Analysis
- max time kernel: 150s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2024, 04:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: bfec8c9f7db1d90a0bc59b96e065a2acd56732c1256145d08bcdc689950d1527.exe
- Resource: win7-20240704-en
General
- Target: bfec8c9f7db1d90a0bc59b96e065a2acd56732c1256145d08bcdc689950d1527.exe
- Size: 332KB
- MD5: 457d0c38bcfda459a43e0336ee95b4cf
- SHA1: 9065d904f68ad5bf21e0a427e94c6684d6e46a34
- SHA256: bfec8c9f7db1d90a0bc59b96e065a2acd56732c1256145d08bcdc689950d1527
- SHA512: 2484d2419b0023795d14e7e1c99ce4f840e50d5fe1347fc28665ee1b2f90610bf530351dc786d70ad212aaf987cfa4998f6a81065017d14f49fa46db70d5fa57
- SSDEEP: 6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhp:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTZ
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Format: depth. image path (command line), PID [signatures triggered]. Each process is nested one level below the preceding one.

1. C:\Users\Admin\AppData\Local\Temp\bfec8c9f7db1d90a0bc59b96e065a2acd56732c1256145d08bcdc689950d1527.exe ("C:\Users\Admin\AppData\Local\Temp\bfec8c9f7db1d90a0bc59b96e065a2acd56732c1256145d08bcdc689950d1527.exe"), PID 3920 [Suspicious use of WriteProcessMemory]
2. \??\c:\lxxlfxr.exe (c:\lxxlfxr.exe), PID 1272 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3. \??\c:\3ttnbt.exe (c:\3ttnbt.exe), PID 4560 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4. \??\c:\jvdpp.exe (c:\jvdpp.exe), PID 3284 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5. \??\c:\pdpjd.exe (c:\pdpjd.exe), PID 396 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6. \??\c:\xlflflf.exe (c:\xlflflf.exe), PID 2240 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7. \??\c:\bhttnh.exe (c:\bhttnh.exe), PID 4204 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8. \??\c:\jjppp.exe (c:\jjppp.exe), PID 4592 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9. \??\c:\lrfxxxx.exe (c:\lrfxxxx.exe), PID 3000 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10. \??\c:\hhhhbh.exe (c:\hhhhbh.exe), PID 2508 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11. \??\c:\vjjpd.exe (c:\vjjpd.exe), PID 1452 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12. \??\c:\7lrxxll.exe (c:\7lrxxll.exe), PID 4132 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13. \??\c:\lfrlrlx.exe (c:\lfrlrlx.exe), PID 1836 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14. \??\c:\lxrlllf.exe (c:\lxrlllf.exe), PID 4848 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15. \??\c:\nhhnht.exe (c:\nhhnht.exe), PID 1532 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16. \??\c:\ddpjd.exe (c:\ddpjd.exe), PID 3516 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17. \??\c:\9pdjv.exe (c:\9pdjv.exe), PID 1288 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18. \??\c:\7hnnhn.exe (c:\7hnnhn.exe), PID 2344 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19. \??\c:\rflrrrl.exe (c:\rflrrrl.exe), PID 1372 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20. \??\c:\nhhhnn.exe (c:\nhhhnn.exe), PID 2428 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21. \??\c:\xxlffxx.exe (c:\xxlffxx.exe), PID 3384 [Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
