Analysis
  max time kernel:   120s
  max time network:  99s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26/12/2024, 19:40
Static task:       static1
Behavioral task:   behavioral1
  Sample:          9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe
  Resource:        win7-20241023-en
General
  Target:  9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe
  Size:    453KB
  MD5:     08f87bcea1bf3ec48a5a678d201db4da
  SHA1:    c3ce831d8daedaab496143294ac496383d2fad58
  SHA256:  9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed
  SHA512:  c79453d923e8a2c0ab6e8a3f30f188c4811d4a8ffef67c8a6b3f57221555cb3b0f3d089422510e8fb3ebb7007e013e0ceb90f6a89ce8b906272a876789dc36f9
  SSDEEP:  6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (64 IoCs)
  resource                                                                   yara_rule
  behavioral2/memory/2184-5-0x0000000000400000-0x000000000042A000-memory.dmp      family_blackmoon
  behavioral2/memory/4036-15-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/5108-20-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/3892-13-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/3688-30-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/3564-37-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/4448-41-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/712-49-0x0000000000400000-0x000000000042A000-memory.dmp      family_blackmoon
  behavioral2/memory/1540-59-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/1036-67-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/1496-68-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/872-73-0x0000000000400000-0x000000000042A000-memory.dmp      family_blackmoon
  behavioral2/memory/5032-88-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/3232-93-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/2680-103-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3164-79-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/4852-116-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3268-115-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2896-127-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4176-138-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4936-148-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2208-154-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4900-157-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/5008-176-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4460-191-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4004-201-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1200-214-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2296-218-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4208-222-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2528-225-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3004-229-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1520-235-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4464-242-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3688-252-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1116-257-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2884-273-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1036-279-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1260-301-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4884-323-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2936-330-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/516-337-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/628-341-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
