Analysis
max time kernel: 120s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2024, 23:43
Static task: static1
Behavioral task: behavioral1
Sample: eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe
Resource: win7-20240903-en
General
Target: eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe
Size: 454KB
MD5: 24c370f1592c15f02284689804ab6cfe
SHA1: 4527344624d7ec793a794a107e1915e7fad7fa95
SHA256: eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260
SHA512: 771cffc7ddded9e20fe58c0c8be490d6706aa62651e8d3c9a67ebdb866728b8d3320ca488e9519d54a25684c7c3c1bf9215252516f3385647530209acd844ae5
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (63 IoCs)
resource  yara_rule
behavioral2/memory/1064-5-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1392-11-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3176-19-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3488-33-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3288-40-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3500-44-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4244-51-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4948-57-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4136-63-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/100-69-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/212-75-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3276-80-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3212-88-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1228-94-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4976-107-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3820-114-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1216-123-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1476-130-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3980-139-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/732-145-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/772-156-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4708-162-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4144-170-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2848-174-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/752-190-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/940-194-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/448-198-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4240-207-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4952-213-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3900-220-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2544-227-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3680-234-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4332-240-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4336-244-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4308-248-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3620-264-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4172-271-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/412-281-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2312-291-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2828-304-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2880-311-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4016-330-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4100-334-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3920-344-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1152-360-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1184-385-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2324-398-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2060-417-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2544-421-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3680-429-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1416-448-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1564-459-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2464-513-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3476-529-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1440-533-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4480-591-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4240-616-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1420-657-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/4272-1062-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/1456-1066-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/3736-1214-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral2/memory/2356-1321-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid  Process
