Analysis
max time kernel: 120s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2024, 15:59

Static task: static1
Behavioral task: behavioral1
Sample: 7bac2e79ee2f15773681b450edc0b847aefeaf78c8f970658b93af0da8ded708N.exe
Resource: win7-20240729-en

General
Target: 7bac2e79ee2f15773681b450edc0b847aefeaf78c8f970658b93af0da8ded708N.exe
Size: 452KB
MD5: 791638acb24c6978a7e96a9f4eb9ee90
SHA1: 435eedee2bc5e96377084dc3d2e35cff07879e9e
SHA256: 7bac2e79ee2f15773681b450edc0b847aefeaf78c8f970658b93af0da8ded708
SHA512: 913e4ac0c8b7d87253c8b150ca0beeb01a0c3bed617b1cabe9fcea8ab8c8499d2492fc668a83b84fd9346b311a7638241003b1c39577cf0fd330dbb6e3992d0f
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config

Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree, one process per line. Columns: nesting depth | image path | command line | PID | signatures triggered. Each process at depth N is a child of the depth N-1 process listed above it.

1 | C:\Users\Admin\AppData\Local\Temp\7bac2e79ee2f15773681b450edc0b847aefeaf78c8f970658b93af0da8ded708N.exe | "C:\Users\Admin\AppData\Local\Temp\7bac2e79ee2f15773681b450edc0b847aefeaf78c8f970658b93af0da8ded708N.exe" | PID 2328 | Suspicious use of WriteProcessMemory
2 | \??\c:\5xflxrr.exe | c:\5xflxrr.exe | PID 3048 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\vjdvj.exe | c:\vjdvj.exe | PID 3372 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\1rlxlfr.exe | c:\1rlxlfr.exe | PID 4808 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\nhnbnb.exe | c:\nhnbnb.exe | PID 2216 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\nnhtnb.exe | c:\nnhtnb.exe | PID 2812 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\xrllxxr.exe | c:\xrllxxr.exe | PID 3012 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\ntttbb.exe | c:\ntttbb.exe | PID 4832 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\xxrlllx.exe | c:\xxrlllx.exe | PID 2760 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\jpjvj.exe | c:\jpjvj.exe | PID 4668 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\bnthnh.exe | c:\bnthnh.exe | PID 4488 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\bnnhnh.exe | c:\bnnhnh.exe | PID 4392 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\lrxrfxf.exe | c:\lrxrfxf.exe | PID 4580 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\bnthhn.exe | c:\bnthhn.exe | PID 2264 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\pjjdd.exe | c:\pjjdd.exe | PID 4260 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | \??\c:\frlxfrl.exe | c:\frlxfrl.exe | PID 2296 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\ttbbtt.exe | c:\ttbbtt.exe | PID 2164 | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | \??\c:\9rrfxfr.exe | c:\9rrfxfr.exe | PID 3964 | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | \??\c:\xfxlfxl.exe | c:\xfxlfxl.exe | PID 2072 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | \??\c:\jvpdp.exe | c:\jvpdp.exe | PID 2384 | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | \??\c:\lrlxrlx.exe | c:\lrlxrlx.exe | PID 3016 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | \??\c:\tbntnb.exe | c:\tbntnb.exe | PID 4476 | Executes dropped EXE; Suspicious use of WriteProcessMemory
