Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/02/2025, 20:51
Static task: static1
Behavioral task: behavioral1
Sample: 27b902be7c4b102145afb5acbf4e3be1c403ccf6ecbfe7874e98dbbbe9847794.exe
Resource: win7-20240903-en
General
Target: 27b902be7c4b102145afb5acbf4e3be1c403ccf6ecbfe7874e98dbbbe9847794.exe
Size: 453KB
MD5: ccdd7e03b5a0627d2daa73ade67da9ab
SHA1: 7e5ab154336c5d825640eaa437a8e4b7431bb9a2
SHA256: 27b902be7c4b102145afb5acbf4e3be1c403ccf6ecbfe7874e98dbbbe9847794
SHA512: add5ec8eafe718a7742915ea6d4bc88916203f86f1ebeedcb3de4dbd788d04eecc1db0b29e8950b25d6ac16e849007f09ed00badf8f97774c7ad2cad308d9fe8
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 64 IoCs
Executes dropped EXE 64 IoCs
Memory dumps matching yara rule upx 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (opened by multiple dropped executables in the chain below)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\27b902be7c4b102145afb5acbf4e3be1c403ccf6ecbfe7874e98dbbbe9847794.exe"C:\Users\Admin\AppData\Local\Temp\27b902be7c4b102145afb5acbf4e3be1c403ccf6ecbfe7874e98dbbbe9847794.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\thnbnt.exec:\thnbnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\xflxlfx.exec:\xflxlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\dvpdd.exec:\dvpdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\vdvvp.exec:\vdvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\tthhbh.exec:\tthhbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\fxrfxxr.exec:\fxrfxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\9bbthn.exec:\9bbthn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\vvvjd.exec:\vvvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\bnbhbh.exec:\bnbhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\btbtht.exec:\btbtht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\fxrlxlx.exec:\fxrlxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\hhhbtn.exec:\hhhbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\3ttnnh.exec:\3ttnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\3ppdp.exec:\3ppdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\xlrfrlx.exec:\xlrfrlx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\1bnhtn.exec:\1bnhtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\frxxlfl.exec:\frxxlfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
\??\c:\nhhbbt.exec:\nhhbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\vjvdp.exec:\vjvdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\rlfxllf.exec:\rlfxllf.exe23⤵
- Executes dropped EXE
PID:3704 -
\??\c:\htbnnh.exec:\htbnnh.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4172 -
\??\c:\tnttnn.exec:\tnttnn.exe25⤵
- Executes dropped EXE
