Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 11:52
Static task
static1
Behavioral task
behavioral1
Sample
8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696N.exe
Resource
win7-20240903-en
General
-
Target
8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696N.exe
-
Size
454KB
-
MD5
2fa21b7cbba39836d175210921f62740
-
SHA1
ae2df66be3eba49b4391e9a05ad3f7c85efbd2ef
-
SHA256
8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696
-
SHA512
eca315e7dd9b7ff65722f16f7d0aa63dc675bbc6cf6f18cae0b01a8ed64b99ea69b652f82ee684cf831ed17523314ddb96da34c247eff0dbd1555507f72c7bb0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2620-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1896-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5028-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-1290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-1781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2200 dpvjd.exe 5064 3llxllf.exe 3672 tbnhbt.exe 1644 dpjjj.exe 5108 xffxlfx.exe 4396 btnbtn.exe 3620 hthbth.exe 2056 9xrfrlx.exe 1284 bbtbtn.exe 1740 rxfrlfx.exe 1476 thhbnh.exe 972 fxlfxff.exe 3532 hhtnhb.exe 1540 lfxfxlf.exe 3248 hbbnhh.exe 4120 llrfxrl.exe 4328 bnhbtt.exe 2376 xlrllfl.exe 1780 hnthnh.exe 1124 xrrfrfr.exe 1260 1nnnhb.exe 2336 rxfxrlf.exe 448 9pdpd.exe 1944 btbtnn.exe 3896 xlfrlfx.exe 1896 tnbnhb.exe 2816 vvdpj.exe 3088 nbbthh.exe 3108 ththbt.exe 2920 jdvpj.exe 2564 pjdpd.exe 3272 pdjjd.exe 1436 nttnbt.exe 1748 3dppd.exe 5096 ntnhbt.exe 4424 ttthth.exe 4196 jddvj.exe 2720 xrxxxxx.exe 4352 nhnhbb.exe 1328 djppv.exe 4428 pjdjd.exe 3352 rxfrllf.exe 4864 3hbthh.exe 2984 pdvpv.exe 924 rllfxrl.exe 376 ntbtnh.exe 3680 pddpd.exe 2548 jvjdd.exe 3044 xflxlfx.exe 4828 bthbtt.exe 3668 3vjdp.exe 3692 pdjdp.exe 2620 hbhhbb.exe 3404 pjjvp.exe 4908 llrlxrf.exe 3368 9rlfrlx.exe 4408 7ttnhb.exe 2572 pjjvj.exe 1728 7lfrffr.exe 4940 lrxxrrl.exe 1140 htbtnn.exe 1400 jjvpv.exe 2696 rxrlxrl.exe 4452 bbttnn.exe -
resource yara_rule behavioral2/memory/2620-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2816-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3548-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2620 wrote to memory of 2200 2620 8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696N.exe 82 PID 2620 wrote to memory of 2200 2620 8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696N.exe 82 PID 2620 wrote to memory of 2200 2620 8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696N.exe 82 PID 2200 wrote to memory of 5064 2200 dpvjd.exe 83 PID 2200 wrote to memory of 5064 2200 dpvjd.exe 83 PID 2200 wrote to memory of 5064 2200 dpvjd.exe 83 PID 5064 wrote to memory of 3672 5064 3llxllf.exe 84 PID 5064 wrote to memory of 3672 5064 3llxllf.exe 84 PID 5064 wrote to memory of 3672 5064 3llxllf.exe 84 PID 3672 wrote to memory of 1644 3672 tbnhbt.exe 85 PID 3672 wrote to memory of 1644 3672 tbnhbt.exe 85 PID 3672 wrote to memory of 1644 3672 tbnhbt.exe 85 PID 1644 wrote to memory of 5108 1644 dpjjj.exe 86 PID 1644 wrote to memory of 5108 1644 dpjjj.exe 86 PID 1644 wrote to memory of 5108 1644 dpjjj.exe 86 PID 5108 wrote to memory of 4396 5108 xffxlfx.exe 87 PID 5108 wrote to memory of 4396 5108 xffxlfx.exe 87 PID 5108 wrote to memory of 