Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
27/09/2024, 10:03
Behavioral task
behavioral1
Sample
8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d.exe
Resource
win7-20240708-en
General
-
Target
8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d.exe
-
Size
330KB
-
MD5
6c4ada1795e75357f702f2a928d2e0a8
-
SHA1
90fe2ed5edbad8963d2a1052654a50f22aa430cd
-
SHA256
8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d
-
SHA512
51265d8abf61a3fd796b3a3f8e29b9e39fdb6966551f4e6a4451d8467892f8a8deb90e4d78a46afb19199df5a03b19cd595e2846180830d0178c90d40b6fed7f
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tv:94wFHoStJdSjylh2b77BoTMA9gX59sTH
Malware Config
Signatures
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3012-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4172-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3736-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/948-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/996-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3684-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2372-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1440-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3176-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/528-534-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-609-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4172 3pdpd.exe 3260 fllffxx.exe 1740 hhttnn.exe 3176 nbhbbb.exe 1336 ddjdj.exe 1220 fflrfxl.exe 1440 9lxrxxr.exe 4520 httnnn.exe 1716 vvvpj.exe 1008 1dvpv.exe 732 lllfxrl.exe 3600 ppvvv.exe 3452 bbhbbb.exe 2372 nnbbtb.exe 4188 9vjjd.exe 2928 flrxxxf.exe 1284 bthbtb.exe 1788 jppdv.exe 212 xrxrllf.exe 2888 xlfffxx.exe 5008 bnhtbt.exe 3808 5vjjd.exe 4488 llrffll.exe 4576 hnnhhb.exe 1832 xxfxlfx.exe 3684 nhtnhb.exe 4420 5nbhth.exe 2264 vvvpp.exe 2500 ffffxxf.exe 4992 ttbtth.exe 2768 dvdjj.exe 3508 rrxxxff.exe 2920 dpppd.exe 3588 rxxxrxr.exe 3636 bnhhhh.exe 64 pvpvv.exe 4376 lfrllff.exe 3736 fxfffff.exe 4468 bhnnnt.exe 3740 ttbttb.exe 3284 jjjjd.exe 2172 5vpvv.exe 2692 xrxflll.exe 4040 9xxxxfl.exe 4916 bbtthh.exe 4568 vpvdv.exe 1572 vjvdv.exe 1700 lxlllll.exe 1828 5fxffxf.exe 3800 hhhhhn.exe 4960 bhtthn.exe 1776 jvjjd.exe 908 vddvv.exe 4816 llxxllr.exe 4760 rxlfxfx.exe 5052 9hnnht.exe 4392 hhbbnt.exe 440 djppd.exe 4352 pdjpp.exe 3012 lxlxfff.exe 2876 btbttt.exe 2772 btnhhh.exe 3840 dvjdd.exe 3176 lfxrrrr.exe -
resource yara_rule behavioral2/memory/3012-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023404-3.dat upx behavioral2/memory/3012-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023461-10.dat upx behavioral2/memory/4172-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023466-13.dat upx behavioral2/memory/1220-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4520-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002346c-45.dat upx behavioral2/files/0x000700000002346e-55.dat upx behavioral2/memory/1716-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002346d-50.dat upx behavioral2/files/0x000700000002346f-60.dat upx behavioral2/memory/732-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023470-65.dat upx behavioral2/memory/3600-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3452-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023473-81.dat upx