Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/08/2024, 17:37
Behavioral task
behavioral1
Sample
b88040f32b7e02bcd7460b22d84bec00N.exe
Resource
win7-20240729-en
6 signatures
120 seconds
General
-
Target
b88040f32b7e02bcd7460b22d84bec00N.exe
-
Size
95KB
-
MD5
b88040f32b7e02bcd7460b22d84bec00
-
SHA1
31885831b2dcabb05306ac940181ae1c4a5812d1
-
SHA256
d454b3fc4bcdd5a63f144839090db09c2c483c73d7c0bedfc26a3689edf8b2c3
-
SHA512
d0ed88551888ac96308001a288aa818f721d00bcc6d2a5a458b93c67ea90368541bd3c4e679e4e0f4d4f804b3ab353b475bcdf2206df5c1933c6d5e8b90047a3
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w801ouAsG9ZoPEudJGdXRKXREmXZj:xhOmTsF93UYfwC6GIout03Fv9KdJoQGg
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4508-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3736-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3292-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/348-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1236-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2784-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1908-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2560-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2244-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4388-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3724-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3476-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/936-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3096-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-434-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/864-500-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2572-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-619-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-669-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-734-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-741-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-760-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2092-848-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1044 pvvvp.exe 1820 vpjdp.exe 4244 fxlxffl.exe 5032 rrxxxxf.exe 3964 3jpjj.exe 3736 7djpd.exe 3052 xflfrrl.exe 3280 xrfxrrl.exe 4700 tnnhhb.exe 952 ppjvp.exe 208 jjdpj.exe 2596 1rlfrll.exe 3292 hntnhh.exe 4580 ddvpp.exe 348 pdvpd.exe 2224 3xfrlff.exe 5020 btnhbb.exe 3208 hbnnnn.exe 4928 jpvpp.exe 3948 5ppjd.exe 3132 lxxrxxr.exe 4812 rflfxxr.exe 1088 hbnnhh.exe 3160 nhnnnn.exe 4536 tttnbb.exe 4816 vpddd.exe 1524 jvpjd.exe 1748 5ffxxrr.exe 2540 lxxrrrl.exe 4400 hnnhbt.exe 3416 tnntnt.exe 3812 nbtnhh.exe 1208 pdjdv.exe 1236 vppdd.exe 2244 rlxxrrl.exe 4648 xnttnnh.exe 1788 hntnhb.exe 1044 bbnnhh.exe 4424 jpjjp.exe 1908 jdjjd.exe 5032 fxrrllf.exe 3036 xrlxrlf.exe 2576 7tbtnh.exe 4116 tthbtt.exe 2784 dpvpj.exe 4240 9vvpj.exe 2560 xrlfxrl.exe 3648 lflxrfx.exe 3444 bthtnn.exe 3480 hbttnn.exe 1648 djvvj.exe 1060 vvvpj.exe 2240 rllfxrl.exe 3696 bhhtnn.exe 2060 bhhbbh.exe 2228 dpdpj.exe 940 jdvpd.exe 3992 fxxrllf.exe 3420 thbbtt.exe 1960 1ttnbh.exe 3232 vppjv.exe 4388 rfffrrr.exe 4272 llffxxx.exe 4660 tbhnhh.exe -
