Analysis
- max time kernel: 120s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 26/12/2024, 04:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee.exe
- Resource: win7-20240903-en
General
- Target: c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee.exe
- Size: 454KB
- MD5: 98a4fcbc050461cb68e375be281a3856
- SHA1: e60fad020adfa73376674ddc9dd1eea63779298f
- SHA256: c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee
- SHA512: dc51829148fdfb0e871a446f0ae867c780d6831ca5afd9c0ab3a475adf91e507168aac823c1cf4668c4cedc53b81f1fdd20370d0157a4bd55e5890f5f4288fd4
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec4:q7Tc2NYHUrAwfMp3CDc4
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload 63 IoCs
resource yara_rule
behavioral2/memory/2180-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/748-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3404-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4712-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3316-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3212-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3812-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4272-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2184-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3124-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2828-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4708-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2460-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2816-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2732-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1340-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4952-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/872-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4244-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4280-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4748-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2768-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3060-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4640-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4004-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3916-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3304-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3576-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1248-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4800-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4756-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/208-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1432-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4304-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3352-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4088-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3596-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/648-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2228-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3212-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2652-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1664-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1084-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2316-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4144-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1848-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4068-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4504-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4784-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3500-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4540-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3956-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3396-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4972-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3236-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2928-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3600-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4612-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/5020-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4376-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/5052-1003-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2492-1040-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3608-1101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
- Executes dropped EXE 64 IoCs
pid Process
748 xffxrrl.exe
3404 5dddp.exe
4712 pvjdp.exe
3316 pdvvv.exe
3212 fxfrlfr.exe
3812 3bbbtb.exe
4272 llxxlll.exe
2184 1jpjj.exe
3124 frffxff.exe
1664 jvvvv.exe
2732 flxxrrr.exe
2828 bhnhbb.exe
4708 rlrrlrr.exe
2460 lfffxxx.exe
2816 nthhhh.exe
1340 jvjdd.exe
4952 nthhbh.exe
872 rffffrr.exe
1848 hthbtt.exe
4244 bhhhbb.exe
4252 vpvpj.exe
1652 3pppj.exe
4280 xlrlfrl.exe
4748 btbbtb.exe
3920 thnhhh.exe
3060 pjpjd.exe
2768 ttbttt.exe
4640 vddpp.exe
4612 llxxrrr.exe
2260 nbbtnn.exe
1064 7jpjd.exe
4004 7jjdv.exe
5032 rfrllfx.exe
3972 bnttnn.exe
2268 jjpjv.exe
3916 lxfxfxr.exe
2940 thnhbb.exe
1988 jjpdp.exe
960 xxffxrl.exe
1600 hntthh.exe
3304 djdjd.exe
2564 jvpdp.exe
3820 lrlfxrr.exe
3576 nbhbbt.exe
4448 jddjd.exe
1248 xxlrrxx.exe
4800 rllxrff.exe
4756 bttnbt.exe
208 pvjjd.exe
1432 flffrxl.exe
4304 lffxrrf.exe
2180 1vpjj.exe
3352 9ppjd.exe
4088 xfrlfxr.exe
3596 tthhnh.exe
2112 ddpjv.exe
3080 frxrlxr.exe
648 fxxrrll.exe
2228 5hnhbb.exe
3212 pvvvv.exe
2652 9ppjj.exe
3192 rrfxrxl.exe
4580 nntnhh.exe
3980 jddvp.exe
resource yara_rule
behavioral2/memory/2180-4-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/748-11-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3404-17-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4712-18-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3316-27-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3212-33-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3812-39-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4272-45-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2184-52-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3124-57-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2828-71-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4708-75-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2460-82-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2816-88-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2732-66-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1340-98-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4952-103-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/872-110-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4244-122-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4280-133-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4748-142-