Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
01/10/2024, 23:15
Behavioral task
behavioral1
Sample
720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1N.exe
Resource
win7-20240708-en
General
-
Target
720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1N.exe
-
Size
201KB
-
MD5
05563d6a115ab574dd39807b7d3c9ba0
-
SHA1
c3fdf1fa0c4541db85708e4f2d999bd1f211a4b2
-
SHA256
720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1
-
SHA512
d1b5e0c75b3f2521f28fe539d1976d9e076f98a66fe279a8df918926fc278895e3a412d2c5435de464e49126358fd6061703c56bdd6c5e8fa8e3e256086e5be6
-
SSDEEP
3072:ZhOmTsF93UYfwC6GIoutFza6BhOmTsUm82xpi8rY9AABa1JePQKN1hJCDN:Zcm4FmowdHoSha6Bcm4JddW7Y6XJCDN
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3664-6-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4476-28-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4688-346-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3200-342-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4688-338-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3068-335-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3200-333-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1924-332-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4588-328-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4992-319-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/5092-315-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/5092-313-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3832-310-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3020-308-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/752-306-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3432-297-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2804-293-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3752-291-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2804-287-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4540-286-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3100-282-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon 
behavioral2/memory/2696-276-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1112-272-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1112-267-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1568-266-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4516-262-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4516-260-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1492-257-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2628-253-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2628-251-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1492-248-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4696-247-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1080-243-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4696-238-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1156-237-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3916-233-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3672-229-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4504-227-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3672-223-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/456-222-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4504-218-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/532-215-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon 
behavioral2/memory/2640-209-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4088-206-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4948-197-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1100-191-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2956-185-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4980-177-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2956-175-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2116-171-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1616-169-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2264-159-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2324-153-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2496-145-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4048-140-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2496-138-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/5044-137-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/1476-127-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/5044-124-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/5024-120-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/4844-113-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/2268-104-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon behavioral2/memory/3780-99-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon 
