Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 00:28
Behavioral task
behavioral1
Sample
c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
Resource
win7-20240903-en
General
-
Target
c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
-
Size
332KB
-
MD5
557ed787bced7e444ccf6021227a8ce7
-
SHA1
6ea7f7320f3ba030684e9d43f93f296ca0385f44
-
SHA256
c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6
-
SHA512
719708aaf8303f4a08f06960bbcf3bca67699d9c006af778eb6f293b074e318c227c0fdcd591872f7b2407fe095c8138f3c9933f2e3b179373574f63ba8566de
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeHN:R4wFHoSHYHUrAwfMp3CDHN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4380-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/876-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4532-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3064-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2420-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1132-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1492-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/508-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3080-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-498-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-680-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-702-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-1132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3268-1387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3084 fxrfrfx.exe 2380 btnhtn.exe 3904 3ddvd.exe 812 fflxlfx.exe 3648 rllxrlf.exe 3476 thnbnh.exe 2392 hnnhtt.exe 2004 pppdp.exe 3424 flxxflf.exe 3644 5frfrrf.exe 876 btnhtn.exe 4436 nhnhbt.exe 3036 vjjdp.exe 2988 jvjpd.exe 1144 fxrlrlf.exe 1088 thbnbt.exe 4484 dvjdp.exe 3356 lfxlfxr.exe 4948 tbthbt.exe 228 dppjd.exe 2264 lxrfrlf.exe 904 bhntht.exe 4532 vdvpj.exe 2676 fxrfxrf.exe 3968 xxrfrlx.exe 4808 5ttnhb.exe 1816 vvpjd.exe 2216 fllxxrl.exe 3492 jvddv.exe 3668 flxxxff.exe 552 xfxfffr.exe 1848 hbnnhn.exe 3960 vpddj.exe 4412 flflllf.exe 1316 htbbtt.exe 3316 tnbbtt.exe 3984 vjjdv.exe 3216 rfllfff.exe 4576 5xlxrfx.exe 732 tbbtnb.exe 3384 jpddd.exe 984 1dpjd.exe 3428 1xrfxrr.exe 3064 nntbth.exe 4184 pdjjv.exe 1576 7jppd.exe 3872 lflrlll.exe 4368 nhbhtn.exe 4896 djppj.exe 2588 ttbtht.exe 2208 nhhbbt.exe 396 pjjdd.exe 3088 5frrrxr.exe 1968 btnhbt.exe 2308 7jpjj.exe 872 vjpdv.exe 4256 llfxfrl.exe 2420 tnbntt.exe 3868 jddvv.exe 208 jvpdv.exe 3436 rrrllfx.exe 4420 nbbtht.exe 2376 pdvdv.exe 868 pppjd.exe -
resource yara_rule behavioral2/memory/4380-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c0f-3.dat upx behavioral2/memory/4380-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cb2-9.dat upx behavioral2/memory/3084-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-11.dat upx behavioral2/memory/2380-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-18.dat upx behavioral2/memory/812-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-24.dat upx behavioral2/files/0x0007000000023cb9-29.dat upx behavioral2/memory/3476-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-35.dat upx behavioral2/files/0x0007000000023cbb-39.dat upx behavioral2/memory/2392-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-44.dat