  behavioral2/memory/4964-348-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3424-355-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4516-368-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4684-372-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3612-376-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4652-380-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2176-384-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4848-391-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4596-411-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3176-415-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1112-422-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/3608-438-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1040-466-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1400-554-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4268-621-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2376-721-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/5104-755-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4900-774-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/4544-927-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/1408-976-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
  behavioral2/memory/2420-1000-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
  behavioral2/memory/4152-1483-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
Executes dropped EXE (64 IoCs)
  pid    Process
  3892   lrflrrx.exe
  4036   hhbttt.exe
  5108   dvjdd.exe
  3688   ffxrxxf.exe
  3564   btnnbb.exe
  4448   jdpjv.exe
  712    ppdvv.exe
  2576   fxfffll.exe
  1540   rxrrllr.exe
  1036   pjppp.exe
  1496   jpvpj.exe
  872    rrxrrll.exe
  3164   9hhbtb.exe
  5032   vjppp.exe
  3232   ffxlfxx.exe
  2076   hhbhnh.exe
  2680   vvdvv.exe
  3268   fxxrllx.exe
  4852   lxlfxxr.exe
  2896   hbhhbb.exe
  924    1xfxfxf.exe
  4176   dpvpp.exe
  2972   rrfxffl.exe
  4936   jddvp.exe
  4900   bnttnn.exe
  2208   jppjd.exe
  3596   rxfrffr.exe
  2072   lflxrlf.exe
  5008   thnthn.exe
  2520   fffrlfr.exe
  4108   bhhbnh.exe
  4460   vjpjj.exe
  4796   rflfxrl.exe
  3052   hhnhnn.exe
  4004   jdvpp.exe
  244    lxxrlfx.exe
  2092   tnnhtt.exe
  4904   7nttnn.exe
  1200   dvdvp.exe
  2296   lfxrfxl.exe
  4208   btthbb.exe
  2528   3dvjd.exe
  3004   xlxrrrl.exe
  1276   nttbtn.exe
  1520   jpvpj.exe
  5100   dddvp.exe
  4464   flrlfrl.exe
  3092   bthtbt.exe
  3676   vjjdv.exe
  3688   jppjd.exe
  1116   llxrffl.exe
  3028   bbbhbh.exe
  3948   dvddj.exe
  2160   5jppj.exe
  4992   lfrrxrr.exe
  2884   3nttbh.exe
  376    jvjdv.exe
  1036   rfrlrll.exe
  1488   nnnhbt.exe
  4184   vjvdv.exe
  5012   fllffxx.exe
  5032   btnhtt.exe
  4980   bbbtnn.exe
  920    vvppd.exe
  resource                                                                   yara_rule
  behavioral2/memory/2184-5-0x0000000000400000-0x000000000042A000-memory.dmp      upx
  behavioral2/memory/4036-15-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/5108-20-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/3892-13-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/3564-31-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/3688-30-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/3564-37-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/4448-41-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/712-49-0x0000000000400000-0x000000000042A000-memory.dmp      upx
  behavioral2/memory/1540-55-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/1540-59-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/1036-67-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/1496-68-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/872-73-0x0000000000400000-0x000000000042A000-memory.dmp      upx
  behavioral2/memory/5032-88-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/3232-93-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/2680-103-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3164-79-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/4852-116-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3268-115-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2896-121-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2896-127-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4176-138-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4936-148-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2208-154-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4900-157-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/5008-176-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4460-191-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4004-201-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1200-214-