Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 01:11
Static task
static1
Behavioral task
behavioral1
Sample
a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0.exe
Resource
win7-20240903-en
Note: the task list above shows only behavioral1 (Windows 7, win7-20240903-en), but every signature hit and the process tree below are tagged behavioral2, and the analysis header reports platform windows10-2004_x64 with resource win10v2004-20241007-en. The results on this page therefore come from a second behavioral run on Windows 10, not from the Windows 7 task listed here.
General
-
Target
a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0.exe
-
Size
454KB
-
MD5
ac7af43888ea256b1e1fb543f6dd2c69
-
SHA1
67f01fe07a841d744f2f5c92331988746b109d51
-
SHA256
a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0
-
SHA512
ad7e11c7c4ae1b59a8d16d5deff2d201051688c11b10b81e1df39e16efec43d3a698d03137e06c9e9cf85d20fc3666d5d00c52f5897429461b97f7f093f4a165
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetQ:q7Tc2NYHUrAwfMp3CDtQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit is a memory-dump match on the same 0x0000000000400000-0x000000000042A000 image range of each process in the chain, and the same ranges also match the `upx` rule further down; the family classification therefore rests on the running image rather than on the file as stored on disk, which is presumably packed — confirm with a static scan before relying on the family label)
resource yara_rule behavioral2/memory/4264-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/556-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1752-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-1554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1784 xrrlffr.exe 4780 thnhbt.exe 1700 3bhbbb.exe 888 rrrllrl.exe 1856 jvdvj.exe 1668 xrlfxxx.exe 2816 3jjjd.exe 220 rrxxxrx.exe 2060 5xrlffx.exe 3828 5bbttn.exe 540 jjdpj.exe 4640 dvdvp.exe 1932 rfffrxr.exe 224 nttnhh.exe 4560 bhhhtt.exe 3000 bbhbhb.exe 1748 dpvpj.exe 1744 vpdjp.exe 468 dvpdv.exe 1696 bbbnht.exe 5012 dvpjp.exe 4312 9nnbth.exe 556 5llxrlf.exe 4352 hbbttn.exe 2792 dpdpp.exe 1604 xffrxxl.exe 228 vpjvp.exe 1632 3lxrfxf.exe 512 5ttntt.exe 3928 lfffrlf.exe 2084 btbtbb.exe 4152 vpvvd.exe 1984 bhnbnn.exe 4760 dvvpd.exe 2624 5lrlffx.exe 3024 tbhbnh.exe 3536 jpjdv.exe 3996 jpvjd.exe 4968 lfllrxf.exe 3116 bnthtn.exe 3880 pvvjv.exe 3168 lfxfflr.exe 4356 btbntb.exe 1572 vvjvv.exe 3612 vpppj.exe 1116 rxlfllx.exe 1672 bhbtnh.exe 4076 vdvpv.exe 592 frlxlfx.exe 940 7hhbbb.exe 4952 1nbtbt.exe 2928 1jjdv.exe 3628 5llfffx.exe 2676 tbbttn.exe 3460 dpjdj.exe 1088 jpjjp.exe 4620 rfxrfxr.exe 2008 3ntnbt.exe 1684 nnbhth.exe 4916 vvpjp.exe 4836 rrfxrrl.exe 1660 thnhhb.exe 4756 bnbtnt.exe 1184 jvdpd.exe -
resource yara_rule behavioral2/memory/4264-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2792-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1480-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-760-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. All IoCs in this list are reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; most are attributed to "Process not Found", i.e. the sandbox could not map the access back to a live process, which is consistent with the short-lived executables in the chain having already exited (note that PIDs such as 4640, 468, 3536, 3460, 4076 and 4620 are reused later in the process tree). On its own this registry read is a weak indicator; weight the verdict on the family and UPX memory matches and on the drop-and-execute chain instead.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each entry is a parent writing into the process it has just spawned — three writes per child, following the spawn chain in the process tree: 4264 → 1784 → 4780 → 1700 …; there are no writes into unrelated or pre-existing processes in this list, so this is consistent with process creation or injection into its own child rather than injection into a system process)
