Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
30-12-2024 20:36
Behavioral task
behavioral1
Sample
27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
150 seconds
General
-
Target
27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04.exe
-
Size
3.7MB
-
MD5
ddf90800de4b47fb26c03f6f646346e2
-
SHA1
3bb32a60164c10721200549fd060708370a0f661
-
SHA256
27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04
-
SHA512
21ec966e1ca53c1191f94811701fb9c3f11fe465275eccacf4c01f16c00f2fd14b3b6bcc198b5686b6bd0e4ce414d6180eaca4c00ecb03a4785516bdf54ebfca
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98q1:U6XLq/qPPslzKx/dJg1ErmNb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4532-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/876-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1544-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3684-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4336-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/832-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2548-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3944-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2124-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3944-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-571-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-629-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-645-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2928-694-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-732-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-811-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-866-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-906-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-1318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-1436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5108-1461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 368 frrrrff.exe 5060 nnnnhn.exe 1152 5pjvv.exe 952 vjppp.exe 3548 tthhtb.exe 876 bbnnhn.exe 1544 bbhbbh.exe 532 tbhhbh.exe 3884 9htnbb.exe 3952 3btthh.exe 4564 7lxrllf.exe 3684 nbhbhb.exe 4528 djdvj.exe 4664 rxlxrlx.exe 2428 pjvvp.exe 3600 5nthnn.exe 1904 5ttnnn.exe 1476 9hbhhh.exe 1960 htbbhh.exe 2308 xfrlfrr.exe 4076 fxxxlrr.exe 4336 ppjpp.exe 2204 pdppp.exe 4776 dppjp.exe 832 btnhbh.exe 4228 tnbhtb.exe 3540 ttbttt.exe 3900 jpvdv.exe 3324 7thbtb.exe 4264 hhbtnn.exe 4716 bnnhbh.exe 5020 rlfxxrx.exe 1792 btbttt.exe 4516 tbtnnh.exe 1668 xxlfxrl.exe 3356 5xfxfff.exe 4880 frrxrfx.exe 696 1llfxxx.exe 1440 jpdvp.exe 2876 jjpjv.exe 4860 jjjjj.exe 2548 dpvdd.exe 1004 vjjdv.exe 3660 nhbtnh.exe 4296 bbbbhh.exe 2024 htnhbb.exe 2912 7rlfffx.exe 4824 lfxrlxr.exe 1172 hnbbhh.exe 4044 bhhhbb.exe 5104 flrfffl.exe 764 rxrlllr.exe 3944 flxlfxx.exe 1520 fflrlrl.exe 1672 7rlfrxf.exe 2304 lrffxxr.exe 2460 xfxxrfx.exe 1180 fxfxrrl.exe 1288 rllxxfx.exe 636 xllffrl.exe 2156 fxlfxxf.exe 3976 ffxxrrr.exe 2232 rrfxrxl.exe 1380 xxfxrlf.exe -