behavioral2/memory/64-92-0x0000000000400000-0x000000000043F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4464 dvdvv.exe 4424 llfxxrr.exe 4476 rlrlflf.exe 336 thnhbb.exe 3660 tnbbhh.exe 4688 vdvdj.exe 4560 vpdvp.exe 3960 xxflffr.exe 1708 bhnnnn.exe 1592 tbhbtt.exe 5048 jpvjv.exe 64 dpvpd.exe 3780 xrxfxll.exe 2268 lrxrxlx.exe 4844 1tbbtb.exe 5024 nhnhnn.exe 1476 pvpvp.exe 5044 pjjdv.exe 4048 lrffrrr.exe 2496 5rxxrxx.exe 2324 bhnbbn.exe 2264 5ttnhn.exe 1616 vpddj.exe 2116 jjjjj.exe 4980 llrllll.exe 2956 xrxfxff.exe 1100 tnttnn.exe 4948 nbnhtt.exe 4088 dpdvv.exe 2640 dvvpd.exe 532 xfrlfff.exe 456 xxfffff.exe 4504 ntnhhh.exe 3672 tbhbbb.exe 1156 1pjjj.exe 3916 djjdv.exe 4696 rlffxxx.exe 1080 fxflfff.exe 1492 7hbtnn.exe 2628 djvpj.exe 1568 jvdvv.exe 4516 dvvvj.exe 1112 xfrrfff.exe 2696 rxllfff.exe 3100 1ttnhh.exe 4540 nhtthn.exe 3752 vjjjv.exe 2804 vjvpd.exe 4940 rxrrrxr.exe 3432 lflfxxr.exe 752 bbnhbb.exe 3832 thtnnn.exe 3020 ppjdd.exe 5092 pvjdd.exe 4992 7flffff.exe 4588 xrxffll.exe 1924 bthhnt.exe 3068 bthhbt.exe 3200 jvjjv.exe 4688 dpddp.exe 3892 lxfxrrl.exe 3128 fxxxxxr.exe 1132 hnnhnh.exe 3740 httnnt.exe -
resource yara_rule behavioral2/memory/3664-0-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3664-6-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4464-8-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/files/0x0009000000023447-4.dat upx behavioral2/files/0x000800000002349f-10.dat upx behavioral2/memory/4424-14-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/files/0x00070000000234a3-18.dat upx behavioral2/memory/4476-28-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/files/0x00070000000234a6-38.dat upx behavioral2/files/0x00070000000234aa-67.dat upx behavioral2/files/0x00070000000234af-101.dat upx behavioral2/files/0x00070000000234b2-121.dat upx behavioral2/files/0x00070000000234b9-165.dat upx behavioral2/files/0x00070000000234bf-202.dat upx behavioral2/memory/1924-324-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4688-346-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3200-342-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4688-338-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3068-335-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3200-333-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1924-332-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4588-328-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4992-319-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/5092-315-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/5092-313-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3832-310-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3020-308-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/752-306-0x0000000000400000-0x000000000043F000-memory.dmp upx 
behavioral2/memory/3432-297-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/2804-293-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3752-291-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/2804-287-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4540-286-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3100-282-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/2696-276-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1112-272-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/2696-269-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1112-267-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1568-266-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4516-262-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