Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/12/2024, 04:00
Behavioral task
- task: behavioral1
- sample: b146928b30228b12238fdb94b0ab8179518acff903bb31fb360b0189d2f2c7e7.exe
- resource: win7-20240729-en
General
- Target: b146928b30228b12238fdb94b0ab8179518acff903bb31fb360b0189d2f2c7e7.exe
- Size: 333KB
- MD5: 0ec537d5a7ff2301be0b68bf73f26562
- SHA1: 0a532336db28d622c9c5f1b270386985aa38d8d9
- SHA256: b146928b30228b12238fdb94b0ab8179518acff903bb31fb360b0189d2f2c7e7
- SHA512: 13ba6de4cbf05c7ef841a901a6717c3f936459c07d13430b0cbe8f5e15de88675dfd7c0bee9fa51fbaac563e6effab3824d343d921936ad2acb38a4491fc4b2a
- SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeTq:R4wFHoSHYHUrAwfMp3CD+
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (63 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process chain (each entry is spawned by the one above it; the number is its depth in the tree, the signatures that fired for it follow the PID):
1. C:\Users\Admin\AppData\Local\Temp\b146928b30228b12238fdb94b0ab8179518acff903bb31fb360b0189d2f2c7e7.exe (PID 3208): Suspicious use of WriteProcessMemory
2. \??\c:\lrlxrlx.exe (PID 636): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\vvdvv.exe (PID 1568): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\lrxlxrf.exe (PID 3444): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\bhnttn.exe (PID 3376): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\vpvpj.exe (PID 2472): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\lfrlfxx.exe (PID 1072): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\xxxrlfx.exe (PID 4244): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\pvpjd.exe (PID 4160): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\bhbnth.exe (PID 3872): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\jpvpj.exe (PID 3648): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\3xfxlfr.exe (PID 624): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\1xxlxlf.exe (PID 4388): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\5rrrflx.exe (PID 1472): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\rlrlxrl.exe (PID 1756): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\vdjvj.exe (PID 3132): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\xxfrfxl.exe (PID 1220): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\5ffrlfx.exe (PID 1656): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\bnnbth.exe (PID 2028): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\7dvjv.exe (PID 3116): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\pdjvj.exe (PID 1356): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\rxfrlfl.exe (PID 2632): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\hhnhbt.exe (PID 4224): Executes dropped EXE
24. \??\c:\nnthbt.exe (PID 3552): Executes dropped EXE
25. \??\c:\pddpj.exe (PID 4836): Executes dropped EXE
26. \??\c:\3djjj.exe (PID 3224): Executes dropped EXE
27. \??\c:\xlxllff.exe (PID 4168): Executes dropped EXE
28. \??\c:\thtbnn.exe (PID 2208): Executes dropped EXE
29. \??\c:\hthbtn.exe (PID 4988): Executes dropped EXE
30. \??\c:\vddvp.exe (PID 1248): Executes dropped EXE
31. \??\c:\vjvjj.exe (PID 932): Executes dropped EXE
32. \??\c:\rfxlrlx.exe (PID 3628): Executes dropped EXE
33. \??\c:\hbhbbt.exe (PID 3228): Executes dropped EXE
34. \??\c:\3tthbt.exe (PID 756): Executes dropped EXE
35. \??\c:\1vdvv.exe (PID 2648): Executes dropped EXE
36. \??\c:\jvjvv.exe (PID 1256): Executes dropped EXE
37. \??\c:\lllxlfl.exe (PID 4992): Executes dropped EXE
