Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 16:38
Static task
static1
Behavioral task
behavioral1
Sample
94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe
Resource
win7-20240903-en
General
-
Target
94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe
-
Size
454KB
-
MD5
abeadc4604d342f50fdeaeb93ac58779
-
SHA1
793a6a31f2445e043257d4dc0f6f31a23fe385ee
-
SHA256
94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9
-
SHA512
7524c080e3eacaeb85e46bceda3039973b61211905d48eb22b1008f319e4a225d751ea54e4d32c5fb9f5b364f4254fd4faef86c05953ee7ad67b3a6c5d5ea9b2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4932-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1936-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3744-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-1290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-1303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-1409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4948 rrrxlxr.exe 3668 9ppjv.exe 4384 fllxlfr.exe 220 9xrxxfr.exe 4656 ffffxlf.exe 4596 3ddjv.exe 3260 3rrlfxr.exe 3428 lxrfxrf.exe 1052 vjvpp.exe 4900 ntbbtb.exe 1016 jppdp.exe 4260 thtbbt.exe 1852 pvdvv.exe 2044 ffflxrf.exe 2052 tbhnhb.exe 5096 bnhnbh.exe 2268 rllxlxx.exe 3700 xfxlfxl.exe 3536 vjvjv.exe 1040 hnnbnh.exe 1420 djdpd.exe 436 nbnbbn.exe 4520 ntnhtn.exe 404 jdvpd.exe 2320 llrfrlr.exe 3940 tbtnhb.exe 2468 pvdvp.exe 1048 djdvj.exe 1936 rfrxflf.exe 1448 bhhthb.exe 1912 9jpvd.exe 1776 bthhnt.exe 3160 9frlxrx.exe 1348 lrxlfxl.exe 3084 5bthtb.exe 1120 hhbtbt.exe 2532 vddpd.exe 4528 nnnbhb.exe 4752 9xlxlfr.exe 4760 bhbbtn.exe 1784 btbnnh.exe 2452 vjdvd.exe 2600 xlfrxrl.exe 1824 nntnbt.exe 2172 ddjjd.exe 1356 xrrlffx.exe 1524 hbbnhb.exe 4500 9jpjj.exe 3452 xxfrffx.exe 3228 hbtnbt.exe 452 nntnbb.exe 1892 7jpjv.exe 3400 9xxxrrr.exe 3280 bnbtnh.exe 4932 9pdvj.exe 2896 jddpd.exe 3668 nhtnnh.exe 920 pvddp.exe 3520 vjjvd.exe 220 lfxlxrf.exe 4408 tbhnnn.exe 2868 3dvjd.exe 4596 jvpdj.exe 3764 fllrlrl.exe -
resource yara_rule behavioral2/memory/4932-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1912-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4848-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-847-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4932 wrote to memory of 4948 4932 94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe 82 PID 4932 wrote to memory of 4948 4932 94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe 82 PID 4932 wrote to memory of 4948 4932 94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe 82 PID 4948 wrote to memory of 3668 4948 rrrxlxr.exe 83 PID 4948 wrote to memory of 3668 4948 rrrxlxr.exe 83 PID 4948 wrote to memory of 3668 4948 rrrxlxr.exe 83 PID 3668 wrote to memory of 4384 3668 9ppjv.exe 84 PID 3668 wrote to memory of 4384 3668 9ppjv.exe 84 PID 3668 wrote to memory of 4384 3668 9ppjv.exe 84 PID 4384 wrote to memory of 220 4384 fllxlfr.exe 85 PID 4384 wrote to memory of 220 4384 fllxlfr.exe 85 PID 4384 wrote to memory of 220 4384 fllxlfr.exe 85 PID 220 wrote to memory of 4656 220 9xrxxfr.exe 86 PID 220 wrote to memory of 4656 220 9xrxxfr.exe 86 PID 220 wrote to memory of 4656 220 9xrxxfr.exe 86 PID 4656 wrote to memory of 4596 4656 ffffxlf.exe 87 