resource yara_rule behavioral2/memory/4532-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bb6-3.dat upx behavioral2/memory/4532-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-9.dat upx behavioral2/memory/368-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c99-13.dat upx behavioral2/memory/5060-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1152-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-23.dat upx behavioral2/memory/952-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-28.dat upx behavioral2/memory/952-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3548-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-36.dat upx behavioral2/memory/876-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-41.dat upx behavioral2/memory/1544-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-47.dat upx behavioral2/files/0x0007000000023ca8-51.dat upx behavioral2/memory/532-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3884-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-59.dat upx behavioral2/files/0x0007000000023caa-64.dat upx behavioral2/memory/3952-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-70.dat upx behavioral2/memory/4564-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-76.dat upx behavioral2/memory/3684-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-82.dat upx behavioral2/memory/4528-84-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cae-88.dat upx behavioral2/memory/2428-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-93.dat upx behavioral2/files/0x0007000000023cb0-98.dat upx behavioral2/memory/3600-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-106.dat upx behavioral2/memory/1904-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1476-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-112.dat upx behavioral2/files/0x0007000000023cb3-115.dat upx behavioral2/memory/1960-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-122.dat upx behavioral2/memory/2308-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-127.dat upx behavioral2/memory/4076-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-133.dat upx behavioral2/memory/4336-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-139.dat upx behavioral2/memory/2204-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-145.dat upx behavioral2/memory/4776-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-151.dat upx behavioral2/memory/832-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-159.dat upx behavioral2/files/0x0007000000023cbb-162.dat upx behavioral2/memory/3540-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-168.dat upx behavioral2/memory/3324-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3900-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-175.dat upx behavioral2/files/0x0007000000023cbe-179.dat upx 
behavioral2/memory/4264-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-188.dat upx behavioral2/memory/4716-187-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xlrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9xfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4532 wrote to memory of 368 4532 27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04.exe 83 PID 4532 wrote to memory of 368 4532 27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04.exe 83 PID 4532 wrote to memory of 368 4532 27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04.exe 83 PID 368 wrote to memory of 5060 368 frrrrff.exe 84 PID 368 wrote to memory of 5060 368 frrrrff.exe 84 PID 368 wrote to memory of 5060 368 frrrrff.exe 84 PID 5060 wrote to memory of 1152 5060 nnnnhn.exe 85 PID 5060 wrote to memory of 1152 5060 nnnnhn.exe 85 PID 5060 wrote to memory of 1152 5060 nnnnhn.exe 85 PID 1152 wrote to memory of 952 1152 5pjvv.exe 86 PID 1152 wrote to memory