upx behavioral2/files/0x0007000000023cbd-48.dat upx behavioral2/memory/3648-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3904-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cb2-53.dat upx behavioral2/memory/876-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3644-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-57.dat upx behavioral2/files/0x0007000000023cbf-61.dat upx behavioral2/files/0x0007000000023cc0-66.dat upx behavioral2/memory/3036-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-70.dat upx behavioral2/memory/2988-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-75.dat upx behavioral2/memory/1144-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-80.dat upx 
behavioral2/memory/1088-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-85.dat upx behavioral2/memory/4484-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-90.dat upx behavioral2/files/0x0007000000023cc7-96.dat upx behavioral2/memory/3356-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4948-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-102.dat upx behavioral2/memory/228-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cb3-106.dat upx behavioral2/memory/2264-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/904-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-111.dat upx behavioral2/files/0x0007000000023cca-116.dat upx behavioral2/memory/2676-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-121.dat upx behavioral2/memory/4532-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3968-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-126.dat upx behavioral2/memory/4808-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-130.dat upx behavioral2/memory/1816-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-135.dat upx behavioral2/files/0x0007000000023ccf-140.dat upx behavioral2/files/0x0007000000023cd0-144.dat upx behavioral2/memory/3668-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd1-147.dat upx behavioral2/files/0x0007000000023cd2-153.dat upx behavioral2/memory/552-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1848-156-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1316-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4576-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3384-179-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4380 wrote to memory of 3084 4380 c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe 82 PID 4380 wrote to memory of 3084 4380 c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe 82 PID 4380 wrote to memory of 3084 4380 c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe 82 PID 3084 wrote to memory of 2380 3084 fxrfrfx.exe 83 PID 3084 wrote to memory of 2380 3084 fxrfrfx.exe 83 PID 3084 wrote to memory of 2380 3084 fxrfrfx.exe 83 PID 2380 wrote to memory of 3904 2380 btnhtn.exe 84 PID 2380 wrote to memory of 3904 2380 btnhtn.exe 84 PID 2380 wrote to memory of 3904 2380 btnhtn.exe 84 PID 3904 wrote to memory of 812 3904 3ddvd.exe 85 PID 3904 wrote to memory of 812 3904 3ddvd.exe 85 PID 3904 wrote to memory of 812 3904 3ddvd.exe 85 PID 812 wrote to memory of 3648 812 fflxlfx.exe 86 PID 812 wrote to memory of 3648 812 