4516-260-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1492-257-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/2628-253-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/2628-251-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1492-248-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4696-247-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1080-243-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1080-241-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4696-238-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/1156-237-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3916-233-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3672-229-0x0000000000400000-0x000000000043F000-memory.dmp upx 
behavioral2/memory/4504-227-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/3672-223-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/456-222-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4504-218-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/532-215-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/files/0x00070000000234c0-211.dat upx behavioral2/memory/2640-209-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/memory/4088-206-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/files/0x00070000000234be-199.dat upx behavioral2/memory/4948-197-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral2/files/0x00070000000234bd-193.dat upx behavioral2/memory/1100-191-0x0000000000400000-0x000000000043F000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3664 wrote to memory of 4464 3664 720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1N.exe 82 PID 3664 wrote to memory of 4464 3664 720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1N.exe 82 PID 3664 wrote to memory of 4464 3664 720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1N.exe 82 PID 4464 wrote to memory of 4424 4464 dvdvv.exe 83 PID 4464 wrote to memory of 4424 4464 dvdvv.exe 83 PID 4464 wrote to memory of 4424 4464 dvdvv.exe 83 PID 4424 wrote to memory of 4476 4424 llfxxrr.exe 84 PID 4424 wrote to memory of 4476 4424 llfxxrr.exe 84 PID 4424 wrote to memory of 4476 4424 llfxxrr.exe 84 PID 4476 wrote to memory of 336 4476 rlrlflf.exe 85 PID 4476 wrote to memory of 336 4476 rlrlflf.exe 85 PID 4476 wrote to memory of 336 4476 rlrlflf.exe 85 PID 336 wrote to memory of 3660 336 thnhbb.exe 86 PID 336 wrote to memory of 3660 336 thnhbb.exe 86 PID 336 wrote to memory of 3660 336 thnhbb.exe 86 PID 3660 wrote to memory of 4688 3660 tnbbhh.exe 87 PID 3660 wrote to memory of 4688 3660 tnbbhh.exe 87 PID 3660 wrote to memory of 4688 3660 tnbbhh.exe 87 PID 4688 wrote to memory of 4560 4688 vdvdj.exe 88 PID 4688 wrote to memory of 4560 4688 vdvdj.exe 88 PID 4688 wrote to memory of 4560 4688 vdvdj.exe 88 PID 4560 wrote to memory of 3960 4560 vpdvp.exe 89 PID 4560 wrote to memory of 3960 4560 vpdvp.exe 89 PID 4560 wrote to memory of 3960 4560 vpdvp.exe 89 PID 3960 wrote to memory of 1708 3960 xxflffr.exe 90 PID 3960 wrote to memory of 1708 3960 xxflffr.exe 90 PID 3960 wrote to memory of 1708 3960 xxflffr.exe 90 PID 1708 wrote to memory of 1592 1708 bhnnnn.exe 91 PID 1708 wrote to memory of 1592 1708 bhnnnn.exe 91 PID 1708 wrote to memory of 1592 1708 bhnnnn.exe 91 PID 1592 wrote to memory of 5048 1592 tbhbtt.exe 92 PID 1592 wrote to memory of 5048 1592 tbhbtt.exe 92 PID 1592 wrote to memory of 5048 1592 tbhbtt.exe 92 PID 5048 wrote to memory of 64 5048 jpvjv.exe 93 PID 5048 wrote to memory of 
64 5048 jpvjv.exe 93 PID 5048 wrote to memory of 64 5048 jpvjv.exe 93 PID 64 wrote to memory of 3780 64 dpvpd.exe 94 PID 64 wrote to memory of 3780 64 dpvpd.exe 94 PID 64 wrote to memory of 3780 64 dpvpd.exe 94 PID 3780 wrote to memory of 2268 3780 xrxfxll.exe 95 PID 3780 wrote to memory of 2268 3780 xrxfxll.exe 95 PID 3780 wrote to memory of 2268 3780 xrxfxll.exe 95 PID 2268 wrote to memory of 4844 2268 lrxrxlx.exe 96 PID 2268 wrote to memory of 4844 2268 lrxrxlx.exe 96 PID 2268 wrote to memory of 4844 2268 lrxrxlx.exe 96 PID 4844 wrote to memory of 5024 4844 1tbbtb.exe 97 PID 4844 wrote to memory of 5024 4844 1tbbtb.exe 