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2296-218-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4208-222-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2528-225-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3004-229-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1520-235-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4464-242-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3688-252-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1116-253-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1116-257-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2884-273-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1036-279-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1260-301-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4884-323-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2936-330-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/516-337-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/628-341-0x0000000000400000-0x000000000042A000-memory.dmp     upx
  behavioral2/memory/4964-348-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3424-355-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4516-368-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4684-372-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3612-376-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4652-380-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2176-384-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4848-391-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4836-392-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4596-411-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3176-415-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1112-422-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/3608-438-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1040-466-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/1400-554-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/4268-621-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/2376-721-0x0000000000400000-0x000000000042A000-memory.dmp    upx
  behavioral2/memory/5104-755-0x0000000000400000-0x000000000042A000-memory.dmp    upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  All 64 entries have description "Key opened" and ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; the Process column, in the order reported, is:
   1. Process not Found
   2. Process not Found
   3. Process not Found
   4. Process not Found
   5. 7vdvj.exe
   6. Process not Found
   7. Process not Found
   8. Process not Found
   9. Process not Found
  10. Process not Found
  11. 9bhhbb.exe
  12. Process not Found
  13. Process not Found
  14. Process not Found
  15. Process not Found
  16. Process not Found
  17. djdjv.exe
  18. 3xrfrrf.exe
  19. Process not Found
  20. Process not Found
  21. Process not Found
  22. Process not Found
  23. Process not Found
  24. lxxrlfx.exe
  25. 5djdv.exe
  26. Process not Found
  27. ffrrllf.exe
  28. Process not Found
  29. Process not Found
  30. Process not Found
  31. 5xxlrlf.exe
  32. vpddj.exe
  33. 1lflxll.exe
  34. Process not Found
  35. Process not Found
  36. Process not Found
  37. Process not Found
  38. Process not Found
  39. 3vjdd.exe
  40. tbbhbt.exe
  41. Process not Found
  42. Process not Found
  43. fxflfrl.exe
  44. 1ntntt.exe
  45. Process not Found
  46. Process not Found
  47. Process not Found
  48. Process not Found
  49. ntbnhb.exe
  50. jvdvj.exe
  51. Process not Found
  52. 1djdd.exe
  53. Process not Found
  54. Process not Found
  55. Process not Found
  56. dvdvv.exe
  57. 1bbtnh.exe
  58. Process not Found
  59. Process not Found
  60. Process not Found
  61. Process not Found
  62. Process not Found
  63. Process not Found
  64. tnbntn.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid    Process                                                                  procid_target
  PID 2184 wrote to memory of 3892     2184   9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe   82
  PID 2184 wrote to memory of 3892     2184   9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe   82
