Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2024, 02:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe
- Resource: win7-20240708-en
General
- Target: ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe
- Size: 454KB
- MD5: 4b57c9766eecfcef559a26ba4b838d26
- SHA1: 5beac97aa545e79ce68ff3a5be2ed09edea83bf3
- SHA256: ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e
- SHA512: 7378de75809f458fbe5676ea3a0d9ee689b18cc3c58fb50a55e99cb44d96a5cb80e0be003708b6db35985b9db6725e4cea79500a22ab12f93da2e186831318ef
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeToA:q7Tc2NYHUrAwfMp3CDcA
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (63 IoCs)
resource | yara_rule
behavioral2/memory/324-5-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3176-17-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4140-29-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3908-40-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1612-35-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3372-57-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3948-69-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3648-193-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3244-197-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/5108-211-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4032-215-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/700-219-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3528-274-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3384-282-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/528-292-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/792-302-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3632-309-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4976-341-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1160-357-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3704-433-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/2052-440-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4660-483-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/2816-552-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/336-626-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4320-639-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/2020-714-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/2760-751-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4872-704-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1728-685-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1752-577-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4976-545-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/2420-417-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3400-410-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1640-400-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4600-393-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3932-383-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4176-364-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3664-331-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4484-288-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3988-278-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3980-264-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3156-260-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4696-253-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/432-240-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3964-230-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3824-226-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4528-207-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3148-183-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1436-172-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1388-165-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/2716-153-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/524-137-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1476-121-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1808-114-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3672-108-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/2060-97-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3392-80-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4564-63-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/5084-51-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/3968-45-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4680-11-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/4852-1475-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral2/memory/1436-1578-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