fflxlfx.exe 86 PID 812 wrote to memory of 3648 812 fflxlfx.exe 86 PID 3648 wrote to memory of 3476 3648 rllxrlf.exe 87 PID 3648 wrote to memory of 3476 3648 rllxrlf.exe 87 PID 3648 wrote to memory of 3476 3648 rllxrlf.exe 87 PID 3476 wrote to memory of 2392 3476 thnbnh.exe 88 PID 3476 wrote to memory of 2392 3476 thnbnh.exe 88 PID 3476 wrote to memory of 2392 3476 thnbnh.exe 88 PID 2392 wrote to memory of 2004 2392 hnnhtt.exe 89 PID 2392 wrote to memory of 2004 2392 hnnhtt.exe 89 PID 2392 wrote to memory of 2004 2392 hnnhtt.exe 89 PID 2004 wrote to memory of 3424 2004 pppdp.exe 90 PID 2004 wrote to memory of 3424 2004 pppdp.exe 90 PID 2004 wrote to memory of 3424 2004 pppdp.exe 90 PID 3424 wrote to memory of 3644 3424 flxxflf.exe 91 PID 3424 wrote to memory of 3644 3424 flxxflf.exe 91 PID 3424 wrote to memory of 3644 3424 flxxflf.exe 91 PID 3644 wrote to memory of 876 3644 5frfrrf.exe 92 PID 3644 wrote to memory of 876 3644 5frfrrf.exe 92 PID 3644 wrote to memory of 876 3644 5frfrrf.exe 92 PID 876 wrote to memory of 4436 876 btnhtn.exe 93 PID 876 wrote to memory 
of 4436 876 btnhtn.exe 93 PID 876 wrote to memory of 4436 876 btnhtn.exe 93 PID 4436 wrote to memory of 3036 4436 nhnhbt.exe 94 PID 4436 wrote to memory of 3036 4436 nhnhbt.exe 94 PID 4436 wrote to memory of 3036 4436 nhnhbt.exe 94 PID 3036 wrote to memory of 2988 3036 vjjdp.exe 95 PID 3036 wrote to memory of 2988 3036 vjjdp.exe 95 PID 3036 wrote to memory of 2988 3036 vjjdp.exe 95 PID 2988 wrote to memory of 1144 2988 jvjpd.exe 96 PID 2988 wrote to memory of 1144 2988 jvjpd.exe 96 PID 2988 wrote to memory of 1144 2988 jvjpd.exe 96 PID 1144 wrote to memory of 1088 1144 fxrlrlf.exe 97 PID 1144 wrote to memory of 1088 1144 fxrlrlf.exe 97 PID 1144 wrote to memory of 1088 1144 fxrlrlf.exe 97 PID 1088 wrote to memory of 4484 1088 thbnbt.exe 98 PID 1088 wrote to memory of 4484 1088 thbnbt.exe 98 PID 1088 wrote to memory of 4484 1088 thbnbt.exe 98 PID 4484 wrote to memory of 3356 4484 dvjdp.exe 99 PID 4484 wrote to memory of 3356 4484 dvjdp.exe 99 PID 4484 wrote to memory of 3356 4484 dvjdp.exe 99 PID 3356 wrote to memory of 4948 3356 lfxlfxr.exe 100 PID 3356 wrote to memory of 4948 3356 lfxlfxr.exe 100 PID 3356 wrote to memory of 4948 3356 lfxlfxr.exe 100 PID 4948 wrote to memory of 228 4948 tbthbt.exe 101 PID 4948 wrote to memory of 228 4948 tbthbt.exe 101 PID 4948 wrote to memory of 228 4948 tbthbt.exe 101 PID 228 wrote to memory of 2264 228 dppjd.exe 102 PID 228 wrote to memory of 2264 228 dppjd.exe 102 PID 228 wrote to memory of 2264 228 dppjd.exe 102 PID 2264 wrote to memory of 904 2264 lxrfrlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe"C:\Users\Admin\AppData\Local\Temp\c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\fxrfrfx.exec:\fxrfrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\btnhtn.exec:\btnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\3ddvd.exec:\3ddvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\fflxlfx.exec:\fflxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\rllxrlf.exec:\rllxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\thnbnh.exec:\thnbnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\hnnhtt.exec:\hnnhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\pppdp.exec:\pppdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\flxxflf.exec:\flxxflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\5frfrrf.exec:\5frfrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\btnhtn.exec:\btnhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\nhnhbt.exec:\nhnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\vjjdp.exec:\vjjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\jvjpd.exec:\jvjpd.