PID 4656 wrote to memory of 4596 4656 ffffxlf.exe 87 PID 4656 wrote to memory of 4596 4656 ffffxlf.exe 87 PID 4596 wrote to memory of 3260 4596 3ddjv.exe 88 PID 4596 wrote to memory of 3260 4596 3ddjv.exe 88 PID 4596 wrote to memory of 3260 4596 3ddjv.exe 88 PID 3260 wrote to memory of 3428 3260 3rrlfxr.exe 89 PID 3260 wrote to memory of 3428 3260 3rrlfxr.exe 89 PID 3260 wrote to memory of 3428 3260 3rrlfxr.exe 89 PID 3428 wrote to memory of 1052 3428 lxrfxrf.exe 90 PID 3428 wrote to memory of 1052 3428 lxrfxrf.exe 90 PID 3428 wrote to memory of 1052 3428 lxrfxrf.exe 90 PID 1052 wrote to memory of 4900 1052 vjvpp.exe 91 PID 1052 wrote to memory of 4900 1052 vjvpp.exe 91 PID 1052 wrote to memory of 4900 1052 vjvpp.exe 91 PID 4900 wrote to memory of 1016 4900 ntbbtb.exe 92 PID 4900 wrote to memory of 1016 4900 ntbbtb.exe 92 PID 4900 wrote to memory of 1016 4900 ntbbtb.exe 92 PID 1016 wrote to memory of 4260 1016 jppdp.exe 93 PID 1016 wrote to 
memory of 4260 1016 jppdp.exe 93 PID 1016 wrote to memory of 4260 1016 jppdp.exe 93 PID 4260 wrote to memory of 1852 4260 thtbbt.exe 94 PID 4260 wrote to memory of 1852 4260 thtbbt.exe 94 PID 4260 wrote to memory of 1852 4260 thtbbt.exe 94 PID 1852 wrote to memory of 2044 1852 pvdvv.exe 95 PID 1852 wrote to memory of 2044 1852 pvdvv.exe 95 PID 1852 wrote to memory of 2044 1852 pvdvv.exe 95 PID 2044 wrote to memory of 2052 2044 ffflxrf.exe 96 PID 2044 wrote to memory of 2052 2044 ffflxrf.exe 96 PID 2044 wrote to memory of 2052 2044 ffflxrf.exe 96 PID 2052 wrote to memory of 5096 2052 tbhnhb.exe 97 PID 2052 wrote to memory of 5096 2052 tbhnhb.exe 97 PID 2052 wrote to memory of 5096 2052 tbhnhb.exe 97 PID 5096 wrote to memory of 2268 5096 bnhnbh.exe 98 PID 5096 wrote to memory of 2268 5096 bnhnbh.exe 98 PID 5096 wrote to memory of 2268 5096 bnhnbh.exe 98 PID 2268 wrote to memory of 3700 2268 rllxlxx.exe 99 PID 2268 wrote to memory of 3700 2268 rllxlxx.exe 99 PID 2268 wrote to memory of 3700 2268 rllxlxx.exe 99 PID 3700 wrote to memory of 3536 3700 xfxlfxl.exe 100 PID 3700 wrote to memory of 3536 3700 xfxlfxl.exe 100 PID 3700 wrote to memory of 3536 3700 xfxlfxl.exe 100 PID 3536 wrote to memory of 1040 3536 vjvjv.exe 101 PID 3536 wrote to memory of 1040 3536 vjvjv.exe 101 PID 3536 wrote to memory of 1040 3536 vjvjv.exe 101 PID 1040 wrote to memory of 1420 1040 hnnbnh.exe 102 PID 1040 wrote to memory of 1420 1040 hnnbnh.exe 102 PID 1040 wrote to memory of 1420 1040 hnnbnh.exe 102 PID 1420 wrote to memory of 436 1420 djdpd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe"C:\Users\Admin\AppData\Local\Temp\94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\rrrxlxr.exec:\rrrxlxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\9ppjv.exec:\9ppjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\fllxlfr.exec:\fllxlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\9xrxxfr.exec:\9xrxxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\ffffxlf.exec:\ffffxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\3ddjv.exec:\3ddjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\3rrlfxr.exec:\3rrlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\lxrfxrf.exec:\lxrfxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\vjvpp