PID:1224 -
\??\c:\9nnthb.exec:\9nnthb.exe26⤵
- Executes dropped EXE
PID:1864 -
\??\c:\htnbtn.exec:\htnbtn.exe27⤵
- Executes dropped EXE
PID:1996 -
\??\c:\llrfrlf.exec:\llrfrlf.exe28⤵
- Executes dropped EXE
PID:4392 -
\??\c:\ntbtnn.exec:\ntbtnn.exe29⤵
- Executes dropped EXE
PID:1720 -
\??\c:\jpvpj.exec:\jpvpj.exe30⤵
- Executes dropped EXE
PID:1424 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe31⤵
- Executes dropped EXE
PID:4376 -
\??\c:\3ttnhh.exec:\3ttnhh.exe32⤵
- Executes dropped EXE
PID:3064 -
\??\c:\7lllxrl.exec:\7lllxrl.exe33⤵
- Executes dropped EXE
PID:4368 -
\??\c:\tnnbnb.exec:\tnnbnb.exe34⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jvvjd.exec:\jvvjd.exe35⤵
- Executes dropped EXE
PID:2776 -
\??\c:\7xrfrfx.exec:\7xrfrfx.exe36⤵
- Executes dropped EXE
PID:1176 -
\??\c:\lrxrfxr.exec:\lrxrfxr.exe37⤵
- Executes dropped EXE
PID:3088 -
\??\c:\bbhbtt.exec:\bbhbtt.exe38⤵
- Executes dropped EXE
PID:3796 -
\??\c:\vjjjv.exec:\vjjjv.exe39⤵
- Executes dropped EXE
PID:1784 -
\??\c:\xxlrxlr.exec:\xxlrxlr.exe40⤵
- Executes dropped EXE
PID:2996 -
\??\c:\1bthbt.exec:\1bthbt.exe41⤵
- Executes dropped EXE
PID:3588 -
\??\c:\thhnbt.exec:\thhnbt.exe42⤵
- Executes dropped EXE
PID:1600 -
\??\c:\dpjvj.exec:\dpjvj.exe43⤵
- Executes dropped EXE
PID:1652 -
\??\c:\llrfrlx.exec:\llrfrlx.exe44⤵
- Executes dropped EXE
PID:888 -
\??\c:\rflrllf.exec:\rflrllf.exe45⤵
- Executes dropped EXE
PID:4908 -
\??\c:\hbbttn.exec:\hbbttn.exe46⤵
- Executes dropped EXE
PID:2752 -
\??\c:\jvjpj.exec:\jvjpj.exe47⤵
- Executes dropped EXE
PID:3356 -
\??\c:\jpvjd.exec:\jpvjd.exe48⤵
- Executes dropped EXE
PID:4592 -
\??\c:\lxxlrlr.exec:\lxxlrlr.exe49⤵
- Executes dropped EXE
PID:4604 -
\??\c:\bbbthb.exec:\bbbthb.exe50⤵
- Executes dropped EXE
PID:2092 -
\??\c:\btthhb.exec:\btthhb.exe51⤵
- Executes dropped EXE
PID:2080 -
\??\c:\vdpdv.exec:\vdpdv.exe52⤵
- Executes dropped EXE
PID:1468 -
\??\c:\9lrffxx.exec:\9lrffxx.exe53⤵
- Executes dropped EXE
PID:2336 -
\??\c:\flrfrlf.exec:\flrfrlf.exe54⤵
- Executes dropped EXE
PID:1360 -
\??\c:\tnhbnh.exec:\tnhbnh.exe55⤵
- Executes dropped EXE
PID:3472 -
\??\c:\dpvpd.exec:\dpvpd.exe56⤵
- Executes dropped EXE
PID:5084 -
\??\c:\1ppjv.exec:\1ppjv.exe57⤵
- Executes dropped EXE
PID:3764 -
\??\c:\lxrflxf.exec:\lxrflxf.exe58⤵
- Executes dropped EXE
PID:4728 -
\??\c:\btnhbt.exec:\btnhbt.exe59⤵
- Executes dropped EXE
PID:1664 -
\??\c:\vdddv.exec:\vdddv.exe60⤵
- Executes dropped EXE
PID:2660 -
\??\c:\lrllxrl.exec:\lrllxrl.exe61⤵
- Executes dropped EXE
PID:1472 -
\??\c:\bthbtb.exec:\bthbtb.exe62⤵
- Executes dropped EXE
PID:920 -
\??\c:\9vvvp.exec:\9vvvp.exe63⤵
- Executes dropped EXE
PID:2736 -
\??\c:\djjjj.exec:\djjjj.exe64⤵
- Executes dropped EXE
PID:3940 -
\??\c:\bbbtbb.exec:\bbbtbb.exe65⤵