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2768-156-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3060-153-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4640-162-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4004-185-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3916-198-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3304-214-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3576-224-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1248-231-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4800-235-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4756-239-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/208-244-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1432-247-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4304-251-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3352-258-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4088-262-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3596-266-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/648-276-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2228-280-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3212-284-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2652-288-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1664-307-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1084-311-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2316-330-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4144-334-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1848-347-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4068-354-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4504-367-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4784-371-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3500-378-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4540-394-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4540-398-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3348-399-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3956-442-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3396-467-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4972-519-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3236-544-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2928-566-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4720-622-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3600-659-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4612-769-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5020-773-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4376-789-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5052-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx
- System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrrxx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnnn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxrrr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjpj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xffffl.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnbtt.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrffrr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
- Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2180 wrote to memory of 748 2180 c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee.exe 82
PID 2180 wrote to memory of 748 2180 c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee.exe 82
PID 2180 wrote to memory of 748 2180 c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee.exe 82
PID 748 wrote to memory of 3404 748 xffxrrl.exe 83
PID 748 wrote to memory of 3404 748 xffxrrl.exe 83
PID 748 wrote to memory of 3404 748 xffxrrl.exe 83
PID 3404 wrote to memory of 4712 3404 5dddp.exe 84
PID 3404 wrote to memory of 4712 3404 5dddp.exe 84
PID 3404 wrote to memory of 4712 3404 5dddp.exe 84
PID 4712 wrote to memory of 3316 4712 pvjdp.exe 85
PID 4712 wrote to memory of 3316 4712 pvjdp.exe 85
PID 4712 wrote to memory of 3316 4712 pvjdp.exe 85
PID 3316 wrote to memory of 3212 3316 pdvvv.exe 86
PID 3316 wrote to memory of 3212 3316 pdvvv.exe 86
PID 3316 wrote to memory of 3212 3316 pdvvv.exe 86
PID 3212 wrote to memory of 3812 3212 fxfrlfr.exe 87
PID 3212 wrote to memory of 3812 3212 fxfrlfr.exe 87
PID 3212 wrote to memory of 3812 3212 fxfrlfr.exe 87
PID 3812 wrote to memory of 4272 3812 3bbbtb.exe 88
PID 3812 wrote to memory of 4272 3812 3bbbtb.exe 88
PID 3812 wrote to memory of 4272 3812 3bbbtb.exe 88
PID 4272 wrote to memory of 2184 4272 llxxlll.exe 89
PID 4272 wrote to memory of 2184 4272 llxxlll.exe 89
PID 4272 wrote to memory of 2184 4272 llxxlll.exe 89
PID 2184 wrote to memory of 3124 2184 1jpjj.exe 90
PID 2184 wrote to memory of 3124 2184 1jpjj.exe 90
PID 2184 wrote to memory of 3124 2184 1jpjj.exe 90
PID 3124 wrote to memory of 1664 3124 frffxff.exe 91
PID 3124 wrote to memory of 1664 3124 frffxff.exe 91
PID 3124 wrote to memory of 1664 3124 frffxff.exe 91
PID 1664 wrote to memory of 2732 1664 jvvvv.exe 92
PID 1664 wrote to memory of 2732 1664 jvvvv.exe 92
PID 1664 wrote to memory of 2732 1664 jvvvv.exe 92
PID 2732 wrote to memory of 2828 2732 flxxrrr.exe 93
PID 2732 wrote to memory of 2828 2732 flxxrrr.exe 93
PID 2732 wrote to memory of 2828 2732 flxxrrr.exe 93
PID 2828 wrote to memory of 4708 2828 bhnhbb.exe 94
PID 2828 wrote to memory of 4708 2828 bhnhbb.exe 94
PID 2828 wrote to memory of 4708 2828 bhnhbb.exe 94
PID 4708 wrote to memory of 2460 4708 rlrrlrr.exe 95
PID 4708 wrote to memory of 2460 4708 rlrrlrr.exe 95
PID 4708 wrote to memory of 2460 4708 rlrrlrr.exe 95
PID 2460 wrote to memory of 2816 2460 lfffxxx.exe 96
PID 2460 wrote to memory of 2816 2460 lfffxxx.exe 96
PID 2460 wrote to memory of 2816 2460 lfffxxx.exe 96
PID 2816 wrote to memory of 1340 2816 nthhhh.exe 97
PID 2816 wrote to memory of 1340 2816 nthhhh.exe 97
PID 2816 wrote to memory of 1340 2816 nthhhh.exe 97
PID 1340 wrote to memory of 4952 1340 jvjdd.exe 98
PID 1340 wrote to memory of 4952 1340 jvjdd.exe 98
PID 1340 wrote to memory of 4952 1340 jvjdd.exe 98
PID 4952 wrote to memory of 872 4952 nthhbh.exe 99
PID 4952 wrote to memory of 872 4952 nthhbh.exe 99
PID 4952 wrote to memory of 872 4952 nthhbh.exe 99
PID 872 wrote to memory of 1848 872 rffffrr.exe 100
PID 872 wrote to memory of 1848 872 rffffrr.exe 100
PID 872 wrote to memory of 1848 872 rffffrr.exe 100
PID 1848 wrote to memory of 4244 1848 hthbtt.exe 101
PID 1848 wrote to memory of 4244 1848 hthbtt.exe 101
PID 1848 wrote to memory of 4244 1848 hthbtt.exe 101
PID 4244 wrote to memory of 4252 4244 bhhhbb.exe 102
PID 4244 wrote to memory of 4252 4244 bhhhbb.exe 102
PID 4244 wrote to memory of 4252 4244 bhhhbb.exe 102
PID 4252 wrote to memory of 1652 4252 vpvpj.exe 103
Processes
(each entry: image path, command line, tree depth, triggered signatures, PID)

