Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2025, 06:51
Static task: static1
Behavioral task: behavioral1
Sample: 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe
Resource: win7-20241010-en
General
Target: 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe
Size: 455KB
MD5: 6c094423151ca8135feb0ddf76a08630
SHA1: 39cf6929aad58026554fde70ae75b8936e2708b7
SHA256: 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266
SHA512: af3b5c4e540831fa6e9b13f202f1886f5cd70bd55bae9a06245494b4088a66e80abb831b17998d551e52decddc4901681406e640fba512042164b075df098030
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
resource yara_rule behavioral2/memory/3484-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4616-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2972-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-991-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-1082-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3648-1183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
Executes dropped EXE (64 IoCs)
pid Process 4316 rxxrfll.exe 4352 jvvpj.exe 1988 thttnn.exe 3344 rlfxrfx.exe 1376 vjppp.exe 1896 9lrlffx.exe 2640 dppjd.exe 4360 jpvpp.exe 456 pvpjd.exe 4144 tbhbhh.exe 3044 5hnnbb.exe 1292 5pvvd.exe 1724 lfxxrrl.exe 1316 nntttt.exe 208 ffllxxl.exe 3176 bhnnnn.exe 3704 1jvjv.exe 2032 rffxlxr.exe 4420 hbbbtt.exe 1352 pdvpp.exe 2868 bbbhnh.exe 3772 jppjv.exe 860 lxxrxxr.exe 4844 hnbtnn.exe 1448 nntnnn.exe 1196 frrlfxr.exe 4636 bbhhbb.exe 1496 tnbthn.exe 4616 pdjdp.exe 1668 rrlfxxx.exe 2504 nttnnh.exe 2024 vppjd.exe 1172 lffxrrl.exe 2324 xlllfff.exe 1192 thtbbt.exe 5092 3vvjd.exe 2232 frrrlll.exe 2180 xrlxrrl.exe 3992 tbtnhh.exe 976 vjpjd.exe 4600 lxffxxx.exe 1860 rxfllff.exe 3564 bbnntt.exe 2076 ppjdv.exe 4508 llrxxxf.exe 4692 bnbbbb.exe 1532 pdppj.exe 3608 3ffxrlx.exe 4464 lflfxxl.exe 4128 httnhh.exe 3908 jvvdp.exe 1508 rxfxrrl.exe 4900 hthntb.exe 3700 tnhbbb.exe 4400 pjdpj.exe 2604 lxfrffx.exe 5024 tbtnhh.exe 972 thnhbh.exe 2276 rrrlxxl.exe 4804 lffxxrr.exe 3488 bttnnn.exe 3344 tnnhhh.exe 1884 pvdvj.exe 2708 ffxrffx.exe -
resource yara_rule behavioral2/memory/3484-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-181-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1172-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3076-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-991-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 3484 wrote to memory of 4316 3484 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe 82 PID 3484 wrote to memory of 4316 3484 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe 82 PID 3484 wrote to memory of 4316 3484 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe 82 PID 4316 wrote to memory of 4352 4316 rxxrfll.exe 83 PID 4316 wrote to memory of 4352 4316 rxxrfll.exe 83 PID 4316 wrote to memory of 4352 4316 rxxrfll.exe 