23 | \??\c:\rrrrllf.exe | c:\rrrrllf.exe | PID 724 | Executes dropped EXE
24 | \??\c:\pdvvp.exe | c:\pdvvp.exe | PID 4720 | Executes dropped EXE
25 | \??\c:\rlrlflf.exe | c:\rlrlflf.exe | PID 3304 | Executes dropped EXE
26 | \??\c:\bhbbnb.exe | c:\bhbbnb.exe | PID 3288 | Executes dropped EXE
27 | \??\c:\flxrllf.exe | c:\flxrllf.exe | PID 2568 | Executes dropped EXE
28 | \??\c:\nthbtn.exe | c:\nthbtn.exe | PID 4664 | Executes dropped EXE
29 | \??\c:\fxrfxlf.exe | c:\fxrfxlf.exe | PID 4792 | Executes dropped EXE
30 | \??\c:\3jddp.exe | c:\3jddp.exe | PID 920 | Executes dropped EXE
31 | \??\c:\pjjdd.exe | c:\pjjdd.exe | PID 4532 | Executes dropped EXE
32 | \??\c:\9htbnt.exe | c:\9htbnt.exe | PID 4152 | Executes dropped EXE
33 | \??\c:\xlrlllf.exe | c:\xlrlllf.exe | PID 2888 | Executes dropped EXE
34 | \??\c:\3rllffx.exe | c:\3rllffx.exe | PID 4316 | Executes dropped EXE
35 | \??\c:\nbbttt.exe | c:\nbbttt.exe | PID 3844 | Executes dropped EXE
36 | \??\c:\jvjdv.exe | c:\jvjdv.exe | PID 4604 | Executes dropped EXE
37 | \??\c:\3lrlllr.exe | c:\3lrlllr.exe | PID 2520 | Executes dropped EXE
38 | \??\c:\hbtnhh.exe | c:\hbtnhh.exe | PID 2128 | Executes dropped EXE
39 | \??\c:\nhbnhb.exe | c:\nhbnhb.exe | PID 3120 | Executes dropped EXE
40 | \??\c:\dvdvj.exe | c:\dvdvj.exe | PID 4600 | Executes dropped EXE
41 | \??\c:\nntntn.exe | c:\nntntn.exe | PID 1680 | Executes dropped EXE
42 | \??\c:\vvppp.exe | c:\vvppp.exe | PID 4936 | Executes dropped EXE
43 | \??\c:\9xxrlff.exe | c:\9xxrlff.exe | PID 2096 | Executes dropped EXE
44 | \??\c:\ntthth.exe | c:\ntthth.exe | PID 3412 | Executes dropped EXE
45 | \??\c:\ddpjd.exe | c:\ddpjd.exe | PID 3024 | Executes dropped EXE
46 | \??\c:\rxrfrxf.exe | c:\rxrfrxf.exe | PID 4640 | Executes dropped EXE
47 | \??\c:\fxxrlfr.exe | c:\fxxrlfr.exe | PID 3404 | Executes dropped EXE
48 | \??\c:\hbnhnh.exe | c:\hbnhnh.exe | PID 4520 | Executes dropped EXE
49 | \??\c:\djdvp.exe | c:\djdvp.exe | PID 3960 | Executes dropped EXE; System Location Discovery: System Language Discovery
50 | \??\c:\fxxxrrl.exe | c:\fxxxrrl.exe | PID 3000 | Executes dropped EXE
51 | \??\c:\nbbhnb.exe | c:\nbbhnb.exe | PID 2328 | Executes dropped EXE
52 | \??\c:\ppvdp.exe | c:\ppvdp.exe | PID 4940 | Executes dropped EXE
53 | \??\c:\lrrfrfx.exe | c:\lrrfrfx.exe | PID 3372 | Executes dropped EXE
54 | \??\c:\rrxrfxr.exe | c:\rrxrfxr.exe | PID 4468 | Executes dropped EXE
55 | \??\c:\bhnhbb.exe | c:\bhnhbb.exe | PID 4808 | Executes dropped EXE
56 | \??\c:\vjjjd.exe | c:\vjjjd.exe | PID 4428 | Executes dropped EXE
57 | \??\c:\vjpjd.exe | c:\vjpjd.exe | PID 580 | Executes dropped EXE
58 | \??\c:\3rlflfx.exe | c:\3rlflfx.exe | PID 1616 | Executes dropped EXE
59 | \??\c:\httnbb.exe | c:\httnbb.exe | PID 4240 | Executes dropped EXE
60 | \??\c:\3jjpj.exe | c:\3jjpj.exe | PID 1744 | Executes dropped EXE
61 | \??\c:\3jpdv.exe | c:\3jpdv.exe | PID 4832 | Executes dropped EXE
62 | \??\c:\lrrfxrf.exe | c:\lrrfxrf.exe | PID 2668 | Executes dropped EXE
63 | \??\c:\tttnhh.exe | c:\tttnhh.exe | PID 3132 | Executes dropped EXE
64 | \??\c:\5dppd.exe | c:\5dppd.exe | PID 712 | Executes dropped EXE
