Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:03
Static task
static1
Behavioral task
behavioral1
Sample
1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ecN.exe
Resource
win7-20240903-en
General
-
Target
1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ecN.exe
-
Size
455KB
-
MD5
daedd621153c201278bd0521a3200a30
-
SHA1
e6302faec0fb431a05944169299009f8deda73ab
-
SHA256
1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ec
-
SHA512
6132bb2bbe9cca884ab17ce538d27bc408edf1ea3da32db894fbd805bbe47e4b3f07f52238eda385122d970da7f5b12cc0d9001bb635defc3d9468c8763995e1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every hit below is the same 0x00400000-0x0042A000 region in a different PID, which is consistent with each dropped .exe being a copy of the same packed image rather than 64 distinct payloads; the listing is capped at 64 entries)
resource yara_rule behavioral2/memory/2376-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3180-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4864-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing is capped at 64 entries; the process tree below continues to at least depth 122, so treat this as a display limit, not the total number of dropped executables)
pid Process 4308 fxlfxxx.exe 2900 dvjdv.exe 4276 3rrllll.exe 3620 9bhhnt.exe 60 xllfflf.exe 3288 vvpjd.exe 3500 3lrrlrr.exe 4244 lrlfrrl.exe 1708 jjpvd.exe 4136 lflffff.exe 464 fllffff.exe 116 vpdvd.exe 5048 nhnhbb.exe 3212 btbtnn.exe 400 rxllflf.exe 3596 tnbbbh.exe 3496 vpvvp.exe 4960 tnbttt.exe 3172 nttnnh.exe 3920 pdpjd.exe 3108 tnbttt.exe 4924 dddjd.exe 1332 fffxxxl.exe 3296 btnhbb.exe 1300 jdjdv.exe 3528 jjpjd.exe 3180 9xfxrrl.exe 1560 jdjdv.exe 4984 ffxrffr.exe 4584 hbbhbt.exe 4684 1bhhbb.exe 4476 pjpjp.exe 4480 ttntht.exe 4888 1hnnnt.exe 448 lxffxxx.exe 3584 bhnnbn.exe 2764 jjvvp.exe 3712 rfxrllf.exe 5104 thhbbt.exe 4608 3ppjj.exe 2636 rlrlfxr.exe 4864 3bhbtt.exe 1700 vpppj.exe 1048 vdjjd.exe 1080 rlllflf.exe 4768 nntnhn.exe 1600 ddvvp.exe 2316 fxxfrrr.exe 2676 tbtthh.exe 4292 ddjjd.exe 2376 rrllrrf.exe 2020 9tnbtn.exe 3260 9vvjd.exe 2900 5djdd.exe 4492 flxrrrl.exe 3384 nttnhb.exe 3620 pjjjd.exe 4472 frrrfxl.exe 348 bntbbb.exe 1028 pvdvd.exe 2912 fllrlll.exe 3624 llxrffl.exe 4244 9ntnhn.exe 4776 djvjd.exe -
resource yara_rule behavioral2/memory/2376-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-185-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4684-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1700-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-880-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that many entries below are attributed to "Process not Found", which most likely means the sandbox could no longer map the registry read to a tracked process (e.g. the process had already exited); the key path is still the same in every case.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes three times to the PID it has just spawned, and the target is always the direct child shown in the process tree below; this pattern is consistent with a parent launching the next stage rather than injecting into an unrelated process, though the page does not show the written contents)
