Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
25/03/2025, 11:26
Behavioral task
behavioral1
Sample
bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd.exe
Resource
win7-20240903-en
General
-
Target
bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd.exe
-
Size
339KB
-
MD5
e9291706024b0dfcaa39f1358f5bcd3a
-
SHA1
964b0667d421a8fc96a851af5a4a54a1cc581732
-
SHA256
bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd
-
SHA512
7e50ab5b408e0f58f66e70012cd6469c2694686996567fb8c5d9b94d6852a830aaa80a9c172af47a631d6a1280c3350b22e3aa535250680d62e583d8e4168872
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe5jBa:R4wFHoSHYHUrAwfMp3CD5jBa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4828-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3340-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/768-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/752-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3940-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/700-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1300-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3184-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/620-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/704-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2640-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4164-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-485-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-598-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-759-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4724 frxrrlf.exe 4676 rrlflfl.exe 2764 ppjjj.exe 4876 nhnhnn.exe 2976 llrlxxr.exe 2984 jjvpp.exe 2768 40888.exe 1768 bhtnhb.exe 4020 lxfxrlf.exe 1700 26206.exe 3340 lfllrlr.exe 3044 lfrlffx.exe 4168 frxrffx.exe 3432 frxrlff.exe 4148 02844.exe 4016 26444.exe 3860 hnnttt.exe 1680 1llxrll.exe 1672 vvdvj.exe 1228 frlxrlr.exe 536 m8864.exe 2772 4464044.exe 768 08042.exe 752 vjjjv.exe 4228 tttnnh.exe 2016 1llxlfx.exe 628 5xrrfrl.exe 1112 80864.exe 1048 xffrlff.exe 812 jddvj.exe 2196 62420.exe 4780 02826.exe 3940 vddpd.exe 436 e24628.exe 700 frlxlfr.exe 2608 m0486.exe 4308 7jjvj.exe 3612 822426.exe 548 xrxlrlx.exe 2896 68820.exe 2372 1llxrlf.exe 2004 nbhttb.exe 4644 8860426.exe 1752 i886486.exe 2224 422860.exe 212 9ddjd.exe 2464 6442086.exe 3712 hnthbt.exe 3456 c288604.exe 4260 ddjvj.exe 2204 404860.exe 1608 k22426.exe 4452 jpjvp.exe 776 nbtnbt.exe 4272 80042.exe 5024 0804004.exe 1764 pvvjp.exe 1392 444486.exe 1856 088026.exe 4028 nbthth.exe 1556 g4448.exe 1220 q60860.exe 3684 20408.exe 4956 i008642.exe -
resource yara_rule behavioral2/memory/4828-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0012000000023f16-2.dat upx behavioral2/memory/4828-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a00000002401a-8.dat upx behavioral2/memory/4724-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240c8-11.dat upx behavioral2/memory/4676-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240c9-20.dat upx behavioral2/memory/2764-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240ca-23.dat upx behavioral2/memory/4876-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240cb-28.dat upx behavioral2/memory/2976-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240cc-33.dat upx behavioral2/memory/2984-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240ce-38.dat