1392  xxxrrrr.exe
2900  bthnbh.exe
3176  3xlflrr.exe
3384  lfxrxfl.exe
3488  dvdvd.exe
3288  bnthhb.exe
3500  3pvvp.exe
4244  hhnnht.exe
4948  pjdpp.exe
4136  vpvvd.exe
100  7vpjj.exe
212  dpvvv.exe
3276  nhhbtt.exe
3212  httnhh.exe
1228  5ntntn.exe
4936  lxxxfff.exe
4976  vpvvd.exe
3820  fflfxxr.exe
1452  vvdvv.exe
1216  pdjdv.exe
1476  llrfxxx.exe
4376  hntnhb.exe
3980  jpvpj.exe
732  dvjdj.exe
4536  rlxxfxf.exe
772  pjjjd.exe
4708  xxfxrrl.exe
4144  3lfxllf.exe
2848  3xrrrrl.exe
5032  3djdv.exe
4680  rxfxffx.exe
752  vppjj.exe
940  hthhbb.exe
448  jjvpv.exe
3584  1llrxlr.exe
1256  rllfxxr.exe
4240  hhhbbt.exe
3248  jvdvp.exe
4952  rlllflf.exe
4796  xffxrrl.exe
3900  bhttnt.exe
848  pdjdv.exe
2544  3xlrlxx.exe
3960  bhnnhh.exe
3680  tnhbtn.exe
1044  ppjdv.exe
4332  xlllffx.exe
4336  hbhbhb.exe
4416  tbnhbh.exe
4308  1ddjd.exe
1416  rfrrlrl.exe
2344  frrrlrr.exe
2900  nhnttb.exe
3620  jpdvd.exe
1564  rflrlll.exe
4172  rfxxrlf.exe
3020  5hnbnn.exe
1116  jddvp.exe
412  xfllfrl.exe
3288  nhbtnn.exe
4320  jvjdv.exe
2312  3jddp.exe
4832  rllfffx.exe
628  nhhbnn.exe
resource  yara_rule
behavioral2/memory/1064-5-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1392-11-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3176-19-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3488-33-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3288-40-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3500-44-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4948-52-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4244-51-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4948-57-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4136-63-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/100-69-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/212-75-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3276-80-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3212-83-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1228-90-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3212-88-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1228-94-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4976-107-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3820-114-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1216-123-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1476-130-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3980-139-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/732-145-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/772-156-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4708-162-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4144-170-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2848-174-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/752-190-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/940-194-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/448-198-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4240-207-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4952-213-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3900-220-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2544-227-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3680-234-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4332-240-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4336-244-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4308-248-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3620-264-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4172-271-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/412-281-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2312-291-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2880-311-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4016-330-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4100-334-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3920-344-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1152-360-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1184-385-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2324-398-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2060-417-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2544-421-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2172-422-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3680-429-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1416-448-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