Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
04/02/2025, 20:51
Static task
static1
Behavioral task
behavioral1
Sample
bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8dN.exe
Resource
win7-20240903-en
General
-
Target
bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8dN.exe
-
Size
454KB
-
MD5
5ed1e612d3273688a8f59f0fff22d710
-
SHA1
9072bf735269e4c2fad6c94ae00ff65d6b771ef5
-
SHA256
bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8d
-
SHA512
19a97cc9e661526f4ed3292d034c5dedc9d8ed634336777901c08eddbedb7f43ab29fbf387e4e8a3ddc7b59d25544adeb6f1b084dda2564e0151b6e0caa5f43d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/324-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1020-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2700-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-1098-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-1189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4680 nhnhtt.exe 3200 vjdpd.exe 2016 rxlxlrf.exe 4996 fllfxrf.exe 1208 nnhthb.exe 2628 xrrxxfl.exe 5024 fllxlrl.exe 5048 vvvpd.exe 3372 ththbt.exe 652 nbbthb.exe 4384 hhhtbt.exe 1700 rlfrfxr.exe 2696 frrffxx.exe 116 pjpjd.exe 760 lflxrrx.exe 836 jjjjj.exe 2400 rxxlxrr.exe 2304 lrlfrlr.exe 4084 dpjdv.exe 4080 llrffrr.exe 896 fxxrfxl.exe 1596 9bthtn.exe 828 3xxlfxr.exe 2612 thbbhn.exe 1544 xffxllf.exe 4888 frfxxrx.exe 4388 ttbtnb.exe 4828 1vpjd.exe 2300 hthnht.exe 5044 3jdpd.exe 1136 ttnbnh.exe 1020 5ppjd.exe 1060 hhnbnh.exe 1392 bttnhn.exe 3688 dvvdv.exe 3396 pjdvp.exe 3728 frxfrxl.exe 3016 hnnnbt.exe 4172 3dvvp.exe 2220 rffxlff.exe 1492 bntnhh.exe 1176 pvvjv.exe 3952 5dddd.exe 2408 rxfxlrl.exe 1956 7nnbnn.exe 1300 vjpjd.exe 620 xffxrll.exe 4696 jjpjp.exe 2432 7ddpd.exe 3200 rllfxrr.exe 3156 fllflfr.exe 4996 ntbbbh.exe 4140 jvdpp.exe 3740 3lffxxr.exe 1208 llxxrrr.exe 3908 hnhbtn.exe 3616 djjjv.exe 5024 fxrrlfl.exe 4892 ffrrffx.exe 884 tnbtht.exe 2512 jdvvj.exe 792 lffrffl.exe 2712 rlllrrx.exe 3392 btbbbb.exe -
resource yara_rule behavioral2/memory/324-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-187-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1060-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3884-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-772-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempts to gather information about the victim host's system language (here by opening the NLS\Language registry key) in order to infer the host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 324 wrote to memory of 4680 324 bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8dN.exe 82 PID 324 wrote to memory of 4680 324 bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8dN.exe 82 PID 324 wrote to memory of 4680 324 bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8dN.exe 82 PID 4680 wrote to memory of 3200 4680 nhnhtt.exe 83 PID 4680 wrote to memory of 3200 4680 nhnhtt.exe 83 PID 4680 wrote to memory of 3200 4680 nhnhtt.exe 83 PID 3200 wrote to memory of 2016 3200 vjdpd.exe 84 PID 3200 wrote to memory of 2016 3200 vjdpd.exe 84 PID 3200 wrote to memory of 2016 3200 vjdpd.exe 84 PID 2016 wrote to memory of 4996 2016 rxlxlrf.exe 85 PID 2016 wrote to memory of 4996 2016 rxlxlrf.exe 85 PID 2016 wrote to memory of 4996 2016 rxlxlrf.exe 85 PID 4996 wrote to memory of 1208 