of 952 1152 5pjvv.exe 86 PID 1152 wrote to memory of 952 1152 5pjvv.exe 86 PID 952 wrote to memory of 3548 952 vjppp.exe 87 PID 952 wrote to memory of 3548 952 vjppp.exe 87 PID 952 wrote to memory of 3548 952 vjppp.exe 87 PID 3548 wrote to memory of 876 3548 tthhtb.exe 88 PID 3548 wrote to memory of 876 3548 tthhtb.exe 88 PID 3548 wrote to memory of 876 3548 tthhtb.exe 88 PID 876 wrote to memory of 1544 876 bbnnhn.exe 89 PID 876 wrote to memory of 1544 876 bbnnhn.exe 89 PID 876 wrote to memory of 1544 876 bbnnhn.exe 89 PID 1544 wrote to memory of 532 1544 bbhbbh.exe 90 PID 1544 wrote to memory of 532 1544 bbhbbh.exe 90 PID 1544 wrote to memory of 532 1544 bbhbbh.exe 90 PID 532 wrote to memory of 3884 532 tbhhbh.exe 91 PID 532 wrote to memory of 3884 532 tbhhbh.exe 91 PID 532 wrote to memory of 3884 532 tbhhbh.exe 91 PID 3884 wrote to memory of 3952 3884 9htnbb.exe 92 PID 3884 wrote to memory of 3952 3884 9htnbb.exe 92 PID 3884 wrote to memory of 3952 3884 9htnbb.exe 92 PID 3952 wrote to memory of 4564 3952 3btthh.exe 93 PID 3952 wrote to memory of 4564 3952 3btthh.exe 93 PID 3952 wrote to memory of 4564 3952 3btthh.exe 93 PID 4564 wrote to memory of 3684 4564 7lxrllf.exe 94 PID 4564 wrote to memory of 3684 4564 7lxrllf.exe 94 PID 
4564 wrote to memory of 3684 4564 7lxrllf.exe 94 PID 3684 wrote to memory of 4528 3684 nbhbhb.exe 95 PID 3684 wrote to memory of 4528 3684 nbhbhb.exe 95 PID 3684 wrote to memory of 4528 3684 nbhbhb.exe 95 PID 4528 wrote to memory of 4664 4528 djdvj.exe 96 PID 4528 wrote to memory of 4664 4528 djdvj.exe 96 PID 4528 wrote to memory of 4664 4528 djdvj.exe 96 PID 4664 wrote to memory of 2428 4664 rxlxrlx.exe 97 PID 4664 wrote to memory of 2428 4664 rxlxrlx.exe 97 PID 4664 wrote to memory of 2428 4664 rxlxrlx.exe 97 PID 2428 wrote to memory of 3600 2428 pjvvp.exe 98 PID 2428 wrote to memory of 3600 2428 pjvvp.exe 98 PID 2428 wrote to memory of 3600 2428 pjvvp.exe 98 PID 3600 wrote to memory of 1904 3600 5nthnn.exe 99 PID 3600 wrote to memory of 1904 3600 5nthnn.exe 99 PID 3600 wrote to memory of 1904 3600 5nthnn.exe 99 PID 1904 wrote to memory of 1476 1904 5ttnnn.exe 100 PID 1904 wrote to memory of 1476 1904 5ttnnn.exe 100 PID 1904 wrote to memory of 1476 1904 5ttnnn.exe 100 PID 1476 wrote to memory of 1960 1476 9hbhhh.exe 101 PID 1476 wrote to memory of 1960 1476 9hbhhh.exe 101 PID 1476 wrote to memory of 1960 1476 9hbhhh.exe 101 PID 1960 wrote to memory of 2308 1960 htbbhh.exe 103 PID 1960 wrote to memory of 2308 1960 htbbhh.exe 103 PID 1960 wrote to memory of 2308 1960 htbbhh.exe 103 PID 2308 wrote to memory of 4076 2308 xfrlfrr.exe 104 PID 2308 wrote to memory of 4076 2308 xfrlfrr.exe 104 PID 2308 wrote to memory of 4076 2308 xfrlfrr.exe 104 PID 4076 wrote to memory of 4336 4076 fxxxlrr.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04.exe"C:\Users\Admin\AppData\Local\Temp\27b54fbd039a92ee53eeb9a7bb255dc79675f8ed5a4f2c6f1d8fe7f7af0beb04.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\frrrrff.exec:\frrrrff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\nnnnhn.exec:\nnnnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\5pjvv.exec:\5pjvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\vjppp.exec:\vjppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\tthhtb.exec:\tthhtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\bbnnhn.exec:\bbnnhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\bbhbbh.exec:\bbhbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\tbhhbh.exec:\tbhhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\9htnbb.exec:\9htnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\3btthh.exec:\3btthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\7lxrllf.exec:\7lxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\nbhbhb.exec:\nbhbhb.