83 PID 4352 wrote to memory of 1988 4352 jvvpj.exe 84 PID 4352 wrote to memory of 1988 4352 jvvpj.exe 84 PID 4352 wrote to memory of 1988 4352 jvvpj.exe 84 PID 1988 wrote to memory of 3344 1988 thttnn.exe 85 PID 1988 wrote to memory of 3344 1988 thttnn.exe 85 PID 1988 wrote to memory of 3344 1988 thttnn.exe 85 PID 3344 wrote to memory of 1376 3344 rlfxrfx.exe 86 PID 3344 wrote to memory of 1376 3344 rlfxrfx.exe 86 PID 3344 wrote to memory of 1376 3344 rlfxrfx.exe 86 PID 1376 wrote to memory of 1896 1376 vjppp.exe 87 PID 1376 wrote to memory of 1896 1376 vjppp.exe 87 PID 1376 wrote to memory of 1896 1376 vjppp.exe 87 PID 1896 wrote to memory of 2640 1896 9lrlffx.exe 88 PID 1896 wrote to memory of 2640 1896 9lrlffx.exe 88 PID 1896 wrote to memory of 2640 1896 9lrlffx.exe 88 PID 2640 wrote to memory of 4360 2640 dppjd.exe 89 PID 2640 wrote to memory of 4360 2640 dppjd.exe 89 PID 2640 wrote to memory of 4360 2640 dppjd.exe 89 PID 4360 wrote to memory of 456 4360 jpvpp.exe 90 PID 4360 wrote to memory of 456 4360 jpvpp.exe 90 PID 4360 wrote to memory of 456 4360 jpvpp.exe 90 PID 456 wrote to memory of 4144 456 pvpjd.exe 91 PID 456 wrote to memory of 4144 456 pvpjd.exe 91 PID 456 wrote to memory of 4144 456 pvpjd.exe 91 PID 4144 wrote to memory of 3044 4144 tbhbhh.exe 92 PID 4144 wrote to memory of 3044 4144 tbhbhh.exe 92 PID 4144 wrote to memory of 3044 4144 tbhbhh.exe 92 PID 3044 wrote to memory of 1292 3044 5hnnbb.exe 93 PID 3044 wrote to memory of 
1292 3044 5hnnbb.exe 93 PID 3044 wrote to memory of 1292 3044 5hnnbb.exe 93 PID 1292 wrote to memory of 1724 1292 5pvvd.exe 94 PID 1292 wrote to memory of 1724 1292 5pvvd.exe 94 PID 1292 wrote to memory of 1724 1292 5pvvd.exe 94 PID 1724 wrote to memory of 1316 1724 lfxxrrl.exe 95 PID 1724 wrote to memory of 1316 1724 lfxxrrl.exe 95 PID 1724 wrote to memory of 1316 1724 lfxxrrl.exe 95 PID 1316 wrote to memory of 208 1316 nntttt.exe 96 PID 1316 wrote to memory of 208 1316 nntttt.exe 96 PID 1316 wrote to memory of 208 1316 nntttt.exe 96 PID 208 wrote to memory of 3176 208 ffllxxl.exe 97 PID 208 wrote to memory of 3176 208 ffllxxl.exe 97 PID 208 wrote to memory of 3176 208 ffllxxl.exe 97 PID 3176 wrote to memory of 3704 3176 bhnnnn.exe 98 PID 3176 wrote to memory of 3704 3176 bhnnnn.exe 98 PID 3176 wrote to memory of 3704 3176 bhnnnn.exe 98 PID 3704 wrote to memory of 2032 3704 1jvjv.exe 99 PID 3704 wrote to memory of 2032 3704 1jvjv.exe 99 PID 3704 wrote to memory of 2032 3704 1jvjv.exe 99 PID 2032 wrote to memory of 4420 2032 rffxlxr.exe 100 PID 2032 wrote to memory of 4420 2032 rffxlxr.exe 100 PID 2032 wrote to memory of 4420 2032 rffxlxr.exe 100 PID 4420 wrote to memory of 1352 4420 hbbbtt.exe 101 PID 4420 wrote to memory of 1352 4420 hbbbtt.exe 101 PID 4420 wrote to memory of 1352 4420 hbbbtt.exe 101 PID 1352 wrote to memory of 2868 1352 pdvpp.exe 102 PID 1352 wrote to memory of 2868 1352 pdvpp.exe 102 PID 1352 wrote to memory of 2868 1352 pdvpp.exe 102 PID 2868 wrote to memory of 3772 2868 bbbhnh.exe 103