1564-459-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/2464-513-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/3476-529-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1440-533-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4480-591-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4240-616-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1420-657-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/4272-1062-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral2/memory/1456-1066-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rxxxrlf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9dpjj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nhhbtt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jpvpj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  djjdp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pdjdd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pdjjj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nbbttt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nhhbnn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ppjdv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pdjdp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nbhhbb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ppjdv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  flrlxlf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jdddv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vjjdj.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target
PID 1064 wrote to memory of 1392  1064  eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe  83
PID 1064 wrote to memory of 1392  1064  eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe  83
PID 1064 wrote to memory of 1392  1064  eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe  83
PID 1392 wrote to memory of 2900  1392  xxxrrrr.exe  84
PID 1392 wrote to memory of 2900  1392  xxxrrrr.exe  84
PID 1392 wrote to memory of 2900  1392  xxxrrrr.exe  84
PID 2900 wrote to memory of 3176  2900  bthnbh.exe  85
PID 2900 wrote to memory of 3176  2900  bthnbh.exe  85
PID 2900 wrote to memory of 3176  2900  bthnbh.exe  85
PID 3176 wrote to memory of 3384  3176  3xlflrr.exe  86
PID 3176 wrote to memory of 3384  3176  3xlflrr.exe  86
PID 3176 wrote to memory of 3384  3176  3xlflrr.exe  86
PID 3384 wrote to memory of 3488  3384  lfxrxfl.exe  87
PID 3384 wrote to memory of 3488  3384  lfxrxfl.exe  87
PID 3384 wrote to memory of 3488  3384  lfxrxfl.exe  87
PID 3488 wrote to memory of 3288  3488  dvdvd.exe  88
PID 3488 wrote to memory of 3288  3488  dvdvd.exe  88
PID 3488 wrote to memory of 3288  3488  dvdvd.exe  88
PID 3288 wrote to memory of 3500  3288  bnthhb.exe  89
PID 3288 wrote to memory of 3500  3288  bnthhb.exe  89
PID 3288 wrote to memory of 3500  3288  bnthhb.exe  89
PID 3500 wrote to memory of 4244  3500  3pvvp.exe  90
PID 3500 wrote to memory of 4244  3500  3pvvp.exe  90
PID 3500 wrote to memory of 4244  3500  3pvvp.exe  90
PID 4244 wrote to memory of 4948  4244  hhnnht.exe  91
PID 4244 wrote to memory of 4948  4244  hhnnht.exe  91
PID 4244 wrote to memory of 4948  4244  hhnnht.exe  91
PID 4948 wrote to memory of 4136  4948  pjdpp.exe  92
PID 4948 wrote to memory of 4136  4948  pjdpp.exe  92
PID 4948 wrote to memory of 4136  4948  pjdpp.exe  92
PID 4136 wrote to memory of 100  4136  vpvvd.exe  93
PID 4136 wrote to memory of 100  4136  vpvvd.exe  93
PID 4136 wrote to memory of 100  4136  vpvvd.exe  93
PID 100 wrote to memory of 212  100  7vpjj.exe  94
PID 100 wrote to memory of 212  100  7vpjj.exe  94
PID 100 wrote to memory of 212  100  7vpjj.exe  94
PID 212 wrote to memory of 3276  212  dpvvv.exe  95
PID 212 wrote to memory of 3276  212  dpvvv.exe  95
PID 212 wrote to memory of 3276  212  dpvvv.exe  95
PID 3276 wrote to memory of 3212  3276  nhhbtt.exe  96
PID 3276 wrote to memory of 3212  3276  nhhbtt.exe  96
PID 3276 wrote to memory of 3212  3276  nhhbtt.exe  96
PID 3212 wrote to memory of 1228  3212  httnhh.exe  97
PID 3212 wrote to memory of 1228  3212  httnhh.exe  97
PID 3212 wrote to memory of 1228  3212  httnhh.exe  97
PID 1228 wrote to memory of 4936  1228  5ntntn.exe  98
PID 1228 wrote to memory of 4936  1228  5ntntn.exe  98
PID 1228 wrote to memory of 4936  1228  5ntntn.exe  98
PID 4936 wrote to memory of 4976  4936  lxxxfff.exe  99
PID 4936 wrote to memory of 4976  4936  lxxxfff.exe  99
PID 4936 wrote to memory of 4976  4936  lxxxfff.exe  99
PID 4976 wrote to memory of 3820  4976  vpvvd.exe  100