4996 fllfxrf.exe 86 PID 4996 wrote to memory of 1208 4996 fllfxrf.exe 86 PID 4996 wrote to memory of 1208 4996 fllfxrf.exe 86 PID 1208 wrote to memory of 2628 1208 nnhthb.exe 87 PID 1208 wrote to memory of 2628 1208 nnhthb.exe 87 PID 1208 wrote to memory of 2628 1208 nnhthb.exe 87 PID 2628 wrote to memory of 5024 2628 xrrxxfl.exe 88 PID 2628 wrote to memory of 5024 2628 xrrxxfl.exe 88 PID 2628 wrote to memory of 5024 2628 xrrxxfl.exe 88 PID 5024 wrote to memory of 5048 5024 fllxlrl.exe 89 PID 5024 wrote to memory of 5048 5024 fllxlrl.exe 89 PID 5024 wrote to memory of 5048 5024 fllxlrl.exe 89 PID 5048 wrote to memory of 3372 5048 vvvpd.exe 90 PID 5048 wrote to memory of 3372 5048 vvvpd.exe 90 PID 5048 wrote to memory of 3372 5048 vvvpd.exe 90 PID 3372 wrote to memory of 652 3372 ththbt.exe 91 PID 3372 wrote to memory of 652 3372 ththbt.exe 91 PID 3372 wrote to memory of 652 3372 ththbt.exe 91 PID 652 wrote to memory of 4384 652 nbbthb.exe 92 PID 652 wrote to memory of 4384 652 nbbthb.exe 92 PID 652 wrote to memory of 4384 652 nbbthb.exe 92 PID 4384 wrote to memory of 1700 4384 hhhtbt.exe 93 PID 4384 wrote to memory 
of 1700 4384 hhhtbt.exe 93 PID 4384 wrote to memory of 1700 4384 hhhtbt.exe 93 PID 1700 wrote to memory of 2696 1700 rlfrfxr.exe 94 PID 1700 wrote to memory of 2696 1700 rlfrfxr.exe 94 PID 1700 wrote to memory of 2696 1700 rlfrfxr.exe 94 PID 2696 wrote to memory of 116 2696 frrffxx.exe 95 PID 2696 wrote to memory of 116 2696 frrffxx.exe 95 PID 2696 wrote to memory of 116 2696 frrffxx.exe 95 PID 116 wrote to memory of 760 116 pjpjd.exe 96 PID 116 wrote to memory of 760 116 pjpjd.exe 96 PID 116 wrote to memory of 760 116 pjpjd.exe 96 PID 760 wrote to memory of 836 760 lflxrrx.exe 97 PID 760 wrote to memory of 836 760 lflxrrx.exe 97 PID 760 wrote to memory of 836 760 lflxrrx.exe 97 PID 836 wrote to memory of 2400 836 jjjjj.exe 98 PID 836 wrote to memory of 2400 836 jjjjj.exe 98 PID 836 wrote to memory of 2400 836 jjjjj.exe 98 PID 2400 wrote to memory of 2304 2400 rxxlxrr.exe 99 PID 2400 wrote to memory of 2304 2400 rxxlxrr.exe 99 PID 2400 wrote to memory of 2304 2400 rxxlxrr.exe 99 PID 2304 wrote to memory of 4084 2304 lrlfrlr.exe 100 PID 2304 wrote to memory of 4084 2304 lrlfrlr.exe 100 PID 2304 wrote to memory of 4084 2304 lrlfrlr.exe 100 PID 4084 wrote to memory of 4080 4084 dpjdv.exe 101 PID 4084 wrote to memory of 4080 4084 dpjdv.exe 101 PID 4084 wrote to memory of 4080 4084 dpjdv.exe 101 PID 4080 wrote to memory of 896 4080 llrffrr.exe 102 PID 4080 wrote to memory of 896 4080 llrffrr.exe 102 PID 4080 wrote to memory of 896 4080 llrffrr.exe 102 PID 896 wrote to memory of 1596 896 fxxrfxl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8dN.exe"C:\Users\Admin\AppData\Local\Temp\bb50202a6d331d8a125a36bbc51df529b247a082cdd091235012be23156f0c8dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\nhnhtt.exec:\nhnhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\vjdpd.exec:\vjdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\rxlxlrf.exec:\rxlxlrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\fllfxrf.exec:\fllfxrf.