Analysis
-
max time kernel
120s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 00:25
Static task
static1
Behavioral task
behavioral1
Sample
08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07N.exe
Resource
win7-20240903-en
General
-
Target
08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07N.exe
-
Size
453KB
-
MD5
09f71b43a2b4c441e7e5c42cdf6cefe0
-
SHA1
98fda3534bbf5f06ae1962ea3c8106c5a7eb853d
-
SHA256
08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07
-
SHA512
40e65507eed2c10bc31b4a0bbb35f3ed08d34bf30ade0ba8b93d9cff6c2defcf547970417286bd50665355d801948c53982160859e6c775f1267830f1344cbb9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5076-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2564-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4572-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/356-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-974-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-1055-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2276-1299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2200 lrlfrfx.exe 4368 bhthtn.exe 3180 djppd.exe 3348 ddvjv.exe 2788 rxxlfrf.exe 2332 hnnbth.exe 4544 jvvjv.exe 3404 vdvdd.exe 3424 rxlfxlx.exe 1632 djppv.exe 4888 hhhhth.exe 992 frrfxrf.exe 2044 vpjvp.exe 5072 tnbbth.exe 116 1ddpd.exe 2744 7nnhbn.exe 952 jpppd.exe 4296 fflrlll.exe 3884 5btbnn.exe 3768 9nbbnh.exe 2684 5lfrrll.exe 4000 nbbbbn.exe 364 pjpdv.exe 2564 xrxrrrx.exe 856 nbnbhh.exe 4576 1fxrllf.exe 2900 jddvp.exe 1912 nbhthb.exe 4740 lxrfxrf.exe 4676 bhbnbt.exe 5060 pjvvp.exe 4824 lrrflfr.exe 2740 bhtnbb.exe 4812 vddpj.exe 4360 frlfrrf.exe 1988 bnhthn.exe 4700 vpjvj.exe 4404 xlfrxrf.exe 1688 nnnbnh.exe 4820 hhhthb.exe 1096 9pvjd.exe 3428 pdvjv.exe 2060 bhhnbt.exe 5096 1hhnbn.exe 2052 9vvjv.exe 5036 rxrlxrl.exe 4876 tnnhbt.exe 4108 nnhtnb.exe 4332 pjpdp.exe 3364 9llxxrl.exe 2004 llrlxrf.exe 2200 tnhnbn.exe 1780 jvpdj.exe 4532 frffrfr.exe 2532 lxrlrll.exe 2788 bnhbtt.exe 2332 pdvjd.exe 4480 3vjvj.exe 1560 frrxlxl.exe 3596 bbbnbt.exe 2692 5bnbnb.exe 2992 pddpj.exe 3388 rlfflrf.exe 3040 lxrfrlx.exe -
resource yara_rule behavioral2/memory/5076-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2564-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3636-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/356-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-770-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 2200 5076 08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07N.exe 82 PID 5076 wrote to memory of 2200 5076 08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07N.exe 82 PID 5076 wrote to memory of 2200 5076 08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07N.exe 82 PID 2200 wrote to memory of 4368 2200 lrlfrfx.exe 83 PID 2200 wrote to memory of 4368 2200 lrlfrfx.exe 83 PID 2200 wrote to memory of 4368 2200 lrlfrfx.exe 83 PID 4368 wrote to memory of 3180 4368 bhthtn.exe 84 PID 4368 wrote to memory of 3180 4368 bhthtn.exe 84 PID 4368 wrote to memory of 3180 4368 bhthtn.exe 84 PID 3180 wrote to memory of 3348 3180 djppd.exe 85 PID 3180 wrote to memory of 3348 3180 djppd.exe 85 PID 3180 wrote to memory of 3348 3180 djppd.exe 85 PID 3348 wrote to memory of 2788 3348 ddvjv.exe 86 PID 3348 wrote to memory of 2788 3348 ddvjv.exe 86 