Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 08:59
Static task
static1
Behavioral task
behavioral1
Sample
acd8c66f14fe324ec9eed4fd145d4dd44403b44fdb0f3f0af2e8897dce82fc1e.exe
Resource
win7-20240903-en
General
-
Target
acd8c66f14fe324ec9eed4fd145d4dd44403b44fdb0f3f0af2e8897dce82fc1e.exe
-
Size
454KB
-
MD5
22d568622f39cb5627b662d060565a13
-
SHA1
34755aa1b7dac6b44272dd6c73270aa45bb8f0dd
-
SHA256
acd8c66f14fe324ec9eed4fd145d4dd44403b44fdb0f3f0af2e8897dce82fc1e
-
SHA512
e286ea9975bdf996c48da5cb59759ce63591146683840aaaf0f8d49ddf1b211f89b4cde2828c3b0873d75655a30e9a36eb3ebb8e0a86183619e61d7a4e71daa5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\acd8c66f14fe324ec9eed4fd145d4dd44403b44fdb0f3f0af2e8897dce82fc1e.exe"C:\Users\Admin\AppData\Local\Temp\acd8c66f14fe324ec9eed4fd145d4dd44403b44fdb0f3f0af2e8897dce82fc1e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\5tbtnn.exec:\5tbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\xrrrfxx.exec:\xrrrfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\vdvdd.exec:\vdvdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\fffffxr.exec:\fffffxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\vvppp.exec:\vvppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\hbbhbb.exec:\hbbhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\1djjd.exec:\1djjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\frrrlll.exec:\frrrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\frlffrr.exec:\frlffrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\nhnhbb.exec:\nhnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\bhbbtb.exec:\bhbbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\hhhbtt.exec:\hhhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
\??\c:\jjpjd.exec:\jjpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\nbnnth.exec:\nbnnth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\vjjdv.exec:\vjjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\hbbbht.exec:\hbbbht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\pddvp.exec:\pddvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\5lrrxxf.exec:\5lrrxxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\3bbttb.exec:\3bbttb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\pjpjd.exec:\pjpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\rlrfxrl.exec:\rlrfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\7fxrlfr.exec:\7fxrlfr.exe23⤵
- Executes dropped EXE
PID:3976 -
\??\c:\vjpjd.exec:\vjpjd.exe24⤵
- Executes dropped EXE
PID:3536 -
\??\c:\lffxrfr.exec:\lffxrfr.exe25⤵
- Executes dropped EXE
PID:532 -
\??\c:\3ntnnn.exec:\3ntnnn.exe26⤵
- Executes dropped EXE
PID:1616 -
