Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2024, 23:06
Static task
static1
Behavioral task
behavioral1
Sample
a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317.exe
Resource
win7-20240903-en
General
-
Target
a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317.exe
-
Size
453KB
-
MD5
eca359b22b705c449d5daadf24b181c5
-
SHA1
5e4b6d51436b7bb689df69dd2e34abce1dff4eb1
-
SHA256
a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317
-
SHA512
e876cc4bde272aa8a7285cdd6c1598f962c87e83440a31ce51c7413c9c761fa3f91202c282ef60a8319b14bf3d11de8ead15b2b5de83a5b6b054ee906704e606
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2364-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4476-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4376-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-1168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-1465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-1713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-1873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2908 lrxrlff.exe 4172 bnbnhh.exe 2608 jjvpd.exe 3308 7llfrrl.exe 2440 5ppjd.exe 3568 nhbnbt.exe 4584 7vppd.exe 2060 xlxrfff.exe 1188 tbhbnb.exe 4456 nhhhhh.exe 2552 jjpdv.exe 4272 3bnhhh.exe 2036 7pvjv.exe 3644 llffxxx.exe 3556 btnbnh.exe 4400 djjdd.exe 3164 thbtnn.exe 2680 ddppv.exe 620 3rrrrlf.exe 2328 dpdvp.exe 3368 jjppv.exe 4824 9tbnhh.exe 3168 1jpvp.exe 4948 llxflll.exe 3280 1pppp.exe 744 xllrlll.exe 4068 9rlfxxr.exe 4304 thhtnh.exe 1552 9pvdp.exe 5096 xlrlxrl.exe 4476 tbhbhh.exe 464 9ppjd.exe 3968 lllfxxr.exe 2092 rxfrlfx.exe 4480 hhbnbn.exe 3792 jjvvp.exe 3544 lfrrxrr.exe 2860 5ntntn.exe 3152 dvvpj.exe 1068 xrxfffl.exe 1272 3nbtnn.exe 4648 jddvj.exe 4264 xrrlffx.exe 5084 nnnbhb.exe 1396 jdpdp.exe 4000 xxxrfxr.exe 5108 bbnnhh.exe 2608 bttbtn.exe 4936 jjdjd.exe 4744 9nhbtt.exe 4756 hnnbth.exe 3180 7xxrfxr.exe 3456 fxlfrlf.exe 4164 ntnntb.exe 2060 jvjvv.exe 2896 1rrllll.exe 4104 vdvpd.exe 4660 fflxrxx.exe 2148 frfxfxr.exe 1180 3ppdv.exe 2264 jdjdp.exe 2376 9lrrfxr.exe 5068 3vdvv.exe 3912 xrrfrrl.exe -
resource yara_rule behavioral2/memory/2364-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4476-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3076-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-1168-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2908 2364 a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317.exe 83 PID 2364 wrote to memory of 2908 2364 a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317.exe 83 PID 2364 wrote to memory of 2908 2364 a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317.exe 83 PID 2908 wrote to memory of 4172 2908 lrxrlff.exe 84 PID 2908 wrote to memory of 4172 2908 lrxrlff.exe 84 PID 2908 wrote to memory of 4172 2908 lrxrlff.exe 84 PID 4172 wrote to memory of 2608 4172 bnbnhh.exe 85 PID 4172 wrote to memory of 2608 4172 bnbnhh.exe 85 PID 4172 wrote to memory of 2608 4172 bnbnhh.exe 85 PID 2608 wrote to memory of 3308 2608 jjvpd.exe 86 PID 2608 wrote to memory of 3308 2608 jjvpd.exe 86 PID 2608 wrote to memory of 3308 2608 jjvpd.exe 86 PID 3308 wrote to memory of 2440 3308 7llfrrl.exe 87 PID 3308 wrote to memory of 2440 3308 7llfrrl.exe 87 PID 3308 wrote to memory of 2440 3308 7llfrrl.exe 87 PID 