- Executes dropped EXE
PID:3748 -
\??\c:\tntnnh.exec:\tntnnh.exe66⤵PID:1324
-
\??\c:\jdjdv.exec:\jdjdv.exe67⤵PID:536
-
\??\c:\rrrfxrl.exec:\rrrfxrl.exe68⤵PID:1476
-
\??\c:\lflfxxr.exec:\lflfxxr.exe69⤵PID:1328
-
\??\c:\hbbtnn.exec:\hbbtnn.exe70⤵PID:2416
-
\??\c:\jjpdv.exec:\jjpdv.exe71⤵PID:4408
-
\??\c:\1jpjd.exec:\1jpjd.exe72⤵PID:1224
-
\??\c:\rllfxrl.exec:\rllfxrl.exe73⤵PID:4076
-
\??\c:\hhbbtt.exec:\hhbbtt.exe74⤵PID:4064
-
\??\c:\tbbtbb.exec:\tbbtbb.exe75⤵PID:4984
-
\??\c:\djvpp.exec:\djvpp.exe76⤵PID:4916
-
\??\c:\rxxrffx.exec:\rxxrffx.exe77⤵PID:3024
-
\??\c:\hbhhhh.exec:\hbhhhh.exe78⤵PID:4448
-
\??\c:\5tnnhh.exec:\5tnnhh.exe79⤵PID:3524
-
\??\c:\pddjj.exec:\pddjj.exe80⤵PID:2604
-
\??\c:\frfxxrl.exec:\frfxxrl.exe81⤵PID:3332
-
\??\c:\7bnnhh.exec:\7bnnhh.exe82⤵PID:3768
-
\??\c:\nbnntt.exec:\nbnntt.exe83⤵
- System Location Discovery: System Language Discovery
PID:2340 -
\??\c:\pdddd.exec:\pdddd.exe84⤵PID:3184
-
\??\c:\fffxxxr.exec:\fffxxxr.exe85⤵PID:3088
-
\??\c:\hnbnhb.exec:\hnbnhb.exe86⤵PID:3664
-
\??\c:\pdddv.exec:\pdddv.exe87⤵PID:220
-
\??\c:\lxlrlll.exec:\lxlrlll.exe88⤵PID:3824
-
\??\c:\5fxlfll.exec:\5fxlfll.exe89⤵PID:3176
-
\??\c:\5tnhhh.exec:\5tnhhh.exe90⤵PID:3784
-
\??\c:\dpvpd.exec:\dpvpd.exe91⤵PID:2932
-
\??\c:\jpvpj.exec:\jpvpj.exe92⤵PID:1460
-
\??\c:\ffrlflx.exec:\ffrlflx.exe93⤵PID:1264
-
\??\c:\nbhhbb.exec:\nbhhbb.exe94⤵PID:3944
-
\??\c:\dvdvp.exec:\dvdvp.exe95⤵PID:1192
-
\??\c:\ddpjj.exec:\ddpjj.exe96⤵PID:4908
-
\??\c:\xrrrllf.exec:\xrrrllf.exe97⤵
- System Location Discovery: System Language Discovery
PID:2712 -
\??\c:\tbnntt.exec:\tbnntt.exe98⤵PID:1044
-
\??\c:\bbhbht.exec:\bbhbht.exe99⤵PID:2580
-
\??\c:\jdppj.exec:\jdppj.exe100⤵PID:2116
-
\??\c:\ffffxrr.exec:\ffffxrr.exe101⤵PID:1812
-
\??\c:\3xflfxr.exec:\3xflfxr.exe102⤵PID:3708
-
\??\c:\tnhbbb.exec:\tnhbbb.exe103⤵PID:2484
-
\??\c:\1pjdv.exec:\1pjdv.exe104⤵PID:2940
-
\??\c:\fxffrrl.exec:\fxffrrl.exe105⤵PID:2396
-
\??\c:\llxrrxx.exec:\llxrrxx.exe106⤵PID:4416
-
\??\c:\hbnnnh.exec:\hbnnnh.exe107⤵PID:5108
-
\??\c:\nbhhhh.exec:\nbhhhh.exe108⤵PID:2328
-
\??\c:\ddjjj.exec:\ddjjj.exe109⤵PID:1656
-
\??\c:\ffllflr.exec:\ffllflr.exe110⤵PID:3752
-
\??\c:\7hbtnt.exec:\7hbtnt.exe111⤵PID:640
-
\??\c:\ttbbtt.exec:\ttbbtt.exe112⤵PID:1856
-
\??\c:\ppddv.exec:\ppddv.exe113⤵PID:376
-
\??\c:\xxxrrfr.exec:\xxxrrfr.exe114⤵PID:2284
-
\??\c:\rffxfxf.exec:\rffxfxf.exe115⤵PID:1320
-
\??\c:\nbtthh.exec:\nbtthh.exe116⤵PID:3304
-
\??\c:\3ddvv.exec:\3ddvv.exe117⤵PID:4752
-
\??\c:\xllfffx.exec:\xllfffx.exe118⤵PID:2780
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe119⤵PID:2956
-
\??\c:\bhhhbb.exec:\bhhhbb.exe120⤵PID:2460
-
\??\c:\3jddp.exec:\3jddp.exe121⤵PID:4904
-
\??\c:\frxfxxx.exec:\frxfxxx.exe122⤵PID:3224