38. \??\c:\5nnhbt.exe (PID 4292): Executes dropped EXE
39. \??\c:\nnbtnh.exe (PID 804): Executes dropped EXE
40. \??\c:\djpjv.exe (PID 3588): Executes dropped EXE
41. \??\c:\djddd.exe (PID 4464): Executes dropped EXE
42. \??\c:\xrlfrrf.exe (PID 4356): Executes dropped EXE
43. \??\c:\rlxlrlr.exe (PID 3644): Executes dropped EXE
44. \??\c:\tbhhbt.exe (PID 5112): Executes dropped EXE
45. \??\c:\htnbnh.exe (PID 528): Executes dropped EXE
46. \??\c:\jjdjv.exe (PID 2116): Executes dropped EXE
47. \??\c:\1rrrffr.exe (PID 428): Executes dropped EXE
48. \??\c:\flxlfxr.exe (PID 2816): Executes dropped EXE
49. \??\c:\5pvjd.exe (PID 1684): Executes dropped EXE
50. \??\c:\xlrrlfx.exe (PID 2840): Executes dropped EXE
51. \??\c:\vjpjj.exe (PID 3988): Executes dropped EXE
52. \??\c:\lflfrlf.exe (PID 1528): Executes dropped EXE
53. \??\c:\tnnbnn.exe (PID 2856): Executes dropped EXE
54. \??\c:\9djvj.exe (PID 4476): Executes dropped EXE
55. \??\c:\djdvd.exe (PID 4492): Executes dropped EXE
56. \??\c:\5xxrlxr.exe (PID 3388): Executes dropped EXE
57. \??\c:\jpvpj.exe (PID 1416): Executes dropped EXE
58. \??\c:\lflffxx.exe (PID 636): Executes dropped EXE
59. \??\c:\5hhbtn.exe (PID 4156): Executes dropped EXE
60. \??\c:\vjvpd.exe (PID 4664): Executes dropped EXE
61. \??\c:\jpvvp.exe (PID 3260): Executes dropped EXE
62. \??\c:\fxrrxrx.exe (PID 4808): Executes dropped EXE
63. \??\c:\bnbbbt.exe (PID 2756): Executes dropped EXE
64. \??\c:\bntnhh.exe (PID 1260): Executes dropped EXE
65. \??\c:\vjpvj.exe (PID 864): Executes dropped EXE
66. \??\c:\3flfxfx.exe (PID 2696)
67. \??\c:\fxxlxxx.exe (PID 1972)
68. \??\c:\nhnbtn.exe (PID 4160)
69. \??\c:\vjppj.exe (PID 4268)
70. \??\c:\jvjdv.exe (PID 1316)
71. \??\c:\3lxrllx.exe (PID 4092)
72. \??\c:\tbtnhb.exe (PID 624)
73. \??\c:\hbhhbb.exe (PID 3016)
74. \??\c:\jddvp.exe (PID 1472)
75. \??\c:\7xlflfl.exe (PID 1688)
76. \??\c:\1fxxrrl.exe (PID 4180)
77. \??\c:\hbttnn.exe (PID 4856)
78. \??\c:\5nnbtn.exe (PID 2352)
79. \??\c:\1dvvp.exe (PID 1220)
80. \??\c:\9ffxrrx.exe (PID 4204)
81. \??\c:\lxfxrll.exe (PID 1984)
82. \??\c:\1htbbb.exe (PID 4328)
83. \??\c:\3frrfxx.exe (PID 3116)
84. \??\c:\3nbtnn.exe (PID 1824)
85. \??\c:\tnbttb.exe (PID 1152)
86. \??\c:\vvvpj.exe (PID 856)
87. \??\c:\1lrrllf.exe (PID 5104)
88. \??\c:\xlxrrrr.exe (PID 3552)
89. \??\c:\nbnbbt.exe (PID 552)
90. \??\c:\9hbnhb.exe (PID 3120)
91. \??\c:\rxrfxrl.exe (PID 1632)
92. \??\c:\hbbtnn.exe (PID 3836)
93. \??\c:\nhbthh.exe (PID 4104)
94. \??\c:\vvvdp.exe (PID 4996)
95. \??\c:\xllfrlr.exe (PID 3628)
96. \??\c:\thbnhn.exe (PID 2900)
97. \??\c:\nntnbn.exe (PID 412)
98. \??\c:\vdjvp.exe (PID 4144)
99. \??\c:\lfllfrf.exe (PID 2060)
100. \??\c:\1flfxxr.exe (PID 2532)
101. \??\c:\5tttnn.exe (PID 4596)
102. \??\c:\7pvpp.exe (PID 2136)
103. \??\c:\rrxllfx.exe (PID 3816)
104. \??\c:\fxlxxrr.exe (PID 4576)
105. \??\c:\nntnhb.exe (PID 3596)
106. \??\c:\jjvpj.exe (PID 1212)
107. \??\c:\rflfxxl.exe (PID 3320)
108. \??\c:\1ttnnb.exe (PID 3644)
109. \??\c:\7bbbtt.exe (PID 3732): System Location Discovery: System Language Discovery
110. \??\c:\dpdvp.exe (PID 908)
111. \??\c:\5xfxfrx.exe (PID 3312)
112. \??\c:\bbhbtt.exe (PID 2712)
113. \??\c:\pdpdd.exe (PID 5084)
114. \??\c:\7jvpd.exe (PID 3412)
115. \??\c:\9flfrlf.exe (PID 2404)
116. \??\c:\rflfxxf.exe (PID 2024)
117. \??\c:\thbtnn.exe (PID 5100)
118. \??\c:\1dvdv.exe (PID 2168)
119. \??\c:\jjpdd.exe (PID 1912)
120. \??\c:\rxfxffx.exe (PID 4484)
121. \??\c:\1bbtnn.exe (PID 4624)
122. \??\c:\nhtntn.exe (PID 4496)