C:\Users\Admin\AppData\Local\Temp\c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee.exe  "C:\Users\Admin\AppData\Local\Temp\c617a8b3a8311dad9c4099dacb3dcf9c015f69b4ab3df6b24517ad5a66c63aee.exe"  (depth 1)
- Suspicious use of WriteProcessMemory
PID:2180

\??\c:\xffxrrl.exe  c:\xffxrrl.exe  (depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748

\??\c:\5dddp.exe  c:\5dddp.exe  (depth 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404

\??\c:\pvjdp.exe  c:\pvjdp.exe  (depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712

\??\c:\pdvvv.exe  c:\pdvvv.exe  (depth 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316

\??\c:\fxfrlfr.exe  c:\fxfrlfr.exe  (depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212

\??\c:\3bbbtb.exe  c:\3bbbtb.exe  (depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812

\??\c:\llxxlll.exe  c:\llxxlll.exe  (depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272

\??\c:\1jpjj.exe  c:\1jpjj.exe  (depth 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184

\??\c:\frffxff.exe  c:\frffxff.exe  (depth 10)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124

\??\c:\jvvvv.exe  c:\jvvvv.exe  (depth 11)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664

\??\c:\flxxrrr.exe  c:\flxxrrr.exe  (depth 12)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732

\??\c:\bhnhbb.exe  c:\bhnhbb.exe  (depth 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828

\??\c:\rlrrlrr.exe  c:\rlrrlrr.exe  (depth 14)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708

\??\c:\lfffxxx.exe  c:\lfffxxx.exe  (depth 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460

\??\c:\nthhhh.exe  c:\nthhhh.exe  (depth 16)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816

\??\c:\jvjdd.exe  c:\jvjdd.exe  (depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340

\??\c:\nthhbh.exe  c:\nthhbh.exe  (depth 18)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952

\??\c:\rffffrr.exe  c:\rffffrr.exe  (depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872

\??\c:\hthbtt.exe  c:\hthbtt.exe  (depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848

\??\c:\bhhhbb.exe  c:\bhhhbb.exe  (depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244

\??\c:\vpvpj.exe  c:\vpvpj.exe  (depth 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252

