Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2024, 06:31
Behavioral task: behavioral1
Sample: 92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe
Resource: win7-20240903-en
General
Target: 92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe
Size: 3.7MB
MD5: bcb7fbe544a5cb5cce83b81a3387fa51
SHA1: fdb957330a0ceece59d7b9d493a568eeed95a178
SHA256: 92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b
SHA512: 3c44b0ff6a207f9bb325d59b13e2e8891a34ef6619c647a49edf2bc673ca2d55ce0af87df615d429a83edd6543d249ecf3a8ff89ca6e5c81bc99cc7b10e156cc
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98P:U6XLq/qPPslzKx/dJg1ErmNY
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 63 IoCs
Njrat family
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes (tree depth, image path, command line, PID, signatures triggered):
1. C:\Users\Admin\AppData\Local\Temp\92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe  "C:\Users\Admin\AppData\Local\Temp\92152ddcad49daba8d7344aed4dba33eb07844bd02f7bd78f691e7d0615b863b.exe"  PID:4600  [Suspicious use of WriteProcessMemory]
2. \??\c:\tttnnn.exe  c:\tttnnn.exe  PID:1800  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3. \??\c:\fffrllf.exe  c:\fffrllf.exe  PID:3124  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4. \??\c:\xrllfll.exe  c:\xrllfll.exe  PID:2544  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5. \??\c:\vjjpp.exe  c:\vjjpp.exe  PID:1460  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6. \??\c:\frfffff.exe  c:\frfffff.exe  PID:2012  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7. \??\c:\flffxxx.exe  c:\flffxxx.exe  PID:2484  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8. \??\c:\flfffll.exe  c:\flfffll.exe  PID:1604  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9. \??\c:\xxlrllx.exe  c:\xxlrllx.exe  PID:1188  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10. \??\c:\tbbttt.exe  c:\tbbttt.exe  PID:3724  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11. \??\c:\nttttt.exe  c:\nttttt.exe  PID:5052  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12. \??\c:\hbbttb.exe  c:\hbbttb.exe  PID:816  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13. \??\c:\jdjjj.exe  c:\jdjjj.exe  PID:1420  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14. \??\c:\djvvj.exe  c:\djvvj.exe  PID:4848  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15. \??\c:\rllfxxr.exe  c:\rllfxxr.exe  PID:220  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16. \??\c:\vvpjj.exe  c:\vvpjj.exe  PID:932  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17. \??\c:\xrxlffx.exe  c:\xrxlffx.exe  PID:5060  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18. \??\c:\rlrllll.exe  c:\rlrllll.exe  PID:3376  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19. \??\c:\5fxrlfx.exe  c:\5fxrlfx.exe  PID:452  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20. \??\c:\lfxrlfx.exe  c:\lfxrlfx.exe  PID:5072  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21. \??\c:\xxfffll.exe  c:\xxfffll.exe  PID:4656  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22. \??\c:\llfxfxr.exe  c:\llfxfxr.exe  PID:2372  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23. \??\c:\xrfxxxr.exe  c:\xrfxxxr.exe  PID:4244  [Executes dropped EXE]