2440 wrote to memory of 3568 2440 5ppjd.exe 88 PID 2440 wrote to memory of 3568 2440 5ppjd.exe 88 PID 2440 wrote to memory of 3568 2440 5ppjd.exe 88 PID 3568 wrote to memory of 4584 3568 nhbnbt.exe 89 PID 3568 wrote to memory of 4584 3568 nhbnbt.exe 89 PID 3568 wrote to memory of 4584 3568 nhbnbt.exe 89 PID 4584 wrote to memory of 2060 4584 7vppd.exe 90 PID 4584 wrote to memory of 2060 4584 7vppd.exe 90 PID 4584 wrote to memory of 2060 4584 7vppd.exe 90 PID 2060 wrote to memory of 1188 2060 xlxrfff.exe 91 PID 2060 wrote to memory of 1188 2060 xlxrfff.exe 91 PID 2060 wrote to memory of 1188 2060 xlxrfff.exe 91 PID 1188 wrote to memory of 4456 1188 tbhbnb.exe 92 PID 1188 wrote to memory of 4456 1188 tbhbnb.exe 92 PID 1188 wrote to memory of 4456 1188 tbhbnb.exe 92 PID 4456 wrote to memory of 2552 4456 nhhhhh.exe 93 PID 4456 wrote to memory of 2552 4456 nhhhhh.exe 93 PID 4456 wrote to memory of 2552 4456 nhhhhh.exe 93 PID 2552 wrote to memory of 4272 2552 jjpdv.exe 94 PID 2552 wrote to 
memory of 4272 2552 jjpdv.exe 94 PID 2552 wrote to memory of 4272 2552 jjpdv.exe 94 PID 4272 wrote to memory of 2036 4272 3bnhhh.exe 95 PID 4272 wrote to memory of 2036 4272 3bnhhh.exe 95 PID 4272 wrote to memory of 2036 4272 3bnhhh.exe 95 PID 2036 wrote to memory of 3644 2036 7pvjv.exe 96 PID 2036 wrote to memory of 3644 2036 7pvjv.exe 96 PID 2036 wrote to memory of 3644 2036 7pvjv.exe 96 PID 3644 wrote to memory of 3556 3644 llffxxx.exe 97 PID 3644 wrote to memory of 3556 3644 llffxxx.exe 97 PID 3644 wrote to memory of 3556 3644 llffxxx.exe 97 PID 3556 wrote to memory of 4400 3556 btnbnh.exe 98 PID 3556 wrote to memory of 4400 3556 btnbnh.exe 98 PID 3556 wrote to memory of 4400 3556 btnbnh.exe 98 PID 4400 wrote to memory of 3164 4400 djjdd.exe 99 PID 4400 wrote to memory of 3164 4400 djjdd.exe 99 PID 4400 wrote to memory of 3164 4400 djjdd.exe 99 PID 3164 wrote to memory of 2680 3164 thbtnn.exe 100 PID 3164 wrote to memory of 2680 3164 thbtnn.exe 100 PID 3164 wrote to memory of 2680 3164 thbtnn.exe 100 PID 2680 wrote to memory of 620 2680 ddppv.exe 101 PID 2680 wrote to memory of 620 2680 ddppv.exe 101 PID 2680 wrote to memory of 620 2680 ddppv.exe 101 PID 620 wrote to memory of 2328 620 3rrrrlf.exe 102 PID 620 wrote to memory of 2328 620 3rrrrlf.exe 102 PID 620 wrote to memory of 2328 620 3rrrrlf.exe 102 PID 2328 wrote to memory of 3368 2328 dpdvp.exe 103 PID 2328 wrote to memory of 3368 2328 dpdvp.exe 103 PID 2328 wrote to memory of 3368 2328 dpdvp.exe 103 PID 3368 wrote to memory of 4824 3368 jjppv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317.exe"C:\Users\Admin\AppData\Local\Temp\a9a31e66a66b1058052fc582630eeb9b753d848fb0eb4b45ec799a0c4de6a317.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\lrxrlff.exec:\lrxrlff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\bnbnhh.exec:\bnbnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\jjvpd.exec:\jjvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\7llfrrl.exec:\7llfrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\5ppjd.exec:\5ppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\nhbnbt.exec:\nhbnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\7vppd.exec:\7vppd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\xlxrfff.exec