description pid Process procid_target PID 2376 wrote to memory of 4308 2376 1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ecN.exe 83 PID 2376 wrote to memory of 4308 2376 1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ecN.exe 83 PID 2376 wrote to memory of 4308 2376 1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ecN.exe 83 PID 4308 wrote to memory of 2900 4308 fxlfxxx.exe 84 PID 4308 wrote to memory of 2900 4308 fxlfxxx.exe 84 PID 4308 wrote to memory of 2900 4308 fxlfxxx.exe 84 PID 2900 wrote to memory of 4276 2900 dvjdv.exe 85 PID 2900 wrote to memory of 4276 2900 dvjdv.exe 85 PID 2900 wrote to memory of 4276 2900 dvjdv.exe 85 PID 4276 wrote to memory of 3620 4276 3rrllll.exe 86 PID 4276 wrote to memory of 3620 4276 3rrllll.exe 86 PID 4276 wrote to memory of 3620 4276 3rrllll.exe 86 PID 3620 wrote to memory of 60 3620 9bhhnt.exe 87 PID 3620 wrote to memory of 60 3620 9bhhnt.exe 87 PID 3620 wrote to memory of 60 3620 9bhhnt.exe 87 PID 60 wrote to memory of 3288 60 xllfflf.exe 88 PID 60 wrote to memory of 3288 60 xllfflf.exe 88 PID 60 wrote to memory of 3288 60 xllfflf.exe 88 PID 3288 wrote to memory of 3500 3288 vvpjd.exe 89 PID 3288 wrote to memory of 3500 3288 vvpjd.exe 89 PID 3288 wrote to memory of 3500 3288 vvpjd.exe 89 PID 3500 wrote to memory of 4244 3500 3lrrlrr.exe 90 PID 3500 wrote to memory of 4244 3500 3lrrlrr.exe 90 PID 3500 wrote to memory of 4244 3500 3lrrlrr.exe 90 PID 4244 wrote to memory of 1708 4244 lrlfrrl.exe 91 PID 4244 wrote to memory of 1708 4244 lrlfrrl.exe 91 PID 4244 wrote to memory of 1708 4244 lrlfrrl.exe 91 PID 1708 wrote to memory of 4136 1708 jjpvd.exe 92 PID 1708 wrote to memory of 4136 1708 jjpvd.exe 92 PID 1708 wrote to memory of 4136 1708 jjpvd.exe 92 PID 4136 wrote to memory of 464 4136 lflffff.exe 93 PID 4136 wrote to memory of 464 4136 lflffff.exe 93 PID 4136 wrote to memory of 464 4136 lflffff.exe 93 PID 464 wrote to memory of 116 464 fllffff.exe 94 PID 464 wrote to memory of 116 
464 fllffff.exe 94 PID 464 wrote to memory of 116 464 fllffff.exe 94 PID 116 wrote to memory of 5048 116 vpdvd.exe 95 PID 116 wrote to memory of 5048 116 vpdvd.exe 95 PID 116 wrote to memory of 5048 116 vpdvd.exe 95 PID 5048 wrote to memory of 3212 5048 nhnhbb.exe 96 PID 5048 wrote to memory of 3212 5048 nhnhbb.exe 96 PID 5048 wrote to memory of 3212 5048 nhnhbb.exe 96 PID 3212 wrote to memory of 400 3212 btbtnn.exe 97 PID 