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\nnhthb.exec:\nnhthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\xrrxxfl.exec:\xrrxxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\fllxlrl.exec:\fllxlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\vvvpd.exec:\vvvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\ththbt.exec:\ththbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\nbbthb.exec:\nbbthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\hhhtbt.exec:\hhhtbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\rlfrfxr.exec:\rlfrfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\frrffxx.exec:\frrffxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\pjpjd.exec:\pjpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\lflxrrx.exec:\lflxrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\jjjjj.exec:\jjjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\rxxlxrr.exec:\rxxlxrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\lrlfrlr.exec:\lrlfrlr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\dpjdv.exec:\dpjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\llrffrr.exec:\llrffrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\fxxrfxl.exec:\fxxrfxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\9bthtn.exec:\9bthtn.exe23⤵
- Executes dropped EXE
PID:1596 -
\??\c:\3xxlfxr.exec:\3xxlfxr.exe24⤵
- Executes dropped EXE
PID:828 -
\??\c:\thbbhn.exec:\thbbhn.exe25⤵
- Executes dropped EXE
PID:2612 -
\??\c:\xffxllf.exec:\xffxllf.exe26⤵
- Executes dropped EXE
PID:1544 -
\??\c:\frfxxrx.exec:\frfxxrx.exe27⤵
- Executes dropped EXE
PID:4888 -
\??\c:\ttbtnb.exec:\ttbtnb.exe28⤵
- Executes dropped EXE
PID:4388 -
\??\c:\1vpjd.exec:\1vpjd.exe29⤵
- Executes dropped EXE
PID:4828 -
\??\c:\hthnht.exec:\hthnht.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300 -
\??\c:\3jdpd.exec:\3jdpd.exe31⤵
- Executes dropped EXE
PID:5044 -
\??\c:\ttnbnh.exec:\ttnbnh.exe32⤵
- Executes dropped EXE
PID:1136 -
\??\c:\5ppjd.exec:\5ppjd.exe33⤵
- Executes dropped EXE
PID:1020 -
\??\c:\hhnbnh.exec:\hhnbnh.exe34⤵
- Executes dropped EXE
PID:1060 -
\??\c:\bttnhn.exec:\bttnhn.exe35⤵
- Executes dropped EXE
PID:1392 -
\??\c:\dvvdv.exec:\dvvdv.exe36⤵
- Executes dropped EXE
PID:3688 -
\??\c:\pjdvp.exec:\pjdvp.exe37⤵
- Executes dropped EXE
PID:3396 -
\??\c:\frxfrxl.exec:\frxfrxl.exe38⤵
- Executes dropped EXE
PID:3728 -
\??\c:\hnnnbt.exec:\hnnnbt.exe39⤵
- Executes dropped EXE
PID:3016 -
\??\c:\3dvvp.exec:\3dvvp.exe40⤵
- Executes dropped EXE
PID:4172 -
\??\c:\rffxlff.exec:\rffxlff.exe41⤵
- Executes dropped EXE
PID:2220 -
\??\c:\bntnhh.exec:\bntnhh.exe42⤵
- Executes dropped EXE
PID:1492 -
\??\c:\pvvjv.exec:\pvvjv.exe43⤵
- Executes dropped EXE
PID:1176 -
\??\c:\5dddd.exec:\5dddd.exe44⤵
- Executes dropped EXE
PID:3952 -
\??\c:\rxfxlrl.exec:\rxfxlrl.exe45⤵
- Executes dropped EXE
PID:2408 -
\??\c:\7nnbnn.exec:\7nnbnn.exe46⤵
- Executes dropped EXE
PID:1956 -
\??\c:\vjpjd.exec:\vjpjd.exe47⤵
- Executes dropped EXE
PID:1300 -
\??\c:\xffxrll.exec:\xffxrll.exe48⤵
- Executes dropped EXE
PID:620 -
\??\c:\tbhthh.exec:\tbhthh.exe49⤵PID:4980
-
\??\c:\jjpjp.exec:\jjpjp.exe50⤵
- Executes dropped EXE
PID:4696 -
\??\c:\7ddpd.exec:\7ddpd.exe51⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rllfxrr.exec:\rllfxrr.exe52⤵
- Executes dropped EXE
PID:3200 -
\??\c:\fllflfr.exec:\fllflfr.exe53⤵
- Executes dropped EXE
PID:3156 -
\??\c:\ntbbbh.exec:\ntbbbh.exe54⤵
- Executes dropped EXE
PID:4996 -
\??\c:\jvdpp.exec:\jvdpp.exe55⤵
