Executes dropped EXE
PID:5068 -
\??\c:\lrrfxrl.exec:\lrrfxrl.exe57⤵
- Executes dropped EXE
PID:4256 -
\??\c:\hbttnt.exec:\hbttnt.exe58⤵
- Executes dropped EXE
PID:940 -
\??\c:\jpvdj.exec:\jpvdj.exe59⤵
- Executes dropped EXE
PID:2340 -
\??\c:\vpddj.exec:\vpddj.exe60⤵
- Executes dropped EXE
PID:1880 -
\??\c:\lfxxlfl.exec:\lfxxlfl.exe61⤵
- Executes dropped EXE
PID:2008 -
\??\c:\fxlfllx.exec:\fxlfllx.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3940 -
\??\c:\nbtnhb.exec:\nbtnhb.exe63⤵
- Executes dropped EXE
PID:5072 -
\??\c:\pdjjd.exec:\pdjjd.exe64⤵
- Executes dropped EXE
PID:4124 -
\??\c:\dvvpp.exec:\dvvpp.exe65⤵
- Executes dropped EXE
PID:3152 -
\??\c:\rlffrfr.exec:\rlffrfr.exe66⤵PID:1584
-
\??\c:\tttntt.exec:\tttntt.exe67⤵PID:4144
-
\??\c:\nhbttt.exec:\nhbttt.exe68⤵PID:3516
-
\??\c:\bnhnht.exec:\bnhnht.exe69⤵PID:1444
-
\??\c:\1ppdv.exec:\1ppdv.exe70⤵PID:2248
-
\??\c:\5fxxlxl.exec:\5fxxlxl.exe71⤵PID:2452
-
\??\c:\1flxrll.exec:\1flxrll.exe72⤵PID:1632
-
\??\c:\nnhtnn.exec:\nnhtnn.exe73⤵PID:3576
-
\??\c:\3btbnh.exec:\3btbnh.exe74⤵PID:4436
-
\??\c:\1jjvp.exec:\1jjvp.exe75⤵PID:3672
-
\??\c:\fffrfxl.exec:\fffrfxl.exe76⤵PID:3256
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe77⤵PID:4216
-
\??\c:\nbbntn.exec:\nbbntn.exe78⤵PID:1548
-
\??\c:\5jdvj.exec:\5jdvj.exe79⤵PID:872
-
\??\c:\vvdpj.exec:\vvdpj.exe80⤵PID:2664
-
\??\c:\9ffrlfx.exec:\9ffrlfx.exe81⤵PID:3676
-
\??\c:\lffxrlf.exec:\lffxrlf.exe82⤵PID:4532
-
\??\c:\htbthb.exec:\htbthb.exe83⤵PID:2412
-
\??\c:\9nhtnt.exec:\9nhtnt.exe84⤵PID:1504
-
\??\c:\jddpd.exec:\jddpd.exe85⤵PID:1344
-
\??\c:\1xxllff.exec:\1xxllff.exe86⤵PID:1312
-
\??\c:\rrrffxl.exec:\rrrffxl.exe87⤵PID:5044
-
\??\c:\7ttbnn.exec:\7ttbnn.exe88⤵PID:3696
-
\??\c:\hbthbn.exec:\hbthbn.exe89⤵PID:644
-
\??\c:\jjpjd.exec:\jjpjd.exe90⤵PID:2420
-
\??\c:\dvvjd.exec:\dvvjd.exe91⤵PID:2784
-
\??\c:\fxlxrfr.exec:\fxlxrfr.exe92⤵PID:4168
-
\??\c:\btnnnh.exec:\btnnnh.exe93⤵PID:3868
-
\??\c:\tbnhbt.exec:\tbnhbt.exe94⤵PID:4308
-
\??\c:\pjvpd.exec:\pjvpd.exe95⤵PID:1936
-
\??\c:\7rlfxrf.exec:\7rlfxrf.exe96⤵PID:4536
-
\??\c:\lrrlflx.exec:\lrrlflx.exe97⤵PID:2208
-
\??\c:\tnthtn.exec:\tnthtn.exe98⤵PID:2724
-
\??\c:\nbnbhh.exec:\nbnbhh.exe99⤵PID:4812
-
\??\c:\7vvdv.exec:\7vvdv.exe100⤵PID:3232
-
\??\c:\9vpvj.exec:\9vpvj.exe101⤵PID:1644
-
\??\c:\rrlfrlx.exec:\rrlfrlx.exe102⤵PID:624
-
\??\c:\ttbnbt.exec:\ttbnbt.exe103⤵PID:2360
-
\??\c:\ntthtn.exec:\ntthtn.exe104⤵PID:1008
-
\??\c:\pvvjv.exec:\pvvjv.exe105⤵PID:3876
-
\??\c:\djpdj.exec:\djpdj.exe106⤵PID:3984
-
\??\c:\lxxrxrx.exec:\lxxrxrx.exe107⤵PID:2136
-
\??\c:\frrfrlx.exec:\frrfrlx.exe108⤵PID:32
-
\??\c:\nnnbnh.exec:\nnnbnh.exe109⤵PID:4724
-
\??\c:\vvdpd.exec:\vvdpd.exe110⤵PID:4816
-
\??\c:\pjjvp.exec:\pjjvp.exe111⤵PID:3144
-
\??\c:\xxxlxrf.exec:\xxxlxrf.exe112⤵PID:3352
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe113⤵PID:3624
-
\??\c:\9hbtht.exec:\9hbtht.exe114⤵PID:2604
-
\??\c:\hhhnbb.exec:\hhhnbb.exe115⤵PID:1196
-
\??\c:\3pdvd.exec:\3pdvd.exe116⤵PID:2800
-
\??\c:\lxrflfx.exec:\lxrflfx.exe117⤵PID:3024
-
\??\c:\xlxlxlx.exec:\xlxlxlx.exe118⤵PID:792
-
\??\c:\ntnhbt.exec:\ntnhbt.exe119⤵PID:4256
-
\??\c:\pjpdv.exec:\pjpdv.exe120⤵PID:940
-
\??\c:\rlrfxrl.exec:\rlrfxrl.exe121⤵PID:1984
-
\??\c:\lxrfrfx.exec:\lxrfrfx.exe122⤵PID:904