Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2024, 10:35
Behavioral task
behavioral1
Sample: 54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe
Resource: win7-20240729-en
General
Target: 54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe
Size: 67KB
MD5: 87fd57d32f54a02186b4850acdb92c89
SHA1: 6f6dbb996ae8a20e6138620cada0eac8dbe543ff
SHA256: 54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d
SHA512: f03914a30a1180860c9667285bb45ccd01d522071c5c9f6e52687367ea214d51fd7cbce9ed2a96a402e3e635c0b526052f8b9b73872d5fd5823cc0f649ae9495
SSDEEP: 1536:/vQBeOGtrYS3srx93UBWfwC6Ggnouy8jb5DiLKrb08I:/hOmTsF93UYfwC6GIoutcKbe
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload 64 IoCs
resource  yara_rule
behavioral2/memory/1336-5-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3184-8-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2532-18-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4460-23-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2788-29-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1776-36-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3576-42-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3852-46-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3280-52-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3972-58-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3960-75-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3376-81-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2676-88-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3876-93-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/808-114-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4644-120-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2380-125-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2248-131-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1368-140-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1448-149-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2752-158-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2296-155-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1172-167-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/672-173-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2216-179-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/5016-186-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/320-194-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1160-198-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/864-206-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3300-210-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4752-221-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/612-230-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/5060-246-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4396-259-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3168-263-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3676-282-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4000-295-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4092-309-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4016-305-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4788-316-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3600-320-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4808-325-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4412-331-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2188-338-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1508-363-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3936-370-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3340-377-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4812-387-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4324-412-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3924-458-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3324-462-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4776-475-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1532-479-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4108-495-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1476-502-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1008-518-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1268-534-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/3460-544-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4536-551-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/2104-600-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/216-616-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/1076-810-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4596-820-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral2/memory/4052-1371-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
- Executes dropped EXE 64 IoCs
pid  Process
3184  7htnht.exe
2532  5hnhbb.exe
4460  ppvpd.exe
2788  fxxlxrl.exe
1776  bttbnh.exe
3576  3ppjv.exe
3852  xxfflff.exe
3280  ntnbhh.exe
3972  bbntbt.exe
400  3vdvp.exe
2016  fxxrlxl.exe
3960  nhbthb.exe
3376  jddpv.exe
2676  jvpdv.exe
3876  fflxrfl.exe
3224  htnbbb.exe
4716  lfxrfxr.exe
4076  3rxlfrl.exe
808  btbnhh.exe
4644  7jdpj.exe
2380  vppjd.exe
2248  rxrlxrf.exe
1368  dvddd.exe
4248  jvpdj.exe
1448  rlrlllr.exe
2296  hhhbtt.exe
2752  dpdpd.exe
1172  vpvjv.exe
672  5rrfxxr.exe
2216  flrlxrl.exe
5016  ttbhbb.exe
536  vjpdp.exe
320  ppvvj.exe
1160  xffxffr.exe
4416  lffrrll.exe
864  hbbtnn.exe
3300  tnhbnh.exe
1836  jvdpd.exe
4884  frlxxrf.exe
3116  hnnhhb.exe
4752  7pjvj.exe
2212  3vvjj.exe
612  ppvpj.exe
1820  9lxrrll.exe
1940  3nthbt.exe
3624  tbhtnh.exe
3040  vpjdv.exe
5060  pjdpd.exe
4768  ffflfrl.exe
4148  btbtnh.exe
4488  fflfllf.exe
4396  fxxrxrl.exe
3168  bnnbtn.exe
1072  jdvjj.exe
2532  dvjjv.exe
2864  3xrxlfx.exe
4844  rrlrrxf.exe
1968  bbhnnt.exe
3676  3btnbb.exe
2636  jjjvj.exe
1088  rllfrrr.exe
4424  xrlfxrr.exe
4000  hhhthb.exe
2044  nhttnh.exe
- UPX packed file (yara rule upx) 64 IoCs
resource  yara_rule
behavioral2/memory/1336-0-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/1336-5-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000c000000023b0f-6.dat  upx
behavioral2/memory/3184-8-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000b000000023b6d-11.dat  upx
behavioral2/files/0x000a000000023b71-13.dat  upx
behavioral2/memory/2532-18-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b72-21.dat  upx
behavioral2/memory/4460-23-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b74-27.dat  upx
behavioral2/memory/2788-29-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/1776-36-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b75-35.dat  upx
behavioral2/files/0x000a000000023b76-39.dat  upx
behavioral2/memory/3576-42-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b77-45.dat  upx
behavioral2/memory/3852-46-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b78-50.dat  upx
behavioral2/memory/3280-52-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b79-56.dat  upx
behavioral2/memory/3972-58-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b7a-62.dat  upx
behavioral2/files/0x000a000000023b7b-67.dat  upx
behavioral2/files/0x000a000000023b7c-74.dat  upx
behavioral2/memory/3960-75-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/3376-76-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b7d-79.dat  upx
behavioral2/memory/3376-81-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b7e-85.dat  upx
behavioral2/memory/2676-88-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b7f-92.dat  upx
behavioral2/memory/3876-93-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b80-97.dat  upx
behavioral2/files/0x000a000000023b81-102.dat  upx
behavioral2/files/0x000a000000023b82-107.dat  upx
behavioral2/memory/808-114-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b83-112.dat  upx
behavioral2/files/0x000a000000023b84-118.dat  upx
behavioral2/memory/4644-120-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/2380-125-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b85-126.dat  upx
behavioral2/files/0x000a000000023b86-130.dat  upx
behavioral2/memory/2248-131-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/4248-137-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/1368-140-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b87-136.dat  upx
behavioral2/files/0x000a000000023b88-142.dat  upx
behavioral2/memory/1448-149-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000b000000023b6e-147.dat  upx
behavioral2/files/0x000a000000023b89-156.dat  upx
behavioral2/memory/2752-158-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/2296-155-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b8a-161.dat  upx
behavioral2/memory/1172-162-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/1172-167-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b8b-168.dat  upx
behavioral2/files/0x000a000000023b8c-174.dat  upx
behavioral2/memory/672-173-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b8d-180.dat  upx
behavioral2/memory/2216-179-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/files/0x000a000000023b8e-184.dat  upx
behavioral2/memory/5016-186-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/320-194-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral2/memory/1160-198-0x0000000000400000-0x0000000000427000-memory.dmp  upx
- System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
All 64 IoCs are the same event, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the Process column, in report order, reads:
pvjvp.exe, Process not Found (x2), llrfxrl.exe, Process not Found (x4), lxxlfxr.exe, bnnbnt.exe, Process not Found (x2), rflffrf.exe, jjpjv.exe, Process not Found (x15), pjvpj.exe, nhbnhh.exe, Process not Found (x2), pjpjv.exe, Process not Found (x5), pvjdj.exe, Process not Found (x7), 9ttntt.exe, Process not Found (x9), llrrllf.exe, rlxrrfx.exe, dpppv.exe, Process not Found (x1), jvppp.exe, Process not Found (x2)
- Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (records)
PID 1336 wrote to memory of 3184  1336  54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe  83  (x3)
PID 3184 wrote to memory of 2532  3184  7htnht.exe  84  (x3)
PID 2532 wrote to memory of 4460  2532  5hnhbb.exe  85  (x3)
PID 4460 wrote to memory of 2788  4460  ppvpd.exe  86  (x3)
PID 2788 wrote to memory of 1776  2788  fxxlxrl.exe  87  (x3)
PID 1776 wrote to memory of 3576  1776  bttbnh.exe  88  (x3)
PID 3576 wrote to memory of 3852  3576  3ppjv.exe  89  (x3)
PID 3852 wrote to memory of 3280  3852  xxfflff.exe  90  (x3)
PID 3280 wrote to memory of 3972  3280  ntnbhh.exe  91  (x3)
PID 3972 wrote to memory of 400  3972  bbntbt.exe  92  (x3)
PID 400 wrote to memory of 2016  400  3vdvp.exe  93  (x3)
PID 2016 wrote to memory of 3960  2016  fxxrlxl.exe  94  (x3)
PID 3960 wrote to memory of 3376  3960  nhbthb.exe  95  (x3)
PID 3376 wrote to memory of 2676  3376  jddpv.exe  96  (x3)
PID 2676 wrote to memory of 3876  2676  jvpdv.exe  97  (x3)
PID 3876 wrote to memory of 3224  3876  fflxrfl.exe  98  (x3)
PID 3224 wrote to memory of 4716  3224  htnbbb.exe  99  (x3)
PID 4716 wrote to memory of 4076  4716  lfxrfxr.exe  100  (x3)
PID 4076 wrote to memory of 808  4076  3rxlfrl.exe  101  (x3)
PID 808 wrote to memory of 4644  808  btbnhh.exe  102  (x3)
PID 4644 wrote to memory of 2380  4644  7jdpj.exe  103  (x3)
PID 2380 wrote to memory of 2248  2380  vppjd.exe  104  (x1; the listing stops at 64 IoCs)
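The Blackmoon memory-dump, Executes dropped EXE and WriteProcessMemory listings above are flattened records that are tedious to read by eye. The following Python script is an added example, not part of the tria.ge report: it parses a handful of those records (copied from this report into the script as constructed input), rebuilds the parent-to-child chain from the "wrote to memory of" entries and checks that it is a single linear chain, counts how many write records each link produced, confirms that every dump covers the same image range, and flags file names that fit the pattern of the dropped executables seen here. The regular expressions, function names and the NAME_GROUPS heuristic are this example's own assumptions derived from this one report, not tria.ge rules or Blackmoon family signatures.

```python
"""Parse flattened tria.ge signature records and rebuild the dropper chain.

Added example, not part of the report or of tria.ge. The record text below is
constructed by copying a few entries from the report; the regexes and the
name heuristic are this example's own assumptions.
"""
import re
from collections import Counter

# Constructed sample input: the first four links of the "Suspicious use of
# WriteProcessMemory" section (three records per parent/child pair, as shown).
WPM_RECORDS = """
PID 1336 wrote to memory of 3184 1336 54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe 83
PID 1336 wrote to memory of 3184 1336 54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe 83
PID 1336 wrote to memory of 3184 1336 54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe 83
PID 3184 wrote to memory of 2532 3184 7htnht.exe 84
PID 3184 wrote to memory of 2532 3184 7htnht.exe 84
PID 3184 wrote to memory of 2532 3184 7htnht.exe 84
PID 2532 wrote to memory of 4460 2532 5hnhbb.exe 85
PID 2532 wrote to memory of 4460 2532 5hnhbb.exe 85
PID 2532 wrote to memory of 4460 2532 5hnhbb.exe 85
PID 4460 wrote to memory of 2788 4460 ppvpd.exe 86
PID 4460 wrote to memory of 2788 4460 ppvpd.exe 86
PID 4460 wrote to memory of 2788 4460 ppvpd.exe 86
"""

# Constructed sample input: a few "Detect Blackmoon payload" memory-dump resources.
DUMP_RECORDS = """
behavioral2/memory/1336-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral2/memory/3184-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral2/memory/2532-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral2/memory/4460-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
"""

# Assumed record layouts: "PID <src> wrote to memory of <dst> <pid> <image> <procid_target>"
# and "behavioral<N>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <rule>".
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
DUMP_RE = re.compile(r"^behavioral\d+/memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp (\S+)$")


def parse_wpm(text):
    """Return [(writer_pid, target_pid, writer_image, procid_target)] per record."""
    out = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        src, dst, pid, image, target = m.groups()
        if src != pid:  # the description and the pid column must agree
            raise ValueError(f"description/pid mismatch: {line!r}")
        out.append((int(src), int(dst), image, int(target)))
    return out


def writes_per_link(records):
    """Count WriteProcessMemory records per (parent, child) pair."""
    return Counter((src, dst) for src, dst, _, _ in records)


def rebuild_chain(records, root):
    """Follow parent->child edges from root; raise if any process has more than
    one child (the report shows one strictly linear chain) or the edges loop."""
    children = {}
    for src, dst, _, _ in records:
        children.setdefault(src, set()).add(dst)
    chain, seen = [root], {root}
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"PID {chain[-1]} has {len(kids)} children; not a linear chain")
        (nxt,) = kids
        if nxt in seen:
            raise ValueError("cycle in parent/child edges")
        seen.add(nxt)
        chain.append(nxt)
    return chain


def parse_dumps(text):
    """Return [(pid, start, end, rule)] for each memory-dump resource line."""
    out = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed resource: {line!r}")
        pid, start, end, rule = m.groups()
        out.append((int(pid), int(start, 16), int(end, 16), rule))
    return out


def common_image_range(dumps):
    """Return the one (start, end) range shared by every dump, or None if they differ."""
    ranges = {(s, e) for _, s, e, _ in dumps}
    return next(iter(ranges)) if len(ranges) == 1 else None


# Heuristic (an assumption drawn from this report only): each dropped name is an
# optional digit plus 4-7 letters taken from a single four-letter group, e.g.
# 7htnht.exe, ppvpd.exe, fxxlxrl.exe. Tune or drop this for other samples.
NAME_GROUPS = ("bhnt", "djpv", "flrx")


def looks_generated(image_name):
    m = re.fullmatch(r"[0-9]?([a-z]{4,7})\.exe", image_name.lower())
    return bool(m) and any(set(m.group(1)) <= set(g) for g in NAME_GROUPS)


if __name__ == "__main__":
    recs = parse_wpm(WPM_RECORDS)
    print("chain:", rebuild_chain(recs, 1336))
    print("writes per link:", dict(writes_per_link(recs)))
    print("shared image range:", common_image_range(parse_dumps(DUMP_RECORDS)))
    print([(img, looks_generated(img)) for _, _, img, _ in recs[::3]])
```

On the constructed input the chain comes back as 1336, 3184, 2532, 4460, 2788 with three write records per link, and all dumps share the 0x400000 to 0x427000 range, which is what one expects when the same unpacked image is re-dropped and re-run at every hop. The name heuristic is deliberately narrow; it is a starting point for hunting across a larger set of reports, not a signature.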
Processes
depth | PID | image | command line | signatures
depth 1 | PID 1336 | C:\Users\Admin\AppData\Local\Temp\54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\54dfd30f8476669fa88b6d84cfb89c2d92502ca5aaed6b290e39d1e6fde1a48d.exe" | Suspicious use of WriteProcessMemory
depth 2 | PID 3184 | \??\c:\7htnht.exe | cmd: c:\7htnht.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 3 | PID 2532 | \??\c:\5hnhbb.exe | cmd: c:\5hnhbb.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 4 | PID 4460 | \??\c:\ppvpd.exe | cmd: c:\ppvpd.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 5 | PID 2788 | \??\c:\fxxlxrl.exe | cmd: c:\fxxlxrl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 6 | PID 1776 | \??\c:\bttbnh.exe | cmd: c:\bttbnh.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 7 | PID 3576 | \??\c:\3ppjv.exe | cmd: c:\3ppjv.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 8 | PID 3852 | \??\c:\xxfflff.exe | cmd: c:\xxfflff.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 9 | PID 3280 | \??\c:\ntnbhh.exe | cmd: c:\ntnbhh.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 10 | PID 3972 | \??\c:\bbntbt.exe | cmd: c:\bbntbt.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 11 | PID 400 | \??\c:\3vdvp.exe | cmd: c:\3vdvp.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 12 | PID 2016 | \??\c:\fxxrlxl.exe | cmd: c:\fxxrlxl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 13 | PID 3960 | \??\c:\nhbthb.exe | cmd: c:\nhbthb.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 14 | PID 3376 | \??\c:\jddpv.exe | cmd: c:\jddpv.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 15 | PID 2676 | \??\c:\jvpdv.exe | cmd: c:\jvpdv.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 16 | PID 3876 | \??\c:\fflxrfl.exe | cmd: c:\fflxrfl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 17 | PID 3224 | \??\c:\htnbbb.exe | cmd: c:\htnbbb.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 18 | PID 4716 | \??\c:\lfxrfxr.exe | cmd: c:\lfxrfxr.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 19 | PID 4076 | \??\c:\3rxlfrl.exe | cmd: c:\3rxlfrl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 20 | PID 808 | \??\c:\btbnhh.exe | cmd: c:\btbnhh.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 21 | PID 4644 | \??\c:\7jdpj.exe | cmd: c:\7jdpj.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 22 | PID 2380 | \??\c:\vppjd.exe | cmd: c:\vppjd.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 23 | PID 2248 | \??\c:\rxrlxrf.exe | cmd: c:\rxrlxrf.exe | Executes dropped EXE
depth 24 | PID 1368 | \??\c:\dvddd.exe | cmd: c:\dvddd.exe | Executes dropped EXE
depth 25 | PID 4248 | \??\c:\jvpdj.exe | cmd: c:\jvpdj.exe | Executes dropped EXE
depth 26 | PID 1448 | \??\c:\rlrlllr.exe | cmd: c:\rlrlllr.exe | Executes dropped EXE
depth 27 | PID 2296 | \??\c:\hhhbtt.exe | cmd: c:\hhhbtt.exe | Executes dropped EXE
depth 28 | PID 2752 | \??\c:\dpdpd.exe | cmd: c:\dpdpd.exe | Executes dropped EXE
depth 29 | PID 1172 | \??\c:\vpvjv.exe | cmd: c:\vpvjv.exe | Executes dropped EXE
depth 30 | PID 672 | \??\c:\5rrfxxr.exe | cmd: c:\5rrfxxr.exe | Executes dropped EXE
depth 31 | PID 2216 | \??\c:\flrlxrl.exe | cmd: c:\flrlxrl.exe | Executes dropped EXE
depth 32 | PID 5016 | \??\c:\ttbhbb.exe | cmd: c:\ttbhbb.exe | Executes dropped EXE
depth 33 | PID 536 | \??\c:\vjpdp.exe | cmd: c:\vjpdp.exe | Executes dropped EXE
depth 34 | PID 320 | \??\c:\ppvvj.exe | cmd: c:\ppvvj.exe | Executes dropped EXE
depth 35 | PID 1160 | \??\c:\xffxffr.exe | cmd: c:\xffxffr.exe | Executes dropped EXE
depth 36 | PID 4416 | \??\c:\lffrrll.exe | cmd: c:\lffrrll.exe | Executes dropped EXE
depth 37 | PID 864 | \??\c:\hbbtnn.exe | cmd: c:\hbbtnn.exe | Executes dropped EXE
depth 38 | PID 3300 | \??\c:\tnhbnh.exe | cmd: c:\tnhbnh.exe | Executes dropped EXE
depth 39 | PID 1836 | \??\c:\jvdpd.exe | cmd: c:\jvdpd.exe | Executes dropped EXE
depth 40 | PID 4884 | \??\c:\frlxxrf.exe | cmd: c:\frlxxrf.exe | Executes dropped EXE
depth 41 | PID 3116 | \??\c:\hnnhhb.exe | cmd: c:\hnnhhb.exe | Executes dropped EXE
depth 42 | PID 4752 | \??\c:\7pjvj.exe | cmd: c:\7pjvj.exe | Executes dropped EXE
depth 43 | PID 2212 | \??\c:\3vvjj.exe | cmd: c:\3vvjj.exe | Executes dropped EXE
depth 44 | PID 612 | \??\c:\ppvpj.exe | cmd: c:\ppvpj.exe | Executes dropped EXE
depth 45 | PID 1820 | \??\c:\9lxrrll.exe | cmd: c:\9lxrrll.exe | Executes dropped EXE
depth 46 | PID 1940 | \??\c:\3nthbt.exe | cmd: c:\3nthbt.exe | Executes dropped EXE
depth 47 | PID 3624 | \??\c:\tbhtnh.exe | cmd: c:\tbhtnh.exe | Executes dropped EXE
depth 48 | PID 3040 | \??\c:\vpjdv.exe | cmd: c:\vpjdv.exe | Executes dropped EXE
depth 49 | PID 5060 | \??\c:\pjdpd.exe | cmd: c:\pjdpd.exe | Executes dropped EXE
depth 50 | PID 4768 | \??\c:\ffflfrl.exe | cmd: c:\ffflfrl.exe | Executes dropped EXE
depth 51 | PID 4148 | \??\c:\btbtnh.exe | cmd: c:\btbtnh.exe | Executes dropped EXE
depth 52 | PID 4488 | \??\c:\fflfllf.exe | cmd: c:\fflfllf.exe | Executes dropped EXE
depth 53 | PID 4396 | \??\c:\fxxrxrl.exe | cmd: c:\fxxrxrl.exe | Executes dropped EXE
depth 54 | PID 3168 | \??\c:\bnnbtn.exe | cmd: c:\bnnbtn.exe | Executes dropped EXE
depth 55 | PID 1072 | \??\c:\jdvjj.exe | cmd: c:\jdvjj.exe | Executes dropped EXE
depth 56 | PID 2532 | \??\c:\dvjjv.exe | cmd: c:\dvjjv.exe | Executes dropped EXE
depth 57 | PID 2864 | \??\c:\3xrxlfx.exe | cmd: c:\3xrxlfx.exe | Executes dropped EXE
depth 58 | PID 4844 | \??\c:\rrlrrxf.exe | cmd: c:\rrlrrxf.exe | Executes dropped EXE
depth 59 | PID 1968 | \??\c:\bbhnnt.exe | cmd: c:\bbhnnt.exe | Executes dropped EXE
depth 60 | PID 3676 | \??\c:\3btnbb.exe | cmd: c:\3btnbb.exe | Executes dropped EXE
depth 61 | PID 2636 | \??\c:\jjjvj.exe | cmd: c:\jjjvj.exe | Executes dropped EXE
depth 62 | PID 1088 | \??\c:\rllfrrr.exe | cmd: c:\rllfrrr.exe | Executes dropped EXE
depth 63 | PID 4424 | \??\c:\xrlfxrr.exe | cmd: c:\xrlfxrr.exe | Executes dropped EXE
depth 64 | PID 4000 | \??\c:\hhhthb.exe | cmd: c:\hhhthb.exe | Executes dropped EXE
depth 65 | PID 2044 | \??\c:\nhttnh.exe | cmd: c:\nhttnh.exe | Executes dropped EXE
depth 66 | PID 3028 | \??\c:\pjvpj.exe | cmd: c:\pjvpj.exe | System Location Discovery: System Language Discovery
depth 67 | PID 4016 | \??\c:\5ffxlff.exe | cmd: c:\5ffxlff.exe
depth 68 | PID 4092 | \??\c:\5ffxrfr.exe | cmd: c:\5ffxrfr.exe
depth 69 | PID 3208 | \??\c:\tbbttt.exe | cmd: c:\tbbttt.exe
depth 70 | PID 4788 | \??\c:\nbttnn.exe | cmd: c:\nbttnn.exe
depth 71 | PID 3600 | \??\c:\7bnhtb.exe | cmd: c:\7bnhtb.exe
depth 72 | PID 4808 | \??\c:\3dvjv.exe | cmd: c:\3dvjv.exe
depth 73 | PID 4772 | \??\c:\xlrffxx.exe | cmd: c:\xlrffxx.exe
depth 74 | PID 4412 | \??\c:\1llffxf.exe | cmd: c:\1llffxf.exe
depth 75 | PID 4300 | \??\c:\3bbnhh.exe | cmd: c:\3bbnhh.exe
depth 76 | PID 2188 | \??\c:\djdjj.exe | cmd: c:\djdjj.exe
depth 77 | PID 2432 | \??\c:\5nnhnn.exe | cmd: c:\5nnhnn.exe
depth 78 | PID 2776 | \??\c:\dvpdp.exe | cmd: c:\dvpdp.exe
depth 79 | PID 4200 | \??\c:\djdpd.exe | cmd: c:\djdpd.exe
depth 80 | PID 4940 | \??\c:\1xfxxff.exe | cmd: c:\1xfxxff.exe
depth 81 | PID 4620 | \??\c:\lxxxxxx.exe | cmd: c:\lxxxxxx.exe
depth 82 | PID 3308 | \??\c:\hntnhh.exe | cmd: c:\hntnhh.exe
depth 83 | PID 4656 | \??\c:\hnnbnn.exe | cmd: c:\hnnbnn.exe
depth 84 | PID 1508 | \??\c:\9jdvj.exe | cmd: c:\9jdvj.exe
depth 85 | PID 1364 | \??\c:\xrlfxxr.exe | cmd: c:\xrlfxxr.exe
depth 86 | PID 3936 | \??\c:\fxxfrlx.exe | cmd: c:\fxxfrlx.exe
depth 87 | PID 1544 | \??\c:\bhthnb.exe | cmd: c:\bhthnb.exe
depth 88 | PID 3340 | \??\c:\vpvvv.exe | cmd: c:\vpvvv.exe
depth 89 | PID 5088 | \??\c:\7vddp.exe | cmd: c:\7vddp.exe
depth 90 | PID 2104 | \??\c:\frrlxxx.exe | cmd: c:\frrlxxx.exe
depth 91 | PID 4812 | \??\c:\htbbtb.exe | cmd: c:\htbbtb.exe
depth 92 | PID 5040 | \??\c:\vpppd.exe | cmd: c:\vpppd.exe
depth 93 | PID 4348 | \??\c:\jdjjj.exe | cmd: c:\jdjjj.exe
depth 94 | PID 372 | \??\c:\lfrfxrf.exe | cmd: c:\lfrfxrf.exe
depth 95 | PID 2540 | \??\c:\hnbbtt.exe | cmd: c:\hnbbtt.exe
depth 96 | PID 3060 | \??\c:\nbttnh.exe | cmd: c:\nbttnh.exe
depth 97 | PID 2192 | \??\c:\djvdp.exe | cmd: c:\djvdp.exe
depth 98 | PID 320 | \??\c:\pjvpj.exe | cmd: c:\pjvpj.exe
depth 99 | PID 4324 | \??\c:\7flfxrr.exe | cmd: c:\7flfxrr.exe
depth 100 | PID 4520 | \??\c:\xrrrrrr.exe | cmd: c:\xrrrrrr.exe
depth 101 | PID 3124 | \??\c:\hnttnn.exe | cmd: c:\hnttnn.exe
depth 102 | PID 3736 | \??\c:\pjdpd.exe | cmd: c:\pjdpd.exe
depth 103 | PID 4600 | \??\c:\7pjdp.exe | cmd: c:\7pjdp.exe
depth 104 | PID 1100 | \??\c:\5rxrlll.exe | cmd: c:\5rxrlll.exe
depth 105 | PID 4128 | \??\c:\lrxxrrr.exe | cmd: c:\lrxxrrr.exe
depth 106 | PID 3148 | \??\c:\tnhbtt.exe | cmd: c:\tnhbtt.exe
depth 107 | PID 4752 | \??\c:\nhhhhh.exe | cmd: c:\nhhhhh.exe
depth 108 | PID 2212 | \??\c:\pppjd.exe | cmd: c:\pppjd.exe
depth 109 | PID 3988 | \??\c:\dppjv.exe | cmd: c:\dppjv.exe
depth 110 | PID 2588 | \??\c:\rxffxxr.exe | cmd: c:\rxffxxr.exe
depth 111 | PID 1536 | \??\c:\rfllffx.exe | cmd: c:\rfllffx.exe
depth 112 | PID 228 | \??\c:\ttnhbt.exe | cmd: c:\ttnhbt.exe
depth 113 | PID 1356 | \??\c:\jjpjv.exe | cmd: c:\jjpjv.exe
depth 114 | PID 3924 | \??\c:\vdddv.exe | cmd: c:\vdddv.exe
depth 115 | PID 3324 | \??\c:\1lrlllr.exe | cmd: c:\1lrlllr.exe
depth 116 | PID 1460 | \??\c:\lrxxlfx.exe | cmd: c:\lrxxlfx.exe
depth 117 | PID 4784 | \??\c:\nhbnhh.exe | cmd: c:\nhbnhh.exe | System Location Discovery: System Language Discovery
depth 118 | PID 3464 | \??\c:\vpjdd.exe | cmd: c:\vpjdd.exe
depth 119 | PID 4776 | \??\c:\1lrlrlf.exe | cmd: c:\1lrlrlf.exe
depth 120 | PID 1532 | \??\c:\3lllffx.exe | cmd: c:\3lllffx.exe
depth 121 | PID 1492 | \??\c:\hhbbnn.exe | cmd: c:\hhbbnn.exe
depth 122 | PID 3752 | \??\c:\bbnnbh.exe | cmd: c:\bbnnbh.exe