PID 3348 wrote to memory of 2788 3348 ddvjv.exe 86 PID 2788 wrote to memory of 2332 2788 rxxlfrf.exe 87 PID 2788 wrote to memory of 2332 2788 rxxlfrf.exe 87 PID 2788 wrote to memory of 2332 2788 rxxlfrf.exe 87 PID 2332 wrote to memory of 4544 2332 hnnbth.exe 88 PID 2332 wrote to memory of 4544 2332 hnnbth.exe 88 PID 2332 wrote to memory of 4544 2332 hnnbth.exe 88 PID 4544 wrote to memory of 3404 4544 jvvjv.exe 89 PID 4544 wrote to memory of 3404 4544 jvvjv.exe 89 PID 4544 wrote to memory of 3404 4544 jvvjv.exe 89 PID 3404 wrote to memory of 3424 3404 vdvdd.exe 90 PID 3404 wrote to memory of 3424 3404 vdvdd.exe 90 PID 3404 wrote to memory of 3424 3404 vdvdd.exe 90 PID 3424 wrote to memory of 1632 3424 rxlfxlx.exe 91 PID 3424 wrote to memory of 1632 3424 rxlfxlx.exe 91 PID 3424 wrote to memory of 1632 3424 rxlfxlx.exe 91 PID 1632 wrote to memory of 4888 1632 djppv.exe 92 PID 1632 wrote to memory of 4888 1632 djppv.exe 92 PID 1632 wrote to memory of 4888 1632 djppv.exe 92 PID 4888 wrote to memory of 992 4888 hhhhth.exe 93 PID 4888 wrote to 
memory of 992 4888 hhhhth.exe 93 PID 4888 wrote to memory of 992 4888 hhhhth.exe 93 PID 992 wrote to memory of 2044 992 frrfxrf.exe 94 PID 992 wrote to memory of 2044 992 frrfxrf.exe 94 PID 992 wrote to memory of 2044 992 frrfxrf.exe 94 PID 2044 wrote to memory of 5072 2044 vpjvp.exe 95 PID 2044 wrote to memory of 5072 2044 vpjvp.exe 95 PID 2044 wrote to memory of 5072 2044 vpjvp.exe 95 PID 5072 wrote to memory of 116 5072 tnbbth.exe 96 PID 5072 wrote to memory of 116 5072 tnbbth.exe 96 PID 5072 wrote to memory of 116 5072 tnbbth.exe 96 PID 116 wrote to memory of 2744 116 1ddpd.exe 97 PID 116 wrote to memory of 2744 116 1ddpd.exe 97 PID 116 wrote to memory of 2744 116 1ddpd.exe 97 PID 2744 wrote to memory of 952 2744 7nnhbn.exe 98 PID 2744 wrote to memory of 952 2744 7nnhbn.exe 98 PID 2744 wrote to memory of 952 2744 7nnhbn.exe 98 PID 952 wrote to memory of 4296 952 jpppd.exe 99 PID 952 wrote to memory of 4296 952 jpppd.exe 99 PID 952 wrote to memory of 4296 952 jpppd.exe 99 PID 4296 wrote to memory of 3884 4296 fflrlll.exe 100 PID 4296 wrote to memory of 3884 4296 fflrlll.exe 100 PID 4296 wrote to memory of 3884 4296 fflrlll.exe 100 PID 3884 wrote to memory of 3768 3884 5btbnn.exe 101 PID 3884 wrote to memory of 3768 3884 5btbnn.exe 101 PID 3884 wrote to memory of 3768 3884 5btbnn.exe 101 PID 3768 wrote to memory of 2684 3768 9nbbnh.exe 102 PID 3768 wrote to memory of 2684 3768 9nbbnh.exe 102 PID 3768 wrote to memory of 2684 3768 9nbbnh.exe 102 PID 2684 wrote to memory of 4000 2684 5lfrrll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07N.exe"C:\Users\Admin\AppData\Local\Temp\08271f8e13b04af3ca2ce4a21c7a6cb4e24ebe1c969737ddcca23b47bf744a07N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\lrlfrfx.exec:\lrlfrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\bhthtn.exec:\bhthtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\djppd.exec:\djppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\ddvjv.exec:\ddvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\rxxlfrf.exec:\rxxlfrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\hnnbth.exec:\hnnbth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\jvvjv.exec:\jvvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\vdvdd.exec:\vdvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\rxlfxlx.exec:\rxlfxlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\djppv.exec:\djppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\hhhhth.exec:\hhhhth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\frrfxrf.exec:\frrfxrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\vpjvp.exec:\vpjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\tnbbth.exec:\tnbbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\1ddpd.exec:\1ddpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\7nnhbn.exec:\7nnhbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\jpppd.exec:\jpppd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\fflrlll.exec:\fflrlll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\5btbnn.exec:\5btbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\9nbbnh.exec:\9nbbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\5lfrrll.exec:\5lfrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\nbbbbn.exec:\nbbbbn.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4000 -
\??\c:\pjpdv.exec:\pjpdv.exe24⤵
- Executes dropped EXE
PID:364 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe25⤵
- Executes dropped EXE
PID:2564 -
\??\c:\nbnbhh.exec:\nbnbhh.exe26⤵
- Executes dropped EXE
PID:856 -
\??\c:\1fxrllf.exec:\1fxrllf.exe27⤵
- Executes dropped EXE
PID:4576 -
\??\c:\jddvp.exec:\jddvp.exe28⤵
- Executes dropped EXE
PID:2900 -
\??\c:\nbhthb.exec:\nbhthb.exe29⤵
- Executes dropped EXE
PID:1912 -
\??\c:\lxrfxrf.exec:\lxrfxrf.exe30⤵
- Executes dropped EXE
PID:4740 -
\??\c:\bhbnbt.exec:\bhbnbt.exe31⤵
- Executes dropped EXE
PID:4676 -
\??\c:\pjvvp.exec:\pjvvp.exe32⤵
- Executes dropped EXE
PID:5060 -
\??\c:\lrrflfr.exec:\lrrflfr.exe33⤵
- Executes dropped EXE
PID:4824 -
\??\c:\bhtnbb.exec:\bhtnbb.exe34⤵
- Executes dropped EXE
PID:2740 -
\??\c:\vddpj.exec:\vddpj.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4812 -
\??\c:\frlfrrf.exec:\frlfrrf.exe36⤵
- Executes dropped EXE
PID:4360 -
\??\c:\bnhthn.exec:\bnhthn.exe37⤵
- Executes dropped EXE
PID:1988 -
\??\c:\vpjvj.exec:\vpjvj.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4700 -
\??\c:\xlfrxrf.exec:\xlfrxrf.exe39⤵
- Executes dropped EXE
PID:4404 -
\??\c:\nnnbnh.exec:\nnnbnh.exe40⤵
- Executes dropped EXE
PID:1688 -
\??\c:\hhhthb.exec:\hhhthb.exe41⤵
- Executes dropped EXE
PID:4820 -
\??\c:\9pvjd.exec:\9pvjd.exe42⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pdvjv.exec:\pdvjv.exe43⤵
- Executes dropped EXE
PID:3428 -
\??\c:\bhhnbt.exec:\bhhnbt.exe44⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1hhnbn.exec:\1hhnbn.exe45⤵
- Executes dropped EXE
PID:5096 -
\??\c:\9vvjv.exec:\9vvjv.exe46⤵
- Executes dropped EXE
PID:2052 -
\??\c:\rxrlxrl.exec:\rxrlxrl.exe47⤵
- Executes dropped EXE
PID:5036 -
\??\c:\tnnhbt.exec:\tnnhbt.exe48⤵
- Executes dropped EXE
PID:4876 -
\??\c:\nnhtnb.exec:\nnhtnb.exe49⤵
- Executes dropped EXE
PID:4108 -
\??\c:\pjpdp.exec:\pjpdp.exe50⤵
- Executes dropped EXE
PID:4332 -
\??\c:\9llxxrl.exec:\9llxxrl.exe51⤵
- Executes dropped EXE
PID:3364 -
\??\c:\llrlxrf.exec:\llrlxrf.exe52⤵
- Executes dropped EXE
PID:2004 -
\??\c:\tnhnbn.exec:\tnhnbn.exe53⤵
- Executes dropped EXE
PID:2200 -
\??\c:\jvpdj.exec:\jvpdj.exe54⤵
- Executes dropped EXE
PID:1780 -
\??\c:\frffrfr.exec:\frffrfr.exe55⤵
