Analysis
max time kernel: 122s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/02/2025, 20:51

Static task: static1
Behavioral task: behavioral1
Sample: 27c8524482b53671b0f0d4194aa4ba70bb06bc6da78476e3e9ee081a13929373.exe
Resource: win7-20240903-en
General
Target: 27c8524482b53671b0f0d4194aa4ba70bb06bc6da78476e3e9ee081a13929373.exe
Size: 458KB
MD5: 129a485aaf7c0f83f4e1d2243531134d
SHA1: 69d288cadd9defb01c22fa5e4daa2c556f7da5b9
SHA256: 27c8524482b53671b0f0d4194aa4ba70bb06bc6da78476e3e9ee081a13929373
SHA512: f60f10ab6ac999d104fa1888d1b03a0b95c4a049e197a6f02de262f2403f0c5376c9be14e99221bd48997572a3de6a962b10588fcee5739dfe8083209990fe35
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2S:q7Tc2NYHUrAwfMp3CDR2S
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (63 IoCs)
resource                                                                 yara_rule
behavioral2/memory/1512-6-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral2/memory/4880-29-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1568-23-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1420-13-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/2300-8-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral2/memory/2392-41-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1140-48-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/4812-54-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/4732-60-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1936-64-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1924-72-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/3368-78-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/2372-83-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1500-89-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/2072-94-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/2412-99-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/3372-105-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/680-112-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/4884-115-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/4796-133-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/1964-143-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2552-141-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/740-154-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/32-158-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral2/memory/4528-164-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2384-180-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/3680-187-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/4356-192-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/732-196-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/4236-200-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2976-204-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/4936-208-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2360-212-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/1720-220-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/532-233-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/2468-240-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/4336-253-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/208-257-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1616-261-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/4900-265-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/1516-269-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/5092-279-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/976-283-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/4916-302-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2460-309-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/452-319-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/4904-323-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2880-345-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2564-349-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/536-356-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/4404-372-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/3680-412-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2644-465-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/4484-547-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/464-560-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/1480-564-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/1868-695-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/1724-780-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/368-811-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral2/memory/3604-924-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/4180-955-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2988-962-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral2/memory/2468-1075-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon

Executes dropped EXE (64 IoCs)
pid    Process
2300   5tbttt.exe
1420   1ddvp.exe
3344   lflfxrl.exe
1568   nntnnb.exe
4880   vvpjj.exe
2392   1jddv.exe
1140   rxfxrll.exe
4812   rrxffff.exe
4732   bbhbtt.exe
1936   dpjdp.exe
1924   jppjd.exe
3368   9xrlxxr.exe
2372   pvpjd.exe
1500   rlrffxr.exe
2072   hhhbbb.exe
2412   vvvpj.exe
3372   lrlllrr.exe
4884   9dvpj.exe
680    xrrrrll.exe
436    5nnhhn.exe
884    1vjjp.exe
4796   lrffxxx.exe
1964   5vdvj.exe
2552   rffxrlf.exe
740    xrxxfxf.exe
32     nhttnb.exe
4528   rllrlrl.exe
2744   ttbbhh.exe
448    jpvpp.exe
2384   9vvvp.exe
3680   fffxllf.exe
4356   jpvjj.exe
732    7frlxff.exe
4236   tttnhh.exe
2976   vpjpj.exe
4936   pppdv.exe
2360   5lfxffx.exe
968    1ttnhh.exe
1720   fxffxxr.exe
4896   btbtbt.exe
4648   jdjjj.exe
1868   lrfxxll.exe
532    jdjvp.exe
3088   xflflfx.exe
2468   9hnbhh.exe
4612   fxrrlll.exe
2424   hnnnhh.exe
3832   dddvp.exe
4336   7flfrlx.exe
208    nbhbtb.exe
1616   5vpdv.exe
4900   lflffrl.exe
1516   9nhhbb.exe
1512   5djdv.exe
4456   llrxrxx.exe
5092   nbnbbb.exe
976    bntnhb.exe
1108   pvvpp.exe
1380   xrfxrrl.exe
1400   tbhhhn.exe
788    dvdvp.exe
1876   ddvpd.exe
4916   flrfxrf.exe
876    tnhtnh.exe

yara_rule upx (64 IoCs)
resource                                                                 yara_rule