Processes
depth | image | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe | "C:\Users\Admin\AppData\Local\Temp\080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe" | PID:3484 | Suspicious use of WriteProcessMemory
2 | \??\c:\rxxrfll.exe | c:\rxxrfll.exe | PID:4316 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\jvvpj.exe | c:\jvvpj.exe | PID:4352 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\thttnn.exe | c:\thttnn.exe | PID:1988 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\rlfxrfx.exe | c:\rlfxrfx.exe | PID:3344 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\vjppp.exe | c:\vjppp.exe | PID:1376 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\9lrlffx.exe | c:\9lrlffx.exe | PID:1896 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\dppjd.exe | c:\dppjd.exe | PID:2640 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\jpvpp.exe | c:\jpvpp.exe | PID:4360 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\pvpjd.exe | c:\pvpjd.exe | PID:456 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\tbhbhh.exe | c:\tbhbhh.exe | PID:4144 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\5hnnbb.exe | c:\5hnnbb.exe | PID:3044 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\5pvvd.exe | c:\5pvvd.exe | PID:1292 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\lfxxrrl.exe | c:\lfxxrrl.exe | PID:1724 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\nntttt.exe | c:\nntttt.exe | PID:1316 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | \??\c:\ffllxxl.exe | c:\ffllxxl.exe | PID:208 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\bhnnnn.exe | c:\bhnnnn.exe | PID:3176 | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | \??\c:\1jvjv.exe | c:\1jvjv.exe | PID:3704 | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | \??\c:\rffxlxr.exe | c:\rffxlxr.exe | PID:2032 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | \??\c:\hbbbtt.exe | c:\hbbbtt.exe | PID:4420 | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | \??\c:\pdvpp.exe | c:\pdvpp.exe | PID:1352 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | \??\c:\bbbhnh.exe | c:\bbbhnh.exe | PID:2868 | Executes dropped EXE; Suspicious use of WriteProcessMemory
23 | \??\c:\jppjv.exe | c:\jppjv.exe | PID:3772 | Executes dropped EXE
24 | \??\c:\lxxrxxr.exe | c:\lxxrxxr.exe | PID:860 | Executes dropped EXE
25 | \??\c:\hnbtnn.exe | c:\hnbtnn.exe | PID:4844 | Executes dropped EXE
26 | \??\c:\nntnnn.exe | c:\nntnnn.exe | PID:1448 | Executes dropped EXE
27 | \??\c:\frrlfxr.exe | c:\frrlfxr.exe | PID:1196 | Executes dropped EXE
28 | \??\c:\bbhhbb.exe | c:\bbhhbb.exe | PID:4636 | Executes dropped EXE
29 | \??\c:\tnbthn.exe | c:\tnbthn.exe | PID:1496 | Executes dropped EXE