\??\c:\3pppj.exe  c:\3pppj.exe  (depth 23)
- Executes dropped EXE
PID:1652

\??\c:\xlrlfrl.exe  c:\xlrlfrl.exe  (depth 24)
- Executes dropped EXE
PID:4280

\??\c:\btbbtb.exe  c:\btbbtb.exe  (depth 25)
- Executes dropped EXE
PID:4748

\??\c:\thnhhh.exe  c:\thnhhh.exe  (depth 26)
- Executes dropped EXE
PID:3920

\??\c:\pjpjd.exe  c:\pjpjd.exe  (depth 27)
- Executes dropped EXE
PID:3060

\??\c:\ttbttt.exe  c:\ttbttt.exe  (depth 28)
- Executes dropped EXE
PID:2768

\??\c:\vddpp.exe  c:\vddpp.exe  (depth 29)
- Executes dropped EXE
PID:4640

\??\c:\llxxrrr.exe  c:\llxxrrr.exe  (depth 30)
- Executes dropped EXE
PID:4612

\??\c:\nbbtnn.exe  c:\nbbtnn.exe  (depth 31)
- Executes dropped EXE
PID:2260

\??\c:\7jpjd.exe  c:\7jpjd.exe  (depth 32)
- Executes dropped EXE
PID:1064

\??\c:\7jjdv.exe  c:\7jjdv.exe  (depth 33)
- Executes dropped EXE
PID:4004

\??\c:\rfrllfx.exe  c:\rfrllfx.exe  (depth 34)
- Executes dropped EXE
PID:5032

\??\c:\bnttnn.exe  c:\bnttnn.exe  (depth 35)
- Executes dropped EXE
PID:3972

\??\c:\jjpjv.exe  c:\jjpjv.exe  (depth 36)
- Executes dropped EXE
PID:2268

\??\c:\lxfxfxr.exe  c:\lxfxfxr.exe  (depth 37)
- Executes dropped EXE
PID:3916

\??\c:\thnhbb.exe  c:\thnhbb.exe  (depth 38)
- Executes dropped EXE
PID:2940

\??\c:\jjpdp.exe  c:\jjpdp.exe  (depth 39)
- Executes dropped EXE
PID:1988

\??\c:\xxffxrl.exe  c:\xxffxrl.exe  (depth 40)
- Executes dropped EXE
PID:960

\??\c:\hntthh.exe  c:\hntthh.exe  (depth 41)
- Executes dropped EXE
PID:1600

\??\c:\djdjd.exe  c:\djdjd.exe  (depth 42)
- Executes dropped EXE
PID:3304

\??\c:\jvpdp.exe  c:\jvpdp.exe  (depth 43)
- Executes dropped EXE
PID:2564

\??\c:\lrlfxrr.exe  c:\lrlfxrr.exe  (depth 44)
- Executes dropped EXE
PID:3820

\??\c:\nbhbbt.exe  c:\nbhbbt.exe  (depth 45)
- Executes dropped EXE
PID:3576

\??\c:\jddjd.exe  c:\jddjd.exe  (depth 46)
- Executes dropped EXE
PID:4448

\??\c:\xxlrrxx.exe  c:\xxlrrxx.exe  (depth 47)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248