.exec:\vjvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\ntbbtb.exec:\ntbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\jppdp.exec:\jppdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\thtbbt.exec:\thtbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\pvdvv.exec:\pvdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\ffflxrf.exec:\ffflxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\tbhnhb.exec:\tbhnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\bnhnbh.exec:\bnhnbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\rllxlxx.exec:\rllxlxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\xfxlfxl.exec:\xfxlfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\vjvjv.exec:\vjvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\hnnbnh.exec:\hnnbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\djdpd.exec:\djdpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\nbnbbn.exec:\nbnbbn.exe23⤵
- Executes dropped EXE
PID:436 -
\??\c:\ntnhtn.exec:\ntnhtn.exe24⤵
- Executes dropped EXE
PID:4520 -
\??\c:\jdvpd.exec:\jdvpd.exe25⤵
- Executes dropped EXE
PID:404 -
\??\c:\llrfrlr.exec:\llrfrlr.exe26⤵
- Executes dropped EXE
PID:2320 -
\??\c:\tbtnhb.exec:\tbtnhb.exe27⤵
- Executes dropped EXE
PID:3940 -
\??\c:\pvdvp.exec:\pvdvp.exe28⤵
- Executes dropped EXE
PID:2468 -
\??\c:\djdvj.exec:\djdvj.exe29⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rfrxflf.exec:\rfrxflf.exe30⤵
- Executes dropped EXE
PID:1936 -
\??\c:\bhhthb.exec:\bhhthb.exe31⤵
- Executes dropped EXE
PID:1448 -
\??\c:\9jpvd.exec:\9jpvd.exe32⤵
- Executes dropped EXE
PID:1912 -
\??\c:\bthhnt.exec:\bthhnt.exe33⤵
- Executes dropped EXE
PID:1776 -
\??\c:\9frlxrx.exec:\9frlxrx.exe34⤵
- Executes dropped EXE
PID:3160 -
\??\c:\lrxlfxl.exec:\lrxlfxl.exe35⤵
- Executes dropped EXE
PID:1348 -
\??\c:\5bthtb.exec:\5bthtb.exe36⤵
- Executes dropped EXE
PID:3084 -
\??\c:\hhbtbt.exec:\hhbtbt.exe37⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vddpd.exec:\vddpd.exe38⤵
- Executes dropped EXE
PID:2532 -
\??\c:\nnnbhb.exec:\nnnbhb.exe39⤵
- Executes dropped EXE
PID:4528 -
\??\c:\9xlxlfr.exec:\9xlxlfr.exe40⤵
- Executes dropped EXE
PID:4752 -
\??\c:\bhbbtn.exec:\bhbbtn.exe41⤵
- Executes dropped EXE
PID:4760 -
\??\c:\btbnnh.exec:\btbnnh.exe42⤵
- Executes dropped EXE
PID:1784 -
\??\c:\vjdvd.exec:\vjdvd.exe43⤵
- Executes dropped EXE
PID:2452 -
\??\c:\xlfrxrl.exec:\xlfrxrl.exe44⤵
- Executes dropped EXE
PID:2600 -
\??\c:\nntnbt.exec:\nntnbt.exe45⤵
- Executes dropped EXE
PID:1824 -
\??\c:\ddjjd.exec:\ddjjd.exe46⤵
- Executes dropped EXE
PID:2172 -
\??\c:\xrrlffx.exec:\xrrlffx.exe47⤵
- Executes dropped EXE
PID:1356 -
\??\c:\hbbnhb.exec:\hbbnhb.exe48⤵
- Executes dropped EXE
PID:1524 -
\??\c:\9jpjj.exec:\9jpjj.exe49⤵
- Executes dropped EXE
PID:4500 -
\??\c:\xxfrffx.exec:\xxfrffx.exe50⤵
- Executes dropped EXE
PID:3452 -
\??\c:\hbtnbt.exec:\hbtnbt.exe51⤵
- Executes dropped EXE
PID:3228 -
\??\c:\nntnbb.exec:\nntnbb.exe52⤵
- Executes dropped EXE
PID:452 -
\??\c:\7jpjv.exec:\7jpjv.exe53⤵
- Executes dropped EXE
PID:1892 -
\??\c:\9xxxrrr.exec:\9xxxrrr.exe54⤵
- Executes dropped EXE
PID:3400 -
\??\c:\bnbtnh.exec:\bnbtnh.exe55⤵
- Executes dropped EXE
PID:3280 -
\??\c:\9pdvj.exec:\9pdvj.exe56⤵
- Executes dropped EXE