  PID 2184 wrote to memory of 3892     2184   9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe   82
  PID 3892 wrote to memory of 4036     3892   lrflrrx.exe   83
  PID 3892 wrote to memory of 4036     3892   lrflrrx.exe   83
  PID 3892 wrote to memory of 4036     3892   lrflrrx.exe   83
  PID 4036 wrote to memory of 5108     4036   hhbttt.exe    84
  PID 4036 wrote to memory of 5108     4036   hhbttt.exe    84
  PID 4036 wrote to memory of 5108     4036   hhbttt.exe    84
  PID 5108 wrote to memory of 3688     5108   dvjdd.exe     85
  PID 5108 wrote to memory of 3688     5108   dvjdd.exe     85
  PID 5108 wrote to memory of 3688     5108   dvjdd.exe     85
  PID 3688 wrote to memory of 3564     3688   ffxrxxf.exe   86
  PID 3688 wrote to memory of 3564     3688   ffxrxxf.exe   86
  PID 3688 wrote to memory of 3564     3688   ffxrxxf.exe   86
  PID 3564 wrote to memory of 4448     3564   btnnbb.exe    87
  PID 3564 wrote to memory of 4448     3564   btnnbb.exe    87
  PID 3564 wrote to memory of 4448     3564   btnnbb.exe    87
  PID 4448 wrote to memory of 712      4448   jdpjv.exe     88
  PID 4448 wrote to memory of 712      4448   jdpjv.exe     88
  PID 4448 wrote to memory of 712      4448   jdpjv.exe     88
  PID 712 wrote to memory of 2576      712    ppdvv.exe     89
  PID 712 wrote to memory of 2576      712    ppdvv.exe     89
  PID 712 wrote to memory of 2576      712    ppdvv.exe     89
  PID 2576 wrote to memory of 1540     2576   fxfffll.exe   90
  PID 2576 wrote to memory of 1540     2576   fxfffll.exe   90
  PID 2576 wrote to memory of 1540     2576   fxfffll.exe   90
  PID 1540 wrote to memory of 1036     1540   rxrrllr.exe   91
  PID 1540 wrote to memory of 1036     1540   rxrrllr.exe   91
  PID 1540 wrote to memory of 1036     1540   rxrrllr.exe   91
  PID 1036 wrote to memory of 1496     1036   pjppp.exe     92
  PID 1036 wrote to memory of 1496     1036   pjppp.exe     92
  PID 1036 wrote to memory of 1496     1036   pjppp.exe     92
  PID 1496 wrote to memory of 872      1496   jpvpj.exe     93
  PID 1496 wrote to memory of 872      1496   jpvpj.exe     93
  PID 1496 wrote to memory of 872      1496   jpvpj.exe     93
  PID 872 wrote to memory of 3164      872    rrxrrll.exe   94
  PID 872 wrote to memory of 3164      872    rrxrrll.exe   94
  PID 872 wrote to memory of 3164      872    rrxrrll.exe   94
  PID 3164 wrote to memory of 5032     3164   9hhbtb.exe    95
  PID 3164 wrote to memory of 5032     3164   9hhbtb.exe    95
  PID 3164 wrote to memory of 5032     3164   9hhbtb.exe    95
  PID 5032 wrote to memory of 3232     5032   vjppp.exe     96
  PID 5032 wrote to memory of 3232     5032   vjppp.exe     96
  PID 5032 wrote to memory of 3232     5032   vjppp.exe     96
  PID 3232 wrote to memory of 2076     3232   ffxlfxx.exe   97
  PID 3232 wrote to memory of 2076     3232   ffxlfxx.exe   97
  PID 3232 wrote to memory of 2076     3232   ffxlfxx.exe   97
  PID 2076 wrote to memory of 2680     2076   hhbhnh.exe    98
  PID 2076 wrote to memory of 2680     2076   hhbhnh.exe    98
  PID 2076 wrote to memory of 2680     2076   hhbhnh.exe    98
  PID 2680 wrote to memory of 3268     2680   vvdvv.exe     99
  PID 2680 wrote to memory of 3268     2680   vvdvv.exe     99
  PID 2680 wrote to memory of 3268     2680   vvdvv.exe     99
  PID 3268 wrote to memory of 4852     3268   fxxrllx.exe   100
  PID 3268 wrote to memory of 4852     3268   fxxrllx.exe   100
  PID 3268 wrote to memory of 4852     3268   fxxrllx.exe   100
  PID 4852 wrote to memory of 2896     4852   lxlfxxr.exe   101
  PID 4852 wrote to memory of 2896     4852   lxlfxxr.exe   101
  PID 4852 wrote to memory of 2896     4852   lxlfxxr.exe   101
  PID 2896 wrote to memory of 924      2896   hbhhbb.exe    102
  PID 2896 wrote to memory of 924      2896   hbhhbb.exe    102
  PID 2896 wrote to memory of 924      2896   hbhhbb.exe    102
  PID 924 wrote to memory of 4176      924    1xfxfxf.exe   103
Processes
Process tree (the number in brackets is the depth; each process is a child of the one listed above it). Each line gives the image path, the command line in parentheses, and the PID, followed by the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe ("C:\Users\Admin\AppData\Local\Temp\9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe")  PID:2184