\??\c:\lffrlrl.exec:\lffrlrl.exe27⤵
- Executes dropped EXE
PID:2820 -
\??\c:\btnbth.exec:\btnbth.exe28⤵
- Executes dropped EXE
PID:2868 -
\??\c:\9frxxlf.exec:\9frxxlf.exe29⤵
- Executes dropped EXE
PID:5060 -
\??\c:\nttnbb.exec:\nttnbb.exe30⤵
- Executes dropped EXE
PID:4656 -
\??\c:\1llxrrf.exec:\1llxrrf.exe31⤵
- Executes dropped EXE
PID:2328 -
\??\c:\bnnbtn.exec:\bnnbtn.exe32⤵
- Executes dropped EXE
PID:224 -
\??\c:\jvvvp.exec:\jvvvp.exe33⤵
- Executes dropped EXE
PID:404 -
\??\c:\1nnbnn.exec:\1nnbnn.exe34⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ppjdv.exec:\ppjdv.exe35⤵
- Executes dropped EXE
PID:1120 -
\??\c:\frlfxrl.exec:\frlfxrl.exe36⤵
- Executes dropped EXE
PID:3608 -
\??\c:\ttnnbh.exec:\ttnnbh.exe37⤵
- Executes dropped EXE
PID:3808 -
\??\c:\btttnb.exec:\btttnb.exe38⤵
- Executes dropped EXE
PID:4652 -
\??\c:\vpdvd.exec:\vpdvd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
\??\c:\xlxxxxx.exec:\xlxxxxx.exe40⤵
- Executes dropped EXE
PID:220 -
\??\c:\vjvvp.exec:\vjvvp.exe41⤵
- Executes dropped EXE
PID:3048 -
\??\c:\frxlfrl.exec:\frxlfrl.exe42⤵
- Executes dropped EXE
PID:1852 -
\??\c:\7hnhbb.exec:\7hnhbb.exe43⤵
- Executes dropped EXE
PID:3448 -
\??\c:\bnttnh.exec:\bnttnh.exe44⤵
- Executes dropped EXE
PID:4484 -
\??\c:\5ddvp.exec:\5ddvp.exe45⤵
- Executes dropped EXE
PID:4396 -
\??\c:\xrllfll.exec:\xrllfll.exe46⤵
- Executes dropped EXE
PID:1928 -
\??\c:\tnnbhb.exec:\tnnbhb.exe47⤵
- Executes dropped EXE
PID:4400 -
\??\c:\jpjdj.exec:\jpjdj.exe48⤵
- Executes dropped EXE
PID:5088 -
\??\c:\5rxxxxr.exec:\5rxxxxr.exe49⤵
- Executes dropped EXE
PID:2352 -
\??\c:\bbnhhh.exec:\bbnhhh.exe50⤵
- Executes dropped EXE
PID:3416 -
\??\c:\jjjdv.exec:\jjjdv.exe51⤵
- Executes dropped EXE
PID:732 -
\??\c:\xxxrlll.exec:\xxxrlll.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436 -
\??\c:\1nhbtt.exec:\1nhbtt.exe53⤵
- Executes dropped EXE
PID:4348 -
\??\c:\ppppj.exec:\ppppj.exe54⤵
- Executes dropped EXE
PID:3188 -
\??\c:\xxfxfxx.exec:\xxfxfxx.exe55⤵
- Executes dropped EXE
PID:4952 -
\??\c:\nbhtnt.exec:\nbhtnt.exe56⤵
- Executes dropped EXE
PID:5008 -
\??\c:\jdvpp.exec:\jdvpp.exe57⤵
- Executes dropped EXE
PID:2872 -
\??\c:\pjjvp.exec:\pjjvp.exe58⤵
- Executes dropped EXE
PID:876 -
\??\c:\lffxrrf.exec:\lffxrrf.exe59⤵
- Executes dropped EXE
PID:4152 -
\??\c:\nhhbtn.exec:\nhhbtn.exe60⤵
- Executes dropped EXE
PID:3140 -
\??\c:\jjjdv.exec:\jjjdv.exe61⤵
- Executes dropped EXE
PID:4612 -
\??\c:\3jjvj.exec:\3jjvj.exe62⤵
- Executes dropped EXE
PID:3668 -
\??\c:\rflfxxx.exec:\rflfxxx.exe63⤵
- Executes dropped EXE
PID:1496 -
\??\c:\hbhbbt.exec:\hbhbbt.exe64⤵
- Executes dropped EXE
PID:4212 -
\??\c:\pjjvd.exec:\pjjvd.exe65⤵