3212 wrote to memory of 400 3212 btbtnn.exe 97 PID 3212 wrote to memory of 400 3212 btbtnn.exe 97 PID 400 wrote to memory of 3596 400 rxllflf.exe 98 PID 400 wrote to memory of 3596 400 rxllflf.exe 98 PID 400 wrote to memory of 3596 400 rxllflf.exe 98 PID 3596 wrote to memory of 3496 3596 tnbbbh.exe 99 PID 3596 wrote to memory of 3496 3596 tnbbbh.exe 99 PID 3596 wrote to memory of 3496 3596 tnbbbh.exe 99 PID 3496 wrote to memory of 4960 3496 vpvvp.exe 100 PID 3496 wrote to memory of 4960 3496 vpvvp.exe 100 PID 3496 wrote to memory of 4960 3496 vpvvp.exe 100 PID 4960 wrote to memory of 3172 4960 tnbttt.exe 101 PID 4960 wrote to memory of 3172 4960 tnbttt.exe 101 PID 4960 wrote to memory of 3172 4960 tnbttt.exe 101 PID 3172 wrote to memory of 3920 3172 nttnnh.exe 102 PID 3172 wrote to memory of 3920 3172 nttnnh.exe 102 PID 3172 wrote to memory of 3920 3172 nttnnh.exe 102 PID 3920 wrote to memory of 3108 3920 pdpjd.exe 103 PID 3920 wrote to memory of 3108 3920 pdpjd.exe 103 PID 3920 wrote to memory of 3108 3920 pdpjd.exe 103 PID 3108 wrote to memory of 4924 3108 tnbttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ecN.exe"C:\Users\Admin\AppData\Local\Temp\1ed8adf4db02957c309ed86f2c24057636e2f123c5651b28556165eb7a42e9ecN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\fxlfxxx.exec:\fxlfxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\dvjdv.exec:\dvjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\3rrllll.exec:\3rrllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\9bhhnt.exec:\9bhhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\xllfflf.exec:\xllfflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\vvpjd.exec:\vvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\3lrrlrr.exec:\3lrrlrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\lrlfrrl.exec:\lrlfrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\jjpvd.exec:\jjpvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\lflffff.exec:\lflffff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\fllffff.exec:\fllffff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\vpdvd.exec:\vpdvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\nhnhbb.exec:\nhnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\btbtnn.exec:\btbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\rxllflf.exec:\rxllflf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\tnbbbh.exec:\tnbbbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\vpvvp.exec:\vpvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\tnbttt.exec:\tnbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\nttnnh.exec:\nttnnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\pdpjd.exec:\pdpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\tnbttt.exec:\tnbttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\dddjd.exec:\dddjd.exe23⤵