:\xlxrfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\tbhbnb.exec:\tbhbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\nhhhhh.exec:\nhhhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\jjpdv.exec:\jjpdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\3bnhhh.exec:\3bnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\7pvjv.exec:\7pvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\llffxxx.exec:\llffxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\btnbnh.exec:\btnbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\djjdd.exec:\djjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\thbtnn.exec:\thbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\ddppv.exec:\ddppv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\3rrrrlf.exec:\3rrrrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\dpdvp.exec:\dpdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\jjppv.exec:\jjppv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\9tbnhh.exec:\9tbnhh.exe23⤵
- Executes dropped EXE
PID:4824 -
\??\c:\1jpvp.exec:\1jpvp.exe24⤵
- Executes dropped EXE
PID:3168 -
\??\c:\llxflll.exec:\llxflll.exe25⤵
- Executes dropped EXE
PID:4948 -
\??\c:\1pppp.exec:\1pppp.exe26⤵
- Executes dropped EXE
PID:3280 -
\??\c:\xllrlll.exec:\xllrlll.exe27⤵
- Executes dropped EXE
PID:744 -
\??\c:\9rlfxxr.exec:\9rlfxxr.exe28⤵
- Executes dropped EXE
PID:4068 -
\??\c:\thhtnh.exec:\thhtnh.exe29⤵
- Executes dropped EXE
PID:4304 -
\??\c:\9pvdp.exec:\9pvdp.exe30⤵
- Executes dropped EXE
PID:1552 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe31⤵
- Executes dropped EXE
PID:5096 -
\??\c:\tbhbhh.exec:\tbhbhh.exe32⤵
- Executes dropped EXE
PID:4476 -
\??\c:\9ppjd.exec:\9ppjd.exe33⤵
- Executes dropped EXE
PID:464 -
\??\c:\lllfxxr.exec:\lllfxxr.exe34⤵
- Executes dropped EXE
PID:3968 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe35⤵
- Executes dropped EXE
PID:2092 -
\??\c:\hhbnbn.exec:\hhbnbn.exe36⤵
- Executes dropped EXE
PID:4480 -
\??\c:\jjvvp.exec:\jjvvp.exe37⤵
- Executes dropped EXE
PID:3792 -
\??\c:\lfrrxrr.exec:\lfrrxrr.exe38⤵
- Executes dropped EXE
PID:3544 -
\??\c:\5ntntn.exec:\5ntntn.exe39⤵
- Executes dropped EXE
PID:2860 -
\??\c:\dvvpj.exec:\dvvpj.exe40⤵
- Executes dropped EXE
PID:3152 -
\??\c:\xrxfffl.exec:\xrxfffl.exe41⤵
- Executes dropped EXE
PID:1068 -
\??\c:\3nbtnn.exec:\3nbtnn.exe42⤵
- Executes dropped EXE
PID:1272 -
\??\c:\jddvj.exec:\jddvj.exe43⤵
- Executes dropped EXE
PID:4648 -
\??\c:\xrrlffx.exec:\xrrlffx.exe44⤵
- Executes dropped EXE
PID:4264 -
\??\c:\nnnbhb.exec:\nnnbhb.exe45⤵
- Executes dropped EXE
PID:5084 -
\??\c:\jdpdp.exec:\jdpdp.exe46⤵
- Executes dropped EXE
PID:1396 -
\??\c:\xxxrfxr.exec:\xxxrfxr.exe47⤵
- Executes dropped EXE
PID:4000 -
\??\c:\bbnnhh.exec:\bbnnhh.exe48⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bttbtn.exec:\bttbtn.exe49⤵
- Executes dropped EXE
PID:2608 -
\??\c:\jjdjd.exec:\jjdjd.exe50⤵
- Executes dropped EXE
PID:4936 -
\??\c:\9nhbtt.exec:\9nhbtt.exe51⤵
- Executes dropped EXE
PID:4744 -
\??\c:\hnnbth.exec:\hnnbth.exe52⤵
- Executes dropped EXE
PID:4756 -
\??\c:\7xxrfxr.exec:\7xxrfxr.exe53⤵
- Executes dropped EXE
PID:3180 -
\??\c:\fxlfrlf.exec:\fxlfrlf.exe54⤵
- Executes dropped EXE
PID:3456 -
\??\c:\ntnntb.exec:\ntnntb.exe55⤵
- Executes dropped EXE
