Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 03:30
Static task
static1
Behavioral task
behavioral1
Sample
4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0.exe
Resource
win7-20240903-en
General
-
Target
4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0.exe
-
Size
453KB
-
MD5
7c4ee55372a70b6196c4e9f4e630c8f3
-
SHA1
0f74b176d10d0bf4b37aca649c3d30e4843f4324
-
SHA256
4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0
-
SHA512
f69a48e34352aac3fe35d29e3c41045eddf667833d11e33803e064da38271070e5566c8edd2984c65509ff70c09175a1647b412274da7782922fe9b57622e984
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2180-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2068-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-1158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4500-1183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs were reused during this run — e.g. 2212, 432, 872 and 2752 each appear for two different dropped executables in the process tree below, and 2180 is both the original sample and a later jpvpj.exe — so a PID in this list, or in the memory-dump IoCs above, identifies a process only together with its name and position in the chain)
pid Process 748 rrfllrf.exe 1144 ffllllr.exe 4796 vjpjd.exe 5052 5frrlll.exe 3080 jjdvv.exe 2932 xfxxrll.exe 2152 tbnhnn.exe 3192 bhnhbb.exe 5064 1vvvp.exe 3136 flrxrlf.exe 4192 7tbhbh.exe 1060 3jpjd.exe 4708 jvjdp.exe 432 ttnhhh.exe 3888 vppjj.exe 2912 lffxrfx.exe 1828 vpppj.exe 872 nntnbb.exe 2916 jvvpj.exe 4836 hbbhbb.exe 2212 5vjdj.exe 1644 bhnhbt.exe 1328 tbnhbb.exe 1376 xlrlllf.exe 2544 dpvvp.exe 972 rlrfxfx.exe 2068 hhhtnn.exe 1568 jjppp.exe 1188 xxllfll.exe 2260 bbnhnn.exe 1064 pjvvp.exe 3220 1bbttt.exe 1284 tnnnnb.exe 4632 vpjdj.exe 3856 hhtntn.exe 788 lrxrxxr.exe 2752 nhhbtt.exe 3928 vvpdp.exe 756 xlrlfxx.exe 3152 7nnhhh.exe 1012 jddjd.exe 988 jdpjj.exe 4128 7ffffrr.exe 4884 nhbttt.exe 1868 7vppj.exe 1196 xrllflf.exe 384 9rlffff.exe 5088 3tnhhb.exe 4316 jpddv.exe 4288 9lrlrfl.exe 1916 1bntnt.exe 3396 vvjjd.exe 4468 xlxrrrl.exe 4240 bntnnn.exe 3596 vjdvj.exe 4608 pjjvp.exe 2228 lrxxlfx.exe 1460 bhnbtn.exe 4844 9tbbtt.exe 4236 9vvjj.exe 4920 lflrllf.exe 3912 nbttnn.exe 2088 vdpvv.exe 4576 dpvpj.exe -
resource yara_rule behavioral2/memory/2180-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2544-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2428-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-660-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Here this is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by each dropped executable; on its own this is a weak indicator (many benign runtimes read the same key), and the "Process not Found" entries are opens whose originating process the sandbox could not resolve, most likely because it had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3httnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 748 2180 4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0.exe 82 PID 2180 wrote to memory of 748 2180 4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0.exe 82 PID 2180 wrote to memory of 748 2180 4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0.exe 82 PID 748 wrote to memory of 1144 748 rrfllrf.exe 83 PID 748 wrote to memory of 1144 748 rrfllrf.exe 83 PID 748 wrote to memory of 1144 748 rrfllrf.exe 83 PID 1144 wrote to memory of 4796 1144 ffllllr.exe 84 PID 1144 