resource yara_rule behavioral2/memory/4508-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000900000002342e-4.dat upx behavioral2/memory/4508-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1044-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023434-10.dat upx behavioral2/files/0x0007000000023435-12.dat upx behavioral2/memory/1820-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5032-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023436-23.dat upx behavioral2/memory/4244-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5032-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023437-30.dat upx behavioral2/files/0x0007000000023438-36.dat upx behavioral2/memory/3736-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3964-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023439-40.dat upx behavioral2/files/0x000700000002343a-46.dat upx behavioral2/memory/3280-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3052-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343b-52.dat upx behavioral2/memory/4700-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343d-63.dat upx behavioral2/files/0x000700000002343c-60.dat upx behavioral2/memory/952-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/208-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2596-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023440-82.dat upx behavioral2/memory/4580-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3292-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002343f-78.dat upx 
behavioral2/files/0x000700000002343e-71.dat upx behavioral2/memory/348-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023442-97.dat upx behavioral2/files/0x0007000000023443-102.dat upx behavioral2/memory/2224-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023444-108.dat upx behavioral2/files/0x0007000000023445-113.dat upx behavioral2/files/0x0007000000023446-117.dat upx behavioral2/files/0x0007000000023447-123.dat upx behavioral2/files/0x0007000000023448-131.dat upx behavioral2/files/0x000800000002344b-143.dat upx behavioral2/files/0x000700000002344d-155.dat upx behavioral2/memory/1748-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023452-185.dat upx behavioral2/files/0x0007000000023453-188.dat upx behavioral2/memory/1236-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1788-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4424-216-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2784-239-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1908-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2560-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1044-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3648-249-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2244-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1236-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2540-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023451-178.dat upx behavioral2/memory/1748-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023450-173.dat upx behavioral2/files/0x000700000002344f-167.dat upx 
behavioral2/memory/1524-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344e-161.dat upx behavioral2/memory/3444-253-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4536-151-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtthh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4508 wrote to memory of 1044 4508 b88040f32b7e02bcd7460b22d84bec00N.exe 83 PID 4508 wrote to memory of 1044 4508 b88040f32b7e02bcd7460b22d84bec00N.exe 83 PID 4508 wrote to memory of 1044 4508 b88040f32b7e02bcd7460b22d84bec00N.exe 83 PID 1044 wrote to memory of 1820 1044 pvvvp.exe 84 PID 1044 wrote to memory of 1820 1044 pvvvp.exe 84 PID 1044 wrote to memory of 1820 1044 pvvvp.exe 84 PID 1820 wrote to memory of 4244 1820 vpjdp.exe 