22. \??\c:\nnbnnb.exe (c:\nnbnnb.exe), PID 4072 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23. \??\c:\htbttt.exe (c:\htbttt.exe), PID 4004 [Executes dropped EXE]
24. \??\c:\dppjp.exe (c:\dppjp.exe), PID 4736 [Executes dropped EXE]
25. \??\c:\3rlfxxr.exe (c:\3rlfxxr.exe), PID 3496 [Executes dropped EXE]
26. \??\c:\nbnnhb.exe (c:\nbnnhb.exe), PID 3728 [Executes dropped EXE]
27. \??\c:\xlfllrr.exe (c:\xlfllrr.exe), PID 2908 [Executes dropped EXE]
28. \??\c:\bbhhbh.exe (c:\bbhhbh.exe), PID 2848 [Executes dropped EXE]
29. \??\c:\9lxlxrf.exe (c:\9lxlxrf.exe), PID 1496 [Executes dropped EXE]
30. \??\c:\xlrlffr.exe (c:\xlrlffr.exe), PID 1972 [Executes dropped EXE]
31. \??\c:\9ttnbb.exe (c:\9ttnbb.exe), PID 4280 [Executes dropped EXE]
32. \??\c:\pdjvp.exe (c:\pdjvp.exe), PID 3656 [Executes dropped EXE]
33. \??\c:\xlrlxxr.exe (c:\xlrlxxr.exe), PID 3692 [Executes dropped EXE]
34. \??\c:\ttbbnh.exe (c:\ttbbnh.exe), PID 2108 [Executes dropped EXE]
35. \??\c:\djpjj.exe (c:\djpjj.exe), PID 3744 [Executes dropped EXE]
36. \??\c:\pjjdp.exe (c:\pjjdp.exe), PID 4304 [Executes dropped EXE]
37. \??\c:\nhtntb.exe (c:\nhtntb.exe), PID 4312 [Executes dropped EXE]
38. \??\c:\jjjdp.exe (c:\jjjdp.exe), PID 1884 [Executes dropped EXE]
39. \??\c:\xrxrlll.exe (c:\xrxrlll.exe), PID 4856 [Executes dropped EXE]
40. \??\c:\9rlffff.exe (c:\9rlffff.exe), PID 4560 [Executes dropped EXE]
41. \??\c:\hnbtnn.exe (c:\hnbtnn.exe), PID 3836 [Executes dropped EXE]
42. \??\c:\jdvvp.exe (c:\jdvvp.exe), PID 1824 [Executes dropped EXE]
43. \??\c:\vvvjv.exe (c:\vvvjv.exe), PID 396 [Executes dropped EXE]
44. \??\c:\lllrlfr.exe (c:\lllrlfr.exe), PID 1904 [Executes dropped EXE]
45. \??\c:\thbtnn.exe (c:\thbtnn.exe), PID 3172 [Executes dropped EXE]
46. \??\c:\jdjdp.exe (c:\jdjdp.exe), PID 1108 [Executes dropped EXE]
47. \??\c:\llffxxx.exe (c:\llffxxx.exe), PID 2900 [Executes dropped EXE]
48. \??\c:\hthtbb.exe (c:\hthtbb.exe), PID 4200 [Executes dropped EXE]
49. \??\c:\tnbtbb.exe (c:\tnbtbb.exe), PID 2036 [Executes dropped EXE]
50. \??\c:\7pdvp.exe (c:\7pdvp.exe), PID 3612 [Executes dropped EXE]
51. \??\c:\5lxrllr.exe (c:\5lxrllr.exe), PID 4988 [Executes dropped EXE]
52. \??\c:\xrrfxrf.exe (c:\xrrfxrf.exe), PID 4964 [Executes dropped EXE]
53. \??\c:\7ttnhn.exe (c:\7ttnhn.exe), PID 4500 [Executes dropped EXE]
54. \??\c:\9ddvj.exe (c:\9ddvj.exe), PID 3372 [Executes dropped EXE]
55. \??\c:\9xxrlrl.exe (c:\9xxrlrl.exe), PID 4020 [Executes dropped EXE]
56. \??\c:\nnhhhh.exe (c:\nnhhhh.exe), PID 4160 [Executes dropped EXE]
57. \??\c:\9hnnhh.exe (c:\9hnnhh.exe), PID 444 [Executes dropped EXE; System Location Discovery: System Language Discovery]
58. \??\c:\ppddj.exe (c:\ppddj.exe), PID 3552 [Executes dropped EXE]
59. \??\c:\llfrxlr.exe (c:\llfrxlr.exe), PID 4908 [Executes dropped EXE]
60. \??\c:\tbtbbh.exe (c:\tbtbbh.exe), PID 5052 [Executes dropped EXE]
61. \??\c:\nbbnhh.exe (c:\nbbnhh.exe), PID 4696 [Executes dropped EXE]
62. \??\c:\3ppvv.exe (c:\3ppvv.exe), PID 424 [Executes dropped EXE]