wrote to memory of 4796 1144 ffllllr.exe 84 PID 1144 wrote to memory of 4796 1144 ffllllr.exe 84 PID 4796 wrote to memory of 5052 4796 vjpjd.exe 85 PID 4796 wrote to memory of 5052 4796 vjpjd.exe 85 PID 4796 wrote to memory of 5052 4796 vjpjd.exe 85 PID 5052 wrote to memory of 3080 5052 5frrlll.exe 86 PID 5052 wrote to memory of 3080 5052 5frrlll.exe 86 PID 5052 wrote to memory of 3080 5052 5frrlll.exe 86 PID 3080 wrote to memory of 2932 3080 jjdvv.exe 87 PID 3080 wrote to memory of 2932 3080 jjdvv.exe 87 PID 3080 wrote to memory of 2932 3080 jjdvv.exe 87 PID 2932 wrote to memory of 2152 2932 xfxxrll.exe 88 PID 2932 wrote to memory of 2152 2932 xfxxrll.exe 88 PID 2932 wrote to memory of 2152 2932 xfxxrll.exe 88 PID 2152 wrote to memory of 3192 2152 tbnhnn.exe 89 PID 2152 wrote to memory of 3192 2152 tbnhnn.exe 89 PID 2152 wrote to memory of 3192 2152 tbnhnn.exe 89 PID 3192 wrote to memory of 5064 3192 bhnhbb.exe 90 PID 3192 wrote to memory of 5064 3192 bhnhbb.exe 90 PID 3192 wrote to memory of 5064 3192 bhnhbb.exe 90 PID 5064 wrote to memory of 3136 5064 1vvvp.exe 91 PID 5064 wrote to memory of 3136 5064 1vvvp.exe 91 PID 5064 wrote to memory of 3136 5064 1vvvp.exe 91 PID 3136 wrote to memory of 4192 3136 flrxrlf.exe 92 PID 3136 wrote to memory of 4192 3136 flrxrlf.exe 92 PID 3136 wrote to memory of 4192 3136 flrxrlf.exe 92 PID 4192 wrote to memory of 1060 4192 7tbhbh.exe 93 PID 4192 wrote to 
memory of 1060 4192 7tbhbh.exe 93 PID 4192 wrote to memory of 1060 4192 7tbhbh.exe 93 PID 1060 wrote to memory of 4708 1060 3jpjd.exe 94 PID 1060 wrote to memory of 4708 1060 3jpjd.exe 94 PID 1060 wrote to memory of 4708 1060 3jpjd.exe 94 PID 4708 wrote to memory of 432 4708 jvjdp.exe 95 PID 4708 wrote to memory of 432 4708 jvjdp.exe 95 PID 4708 wrote to memory of 432 4708 jvjdp.exe 95 PID 432 wrote to memory of 3888 432 ttnhhh.exe 96 PID 432 wrote to memory of 3888 432 ttnhhh.exe 96 PID 432 wrote to memory of 3888 432 ttnhhh.exe 96 PID 3888 wrote to memory of 2912 3888 vppjj.exe 97 PID 3888 wrote to memory of 2912 3888 vppjj.exe 97 PID 3888 wrote to memory of 2912 3888 vppjj.exe 97 PID 2912 wrote to memory of 1828 2912 lffxrfx.exe 98 PID 2912 wrote to memory of 1828 2912 lffxrfx.exe 98 PID 2912 wrote to memory of 1828 2912 lffxrfx.exe 98 PID 1828 wrote to memory of 872 1828 vpppj.exe 99 PID 1828 wrote to memory of 872 1828 vpppj.exe 99 PID 1828 wrote to memory of 872 1828 vpppj.exe 99 PID 872 wrote to memory of 2916 872 nntnbb.exe 100 PID 872 wrote to memory of 2916 872 nntnbb.exe 100 PID 872 wrote to memory of 2916 872 nntnbb.exe 100 PID 2916 wrote to memory of 4836 2916 jvvpj.exe 101 PID 2916 wrote to memory of 4836 2916 jvvpj.exe 101 PID 2916 wrote to memory of 4836 2916 jvvpj.exe 101 PID 4836 wrote to memory of 2212 4836 hbbhbb.exe 102 PID 4836 wrote to memory of 2212 4836 hbbhbb.exe 102 PID 4836 wrote to memory of 2212 4836 hbbhbb.exe 102 PID 2212 wrote to memory of 1644 2212 