description pid Process procid_target PID 4264 wrote to memory of 1784 4264 a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0.exe 82 PID 4264 wrote to memory of 1784 4264 a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0.exe 82 PID 4264 wrote to memory of 1784 4264 a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0.exe 82 PID 1784 wrote to memory of 4780 1784 xrrlffr.exe 83 PID 1784 wrote to memory of 4780 1784 xrrlffr.exe 83 PID 1784 wrote to memory of 4780 1784 xrrlffr.exe 83 PID 4780 wrote to memory of 1700 4780 thnhbt.exe 84 PID 4780 wrote to memory of 1700 4780 thnhbt.exe 84 PID 4780 wrote to memory of 1700 4780 thnhbt.exe 84 PID 1700 wrote to memory of 888 1700 3bhbbb.exe 85 PID 1700 wrote to memory of 888 1700 3bhbbb.exe 85 PID 1700 wrote to memory of 888 1700 3bhbbb.exe 85 PID 888 wrote to memory of 1856 888 rrrllrl.exe 86 PID 888 wrote to memory of 1856 888 rrrllrl.exe 86 PID 888 wrote to memory of 1856 888 rrrllrl.exe 86 PID 1856 wrote to memory of 1668 1856 jvdvj.exe 87 PID 1856 wrote to memory of 1668 1856 jvdvj.exe 87 PID 1856 wrote to memory of 1668 1856 jvdvj.exe 87 PID 1668 wrote to memory of 2816 1668 xrlfxxx.exe 88 PID 1668 wrote to memory of 2816 1668 xrlfxxx.exe 88 PID 1668 wrote to memory of 2816 1668 xrlfxxx.exe 88 PID 2816 wrote to memory of 220 2816 3jjjd.exe 89 PID 2816 wrote to memory of 220 2816 3jjjd.exe 89 PID 2816 wrote to memory of 220 2816 3jjjd.exe 89 PID 220 wrote to memory of 2060 220 rrxxxrx.exe 90 PID 220 wrote to memory of 2060 220 rrxxxrx.exe 90 PID 220 wrote to memory of 2060 220 rrxxxrx.exe 90 PID 2060 wrote to memory of 3828 2060 5xrlffx.exe 91 PID 2060 wrote to memory of 3828 2060 5xrlffx.exe 91 PID 2060 wrote to memory of 3828 2060 5xrlffx.exe 91 PID 3828 wrote to memory of 540 3828 5bbttn.exe 92 PID 3828 wrote to memory of 540 3828 5bbttn.exe 92 PID 3828 wrote to memory of 540 3828 5bbttn.exe 92 PID 540 wrote to memory of 4640 540 jjdpj.exe 93 PID 540 wrote to memory of 4640 
540 jjdpj.exe 93 PID 540 wrote to memory of 4640 540 jjdpj.exe 93 PID 4640 wrote to memory of 1932 4640 dvdvp.exe 94 PID 4640 wrote to memory of 1932 4640 dvdvp.exe 94 PID 4640 wrote to memory of 1932 4640 dvdvp.exe 94 PID 1932 wrote to memory of 224 1932 rfffrxr.exe 95 PID 1932 wrote to memory of 224 1932 rfffrxr.exe 95 PID 1932 wrote to memory of 224 1932 rfffrxr.exe 95 PID 224 wrote to memory of 4560 224 nttnhh.exe 96 PID 224 wrote to memory of 4560 224 nttnhh.exe 96 PID 224 wrote to memory of 4560 224 nttnhh.exe 96 PID 4560 wrote to memory of 3000 4560 bhhhtt.exe 97 PID 4560 wrote to memory of 3000 4560 bhhhtt.exe 97 PID 4560 wrote to memory of 3000 4560 bhhhtt.exe 97 PID 3000 wrote to memory of 1748 3000 bbhbhb.exe 98 PID 3000 wrote to memory of 1748 3000 bbhbhb.exe 98 PID 3000 wrote to memory of 1748 3000 bbhbhb.exe 98 PID 1748 wrote to memory of 1744 1748 dpvpj.exe 99 PID 1748 wrote to memory of 1744 1748 dpvpj.exe 99 PID 1748 wrote to memory of 1744 1748 dpvpj.exe 99 PID 1744 wrote to memory of 468 1744 vpdjp.exe 100 PID 1744 wrote to memory of 468 1744 vpdjp.exe 100 PID 1744 wrote to memory of 468 1744 vpdjp.exe 100 PID 468 wrote to memory of 1696 468 dvpdv.exe 101 PID 468 wrote to memory of 1696 468 dvpdv.exe 101 PID 468 wrote to memory of 1696 468 dvpdv.exe 101 PID 1696 wrote to memory of 5012 1696 bbbnht.exe 102 PID 1696 wrote to memory of 5012 1696 bbbnht.exe 102 PID 1696 wrote to memory of 5012 1696 bbbnht.exe 102 PID 5012 wrote to memory of 4312 5012 dvpjp.exe 103
Processes (a strictly linear spawn chain: the sample writes an executable to the root of the system volume — e.g. \??\c:\xrrlffr.exe — under a short name composed only of the letters b d f h j l n p r t v x and odd digits, runs it, and each dropped executable in turn drops and runs the next; the chain reaches depth 122 within the 150 s run. The analysis user is Admin, so writes to C:\ succeed here; on a standard-user host the drop location may differ. The depth indicator after each path is the process's level in the chain.)