30 | \??\c:\pdjdp.exe | c:\pdjdp.exe | PID:4616 | Executes dropped EXE
31 | \??\c:\rrlfxxx.exe | c:\rrlfxxx.exe | PID:1668 | Executes dropped EXE
32 | \??\c:\nttnnh.exe | c:\nttnnh.exe | PID:2504 | Executes dropped EXE
33 | \??\c:\vppjd.exe | c:\vppjd.exe | PID:2024 | Executes dropped EXE
34 | \??\c:\lffxrrl.exe | c:\lffxrrl.exe | PID:1172 | Executes dropped EXE
35 | \??\c:\xlllfff.exe | c:\xlllfff.exe | PID:2324 | Executes dropped EXE
36 | \??\c:\thtbbt.exe | c:\thtbbt.exe | PID:1192 | Executes dropped EXE
37 | \??\c:\3vvjd.exe | c:\3vvjd.exe | PID:5092 | Executes dropped EXE
38 | \??\c:\frrrlll.exe | c:\frrrlll.exe | PID:2232 | Executes dropped EXE
39 | \??\c:\xrlxrrl.exe | c:\xrlxrrl.exe | PID:2180 | Executes dropped EXE
40 | \??\c:\tbtnhh.exe | c:\tbtnhh.exe | PID:3992 | Executes dropped EXE
41 | \??\c:\vjpjd.exe | c:\vjpjd.exe | PID:976 | Executes dropped EXE
42 | \??\c:\lxffxxx.exe | c:\lxffxxx.exe | PID:4600 | Executes dropped EXE
43 | \??\c:\rxfllff.exe | c:\rxfllff.exe | PID:1860 | Executes dropped EXE
44 | \??\c:\bbnntt.exe | c:\bbnntt.exe | PID:3564 | Executes dropped EXE
45 | \??\c:\ppjdv.exe | c:\ppjdv.exe | PID:2076 | Executes dropped EXE
46 | \??\c:\llrxxxf.exe | c:\llrxxxf.exe | PID:4508 | Executes dropped EXE
47 | \??\c:\bnbbbb.exe | c:\bnbbbb.exe | PID:4692 | Executes dropped EXE
48 | \??\c:\pdppj.exe | c:\pdppj.exe | PID:1532 | Executes dropped EXE
49 | \??\c:\3ffxrlx.exe | c:\3ffxrlx.exe | PID:3608 | Executes dropped EXE
50 | \??\c:\lflfxxl.exe | c:\lflfxxl.exe | PID:4464 | Executes dropped EXE
51 | \??\c:\httnhh.exe | c:\httnhh.exe | PID:4128 | Executes dropped EXE
52 | \??\c:\jvvdp.exe | c:\jvvdp.exe | PID:3908 | Executes dropped EXE
53 | \??\c:\rxfxrrl.exe | c:\rxfxrrl.exe | PID:1508 | Executes dropped EXE
54 | \??\c:\hthntb.exe | c:\hthntb.exe | PID:4900 | Executes dropped EXE
55 | \??\c:\tnhbbb.exe | c:\tnhbbb.exe | PID:3700 | Executes dropped EXE
56 | \??\c:\pjdpj.exe | c:\pjdpj.exe | PID:4400 | Executes dropped EXE
57 | \??\c:\lxfrffx.exe | c:\lxfrffx.exe | PID:2604 | Executes dropped EXE
58 | \??\c:\tbtnhh.exe | c:\tbtnhh.exe | PID:5024 | Executes dropped EXE
59 | \??\c:\thnhbh.exe | c:\thnhbh.exe | PID:972 | Executes dropped EXE
60 | \??\c:\rrrlxxl.exe | c:\rrrlxxl.exe | PID:2276 | Executes dropped EXE
61 | \??\c:\lffxxrr.exe | c:\lffxxrr.exe | PID:4804 | Executes dropped EXE
62 | \??\c:\bttnnn.exe | c:\bttnnn.exe | PID:3488 | Executes dropped EXE
63 | \??\c:\tnnhhh.exe | c:\tnnhhh.exe | PID:3344 | Executes dropped EXE
64 | \??\c:\pvdvj.exe | c:\pvdvj.exe | PID:1884 | Executes dropped EXE
65 | \??\c:\ffxrffx.exe | c:\ffxrffx.exe | PID:2708 | Executes dropped EXE
66 | \??\c:\hbbtnh.exe | c:\hbbtnh.exe | PID:2528 |
67 | \??\c:\nthbnn.exe | c:\nthbnn.exe | PID:2896 |
68 | \??\c:\jvdpj.exe | c:\jvdpj.exe | PID:4944 |