behavioral2/memory/1512-6-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral2/memory/2392-35-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4880-29-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1568-23-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1420-13-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/2300-8-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral2/memory/2392-41-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1140-48-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4812-54-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4732-60-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1936-64-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1924-72-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/3368-78-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/2372-83-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1500-89-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/2072-94-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/2412-99-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/3372-105-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/680-112-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4884-115-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/4796-133-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/1964-136-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/1964-143-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2552-141-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/32-155-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral2/memory/740-154-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/32-158-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral2/memory/4528-164-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2384-180-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/3680-187-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/4356-192-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/732-196-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4236-200-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2976-204-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/4936-208-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2360-212-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/1720-215-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/1720-220-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/532-233-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/2468-240-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/4336-253-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/208-257-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1616-261-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/4900-265-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/1516-269-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/5092-279-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/976-283-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4916-302-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2460-309-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/452-319-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4904-323-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2880-345-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2564-349-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/536-356-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/4404-372-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/3680-412-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/2644-465-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/4484-547-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/464-560-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral2/memory/1480-564-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/32-601-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral2/memory/1868-695-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/1724-780-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral2/memory/368-811-0x0000000000400000-0x000000000042A000-memory.dmp    upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Every IoC in this signature is the same registry read: description "Key opened", ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The Process column, in the order reported (runs of identical entries collapsed):
Process not Found (x2)
bbbnhh.exe
djpdv.exe
Process not Found (x4)
5vvpd.exe
Process not Found (x3)
nhhhbb.exe
Process not Found (x2)
bbnhhb.exe
llfxllf.exe
fxrlffx.exe
Process not Found
hbthbt.exe
Process not Found (x8)
vddvp.exe
hbnhbt.exe
3bnnhn.exe
Process not Found (x3)
rrrlfxr.exe
Process not Found (x8)
fxxrlff.exe
3ntntt.exe
Process not Found (x4)
27c8524482b53671b0f0d4194aa4ba70bb06bc6da78476e3e9ee081a13929373.exe
Process not Found (x8)
vvvdp.exe
Process not Found (x2)
nnntnn.exe
btbnnh.exe
xrrlffx.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each row is the description "PID <pid> wrote to memory of <target pid>"; every write except the last is reported three times in the source (x3), which is why 22 distinct parent/child pairs account for 64 IoCs.
pid    Process                                                                  target pid   procid_target
1512   27c8524482b53671b0f0d4194aa4ba70bb06bc6da78476e3e9ee081a13929373.exe   2300         82   (x3)
2300   5tbttt.exe                                                               1420         83   (x3)
1420   1ddvp.exe                                                                3344         84   (x3)
3344   lflfxrl.exe                                                              1568         85   (x3)
1568   nntnnb.exe                                                               4880         86   (x3)
4880   vvpjj.exe                                                                2392         87   (x3)
2392   1jddv.exe                                                                1140         88   (x3)
1140   rxfxrll.exe                                                              4812         89   (x3)
4812   rrxffff.exe                                                              4732         90   (x3)
4732   bbhbtt.exe                                                               1936         91   (x3)
1936   dpjdp.exe                                                                1924         92   (x3)
1924   jppjd.exe                                                                3368         93   (x3)
3368   9xrlxxr.exe                                                              2372         94   (x3)
2372   pvpjd.exe                                                                1500         95   (x3)
1500   rlrffxr.exe                                                              2072         96   (x3)
2072   hhhbbb.exe                                                               2412         97   (x3)
2412   vvvpj.exe                                                                3372         98   (x3)