PID:4164 -
\??\c:\jvjvv.exec:\jvjvv.exe56⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1rrllll.exec:\1rrllll.exe57⤵
- Executes dropped EXE
PID:2896 -
\??\c:\vdvpd.exec:\vdvpd.exe58⤵
- Executes dropped EXE
PID:4104 -
\??\c:\fflxrxx.exec:\fflxrxx.exe59⤵
- Executes dropped EXE
PID:4660 -
\??\c:\frfxfxr.exec:\frfxfxr.exe60⤵
- Executes dropped EXE
PID:2148 -
\??\c:\3ppdv.exec:\3ppdv.exe61⤵
- Executes dropped EXE
PID:1180 -
\??\c:\jdjdp.exec:\jdjdp.exe62⤵
- Executes dropped EXE
PID:2264 -
\??\c:\9lrrfxr.exec:\9lrrfxr.exe63⤵
- Executes dropped EXE
PID:2376 -
\??\c:\3vdvv.exec:\3vdvv.exe64⤵
- Executes dropped EXE
PID:5068 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe65⤵
- Executes dropped EXE
PID:3912 -
\??\c:\5tnbnb.exec:\5tnbnb.exe66⤵PID:5008
-
\??\c:\9vdvj.exec:\9vdvj.exe67⤵PID:4768
-
\??\c:\pjpjd.exec:\pjpjd.exe68⤵PID:3076
-
\??\c:\lrxfrlf.exec:\lrxfrlf.exe69⤵PID:860
-
\??\c:\hhhbtt.exec:\hhhbtt.exe70⤵PID:2588
-
\??\c:\5ddvj.exec:\5ddvj.exe71⤵PID:540
-
\??\c:\3jjdp.exec:\3jjdp.exe72⤵PID:412
-
\??\c:\frxrrlf.exec:\frxrrlf.exe73⤵PID:4376
-
\??\c:\nbtbnt.exec:\nbtbnt.exe74⤵PID:3260
-
\??\c:\pvpdv.exec:\pvpdv.exe75⤵PID:1620
-
\??\c:\3lfxffx.exec:\3lfxffx.exe76⤵PID:4080
-
\??\c:\1bnhbh.exec:\1bnhbh.exe77⤵PID:3168
-
\??\c:\3bnhtt.exec:\3bnhtt.exe78⤵PID:4064
-
\??\c:\1dvvv.exec:\1dvvv.exe79⤵PID:732
-
\??\c:\rlllxrl.exec:\rlllxrl.exe80⤵PID:744
-
\??\c:\3ntnhn.exec:\3ntnhn.exe81⤵PID:4604
-
\??\c:\nhbtnt.exec:\nhbtnt.exe82⤵PID:968
-
\??\c:\pjjdv.exec:\pjjdv.exe83⤵PID:1140
-
\??\c:\3llfxrl.exec:\3llfxrl.exe84⤵PID:4852
-
\??\c:\nhtttb.exec:\nhtttb.exe85⤵PID:2128
-
\??\c:\hhnhtt.exec:\hhnhtt.exe86⤵PID:3460
-
\??\c:\jjddv.exec:\jjddv.exe87⤵PID:464
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe88⤵PID:1136
-
\??\c:\hnbnth.exec:\hnbnth.exe89⤵PID:408
-
\??\c:\vpddd.exec:\vpddd.exe90⤵PID:3232
-
\??\c:\rllxlxx.exec:\rllxlxx.exe91⤵PID:2248
-
\??\c:\rfrxrrl.exec:\rfrxrrl.exe92⤵PID:2840
-
\??\c:\nbnhnh.exec:\nbnhnh.exe93⤵PID:4816
-
\??\c:\dppjv.exec:\dppjv.exe94⤵PID:3152
-
\??\c:\dddvj.exec:\dddvj.exe95⤵PID:1672
-
\??\c:\5ffxllf.exec:\5ffxllf.exe96⤵PID:2000
-
\??\c:\tbhbtt.exec:\tbhbtt.exe97⤵PID:4648
-
\??\c:\bntnnn.exec:\bntnnn.exe98⤵PID:3472
-
\??\c:\9vpjv.exec:\9vpjv.exe99⤵PID:4884
-
\??\c:\7fllxxr.exec:\7fllxxr.exe100⤵PID:2908
-
\??\c:\9nnhbt.exec:\9nnhbt.exe101⤵PID:3060
-
\??\c:\nbhbbb.exec:\nbhbbb.exe102⤵PID:3288
-
\??\c:\3vvdd.exec:\3vvdd.exe103⤵PID:1372
-
\??\c:\xrrllll.exec:\xrrllll.exe104⤵PID:2316
-
\??\c:\htbtbb.exec:\htbtbb.exe105⤵PID:3724
-
\??\c:\hhnnbt.exec:\hhnnbt.exe106⤵PID:324
-
\??\c:\vpjdv.exec:\vpjdv.exe107⤵PID:3116
-
\??\c:\fffxlfx.exec:\fffxlfx.exe108⤵PID:1264
-
\??\c:\bbbnbb.exec:\bbbnbb.exe109⤵PID:456
-
\??\c:\vdjjd.exec:\vdjjd.exe110⤵PID:3476
-
\??\c:\jddvp.exec:\jddvp.exe111⤵PID:4456
-
\??\c:\lrrlffx.exec:\lrrlffx.exe112⤵PID:4704
-
\??\c:\tntttb.exec:\tntttb.exe113⤵PID:1536
-
\??\c:\vddvv.exec:\vddvv.exe114⤵PID:3728
-
\??\c:\dpvdv.exec:\dpvdv.exe115⤵PID:4996
-
\??\c:\3llflfx.exec:\3llflfx.exe116⤵PID:2524
-
\??\c:\bthbtn.exec:\bthbtn.exe117⤵PID:3888
-
\??\c:\9bbtnn.exec:\9bbtnn.exe118⤵PID:2580
-
\??\c:\pvvpj.exec:\pvvpj.exe119⤵PID:4736
-
\??\c:\lffrrlf.exec:\lffrrlf.exe120⤵PID:764
-
\??\c:\3hnhhb.exec:\3hnhhb.exe121⤵PID:1784
-
\??\c:\djdvj.exec:\djdvj.exe122⤵PID:3164