- Executes dropped EXE
PID:1728 -
\??\c:\rflxflf.exec:\rflxflf.exe66⤵PID:4892
-
\??\c:\nhhbbt.exec:\nhhbbt.exe67⤵PID:4508
-
\??\c:\ppppp.exec:\ppppp.exe68⤵PID:3068
-
\??\c:\rrrxrxx.exec:\rrrxrxx.exe69⤵PID:116
-
\??\c:\9lxrffr.exec:\9lxrffr.exe70⤵PID:1836
-
\??\c:\thnhhh.exec:\thnhhh.exe71⤵PID:3512
-
\??\c:\5jjvp.exec:\5jjvp.exe72⤵PID:4748
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe73⤵PID:1372
-
\??\c:\3hhnbt.exec:\3hhnbt.exe74⤵PID:4104
-
\??\c:\vvpdp.exec:\vvpdp.exe75⤵PID:1096
-
\??\c:\rlfflfr.exec:\rlfflfr.exe76⤵PID:1104
-
\??\c:\btbtnb.exec:\btbtnb.exe77⤵PID:4996
-
\??\c:\nhnbnh.exec:\nhnbnh.exe78⤵PID:1924
-
\??\c:\3vjjv.exec:\3vjjv.exe79⤵PID:1392
-
\??\c:\fxflfxr.exec:\fxflfxr.exe80⤵PID:4428
-
\??\c:\btbtnn.exec:\btbtnn.exe81⤵PID:392
-
\??\c:\ppjjd.exec:\ppjjd.exe82⤵PID:892
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe83⤵PID:3724
-
\??\c:\hbtthb.exec:\hbtthb.exe84⤵PID:4460
-
\??\c:\vpppj.exec:\vpppj.exe85⤵PID:368
-
\??\c:\rfxrlff.exec:\rfxrlff.exe86⤵PID:3900
-
\??\c:\flxlfxl.exec:\flxlfxl.exe87⤵PID:4656
-
\??\c:\9nnnhh.exec:\9nnnhh.exe88⤵PID:1452
-
\??\c:\pvddd.exec:\pvddd.exe89⤵PID:3728
-
\??\c:\rrlxrff.exec:\rrlxrff.exe90⤵PID:3024
-
\??\c:\7flffll.exec:\7flffll.exe91⤵PID:404
-
\??\c:\7nnthb.exec:\7nnthb.exe92⤵PID:3588
-
\??\c:\pvjvp.exec:\pvjvp.exe93⤵PID:1600
-
\??\c:\fxxrrll.exec:\fxxrrll.exe94⤵
- System Location Discovery: System Language Discovery
PID:3608 -
\??\c:\3hhbtt.exec:\3hhbtt.exe95⤵PID:3272
-
\??\c:\bhhtnh.exec:\bhhtnh.exe96⤵PID:4652
-
\??\c:\jjpjv.exec:\jjpjv.exe97⤵PID:2412
-
\??\c:\xrffrlx.exec:\xrffrlx.exe98⤵PID:4436
-
\??\c:\thhtnn.exec:\thhtnn.exe99⤵PID:2140
-
\??\c:\thhtnh.exec:\thhtnh.exe100⤵PID:4068
-
\??\c:\pjdvj.exec:\pjdvj.exe101⤵PID:3288
-
\??\c:\5flfrff.exec:\5flfrff.exe102⤵PID:2332
-
\??\c:\bbnbtt.exec:\bbnbtt.exe103⤵PID:2832
-
\??\c:\hthbnn.exec:\hthbnn.exe104⤵PID:1056
-
\??\c:\jjjpj.exec:\jjjpj.exe105⤵PID:228
-
\??\c:\9rxxffr.exec:\9rxxffr.exe106⤵PID:4008
-
\??\c:\nnhhbb.exec:\nnhhbb.exe107⤵PID:5088
-
\??\c:\dpvpd.exec:\dpvpd.exe108⤵PID:3796
-
\??\c:\jjpjp.exec:\jjpjp.exe109⤵PID:3416
-
\??\c:\rrrlfxl.exec:\rrrlfxl.exe110⤵PID:4284
-
\??\c:\tttnhn.exec:\tttnhn.exe111⤵PID:3432
-
\??\c:\3pvpd.exec:\3pvpd.exe112⤵PID:4348
-
\??\c:\lfffxfx.exec:\lfffxfx.exe113⤵PID:4172
-
\??\c:\fxfrxxf.exec:\fxfrxxf.exe114⤵PID:4344
-
\??\c:\hbbttn.exec:\hbbttn.exe115⤵PID:3408
-
\??\c:\jjpjj.exec:\jjpjj.exe116⤵PID:2872
-
\??\c:\ffffffx.exec:\ffffffx.exe117⤵PID:3076
-
\??\c:\bttbbb.exec:\bttbbb.exe118⤵PID:3528
-
\??\c:\7jdpd.exec:\7jdpd.exe119⤵PID:3344
-
\??\c:\lllfrrr.exec:\lllfrrr.exe120⤵PID:2260
-
\??\c:\7flfxrl.exec:\7flfxrl.exe121⤵PID:1524
-
\??\c:\bbbnbt.exec:\bbbnbt.exe122⤵PID:912