97 PID 4844 wrote to memory of 5024 4844 1tbbtb.exe 97 PID 5024 wrote to memory of 1476 5024 nhnhnn.exe 98 PID 5024 wrote to memory of 1476 5024 nhnhnn.exe 98 PID 5024 wrote to memory of 1476 5024 nhnhnn.exe 98 PID 1476 wrote to memory of 5044 1476 pvpvp.exe 203 PID 1476 wrote to memory of 5044 1476 pvpvp.exe 203 PID 1476 wrote to memory of 5044 1476 pvpvp.exe 203 PID 5044 wrote to memory of 4048 5044 pjjdv.exe 100 PID 5044 wrote to memory of 4048 5044 pjjdv.exe 100 PID 5044 wrote to memory of 4048 5044 pjjdv.exe 100 PID 4048 wrote to memory of 2496 4048 lrffrrr.exe 101 PID 4048 wrote to memory of 2496 4048 lrffrrr.exe 101 PID 4048 wrote to memory of 2496 4048 lrffrrr.exe 101 PID 2496 wrote to memory of 2324 2496 5rxxrxx.exe 102 PID 2496 wrote to memory of 2324 2496 5rxxrxx.exe 102 PID 2496 wrote to memory of 2324 2496 5rxxrxx.exe 102 PID 2324 wrote to memory of 2264 2324 bhnbbn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1N.exe"C:\Users\Admin\AppData\Local\Temp\720abe70e3ec8ae83a769e5367c8aec23eb5cbfba58d67c450dc57e1b6b93eb1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\dvdvv.exec:\dvdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\llfxxrr.exec:\llfxxrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\rlrlflf.exec:\rlrlflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\thnhbb.exec:\thnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\tnbbhh.exec:\tnbbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\vdvdj.exec:\vdvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\vpdvp.exec:\vpdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\xxflffr.exec:\xxflffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\bhnnnn.exec:\bhnnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\tbhbtt.exec:\tbhbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\jpvjv.exec:\jpvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\dpvpd.exec:\dpvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\xrxfxll.exec:\xrxfxll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\lrxrxlx.exec:\lrxrxlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\1tbbtb.exec:\1tbbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\nhnhnn.exec:\nhnhnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\pvpvp.exec:\pvpvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\pjjdv.exec:\pjjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\lrffrrr.exec:\lrffrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\5rxxrxx.exec:\5rxxrxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\bhnbbn.exec:\bhnbbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\5ttnhn.exec:\5ttnhn.exe23⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vpddj.exec:\vpddj.exe24⤵
- Executes dropped EXE
PID:1616 -
\??\c:\jjjjj.exec:\jjjjj.exe25⤵
- Executes dropped EXE
PID:2116 -
\??\c:\llrllll.exec:\llrllll.exe26⤵
- Executes dropped EXE
PID:4980 -
\??\c:\xrxfxff.exec:\xrxfxff.exe27⤵
- Executes dropped EXE
PID:2956 -
\??\c:\tnttnn.exec:\tnttnn.exe28⤵
- Executes dropped EXE
PID:1100 -
\??\c:\nbnhtt.exec:\nbnhtt.exe29⤵
- Executes dropped EXE
PID:4948 -
\??\c:\dpdvv.exec:\dpdvv.exe30⤵
- Executes dropped EXE
PID:4088 -
\??\c:\dvvpd.exec:\dvvpd.exe31⤵
- Executes dropped EXE
PID:2640 -
\??\c:\xfrlfff.exec:\xfrlfff.exe32⤵
- Executes dropped EXE
PID:532 -
\??\c:\xxfffff.exec:\xxfffff.exe33⤵
- Executes dropped EXE
PID:456 -
\??\c:\ntnhhh.exec:\ntnhhh.exe34⤵
- Executes dropped EXE
PID:4504 -
\??\c:\tbhbbb.exec:\tbhbbb.exe35⤵
- Executes dropped EXE
PID:3672 -
\??\c:\1pjjj.exec:\1pjjj.exe36⤵
- Executes dropped EXE
PID:1156 -
\??\c:\djjdv.exec:\djjdv.exe37⤵
- Executes dropped EXE
PID:3916 -
\??\c:\rlffxxx.exec:\rlffxxx.exe38⤵
- Executes dropped EXE
PID:4696 -
\??\c:\fxflfff.exec:\fxflfff.exe39⤵
- Executes dropped EXE
PID:1080 -
\??\c:\7hbtnn.exec:\7hbtnn.exe40⤵
- Executes dropped EXE
PID:1492 -
\??\c:\djvpj.exec:\djvpj.exe41⤵
- Executes dropped EXE
PID:2628 -
\??\c:\jvdvv.exec:\jvdvv.exe42⤵
- Executes dropped EXE
PID:1568 -
\??\c:\dvvvj.exec:\dvvvj.exe43⤵
- Executes dropped EXE
PID:4516 -
\??\c:\xfrrfff.exec:\xfrrfff.exe44⤵
- Executes dropped EXE
PID:1112 -
\??\c:\rxllfff.exec:\rxllfff.exe45⤵