upx behavioral2/memory/2768-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1768-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240cf-44.dat upx behavioral2/memory/4020-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240d0-49.dat upx behavioral2/memory/1700-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000240c5-54.dat upx behavioral2/memory/1700-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000240d1-60.dat upx behavioral2/memory/3340-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000600000001da09-64.dat upx behavioral2/memory/3044-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000400000001da16-69.dat upx behavioral2/files/0x000800000001da4e-73.dat upx 
behavioral2/memory/4148-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3432-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000001da61-80.dat upx behavioral2/files/0x000500000001daa3-84.dat upx behavioral2/memory/4016-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000400000001dab1-88.dat upx behavioral2/memory/3860-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1680-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000400000001dab3-93.dat upx behavioral2/memory/1672-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000400000001dadb-99.dat upx behavioral2/files/0x000400000001db40-103.dat upx behavioral2/memory/1228-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000500000001e449-108.dat upx behavioral2/memory/2772-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000400000001e454-114.dat upx behavioral2/memory/768-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000900000001e498-118.dat upx behavioral2/memory/752-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000300000001e582-124.dat upx behavioral2/files/0x000300000001e59d-127.dat upx behavioral2/files/0x000300000001e5bc-131.dat upx behavioral2/files/0x000500000001e5bd-135.dat upx behavioral2/files/0x000300000001e655-138.dat upx behavioral2/memory/1112-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e722-143.dat upx behavioral2/memory/1048-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e723-149.dat upx behavioral2/files/0x000200000001e8ed-153.dat upx behavioral2/memory/3940-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/700-164-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2608-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3612-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/548-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2222048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6220820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e06400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4828 wrote to memory of 4724 4828 bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd.exe 86 PID 4828 wrote to memory of 4724 4828 bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd.exe 86 PID 4828 wrote to memory of 4724 4828 bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd.exe 86 PID 4724 wrote to memory of 4676 4724 frxrrlf.exe 87 PID 4724 wrote to memory of 4676 4724 frxrrlf.exe 87 PID 4724 wrote to memory of 4676 4724 frxrrlf.exe 87 PID 4676 wrote to memory of 2764 4676 rrlflfl.exe 88 PID 4676 wrote to memory of 2764 4676 rrlflfl.exe 88 PID 4676 wrote to memory of 2764 4676 rrlflfl.exe 88 PID 2764 