\??\c:\rllxrff.exe  c:\rllxrff.exe  (depth 48)
- Executes dropped EXE
PID:4800

\??\c:\bttnbt.exe  c:\bttnbt.exe  (depth 49)
- Executes dropped EXE
PID:4756

\??\c:\pvjjd.exe  c:\pvjjd.exe  (depth 50)
- Executes dropped EXE
PID:208

\??\c:\flffrxl.exe  c:\flffrxl.exe  (depth 51)
- Executes dropped EXE
PID:1432

\??\c:\lffxrrf.exe  c:\lffxrrf.exe  (depth 52)
- Executes dropped EXE
PID:4304

\??\c:\1vpjj.exe  c:\1vpjj.exe  (depth 53)
- Executes dropped EXE
PID:2180

\??\c:\9ppjd.exe  c:\9ppjd.exe  (depth 54)
- Executes dropped EXE
PID:3352

\??\c:\xfrlfxr.exe  c:\xfrlfxr.exe  (depth 55)
- Executes dropped EXE
PID:4088

\??\c:\tthhnh.exe  c:\tthhnh.exe  (depth 56)
- Executes dropped EXE
PID:3596

\??\c:\ddpjv.exe  c:\ddpjv.exe  (depth 57)
- Executes dropped EXE
PID:2112

\??\c:\frxrlxr.exe  c:\frxrlxr.exe  (depth 58)
- Executes dropped EXE
PID:3080

\??\c:\fxxrrll.exe  c:\fxxrrll.exe  (depth 59)
- Executes dropped EXE
PID:648

\??\c:\5hnhbb.exe  c:\5hnhbb.exe  (depth 60)
- Executes dropped EXE
PID:2228

\??\c:\pvvvv.exe  c:\pvvvv.exe  (depth 61)
- Executes dropped EXE
PID:3212

\??\c:\9ppjj.exe  c:\9ppjj.exe  (depth 62)
- Executes dropped EXE
PID:2652

\??\c:\rrfxrxl.exe  c:\rrfxrxl.exe  (depth 63)
- Executes dropped EXE
PID:3192

\??\c:\nntnhh.exe  c:\nntnhh.exe  (depth 64)
- Executes dropped EXE
PID:4580

\??\c:\jddvp.exe  c:\jddvp.exe  (depth 65)
- Executes dropped EXE
PID:3980
\??\c:\5vjjd.exe  c:\5vjjd.exe  (depth 66)  PID:1888
\??\c:\3rrlxxr.exe  c:\3rrlxxr.exe  (depth 67)  PID:512
\??\c:\nbhhhh.exe  c:\nbhhhh.exe  (depth 68)  PID:1664
\??\c:\1ddvj.exe  c:\1ddvj.exe  (depth 69)  PID:1084
\??\c:\7ddvv.exe  c:\7ddvv.exe  (depth 70)  PID:3132
\??\c:\1xfxrxr.exe  c:\1xfxrxr.exe  (depth 71)  PID:4976
\??\c:\bnbtnb.exe  c:\bnbtnb.exe  (depth 72)  PID:4192
\??\c:\5pvpp.exe  c:\5pvpp.exe  (depth 73)  PID:2536
\??\c:\rlfxxxx.exe  c:\rlfxxxx.exe  (depth 74)  PID:4716
\??\c:\nhnhnh.exe  c:\nhnhnh.exe  (depth 75)  PID:2316
\??\c:\vjvvp.exe  c:\vjvvp.exe  (depth 76)  PID:4144
\??\c:\frrllff.exe  c:\frrllff.exe  (depth 77)  PID:3184
\??\c:\httnbt.exe  c:\httnbt.exe  (depth 78)  PID:1384
\??\c:\vpvpj.exe  c:\vpvpj.exe  (depth 79)  PID:4876
\??\c:\jjjjj.exe  c:\jjjjj.exe  (depth 80)  PID:1848
\??\c:\lrxrllf.exe  c:\lrxrllf.exe  (depth 81)  PID:424
\??\c:\dddvp.exe  c:\dddvp.exe  (depth 82)  PID:4068
\??\c:\lffxlfx.exe  c:\lffxlfx.exe  (depth 83)  PID:1496
\??\c:\1bbthh.exe  c:\1bbthh.exe  (depth 84)  PID:4228
\??\c:\htttbb.exe  c:\htttbb.exe  (depth 85)  PID:2544
\??\c:\pjjpj.exe  c:\pjjpj.exe  (depth 86)  PID:4504
\??\c:\rlllfxl.exe  c:\rlllfxl.exe  (depth 87)  PID:4784
\??\c:\9hhttn.exe  c:\9hhttn.exe  (depth 88)  PID:3608
\??\c:\ttbbbh.exe  c:\ttbbbh.exe  (depth 89)  PID:3500
\??\c:\3ddvp.exe  c:\3ddvp.exe  (depth 90)  PID:2768
\??\c:\9xxfxrl.exe  c:\9xxfxrl.exe  (depth 91)  PID:3000
\??\c:\btnhhh.exe  c:\btnhhh.exe  (depth 92)  PID:2032
\??\c:\vpvpj.exe  c:\vpvpj.exe  (depth 93)  PID:5020
\??\c:\llrlrfx.exe  c:\llrlrfx.exe  (depth 94)  PID:4704
\??\c:\frfxrrl.exe  c:\frfxrrl.exe  (depth 95)  PID:4540
\??\c:\btbbtb.exe  c:\btbbtb.exe  (depth 96)  PID:3348
\??\c:\vpjjd.exe  c:\vpjjd.exe  (depth 97)  PID:3036
\??\c:\xrxrxxl.exe  c:\xrxrxxl.exe  (depth 98)  PID:2204
\??\c:\9hhhhn.exe  c:\9hhhhn.exe  (depth 99)  PID:4360
\??\c:\1hhbnb.exe  c:\1hhbnb.exe  (depth 100)  PID:3012
\??\c:\dpdvv.exe  c:\dpdvv.exe  (depth 101)  PID:4204
\??\c:\fxfxxrr.exe  c:\fxfxxrr.exe  (depth 102)  PID:3928
\??\c:\tbnhhb.exe  c:\tbnhhb.exe  (depth 103)  PID:1412
\??\c:\vjjdv.exe  c:\vjjdv.exe  (depth 104)  PID:3152
\??\c:\rlxxfxl.exe  c:\rlxxfxl.exe  (depth 105)  PID:1876
\??\c:\7rxrlll.exe  c:\7rxrlll.exe  (depth 106)  PID:1176
\??\c:\nbnnnn.exe  c:\nbnnnn.exe  (depth 107)  PID:4128
\??\c:\nhnhhb.exe  c:\nhnhhb.exe  (depth 108)  PID:4012
\??\c:\jpvpp.exe  c:\jpvpp.exe  (depth 109)  PID:3956
\??\c:\5rrlffx.exe  c:\5rrlffx.exe  (depth 110)  PID:4492
\??\c:\thtnnn.exe  c:\thtnnn.exe  (depth 111)  PID:3884
\??\c:\djjjd.exe  c:\djjjd.exe  (depth 112)  PID:1740
\??\c:\vdjvp.exe  c:\vdjvp.exe  (depth 113)  PID:2956
\??\c:\frxxrll.exe  c:\frxxrll.exe  (depth 114)  PID:1292
\??\c:\vjvvd.exe  c:\vjvvd.exe  (depth 115)  PID:3240
\??\c:\rfflxrf.exe  c:\rfflxrf.exe  (depth 116)  PID:4304
\??\c:\fffxrlf.exe  c:\fffxrlf.exe  (depth 117)  PID:3396
\??\c:\bnhhbb.exe  c:\bnhhbb.exe  (depth 118)  PID:4440
\??\c:\vjjdd.exe  c:\vjjdd.exe  (depth 119)  PID:668
\??\c:\ffrlrlr.exe  c:\ffrlrlr.exe  (depth 120)  PID:3204
\??\c:\tntnhb.exe  c:\tntnhb.exe  (depth 121)  PID:4616
\??\c:\1pdvp.exe  c:\1pdvp.exe  (depth 122)  PID:3056