behavioral2/files/0x0007000000023474-85.dat upx behavioral2/memory/2888-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023478-104.dat upx behavioral2/files/0x0007000000023479-108.dat upx behavioral2/memory/4488-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347b-117.dat upx behavioral2/files/0x0007000000023480-144.dat upx behavioral2/memory/2264-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023481-149.dat upx behavioral2/files/0x0007000000023482-153.dat upx behavioral2/files/0x0007000000023483-157.dat upx behavioral2/memory/3508-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3588-164-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3736-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4392-219-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3012-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2876-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4688-241-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/948-265-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5016-288-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3300-313-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/996-329-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3588-336-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3188-318-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3040-298-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2720-291-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4796-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4352-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3800-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4568-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2692-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3740-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4376-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2920-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347f-140.dat upx behavioral2/memory/4420-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1284-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347e-134.dat upx 
behavioral2/memory/3684-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1832-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347d-127.dat upx behavioral2/memory/1832-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4576-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023462-122.dat upx behavioral2/files/0x000700000002347a-113.dat upx behavioral2/memory/3808-112-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3012 wrote to memory of 4172 3012 8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d.exe 81 PID 3012 wrote to memory of 4172 3012 8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d.exe 81 PID 3012 wrote to memory of 4172 3012 8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d.exe 81 PID 4172 wrote to memory of 3260 4172 3pdpd.exe 82 PID 4172 wrote to memory of 3260 4172 3pdpd.exe 82 PID 4172 wrote to memory of 3260 4172 3pdpd.exe 82 PID 3260 wrote to memory of 1740 3260 fllffxx.exe 83 PID 3260 wrote to memory of 1740 3260 fllffxx.exe 83 PID 3260 wrote to memory of 1740 3260 fllffxx.exe 83 PID 1740 wrote to memory of 3176 1740 hhttnn.exe 145 PID 1740 wrote to memory of 3176 1740 hhttnn.exe 145 PID 1740 wrote to memory of 3176 1740 hhttnn.exe 