85 PID 1820 wrote to memory of 4244 1820 vpjdp.exe 85 PID 1820 wrote to memory of 4244 1820 vpjdp.exe 85 PID 4244 wrote to memory of 5032 4244 fxlxffl.exe 126 PID 4244 wrote to memory of 5032 4244 fxlxffl.exe 126 PID 4244 wrote to memory of 5032 4244 fxlxffl.exe 126 PID 5032 wrote to memory of 3964 5032 rrxxxxf.exe 88 PID 5032 wrote to memory of 3964 5032 rrxxxxf.exe 88 PID 5032 wrote to memory of 3964 5032 rrxxxxf.exe 88 PID 3964 wrote to memory of 3736 3964 3jpjj.exe 90 PID 3964 wrote to memory of 3736 3964 3jpjj.exe 90 PID 3964 wrote to memory of 3736 3964 3jpjj.exe 90 PID 3736 wrote to memory of 3052 3736 7djpd.exe 91 PID 3736 wrote to memory of 3052 3736 7djpd.exe 91 PID 3736 wrote to memory of 3052 3736 7djpd.exe 91 PID 3052 wrote to memory of 3280 3052 xflfrrl.exe 92 PID 3052 wrote to memory of 3280 3052 xflfrrl.exe 92 PID 3052 wrote to memory of 3280 3052 xflfrrl.exe 92 PID 3280 wrote to memory of 4700 3280 xrfxrrl.exe 93 PID 3280 wrote to memory of 4700 3280 xrfxrrl.exe 93 PID 3280 wrote to memory of 4700 3280 xrfxrrl.exe 93 PID 4700 wrote to memory of 952 4700 tnnhhb.exe 94 PID 4700 wrote to memory of 952 4700 tnnhhb.exe 94 PID 4700 wrote to memory of 952 4700 tnnhhb.exe 94 PID 952 wrote to memory of 208 952 ppjvp.exe 95 PID 952 wrote to memory of 208 952 ppjvp.exe 95 PID 952 wrote to memory of 208 952 ppjvp.exe 95 PID 208 wrote to memory of 2596 208 jjdpj.exe 97 PID 208 wrote to memory of 2596 208 jjdpj.exe 97 PID 208 wrote to memory of 2596 208 jjdpj.exe 97 PID 2596 wrote to memory of 
3292 2596 1rlfrll.exe 98 PID 2596 wrote to memory of 3292 2596 1rlfrll.exe 98 PID 2596 wrote to memory of 3292 2596 1rlfrll.exe 98 PID 3292 wrote to memory of 4580 3292 hntnhh.exe 99 PID 3292 wrote to memory of 4580 3292 hntnhh.exe 99 PID 3292 wrote to memory of 4580 3292 hntnhh.exe 99 PID 4580 wrote to memory of 348 4580 ddvpp.exe 100 PID 4580 wrote to memory of 348 4580 ddvpp.exe 100 PID 4580 wrote to memory of 348 4580 ddvpp.exe 100 PID 348 wrote to memory of 2224 348 pdvpd.exe 101 PID 348 wrote to memory of 2224 348 pdvpd.exe 101 PID 348 wrote to memory of 2224 348 pdvpd.exe 101 PID 2224 wrote to memory of 5020 2224 3xfrlff.exe 102 PID 2224 wrote to memory of 5020 2224 3xfrlff.exe 102 PID 2224 wrote to memory of 5020 2224 3xfrlff.exe 102 PID 5020 wrote to memory of 3208 5020 btnhbb.exe 103 PID 5020 wrote to memory of 3208 5020 btnhbb.exe 103 PID 5020 wrote to memory of 3208 5020 btnhbb.exe 103 PID 3208 wrote to memory of 4928 3208 hbnnnn.exe 104 PID 3208 wrote to memory of 4928 3208 hbnnnn.exe 104 PID 3208 wrote to memory of 4928 3208 hbnnnn.exe 104 PID 4928 wrote to memory of 3948 4928 jpvpp.exe 105 PID 4928 wrote to memory of 3948 4928 jpvpp.exe 105 PID 4928 wrote to memory of 3948 4928 jpvpp.exe 105 PID 3948 wrote to memory of 3132 3948 5ppjd.exe 106 PID 3948 wrote to memory of 3132 3948 5ppjd.exe 106 PID 3948 wrote to memory of 3132 3948 5ppjd.exe 106 PID 3132 wrote to memory of 4812 3132 lxxrxxr.