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\fxrlrlf.exec:\fxrlrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\thbnbt.exec:\thbnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\dvjdp.exec:\dvjdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\tbthbt.exec:\tbthbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\dppjd.exec:\dppjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\lxrfrlf.exec:\lxrfrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\bhntht.exec:\bhntht.exe23⤵
- Executes dropped EXE
PID:904 -
\??\c:\vdvpj.exec:\vdvpj.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4532 -
\??\c:\fxrfxrf.exec:\fxrfxrf.exe25⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xxrfrlx.exec:\xxrfrlx.exe26⤵
- Executes dropped EXE
PID:3968 -
\??\c:\5ttnhb.exec:\5ttnhb.exe27⤵
- Executes dropped EXE
PID:4808 -
\??\c:\vvpjd.exec:\vvpjd.exe28⤵
- Executes dropped EXE
PID:1816 -
\??\c:\fllxxrl.exec:\fllxxrl.exe29⤵
- Executes dropped EXE
PID:2216 -
\??\c:\jvddv.exec:\jvddv.exe30⤵
- Executes dropped EXE
PID:3492 -
\??\c:\flxxxff.exec:\flxxxff.exe31⤵
- Executes dropped EXE
PID:3668 -
\??\c:\xfxfffr.exec:\xfxfffr.exe32⤵
- Executes dropped EXE
PID:552 -
\??\c:\hbnnhn.exec:\hbnnhn.exe33⤵
- Executes dropped EXE
PID:1848 -
\??\c:\vpddj.exec:\vpddj.exe34⤵
- Executes dropped EXE
PID:3960 -
\??\c:\flflllf.exec:\flflllf.exe35⤵
- Executes dropped EXE
PID:4412 -
\??\c:\htbbtt.exec:\htbbtt.exe36⤵
- Executes dropped EXE
PID:1316 -
\??\c:\tnbbtt.exec:\tnbbtt.exe37⤵
- Executes dropped EXE
PID:3316 -
\??\c:\vjjdv.exec:\vjjdv.exe38⤵
- Executes dropped EXE
PID:3984 -
\??\c:\rfllfff.exec:\rfllfff.exe39⤵
- Executes dropped EXE
PID:3216 -
\??\c:\5xlxrfx.exec:\5xlxrfx.exe40⤵
- Executes dropped EXE
PID:4576 -
\??\c:\tbbtnb.exec:\tbbtnb.exe41⤵
- Executes dropped EXE
PID:732 -
\??\c:\jpddd.exec:\jpddd.exe42⤵
- Executes dropped EXE
PID:3384 -
\??\c:\1dpjd.exec:\1dpjd.exe43⤵
- Executes dropped EXE
PID:984 -
\??\c:\1xrfxrr.exec:\1xrfxrr.exe44⤵
- Executes dropped EXE
PID:3428 -
\??\c:\nntbth.exec:\nntbth.exe45⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pdjjv.exec:\pdjjv.exe46⤵
- Executes dropped EXE
PID:4184 -
\??\c:\7jppd.exec:\7jppd.exe47⤵
- Executes dropped EXE
PID:1576 -
\??\c:\lflrlll.exec:\lflrlll.exe48⤵
- Executes dropped EXE
PID:3872 -
\??\c:\nhbhtn.exec:\nhbhtn.exe49⤵
- Executes dropped EXE
PID:4368 -
\??\c:\djppj.exec:\djppj.exe50⤵
- Executes dropped EXE
PID:4896 -
\??\c:\ttbtht.exec:\ttbtht.exe51⤵
- Executes dropped EXE
PID:2588 -
\??\c:\nhhbbt.exec:\nhhbbt.exe52⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pjjdd.exec:\pjjdd.exe53⤵
- Executes dropped EXE
PID:396 -
\??\c:\5frrrxr.exec:\5frrrxr.exe54⤵
- Executes dropped EXE
PID:3088 -
\??\c:\btnhbt.exec:\btnhbt.exe55⤵
- Executes dropped EXE