- Executes dropped EXE (64 IoCs)
pid | Process
4680 | lxlfxlf.exe
3176 | hhtnnh.exe
3600 | vpjdv.exe
4140 | xxxrrlf.exe
1612 | htnhhb.exe
3908 | ppjdv.exe
3968 | lflfxxr.exe
5084 | dpjpv.exe
3372 | rllfrlf.exe
4564 | hnbthh.exe
3948 | hhthhn.exe
2136 | vddvj.exe
3392 | fffxllf.exe
892 | 1nbtnn.exe
364 | 3hhbnn.exe
2060 | ddjdp.exe
2988 | rlfxxff.exe
3672 | hhhbtn.exe
1808 | pjvpd.exe
1476 | 9vvpd.exe
1980 | xlrxlfx.exe
1804 | 9ttnbb.exe
524 | vdjdd.exe
2668 | lllflfl.exe
1448 | 7ttnbb.exe
2716 | 9ddvv.exe
4420 | jpvpd.exe
1388 | htthtn.exe
1104 | 9ddvj.exe
1436 | jdvpj.exe
3148 | lxffrll.exe
1084 | 7hnbbb.exe
2836 | djjdp.exe
3648 | ppjjv.exe
3244 | rrfxrrl.exe
4676 | hbnhhb.exe
4692 | jppjd.exe
4528 | rxxrffr.exe
5108 | ttthbt.exe
4032 | jddpd.exe
700 | llfxrrl.exe
4964 | rfrfxff.exe
3824 | tbhbtt.exe
3964 | jvvjd.exe
756 | frfxrlx.exe
2052 | bhbnht.exe
432 | 3hbhtb.exe
2408 | 1ddpd.exe
1920 | frrrlfx.exe
804 | hbhbbt.exe
4696 | hbtnbt.exe
1088 | 7jjdd.exe
3156 | fffxrrl.exe
3980 | 1lrfxxr.exe
4884 | 3ntbbt.exe
4820 | 9nhtht.exe
3528 | 1jpdj.exe
3988 | xxxlfxr.exe
3384 | rlrlfxr.exe
3740 | hhbnhh.exe
4484 | 9vvpd.exe
528 | jdjjv.exe
968 | 5fxlfxr.exe
1188 | thhtht.exe
resource | yara_rule
behavioral2/memory/324-5-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3176-17-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4140-29-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3908-40-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1612-35-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3372-57-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3948-69-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2668-138-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3648-193-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3244-197-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/5108-211-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4032-215-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/700-219-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3528-274-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3384-282-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/528-292-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/792-302-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3632-309-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4976-341-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1160-357-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3704-433-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2052-440-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4660-483-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2816-552-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/336-626-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4320-639-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2020-714-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2760-751-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4872-704-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1728-685-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1752-577-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4976-545-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4292-508-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2420-417-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3400-410-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1640-400-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4600-393-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3932-383-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4176-364-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3664-331-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4484-288-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3988-278-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3980-264-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3156-260-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4696-253-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/432-240-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3964-230-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3824-226-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4528-207-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3148-183-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