5vjdj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0.exe"C:\Users\Admin\AppData\Local\Temp\4ee035a1c99acbc08f978adbcf231c9a3ec699fabaf4fe7967987c152b3a22c0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\rrfllrf.exec:\rrfllrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\ffllllr.exec:\ffllllr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\vjpjd.exec:\vjpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\5frrlll.exec:\5frrlll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\jjdvv.exec:\jjdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\xfxxrll.exec:\xfxxrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\tbnhnn.exec:\tbnhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\bhnhbb.exec:\bhnhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\1vvvp.exec:\1vvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\flrxrlf.exec:\flrxrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\7tbhbh.exec:\7tbhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\3jpjd.exec:\3jpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\jvjdp.exec:\jvjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\ttnhhh.exec:\ttnhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\vppjj.exec:\vppjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\lffxrfx.exec:\lffxrfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\vpppj.exec:\vpppj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\nntnbb.exec:\nntnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\jvvpj.exec:\jvvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\hbbhbb.exec:\hbbhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\5vjdj.exec:\5vjdj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\bhnhbt.exec:\bhnhbt.exe23⤵
- Executes dropped EXE
PID:1644 -
\??\c:\tbnhbb.exec:\tbnhbb.exe24⤵
- Executes dropped EXE
PID:1328 -
\??\c:\xlrlllf.exec:\xlrlllf.exe25⤵
- Executes dropped EXE
PID:1376 -
\??\c:\dpvvp.exec:\dpvvp.exe26⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rlrfxfx.exec:\rlrfxfx.exe27⤵
- Executes dropped EXE
PID:972 -
\??\c:\hhhtnn.exec:\hhhtnn.exe28⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jjppp.exec:\jjppp.exe29⤵
- Executes dropped EXE
PID:1568 -
\??\c:\xxllfll.exec:\xxllfll.exe30⤵
- Executes dropped EXE
PID:1188 -
\??\c:\bbnhnn.exec:\bbnhnn.exe31⤵
- Executes dropped EXE
PID:2260 -
\??\c:\pjvvp.exec:\pjvvp.exe32⤵
- Executes dropped EXE
PID:1064 -
\??\c:\1bbttt.exec:\1bbttt.exe33⤵
- Executes dropped EXE
PID:3220 -
\??\c:\tnnnnb.exec:\tnnnnb.exe34⤵
- Executes dropped EXE
PID:1284 -
\??\c:\vpjdj.exec:\vpjdj.exe35⤵
- Executes dropped EXE
PID:4632 -
\??\c:\hhtntn.exec:\hhtntn.exe36⤵
- Executes dropped EXE
PID:3856 -
\??\c:\lrxrxxr.exec:\lrxrxxr.exe37⤵
- Executes dropped EXE
PID:788 -
\??\c:\nhhbtt.exec:\nhhbtt.exe38⤵
- Executes dropped EXE
PID:2752 -
\??\c:\vvpdp.exec:\vvpdp.exe39⤵
- Executes dropped EXE
PID:3928 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe40⤵
- Executes dropped EXE
PID:756 -
\??\c:\7nnhhh.exec:\7nnhhh.exe41⤵
- Executes dropped EXE
PID:3152 -
\??\c:\jddjd.exec:\jddjd.exe42⤵
- Executes dropped EXE
PID:1012 -
\??\c:\jdpjj.exec:\jdpjj.exe43⤵
- Executes dropped EXE
PID:988 -
\??\c:\7ffffrr.exec:\7ffffrr.exe44⤵
- Executes dropped EXE
PID:4128 -
\??\c:\nhbttt.exec:\nhbttt.exe45⤵
- Executes dropped EXE
PID:4884 -
\??\c:\7vppj.exec:\7vppj.exe46⤵
- Executes dropped EXE
PID:1868 -
\??\c:\xrllflf.exec:\xrllflf.exe47⤵
- Executes dropped EXE
PID:1196 -
\??\c:\9rlffff.exec:\9rlffff.exe48⤵
- Executes dropped EXE
PID:384 -
\??\c:\3tnhhb.exec:\3tnhhb.exe49⤵
- Executes dropped EXE
PID:5088 -
\??\c:\jpddv.exec:\jpddv.exe50⤵
- Executes dropped EXE
PID:4316 -
\??\c:\9lrlrfl.exec:\9lrlrfl.exe51⤵
- Executes dropped EXE
PID:4288 -
\??\c:\1bntnt.exec:\1bntnt.exe52⤵
- Executes dropped EXE
PID:1916 -
\??\c:\vvjjd.exec:\vvjjd.exe53⤵
- Executes dropped EXE