145 PID 3176 wrote to memory of 1336 3176 nbhbbb.exe 85 PID 3176 wrote to memory of 1336 3176 nbhbbb.exe 85 PID 3176 wrote to memory of 1336 3176 nbhbbb.exe 85 PID 1336 wrote to memory of 1220 1336 ddjdj.exe 86 PID 1336 wrote to memory of 1220 1336 ddjdj.exe 86 PID 1336 wrote to memory of 1220 1336 ddjdj.exe 86 PID 1220 wrote to memory of 1440 1220 fflrfxl.exe 87 PID 1220 wrote to memory of 1440 1220 fflrfxl.exe 87 PID 1220 wrote to memory of 1440 1220 fflrfxl.exe 87 PID 1440 wrote to memory of 4520 1440 9lxrxxr.exe 88 PID 1440 wrote to memory of 4520 1440 9lxrxxr.exe 88 PID 1440 wrote to memory of 4520 1440 9lxrxxr.exe 88 PID 4520 wrote to memory of 1716 4520 httnnn.exe 89 PID 4520 wrote to memory of 1716 4520 httnnn.exe 89 PID 4520 wrote to memory of 1716 4520 httnnn.exe 89 PID 1716 wrote to memory of 1008 1716 vvvpj.exe 90 PID 1716 wrote to memory of 1008 1716 vvvpj.exe 90 PID 1716 wrote to memory of 1008 1716 vvvpj.exe 90 PID 1008 wrote to memory of 732 1008 1dvpv.exe 91 PID 1008 wrote to memory of 732 1008 1dvpv.exe 91 PID 1008 wrote to memory of 732 1008 1dvpv.exe 91 PID 732 wrote to memory of 3600 732 lllfxrl.exe 92 PID 732 wrote to memory 
of 3600 732 lllfxrl.exe 92 PID 732 wrote to memory of 3600 732 lllfxrl.exe 92 PID 3600 wrote to memory of 3452 3600 ppvvv.exe 93 PID 3600 wrote to memory of 3452 3600 ppvvv.exe 93 PID 3600 wrote to memory of 3452 3600 ppvvv.exe 93 PID 3452 wrote to memory of 2372 3452 bbhbbb.exe 94 PID 3452 wrote to memory of 2372 3452 bbhbbb.exe 94 PID 3452 wrote to memory of 2372 3452 bbhbbb.exe 94 PID 2372 wrote to memory of 4188 2372 nnbbtb.exe 95 PID 2372 wrote to memory of 4188 2372 nnbbtb.exe 95 PID 2372 wrote to memory of 4188 2372 nnbbtb.exe 95 PID 4188 wrote to memory of 2928 4188 9vjjd.exe 96 PID 4188 wrote to memory of 2928 4188 9vjjd.exe 96 PID 4188 wrote to memory of 2928 4188 9vjjd.exe 96 PID 2928 wrote to memory of 1284 2928 flrxxxf.exe 97 PID 2928 wrote to memory of 1284 2928 flrxxxf.exe 97 PID 2928 wrote to memory of 1284 2928 flrxxxf.exe 97 PID 1284 wrote to memory of 1788 1284 bthbtb.exe 98 PID 1284 wrote to memory of 1788 1284 bthbtb.exe 98 PID 1284 wrote to memory of 1788 1284 bthbtb.exe 98 PID 1788 wrote to memory of 212 1788 jppdv.exe 99 PID 1788 wrote to memory of 212 1788 jppdv.exe 99 PID 1788 wrote to memory of 212 1788 jppdv.exe 99 PID 212 wrote to memory of 2888 212 xrxrllf.exe 100 PID 212 wrote to memory of 2888 212 xrxrllf.exe 100 PID 212 wrote to memory of 2888 212 xrxrllf.exe 100 PID 2888 wrote to memory of 5008 2888 xlfffxx.exe 101 PID 2888 wrote to memory of 5008 2888 xlfffxx.exe 101 PID 2888 wrote to memory of 5008 2888 xlfffxx.exe 101 PID 5008 wrote to memory of 3808 5008 bnhtbt.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d.exe"C:\Users\Admin\AppData\Local\Temp\8bfd08851aebd2bd1679ad38faf41549d5a64f3609059e98b3c0bf7a6939767d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\3pdpd.exec:\3pdpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\fllffxx.exec:\fllffxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\hhttnn.exec:\hhttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\nbhbbb.exec:\nbhbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\ddjdj.exec:\ddjdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\fflrfxl.exec:\fflrfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\9lxrxxr.exec:\9lxrxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\httnnn.exec:\httnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\vvvpj.exec:\vvvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\1dvpv.exec:\1dvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\lllfxrl.exec:\lllfxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\ppvvv.exec:\ppvvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\bbhbbb.exec:\bbhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\nnbbtb.exec:\nnbbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\9vjjd.exec:\9vjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\flrxxxf.exec:\flrxxxf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\bthbtb.exec:\bthbtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\jppdv.exec:\jppdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xrxrllf.exec:\xrxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\xlfffxx.exec:\xlfffxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\bnhtbt.exec:\bnhtbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\5vjjd.exec:\5vjjd.exe23⤵
- Executes dropped EXE
PID:3808 -
\??\c:\llrffll.exec:\llrffll.exe24⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hnnhhb.exec:\hnnhhb.exe25⤵
- Executes dropped EXE
PID:4576 -
\??\c:\xxfxlfx.exec:\xxfxlfx.exe26⤵
- Executes dropped EXE
PID:1832 -
\??\c:\nhtnhb.exec:\nhtnhb.exe27⤵
- Executes dropped EXE
PID:3684 -
\??\c:\5nbhth.exec:\5nbhth.exe28⤵
- Executes dropped EXE
PID:4420 -
\??\c:\vvvpp.exec:\vvvpp.exe29⤵
- Executes dropped EXE
PID:2264 -
\??\c:\ffffxxf.exec:\ffffxxf.exe30⤵
- Executes dropped EXE
PID:2500 -
\??\c:\ttbtth.exec:\ttbtth.exe31⤵
- Executes dropped EXE
PID:4992 -
\??\c:\dvdjj.exec:\dvdjj.exe32⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rrxxxff.exec:\rrxxxff.exe33⤵
- Executes dropped EXE
PID:3508 -
\??\c:\dpppd.exec:\dpppd.exe34⤵
- Executes dropped EXE
PID:2920 -
\??\c:\rxxxrxr.exec:\rxxxrxr.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588 -
\??\c:\bnhhhh.exec:\bnhhhh.exe36⤵
- Executes dropped EXE
PID:3636 -
\??\c:\pvpvv.exec:\pvpvv.exe37⤵
- Executes dropped EXE
PID:64 -
\??\c:\lfrllff.exec:\lfrllff.exe38⤵
- Executes dropped EXE
PID:4376 -
\??\c:\fxfffff.exec:\fxfffff.exe39⤵
- Executes dropped EXE
PID:3736 -
\??\c:\bhnnnt.exec:\bhnnnt.exe40⤵
- Executes dropped EXE
PID:4468 -
\??\c:\ttbttb.exec:\ttbttb.exe41⤵
- Executes dropped EXE
PID:3740 -
\??\c:\jjjjd.exec:\jjjjd.exe42⤵
- Executes dropped EXE
PID:3284 -
\??\c:\5vpvv.exec:\5vpvv.exe43⤵
- Executes dropped EXE
PID:2172 -
\??\c:\xrxflll.exec:\xrxflll.exe44⤵
- Executes dropped EXE
PID:2692 -
\??\c:\9xxxxfl.exec:\9xxxxfl.exe45⤵
- Executes dropped EXE
PID:4040 -
\??\c:\bbtthh.exec:\bbtthh.exe46⤵
- Executes dropped EXE
PID:4916 -
\??\c:\vpvdv.exec:\vpvdv.exe47⤵
- Executes dropped EXE
PID:4568 -
\??\c:\vjvdv.exec:\vjvdv.exe48⤵
- Executes dropped EXE
PID:1572 -
\??\c:\lxlllll.exec:\lxlllll.exe49⤵
- Executes dropped EXE
PID:1700 -
\??\c:\5fxffxf.exec:\5fxffxf.exe50⤵
- Executes dropped EXE
PID:1828 -
\??\c:\hhhhhn.exec:\hhhhhn.exe51⤵
- Executes dropped EXE
PID:3800 -
\??\c:\bhtthn.exec:\bhtthn.exe52⤵
- Executes dropped EXE
PID:4960 -
\??\c:\jvjjd.exec:\jvjjd.exe53⤵
- Executes dropped EXE
PID:1776 -
\??\c:\vddvv.exec:\vddvv.exe54⤵
- Executes dropped EXE