-
C:\Users\Admin\AppData\Local\Temp\a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0.exe"C:\Users\Admin\AppData\Local\Temp\a2f1c78c7a80fb3544cb494fbfd9570ec5a4d61e3c647f4d441502735ffb5ee0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\xrrlffr.exec:\xrrlffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\thnhbt.exec:\thnhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\3bhbbb.exec:\3bhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\rrrllrl.exec:\rrrllrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
\??\c:\jvdvj.exec:\jvdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\3jjjd.exec:\3jjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\rrxxxrx.exec:\rrxxxrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\5xrlffx.exec:\5xrlffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\5bbttn.exec:\5bbttn.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\jjdpj.exec:\jjdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\dvdvp.exec:\dvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\rfffrxr.exec:\rfffrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\nttnhh.exec:\nttnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\bhhhtt.exec:\bhhhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\bbhbhb.exec:\bbhbhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\dpvpj.exec:\dpvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\vpdjp.exec:\vpdjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\dvpdv.exec:\dvpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\bbbnht.exec:\bbbnht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\dvpjp.exec:\dvpjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\9nnbth.exec:\9nnbth.exe23⤵
- Executes dropped EXE
PID:4312 -
\??\c:\5llxrlf.exec:\5llxrlf.exe24⤵
- Executes dropped EXE
PID:556 -
\??\c:\hbbttn.exec:\hbbttn.exe25⤵
- Executes dropped EXE
PID:4352 -
\??\c:\dpdpp.exec:\dpdpp.exe26⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xffrxxl.exec:\xffrxxl.exe27⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vpjvp.exec:\vpjvp.exe28⤵
- Executes dropped EXE
PID:228 -
\??\c:\3lxrfxf.exec:\3lxrfxf.exe29⤵
- Executes dropped EXE
PID:1632 -
\??\c:\5ttntt.exec:\5ttntt.exe30⤵
- Executes dropped EXE
PID:512 -
\??\c:\lfffrlf.exec:\lfffrlf.exe31⤵
- Executes dropped EXE
PID:3928 -
\??\c:\btbtbb.exec:\btbtbb.exe32⤵
- Executes dropped EXE
PID:2084 -
\??\c:\vpvvd.exec:\vpvvd.exe33⤵