- Executes dropped EXE
PID:4140 -
\??\c:\3lffxxr.exec:\3lffxxr.exe56⤵
- Executes dropped EXE
PID:3740 -
\??\c:\llxxrrr.exec:\llxxrrr.exe57⤵
- Executes dropped EXE
PID:1208 -
\??\c:\hnhbtn.exec:\hnhbtn.exe58⤵
- Executes dropped EXE
PID:3908 -
\??\c:\djjjv.exec:\djjjv.exe59⤵
- Executes dropped EXE
PID:3616 -
\??\c:\fxrrlfl.exec:\fxrrlfl.exe60⤵
- Executes dropped EXE
PID:5024 -
\??\c:\ffrrffx.exec:\ffrrffx.exe61⤵
- Executes dropped EXE
PID:4892 -
\??\c:\tnbtht.exec:\tnbtht.exe62⤵
- Executes dropped EXE
PID:884 -
\??\c:\jdvvj.exec:\jdvvj.exe63⤵
- Executes dropped EXE
PID:2512 -
\??\c:\lffrffl.exec:\lffrffl.exe64⤵
- Executes dropped EXE
PID:792 -
\??\c:\rlllrrx.exec:\rlllrrx.exe65⤵
- Executes dropped EXE
PID:2712 -
\??\c:\btbbbb.exec:\btbbbb.exe66⤵
- Executes dropped EXE
PID:3392 -
\??\c:\7pjdd.exec:\7pjdd.exe67⤵PID:4856
-
\??\c:\9fxxlfx.exec:\9fxxlfx.exe68⤵PID:2696
-
\??\c:\7thhtb.exec:\7thhtb.exe69⤵PID:1664
-
\??\c:\ththtt.exec:\ththtt.exe70⤵PID:4588
-
\??\c:\pdvpj.exec:\pdvpj.exe71⤵PID:2700
-
\??\c:\fffrxrf.exec:\fffrxrf.exe72⤵PID:3092
-
\??\c:\bnnbnh.exec:\bnnbnh.exe73⤵PID:2660
-
\??\c:\bhbtnn.exec:\bhbtnn.exe74⤵PID:460
-
\??\c:\9pddj.exec:\9pddj.exe75⤵PID:3468
-
\??\c:\5llffll.exec:\5llffll.exe76⤵PID:3664
-
\??\c:\nhnntn.exec:\nhnntn.exe77⤵PID:1980
-
\??\c:\jvvpj.exec:\jvvpj.exe78⤵PID:3884
-
\??\c:\vpdvd.exec:\vpdvd.exe79⤵PID:2328
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe80⤵PID:524
-
\??\c:\bbhbhb.exec:\bbhbhb.exe81⤵PID:828
-
\??\c:\jjpjp.exec:\jjpjp.exe82⤵PID:4612
-
\??\c:\vppjp.exec:\vppjp.exe83⤵PID:1952
-
\??\c:\xfrlxxl.exec:\xfrlxxl.exe84⤵PID:2532
-
\??\c:\bnbtbb.exec:\bnbtbb.exe85⤵PID:3660
-
\??\c:\tttnhh.exec:\tttnhh.exe86⤵PID:1328
-
\??\c:\dpddp.exec:\dpddp.exe87⤵PID:1388
-
\??\c:\frlfrlx.exec:\frlfrlx.exe88⤵PID:2596
-
\??\c:\1bnnhn.exec:\1bnnhn.exe89⤵PID:3144
-
\??\c:\vjjdj.exec:\vjjdj.exe90⤵PID:2300
-
\??\c:\1jjjv.exec:\1jjjv.exe91⤵PID:1960
-
\??\c:\9rrfrrx.exec:\9rrfrrx.exe92⤵PID:4160
-
\??\c:\btnhtt.exec:\btnhtt.exe93⤵PID:3648
-
\??\c:\pdvvp.exec:\pdvvp.exe94⤵PID:3136
-
\??\c:\xlffxrr.exec:\xlffxrr.exe95⤵PID:3864
-
\??\c:\3hbtnn.exec:\3hbtnn.exe96⤵PID:3232
-
\??\c:\thbthh.exec:\thbthh.exe97⤵PID:1480
-
\??\c:\7jjdv.exec:\7jjdv.exe98⤵PID:3396
-
\??\c:\7lfxlxr.exec:\7lfxlxr.exe99⤵PID:3728
-
\??\c:\9rrlfff.exec:\9rrlfff.exe100⤵PID:3480
-
\??\c:\tnnbtt.exec:\tnnbtt.exe101⤵PID:4684
-
\??\c:\ppvpj.exec:\ppvpj.exe102⤵PID:1848
-
\??\c:\3pvpp.exec:\3pvpp.exe103⤵PID:5072
-
\??\c:\rxxfxxr.exec:\rxxfxxr.exe104⤵PID:4456
-
\??\c:\7nbtnh.exec:\7nbtnh.exe105⤵PID:872
-
\??\c:\7jpjj.exec:\7jpjj.exe106⤵PID:3720
-
\??\c:\lxfrffr.exec:\lxfrffr.exe107⤵PID:2408
-
\??\c:\tbhnhh.exec:\tbhnhh.exe108⤵PID:3924
-
\??\c:\dddvj.exec:\dddvj.exe109⤵PID:4336
-
\??\c:\vvvpj.exec:\vvvpj.exe110⤵PID:1444
-
\??\c:\rlxlxrx.exec:\rlxlxrx.exe111⤵PID:4220
-
\??\c:\ntthht.exec:\ntthht.exe112⤵PID:4004
-
\??\c:\vpdvv.exec:\vpdvv.exe113⤵PID:1140
-
\??\c:\fxlfffx.exec:\fxlfffx.exe114⤵PID:3988
-
\??\c:\rflfxrl.exec:\rflfxrl.exe115⤵PID:224
-
\??\c:\ttbnbt.exec:\ttbnbt.exe116⤵PID:3488
-
\??\c:\vjjdv.exec:\vjjdv.exe117⤵PID:4740
-
\??\c:\rxxlxlf.exec:\rxxlxlf.exe118⤵PID:3740
-
\??\c:\bhhtnh.exec:\bhhtnh.exe119⤵PID:4840
-
\??\c:\vddpj.exec:\vddpj.exe120⤵PID:3908
-
\??\c:\pppjd.exec:\pppjd.exe121⤵PID:1976
-
\??\c:\frxfrlx.exec:\frxfrlx.exe122⤵PID:4512
-