4396 5108 xffxlfx.exe 87 PID 4396 wrote to memory of 3620 4396 btnbtn.exe 88 PID 4396 wrote to memory of 3620 4396 btnbtn.exe 88 PID 4396 wrote to memory of 3620 4396 btnbtn.exe 88 PID 3620 wrote to memory of 2056 3620 hthbth.exe 89 PID 3620 wrote to memory of 2056 3620 hthbth.exe 89 PID 3620 wrote to memory of 2056 3620 hthbth.exe 89 PID 2056 wrote to memory of 1284 2056 9xrfrlx.exe 90 PID 2056 wrote to memory of 1284 2056 9xrfrlx.exe 90 PID 2056 wrote to memory of 1284 2056 9xrfrlx.exe 90 PID 1284 wrote to memory of 1740 1284 bbtbtn.exe 91 PID 1284 wrote to memory of 1740 1284 bbtbtn.exe 91 PID 1284 wrote to memory of 1740 1284 bbtbtn.exe 91 PID 1740 wrote to memory of 1476 1740 rxfrlfx.exe 92 PID 1740 wrote to memory of 1476 1740 rxfrlfx.exe 92 PID 1740 wrote to memory of 1476 1740 rxfrlfx.exe 92 PID 1476 wrote to memory of 972 1476 thhbnh.exe 93 PID 1476 
wrote to memory of 972 1476 thhbnh.exe 93 PID 1476 wrote to memory of 972 1476 thhbnh.exe 93 PID 972 wrote to memory of 3532 972 fxlfxff.exe 94 PID 972 wrote to memory of 3532 972 fxlfxff.exe 94 PID 972 wrote to memory of 3532 972 fxlfxff.exe 94 PID 3532 wrote to memory of 1540 3532 hhtnhb.exe 95 PID 3532 wrote to memory of 1540 3532 hhtnhb.exe 95 PID 3532 wrote to memory of 1540 3532 hhtnhb.exe 95 PID 1540 wrote to memory of 3248 1540 lfxfxlf.exe 96 PID 1540 wrote to memory of 3248 1540 lfxfxlf.exe 96 PID 1540 wrote to memory of 3248 1540 lfxfxlf.exe 96 PID 3248 wrote to memory of 4120 3248 hbbnhh.exe 97 PID 3248 wrote to memory of 4120 3248 hbbnhh.exe 97 PID 3248 wrote to memory of 4120 3248 hbbnhh.exe 97 PID 4120 wrote to memory of 4328 4120 llrfxrl.exe 98 PID 4120 wrote to memory of 4328 4120 llrfxrl.exe 98 PID 4120 wrote to memory of 4328 4120 llrfxrl.exe 98 PID 4328 wrote to memory of 2376 4328 bnhbtt.exe 99 PID 4328 wrote to memory of 2376 4328 bnhbtt.exe 99 PID 4328 wrote to memory of 2376 4328 bnhbtt.exe 99 PID 2376 wrote to memory of 1780 2376 xlrllfl.exe 100 PID 2376 wrote to memory of 1780 2376 xlrllfl.exe 100 PID 2376 wrote to memory of 1780 2376 xlrllfl.exe 100 PID 1780 wrote to memory of 1124 1780 hnthnh.exe 101 PID 1780 wrote to memory of 1124 1780 hnthnh.exe 101 PID 1780 wrote to memory of 1124 1780 hnthnh.exe 101 PID 1124 wrote to memory of 1260 1124 xrrfrfr.exe 102 PID 1124 wrote to memory of 1260 1124 xrrfrfr.exe 102 PID 1124 wrote to memory of 1260 1124 xrrfrfr.exe 102 PID 1260 wrote to memory of 2336 1260 1nnnhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696N.exe"C:\Users\Admin\AppData\Local\Temp\8ae177f3bb7dc69e0016152a51d784c60efccd0afdf2f0a50903952c1d15c696N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\dpvjd.exec:\dpvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\3llxllf.exec:\3llxllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\tbnhbt.exec:\tbnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\dpjjj.exec:\dpjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\xffxlfx.exec:\xffxlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\btnbtn.exec:\btnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\hthbth.exec:\hthbth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\9xrfrlx.exec:\9xrfrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\bbtbtn.exec:\bbtbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\thhbnh.exec:\thhbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\fxlfxff.exec:\fxlfxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\hhtnhb.exec:\hhtnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\lfxfxlf.exec:\lfxfxlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\hbbnhh.exec:\hbbnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\llrfxrl.exec:\llrfxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\bnhbtt.exec:\bnhbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\xlrllfl.exec:\xlrllfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\hnthnh.exec:\hnthnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\xrrfrfr.exec:\xrrfrfr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\1nnnhb.exec:\1nnnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe23⤵
- Executes dropped EXE
PID:2336 -
\??\c:\9pdpd.exec:\9pdpd.exe24⤵
- Executes dropped EXE
PID:448 -
\??\c:\btbtnn.exec:\btbtnn.exe25⤵
- Executes dropped EXE
PID:1944 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe26⤵
- Executes dropped EXE
PID:3896 -
\??\c:\tnbnhb.exec:\tnbnhb.exe27⤵
- Executes dropped EXE
PID:1896 -
\??\c:\vvdpj.exec:\vvdpj.exe28⤵
- Executes dropped EXE
PID:2816 -
\??\c:\nbbthh.exec:\nbbthh.exe29⤵
- Executes dropped EXE
PID:3088 -
\??\c:\ththbt.exec:\ththbt.exe30⤵
- Executes dropped EXE
PID:3108 -
\??\c:\jdvpj.exec:\jdvpj.exe31⤵
- Executes dropped EXE
PID:2920 -
\??\c:\pjdpd.exec:\pjdpd.exe32⤵
- Executes dropped EXE
PID:2564 -
\??\c:\pdjjd.exec:\pdjjd.exe33⤵
- Executes dropped EXE
PID:3272 -
\??\c:\nttnbt.exec:\nttnbt.exe34⤵
- Executes dropped EXE
PID:1436 -
\??\c:\3dppd.exec:\3dppd.exe35⤵
- Executes dropped EXE
PID:1748 -
\??\c:\ntnhbt.exec:\ntnhbt.exe36⤵
- Executes dropped EXE
PID:5096 -
\??\c:\ttthth.exec:\ttthth.exe37⤵
- Executes dropped EXE
PID:4424 -
\??\c:\jddvj.exec:\jddvj.exe38⤵
- Executes dropped EXE
PID:4196 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe39⤵
- Executes dropped EXE
PID:2720 -
\??\c:\nhnhbb.exec:\nhnhbb.exe40⤵
- Executes dropped EXE
PID:4352 -
\??\c:\djppv.exec:\djppv.exe41⤵
- Executes dropped EXE
PID:1328 -
\??\c:\pjdjd.exec:\pjdjd.exe42⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rxfrllf.exec:\rxfrllf.exe43⤵
- Executes dropped EXE
PID:3352 -
\??\c:\3hbthh.exec:\3hbthh.exe44⤵
- Executes dropped EXE
PID:4864 -
\??\c:\pdvpv.exec:\pdvpv.exe45⤵
- Executes dropped EXE
PID:2984 -
\??\c:\rllfxrl.exec:\rllfxrl.exe46⤵
- Executes dropped EXE
PID:924 -
\??\c:\ntbtnh.exec:\ntbtnh.exe47⤵
- Executes dropped EXE
PID:376 -
\??\c:\pddpd.exec:\pddpd.exe48⤵
- Executes dropped EXE
PID:3680 -
\??\c:\jvjdd.exec:\jvjdd.exe49⤵
- Executes dropped EXE
PID:2548 -
\??\c:\xflxlfx.exec:\xflxlfx.exe50⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bthbtt.exec:\bthbtt.exe51⤵
- Executes dropped EXE
PID:4828 -
\??\c:\3vjdp.exec:\3vjdp.exe52⤵
- Executes dropped EXE
PID:3668 -
\??\c:\pdjdp.exec:\pdjdp.exe53⤵
- Executes dropped EXE
PID:3692 -
\??\c:\lffrlfx.exec:\lffrlfx.exe54⤵PID:2788
-
\??\c:\hbhhbb.exec:\hbhhbb.exe55⤵
- Executes dropped EXE
PID:2620 -
\??\c:\pjjvp.exec:\pjjvp.exe56⤵
- Executes dropped EXE
PID:3404 -
\??\c:\llrlxrf.exec:\llrlxrf.exe57⤵
- Executes dropped EXE
PID:4908 -