PID:908 -
\??\c:\llxxllr.exec:\llxxllr.exe55⤵
- Executes dropped EXE
PID:4816 -
\??\c:\rxlfxfx.exec:\rxlfxfx.exe56⤵
- Executes dropped EXE
PID:4760 -
\??\c:\9hnnht.exec:\9hnnht.exe57⤵
- Executes dropped EXE
PID:5052 -
\??\c:\hhbbnt.exec:\hhbbnt.exe58⤵
- Executes dropped EXE
PID:4392 -
\??\c:\djppd.exec:\djppd.exe59⤵
- Executes dropped EXE
PID:440 -
\??\c:\pdjpp.exec:\pdjpp.exe60⤵
- Executes dropped EXE
PID:4352 -
\??\c:\lxlxfff.exec:\lxlxfff.exe61⤵
- Executes dropped EXE
PID:3012 -
\??\c:\btbttt.exec:\btbttt.exe62⤵
- Executes dropped EXE
PID:2876 -
\??\c:\btnhhh.exec:\btnhhh.exe63⤵
- Executes dropped EXE
PID:2772 -
\??\c:\dvjdd.exec:\dvjdd.exe64⤵
- Executes dropped EXE
PID:3840 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe65⤵
- Executes dropped EXE
PID:3176 -
\??\c:\xrlfffl.exec:\xrlfffl.exe66⤵PID:2220
-
\??\c:\bbbbtb.exec:\bbbbtb.exe67⤵PID:4688
-
\??\c:\tthhhh.exec:\tthhhh.exe68⤵PID:3468
-
\??\c:\djjjj.exec:\djjjj.exe69⤵PID:4516
-
\??\c:\dpjdj.exec:\dpjdj.exe70⤵PID:4796
-
\??\c:\lrxxxxr.exec:\lrxxxxr.exe71⤵PID:872
-
\??\c:\tnhtht.exec:\tnhtht.exe72⤵PID:1648
-
\??\c:\thnnnb.exec:\thnnnb.exe73⤵PID:2900
-
\??\c:\ffrxrfl.exec:\ffrxrfl.exe74⤵PID:4884
-
\??\c:\ttnhtt.exec:\ttnhtt.exe75⤵PID:3756
-
\??\c:\vvvjd.exec:\vvvjd.exe76⤵PID:2624
-
\??\c:\djvdv.exec:\djvdv.exe77⤵PID:2932
-
\??\c:\rlxrrll.exec:\rlxrrll.exe78⤵PID:948
-
\??\c:\thbnnh.exec:\thbnnh.exe79⤵PID:856
-
\??\c:\pvddd.exec:\pvddd.exe80⤵PID:3160
-
\??\c:\pjvpp.exec:\pjvpp.exe81⤵PID:4044
-
\??\c:\frrrllr.exec:\frrrllr.exe82⤵PID:3980
-
\??\c:\xxffffr.exec:\xxffffr.exe83⤵PID:1672
-
\??\c:\hnbhnb.exec:\hnbhnb.exe84⤵PID:2076
-
\??\c:\hbbtnn.exec:\hbbtnn.exe85⤵PID:4248
-
\??\c:\pjvpv.exec:\pjvpv.exe86⤵PID:3288
-
\??\c:\ppjjd.exec:\ppjjd.exe87⤵PID:4092
-
\??\c:\rlrrrlf.exec:\rlrrrlf.exe88⤵PID:3752
-
\??\c:\btthhn.exec:\btthhn.exe89⤵PID:5016
-
\??\c:\hnbtbt.exec:\hnbtbt.exe90⤵PID:2720
-
\??\c:\jdddd.exec:\jdddd.exe91⤵PID:2984
-
\??\c:\jdvpp.exec:\jdvpp.exe92⤵PID:2592
-
\??\c:\lxllfxr.exec:\lxllfxr.exe93⤵PID:3040
-
\??\c:\3lxxlrr.exec:\3lxxlrr.exe94⤵PID:1400
-
\??\c:\tttbhh.exec:\tttbhh.exe95⤵PID:4576
-
\??\c:\tnhbhh.exec:\tnhbhh.exe96⤵PID:2556
-
\??\c:\dpvjd.exec:\dpvjd.exe97⤵PID:1000
-
\??\c:\jdpjj.exec:\jdpjj.exe98⤵PID:4420
-
\??\c:\lxffxfx.exec:\lxffxfx.exe99⤵PID:1812
-
\??\c:\xflfxrl.exec:\xflfxrl.exe100⤵PID:3300
-
\??\c:\7bhbbh.exec:\7bhbbh.exe101⤵PID:1468
-
\??\c:\hbhbnn.exec:\hbhbnn.exe102⤵PID:3188
-
\??\c:\pdjjv.exec:\pdjjv.exe103⤵PID:4544
-
\??\c:\djvvp.exec:\djvvp.exe104⤵PID:2768
-
\??\c:\lfrrlrl.exec:\lfrrlrl.exe105⤵PID:2944
-
\??\c:\ffxxflr.exec:\ffxxflr.exe106⤵PID:2288
-
\??\c:\btbbbb.exec:\btbbbb.exe107⤵PID:996
-
\??\c:\nhhbtt.exec:\nhhbtt.exe108⤵PID:2920
-
\??\c:\jvpjd.exec:\jvpjd.exe109⤵PID:1532
-
\??\c:\rlfxxrl.exec:\rlfxxrl.exe110⤵PID:3588
-
\??\c:\xrlrxll.exec:\xrlrxll.exe111⤵PID:3132
-
\??\c:\nbhhhn.exec:\nbhhhn.exe112⤵PID:1240
-
\??\c:\hhhbbb.exec:\hhhbbb.exe113⤵PID:4828
-
\??\c:\ddjjj.exec:\ddjjj.exe114⤵PID:416
-
\??\c:\5jvpv.exec:\5jvpv.exe115⤵PID:3308
-
\??\c:\rfrxfxl.exec:\rfrxfxl.exe116⤵PID:2216
-
\??\c:\xxflfff.exec:\xxflfff.exe117⤵PID:4284
-
\??\c:\nntttt.exec:\nntttt.exe118⤵PID:2936
-
\??\c:\dpddd.exec:\dpddd.exe119⤵PID:5116
-
\??\c:\xxlllrr.exec:\xxlllrr.exe120⤵PID:2172
-
\??\c:\hntttt.exec:\hntttt.exe121⤵PID:2976
-
\??\c:\vdppp.exec:\vdppp.exe122⤵PID:2788