24. \??\c:\3ntnhh.exe  c:\3ntnhh.exe  PID:4632  [Executes dropped EXE]
25. \??\c:\fxlfffx.exe  c:\fxlfffx.exe  PID:8  [Executes dropped EXE]
26. \??\c:\bntnhb.exe  c:\bntnhb.exe  PID:988  [Executes dropped EXE]
27. \??\c:\fllrffr.exe  c:\fllrffr.exe  PID:1532  [Executes dropped EXE]
28. \??\c:\rllfxxr.exe  c:\rllfxxr.exe  PID:3536  [Executes dropped EXE; System Location Discovery: System Language Discovery]
29. \??\c:\lrfllrx.exe  c:\lrfllrx.exe  PID:1760  [Executes dropped EXE; System Location Discovery: System Language Discovery]
30. \??\c:\llfllll.exe  c:\llfllll.exe  PID:3476  [Executes dropped EXE]
31. \??\c:\ttbbtb.exe  c:\ttbbtb.exe  PID:1040  [Executes dropped EXE]
32. \??\c:\jvjdv.exe  c:\jvjdv.exe  PID:1300  [Executes dropped EXE]
33. \??\c:\vpvdj.exe  c:\vpvdj.exe  PID:4884  [Executes dropped EXE]
34. \??\c:\3djjj.exe  c:\3djjj.exe  PID:3680  [Executes dropped EXE]
35. \??\c:\thnhhh.exe  c:\thnhhh.exe  PID:2296  [Executes dropped EXE]
36. \??\c:\htbnnn.exe  c:\htbnnn.exe  PID:2672  [Executes dropped EXE]
37. \??\c:\tbhhnn.exe  c:\tbhhnn.exe  PID:4368  [Executes dropped EXE]
38. \??\c:\bnnnnn.exe  c:\bnnnnn.exe  PID:4600  [Executes dropped EXE]
39. \??\c:\hthhhh.exe  c:\hthhhh.exe  PID:3988  [Executes dropped EXE]
40. \??\c:\dvvvp.exe  c:\dvvvp.exe  PID:2224  [Executes dropped EXE]
41. \??\c:\7ttttn.exe  c:\7ttttn.exe  PID:772  [Executes dropped EXE]
42. \??\c:\hbhbbb.exe  c:\hbhbbb.exe  PID:3124  [Executes dropped EXE]
43. \??\c:\hbtnht.exe  c:\hbtnht.exe  PID:4836  [Executes dropped EXE]
44. \??\c:\bthhhn.exe  c:\bthhhn.exe  PID:3944  [Executes dropped EXE]
45. \??\c:\thnnnt.exe  c:\thnnnt.exe  PID:4568  [Executes dropped EXE]
46. \??\c:\bbhtnh.exe  c:\bbhtnh.exe  PID:216  [Executes dropped EXE; System Location Discovery: System Language Discovery]
47. \??\c:\bbbnhb.exe  c:\bbbnhb.exe  PID:2484  [Executes dropped EXE]
48. \??\c:\ddpjd.exe  c:\ddpjd.exe  PID:1524  [Executes dropped EXE]
49. \??\c:\bhnntt.exe  c:\bhnntt.exe  PID:2700  [Executes dropped EXE]
50. \??\c:\hhhbtn.exe  c:\hhhbtn.exe  PID:2728  [Executes dropped EXE]
51. \??\c:\3ttnhh.exe  c:\3ttnhh.exe  PID:4280  [Executes dropped EXE]
52. \??\c:\tnhhtn.exe  c:\tnhhtn.exe  PID:2736  [Executes dropped EXE]
53. \??\c:\ttbbbt.exe  c:\ttbbbt.exe  PID:2680  [Executes dropped EXE]
54. \??\c:\tthhhh.exe  c:\tthhhh.exe  PID:3520  [Executes dropped EXE]
55. \??\c:\bhnnnb.exe  c:\bhnnnb.exe  PID:4112  [Executes dropped EXE]
56. \??\c:\bbbtbb.exe  c:\bbbtbb.exe  PID:4020  [Executes dropped EXE]
57. \??\c:\hntnnh.exe  c:\hntnnh.exe  PID:2136  [Executes dropped EXE]
58. \??\c:\tthnhn.exe  c:\tthnhn.exe  PID:764  [Executes dropped EXE; System Location Discovery: System Language Discovery]
59. \??\c:\ttbbnt.exe  c:\ttbbnt.exe  PID:2360  [Executes dropped EXE]
60. \??\c:\bbnhtt.exe  c:\bbnhtt.exe  PID:1640  [Executes dropped EXE]