    - Suspicious use of WriteProcessMemory
[2] \??\c:\lrflrrx.exe (c:\lrflrrx.exe)  PID:3892
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[3] \??\c:\hhbttt.exe (c:\hhbttt.exe)  PID:4036
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[4] \??\c:\dvjdd.exe (c:\dvjdd.exe)  PID:5108
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[5] \??\c:\ffxrxxf.exe (c:\ffxrxxf.exe)  PID:3688
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[6] \??\c:\btnnbb.exe (c:\btnnbb.exe)  PID:3564
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[7] \??\c:\jdpjv.exe (c:\jdpjv.exe)  PID:4448
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[8] \??\c:\ppdvv.exe (c:\ppdvv.exe)  PID:712
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[9] \??\c:\fxfffll.exe (c:\fxfffll.exe)  PID:2576
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[10] \??\c:\rxrrllr.exe (c:\rxrrllr.exe)  PID:1540
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[11] \??\c:\pjppp.exe (c:\pjppp.exe)  PID:1036
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[12] \??\c:\jpvpj.exe (c:\jpvpj.exe)  PID:1496
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[13] \??\c:\rrxrrll.exe (c:\rrxrrll.exe)  PID:872
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[14] \??\c:\9hhbtb.exe (c:\9hhbtb.exe)  PID:3164
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[15] \??\c:\vjppp.exe (c:\vjppp.exe)  PID:5032
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[16] \??\c:\ffxlfxx.exe (c:\ffxlfxx.exe)  PID:3232
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[17] \??\c:\hhbhnh.exe (c:\hhbhnh.exe)  PID:2076
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[18] \??\c:\vvdvv.exe (c:\vvdvv.exe)  PID:2680
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[19] \??\c:\fxxrllx.exe (c:\fxxrllx.exe)  PID:3268
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[20] \??\c:\lxlfxxr.exe (c:\lxlfxxr.exe)  PID:4852
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[21] \??\c:\hbhhbb.exe (c:\hbhhbb.exe)  PID:2896
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[22] \??\c:\1xfxfxf.exe (c:\1xfxfxf.exe)  PID:924
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[23] \??\c:\dpvpp.exe (c:\dpvpp.exe)  PID:4176
    - Executes dropped EXE
[24] \??\c:\rrfxffl.exe (c:\rrfxffl.exe)  PID:2972
    - Executes dropped EXE
[25] \??\c:\jddvp.exe (c:\jddvp.exe)  PID:4936
    - Executes dropped EXE
[26] \??\c:\bnttnn.exe (c:\bnttnn.exe)  PID:4900
    - Executes dropped EXE
[27] \??\c:\jppjd.exe (c:\jppjd.exe)  PID:2208
    - Executes dropped EXE
[28] \??\c:\rxfrffr.exe (c:\rxfrffr.exe)  PID:3596
    - Executes dropped EXE
[29] \??\c:\lflxrlf.exe (c:\lflxrlf.exe)  PID:2072
    - Executes dropped EXE
[30] \??\c:\thnthn.exe (c:\thnthn.exe)  PID:5008
    - Executes dropped EXE
[31] \??\c:\fffrlfr.exe (c:\fffrlfr.exe)  PID:2520
    - Executes dropped EXE
[32] \??\c:\bhhbnh.exe (c:\bhhbnh.exe)  PID:4108
    - Executes dropped EXE
[33] \??\c:\vjpjj.exe (c:\vjpjj.exe)  PID:4460
    - Executes dropped EXE
[34] \??\c:\rflfxrl.exe (c:\rflfxrl.exe)  PID:4796
    - Executes dropped EXE
[35] \??\c:\hhnhnn.exe (c:\hhnhnn.exe)  PID:3052
    - Executes dropped EXE
[36] \??\c:\jdvpp.exe (c:\jdvpp.exe)  PID:4004
    - Executes dropped EXE
[37] \??\c:\lxxrlfx.exe (c:\lxxrlfx.exe)  PID:244
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[38] \??\c:\tnnhtt.exe (c:\tnnhtt.exe)  PID:2092
    - Executes dropped EXE
[39] \??\c:\7nttnn.exe (c:\7nttnn.exe)  PID:4904
    - Executes dropped EXE
[40] \??\c:\dvdvp.exe (c:\dvdvp.exe)  PID:1200
    - Executes dropped EXE
[41] \??\c:\lfxrfxl.exe (c:\lfxrfxl.exe)  PID:2296
    - Executes dropped EXE
[42] \??\c:\btthbb.exe (c:\btthbb.exe)  PID:4208
    - Executes dropped EXE
[43] \??\c:\3dvjd.exe (c:\3dvjd.exe)  PID:2528
    - Executes dropped EXE
[44] \??\c:\xlxrrrl.exe (c:\xlxrrrl.exe)  PID:3004
    - Executes dropped EXE
[45] \??\c:\nttbtn.exe (c:\nttbtn.exe)  PID:1276
    - Executes dropped EXE
[46] \??\c:\jpvpj.exe (c:\jpvpj.exe)  PID:1520
    - Executes dropped EXE
[47] \??\c:\dddvp.exe (c:\dddvp.exe)  PID:5100