PID:4932 -
\??\c:\jddpd.exec:\jddpd.exe57⤵
- Executes dropped EXE
PID:2896 -
\??\c:\nhtnnh.exec:\nhtnnh.exe58⤵
- Executes dropped EXE
PID:3668 -
\??\c:\pvddp.exec:\pvddp.exe59⤵
- Executes dropped EXE
PID:920 -
\??\c:\vjjvd.exec:\vjjvd.exe60⤵
- Executes dropped EXE
PID:3520 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe61⤵
- Executes dropped EXE
PID:220 -
\??\c:\tbhnnn.exec:\tbhnnn.exe62⤵
- Executes dropped EXE
PID:4408 -
\??\c:\3dvjd.exec:\3dvjd.exe63⤵
- Executes dropped EXE
PID:2868 -
\??\c:\jvpdj.exec:\jvpdj.exe64⤵
- Executes dropped EXE
PID:4596 -
\??\c:\fllrlrl.exec:\fllrlrl.exe65⤵
- Executes dropped EXE
PID:3764 -
\??\c:\nbhbbh.exec:\nbhbbh.exe66⤵PID:1612
-
\??\c:\jdpdd.exec:\jdpdd.exe67⤵PID:4208
-
\??\c:\vvvpd.exec:\vvvpd.exe68⤵PID:1224
-
\??\c:\5xrlflf.exec:\5xrlflf.exe69⤵PID:3604
-
\??\c:\bhbthh.exec:\bhbthh.exe70⤵PID:1604
-
\??\c:\tbtthh.exec:\tbtthh.exe71⤵PID:2032
-
\??\c:\vdjdd.exec:\vdjdd.exe72⤵PID:3308
-
\??\c:\lxfrfrf.exec:\lxfrfrf.exe73⤵PID:232
-
\??\c:\1nnhtt.exec:\1nnhtt.exe74⤵PID:4040
-
\??\c:\vvddv.exec:\vvddv.exe75⤵PID:3732
-
\??\c:\1jvpv.exec:\1jvpv.exe76⤵PID:3744
-
\??\c:\fflffxx.exec:\fflffxx.exe77⤵PID:4452
-
\??\c:\btnhhn.exec:\btnhhn.exe78⤵PID:2052
-
\??\c:\5dpdp.exec:\5dpdp.exe79⤵PID:4580
-
\??\c:\lflxrlf.exec:\lflxrlf.exe80⤵PID:2464
-
\??\c:\lrxlxrl.exec:\lrxlxrl.exe81⤵PID:5092
-
\??\c:\tnthnh.exec:\tnthnh.exe82⤵PID:4316
-
\??\c:\3hbbbb.exec:\3hbbbb.exe83⤵PID:5036
-
\??\c:\jvpdp.exec:\jvpdp.exe84⤵PID:4508
-
\??\c:\fxxlfxx.exec:\fxxlfxx.exe85⤵PID:2020
-
\??\c:\7lffxxx.exec:\7lffxxx.exe86⤵PID:4848
-
\??\c:\5hbbnb.exec:\5hbbnb.exe87⤵PID:3652
-
\??\c:\dpjdv.exec:\dpjdv.exe88⤵PID:2432
-
\??\c:\xflfrlf.exec:\xflfrlf.exe89⤵PID:3028
-
\??\c:\hnnhbt.exec:\hnnhbt.exe90⤵PID:3540
-
\??\c:\djjdp.exec:\djjdp.exe91⤵PID:2040
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe92⤵PID:668
-
\??\c:\btnhbt.exec:\btnhbt.exe93⤵PID:2012
-
\??\c:\djpdj.exec:\djpdj.exe94⤵PID:976
-
\??\c:\pppdv.exec:\pppdv.exe95⤵PID:2204
-
\??\c:\xxfxffx.exec:\xxfxffx.exe96⤵PID:3612
-
\??\c:\9bhbhh.exec:\9bhbhh.exe97⤵PID:2264
-
\??\c:\jvddp.exec:\jvddp.exe98⤵PID:3120
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe99⤵PID:1776
-
\??\c:\xllxlfr.exec:\xllxlfr.exe100⤵PID:4992
-
\??\c:\nnhnhb.exec:\nnhnhb.exe101⤵PID:3796
-
\??\c:\jjvvj.exec:\jjvvj.exe102⤵PID:2024
-
\??\c:\lxxlllf.exec:\lxxlllf.exe103⤵PID:1056
-
\??\c:\ffrrrlf.exec:\ffrrrlf.exe104⤵PID:2980
-
\??\c:\nbbthh.exec:\nbbthh.exe105⤵PID:2532
-
\??\c:\pjdvp.exec:\pjdvp.exe106⤵PID:4528
-
\??\c:\xllfxff.exec:\xllfxff.exe107⤵PID:3768
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe108⤵PID:3976
-
\??\c:\nhhbnh.exec:\nhhbnh.exe109⤵PID:1920
-
\??\c:\vdvjv.exec:\vdvjv.exe110⤵PID:4536
-
\??\c:\xrfxxrr.exec:\xrfxxrr.exe111⤵PID:3832
-
\??\c:\lrrllff.exec:\lrrllff.exe112⤵PID:4676
-
\??\c:\3bttnb.exec:\3bttnb.exe113⤵PID:1432
-
\??\c:\vvvpv.exec:\vvvpv.exe114⤵PID:1992
-
\??\c:\9rlfrlf.exec:\9rlfrlf.exe115⤵PID:1044
-
\??\c:\xllxlfx.exec:\xllxlfx.exe116⤵PID:3116
-
\??\c:\htnbtn.exec:\htnbtn.exe117⤵PID:4228
-
\??\c:\dvdvp.exec:\dvdvp.exe118⤵PID:2184
-
\??\c:\vjjvj.exec:\vjjvj.exe119⤵PID:4600
-
\??\c:\lrrlxlf.exec:\lrrlxlf.exe120⤵PID:4296
-
\??\c:\fxxrfxx.exec:\fxxrfxx.exe121⤵PID:3032
-
\??\c:\thhbtn.exec:\thhbtn.exe122⤵PID:640