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\djdvj.exec:\djdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\rxlxrlx.exec:\rxlxrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\pjvvp.exec:\pjvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\5nthnn.exec:\5nthnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\5ttnnn.exec:\5ttnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\9hbhhh.exec:\9hbhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\htbbhh.exec:\htbbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\xfrlfrr.exec:\xfrlfrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\fxxxlrr.exec:\fxxxlrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\ppjpp.exec:\ppjpp.exe23⤵
- Executes dropped EXE
PID:4336 -
\??\c:\pdppp.exec:\pdppp.exe24⤵
- Executes dropped EXE
PID:2204 -
\??\c:\dppjp.exec:\dppjp.exe25⤵
- Executes dropped EXE
PID:4776 -
\??\c:\btnhbh.exec:\btnhbh.exe26⤵
- Executes dropped EXE
PID:832 -
\??\c:\tnbhtb.exec:\tnbhtb.exe27⤵
- Executes dropped EXE
PID:4228 -
\??\c:\ttbttt.exec:\ttbttt.exe28⤵
- Executes dropped EXE
PID:3540 -
\??\c:\jpvdv.exec:\jpvdv.exe29⤵
- Executes dropped EXE
PID:3900 -
\??\c:\7thbtb.exec:\7thbtb.exe30⤵
- Executes dropped EXE
PID:3324 -
\??\c:\hhbtnn.exec:\hhbtnn.exe31⤵
- Executes dropped EXE
PID:4264 -
\??\c:\bnnhbh.exec:\bnnhbh.exe32⤵
- Executes dropped EXE
PID:4716 -
\??\c:\rlfxxrx.exec:\rlfxxrx.exe33⤵
- Executes dropped EXE
PID:5020 -
\??\c:\btbttt.exec:\btbttt.exe34⤵
- Executes dropped EXE
PID:1792 -
\??\c:\tbtnnh.exec:\tbtnnh.exe35⤵
- Executes dropped EXE
PID:4516 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe36⤵
- Executes dropped EXE
PID:1668 -
\??\c:\5xfxfff.exec:\5xfxfff.exe37⤵
- Executes dropped EXE
PID:3356 -
\??\c:\frrxrfx.exec:\frrxrfx.exe38⤵
- Executes dropped EXE
PID:4880 -
\??\c:\1llfxxx.exec:\1llfxxx.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:696 -
\??\c:\jpdvp.exec:\jpdvp.exe40⤵
- Executes dropped EXE
PID:1440 -
\??\c:\jjpjv.exec:\jjpjv.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
\??\c:\jjjjj.exec:\jjjjj.exe42⤵
- Executes dropped EXE
PID:4860 -
\??\c:\dpvdd.exec:\dpvdd.exe43⤵
- Executes dropped EXE
PID:2548 -
\??\c:\vjjdv.exec:\vjjdv.exe44⤵
- Executes dropped EXE
PID:1004 -
\??\c:\nhbtnh.exec:\nhbtnh.exe45⤵
- Executes dropped EXE
PID:3660 -
\??\c:\bbbbhh.exec:\bbbbhh.exe46⤵
- Executes dropped EXE
PID:4296 -
\??\c:\htnhbb.exec:\htnhbb.exe47⤵
- Executes dropped EXE
PID:2024 -
\??\c:\7rlfffx.exec:\7rlfffx.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\lfxrlxr.exec:\lfxrlxr.exe49⤵
- Executes dropped EXE
PID:4824 -
\??\c:\hnbbhh.exec:\hnbbhh.exe50⤵
- Executes dropped EXE
PID:1172 -
\??\c:\bhhhbb.exec:\bhhhbb.exe51⤵
- Executes dropped EXE
PID:4044 -
\??\c:\flrfffl.exec:\flrfffl.exe52⤵
- Executes dropped EXE
PID:5104 -
\??\c:\rxrlllr.exec:\rxrlllr.exe53⤵
- Executes dropped EXE
PID:764 -
\??\c:\flxlfxx.exec:\flxlfxx.exe54⤵
- Executes dropped EXE
PID:3944 -
\??\c:\fflrlrl.exec:\fflrlrl.exe55⤵
- Executes dropped EXE