- Executes dropped EXE
PID:4152 -
\??\c:\bhnbnn.exec:\bhnbnn.exe34⤵
- Executes dropped EXE
PID:1984 -
\??\c:\dvvpd.exec:\dvvpd.exe35⤵
- Executes dropped EXE
PID:4760 -
\??\c:\5lrlffx.exec:\5lrlffx.exe36⤵
- Executes dropped EXE
PID:2624 -
\??\c:\tbhbnh.exec:\tbhbnh.exe37⤵
- Executes dropped EXE
PID:3024 -
\??\c:\jpjdv.exec:\jpjdv.exe38⤵
- Executes dropped EXE
PID:3536 -
\??\c:\jpvjd.exec:\jpvjd.exe39⤵
- Executes dropped EXE
PID:3996 -
\??\c:\lfllrxf.exec:\lfllrxf.exe40⤵
- Executes dropped EXE
PID:4968 -
\??\c:\bnthtn.exec:\bnthtn.exe41⤵
- Executes dropped EXE
PID:3116 -
\??\c:\pvvjv.exec:\pvvjv.exe42⤵
- Executes dropped EXE
PID:3880 -
\??\c:\lfxfflr.exec:\lfxfflr.exe43⤵
- Executes dropped EXE
PID:3168 -
\??\c:\btbntb.exec:\btbntb.exe44⤵
- Executes dropped EXE
PID:4356 -
\??\c:\vvjvv.exec:\vvjvv.exe45⤵
- Executes dropped EXE
PID:1572 -
\??\c:\vpppj.exec:\vpppj.exe46⤵
- Executes dropped EXE
PID:3612 -
\??\c:\rxlfllx.exec:\rxlfllx.exe47⤵
- Executes dropped EXE
PID:1116 -
\??\c:\bhbtnh.exec:\bhbtnh.exe48⤵
- Executes dropped EXE
PID:1672 -
\??\c:\htnbhb.exec:\htnbhb.exe49⤵PID:3840
-
\??\c:\vdvpv.exec:\vdvpv.exe50⤵
- Executes dropped EXE
PID:4076 -
\??\c:\frlxlfx.exec:\frlxlfx.exe51⤵
- Executes dropped EXE
PID:592 -
\??\c:\7hhbbb.exec:\7hhbbb.exe52⤵
- Executes dropped EXE
PID:940 -
\??\c:\1nbtbt.exec:\1nbtbt.exe53⤵
- Executes dropped EXE
PID:4952 -
\??\c:\1jjdv.exec:\1jjdv.exe54⤵
- Executes dropped EXE
PID:2928 -
\??\c:\5llfffx.exec:\5llfffx.exe55⤵
- Executes dropped EXE
PID:3628 -
\??\c:\tbbttn.exec:\tbbttn.exe56⤵
- Executes dropped EXE
PID:2676 -
\??\c:\dpjdj.exec:\dpjdj.exe57⤵
- Executes dropped EXE
PID:3460 -
\??\c:\jpjjp.exec:\jpjjp.exe58⤵
- Executes dropped EXE
PID:1088 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe59⤵
- Executes dropped EXE
PID:4620 -
\??\c:\3ntnbt.exec:\3ntnbt.exe60⤵
- Executes dropped EXE
PID:2008 -
\??\c:\nnbhth.exec:\nnbhth.exe61⤵
- Executes dropped EXE
PID:1684 -
\??\c:\vvpjp.exec:\vvpjp.exe62⤵
- Executes dropped EXE
PID:4916 -
\??\c:\rrfxrrl.exec:\rrfxrrl.exe63⤵
- Executes dropped EXE
PID:4836 -
\??\c:\thnhhb.exec:\thnhhb.exe64⤵
- Executes dropped EXE
PID:1660 -
\??\c:\bnbtnt.exec:\bnbtnt.exe65⤵
- Executes dropped EXE
PID:4756 -
\??\c:\jvdpd.exec:\jvdpd.exe66⤵
- Executes dropped EXE
PID:1184 -
\??\c:\xxxlfxr.exec:\xxxlfxr.exe67⤵PID:4272
-
\??\c:\lllrlrr.exec:\lllrlrr.exe68⤵
- System Location Discovery: System Language Discovery
PID:4640 -