PID 4976 wrote to memory of 3820  4976  vpvvd.exe  100
PID 4976 wrote to memory of 3820  4976  vpvvd.exe  100
PID 3820 wrote to memory of 1452  3820  fflfxxr.exe  101
PID 3820 wrote to memory of 1452  3820  fflfxxr.exe  101
PID 3820 wrote to memory of 1452  3820  fflfxxr.exe  101
PID 1452 wrote to memory of 1216  1452  vvdvv.exe  102
PID 1452 wrote to memory of 1216  1452  vvdvv.exe  102
PID 1452 wrote to memory of 1216  1452  vvdvv.exe  102
PID 1216 wrote to memory of 1476  1216  pdjdv.exe  103
PID 1216 wrote to memory of 1476  1216  pdjdv.exe  103
PID 1216 wrote to memory of 1476  1216  pdjdv.exe  103
PID 1476 wrote to memory of 4376  1476  llrfxxx.exe  104
Processes
depth  image  command line  PID (signatures listed beneath each process)

1  C:\Users\Admin\AppData\Local\Temp\eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe  "C:\Users\Admin\AppData\Local\Temp\eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe"  PID:1064
   - Suspicious use of WriteProcessMemory
2  \??\c:\xxxrrrr.exe  c:\xxxrrrr.exe  PID:1392
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3  \??\c:\bthnbh.exe  c:\bthnbh.exe  PID:2900
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  \??\c:\3xlflrr.exe  c:\3xlflrr.exe  PID:3176
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5  \??\c:\lfxrxfl.exe  c:\lfxrxfl.exe  PID:3384
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6  \??\c:\dvdvd.exe  c:\dvdvd.exe  PID:3488
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  \??\c:\bnthhb.exe  c:\bnthhb.exe  PID:3288
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8  \??\c:\3pvvp.exe  c:\3pvvp.exe  PID:3500
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  \??\c:\hhnnht.exe  c:\hhnnht.exe  PID:4244
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10  \??\c:\pjdpp.exe  c:\pjdpp.exe  PID:4948
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11  \??\c:\vpvvd.exe  c:\vpvvd.exe  PID:4136
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12  \??\c:\7vpjj.exe  c:\7vpjj.exe  PID:100
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13  \??\c:\dpvvv.exe  c:\dpvvv.exe  PID:212
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14  \??\c:\nhhbtt.exe  c:\nhhbtt.exe  PID:3276
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
15  \??\c:\httnhh.exe  c:\httnhh.exe  PID:3212
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16  \??\c:\5ntntn.exe  c:\5ntntn.exe  PID:1228
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17  \??\c:\lxxxfff.exe  c:\lxxxfff.exe  PID:4936
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18  \??\c:\vpvvd.exe  c:\vpvvd.exe  PID:4976
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19  \??\c:\fflfxxr.exe  c:\fflfxxr.exe  PID:3820
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20  \??\c:\vvdvv.exe  c:\vvdvv.exe  PID:1452
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21  \??\c:\pdjdv.exe  c:\pdjdv.exe  PID:1216
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22  \??\c:\llrfxxx.exe  c:\llrfxxx.exe  PID:1476
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23  \??\c:\hntnhb.exe  c:\hntnhb.exe  PID:4376
   - Executes dropped EXE
24  \??\c:\jpvpj.exe  c:\jpvpj.exe  PID:3980
   - Executes dropped EXE
25  \??\c:\dvjdj.exe  c:\dvjdj.exe  PID:732
   - Executes dropped EXE
26  \??\c:\rlxxfxf.exe  c:\rlxxfxf.exe  PID:4536
   - Executes dropped EXE
27  \??\c:\pjjjd.exe  c:\pjjjd.exe  PID:772
   - Executes dropped EXE
28  \??\c:\xxfxrrl.exe  c:\xxfxrrl.exe  PID:4708
   - Executes dropped EXE
29  \??\c:\3lfxllf.exe  c:\3lfxllf.exe  PID:4144
   - Executes dropped EXE
30  \??\c:\3xrrrrl.exe  c:\3xrrrrl.exe  PID:2848
   - Executes dropped EXE
31  \??\c:\3djdv.exe  c:\3djdv.exe  PID:5032
   - Executes dropped EXE
32  \??\c:\rxfxffx.exe  c:\rxfxffx.exe  PID:4680
   - Executes dropped EXE
33  \??\c:\vppjj.exe  c:\vppjj.exe  PID:752
   - Executes dropped EXE
34  \??\c:\hthhbb.exe  c:\hthhbb.exe  PID:940
   - Executes dropped EXE
35  \??\c:\jjvpv.exe  c:\jjvpv.exe  PID:448
   - Executes dropped EXE
36  \??\c:\1llrxlr.exe  c:\1llrxlr.exe  PID:3584
   - Executes dropped EXE
37  \??\c:\rllfxxr.exe  c:\rllfxxr.exe  PID:1256
   - Executes dropped EXE
38  \??\c:\hhhbbt.exe  c:\hhhbbt.exe  PID:4240
   - Executes dropped EXE
39  \??\c:\jvdvp.exe  c:\jvdvp.exe  PID:3248
   - Executes dropped EXE
40  \??\c:\rlllflf.exe  c:\rlllflf.exe  PID:4952
   - Executes dropped EXE
41  \??\c:\xffxrrl.exe  c:\xffxrrl.exe  PID:4796
   - Executes dropped EXE
42  \??\c:\bhttnt.exe  c:\bhttnt.exe  PID:3900