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b88040f32b7e02bcd7460b22d84bec00N.exe"C:\Users\Admin\AppData\Local\Temp\b88040f32b7e02bcd7460b22d84bec00N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\pvvvp.exec:\pvvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\vpjdp.exec:\vpjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\fxlxffl.exec:\fxlxffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\rrxxxxf.exec:\rrxxxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\3jpjj.exec:\3jpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\7djpd.exec:\7djpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\xflfrrl.exec:\xflfrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\tnnhhb.exec:\tnnhhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\ppjvp.exec:\ppjvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\jjdpj.exec:\jjdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\1rlfrll.exec:\1rlfrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\hntnhh.exec:\hntnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\ddvpp.exec:\ddvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\pdvpd.exec:\pdvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\3xfrlff.exec:\3xfrlff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\btnhbb.exec:\btnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\hbnnnn.exec:\hbnnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\jpvpp.exec:\jpvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\5ppjd.exec:\5ppjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\lxxrxxr.exec:\lxxrxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\rflfxxr.exec:\rflfxxr.exe23⤵
- Executes dropped EXE
PID:4812 -
\??\c:\hbnnhh.exec:\hbnnhh.exe24⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nhnnnn.exec:\nhnnnn.exe25⤵
- Executes dropped EXE
PID:3160 -
\??\c:\tttnbb.exec:\tttnbb.exe26⤵
- Executes dropped EXE
PID:4536 -
\??\c:\vpddd.exec:\vpddd.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4816 -
\??\c:\jvpjd.exec:\jvpjd.exe28⤵
- Executes dropped EXE
PID:1524 -
\??\c:\5ffxxrr.exec:\5ffxxrr.exe29⤵
- Executes dropped EXE
PID:1748 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe30⤵
- Executes dropped EXE
PID:2540 -
\??\c:\hnnhbt.exec:\hnnhbt.exe31⤵
- Executes dropped EXE
PID:4400 -
\??\c:\tnntnt.exec:\tnntnt.exe32⤵
- Executes dropped EXE
PID:3416 -
\??\c:\nbtnhh.exec:\nbtnhh.exe33⤵
- Executes dropped EXE
PID:3812 -
\??\c:\pdjdv.exec:\pdjdv.exe34⤵
- Executes dropped EXE
PID:1208 -
\??\c:\vppdd.exec:\vppdd.exe35⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rlxxrrl.exec:\rlxxrrl.exe36⤵
- Executes dropped EXE
PID:2244 -
\??\c:\xnttnnh.exec:\xnttnnh.exe37⤵
- Executes dropped EXE
PID:4648 -
\??\c:\hntnhb.exec:\hntnhb.exe38⤵
- Executes dropped EXE
PID:1788 -
\??\c:\bbnnhh.exec:\bbnnhh.exe39⤵
- Executes dropped EXE
PID:1044 -
\??\c:\jpjjp.exec:\jpjjp.exe40⤵
- Executes dropped EXE
PID:4424 -
\??\c:\jdjjd.exec:\jdjjd.exe41⤵
- Executes dropped EXE
PID:1908 -
\??\c:\fxrrllf.exec:\fxrrllf.exe42⤵
- Executes dropped EXE
PID:5032 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe43⤵
- Executes dropped EXE
PID:3036 -
\??\c:\7tbtnh.exec:\7tbtnh.exe44⤵
- Executes dropped EXE
PID:2576 -
\??\c:\tthbtt.exec:\tthbtt.exe45⤵
- Executes dropped EXE
PID:4116 -
\??\c:\dpvpj.exec:\dpvpj.exe46⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9vvpj.exec:\9vvpj.exe47⤵
- Executes dropped EXE
PID:4240 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe48⤵
- Executes dropped EXE
PID:2560 -
\??\c:\lflxrfx.exec:\lflxrfx.exe49⤵
- Executes dropped EXE
PID:3648 -
\??\c:\bthtnn.exec:\bthtnn.exe50⤵
- Executes dropped EXE
PID:3444 -
\??\c:\hbttnn.exec:\hbttnn.exe51⤵
- Executes dropped EXE
PID:3480 -
\??\c:\djvvj.exec:\djvvj.exe52⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vvvpj.exec:\vvvpj.exe53⤵
- Executes dropped EXE
PID:1060 -
\??\c:\rllfxrl.exec:\rllfxrl.exe54⤵
- Executes dropped EXE
PID:2240 -
\??\c:\bhhtnn.exec:\bhhtnn.exe55⤵