wrote to memory of 4876 2764 ppjjj.exe 89 PID 2764 wrote to memory of 4876 2764 ppjjj.exe 89 PID 2764 wrote to memory of 4876 2764 ppjjj.exe 89 PID 4876 wrote to memory of 2976 4876 nhnhnn.exe 91 PID 4876 wrote to memory of 2976 4876 nhnhnn.exe 91 PID 4876 wrote to memory of 2976 4876 nhnhnn.exe 91 PID 2976 wrote to memory of 2984 2976 llrlxxr.exe 93 PID 2976 wrote to memory of 2984 2976 llrlxxr.exe 93 PID 2976 wrote to memory of 2984 2976 llrlxxr.exe 93 PID 2984 wrote to memory of 2768 2984 jjvpp.exe 94 PID 2984 wrote to memory of 2768 2984 jjvpp.exe 94 PID 2984 wrote to memory of 2768 2984 jjvpp.exe 94 PID 2768 wrote to memory of 1768 2768 40888.exe 95 PID 2768 wrote to memory of 1768 2768 40888.exe 95 PID 2768 wrote to memory of 1768 2768 40888.exe 95 PID 1768 wrote to memory of 4020 1768 bhtnhb.exe 96 PID 1768 wrote to memory of 4020 1768 bhtnhb.exe 96 PID 1768 wrote to memory of 4020 1768 bhtnhb.exe 96 PID 4020 wrote to memory of 1700 4020 lxfxrlf.exe 97 PID 4020 wrote to memory of 1700 4020 lxfxrlf.exe 97 PID 4020 wrote to memory of 1700 4020 lxfxrlf.exe 97 PID 1700 wrote to memory of 3340 1700 26206.exe 99 PID 1700 wrote to memory of 3340 1700 26206.exe 99 PID 1700 wrote to memory of 3340 1700 26206.exe 99 PID 3340 wrote to memory of 3044 3340 lfllrlr.exe 100 PID 3340 wrote to 
memory of 3044 3340 lfllrlr.exe 100 PID 3340 wrote to memory of 3044 3340 lfllrlr.exe 100 PID 3044 wrote to memory of 4168 3044 lfrlffx.exe 101 PID 3044 wrote to memory of 4168 3044 lfrlffx.exe 101 PID 3044 wrote to memory of 4168 3044 lfrlffx.exe 101 PID 4168 wrote to memory of 3432 4168 frxrffx.exe 102 PID 4168 wrote to memory of 3432 4168 frxrffx.exe 102 PID 4168 wrote to memory of 3432 4168 frxrffx.exe 102 PID 3432 wrote to memory of 4148 3432 frxrlff.exe 103 PID 3432 wrote to memory of 4148 3432 frxrlff.exe 103 PID 3432 wrote to memory of 4148 3432 frxrlff.exe 103 PID 4148 wrote to memory of 4016 4148 02844.exe 104 PID 4148 wrote to memory of 4016 4148 02844.exe 104 PID 4148 wrote to memory of 4016 4148 02844.exe 104 PID 4016 wrote to memory of 3860 4016 26444.exe 105 PID 4016 wrote to memory of 3860 4016 26444.exe 105 PID 4016 wrote to memory of 3860 4016 26444.exe 105 PID 3860 wrote to memory of 1680 3860 hnnttt.exe 106 PID 3860 wrote to memory of 1680 3860 hnnttt.exe 106 PID 3860 wrote to memory of 1680 3860 hnnttt.exe 106 PID 1680 wrote to memory of 1672 1680 1llxrll.exe 107 PID 1680 wrote to memory of 1672 1680 1llxrll.exe 107 PID 1680 wrote to memory of 1672 1680 1llxrll.exe 107 PID 1672 wrote to memory of 1228 1672 vvdvj.exe 108 PID 1672 wrote to memory of 1228 1672 vvdvj.exe 108 PID 1672 wrote to memory of 1228 1672 vvdvj.exe 108 PID 1228 wrote to memory of 536 1228 frlxrlr.exe 109 PID 1228 wrote to memory of 536 1228 frlxrlr.exe 109 PID 1228 wrote to memory of 536 1228 frlxrlr.exe 109 PID 536 wrote to memory of 2772 536 m8864.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd.exe"C:\Users\Admin\AppData\Local\Temp\bdc2fa6f997a9ee448f0c1cb777fbf7c2e3ee542c325c7c3b522037df64f3fbd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\frxrrlf.exec:\frxrrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\rrlflfl.exec:\rrlflfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\ppjjj.exec:\ppjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\nhnhnn.exec:\nhnhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\llrlxxr.exec:\llrlxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\jjvpp.exec:\jjvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\40888.exec:\40888.