69 | \??\c:\xlrlffr.exe | c:\xlrlffr.exe | PID:4308 |
70 | \??\c:\3ttttb.exe | c:\3ttttb.exe | PID:4856 |
71 | \??\c:\1jdvj.exe | c:\1jdvj.exe | PID:456 |
72 | \??\c:\jpjdv.exe | c:\jpjdv.exe | PID:4768 |
73 | \??\c:\rfrlxxx.exe | c:\rfrlxxx.exe | PID:3068 |
74 | \??\c:\ttnhhh.exe | c:\ttnhhh.exe | PID:388 |
75 | \??\c:\pvjdv.exe | c:\pvjdv.exe | PID:1624 |
76 | \??\c:\1lrfxfx.exe | c:\1lrfxfx.exe | PID:216 |
77 | \??\c:\rlfxrxr.exe | c:\rlfxrxr.exe | PID:3004 |
78 | \??\c:\btnbnh.exe | c:\btnbnh.exe | PID:32 |
79 | \??\c:\vjjdd.exe | c:\vjjdd.exe | PID:5112 |
80 | \??\c:\rxxlfxl.exe | c:\rxxlfxl.exe | PID:3812 |
81 | \??\c:\tnnhbb.exe | c:\tnnhbb.exe | PID:2676 |
82 | \??\c:\tnnnbh.exe | c:\tnnnbh.exe | PID:3540 |
83 | \??\c:\dvjjd.exe | c:\dvjjd.exe | PID:4168 |
84 | \??\c:\lrxrllr.exe | c:\lrxrllr.exe | PID:3356 |
85 | \??\c:\nnnhbh.exe | c:\nnnhbh.exe | PID:1504 |
86 | \??\c:\3ddvp.exe | c:\3ddvp.exe | PID:4292 |
87 | \??\c:\pjpjd.exe | c:\pjpjd.exe | PID:4604 |
88 | \??\c:\frfxxrl.exe | c:\frfxxrl.exe | PID:440 |
89 | \??\c:\nntnhb.exe | c:\nntnhb.exe | PID:2972 |
90 | \??\c:\bnnhtn.exe | c:\bnnhtn.exe | PID:1224 |
91 | \??\c:\pppdv.exe | c:\pppdv.exe | PID:2284 | System Location Discovery: System Language Discovery
92 | \??\c:\lxrfrrl.exe | c:\lxrfrrl.exe | PID:2816 |
93 | \??\c:\llrrllf.exe | c:\llrrllf.exe | PID:728 |
94 | \??\c:\nhhnhh.exe | c:\nhhnhh.exe | PID:3480 |
95 | \??\c:\jpvpj.exe | c:\jpvpj.exe | PID:2548 |
96 | \??\c:\3xfxfxr.exe | c:\3xfxfxr.exe | PID:1960 |
97 | \??\c:\rllfxxx.exe | c:\rllfxxx.exe | PID:2400 |
98 | \??\c:\3nhtnh.exe | c:\3nhtnh.exe | PID:4088 |
99 | \??\c:\ddpjj.exe | c:\ddpjj.exe | PID:2104 |
100 | \??\c:\rxfxxlf.exe | c:\rxfxxlf.exe | PID:4688 |
101 | \??\c:\xrxxrrr.exe | c:\xrxxrrr.exe | PID:5028 |
102 | \??\c:\nbhnhh.exe | c:\nbhnhh.exe | PID:116 |
103 | \??\c:\vpjdv.exe | c:\vpjdv.exe | PID:3128 |
104 | \??\c:\rlfxllf.exe | c:\rlfxllf.exe | PID:1672 |
105 | \??\c:\bnnhtn.exe | c:\bnnhtn.exe | PID:540 |
106 | \??\c:\9bbttb.exe | c:\9bbttb.exe | PID:3076 |
107 | \??\c:\1jpjv.exe | c:\1jpjv.exe | PID:2444 |
108 | \??\c:\xfxfrlx.exe | c:\xfxfrlx.exe | PID:3824 |
109 | \??\c:\bthhbb.exe | c:\bthhbb.exe | PID:4224 |
110 | \??\c:\pdpjv.exe | c:\pdpjv.exe | PID:3148 |
111 | \??\c:\lrxxrrl.exe | c:\lrxxrrl.exe | PID:1072 |
112 | \??\c:\fffrlll.exe | c:\fffrlll.exe | PID:3564 |
113 | \??\c:\thhbbt.exe | c:\thhbbt.exe | PID:3140 |
114 | \??\c:\dvjdv.exe | c:\dvjdv.exe | PID:3460 |
115 | \??\c:\ddpjv.exe | c:\ddpjv.exe | PID:3120 |
116 | \??\c:\xxffllr.exe | c:\xxffllr.exe | PID:2876 |
117 | \??\c:\rrxrrxr.exe | c:\rrxrrxr.exe | PID:1064 |
118 | \??\c:\tnbttb.exe | c:\tnbttb.exe | PID:1764 |
119 | \??\c:\vjpdv.exe | c:\vjpdv.exe | PID:1308 |
120 | \??\c:\rffxllf.exe | c:\rffxllf.exe | PID:2544 |
121 | \??\c:\9bbtnn.exe | c:\9bbtnn.exe | PID:4956 |
122 | \??\c:\ppjdv.exe | c:\ppjdv.exe | PID:4668 |