PID:3396 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe54⤵
- Executes dropped EXE
PID:4468 -
\??\c:\bntnnn.exec:\bntnnn.exe55⤵
- Executes dropped EXE
PID:4240 -
\??\c:\vjdvj.exec:\vjdvj.exe56⤵
- Executes dropped EXE
PID:3596 -
\??\c:\pjjvp.exec:\pjjvp.exe57⤵
- Executes dropped EXE
PID:4608 -
\??\c:\lrxxlfx.exec:\lrxxlfx.exe58⤵
- Executes dropped EXE
PID:2228 -
\??\c:\bhnbtn.exec:\bhnbtn.exe59⤵
- Executes dropped EXE
PID:1460 -
\??\c:\9tbbtt.exec:\9tbbtt.exe60⤵
- Executes dropped EXE
PID:4844 -
\??\c:\9vvjj.exec:\9vvjj.exe61⤵
- Executes dropped EXE
PID:4236 -
\??\c:\lflrllf.exec:\lflrllf.exe62⤵
- Executes dropped EXE
PID:4920 -
\??\c:\nbttnn.exec:\nbttnn.exe63⤵
- Executes dropped EXE
PID:3912 -
\??\c:\vdpvv.exec:\vdpvv.exe64⤵
- Executes dropped EXE
PID:2088 -
\??\c:\dpvpj.exec:\dpvpj.exe65⤵
- Executes dropped EXE
PID:4576 -
\??\c:\3bhhbb.exec:\3bhhbb.exe66⤵PID:1888
-
\??\c:\pvddp.exec:\pvddp.exe67⤵PID:4804
-
\??\c:\vjpjd.exec:\vjpjd.exe68⤵PID:1280
-
\??\c:\xlxxfll.exec:\xlxxfll.exe69⤵PID:5012
-
\??\c:\hnnhht.exec:\hnnhht.exe70⤵PID:3620
-
\??\c:\1dvvd.exec:\1dvvd.exe71⤵PID:3740
-
\??\c:\rrrflxx.exec:\rrrflxx.exe72⤵PID:432
-
\??\c:\llfrllx.exec:\llfrllx.exe73⤵PID:928
-
\??\c:\9tttnt.exec:\9tttnt.exe74⤵PID:2524
-
\??\c:\jpvpp.exec:\jpvpp.exe75⤵PID:2428
-
\??\c:\lfrllff.exec:\lfrllff.exe76⤵PID:2124
-
\??\c:\hbtnnn.exec:\hbtnnn.exe77⤵PID:3184
-
\??\c:\pppjd.exec:\pppjd.exe78⤵PID:872
-
\??\c:\rxflllf.exec:\rxflllf.exe79⤵PID:4152
-
\??\c:\hnnnnn.exec:\hnnnnn.exe80⤵PID:4840
-
\??\c:\vpvjj.exec:\vpvjj.exe81⤵PID:2212
-
\??\c:\ffffxfx.exec:\ffffxfx.exe82⤵PID:4916
-
\??\c:\bbbttn.exec:\bbbttn.exe83⤵PID:2740
-
\??\c:\hbbbbt.exec:\hbbbbt.exe84⤵PID:1236
-
\??\c:\pddvv.exec:\pddvv.exe85⤵PID:1376
-
\??\c:\9xffrfx.exec:\9xffrfx.exe86⤵PID:2544
-
\??\c:\tnttnn.exec:\tnttnn.exe87⤵PID:716
-
\??\c:\jpdvj.exec:\jpdvj.exe88⤵PID:1688
-
\??\c:\lxfxllf.exec:\lxfxllf.exe89⤵PID:3604
-
\??\c:\hbtnhb.exec:\hbtnhb.exe90⤵PID:3000
-
\??\c:\vppjd.exec:\vppjd.exe91⤵PID:1568
-
\??\c:\rfrxrxx.exec:\rfrxrxx.exe92⤵PID:3460
-
\??\c:\nhnhhh.exec:\nhnhhh.exe93⤵PID:4760
-
\??\c:\5vpdd.exec:\5vpdd.exe94⤵PID:2032
-
\??\c:\jjvpp.exec:\jjvpp.exe95⤵PID:2968
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe96⤵PID:2948
-
\??\c:\5hnhbn.exec:\5hnhbn.exe97⤵PID:2636
-
\??\c:\bhhttn.exec:\bhhttn.exe98⤵PID:1304
-
\??\c:\pdppd.exec:\pdppd.exe99⤵PID:4360
-
\??\c:\xfrxxxx.exec:\xfrxxxx.exe100⤵PID:1696
-
\??\c:\nttttt.exec:\nttttt.exe101⤵PID:3120
-
\??\c:\5vdvv.exec:\5vdvv.exe102⤵PID:2752
-
\??\c:\rfffxlf.exec:\rfffxlf.exe103⤵PID:2408
-
\??\c:\1hhnnh.exec:\1hhnnh.exe104⤵PID:2888
-
\??\c:\vppdj.exec:\vppdj.exe105⤵PID:1876
-
\??\c:\rllllfr.exec:\rllllfr.exe106⤵PID:3260
-
\??\c:\rllfrrf.exec:\rllfrrf.exe107⤵PID:988
-
\??\c:\tnnbbh.exec:\tnnbbh.exe108⤵PID:2096
-
\??\c:\5vddd.exec:\5vddd.exe109⤵PID:3936
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe110⤵PID:5060
-
\??\c:\bhnbtt.exec:\bhnbtt.exe111⤵PID:2380
-
\??\c:\3nbnbb.exec:\3nbnbb.exe112⤵PID:116
-
\??\c:\7rrfxff.exec:\7rrfxff.exe113⤵PID:2136
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe114⤵PID:4308
-
\??\c:\hhtbbb.exec:\hhtbbb.exe115⤵PID:4348
-
\??\c:\jpvpj.exec:\jpvpj.exe116⤵PID:2180
-
\??\c:\fffrlxx.exec:\fffrlxx.exe117⤵PID:3224
-
\??\c:\bttttt.exec:\bttttt.exe118⤵PID:2216
-
\??\c:\ttttbb.exec:\ttttbb.exe119⤵PID:4468
-
\??\c:\ddjjj.exec:\ddjjj.exe120⤵PID:668
-
\??\c:\xffllrf.exec:\xffllrf.exe121⤵PID:2256
-
\??\c:\hntnnn.exec:\hntnnn.exe122⤵PID:1968