1436-172-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1388-165-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2716-153-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1448-144-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/524-137-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1476-121-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1808-114-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3672-108-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2060-97-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3392-80-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4564-63-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/5084-51-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3968-45-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4680-11-0x0000000000400000-0x000000000042A000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bbbnbt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdvpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jvpjv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pdpjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5tbhbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bhtnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | djjvj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | btnnhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxrflfr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nntnhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9bhbbt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htbthh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 324 wrote to memory of 4680 | 324 | ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe | 82
PID 324 wrote to memory of 4680 | 324 | ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe | 82
PID 324 wrote to memory of 4680 | 324 | ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe | 82
PID 4680 wrote to memory of 3176 | 4680 | lxlfxlf.exe | 83
PID 4680 wrote to memory of 3176 | 4680 | lxlfxlf.exe | 83
PID 4680 wrote to memory of 3176 | 4680 | lxlfxlf.exe | 83
PID 3176 wrote to memory of 3600 | 3176 | hhtnnh.exe | 84
PID 3176 wrote to memory of 3600 | 3176 | hhtnnh.exe | 84
PID 3176 wrote to memory of 3600 | 3176 | hhtnnh.exe | 84
PID 3600 wrote to memory of 4140 | 3600 | vpjdv.exe | 85
PID 3600 wrote to memory of 4140 | 3600 | vpjdv.exe | 85
PID 3600 wrote to memory of 4140 | 3600 | vpjdv.exe | 85
PID 4140 wrote to memory of 1612 | 4140 | xxxrrlf.exe | 263
PID 4140 wrote to memory of 1612 | 4140 | xxxrrlf.exe | 263
PID 4140 wrote to memory of 1612 | 4140 | xxxrrlf.exe | 263
PID 1612 wrote to memory of 3908 | 1612 | htnhhb.exe | 87
PID 1612 wrote to memory of 3908 | 1612 | htnhhb.exe | 87
PID 1612 wrote to memory of 3908 | 1612 | htnhhb.exe | 87
PID 3908 wrote to memory of 3968 | 3908 | ppjdv.exe | 88
PID 3908 wrote to memory of 3968 | 3908 | ppjdv.exe | 88
PID 3908 wrote to memory of 3968 | 3908 | ppjdv.exe | 88
PID 3968 wrote to memory of 5084 | 3968 | lflfxxr.exe | 89
PID 3968 wrote to memory of 5084 | 3968 | lflfxxr.exe | 89
PID 3968 wrote to memory of 5084 | 3968 | lflfxxr.exe | 89
PID 5084 wrote to memory of 3372 | 5084 | dpjpv.exe | 90
PID 5084 wrote to memory of 3372 | 5084 | dpjpv.exe | 90
PID 5084 wrote to memory of 3372 | 5084 | dpjpv.exe | 90
PID 3372 wrote to memory of 4564 | 3372 | rllfrlf.exe | 91
PID 3372 wrote to memory of 4564 | 3372 | rllfrlf.exe | 91
PID 3372 wrote to memory of 4564 | 3372 | rllfrlf.exe | 91
PID 4564 wrote to memory of 3948 | 4564 | hnbthh.exe | 92
PID 4564 wrote to memory of 3948 | 4564 | hnbthh.exe | 92
PID 4564 wrote to memory of 3948 | 4564 | hnbthh.exe | 92
PID 3948 wrote to memory of 2136 | 3948 | hhthhn.exe | 93
PID 3948 wrote to memory of 2136 | 3948 | hhthhn.exe | 93
PID 3948 wrote to memory of 2136 | 3948 | hhthhn.exe | 93
PID 2136 wrote to memory of 3392 | 2136 | vddvj.exe | 94
PID 2136 wrote to memory of 3392 | 2136 | vddvj.exe | 94
PID 2136 wrote to memory of 3392 | 2136 | vddvj.exe | 94
PID 3392 wrote to memory of 892 | 3392 | fffxllf.exe | 95
PID 3392 wrote to memory of 892 | 3392 | fffxllf.exe | 95
PID 3392 wrote to memory of 892 | 3392 | fffxllf.exe | 95
PID 892 wrote to memory of 364 | 892 | 1nbtnn.exe | 96
PID 892 wrote to memory of 364 | 892 | 1nbtnn.exe | 96
PID 892 wrote to memory of 364 | 892 | 1nbtnn.exe | 96
PID 364 wrote to memory of 2060 | 364 | 3hhbnn.exe | 152
PID 364 wrote to memory of 2060 | 364 | 3hhbnn.exe | 152
