Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 11:12
Static task: static1
Behavioral task: behavioral1
Sample: a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe
Resource: win7-20240903-en
Note: the signature rows and process tree below are taken from task behavioral2 (every memory-dump path is prefixed behavioral2/), which ran on the windows10-2004_x64 platform listed under Analysis, not from the win7 task named here.
General
Target: a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe
Size: 453KB
MD5: 9faebdeedd066ef8fef5bd2a18868370
SHA1: 5baef415cc595543fa22492ebf01468a3a14db85
SHA256: a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41
SHA512: 3691dbf72f175b963caaf861144c95e290ba491d14151bfa17f3ad8431192cbd9d6f8be58f49a8b50d0cb1e4fb8ad56d0968c6fe5fd3df05d817c710abd1f749
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config: none listed

Signatures
Blackmoon family
Detect Blackmoon payload (63 IoCs)
All 63 hits are for yara rule family_blackmoon on behavioral2 memory dumps, and every hit covers the same region 0x0000000000400000-0x000000000042A000 (the mapped main image of each process at the default 32-bit PE base). Dumps are listed as pid-sequence:
5076-4, 1012-11, 4180-18, 5028-19, 2924-24, 2472-34, 4352-44, 4560-51, 1004-56, 2748-62, 3036-70, 4968-78, 1076-82, 1488-88, 1256-99, 116-107, 2792-118, 3932-120, 2448-104, 3104-131, 1568-135,
1080-128, 4056-162, 4140-169, 2220-181, 2344-187, 976-198, 4272-158, 4012-215, 3620-219, 2172-223, 3336-239, 4076-249, 2120-253, 4292-257, 4052-261, 2308-266, 4668-275, 2336-282, 3604-285, 1980-289, 4352-296,
2316-303, 1668-310, 2684-320, 1872-330, 4836-343, 1952-353, 1040-372, 4316-394, 2620-426, 3504-436, 2260-443, 4180-492, 4836-559, 4456-563, 1752-630, 4012-646, 5060-665, 3188-672, 3908-752, 1572-777, 4076-865
Executes dropped EXE (64 IoCs)
pid  process
1012 rllrllx.exe
4180 bhnhbb.exe
5028 thhbtn.exe
2924 jddvv.exe
2472 ppvvj.exe
1928 lflflfx.exe
4352 ppjjd.exe
4560 nhhbhb.exe
1004 dvjjp.exe
2748 rfrrxxf.exe
1264 dpdpj.exe
3036 bhnnnn.exe
4968 ddjdp.exe
1076 bntnhh.exe
1488 vdjvp.exe
1256 1rrrllf.exe
116 1jpjj.exe
2448 llrxrfr.exe
3932 9xrrrxr.exe
2792 1btntt.exe
1080 vjdvp.exe
3104 rfrxrrx.exe
1568 dppjd.exe
1040 jvdjd.exe
832 frxrrfl.exe
4912 5fxxrlr.exe
4272 nhbnhb.exe
4056 pppdd.exe
4140 djjjd.exe
4132 llrfxxr.exe
2220 vvjvd.exe
2344 jjpdj.exe
3572 tbhbtt.exe
3024 hbbtnn.exe
2812 dvvpp.exe
976 fxrrrlf.exe
964 rfllfxr.exe
1648 nhnhbb.exe
4256 jpvvp.exe
4012 fxrlrll.exe
3620 ththbt.exe
2172 jvjvv.exe
2488 lrxfxxx.exe
3340 vjjvd.exe
1128 lflflff.exe
2456 ttbbbb.exe
3336 vpvjd.exe
4712 fxrlrfl.exe
2428 hbbbbb.exe
4076 pdjdp.exe
2120 rllfffx.exe
4292 vppjj.exe
4052 frxrrxr.exe
2308 btnntt.exe
3076 ppdpj.exe
4180 lfrrxrx.exe
4668 vvpjv.exe
1644 rrrfrlf.exe
2336 bntnhh.exe
3604 ttbtnn.exe
1980 xlrffrr.exe
1928 llxxrlf.exe
4352 ntbbbb.exe
2944 ddpjd.exe
UPX packed (yara rule upx, 64 IoCs)
All 64 hits are for yara rule upx on behavioral2 memory dumps, again on the region 0x0000000000400000-0x000000000042A000; the same dumps also match family_blackmoon above, i.e. the Blackmoon payload is UPX-packed and is detected in the unpacked image in memory. Dumps are listed as pid-sequence:
5076-4, 1012-11, 4180-18, 5028-19, 2924-24, 2472-34, 4352-44, 4560-51, 1004-56, 2748-62, 3036-70, 4968-78, 1076-82, 1488-88, 116-97, 1256-99, 116-107, 2792-118, 3932-120, 3932-111, 2448-104, 3104-131, 1568-135, 1080-128,
4056-162, 4140-169, 2220-181, 2344-187, 976-198, 4272-158, 4012-215, 3620-219, 2172-223, 3336-239, 4076-249, 2120-253, 4292-257, 4052-261, 2308-266, 4668-275, 2336-282, 3604-285, 1980-289, 4352-296, 2316-303, 1668-310, 2684-320, 1872-330,
4836-343, 1952-353, 1040-372, 4316-394, 2620-426, 3504-436, 2260-443, 4180-492, 4836-559, 4456-563, 1752-630, 4012-646, 5060-665, 3188-672, 4364-697, 3908-752
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 events are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". 18 are attributed to a named process, in report order:
ttbttt.exe, lrfrlrf.exe, dvjjd.exe, 5dddv.exe, lllxlfl.exe, xlxrxxr.exe, vjvvj.exe, nbtnhb.exe, rlrlfff.exe, vdjvd.exe, 9ntthh.exe, 3rrlxrl.exe, jvvjp.exe, jvpjv.exe, ddjvj.exe, tntttn.exe, fflfllf.exe, tttnnh.exe
The remaining 46 are logged as "Process not Found": the sandbox could no longer map the event to a tracked process, which is consistent with the short-lived, self-replacing children in this chain. Reading this key is a registry read, not a write, so Sysmon registry events (which cover create, delete and value set) will not show it; the observation comes from the sandbox's API-level monitoring.
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent writes into the child it has just created; the report records the same parent-to-child write three times. The listing is capped at 64 rows, so the last edge appears once.
parent pid  parent process  ->  child pid  (procid_target)  rows
5076  a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe  ->  1012  (82)  x3
1012  rllrllx.exe  ->  4180  (83)  x3
4180  bhnhbb.exe  ->  5028  (84)  x3
5028  thhbtn.exe  ->  2924  (85)  x3
2924  jddvv.exe  ->  2472  (86)  x3
2472  ppvvj.exe  ->  1928  (87)  x3
1928  lflflfx.exe  ->  4352  (88)  x3
4352  ppjjd.exe  ->  4560  (89)  x3
4560  nhhbhb.exe  ->  1004  (90)  x3
1004  dvjjp.exe  ->  2748  (91)  x3
2748  rfrrxxf.exe  ->  1264  (92)  x3
1264  dpdpj.exe  ->  3036  (93)  x3
3036  bhnnnn.exe  ->  4968  (94)  x3
4968  ddjdp.exe  ->  1076  (95)  x3
1076  bntnhh.exe  ->  1488  (96)  x3
1488  vdjvp.exe  ->  1256  (97)  x3
1256  1rrrllf.exe  ->  116  (98)  x3
116  1jpjj.exe  ->  2448  (99)  x3
2448  llrxrfr.exe  ->  3932  (100)  x3
3932  9xrrrxr.exe  ->  2792  (101)  x3
2792  1btntt.exe  ->  1080  (102)  x3
1080  vjdvp.exe  ->  3104  (103)  x1 (cap reached)
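The three signature tables above are flat one-row-per-IoC listings. The following added example (it is not part of the tria.ge report and not code from the sample) parses rows in those three formats and reconstructs what an analyst wants from them: the parent-to-child spawn chain collapsed from the triplicated WriteProcessMemory rows, the memory region shared by every YARA hit, the dumps on which both the upx and family_blackmoon rules fire, and a per-process count of NLS\Language reads. The sample rows are a constructed subset in the report's row format. The cycle check matters because the report reuses PIDs (4180, 4352, 1928, 1256, 3932, 1040, 4132, 2428 and 3336 each appear twice in the process tree), so PID alone is not a stable process identity across the whole run; a chain walk keyed on PID must refuse to revisit one.

```python
"""Reconstruct structure from the flattened IoC rows of a sandbox report.

Added example, not part of the original report. The sample rows below are a
constructed subset that follows the report's three row formats:
  "PID A wrote to memory of B A <image> <procid>"
  "behavioral2/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>"
  "Key opened <key> <process>"
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the first three edges of the chain, three writes per
# child as in the report, except for the last edge.
WRITE_ROWS = (
    "PID 5076 wrote to memory of 1012 5076 a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe 82 "
    "PID 5076 wrote to memory of 1012 5076 a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe 82 "
    "PID 5076 wrote to memory of 1012 5076 a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe 82 "
    "PID 1012 wrote to memory of 4180 1012 rllrllx.exe 83 "
    "PID 1012 wrote to memory of 4180 1012 rllrllx.exe 83 "
    "PID 1012 wrote to memory of 4180 1012 rllrllx.exe 83 "
    "PID 4180 wrote to memory of 5028 4180 bhnhbb.exe 84"
)

# Constructed sample: a few YARA memory-dump matches for both rules.
YARA_ROWS = (
    "behavioral2/memory/5076-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral2/memory/1012-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral2/memory/5076-4-0x0000000000400000-0x000000000042A000-memory.dmp upx "
    "behavioral2/memory/1012-11-0x0000000000400000-0x000000000042A000-memory.dmp upx "
    "behavioral2/memory/116-97-0x0000000000400000-0x000000000042A000-memory.dmp upx"
)

# Constructed sample: four language-key reads, two of them unattributed.
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
REGKEY_ROWS = " ".join(
    f"Key opened {NLS_KEY} {proc}"
    for proc in ("ttbttt.exe", "Process not Found", "Process not Found", "lrfrlrf.exe")
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
YARA_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\w+)"
)
# The process name may contain spaces ("Process not Found"), so read lazily up
# to the next "Key opened" or the end of the text.
REGKEY_RE = re.compile(r"Key opened (\S+) (.+?)(?=\s+Key opened\s|\s*$)")


def parse_write_rows(text):
    """(parent_pid, child_pid, parent_image, target_procid) for every row."""
    return [(int(p), int(c), img, int(t)) for p, c, img, t in WRITE_RE.findall(text)]


def process_chain(rows):
    """Collapse repeated rows into unique parent->child edges and walk them from
    the root (a parent that is nobody's child) to the leaf.

    Returns (ordered_pids, edge_counts). Raises ValueError unless the edges form
    one linear chain; a PID seen twice means PID reuse or a cycle, which a walk
    keyed on PID alone cannot resolve.
    """
    edge_counts = Counter((p, c) for p, c, _, _ in rows)
    children = defaultdict(list)
    for p, c in edge_counts:
        children[p].append(c)
    all_children = {c for _, c in edge_counts}
    roots = [p for p in children if p not in all_children]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"pid {chain[-1]} spawned several children: {kids}")
        if kids[0] in chain:
            raise ValueError(f"pid {kids[0]} already in chain: PID reuse or cycle")
        chain.append(kids[0])
    return chain, edge_counts


def parse_yara_rows(text):
    """(pid, dump_seq, start, end, rule) for every memory-dump match."""
    return [
        (int(pid), int(seq), int(s, 16), int(e, 16), rule)
        for pid, seq, s, e, rule in YARA_RE.findall(text)
    ]


def dumps_by_rule(matches):
    """Map rule name -> set of (pid, seq, start, end) dumps it matched."""
    out = defaultdict(set)
    for pid, seq, s, e, rule in matches:
        out[rule].add((pid, seq, s, e))
    return dict(out)


def shared_regions(matches):
    """Distinct (start, end) ranges across all matches. A single entry means every
    hit sits on the same region (0x400000-0x42A000 in the report: the mapped
    image of a 32-bit PE at its default base)."""
    return sorted({(s, e) for _, _, s, e, _ in matches})


def language_key_opens(text):
    """Counter of (key, process) for the NLS\\Language reads; 'Process not Found'
    is the sandbox's placeholder when it could not attribute the event."""
    return Counter(REGKEY_RE.findall(text))


if __name__ == "__main__":
    chain, counts = process_chain(parse_write_rows(WRITE_ROWS))
    print("spawn chain:", " -> ".join(map(str, chain)))
    print("writes per edge:", dict(counts))
    matches = parse_yara_rows(YARA_ROWS)
    by_rule = dumps_by_rule(matches)
    print("regions:", [(hex(s), hex(e)) for s, e in shared_regions(matches)])
    print("dumps hit by both rules:", sorted(by_rule["upx"] & by_rule["family_blackmoon"]))
    for (key, proc), n in language_key_opens(REGKEY_ROWS).items():
        print(f"{n}x {proc} opened {key}")
```

On the full report the chain walk would stop with a "PID reuse" error at the second occurrence of 4180; the stable key in the report is the procid_target column (82, 83, ...), which the WriteProcessMemory rows only give for the child, so joining on it requires the process tree as well.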
Processes
Legend: E = Executes dropped EXE, W = Suspicious use of WriteProcessMemory, L = System Location Discovery: System Language Discovery. The tree is a single chain: each process launches the next, 122 levels deep in the portion shown. Every dropped executable runs from the root of the system drive (NT path \??\c:\<name>.exe, command line c:\<name>.exe). PIDs 4180, 4352, 1928, 1256, 3932, 1040, 4132, 2428 and 3336 each appear twice in the chain: the earlier process had exited and Windows recycled its PID, so PID alone does not identify a process across this run.
  1  PID 5076  C:\Users\Admin\AppData\Local\Temp\a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe  (command line "C:\Users\Admin\AppData\Local\Temp\a730c7928d48338f2b0ca072585ccf95901f7dd35f73a8cea92b8e85ac11cb41N.exe")  [W]
  2  PID 1012  rllrllx.exe  [E W]
  3  PID 4180  bhnhbb.exe  [E W]
  4  PID 5028  thhbtn.exe  [E W]
  5  PID 2924  jddvv.exe  [E W]
  6  PID 2472  ppvvj.exe  [E W]
  7  PID 1928  lflflfx.exe  [E W]
  8  PID 4352  ppjjd.exe  [E W]
  9  PID 4560  nhhbhb.exe  [E W]
 10  PID 1004  dvjjp.exe  [E W]
 11  PID 2748  rfrrxxf.exe  [E W]
 12  PID 1264  dpdpj.exe  [E W]
 13  PID 3036  bhnnnn.exe  [E W]
 14  PID 4968  ddjdp.exe  [E W]
 15  PID 1076  bntnhh.exe  [E W]
 16  PID 1488  vdjvp.exe  [E W]
 17  PID 1256  1rrrllf.exe  [E W]
 18  PID 116   1jpjj.exe  [E W]
 19  PID 2448  llrxrfr.exe  [E W]
 20  PID 3932  9xrrrxr.exe  [E W]
 21  PID 2792  1btntt.exe  [E W]
 22  PID 1080  vjdvp.exe  [E W]
 23  PID 3104  rfrxrrx.exe  [E]
 24  PID 1568  dppjd.exe  [E]
 25  PID 1040  jvdjd.exe  [E]
 26  PID 832   frxrrfl.exe  [E]
 27  PID 4912  5fxxrlr.exe  [E]
 28  PID 4272  nhbnhb.exe  [E]
 29  PID 4056  pppdd.exe  [E]
 30  PID 4140  djjjd.exe  [E]
 31  PID 4132  llrfxxr.exe  [E]
 32  PID 2220  vvjvd.exe  [E]
 33  PID 2344  jjpdj.exe  [E]
 34  PID 3572  tbhbtt.exe  [E]
 35  PID 3024  hbbtnn.exe  [E]
 36  PID 2812  dvvpp.exe  [E]
 37  PID 976   fxrrrlf.exe  [E]
 38  PID 964   rfllfxr.exe  [E]
 39  PID 1648  nhnhbb.exe  [E]
 40  PID 4256  jpvvp.exe  [E]
 41  PID 4012  fxrlrll.exe  [E]
 42  PID 3620  ththbt.exe  [E]
 43  PID 2172  jvjvv.exe  [E]
 44  PID 2488  lrxfxxx.exe  [E]
 45  PID 3340  vjjvd.exe  [E]
 46  PID 1128  lflflff.exe  [E]
 47  PID 2456  ttbbbb.exe  [E]
 48  PID 3336  vpvjd.exe  [E]
 49  PID 4712  fxrlrfl.exe  [E]
 50  PID 2428  hbbbbb.exe  [E]
 51  PID 4076  pdjdp.exe  [E]
 52  PID 2120  rllfffx.exe  [E]
 53  PID 4292  vppjj.exe  [E]
 54  PID 4052  frxrrxr.exe  [E]
 55  PID 2308  btnntt.exe  [E]
 56  PID 3076  ppdpj.exe  [E]
 57  PID 4180  lfrrxrx.exe  [E]
 58  PID 4668  vvpjv.exe  [E]
 59  PID 1644  rrrfrlf.exe  [E]
 60  PID 2336  bntnhh.exe  [E]
 61  PID 3604  ttbtnn.exe  [E]
 62  PID 1980  xlrffrr.exe  [E]
 63  PID 1928  llxxrlf.exe  [E]
 64  PID 4352  ntbbbb.exe  [E]
 65  PID 2944  ddpjd.exe  [E]
 66  PID 2316  xllrffx.exe
 67  PID 2608  lffllfl.exe
 68  PID 1668  bntnbt.exe
 69  PID 1008  vdjvj.exe
 70  PID 1124  frrxrlr.exe
 71  PID 2684  hhnhhh.exe
 72  PID 4940  lrxlxrf.exe
 73  PID 2184  fxlflfl.exe
 74  PID 1872  5htntt.exe
 75  PID 2680  pddpd.exe
 76  PID 2676  xrrlfxl.exe
 77  PID 1256  tbhhbb.exe
 78  PID 4836  jvpvp.exe
 79  PID 1524  frxrlfx.exe
 80  PID 3932  hhtnhh.exe
 81  PID 1952  nnhbtt.exe
 82  PID 4344  dvdvp.exe
 83  PID 3184  rlfxrlf.exe
 84  PID 1016  fxfxfrl.exe
 85  PID 4296  tttnnh.exe  [L]
 86  PID 3476  jjddp.exe
 87  PID 1040  xrllxxr.exe
 88  PID 3084  ntbbtt.exe
 89  PID 4996  dpvpp.exe
 90  PID 1580  fxxfxrx.exe
 91  PID 4448  fxlfllr.exe
 92  PID 3736  nhbttn.exe
 93  PID 296   ppjdv.exe
 94  PID 4316  rlrlrrx.exe
 95  PID 1156  ffffxff.exe
 96  PID 4132  tnbtbt.exe
 97  PID 3260  3pjdp.exe
 98  PID 4936  xrrlrlr.exe
 99  PID 3868  hntnnn.exe
100  PID 2244  hbbtbb.exe
101  PID 3608  dvvdv.exe
102  PID 3916  rrxrfxx.exe
103  PID 1536  rxxxrrl.exe
104  PID 2620  tbhhhh.exe
105  PID 2444  5jddv.exe
106  PID 1168  xrxrfrr.exe
107  PID 3504  frrfxfx.exe
108  PID 400   hbhtnh.exe
109  PID 2260  dddjv.exe
110  PID 3280  lffxlfx.exe
111  PID 2780  lfllllf.exe
112  PID 5060  tntttn.exe  [L]
113  PID 4404  dvdpj.exe
114  PID 2624  vppvj.exe
115  PID 3336  fxxxlfx.exe
116  PID 316   ttbnhb.exe
117  PID 2428  dvddv.exe
118  PID 3864  vpvjd.exe
119  PID 4432  5llxrfx.exe
120  PID 4324  httbhb.exe
121  PID 4420  3dddv.exe
122  PID 3596  ppvjv.exe