- Executes dropped EXE
PID:2696 -
\??\c:\1ttnhh.exec:\1ttnhh.exe46⤵
- Executes dropped EXE
PID:3100 -
\??\c:\nhtthn.exec:\nhtthn.exe47⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vjjjv.exec:\vjjjv.exe48⤵
- Executes dropped EXE
PID:3752 -
\??\c:\vjvpd.exec:\vjvpd.exe49⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rxrrrxr.exec:\rxrrrxr.exe50⤵
- Executes dropped EXE
PID:4940 -
\??\c:\lflfxxr.exec:\lflfxxr.exe51⤵
- Executes dropped EXE
PID:3432 -
\??\c:\bbnhbb.exec:\bbnhbb.exe52⤵
- Executes dropped EXE
PID:752 -
\??\c:\thtnnn.exec:\thtnnn.exe53⤵
- Executes dropped EXE
PID:3832 -
\??\c:\ppjdd.exec:\ppjdd.exe54⤵
- Executes dropped EXE
PID:3020 -
\??\c:\pvjdd.exec:\pvjdd.exe55⤵
- Executes dropped EXE
PID:5092 -
\??\c:\7flffff.exec:\7flffff.exe56⤵
- Executes dropped EXE
PID:4992 -
\??\c:\xrxffll.exec:\xrxffll.exe57⤵
- Executes dropped EXE
PID:4588 -
\??\c:\bthhnt.exec:\bthhnt.exe58⤵
- Executes dropped EXE
PID:1924 -
\??\c:\bthhbt.exec:\bthhbt.exe59⤵
- Executes dropped EXE
PID:3068 -
\??\c:\jvjjv.exec:\jvjjv.exe60⤵
- Executes dropped EXE
PID:3200 -
\??\c:\dpddp.exec:\dpddp.exe61⤵
- Executes dropped EXE
PID:4688 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe62⤵
- Executes dropped EXE
PID:3892 -
\??\c:\fxxxxxr.exec:\fxxxxxr.exe63⤵
- Executes dropped EXE
PID:3128 -
\??\c:\hnnhnh.exec:\hnnhnh.exe64⤵
- Executes dropped EXE
PID:1132 -
\??\c:\httnnt.exec:\httnnt.exe65⤵
- Executes dropped EXE
PID:3740 -
\??\c:\pdddv.exec:\pdddv.exe66⤵PID:2984
-
\??\c:\djpdp.exec:\djpdp.exe67⤵PID:1388
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe68⤵PID:2900
-
\??\c:\ffrxlrl.exec:\ffrxlrl.exe69⤵PID:2860
-
\??\c:\9hnhbb.exec:\9hnhbb.exe70⤵PID:2752
-
\??\c:\hbhbtt.exec:\hbhbtt.exe71⤵PID:4408
-
\??\c:\jvjjd.exec:\jvjjd.exe72⤵PID:4048
-
\??\c:\xlxrrrl.exec:\xlxrrrl.exe73⤵PID:4632
-
\??\c:\1xxffff.exec:\1xxffff.exe74⤵PID:3412
-
\??\c:\tnhhhh.exec:\tnhhhh.exe75⤵PID:1136
-
\??\c:\1hhbtt.exec:\1hhbtt.exe76⤵PID:3876
-
\??\c:\djdjd.exec:\djdjd.exe77⤵PID:3932
-
\??\c:\jdppp.exec:\jdppp.exe78⤵PID:3400
-
\??\c:\rlxxrrx.exec:\rlxxrrx.exe79⤵PID:4948
-
\??\c:\5rrlffx.exec:\5rrlffx.exe80⤵PID:4088
-
\??\c:\bbbhnn.exec:\bbbhnn.exe81⤵PID:4292
-
\??\c:\thhhhh.exec:\thhhhh.exe82⤵PID:4496
-
\??\c:\7vdvv.exec:\7vdvv.exe83⤵PID:4856
-
\??\c:\vjjjv.exec:\vjjjv.exe84⤵PID:3788
-
\??\c:\7llfffx.exec:\7llfffx.exe85⤵PID:4312
-
\??\c:\ffxfxxx.exec:\ffxfxxx.exe86⤵PID:4788
-
\??\c:\9htbth.exec:\9htbth.exe87⤵PID:4820
-
\??\c:\7nnhbb.exec:\7nnhbb.exe88⤵
- System Location Discovery: System Language Discovery
PID:968 -
\??\c:\ddjdd.exec:\ddjdd.exe89⤵PID:1740
-
\??\c:\lffxrrl.exec:\lffxrrl.exe90⤵PID:3216
-
\??\c:\fxlrffl.exec:\fxlrffl.exe91⤵PID:2616
-
\??\c:\btttbn.exec:\btttbn.exe92⤵PID:1688
-
\??\c:\hhhhhh.exec:\hhhhhh.exe93⤵PID:3684
-
\??\c:\pdjjj.exec:\pdjjj.exe94⤵PID:3652
-
\??\c:\djppd.exec:\djppd.exe95⤵PID:4176
-
\??\c:\lfllffx.exec:\lfllffx.exe96⤵PID:1480
-
\??\c:\fxrrfff.exec:\fxrrfff.exe97⤵PID:4724
-
\??\c:\7tnnhh.exec:\7tnnhh.exe98⤵PID:4464
-
\??\c:\nnttbb.exec:\nnttbb.exe99⤵PID:4132
-
\??\c:\1pdvd.exec:\1pdvd.exe100⤵PID:8
-
\??\c:\vpppj.exec:\vpppj.exe101⤵PID:4776
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe102⤵PID:4432
-
\??\c:\xxfxxfx.exec:\xxfxxfx.exe103⤵PID:208
-
\??\c:\hbhhhn.exec:\hbhhhn.exe104⤵PID:3200
-
\??\c:\9nhbtt.exec:\9nhbtt.exe105⤵PID:2612
-
\??\c:\vvdvd.exec:\vvdvd.exe106⤵PID:1332
-
\??\c:\jjpjp.exec:\jjpjp.exe107⤵PID:3128
-
\??\c:\rxlxrrf.exec:\rxlxrrf.exe108⤵PID:1992
-
\??\c:\hbbttt.exec:\hbbttt.exe109⤵PID:3196
-
\??\c:\pdppp.exec:\pdppp.exe110⤵PID:4844
-
\??\c:\frxxrrx.exec:\frxxrrx.exe111⤵PID:3232
-
\??\c:\tnnnhh.exec:\tnnnhh.exe112⤵PID:656
-
\??\c:\pdvpv.exec:\pdvpv.exe113⤵PID:4632
-
\??\c:\ffrlrrf.exec:\ffrlrrf.exe114⤵PID:3680
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe115⤵PID:4372
-
\??\c:\5tnbbh.exec:\5tnbbh.exe116⤵
- System Location Discovery: System Language Discovery
PID:3876 -
\??\c:\jddvv.exec:\jddvv.exe117⤵PID:4768
-
\??\c:\5rlfxxr.exec:\5rlfxxr.exe118⤵PID:5072
-
\??\c:\ffffxxr.exec:\ffffxxr.exe119⤵PID:3504
-
\??\c:\bbtbht.exec:\bbtbht.exe120⤵PID:4292
-
\??\c:\3vpjd.exec:\3vpjd.exe121⤵PID:468
-
\??\c:\jjjjd.exec:\jjjjd.exe122⤵PID:1108