   - Executes dropped EXE
43  \??\c:\pdjdv.exe  c:\pdjdv.exe  PID:848
   - Executes dropped EXE
44  \??\c:\3xlrlxx.exe  c:\3xlrlxx.exe  PID:2544
   - Executes dropped EXE
45  \??\c:\bhnnhh.exe  c:\bhnnhh.exe  PID:3960
   - Executes dropped EXE
46  \??\c:\tnhbtn.exe  c:\tnhbtn.exe  PID:3680
   - Executes dropped EXE
47  \??\c:\ppjdv.exe  c:\ppjdv.exe  PID:1044
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
48  \??\c:\xlllffx.exe  c:\xlllffx.exe  PID:4332
   - Executes dropped EXE
49  \??\c:\hbhbhb.exe  c:\hbhbhb.exe  PID:4336
   - Executes dropped EXE
50  \??\c:\tbnhbh.exe  c:\tbnhbh.exe  PID:4416
   - Executes dropped EXE
51  \??\c:\1ddjd.exe  c:\1ddjd.exe  PID:4308
   - Executes dropped EXE
52  \??\c:\rfrrlrl.exe  c:\rfrrlrl.exe  PID:1416
   - Executes dropped EXE
53  \??\c:\frrrlrr.exe  c:\frrrlrr.exe  PID:2344
   - Executes dropped EXE
54  \??\c:\nhnttb.exe  c:\nhnttb.exe  PID:2900
   - Executes dropped EXE
55  \??\c:\jpdvd.exe  c:\jpdvd.exe  PID:3620
   - Executes dropped EXE
56  \??\c:\rflrlll.exe  c:\rflrlll.exe  PID:1564
   - Executes dropped EXE
57  \??\c:\rfxxrlf.exe  c:\rfxxrlf.exe  PID:4172
   - Executes dropped EXE
58  \??\c:\5hnbnn.exe  c:\5hnbnn.exe  PID:3020
   - Executes dropped EXE
59  \??\c:\jddvp.exe  c:\jddvp.exe  PID:1116
   - Executes dropped EXE
60  \??\c:\xfllfrl.exe  c:\xfllfrl.exe  PID:412
   - Executes dropped EXE
61  \??\c:\nhbtnn.exe  c:\nhbtnn.exe  PID:3288
   - Executes dropped EXE
62  \??\c:\jvjdv.exe  c:\jvjdv.exe  PID:4320
   - Executes dropped EXE
63  \??\c:\3jddp.exe  c:\3jddp.exe  PID:2312
   - Executes dropped EXE
64  \??\c:\rllfffx.exe  c:\rllfffx.exe  PID:4832
   - Executes dropped EXE
65  \??\c:\nhhbnn.exe  c:\nhhbnn.exe  PID:628
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
66  \??\c:\ddpvv.exe  c:\ddpvv.exe  PID:388
67  \??\c:\jdjpj.exe  c:\jdjpj.exe  PID:4100
68  \??\c:\xlrlfxr.exe  c:\xlrlfxr.exe  PID:2828
69  \??\c:\nbhbtn.exe  c:\nbhbtn.exe  PID:2880
70  \??\c:\hbhbnn.exe  c:\hbhbnn.exe  PID:1264
71  \??\c:\vpddp.exe  c:\vpddp.exe  PID:2464
72  \??\c:\ffflffx.exe  c:\ffflffx.exe  PID:3212
73  \??\c:\bntnhb.exe  c:\bntnhb.exe  PID:4724
74  \??\c:\dvdvj.exe  c:\dvdvj.exe  PID:4596
75  \??\c:\9vvpd.exe  c:\9vvpd.exe  PID:4016
76  \??\c:\fffrlfx.exe  c:\fffrlfx.exe  PID:4976
77  \??\c:\htbtnt.exe  c:\htbtnt.exe  PID:4280
78  \??\c:\jpvpd.exe  c:\jpvpd.exe  PID:3812
79  \??\c:\3xrlxrl.exe  c:\3xrlxrl.exe  PID:3920
80  \??\c:\7hhbtt.exe  c:\7hhbtt.exe  PID:4780
81  \??\c:\pdvdd.exe  c:\pdvdd.exe  PID:1216
82  \??\c:\vddpj.exe  c:\vddpj.exe  PID:4928
83  \??\c:\rxxxrlf.exe  c:\rxxxrlf.exe  PID:1336
   - System Location Discovery: System Language Discovery
84  \??\c:\5tnnhh.exe  c:\5tnnhh.exe  PID:1152
85  \??\c:\pdjdd.exe  c:\pdjdd.exe  PID:1300
86  \??\c:\rxfxlfx.exe  c:\rxfxlfx.exe  PID:4500
87  \??\c:\thnnhh.exe  c:\thnnhh.exe  PID:2324
88  \??\c:\jdppd.exe  c:\jdppd.exe  PID:4992
89  \??\c:\vppjv.exe  c:\vppjv.exe  PID:2924
90  \??\c:\nbhbbb.exe  c:\nbhbbb.exe  PID:932
91  \??\c:\7nnhbh.exe  c:\7nnhbh.exe  PID:4804
92  \??\c:\pddpd.exe  c:\pddpd.exe  PID:1184
93  \??\c:\xrllfff.exe  c:\xrllfff.exe  PID:1844
94  \??\c:\btbtnt.exe  c:\btbtnt.exe  PID:1604
95  \??\c:\1pjjj.exe  c:\1pjjj.exe  PID:1624
96  \??\c:\rrxlxxr.exe  c:\rrxlxxr.exe  PID:1256
97  \??\c:\nhhhbb.exe  c:\nhhhbb.exe  PID:4240
98  \??\c:\hbbtbb.exe  c:\hbbtbb.exe  PID:5112
99  \??\c:\vvvpj.exe  c:\vvvpj.exe  PID:3492
100  \??\c:\7rlrlll.exe  c:\7rlrlll.exe  PID:4796
101  \??\c:\bbbbtt.exe  c:\bbbbtt.exe  PID:1268
102  \??\c:\httnhh.exe  c:\httnhh.exe  PID:2060
103  \??\c:\jjppd.exe  c:\jjppd.exe  PID:2544
104  \??\c:\rlfxrll.exe  c:\rlfxrll.exe  PID:2172
105  \??\c:\nhtnnn.exe  c:\nhtnnn.exe  PID:3680
106  \??\c:\5dddp.exe  c:\5dddp.exe  PID:856
107  \??\c:\xrxrllf.exe  c:\xrxrllf.exe  PID:372
108  \??\c:\bhnhbt.exe  c:\bhnhbt.exe  PID:4336
109  \??\c:\1nbthh.exe  c:\1nbthh.exe  PID:4220
110  \??\c:\jjjvj.exe  c:\jjjvj.exe  PID:1392
111  \??\c:\lflrrrx.exe  c:\lflrrrx.exe  PID:1416
112  \??\c:\thnhtt.exe  c:\thnhtt.exe  PID:3480
113  \??\c:\1djdp.exe  c:\1djdp.exe  PID:2900
114  \??\c:\vjdvj.exe  c:\vjdvj.exe  PID:3540
115  \??\c:\7rrlfff.exe  c:\7rrlfff.exe  PID:1564
116  \??\c:\3flxrrx.exe  c:\3flxrrx.exe  PID:2372
117  \??\c:\nhnnnn.exe  c:\nhnnnn.exe  PID:5028
118  \??\c:\dppjj.exe  c:\dppjj.exe  PID:864
119  \??\c:\xlxrflf.exe  c:\xlxrflf.exe  PID:976
120  \??\c:\ththbb.exe  c:\ththbb.exe  PID:2896
121  \??\c:\3hhbtn.exe  c:\3hhbtn.exe  PID:4244
122  \??\c:\pdpjd.exe  c:\pdpjd.exe  PID:3092