\??\c:\9rlfrlx.exec:\9rlfrlx.exe58⤵
- Executes dropped EXE
PID:3368 -
\??\c:\7ttnhb.exec:\7ttnhb.exe59⤵
- Executes dropped EXE
PID:4408 -
\??\c:\pjjvj.exec:\pjjvj.exe60⤵
- Executes dropped EXE
PID:2572 -
\??\c:\7lfrffr.exec:\7lfrffr.exe61⤵
- Executes dropped EXE
PID:1728 -
\??\c:\lrxxrrl.exec:\lrxxrrl.exe62⤵
- Executes dropped EXE
PID:4940 -
\??\c:\htbtnn.exec:\htbtnn.exe63⤵
- Executes dropped EXE
PID:1140 -
\??\c:\jjvpv.exec:\jjvpv.exe64⤵
- Executes dropped EXE
PID:1400 -
\??\c:\rxrlxrl.exec:\rxrlxrl.exe65⤵
- Executes dropped EXE
PID:2696 -
\??\c:\bbttnn.exec:\bbttnn.exe66⤵
- Executes dropped EXE
PID:4452 -
\??\c:\djppj.exec:\djppj.exe67⤵PID:2568
-
\??\c:\5lrlrfx.exec:\5lrlrfx.exe68⤵
- System Location Discovery: System Language Discovery
PID:952 -
\??\c:\hthbhh.exec:\hthbhh.exe69⤵PID:2448
-
\??\c:\dvpjd.exec:\dvpjd.exe70⤵PID:5028
-
\??\c:\vvpdv.exec:\vvpdv.exe71⤵PID:216
-
\??\c:\flxrxxx.exec:\flxrxxx.exe72⤵PID:4496
-
\??\c:\tnhbbb.exec:\tnhbbb.exe73⤵PID:2808
-
\??\c:\vdpjd.exec:\vdpjd.exe74⤵PID:4224
-
\??\c:\rlffxxx.exec:\rlffxxx.exe75⤵PID:1884
-
\??\c:\hhhbbb.exec:\hhhbbb.exe76⤵PID:3284
-
\??\c:\htnbnh.exec:\htnbnh.exe77⤵PID:3548
-
\??\c:\1lfxxxx.exec:\1lfxxxx.exe78⤵PID:1016
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe79⤵PID:4328
-
\??\c:\hhtnbn.exec:\hhtnbn.exe80⤵PID:2396
-
\??\c:\7dpjv.exec:\7dpjv.exe81⤵PID:2376
-
\??\c:\lxfrfxl.exec:\lxfrfxl.exe82⤵PID:348
-
\??\c:\frfxxll.exec:\frfxxll.exe83⤵PID:5056
-
\??\c:\thbbnh.exec:\thbbnh.exe84⤵PID:2588
-
\??\c:\jvvjv.exec:\jvvjv.exe85⤵PID:2024
-
\??\c:\9ffrffr.exec:\9ffrffr.exe86⤵PID:1932
-
\??\c:\lxffrlx.exec:\lxffrlx.exe87⤵PID:2520
-
\??\c:\nbhtnn.exec:\nbhtnn.exe88⤵PID:4532
-
\??\c:\9ddvd.exec:\9ddvd.exe89⤵PID:4100
-
\??\c:\vpdvv.exec:\vpdvv.exe90⤵PID:2272
-
\??\c:\7fllfll.exec:\7fllfll.exe91⤵PID:1424
-
\??\c:\htbttb.exec:\htbttb.exe92⤵PID:812
-
\??\c:\djvvp.exec:\djvvp.exe93⤵PID:4716
-
\??\c:\7ffrlfr.exec:\7ffrlfr.exe94⤵PID:4756
-
\??\c:\thhbtn.exec:\thhbtn.exe95⤵PID:1196
-
\??\c:\djppd.exec:\djppd.exe96⤵PID:3816
-
\??\c:\lfflxlx.exec:\lfflxlx.exe97⤵PID:2660
-
\??\c:\9ffxllf.exec:\9ffxllf.exe98⤵PID:3972
-
\??\c:\nnbtbt.exec:\nnbtbt.exe99⤵PID:3572
-
\??\c:\ppjjj.exec:\ppjjj.exe100⤵PID:1008
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe101⤵PID:3528
-
\??\c:\bbhbnh.exec:\bbhbnh.exe102⤵PID:3320
-
\??\c:\1vddv.exec:\1vddv.exe103⤵PID:5004
-
\??\c:\xxfxrll.exec:\xxfxrll.exe104⤵PID:4348
-
\??\c:\nhhtnt.exec:\nhhtnt.exe105⤵PID:1988
-
\??\c:\7pvjd.exec:\7pvjd.exe106⤵PID:2720
-
\??\c:\lfllrlf.exec:\lfllrlf.exe107⤵PID:1328
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe108⤵PID:3188
-
\??\c:\nbnhnh.exec:\nbnhnh.exe109⤵PID:1224
-
\??\c:\vpdvd.exec:\vpdvd.exe110⤵PID:5092
-
\??\c:\xxlflll.exec:\xxlflll.exe111⤵PID:2100
-
\??\c:\1bbhbb.exec:\1bbhbb.exe112⤵PID:112
-
\??\c:\3tnhbb.exec:\3tnhbb.exe113⤵PID:3348
-
\??\c:\pvjdp.exec:\pvjdp.exe114⤵PID:4872
-
\??\c:\fflxxrx.exec:\fflxxrx.exe115⤵PID:5040
-
\??\c:\3hhtbb.exec:\3hhtbb.exe116⤵PID:4024
-
\??\c:\vdpdv.exec:\vdpdv.exe117⤵PID:4340
-
\??\c:\jpvjd.exec:\jpvjd.exe118⤵PID:4364
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe119⤵PID:3628
-
\??\c:\hhthbb.exec:\hhthbb.exe120⤵PID:3952
-
\??\c:\djjvp.exec:\djjvp.exe121⤵PID:5064
-
\??\c:\lffxffr.exec:\lffxffr.exe122⤵PID:2712
-