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\bhtnhb.exec:\bhtnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\26206.exec:\26206.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\lfllrlr.exec:\lfllrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\lfrlffx.exec:\lfrlffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\frxrffx.exec:\frxrffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\frxrlff.exec:\frxrlff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\02844.exec:\02844.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\26444.exec:\26444.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\hnnttt.exec:\hnnttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\1llxrll.exec:\1llxrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\vvdvj.exec:\vvdvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\frlxrlr.exec:\frlxrlr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\m8864.exec:\m8864.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\4464044.exec:\4464044.exe23⤵
- Executes dropped EXE
PID:2772 -
\??\c:\08042.exec:\08042.exe24⤵
- Executes dropped EXE
PID:768 -
\??\c:\vjjjv.exec:\vjjjv.exe25⤵
- Executes dropped EXE
PID:752 -
\??\c:\tttnnh.exec:\tttnnh.exe26⤵
- Executes dropped EXE
PID:4228 -
\??\c:\1llxlfx.exec:\1llxlfx.exe27⤵
- Executes dropped EXE
PID:2016 -
\??\c:\5xrrfrl.exec:\5xrrfrl.exe28⤵
- Executes dropped EXE
PID:628 -
\??\c:\80864.exec:\80864.exe29⤵
- Executes dropped EXE
PID:1112 -
\??\c:\xffrlff.exec:\xffrlff.exe30⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jddvj.exec:\jddvj.exe31⤵
- Executes dropped EXE
PID:812 -
\??\c:\62420.exec:\62420.exe32⤵
- Executes dropped EXE
PID:2196 -
\??\c:\02826.exec:\02826.exe33⤵
- Executes dropped EXE
PID:4780 -
\??\c:\vddpd.exec:\vddpd.exe34⤵
- Executes dropped EXE
PID:3940 -
\??\c:\e24628.exec:\e24628.exe35⤵
- Executes dropped EXE
PID:436 -
\??\c:\frlxlfr.exec:\frlxlfr.exe36⤵
- Executes dropped EXE
PID:700 -
\??\c:\m0486.exec:\m0486.exe37⤵
- Executes dropped EXE
PID:2608 -
\??\c:\7jjvj.exec:\7jjvj.exe38⤵
- Executes dropped EXE
PID:4308 -
\??\c:\822426.exec:\822426.exe39⤵
- Executes dropped EXE
PID:3612 -
\??\c:\xrxlrlx.exec:\xrxlrlx.exe40⤵
- Executes dropped EXE
PID:548 -
\??\c:\68820.exec:\68820.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\1llxrlf.exec:\1llxrlf.exe42⤵
- Executes dropped EXE
PID:2372 -
\??\c:\nbhttb.exec:\nbhttb.exe43⤵
- Executes dropped EXE
PID:2004 -
\??\c:\8860426.exec:\8860426.exe44⤵
- Executes dropped EXE
PID:4644 -
\??\c:\i886486.exec:\i886486.exe45⤵
- Executes dropped EXE
PID:1752 -
\??\c:\422860.exec:\422860.exe46⤵
- Executes dropped EXE
PID:2224 -
\??\c:\9ddjd.exec:\9ddjd.exe47⤵
- Executes dropped EXE
PID:212 -
\??\c:\6442086.exec:\6442086.exe48⤵
- Executes dropped EXE
PID:2464 -
\??\c:\hnthbt.exec:\hnthbt.exe49⤵
- Executes dropped EXE
PID:3712 -
\??\c:\c288604.exec:\c288604.exe50⤵
- Executes dropped EXE
PID:3456 -
\??\c:\ddjvj.exec:\ddjvj.exe51⤵
- Executes dropped EXE
PID:4260 -
\??\c:\404860.exec:\404860.exe52⤵
- Executes dropped EXE
PID:2204 -
\??\c:\k22426.exec:\k22426.exe53⤵
- Executes dropped EXE
PID:1608 -
\??\c:\jpjvp.exec:\jpjvp.exe54⤵
- Executes dropped EXE