PID:1520 -
\??\c:\7rlfrxf.exec:\7rlfrxf.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672 -
\??\c:\lrffxxr.exec:\lrffxxr.exe57⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xfxxrfx.exec:\xfxxrfx.exe58⤵
- Executes dropped EXE
PID:2460 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe59⤵
- Executes dropped EXE
PID:1180 -
\??\c:\rllxxfx.exec:\rllxxfx.exe60⤵
- Executes dropped EXE
PID:1288 -
\??\c:\xllffrl.exec:\xllffrl.exe61⤵
- Executes dropped EXE
PID:636 -
\??\c:\fxlfxxf.exec:\fxlfxxf.exe62⤵
- Executes dropped EXE
PID:2156 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe63⤵
- Executes dropped EXE
PID:3976 -
\??\c:\rrfxrxl.exec:\rrfxrxl.exe64⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe65⤵
- Executes dropped EXE
PID:1380 -
\??\c:\xxffxll.exec:\xxffxll.exe66⤵PID:5096
-
\??\c:\fflfrrl.exec:\fflfrrl.exe67⤵PID:3960
-
\??\c:\pdvpd.exec:\pdvpd.exe68⤵PID:1476
-
\??\c:\1dpjj.exec:\1dpjj.exe69⤵PID:4500
-
\??\c:\ppjpj.exec:\ppjpj.exe70⤵PID:1308
-
\??\c:\1dpjd.exec:\1dpjd.exe71⤵PID:4428
-
\??\c:\jjdvd.exec:\jjdvd.exe72⤵PID:2336
-
\??\c:\bbnhhn.exec:\bbnhhn.exe73⤵PID:3444
-
\??\c:\nhhhbb.exec:\nhhhbb.exe74⤵PID:4704
-
\??\c:\bbbtth.exec:\bbbtth.exe75⤵PID:2528
-
\??\c:\nbhbbh.exec:\nbhbbh.exe76⤵PID:4728
-
\??\c:\frllfff.exec:\frllfff.exe77⤵PID:2004
-
\??\c:\tbhbhh.exec:\tbhbhh.exe78⤵PID:3452
-
\??\c:\frfxlxx.exec:\frfxlxx.exe79⤵PID:4576
-
\??\c:\7rlfffx.exec:\7rlfffx.exe80⤵PID:2124
-
\??\c:\1xxrllf.exec:\1xxrllf.exe81⤵
- System Location Discovery: System Language Discovery
PID:4424 -
\??\c:\xffxxff.exec:\xffxxff.exe82⤵PID:2012
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe83⤵PID:3012
-
\??\c:\9ffffff.exec:\9ffffff.exe84⤵PID:436
-
\??\c:\jjpjd.exec:\jjpjd.exe85⤵PID:4324
-
\??\c:\ddddv.exec:\ddddv.exe86⤵PID:2920
-
\??\c:\vddpj.exec:\vddpj.exe87⤵PID:5100
-
\??\c:\vpjjd.exec:\vpjjd.exe88⤵PID:3644
-
\??\c:\vjppp.exec:\vjppp.exe89⤵PID:1012
-
\??\c:\djjpd.exec:\djjpd.exe90⤵PID:4388
-
\??\c:\jvpjd.exec:\jvpjd.exe91⤵PID:3172
-
\??\c:\ntnnbt.exec:\ntnnbt.exe92⤵PID:3968
-
\??\c:\jpvvv.exec:\jpvvv.exe93⤵PID:3076
-
\??\c:\3tbnhh.exec:\3tbnhh.exe94⤵PID:1876
-
\??\c:\nhnnbb.exec:\nhnnbb.exe95⤵PID:4504
-
\??\c:\nhbthh.exec:\nhbthh.exe96⤵PID:1036
-
\??\c:\frrlxxl.exec:\frrlxxl.exe97⤵PID:1516
-
\??\c:\lrlfrrr.exec:\lrlfrrr.exe98⤵PID:2980
-
\??\c:\rrrflrr.exec:\rrrflrr.exe99⤵PID:1452
-
\??\c:\xfxrlrl.exec:\xfxrlrl.exe100⤵PID:2960
-
\??\c:\frxlxxl.exec:\frxlxxl.exe101⤵PID:4768
-
\??\c:\fxxxxxr.exec:\fxxxxxr.exe102⤵PID:3060
-
\??\c:\fflfllx.exec:\fflfllx.exe103⤵PID:3388
-
\??\c:\lxrrlrl.exec:\lxrrlrl.exe104⤵PID:4924
-
\??\c:\lxxrrlf.exec:\lxxrrlf.exe105⤵PID:5060
-
\??\c:\9llrllf.exec:\9llrllf.exe106⤵PID:3132
-
\??\c:\rffrxxl.exec:\rffrxxl.exe107⤵PID:3516
-
\??\c:\fxxxrfx.exec:\fxxxrfx.exe108⤵PID:3944
-
\??\c:\lxrrlrr.exec:\lxrrlrr.exe109⤵PID:1520
-
\??\c:\ffrrlrf.exec:\ffrrlrf.exe110⤵PID:4080
-
\??\c:\rrfrlrr.exec:\rrfrlrr.exe111⤵PID:544
-
\??\c:\rlrrxrx.exec:\rlrrxrx.exe112⤵PID:2536
-
\??\c:\pddvp.exec:\pddvp.exe113⤵PID:2232
-
\??\c:\5vvjd.exec:\5vvjd.exe114⤵PID:2136
-
\??\c:\3dvpj.exec:\3dvpj.exe115⤵PID:5040
-
\??\c:\vdjdj.exec:\vdjdj.exe116⤵PID:3372
-
\??\c:\jvjdv.exec:\jvjdv.exe117⤵PID:1676
-
\??\c:\7pjjj.exec:\7pjjj.exe118⤵PID:1960
-
\??\c:\nntnhh.exec:\nntnhh.exe119⤵PID:1504
-
\??\c:\htnbtt.exec:\htnbtt.exe120⤵PID:2884
-
\??\c:\nthtth.exec:\nthtth.exe121⤵PID:2336
-
\??\c:\5htnhn.exec:\5htnhn.exe122⤵PID:3444