PID 364 wrote to memory of 2060 | 364 | 3hhbnn.exe | 152
PID 2060 wrote to memory of 2988 | 2060 | ddjdp.exe | 98
PID 2060 wrote to memory of 2988 | 2060 | ddjdp.exe | 98
PID 2060 wrote to memory of 2988 | 2060 | ddjdp.exe | 98
PID 2988 wrote to memory of 3672 | 2988 | rlfxxff.exe | 99
PID 2988 wrote to memory of 3672 | 2988 | rlfxxff.exe | 99
PID 2988 wrote to memory of 3672 | 2988 | rlfxxff.exe | 99
PID 3672 wrote to memory of 1808 | 3672 | hhhbtn.exe | 100
PID 3672 wrote to memory of 1808 | 3672 | hhhbtn.exe | 100
PID 3672 wrote to memory of 1808 | 3672 | hhhbtn.exe | 100
PID 1808 wrote to memory of 1476 | 1808 | pjvpd.exe | 101
PID 1808 wrote to memory of 1476 | 1808 | pjvpd.exe | 101
PID 1808 wrote to memory of 1476 | 1808 | pjvpd.exe | 101
PID 1476 wrote to memory of 1980 | 1476 | 9vvpd.exe | 102
PID 1476 wrote to memory of 1980 | 1476 | 9vvpd.exe | 102
PID 1476 wrote to memory of 1980 | 1476 | 9vvpd.exe | 102
PID 1980 wrote to memory of 1804 | 1980 | xlrxlfx.exe | 103
Processes
depth | image | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe | "C:\Users\Admin\AppData\Local\Temp\ba36e7c1629787156004b83faab397024927a6dd2d89ee1d7c8759bda5c7f34e.exe" | 324 | Suspicious use of WriteProcessMemory
2 | \??\c:\lxlfxlf.exe | c:\lxlfxlf.exe | 4680 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\hhtnnh.exe | c:\hhtnnh.exe | 3176 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\vpjdv.exe | c:\vpjdv.exe | 3600 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\xxxrrlf.exe | c:\xxxrrlf.exe | 4140 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\htnhhb.exe | c:\htnhhb.exe | 1612 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\ppjdv.exe | c:\ppjdv.exe | 3908 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\lflfxxr.exe | c:\lflfxxr.exe | 3968 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\dpjpv.exe | c:\dpjpv.exe | 5084 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\rllfrlf.exe | c:\rllfrlf.exe | 3372 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\hnbthh.exe | c:\hnbthh.exe | 4564 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\hhthhn.exe | c:\hhthhn.exe | 3948 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\vddvj.exe | c:\vddvj.exe | 2136 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\fffxllf.exe | c:\fffxllf.exe | 3392 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\1nbtnn.exe | c:\1nbtnn.exe | 892 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | \??\c:\3hhbnn.exe | c:\3hhbnn.exe | 364 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\ddjdp.exe | c:\ddjdp.exe | 2060 | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | \??\c:\rlfxxff.exe | c:\rlfxxff.exe | 2988 | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | \??\c:\hhhbtn.exe | c:\hhhbtn.exe | 3672 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | \??\c:\pjvpd.exe | c:\pjvpd.exe | 1808 | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | \??\c:\9vvpd.exe | c:\9vvpd.exe | 1476 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | \??\c:\xlrxlfx.exe | c:\xlrxlfx.exe | 1980 | Executes dropped EXE; Suspicious use of WriteProcessMemory
23 | \??\c:\9ttnbb.exe | c:\9ttnbb.exe | 1804 | Executes dropped EXE
24 | \??\c:\vdjdd.exe | c:\vdjdd.exe | 524 | Executes dropped EXE
25 | \??\c:\lllflfl.exe | c:\lllflfl.exe | 2668 | Executes dropped EXE
26 | \??\c:\7ttnbb.exe | c:\7ttnbb.exe | 1448 | Executes dropped EXE
27 | \??\c:\9ddvv.exe | c:\9ddvv.exe | 2716 | Executes dropped EXE
28 | \??\c:\jpvpd.exe | c:\jpvpd.exe | 4420 | Executes dropped EXE
29 | \??\c:\htthtn.exe | c:\htthtn.exe | 1388 | Executes dropped EXE
30 | \??\c:\9ddvj.exe | c:\9ddvj.exe | 1104 | Executes dropped EXE
31 | \??\c:\jdvpj.exe | c:\jdvpj.exe | 1436 | Executes dropped EXE; System Location Discovery: System Language Discovery
32 | \??\c:\lxffrll.exe | c:\lxffrll.exe | 3148 | Executes dropped EXE
33 | \??\c:\7hnbbb.exe | c:\7hnbbb.exe | 1084 | Executes dropped EXE
34 | \??\c:\djjdp.exe | c:\djjdp.exe | 2836 | Executes dropped EXE
35 | \??\c:\ppjjv.exe | c:\ppjjv.exe | 3648 | Executes dropped EXE
36 | \??\c:\rrfxrrl.exe | c:\rrfxrrl.exe | 3244 | Executes dropped EXE
37 | \??\c:\hbnhhb.exe | c:\hbnhhb.exe | 4676 | Executes dropped EXE
38 | \??\c:\jppjd.exe | c:\jppjd.exe | 4692 | Executes dropped EXE
39 | \??\c:\rxxrffr.exe | c:\rxxrffr.exe | 4528 | Executes dropped EXE
40 | \??\c:\ttthbt.exe | c:\ttthbt.exe | 5108 | Executes dropped EXE
41 | \??\c:\jddpd.exe | c:\jddpd.exe | 4032 | Executes dropped EXE