\??\c:\tntnhb.exec:\tntnhb.exe69⤵PID:2004
-
\??\c:\7jvpj.exec:\7jvpj.exe70⤵PID:388
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe71⤵PID:4572
-
\??\c:\9tbtbb.exec:\9tbtbb.exe72⤵PID:2460
-
\??\c:\1nthnh.exec:\1nthnh.exe73⤵PID:2480
-
\??\c:\dpjdv.exec:\dpjdv.exe74⤵PID:3808
-
\??\c:\fflflfx.exec:\fflflfx.exe75⤵PID:3380
-
\??\c:\nhhhbb.exec:\nhhhbb.exe76⤵PID:2352
-
\??\c:\tthbnh.exec:\tthbnh.exe77⤵PID:2644
-
\??\c:\vppdv.exec:\vppdv.exe78⤵PID:468
-
\??\c:\flfxffx.exec:\flfxffx.exe79⤵PID:2592
-
\??\c:\bhthnb.exec:\bhthnb.exe80⤵PID:4428
-
\??\c:\1dvjv.exec:\1dvjv.exe81⤵PID:3084
-
\??\c:\lrrrfll.exec:\lrrrfll.exe82⤵PID:3348
-
\??\c:\hnbthn.exec:\hnbthn.exe83⤵PID:3676
-
\??\c:\vpvpj.exec:\vpvpj.exe84⤵PID:1752
-
\??\c:\pdpjj.exec:\pdpjj.exe85⤵PID:1316
-
\??\c:\rllxlff.exec:\rllxlff.exe86⤵PID:4208
-
\??\c:\nbbbtn.exec:\nbbbtn.exe87⤵PID:1824
-
\??\c:\1tnhnh.exec:\1tnhnh.exe88⤵PID:1324
-
\??\c:\vvvpv.exec:\vvvpv.exe89⤵PID:2884
-
\??\c:\ffflffl.exec:\ffflffl.exe90⤵PID:2316
-
\??\c:\nnttnn.exec:\nnttnn.exe91⤵PID:1008
-
\??\c:\jjddp.exec:\jjddp.exe92⤵PID:4280
-
\??\c:\5pjdp.exec:\5pjdp.exe93⤵PID:3020
-
\??\c:\fflfxrr.exec:\fflfxrr.exe94⤵PID:4304
-
\??\c:\3nnbth.exec:\3nnbth.exe95⤵PID:1280
-
\??\c:\tbnbnh.exec:\tbnbnh.exe96⤵PID:1480
-
\??\c:\5vpjd.exec:\5vpjd.exe97⤵PID:4084
-
\??\c:\rfrfrlx.exec:\rfrfrlx.exe98⤵PID:3220
-
\??\c:\nbbnhb.exec:\nbbnhb.exe99⤵PID:3068
-
\??\c:\bhnbnh.exec:\bhnbnh.exe100⤵PID:3556
-
\??\c:\jdjdd.exec:\jdjdd.exe101⤵PID:3536
-
\??\c:\fxrrfxr.exec:\fxrrfxr.exe102⤵PID:4432
-
\??\c:\lrxfrrf.exec:\lrxfrrf.exe103⤵PID:3564
-
\??\c:\btbtnn.exec:\btbtnn.exe104⤵PID:4436
-
\??\c:\pjvjd.exec:\pjvjd.exe105⤵PID:4524
-
\??\c:\3fffxlf.exec:\3fffxlf.exe106⤵PID:2300
-
\??\c:\flfxlrf.exec:\flfxlrf.exe107⤵PID:3452
-
\??\c:\hhbttn.exec:\hhbttn.exe108⤵PID:1612
-
\??\c:\7jdjv.exec:\7jdjv.exe109⤵PID:4932
-
\??\c:\5ddpv.exec:\5ddpv.exe110⤵PID:1400
-
\??\c:\rfrfrrl.exec:\rfrfrrl.exe111⤵PID:4384
-
\??\c:\xlrxxrl.exec:\xlrxxrl.exe112⤵PID:3456
-
\??\c:\tbbhbb.exec:\tbbhbb.exe113⤵PID:4076
-
\??\c:\ppdvp.exec:\ppdvp.exe114⤵PID:3144
-
\??\c:\lxfrlfr.exec:\lxfrlfr.exe115⤵PID:724
-
\??\c:\thhtbn.exec:\thhtbn.exe116⤵PID:5076
-
\??\c:\dpdjv.exec:\dpdjv.exe117⤵PID:4240
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe118⤵PID:4244
-
\??\c:\tbbthb.exec:\tbbthb.exe119⤵PID:1540
-
\??\c:\dvdpj.exec:\dvdpj.exe120⤵PID:3460
-
\??\c:\rllfxrl.exec:\rllfxrl.exe121⤵PID:2192
-
\??\c:\9xrfxrl.exec:\9xrfxrl.exe122⤵PID:4620