63. \??\c:\lffffff.exe (c:\lffffff.exe), PID 3628 [Executes dropped EXE]
64. \??\c:\xrrllrl.exe (c:\xrrllrl.exe), PID 4992 [Executes dropped EXE]
65. \??\c:\bthbhh.exe (c:\bthbhh.exe), PID 4060 [Executes dropped EXE]
66. \??\c:\jpjdp.exe (c:\jpjdp.exe), PID 2032
67. \??\c:\xrllrrl.exe (c:\xrllrrl.exe), PID 2352
68. \??\c:\xrffffl.exe (c:\xrffffl.exe), PID 2460
69. \??\c:\tthtbb.exe (c:\tthtbb.exe), PID 2988
70. \??\c:\9tbhbh.exe (c:\9tbhbh.exe), PID 4644
71. \??\c:\dvdvp.exe (c:\dvdvp.exe), PID 3728
72. \??\c:\rlxrlfr.exe (c:\rlxrlfr.exe), PID 3820
73. \??\c:\rllfxxx.exe (c:\rllfxxx.exe), PID 2116
74. \??\c:\bbnhbb.exe (c:\bbnhbb.exe), PID 692
75. \??\c:\dvddv.exe (c:\dvddv.exe), PID 4816
76. \??\c:\djjpp.exe (c:\djjpp.exe), PID 1764
77. \??\c:\llfrlfr.exe (c:\llfrlfr.exe), PID 3452
78. \??\c:\3tnhhh.exe (c:\3tnhhh.exe), PID 4168
79. \??\c:\htnnhh.exe (c:\htnnhh.exe), PID 4464
80. \??\c:\jjpjp.exe (c:\jjpjp.exe), PID 4752
81. \??\c:\5lxxlrr.exe (c:\5lxxlrr.exe), PID 4732
82. \??\c:\rlffxxx.exe (c:\rlffxxx.exe), PID 808
83. \??\c:\nbntnn.exe (c:\nbntnn.exe), PID 4308 [System Location Discovery: System Language Discovery]
84. \??\c:\bntnhh.exe (c:\bntnhh.exe), PID 4396
85. \??\c:\vpddv.exe (c:\vpddv.exe), PID 2232
86. \??\c:\jjvpj.exe (c:\jjvpj.exe), PID 1884
87. \??\c:\lxfffff.exe (c:\lxfffff.exe), PID 4184
88. \??\c:\ttbtnn.exe (c:\ttbtnn.exe), PID 4560
89. \??\c:\7nhbnn.exe (c:\7nhbnn.exe), PID 5044 [System Location Discovery: System Language Discovery]
90. \??\c:\pjdpv.exe (c:\pjdpv.exe), PID 4384
91. \??\c:\dpjdp.exe (c:\dpjdp.exe), PID 3264
92. \??\c:\5lrlllf.exe (c:\5lrlllf.exe), PID 1992
93. \??\c:\hhhbbh.exe (c:\hhhbbh.exe), PID 4592
94. \??\c:\tnnbtt.exe (c:\tnnbtt.exe), PID 1108
95. \??\c:\vvvpp.exe (c:\vvvpp.exe), PID 2432
96. \??\c:\3ffxxxx.exe (c:\3ffxxxx.exe), PID 2860
97. \??\c:\xrxlfff.exe (c:\xrxlfff.exe), PID 1996
98. \??\c:\thnhbb.exe (c:\thnhbb.exe), PID 4828
99. \??\c:\vvddd.exe (c:\vvddd.exe), PID 3724
100. \??\c:\vpdvd.exe (c:\vpdvd.exe), PID 2024
101. \??\c:\rffxrxf.exe (c:\rffxrxf.exe), PID 1588
102. \??\c:\thhnhn.exe (c:\thhnhn.exe), PID 1532
103. \??\c:\rxfrlfr.exe (c:\rxfrlfr.exe), PID 4972
104. \??\c:\lxfrlrl.exe (c:\lxfrlrl.exe), PID 1388
105. \??\c:\btbtnn.exe (c:\btbtnn.exe), PID 4232
106. \??\c:\ppvpj.exe (c:\ppvpj.exe), PID 3460
107. \??\c:\lfxlffx.exe (c:\lfxlffx.exe), PID 1832
108. \??\c:\rlllflf.exe (c:\rlllflf.exe), PID 1564
109. \??\c:\bttnhh.exe (c:\bttnhh.exe), PID 3716
110. \??\c:\vdjdp.exe (c:\vdjdp.exe), PID 1432
111. \??\c:\xffxrrl.exe (c:\xffxrrl.exe), PID 460
112. \??\c:\llffxxx.exe (c:\llffxxx.exe), PID 3492
113. \??\c:\bbhhbn.exe (c:\bbhhbn.exe), PID 2032
114. \??\c:\pjpjd.exe (c:\pjpjd.exe), PID 3180
115. \??\c:\dpvpp.exe (c:\dpvpp.exe), PID 4428
116. \??\c:\xffxrlf.exe (c:\xffxrlf.exe), PID 676
117. \??\c:\xlfxrxr.exe (c:\xlfxrxr.exe), PID 3440
118. \??\c:\btbtnb.exe (c:\btbtnb.exe), PID 2908
119. \??\c:\dvjdv.exe (c:\dvjdv.exe), PID 2368
120. \??\c:\vpvpj.exe (c:\vpvpj.exe), PID 1740
121. \??\c:\fxxxrrr.exe (c:\fxxxrrr.exe), PID 1076
122. \??\c:\nbhhbb.exe (c:\nbhhbb.exe), PID 368