PID:4452 -
\??\c:\nbtnbt.exec:\nbtnbt.exe55⤵
- Executes dropped EXE
PID:776 -
\??\c:\80042.exec:\80042.exe56⤵
- Executes dropped EXE
PID:4272 -
\??\c:\0804004.exec:\0804004.exe57⤵
- Executes dropped EXE
PID:5024 -
\??\c:\pvvjp.exec:\pvvjp.exe58⤵
- Executes dropped EXE
PID:1764 -
\??\c:\444486.exec:\444486.exe59⤵
- Executes dropped EXE
PID:1392 -
\??\c:\088026.exec:\088026.exe60⤵
- Executes dropped EXE
PID:1856 -
\??\c:\nbthth.exec:\nbthth.exe61⤵
- Executes dropped EXE
PID:4028 -
\??\c:\g4448.exec:\g4448.exe62⤵
- Executes dropped EXE
PID:1556 -
\??\c:\q60860.exec:\q60860.exe63⤵
- Executes dropped EXE
PID:1220 -
\??\c:\20408.exec:\20408.exe64⤵
- Executes dropped EXE
PID:3684 -
\??\c:\i008642.exec:\i008642.exe65⤵
- Executes dropped EXE
PID:4956 -
\??\c:\48042.exec:\48042.exe66⤵PID:2136
-
\??\c:\fllxxrl.exec:\fllxxrl.exe67⤵PID:1204
-
\??\c:\xrlrrrx.exec:\xrlrrrx.exe68⤵PID:4188
-
\??\c:\fflfxxl.exec:\fflfxxl.exe69⤵PID:5104
-
\??\c:\426420.exec:\426420.exe70⤵PID:2244
-
\??\c:\608868.exec:\608868.exe71⤵PID:3860
-
\??\c:\rllrffx.exec:\rllrffx.exe72⤵PID:1300
-
\??\c:\5lfrfxl.exec:\5lfrfxl.exe73⤵PID:4588
-
\??\c:\hntnbt.exec:\hntnbt.exe74⤵PID:1952
-
\??\c:\3jvpv.exec:\3jvpv.exe75⤵PID:3900
-
\??\c:\2808040.exec:\2808040.exe76⤵PID:3184
-
\??\c:\frfrrrr.exec:\frfrrrr.exe77⤵PID:1028
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe78⤵PID:536
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe79⤵PID:620
-
\??\c:\s6820.exec:\s6820.exe80⤵PID:4884
-
\??\c:\4886486.exec:\4886486.exe81⤵PID:4128
-
\??\c:\xlxrfxl.exec:\xlxrfxl.exe82⤵PID:4684
-
\??\c:\86860.exec:\86860.exe83⤵PID:8
-
\??\c:\rrrflrf.exec:\rrrflrf.exe84⤵PID:704
-
\??\c:\682260.exec:\682260.exe85⤵PID:456
-
\??\c:\7jdpd.exec:\7jdpd.exe86⤵PID:1536
-
\??\c:\9bbtnh.exec:\9bbtnh.exe87⤵PID:4348
-
\??\c:\8626080.exec:\8626080.exe88⤵PID:2336
-
\??\c:\82860.exec:\82860.exe89⤵PID:3360
-
\??\c:\o068866.exec:\o068866.exe90⤵PID:4816
-
\??\c:\s0086.exec:\s0086.exe91⤵PID:2808
-
\??\c:\68482.exec:\68482.exe92⤵PID:4604
-
\??\c:\lxfrlff.exec:\lxfrlff.exe93⤵PID:952
-
\??\c:\1jdpj.exec:\1jdpj.exe94⤵PID:4592
-
\??\c:\6628606.exec:\6628606.exe95⤵PID:3764
-
\??\c:\frxffxx.exec:\frxffxx.exe96⤵PID:3208
-
\??\c:\048042.exec:\048042.exe97⤵PID:1652
-
\??\c:\vdjpj.exec:\vdjpj.exe98⤵PID:448
-
\??\c:\pdddp.exec:\pdddp.exe99⤵PID:4392
-
\??\c:\w28200.exec:\w28200.exe100⤵PID:3508
-
\??\c:\2800822.exec:\2800822.exe101⤵PID:3336
-
\??\c:\jvdvd.exec:\jvdvd.exe102⤵PID:4724
-
\??\c:\fxffxfx.exec:\fxffxfx.exe103⤵PID:4508
-
\??\c:\2266042.exec:\2266042.exe104⤵PID:4596
-
\??\c:\6820860.exec:\6820860.exe105⤵PID:2640
-
\??\c:\tbhbtt.exec:\tbhbtt.exe106⤵PID:4460
-
\??\c:\u020040.exec:\u020040.exe107⤵PID:4644
-
\??\c:\028200.exec:\028200.exe108⤵PID:3472
-
\??\c:\9xlrrrl.exec:\9xlrrrl.exe109⤵PID:4196
-
\??\c:\00446.exec:\00446.exe110⤵PID:4528
-
\??\c:\0066482.exec:\0066482.exe111⤵PID:2464
-
\??\c:\1ppdj.exec:\1ppdj.exe112⤵PID:4204
-
\??\c:\frrlxxr.exec:\frrlxxr.exe113⤵PID:2740
-
\??\c:\802082.exec:\802082.exe114⤵PID:3168
-
\??\c:\40642.exec:\40642.exe115⤵PID:2684
-
\??\c:\408600.exec:\408600.exe116⤵PID:1208
-
\??\c:\6220286.exec:\6220286.exe117⤵PID:4452
-
\??\c:\hbbnbn.exec:\hbbnbn.exe118⤵PID:3512
-
\??\c:\066460.exec:\066460.exe119⤵PID:4020
-
\??\c:\jdvvp.exec:\jdvvp.exe120⤵PID:5024
-
\??\c:\vjpjd.exec:\vjpjd.exe121⤵PID:1848
-
\??\c:\c004262.exec:\c004262.exe122⤵PID:1392