    - Executes dropped EXE
[48] \??\c:\flrlfrl.exe (c:\flrlfrl.exe)  PID:4464
    - Executes dropped EXE
[49] \??\c:\bthtbt.exe (c:\bthtbt.exe)  PID:3092
    - Executes dropped EXE
[50] \??\c:\vjjdv.exe (c:\vjjdv.exe)  PID:3676
    - Executes dropped EXE
[51] \??\c:\jppjd.exe (c:\jppjd.exe)  PID:3688
    - Executes dropped EXE
[52] \??\c:\llxrffl.exe (c:\llxrffl.exe)  PID:1116
    - Executes dropped EXE
[53] \??\c:\bbbhbh.exe (c:\bbbhbh.exe)  PID:3028
    - Executes dropped EXE
[54] \??\c:\dvddj.exe (c:\dvddj.exe)  PID:3948
    - Executes dropped EXE
[55] \??\c:\5jppj.exe (c:\5jppj.exe)  PID:2160
    - Executes dropped EXE
[56] \??\c:\lfrrxrr.exe (c:\lfrrxrr.exe)  PID:4992
    - Executes dropped EXE
[57] \??\c:\3nttbh.exe (c:\3nttbh.exe)  PID:2884
    - Executes dropped EXE
[58] \??\c:\jvjdv.exe (c:\jvjdv.exe)  PID:376
    - Executes dropped EXE
[59] \??\c:\rfrlrll.exe (c:\rfrlrll.exe)  PID:1036
    - Executes dropped EXE
[60] \??\c:\nnnhbt.exe (c:\nnnhbt.exe)  PID:1488
    - Executes dropped EXE
[61] \??\c:\vjvdv.exe (c:\vjvdv.exe)  PID:4184
    - Executes dropped EXE
[62] \??\c:\fllffxx.exe (c:\fllffxx.exe)  PID:5012
    - Executes dropped EXE
[63] \??\c:\btnhtt.exe (c:\btnhtt.exe)  PID:5032
    - Executes dropped EXE
[64] \??\c:\bbbtnn.exe (c:\bbbtnn.exe)  PID:4980
    - Executes dropped EXE
[65] \??\c:\vvppd.exe (c:\vvppd.exe)  PID:920
    - Executes dropped EXE
[66] \??\c:\lffxrll.exe (c:\lffxrll.exe)  PID:1260
[67] \??\c:\htbhbt.exe (c:\htbhbt.exe)  PID:3068
[68] \??\c:\pjpjd.exe (c:\pjpjd.exe)  PID:2128
[69] \??\c:\7xrlfrr.exe (c:\7xrlfrr.exe)  PID:3276
[70] \??\c:\xrxrrrl.exe (c:\xrxrrrl.exe)  PID:780
[71] \??\c:\9nttnn.exe (c:\9nttnn.exe)  PID:2628
[72] \??\c:\pjjdp.exe (c:\pjjdp.exe)  PID:1764
[73] \??\c:\rrrlfxr.exe (c:\rrrlfxr.exe)  PID:4884
[74] \??\c:\tbttnn.exe (c:\tbttnn.exe)  PID:1916
[75] \??\c:\vjvpd.exe (c:\vjvpd.exe)  PID:2936
[76] \??\c:\rxrrffl.exe (c:\rxrrffl.exe)  PID:1272
[77] \??\c:\nnthtt.exe (c:\nnthtt.exe)  PID:516
[78] \??\c:\hnnhtn.exe (c:\hnnhtn.exe)  PID:628
[79] \??\c:\djdvp.exe (c:\djdvp.exe)  PID:2316
[80] \??\c:\xrlxxxr.exe (c:\xrlxxxr.exe)  PID:4964
[81] \??\c:\tntnhb.exe (c:\tntnhb.exe)  PID:2972
[82] \??\c:\jvdjd.exe (c:\jvdjd.exe)  PID:3424
[83] \??\c:\xllfrlx.exe (c:\xllfrlx.exe)  PID:1976
[84] \??\c:\nhbtnn.exe (c:\nhbtnn.exe)  PID:3856
[85] \??\c:\vjddd.exe (c:\vjddd.exe)  PID:2208
[86] \??\c:\jvjdd.exe (c:\jvjdd.exe)  PID:4516
[87] \??\c:\9rxrlxr.exe (c:\9rxrlxr.exe)  PID:4684
[88] \??\c:\vdjjd.exe (c:\vdjjd.exe)  PID:3612
[89] \??\c:\vvvdp.exe (c:\vvvdp.exe)  PID:4652
[90] \??\c:\xffxrlf.exe (c:\xffxrlf.exe)  PID:2176
[91] \??\c:\hhhbbb.exe (c:\hhhbbb.exe)  PID:4568
[92] \??\c:\pdpjv.exe (c:\pdpjv.exe)  PID:4848
[93] \??\c:\lrflfxl.exe (c:\lrflfxl.exe)  PID:4836
[94] \??\c:\xlrffxx.exe (c:\xlrffxx.exe)  PID:2544
[95] \??\c:\9tttnn.exe (c:\9tttnn.exe)  PID:4824
[96] \??\c:\jjpjd.exe (c:\jjpjd.exe)  PID:2420
[97] \??\c:\lxfflxx.exe (c:\lxfflxx.exe)  PID:4288
[98] \??\c:\nntnnn.exe (c:\nntnnn.exe)  PID:4596
[99] \??\c:\bbhbtt.exe (c:\bbhbtt.exe)  PID:3176
[100] \??\c:\jpjvv.exe (c:\jpjvv.exe)  PID:3392
[101] \??\c:\rfrrlll.exe (c:\rfrrlll.exe)  PID:1112
[102] \??\c:\rxfxlxl.exe (c:\rxfxlxl.exe)  PID:1592
[103] \??\c:\5bbtbt.exe (c:\5bbtbt.exe)  PID:4404
[104] \??\c:\vjpjj.exe (c:\vjpjj.exe)  PID:4400
[105] \??\c:\5jjjj.exe (c:\5jjjj.exe)  PID:1068
[106] \??\c:\fxlrxxl.exe (c:\fxlrxxl.exe)  PID:3608
[107] \??\c:\bbbnhh.exe (c:\bbbnhh.exe)  PID:8
[108] \??\c:\3jpjd.exe (c:\3jpjd.exe)  PID:1032
[109] \??\c:\9rxlffx.exe (c:\9rxlffx.exe)  PID:336
[110] \??\c:\tbnntt.exe (c:\tbnntt.exe)  PID:116
[111] \??\c:\dvpjj.exe (c:\dvpjj.exe)  PID:4856
[112] \??\c:\3lfxrrr.exe (c:\3lfxrrr.exe)  PID:1168
[113] \??\c:\tnhhnb.exe (c:\tnhhnb.exe)  PID:3280
[114] \??\c:\bnbbbb.exe (c:\bnbbbb.exe)  PID:3092
[115] \??\c:\pjvpp.exe (c:\pjvpp.exe)  PID:1040
[116] \??\c:\7rxfflr.exe (c:\7rxfflr.exe)  PID:4448
[117] \??\c:\3ttnhn.exe (c:\3ttnhn.exe)  PID:3912
[118] \??\c:\9vppp.exe (c:\9vppp.exe)  PID:1412
[119] \??\c:\ppvpp.exe (c:\ppvpp.exe)  PID:712
[120] \??\c:\fffxrxx.exe (c:\fffxrxx.exe)  PID:3548
[121] \??\c:\bhhtnb.exe (c:\bhhtnb.exe)  PID:540
[122] \??\c:\dvpvj.exe (c:\dvpvj.exe)  PID:4572