61. \??\c:\7tbbtb.exe  c:\7tbbtb.exe  PID:4852  [Executes dropped EXE]
62. \??\c:\flxfrfr.exe  c:\flxfrfr.exe  PID:1904  [Executes dropped EXE]
63. \??\c:\ffrrllf.exe  c:\ffrrllf.exe  PID:876  [Executes dropped EXE]
64. \??\c:\rxxxrrx.exe  c:\rxxxrrx.exe  PID:4404  [Executes dropped EXE]
65. \??\c:\lflllrr.exe  c:\lflllrr.exe  PID:1228  [Executes dropped EXE]
66. \??\c:\xlflffl.exe  c:\xlflffl.exe  PID:488
67. \??\c:\1fxxxrr.exe  c:\1fxxxrr.exe  PID:3360
68. \??\c:\5fxxrlf.exe  c:\5fxxrlf.exe  PID:2624
69. \??\c:\fxrfrlf.exe  c:\fxrfrlf.exe  PID:5072
70. \??\c:\xlfrlrr.exe  c:\xlfrlrr.exe  PID:1068
71. \??\c:\rffxxxr.exe  c:\rffxxxr.exe  PID:3152
72. \??\c:\fllllll.exe  c:\fllllll.exe  PID:4232
73. \??\c:\lrflrrr.exe  c:\lrflrrr.exe  PID:4692
74. \??\c:\xrrfxrl.exe  c:\xrrfxrl.exe  PID:3252
75. \??\c:\5pvpv.exe  c:\5pvpv.exe  PID:4636
76. \??\c:\ppvpp.exe  c:\ppvpp.exe  PID:4588
77. \??\c:\jdvpj.exe  c:\jdvpj.exe  PID:1572
78. \??\c:\pjddd.exe  c:\pjddd.exe  PID:5112
79. \??\c:\pppvp.exe  c:\pppvp.exe  PID:2640
80. \??\c:\vdjvp.exe  c:\vdjvp.exe  PID:4324
81. \??\c:\jvjdp.exe  c:\jvjdp.exe  PID:3688
82. \??\c:\pjpvj.exe  c:\pjpvj.exe  PID:2420
83. \??\c:\jvvpd.exe  c:\jvvpd.exe  PID:1676
84. \??\c:\nhhbtt.exe  c:\nhhbtt.exe  PID:2368
85. \??\c:\bnhbnb.exe  c:\bnhbnb.exe  PID:2920
86. \??\c:\1nhbtt.exe  c:\1nhbtt.exe  PID:3436
87. \??\c:\hnnhht.exe  c:\hnnhht.exe  PID:2296
88. \??\c:\hntnhh.exe  c:\hntnhh.exe  PID:4436  [System Location Discovery: System Language Discovery]
89. \??\c:\flflfxl.exe  c:\flflfxl.exe  PID:4408
90. \??\c:\llxlfxr.exe  c:\llxlfxr.exe  PID:2428
91. \??\c:\lxxxxrr.exe  c:\lxxxxrr.exe  PID:4708
92. \??\c:\rlxrlfx.exe  c:\rlxrlfx.exe  PID:2020
93. \??\c:\pjvjv.exe  c:\pjvjv.exe  PID:3700
94. \??\c:\7ddvp.exe  c:\7ddvp.exe  PID:2288
95. \??\c:\vdjdv.exe  c:\vdjdv.exe  PID:4828
96. \??\c:\vpvpj.exe  c:\vpvpj.exe  PID:1592
97. \??\c:\djpjj.exe  c:\djpjj.exe  PID:4788
98. \??\c:\jjppp.exe  c:\jjppp.exe  PID:860
99. \??\c:\vvddd.exe  c:\vvddd.exe  PID:2188
100. \??\c:\vppjj.exe  c:\vppjj.exe  PID:3820
101. \??\c:\jvpjd.exe  c:\jvpjd.exe  PID:600
102. \??\c:\jppjd.exe  c:\jppjd.exe  PID:4280
103. \??\c:\pjjjd.exe  c:\pjjjd.exe  PID:5092
104. \??\c:\ddpjv.exe  c:\ddpjv.exe  PID:2988
105. \??\c:\bnnnbb.exe  c:\bnnnbb.exe  PID:4928
106. \??\c:\bhttnh.exe  c:\bhttnh.exe  PID:4864
107. \??\c:\bhbtnn.exe  c:\bhbtnn.exe  PID:1432
108. \??\c:\hnhbbb.exe  c:\hnhbbb.exe  PID:4008
109. \??\c:\bhthbt.exe  c:\bhthbt.exe  PID:4896
110. \??\c:\flxrrll.exe  c:\flxrrll.exe  PID:1640
111. \??\c:\frrlxxl.exe  c:\frrlxxl.exe  PID:3016
112. \??\c:\rxrxlxr.exe  c:\rxrxlxr.exe  PID:556
113. \??\c:\llffrxr.exe  c:\llffrxr.exe  PID:876
114. \??\c:\ffxrlll.exe  c:\ffxrlll.exe  PID:4648
115. \??\c:\dvdpj.exe  c:\dvdpj.exe  PID:368
116. \??\c:\jpvpj.exe  c:\jpvpj.exe  PID:1468
117. \??\c:\vvdvp.exe  c:\vvdvp.exe  PID:4696
118. \??\c:\jjjdp.exe  c:\jjjdp.exe  PID:1688
119. \??\c:\djvvp.exe  c:\djvvp.exe  PID:4372
120. \??\c:\7nthbb.exe  c:\7nthbb.exe  PID:1472
121. \??\c:\thbbbb.exe  c:\thbbbb.exe  PID:1372
122. \??\c:\tntnhh.exe  c:\tntnhh.exe  PID:4424