42 | \??\c:\llfxrrl.exe | c:\llfxrrl.exe | 700 | Executes dropped EXE
43 | \??\c:\rfrfxff.exe | c:\rfrfxff.exe | 4964 | Executes dropped EXE
44 | \??\c:\tbhbtt.exe | c:\tbhbtt.exe | 3824 | Executes dropped EXE
45 | \??\c:\jvvjd.exe | c:\jvvjd.exe | 3964 | Executes dropped EXE
46 | \??\c:\frfxrlx.exe | c:\frfxrlx.exe | 756 | Executes dropped EXE
47 | \??\c:\bhbnht.exe | c:\bhbnht.exe | 2052 | Executes dropped EXE
48 | \??\c:\3hbhtb.exe | c:\3hbhtb.exe | 432 | Executes dropped EXE
49 | \??\c:\1ddpd.exe | c:\1ddpd.exe | 2408 | Executes dropped EXE
50 | \??\c:\frrrlfx.exe | c:\frrrlfx.exe | 1920 | Executes dropped EXE
51 | \??\c:\hbhbbt.exe | c:\hbhbbt.exe | 804 | Executes dropped EXE
52 | \??\c:\hbtnbt.exe | c:\hbtnbt.exe | 4696 | Executes dropped EXE
53 | \??\c:\7jjdd.exe | c:\7jjdd.exe | 1088 | Executes dropped EXE
54 | \??\c:\fffxrrl.exe | c:\fffxrrl.exe | 3156 | Executes dropped EXE
55 | \??\c:\1lrfxxr.exe | c:\1lrfxxr.exe | 3980 | Executes dropped EXE
56 | \??\c:\3ntbbt.exe | c:\3ntbbt.exe | 4884 | Executes dropped EXE
57 | \??\c:\9nhtht.exe | c:\9nhtht.exe | 4820 | Executes dropped EXE
58 | \??\c:\1jpdj.exe | c:\1jpdj.exe | 3528 | Executes dropped EXE
59 | \??\c:\xxxlfxr.exe | c:\xxxlfxr.exe | 3988 | Executes dropped EXE
60 | \??\c:\rlrlfxr.exe | c:\rlrlfxr.exe | 3384 | Executes dropped EXE
61 | \??\c:\hhbnhh.exe | c:\hhbnhh.exe | 3740 | Executes dropped EXE
62 | \??\c:\9vvpd.exe | c:\9vvpd.exe | 4484 | Executes dropped EXE
63 | \??\c:\jdjjv.exe | c:\jdjjv.exe | 528 | Executes dropped EXE
64 | \??\c:\5fxlfxr.exe | c:\5fxlfxr.exe | 968 | Executes dropped EXE
65 | \??\c:\thhtht.exe | c:\thhtht.exe | 1188 | Executes dropped EXE
66 | \??\c:\jpvpp.exe | c:\jpvpp.exe | 792 |
67 | \??\c:\7vjdv.exe | c:\7vjdv.exe | 5068 |
68 | \??\c:\rxxrxxx.exe | c:\rxxrxxx.exe | 3632 |
69 | \??\c:\rllfxrl.exe | c:\rllfxrl.exe | 3216 |
70 | \??\c:\ntbnhb.exe | c:\ntbnhb.exe | 364 |
71 | \??\c:\hhhthb.exe | c:\hhhthb.exe | 2920 |
72 | \??\c:\vjddj.exe | c:\vjddj.exe | 2060 |
73 | \??\c:\fxxrrlf.exe | c:\fxxrrlf.exe | 460 |
74 | \??\c:\nbbtnn.exe | c:\nbbtnn.exe | 2924 |
75 | \??\c:\htnntt.exe | c:\htnntt.exe | 3664 |
76 | \??\c:\3ppjv.exe | c:\3ppjv.exe | 2464 |
77 | \??\c:\llrlfxx.exe | c:\llrlfxx.exe | 4228 |
78 | \??\c:\lflfrrf.exe | c:\lflfrrf.exe | 4976 |
79 | \??\c:\7nbnbn.exe | c:\7nbnbn.exe | 1804 |
80 | \??\c:\btbhhh.exe | c:\btbhhh.exe | 2816 |
81 | \??\c:\pppjd.exe | c:\pppjd.exe | 3104 |
82 | \??\c:\dppjd.exe | c:\dppjd.exe | 2164 |
83 | \??\c:\5xxrffr.exe | c:\5xxrffr.exe | 1160 |
84 | \??\c:\tthhbt.exe | c:\tthhbt.exe | 388 |
85 | \??\c:\3hhbnh.exe | c:\3hhbnh.exe | 4176 |
86 | \??\c:\pdpdv.exe | c:\pdpdv.exe | 1552 |
87 | \??\c:\5fxrffr.exe | c:\5fxrffr.exe | 1104 |
88 | \??\c:\rxfxxff.exe | c:\rxfxxff.exe | 1752 |
89 | \??\c:\htthtt.exe | c:\htthtt.exe | 1960 |
90 | \??\c:\1vjdp.exe | c:\1vjdp.exe | 4092 |
91 | \??\c:\vpdpv.exe | c:\vpdpv.exe | 3932 |
92 | \??\c:\rllfxxf.exe | c:\rllfxxf.exe | 2836 |
93 | \??\c:\9tnnhb.exe | c:\9tnnhb.exe | 4592 |
94 | \??\c:\httnhh.exe | c:\httnhh.exe | 4600 |
95 | \??\c:\jpdvv.exe | c:\jpdvv.exe | 3776 |
96 | \??\c:\rlfxrfx.exe | c:\rlfxrfx.exe | 1640 |
97 | \??\c:\5xlfrlx.exe | c:\5xlfrlx.exe | 4692 |
98 | \??\c:\nhtnnh.exe | c:\nhtnnh.exe | 4416 |
99 | \??\c:\pdpjd.exe | c:\pdpjd.exe | 3400 | System Location Discovery: System Language Discovery
100 | \??\c:\djpjv.exe | c:\djpjv.exe | 3084 |
101 | \??\c:\lrllxrl.exe | c:\lrllxrl.exe | 2420 |
102 | \??\c:\btbtbh.exe | c:\btbtbh.exe | 3088 |
103 | \??\c:\bbnbbb.exe | c:\bbnbbb.exe | 336 |
104 | \??\c:\vpjdv.exe | c:\vpjdv.exe | 5072 |
105 | \??\c:\rxlxxlf.exe | c:\rxlxxlf.exe | 5000 |
106 | \??\c:\7rxrllx.exe | c:\7rxrllx.exe | 3704 |
107 | \??\c:\nnhbhb.exe | c:\nnhbhb.exe | 756 |
108 | \??\c:\1vppj.exe | c:\1vppj.exe | 2052 |
109 | \??\c:\vjvjd.exe | c:\vjvjd.exe | 432 |
110 | \??\c:\lffxrfx.exe | c:\lffxrfx.exe | 1616 |
111 | \??\c:\bnnhhh.exe | c:\bnnhhh.exe | 4380 |
112 | \??\c:\3nbttt.exe | c:\3nbttt.exe | 324 |
113 | \??\c:\pjvjp.exe | c:\pjvjp.exe | 2400 |
114 | \??\c:\xlfrxff.exe | c:\xlfrxff.exe | 1916 |
115 | \??\c:\rllflfr.exe | c:\rllflfr.exe | 2080 |
116 | \??\c:\hnnhbt.exe | c:\hnnhbt.exe | 2168 |
117 | \??\c:\dppjv.exe | c:\dppjv.exe | 3488 |
118 | \??\c:\fffxllf.exe | c:\fffxllf.exe | 5024 |
119 | \??\c:\lffxllx.exe | c:\lffxllx.exe | 4216 |
120 | \??\c:\9ttnnt.exe | c:\9ttnnt.exe | 2980 |
121 | \??\c:\dpdvj.exe | c:\dpdvj.exe | 4984 |
122 | \??\c:\dddpv.exe | c:\dddpv.exe | 4660 |