65 | \??\c:\dpjvj.exe | c:\dpjvj.exe | PID 4420 | Executes dropped EXE; System Location Discovery: System Language Discovery
66 | \??\c:\frlrrrf.exe | c:\frlrrrf.exe | PID 1708 |
67 | \??\c:\btttbt.exe | c:\btttbt.exe | PID 4960 |
68 | \??\c:\bnnhtt.exe | c:\bnnhtt.exe | PID 4580 |
69 | \??\c:\pdjdd.exe | c:\pdjdd.exe | PID 2020 |
70 | \??\c:\xfrfxrr.exe | c:\xfrfxrr.exe | PID 216 |
71 | \??\c:\9tnnbb.exe | c:\9tnnbb.exe | PID 4812 |
72 | \??\c:\nnthtt.exe | c:\nnthtt.exe | PID 3600 |
73 | \??\c:\vjppd.exe | c:\vjppd.exe | PID 1888 |
74 | \??\c:\7frfrlx.exe | c:\7frfrlx.exe | PID 4368 |
75 | \??\c:\lffxrrl.exe | c:\lffxrrl.exe | PID 4212 |
76 | \??\c:\hbbtnh.exe | c:\hbbtnh.exe | PID 4148 |
77 | \??\c:\dpjvd.exe | c:\dpjvd.exe | PID 4724 |
78 | \??\c:\lxxrfrl.exe | c:\lxxrfrl.exe | PID 3016 |
79 | \??\c:\bbhbnn.exe | c:\bbhbnn.exe | PID 1556 |
80 | \??\c:\hntthh.exe | c:\hntthh.exe | PID 1620 |
81 | \??\c:\jjpjp.exe | c:\jjpjp.exe | PID 3240 |
82 | \??\c:\xlxxlll.exe | c:\xlxxlll.exe | PID 4620 |
83 | \??\c:\nbhbnn.exe | c:\nbhbnn.exe | PID 2504 |
84 | \??\c:\3nnbnn.exe | c:\3nnbnn.exe | PID 1908 |
85 | \??\c:\vjpjd.exe | c:\vjpjd.exe | PID 2420 |
86 | \??\c:\frrfrlr.exe | c:\frrfrlr.exe | PID 3244 |
87 | \??\c:\ththnh.exe | c:\ththnh.exe | PID 680 |
88 | \??\c:\jppdj.exe | c:\jppdj.exe | PID 5092 |
89 | \??\c:\vddvd.exe | c:\vddvd.exe | PID 3140 |
90 | \??\c:\xrfrxrl.exe | c:\xrfrxrl.exe | PID 3540 |
91 | \??\c:\lxlfrfr.exe | c:\lxlfrfr.exe | PID 3616 |
92 | \??\c:\bnnnbn.exe | c:\bnnnbn.exe | PID 1096 |
93 | \??\c:\jvjvd.exe | c:\jvjvd.exe | PID 4192 |
94 | \??\c:\frrfrrr.exe | c:\frrfrrr.exe | PID 2888 |
95 | \??\c:\bnhbbt.exe | c:\bnhbbt.exe | PID 3968 | System Location Discovery: System Language Discovery
96 | \??\c:\thbnbt.exe | c:\thbnbt.exe | PID 3872 |
97 | \??\c:\5pjpd.exe | c:\5pjpd.exe | PID 2620 |
98 | \??\c:\xlrfrlx.exe | c:\xlrfrlx.exe | PID 3376 |
99 | \??\c:\hhbhtn.exe | c:\hhbhtn.exe | PID 3496 |
100 | \??\c:\dvvpj.exe | c:\dvvpj.exe | PID 4108 |
101 | \??\c:\9xxlxrf.exe | c:\9xxlxrf.exe | PID 1116 |
102 | \??\c:\xxfrfxl.exe | c:\xxfrfxl.exe | PID 3100 |
103 | \??\c:\bbnhtn.exe | c:\bbnhtn.exe | PID 1700 |
104 | \??\c:\jddvp.exe | c:\jddvp.exe | PID 2096 |
105 | \??\c:\dvjdd.exe | c:\dvjdd.exe | PID 2928 |
106 | \??\c:\flrfrrl.exe | c:\flrfrrl.exe | PID 684 |
107 | \??\c:\bnbnbt.exe | c:\bnbnbt.exe | PID 4904 |
108 | \??\c:\9dppd.exe | c:\9dppd.exe | PID 3692 |
109 | \??\c:\xflxrll.exe | c:\xflxrll.exe | PID 1980 |
110 | \??\c:\hbhbbn.exe | c:\hbhbbn.exe | PID 4364 |
111 | \??\c:\3bhbbt.exe | c:\3bhbbt.exe | PID 3364 |
112 | \??\c:\pdjjp.exe | c:\pdjjp.exe | PID 2132 |
113 | \??\c:\5frrxrl.exe | c:\5frrxrl.exe | PID 3608 |
114 | \??\c:\rrxlxxl.exe | c:\rrxlxxl.exe | PID 2936 |
115 | \??\c:\9nnbnh.exe | c:\9nnbnh.exe | PID 4272 |
116 | \??\c:\jvdpj.exe | c:\jvdpj.exe | PID 4468 |
117 | \??\c:\ffrlrlf.exe | c:\ffrlrlf.exe | PID 1084 |
118 | \??\c:\frllxrl.exe | c:\frllxrl.exe | PID 1952 |
119 | \??\c:\7tnbnh.exe | c:\7tnbnh.exe | PID 580 |
120 | \??\c:\5dpjp.exe | c:\5dpjp.exe | PID 1736 |
121 | \??\c:\fxfrlff.exe | c:\fxfrlff.exe | PID 1624 |
122 | \??\c:\7lflxfx.exe | c:\7lflxfx.exe | PID 1744 |