- Executes dropped EXE
PID:4924 -
\??\c:\fffxxxl.exec:\fffxxxl.exe24⤵
- Executes dropped EXE
PID:1332 -
\??\c:\btnhbb.exec:\btnhbb.exe25⤵
- Executes dropped EXE
PID:3296 -
\??\c:\jdjdv.exec:\jdjdv.exe26⤵
- Executes dropped EXE
PID:1300 -
\??\c:\jjpjd.exec:\jjpjd.exe27⤵
- Executes dropped EXE
PID:3528 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe28⤵
- Executes dropped EXE
PID:3180 -
\??\c:\jdjdv.exec:\jdjdv.exe29⤵
- Executes dropped EXE
PID:1560 -
\??\c:\ffxrffr.exec:\ffxrffr.exe30⤵
- Executes dropped EXE
PID:4984 -
\??\c:\hbbhbt.exec:\hbbhbt.exe31⤵
- Executes dropped EXE
PID:4584 -
\??\c:\1bhhbb.exec:\1bhhbb.exe32⤵
- Executes dropped EXE
PID:4684 -
\??\c:\pjpjp.exec:\pjpjp.exe33⤵
- Executes dropped EXE
PID:4476 -
\??\c:\ttntht.exec:\ttntht.exe34⤵
- Executes dropped EXE
PID:4480 -
\??\c:\1hnnnt.exec:\1hnnnt.exe35⤵
- Executes dropped EXE
PID:4888 -
\??\c:\lxffxxx.exec:\lxffxxx.exe36⤵
- Executes dropped EXE
PID:448 -
\??\c:\bhnnbn.exec:\bhnnbn.exe37⤵
- Executes dropped EXE
PID:3584 -
\??\c:\jjvvp.exec:\jjvvp.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rfxrllf.exec:\rfxrllf.exe39⤵
- Executes dropped EXE
PID:3712 -
\??\c:\thhbbt.exec:\thhbbt.exe40⤵
- Executes dropped EXE
PID:5104 -
\??\c:\3ppjj.exec:\3ppjj.exe41⤵
- Executes dropped EXE
PID:4608 -
\??\c:\rlrlfxr.exec:\rlrlfxr.exe42⤵
- Executes dropped EXE
PID:2636 -
\??\c:\3bhbtt.exec:\3bhbtt.exe43⤵
- Executes dropped EXE
PID:4864 -
\??\c:\vpppj.exec:\vpppj.exe44⤵
- Executes dropped EXE
PID:1700 -
\??\c:\vdjjd.exec:\vdjjd.exe45⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rlllflf.exec:\rlllflf.exe46⤵
- Executes dropped EXE
PID:1080 -
\??\c:\nntnhn.exec:\nntnhn.exe47⤵
- Executes dropped EXE
PID:4768 -
\??\c:\ddvvp.exec:\ddvvp.exe48⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fxxfrrr.exec:\fxxfrrr.exe49⤵
- Executes dropped EXE
PID:2316 -
\??\c:\tbtthh.exec:\tbtthh.exe50⤵
- Executes dropped EXE
PID:2676 -
\??\c:\ddjjd.exec:\ddjjd.exe51⤵
- Executes dropped EXE
PID:4292 -
\??\c:\rrllrrf.exec:\rrllrrf.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376 -
\??\c:\9tnbtn.exec:\9tnbtn.exe53⤵
- Executes dropped EXE
PID:2020 -
\??\c:\9vvjd.exec:\9vvjd.exe54⤵
- Executes dropped EXE
PID:3260 -
\??\c:\5djdd.exec:\5djdd.exe55⤵
- Executes dropped EXE
PID:2900 -
\??\c:\flxrrrl.exec:\flxrrrl.exe56⤵
- Executes dropped EXE
PID:4492 -
\??\c:\nttnhb.exec:\nttnhb.exe57⤵
- Executes dropped EXE
PID:3384 -
\??\c:\pjjjd.exec:\pjjjd.exe58⤵
- Executes dropped EXE
PID:3620 -
\??\c:\frrrfxl.exec:\frrrfxl.exe59⤵
- Executes dropped EXE
PID:4472 -
\??\c:\bntbbb.exec:\bntbbb.exe60⤵
- Executes dropped EXE
PID:348 -
\??\c:\pvdvd.exec:\pvdvd.exe61⤵
- Executes dropped EXE
PID:1028 -
\??\c:\fllrlll.exec:\fllrlll.exe62⤵
- Executes dropped EXE
PID:2912 -
\??\c:\llxrffl.exec:\llxrffl.exe63⤵