PID:1968 -
\??\c:\7jpjj.exec:\7jpjj.exe56⤵
- Executes dropped EXE
PID:2308 -
\??\c:\vjpdv.exec:\vjpdv.exe57⤵
- Executes dropped EXE
PID:872 -
\??\c:\llfxfrl.exec:\llfxfrl.exe58⤵
- Executes dropped EXE
PID:4256 -
\??\c:\tnbntt.exec:\tnbntt.exe59⤵
- Executes dropped EXE
PID:2420 -
\??\c:\jddvv.exec:\jddvv.exe60⤵
- Executes dropped EXE
PID:3868 -
\??\c:\jvpdv.exec:\jvpdv.exe61⤵
- Executes dropped EXE
PID:208 -
\??\c:\rrrllfx.exec:\rrrllfx.exe62⤵
- Executes dropped EXE
PID:3436 -
\??\c:\nbbtht.exec:\nbbtht.exe63⤵
- Executes dropped EXE
PID:4420 -
\??\c:\pdvdv.exec:\pdvdv.exe64⤵
- Executes dropped EXE
PID:2376 -
\??\c:\pppjd.exec:\pppjd.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe66⤵PID:1132
-
\??\c:\btnhbt.exec:\btnhbt.exe67⤵PID:3700
-
\??\c:\vvjvv.exec:\vvjvv.exe68⤵PID:3344
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe69⤵PID:3448
-
\??\c:\rrxrfxf.exec:\rrxrfxf.exe70⤵PID:4512
-
\??\c:\9ttnhh.exec:\9ttnhh.exe71⤵PID:3648
-
\??\c:\vdjdd.exec:\vdjdd.exe72⤵PID:3784
-
\??\c:\fllfrlf.exec:\fllfrlf.exe73⤵PID:788
-
\??\c:\7flllrr.exec:\7flllrr.exe74⤵PID:4492
-
\??\c:\bbbnhh.exec:\bbbnhh.exe75⤵PID:4904
-
\??\c:\9pvvp.exec:\9pvvp.exe76⤵PID:4952
-
\??\c:\vpdpv.exec:\vpdpv.exe77⤵PID:3456
-
\??\c:\lfrfrxr.exec:\lfrfrxr.exe78⤵PID:1936
-
\??\c:\nbbtth.exec:\nbbtth.exe79⤵PID:2772
-
\??\c:\5vpdp.exec:\5vpdp.exe80⤵PID:4692
-
\??\c:\jvvjd.exec:\jvvjd.exe81⤵PID:452
-
\??\c:\5xlfrlf.exec:\5xlfrlf.exe82⤵PID:2224
-
\??\c:\flrlllx.exec:\flrlllx.exe83⤵PID:3440
-
\??\c:\tbhnhh.exec:\tbhnhh.exe84⤵PID:4084
-
\??\c:\dpdvv.exec:\dpdvv.exe85⤵PID:3432
-
\??\c:\xlfrflf.exec:\xlfrflf.exe86⤵PID:3532
-
\??\c:\lfxrxxl.exec:\lfxrxxl.exe87⤵PID:2072
-
\??\c:\7bbtnh.exec:\7bbtnh.exe88⤵PID:2412
-
\??\c:\vpjvp.exec:\vpjvp.exe89⤵PID:636
-
\??\c:\7vddv.exec:\7vddv.exe90⤵PID:700
-
\??\c:\lfxlxrf.exec:\lfxlxrf.exe91⤵PID:828
-
\??\c:\hbnbth.exec:\hbnbth.exe92⤵PID:464
-
\??\c:\jvddv.exec:\jvddv.exe93⤵PID:3664
-
\??\c:\djvvp.exec:\djvvp.exe94⤵PID:2020
-
\??\c:\xxrxrrl.exec:\xxrxrrl.exe95⤵PID:4392
-
\??\c:\thhtbh.exec:\thhtbh.exe96⤵PID:3008
-
\??\c:\jvjvj.exec:\jvjvj.exe97⤵PID:1860
-
\??\c:\vpvvp.exec:\vpvvp.exe98⤵PID:4532
-
\??\c:\lxffxxr.exec:\lxffxxr.exe99⤵PID:2676
-
\??\c:\bnttnt.exec:\bnttnt.exe100⤵PID:4656
-
\??\c:\3pjdp.exec:\3pjdp.exe101⤵PID:4796
-
\??\c:\jjvjp.exec:\jjvjp.exe102⤵PID:1492
-
\??\c:\9rllxxr.exec:\9rllxxr.exe103⤵PID:4808
-
\??\c:\btbtbt.exec:\btbtbt.exe104⤵PID:2604
-
\??\c:\nbhhbh.exec:\nbhhbh.exe105⤵PID:2568
-
\??\c:\dpvjd.exec:\dpvjd.exe106⤵PID:4940
-
\??\c:\9rrlxll.exec:\9rrlxll.exe107⤵PID:4980
-
\??\c:\fllrffx.exec:\fllrffx.exe108⤵PID:3100
-
\??\c:\btthtn.exec:\btthtn.exe109⤵PID:3780
-
\??\c:\pppjp.exec:\pppjp.exe110⤵PID:4248
-
\??\c:\vpjjp.exec:\vpjjp.exe111⤵PID:1848
-
\??\c:\3xfrrlr.exec:\3xfrrlr.exe112⤵PID:1556
-
\??\c:\7lrlfrl.exec:\7lrlfrl.exe113⤵PID:2384
-
\??\c:\hbhtnn.exec:\hbhtnn.exe114⤵PID:4036
-
\??\c:\vvdvj.exec:\vvdvj.exe115⤵PID:4908
-
\??\c:\5vpjd.exec:\5vpjd.exe116⤵PID:3016
-
\??\c:\rrllfxx.exec:\rrllfxx.exe117⤵PID:3584
-
\??\c:\tbbhhh.exec:\tbbhhh.exe118⤵PID:624
-
\??\c:\tthhnn.exec:\tthhnn.exe119⤵PID:3324
-
\??\c:\djjjv.exec:\djjjv.exe120⤵PID:3948
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe121⤵PID:4444
-
\??\c:\rflfxrr.exec:\rflfxrr.exe122⤵PID:2256