- Executes dropped EXE
PID:4532 -
\??\c:\lxrlrll.exec:\lxrlrll.exe56⤵
- Executes dropped EXE
PID:2532 -
\??\c:\bnhbtt.exec:\bnhbtt.exe57⤵
- Executes dropped EXE
PID:2788 -
\??\c:\pdvjd.exec:\pdvjd.exe58⤵
- Executes dropped EXE
PID:2332 -
\??\c:\3vjvj.exec:\3vjvj.exe59⤵
- Executes dropped EXE
PID:4480 -
\??\c:\frrxlxl.exec:\frrxlxl.exe60⤵
- Executes dropped EXE
PID:1560 -
\??\c:\bbbnbt.exec:\bbbnbt.exe61⤵
- Executes dropped EXE
PID:3596 -
\??\c:\5bnbnb.exec:\5bnbnb.exe62⤵
- Executes dropped EXE
PID:2692 -
\??\c:\pddpj.exec:\pddpj.exe63⤵
- Executes dropped EXE
PID:2992 -
\??\c:\rlfflrf.exec:\rlfflrf.exe64⤵
- Executes dropped EXE
PID:3388 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe65⤵
- Executes dropped EXE
PID:3040 -
\??\c:\tnhtbt.exec:\tnhtbt.exe66⤵PID:4044
-
\??\c:\1vpdj.exec:\1vpdj.exe67⤵PID:1312
-
\??\c:\jjvdj.exec:\jjvdj.exe68⤵PID:2912
-
\??\c:\xfflxrr.exec:\xfflxrr.exe69⤵PID:1536
-
\??\c:\nnnhnh.exec:\nnnhnh.exe70⤵PID:992
-
\??\c:\jdvjp.exec:\jdvjp.exe71⤵PID:1916
-
\??\c:\jjjdj.exec:\jjjdj.exe72⤵PID:4112
-
\??\c:\5flxfrf.exec:\5flxfrf.exe73⤵PID:3028
-
\??\c:\nhbnbn.exec:\nhbnbn.exe74⤵PID:116
-
\??\c:\hhbthb.exec:\hhbthb.exe75⤵PID:2032
-
\??\c:\jpjvj.exec:\jpjvj.exe76⤵PID:376
-
\??\c:\7jjvj.exec:\7jjvj.exe77⤵PID:1184
-
\??\c:\fflxrlf.exec:\fflxrlf.exe78⤵PID:2456
-
\??\c:\9ththb.exec:\9ththb.exe79⤵PID:740
-
\??\c:\pjvdp.exec:\pjvdp.exe80⤵PID:4268
-
\??\c:\vvvjd.exec:\vvvjd.exe81⤵PID:4884
-
\??\c:\fxfxfxx.exec:\fxfxfxx.exe82⤵PID:4572
-
\??\c:\thhthb.exec:\thhthb.exe83⤵PID:1592
-
\??\c:\hhhbtt.exec:\hhhbtt.exe84⤵PID:2876
-
\??\c:\jvjdv.exec:\jvjdv.exe85⤵PID:1980
-
\??\c:\rrfrrlx.exec:\rrfrrlx.exe86⤵PID:728
-
\??\c:\hbhbbt.exec:\hbhbbt.exe87⤵PID:4556
-
\??\c:\1jjdv.exec:\1jjdv.exe88⤵PID:2196
-
\??\c:\vddvp.exec:\vddvp.exe89⤵PID:3300
-
\??\c:\rfrlffx.exec:\rfrlffx.exe90⤵PID:3612
-
\??\c:\pjjdv.exec:\pjjdv.exe91⤵PID:3636
-
\??\c:\frlxlxr.exec:\frlxlxr.exe92⤵PID:1912
-
\??\c:\rllflll.exec:\rllflll.exe93⤵PID:1020
-
\??\c:\tnttnn.exec:\tnttnn.exe94⤵PID:2748
-
\??\c:\9jpjd.exec:\9jpjd.exe95⤵PID:1516
-
\??\c:\fxxlffx.exec:\fxxlffx.exe96⤵PID:2984
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe97⤵PID:2672
-
\??\c:\htthtn.exec:\htthtn.exe98⤵PID:2408
-
\??\c:\3dvjv.exec:\3dvjv.exe99⤵PID:388
-
\??\c:\lflxllx.exec:\lflxllx.exe100⤵PID:1716
-
\??\c:\bhhbnb.exec:\bhhbnb.exe101⤵PID:3520
-
\??\c:\pppvd.exec:\pppvd.exe102⤵PID:2376
-
\??\c:\vvdvp.exec:\vvdvp.exe103⤵PID:4252
-
\??\c:\rrlxllr.exec:\rrlxllr.exe104⤵PID:544
-
\??\c:\nnbtnb.exec:\nnbtnb.exe105⤵PID:3152
-
\??\c:\3vjvj.exec:\3vjvj.exe106⤵PID:3092
-
\??\c:\7frfxxr.exec:\7frfxxr.exe107⤵PID:504
-
\??\c:\bhbnnh.exec:\bhbnnh.exe108⤵PID:5068
-
\??\c:\htntnn.exec:\htntnn.exe109⤵PID:2328
-
\??\c:\5pvjp.exec:\5pvjp.exe110⤵PID:2292
-
\??\c:\rllxlxr.exec:\rllxlxr.exe111⤵PID:3460
-
\??\c:\7nbtnn.exec:\7nbtnn.exe112⤵PID:4916
-
\??\c:\nnnhhb.exec:\nnnhhb.exe113⤵PID:4596
-
\??\c:\5dvjd.exec:\5dvjd.exe114⤵PID:1644
-
\??\c:\5lrfrfr.exec:\5lrfrfr.exe115⤵PID:4332
-
\??\c:\nbnhbt.exec:\nbnhbt.exe116⤵PID:3364
-
\??\c:\7ttnbb.exec:\7ttnbb.exe117⤵PID:2208
-
\??\c:\jjppv.exec:\jjppv.exe118⤵PID:4656
-
\??\c:\9fllfff.exec:\9fllfff.exe119⤵PID:1780
-
\??\c:\nbbnhb.exec:\nbbnhb.exe120⤵PID:3640
-
\??\c:\dvpdv.exec:\dvpdv.exe121⤵PID:1480
-
\??\c:\lrfrrlf.exec:\lrfrrlf.exe122⤵PID:2444