- Executes dropped EXE
PID:3624 -
\??\c:\9ntnhn.exec:\9ntnhn.exe64⤵
- Executes dropped EXE
PID:4244 -
\??\c:\djvjd.exec:\djvjd.exe65⤵
- Executes dropped EXE
PID:4776 -
\??\c:\vpppj.exec:\vpppj.exe66⤵PID:4572
-
\??\c:\3fllfxr.exec:\3fllfxr.exe67⤵PID:1744
-
\??\c:\ttnhtt.exec:\ttnhtt.exe68⤵PID:3864
-
\??\c:\pjvvd.exec:\pjvvd.exe69⤵PID:212
-
\??\c:\rxlffxx.exec:\rxlffxx.exe70⤵PID:3276
-
\??\c:\xfffffx.exec:\xfffffx.exe71⤵PID:5048
-
\??\c:\nbbtnt.exec:\nbbtnt.exe72⤵PID:2744
-
\??\c:\vpjjd.exec:\vpjjd.exe73⤵PID:4724
-
\??\c:\bhhtnh.exec:\bhhtnh.exe74⤵PID:2968
-
\??\c:\tbnhbb.exec:\tbnhbb.exe75⤵PID:4596
-
\??\c:\jvdvv.exec:\jvdvv.exe76⤵PID:4940
-
\??\c:\9frlrxf.exec:\9frlrxf.exe77⤵PID:2352
-
\??\c:\9lxxxxf.exec:\9lxxxxf.exe78⤵PID:2096
-
\??\c:\bbnhbt.exec:\bbnhbt.exe79⤵PID:3920
-
\??\c:\vppjd.exec:\vppjd.exe80⤵PID:2948
-
\??\c:\djvpp.exec:\djvpp.exe81⤵PID:4236
-
\??\c:\xllfxxr.exec:\xllfxxr.exe82⤵
- System Location Discovery: System Language Discovery
PID:4924 -
\??\c:\1nthbt.exec:\1nthbt.exe83⤵PID:4432
-
\??\c:\vjvpj.exec:\vjvpj.exe84⤵PID:2648
-
\??\c:\xrfxrrf.exec:\xrfxrrf.exe85⤵PID:3452
-
\??\c:\9ntnbb.exec:\9ntnbb.exe86⤵PID:2712
-
\??\c:\jvpjp.exec:\jvpjp.exe87⤵PID:2424
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe88⤵PID:228
-
\??\c:\rllfrlf.exec:\rllfrlf.exe89⤵PID:1084
-
\??\c:\httttn.exec:\httttn.exe90⤵PID:1184
-
\??\c:\vpvpj.exec:\vpvpj.exe91⤵PID:940
-
\??\c:\xxxxfff.exec:\xxxxfff.exe92⤵PID:4704
-
\??\c:\nbhtnh.exec:\nbhtnh.exe93⤵PID:448
-
\??\c:\5ppjv.exec:\5ppjv.exe94⤵PID:3584
-
\??\c:\9jpjj.exec:\9jpjj.exe95⤵PID:2764
-
\??\c:\5lxfxfx.exec:\5lxfxfx.exe96⤵PID:2304
-
\??\c:\hhhbtn.exec:\hhhbtn.exe97⤵PID:3200
-
\??\c:\jddvv.exec:\jddvv.exe98⤵PID:3492
-
\??\c:\flfrfxr.exec:\flfrfxr.exe99⤵PID:2124
-
\??\c:\xlffrrl.exec:\xlffrrl.exe100⤵PID:2976
-
\??\c:\bnttnh.exec:\bnttnh.exe101⤵PID:620
-
\??\c:\5pjvp.exec:\5pjvp.exe102⤵PID:1700
-
\??\c:\1xxrlfx.exec:\1xxrlfx.exe103⤵PID:4640
-
\??\c:\7hthbt.exec:\7hthbt.exe104⤵PID:1080
-
\??\c:\jvdpp.exec:\jvdpp.exe105⤵PID:372
-
\??\c:\1djvp.exec:\1djvp.exe106⤵PID:808
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe107⤵PID:4340
-
\??\c:\bhnhbb.exec:\bhnhbb.exe108⤵PID:2100
-
\??\c:\bnhbhb.exec:\bnhbhb.exe109⤵PID:3956
-
\??\c:\dvpdv.exec:\dvpdv.exe110⤵PID:1536
-
\??\c:\frxrlfx.exec:\frxrlfx.exe111⤵PID:2596
-
\??\c:\5xfxrxr.exec:\5xfxrxr.exe112⤵PID:3632
-
\??\c:\nhtnhb.exec:\nhtnhb.exe113⤵PID:3216
-
\??\c:\3vvpd.exec:\3vvpd.exe114⤵PID:3968
-
\??\c:\3vdvd.exec:\3vdvd.exe115⤵PID:4052
-
\??\c:\5xxfffl.exec:\5xxfffl.exe116⤵PID:4172
-
\??\c:\bhtnhb.exec:\bhtnhb.exe117⤵PID:1756
-
\??\c:\pjjdv.exec:\pjjdv.exe118⤵PID:1556
-
\??\c:\jppdv.exec:\jppdv.exe119⤵PID:4320
-
\??\c:\xfllfxr.exec:\xfllfxr.exe120⤵PID:3500
-
\??\c:\btnhhh.exec:\btnhhh.exe121⤵PID:3020
-
\??\c:\vvdvp.exec:\vvdvp.exe122⤵PID:1812