- Executes dropped EXE
PID:3696 -
\??\c:\bhhbbh.exec:\bhhbbh.exe56⤵
- Executes dropped EXE
PID:2060 -
\??\c:\dpdpj.exec:\dpdpj.exe57⤵
- Executes dropped EXE
PID:2228 -
\??\c:\jdvpd.exec:\jdvpd.exe58⤵
- Executes dropped EXE
PID:940 -
\??\c:\fxxrllf.exec:\fxxrllf.exe59⤵
- Executes dropped EXE
PID:3992 -
\??\c:\thbbtt.exec:\thbbtt.exe60⤵
- Executes dropped EXE
PID:3420 -
\??\c:\1ttnbh.exec:\1ttnbh.exe61⤵
- Executes dropped EXE
PID:1960 -
\??\c:\vppjv.exec:\vppjv.exe62⤵
- Executes dropped EXE
PID:3232 -
\??\c:\rfffrrr.exec:\rfffrrr.exe63⤵
- Executes dropped EXE
PID:4388 -
\??\c:\llffxxx.exec:\llffxxx.exe64⤵
- Executes dropped EXE
PID:4272 -
\??\c:\tbhnhh.exec:\tbhnhh.exe65⤵
- Executes dropped EXE
PID:4660 -
\??\c:\3ddvp.exec:\3ddvp.exe66⤵PID:3724
-
\??\c:\vvpvp.exec:\vvpvp.exe67⤵PID:1792
-
\??\c:\llxrlfr.exec:\llxrlfr.exe68⤵PID:2192
-
\??\c:\nhttnh.exec:\nhttnh.exe69⤵PID:2740
-
\??\c:\hbbtnn.exec:\hbbtnn.exe70⤵PID:3652
-
\??\c:\btbtbb.exec:\btbtbb.exe71⤵PID:3732
-
\??\c:\vddvp.exec:\vddvp.exe72⤵PID:4020
-
\??\c:\xfffxxx.exec:\xfffxxx.exe73⤵PID:3476
-
\??\c:\xxxrllf.exec:\xxxrllf.exe74⤵PID:3564
-
\??\c:\bbtnhb.exec:\bbtnhb.exe75⤵PID:4840
-
\??\c:\9ddvv.exec:\9ddvv.exe76⤵
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\dppjd.exec:\dppjd.exe77⤵PID:4724
-
\??\c:\fxxrllf.exec:\fxxrllf.exe78⤵PID:3572
-
\??\c:\lfrlfff.exec:\lfrlfff.exe79⤵PID:1412
-
\??\c:\ttbtnh.exec:\ttbtnh.exe80⤵PID:4400
-
\??\c:\bbtthh.exec:\bbtthh.exe81⤵
- System Location Discovery: System Language Discovery
PID:968 -
\??\c:\bbtbnt.exec:\bbtbnt.exe82⤵PID:1048
-
\??\c:\pddjj.exec:\pddjj.exe83⤵PID:3812
-
\??\c:\3vdpj.exec:\3vdpj.exe84⤵PID:808
-
\??\c:\rxxxrll.exec:\rxxxrll.exe85⤵PID:1340
-
\??\c:\ttnnhh.exec:\ttnnhh.exe86⤵PID:3900
-
\??\c:\ttnhtt.exec:\ttnhtt.exe87⤵PID:2128
-
\??\c:\jjdpd.exec:\jjdpd.exe88⤵PID:4648
-
\??\c:\5xfxllf.exec:\5xfxllf.exe89⤵PID:2696
-
\??\c:\ffxfxxf.exec:\ffxfxxf.exe90⤵PID:4916
-
\??\c:\thbtht.exec:\thbtht.exe91⤵PID:4828
-
\??\c:\hhhbnn.exec:\hhhbnn.exe92⤵PID:4424
-
\??\c:\vdjjv.exec:\vdjjv.exe93⤵PID:936
-
\??\c:\3jppv.exec:\3jppv.exe94⤵PID:1736
-
\??\c:\7fxrrxx.exec:\7fxrrxx.exe95⤵PID:3964
-
\??\c:\flffxxl.exec:\flffxxl.exe96⤵PID:1676
-
\??\c:\ttbbtt.exec:\ttbbtt.exe97⤵PID:388
-
\??\c:\xrrrlff.exec:\xrrrlff.exe98⤵PID:1296
-
\??\c:\ttbbhh.exec:\ttbbhh.exe99⤵PID:3096
-
\??\c:\bbnnbb.exec:\bbnnbb.exe100⤵PID:2352
-
\??\c:\jdvpd.exec:\jdvpd.exe101⤵PID:2932
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe102⤵PID:4964
-
\??\c:\ffrlrlf.exec:\ffrlrlf.exe103⤵
- System Location Discovery: System Language Discovery
PID:4936 -
\??\c:\htbtnt.exec:\htbtnt.exe104⤵PID:3220
-
\??\c:\5pjdd.exec:\5pjdd.exe105⤵PID:636
-
\??\c:\vpjdd.exec:\vpjdd.exe106⤵PID:4920
-
\??\c:\xlfxxrr.exec:\xlfxxrr.exe107⤵PID:4256
-
\??\c:\bnnhbb.exec:\bnnhbb.exe108⤵PID:2440
-
\??\c:\vjjvp.exec:\vjjvp.exe109⤵PID:3192
-
\??\c:\lxxxrll.exec:\lxxxrll.exe110⤵
- System Location Discovery: System Language Discovery
PID:2060 -
\??\c:\llxfxff.exec:\llxfxff.exe111⤵PID:3440
-
\??\c:\thtbhb.exec:\thtbhb.exe112⤵PID:5016
-
\??\c:\vvpjv.exec:\vvpjv.exe113⤵PID:4580
-
\??\c:\dddvp.exec:\dddvp.exe114⤵PID:2432
-
\??\c:\lfllxxx.exec:\lfllxxx.exe115⤵PID:380
-
\??\c:\xllxrrl.exec:\xllxrrl.exe116⤵PID:1128
-
\??\c:\7ntnhh.exec:\7ntnhh.exe117⤵PID:2180
-
\??\c:\9pdpv.exec:\9pdpv.exe118⤵PID:2152
-
\??\c:\xrxxrrx.exec:\xrxxrrx.exe119⤵PID:856
-
\??\c:\rflffll.exec:\rflffll.exe120⤵PID:3948
-
\??\c:\pddvv.exec:\pddvv.exe121⤵PID:3724
-
\??\c:\jdjjv.exec:\jdjjv.exe122⤵PID:5080