3372   lrlllrr.exe                                                              4884         99   (x3)
4884   9dvpj.exe                                                                680          100  (x3)
680    xrrrrll.exe                                                              436          101  (x3)
436    5nnhhn.exe                                                               884          102  (x3)
884    1vjjp.exe                                                                4796         103  (x1, list truncated at 64 IoCs)
Processes
The process tree is a single chain: each process is the child of the one listed above it, and the leading number is its depth in the tree. The first entry gives the image path and the quoted command line; for every dropped executable the command line is the image path without the \??\ prefix (for example c:\5tbttt.exe for \??\c:\5tbttt.exe). Signature hits are listed in brackets.

1    C:\Users\Admin\AppData\Local\Temp\27c8524482b53671b0f0d4194aa4ba70bb06bc6da78476e3e9ee081a13929373.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\27c8524482b53671b0f0d4194aa4ba70bb06bc6da78476e3e9ee081a13929373.exe"  PID:1512  [System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
2    \??\c:\5tbttt.exe    PID:2300  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3    \??\c:\1ddvp.exe     PID:1420  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4    \??\c:\lflfxrl.exe   PID:3344  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5    \??\c:\nntnnb.exe    PID:1568  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6    \??\c:\vvpjj.exe     PID:4880  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7    \??\c:\1jddv.exe     PID:2392  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8    \??\c:\rxfxrll.exe   PID:1140  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9    \??\c:\rrxffff.exe   PID:4812  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10   \??\c:\bbhbtt.exe    PID:4732  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11   \??\c:\dpjdp.exe     PID:1936  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12   \??\c:\jppjd.exe     PID:1924  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13   \??\c:\9xrlxxr.exe   PID:3368  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14   \??\c:\pvpjd.exe     PID:2372  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15   \??\c:\rlrffxr.exe   PID:1500  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16   \??\c:\hhhbbb.exe    PID:2072  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17   \??\c:\vvvpj.exe     PID:2412  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18   \??\c:\lrlllrr.exe   PID:3372  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19   \??\c:\9dvpj.exe     PID:4884  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20   \??\c:\xrrrrll.exe   PID:680   [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21   \??\c:\5nnhhn.exe    PID:436   [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22   \??\c:\1vjjp.exe     PID:884   [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23   \??\c:\lrffxxx.exe   PID:4796  [Executes dropped EXE]
24   \??\c:\5vdvj.exe     PID:1964  [Executes dropped EXE]
25   \??\c:\rffxrlf.exe   PID:2552  [Executes dropped EXE]
26   \??\c:\xrxxfxf.exe   PID:740   [Executes dropped EXE]
27   \??\c:\nhttnb.exe    PID:32    [Executes dropped EXE]
28   \??\c:\rllrlrl.exe   PID:4528  [Executes dropped EXE]
29   \??\c:\ttbbhh.exe    PID:2744  [Executes dropped EXE]
30   \??\c:\jpvpp.exe     PID:448   [Executes dropped EXE]
31   \??\c:\9vvvp.exe     PID:2384  [Executes dropped EXE]
32   \??\c:\fffxllf.exe   PID:3680  [Executes dropped EXE]
33   \??\c:\jpvjj.exe     PID:4356  [Executes dropped EXE]
34   \??\c:\7frlxff.exe   PID:732   [Executes dropped EXE]
35   \??\c:\tttnhh.exe    PID:4236  [Executes dropped EXE]
36   \??\c:\vpjpj.exe     PID:2976  [Executes dropped EXE]
37   \??\c:\pppdv.exe     PID:4936  [Executes dropped EXE]
38   \??\c:\5lfxffx.exe   PID:2360  [Executes dropped EXE]
39   \??\c:\1ttnhh.exe    PID:968   [Executes dropped EXE]
40   \??\c:\fxffxxr.exe   PID:1720  [Executes dropped EXE]
41   \??\c:\btbtbt.exe    PID:4896  [Executes dropped EXE]
42   \??\c:\jdjjj.exe     PID:4648  [Executes dropped EXE]
43   \??\c:\lrfxxll.exe   PID:1868  [Executes dropped EXE]
44   \??\c:\jdjvp.exe     PID:532   [Executes dropped EXE]
45   \??\c:\xflflfx.exe   PID:3088  [Executes dropped EXE]
46   \??\c:\9hnbhh.exe    PID:2468  [Executes dropped EXE]
47   \??\c:\fxrrlll.exe   PID:4612  [Executes dropped EXE]
48   \??\c:\hnnnhh.exe    PID:2424  [Executes dropped EXE]
49   \??\c:\dddvp.exe     PID:3832  [Executes dropped EXE]
50   \??\c:\7flfrlx.exe   PID:4336  [Executes dropped EXE]
51   \??\c:\nbhbtb.exe    PID:208   [Executes dropped EXE]
52   \??\c:\5vpdv.exe     PID:1616  [Executes dropped EXE]
53   \??\c:\lflffrl.exe   PID:4900  [Executes dropped EXE]
54   \??\c:\9nhhbb.exe    PID:1516  [Executes dropped EXE]
55   \??\c:\5djdv.exe     PID:1512  [Executes dropped EXE]
56   \??\c:\llrxrxx.exe   PID:4456  [Executes dropped EXE]
57   \??\c:\nbnbbb.exe    PID:5092  [Executes dropped EXE]
58   \??\c:\bntnhb.exe    PID:976   [Executes dropped EXE]
59   \??\c:\pvvpp.exe     PID:1108  [Executes dropped EXE]
60   \??\c:\xrfxrrl.exe   PID:1380  [Executes dropped EXE]
61   \??\c:\tbhhhn.exe    PID:1400  [Executes dropped EXE]
62   \??\c:\dvdvp.exe     PID:788   [Executes dropped EXE]
63   \??\c:\ddvpd.exe     PID:1876  [Executes dropped EXE]
64   \??\c:\flrfxrf.exe   PID:4916  [Executes dropped EXE]
65   \??\c:\tnhtnh.exe    PID:876   [Executes dropped EXE]
66   \??\c:\pjdpj.exe     PID:2460
67   \??\c:\rxxrrrx.exe   PID:4452
68   \??\c:\rrrfxll.exe   PID:3024
69   \??\c:\bbbtnh.exe    PID:452
70   \??\c:\pvvdv.exe     PID:4904
71   \??\c:\frlllll.exe   PID:1144
72   \??\c:\nnbthb.exe    PID:3664
73   \??\c:\xllrfxl.exe   PID:1088
74   \??\c:\rllfxlf.exe   PID:2540
75   \??\c:\3tbbhh.exe    PID:2672
76   \??\c:\9vppj.exe     PID:636
77   \??\c:\vjppj.exe     PID:2880
78   \??\c:\xffxxxr.exe   PID:2564
79   \??\c:\bbbtnn.exe    PID:3372
80   \??\c:\vdjvp.exe     PID:536
81   \??\c:\flfxrxr.exe   PID:3008
82   \??\c:\tttntt.exe    PID:3032
83   \??\c:\pvpjd.exe     PID:4172
84   \??\c:\vddvp.exe     PID:3012  [System Location Discovery: System Language Discovery]
85   \??\c:\rxfxxxr.exe   PID:4404
86   \??\c:\bthbtn.exe    PID:2516
87   \??\c:\jddvj.exe     PID:1124
88   \??\c:\vpjdj.exe     PID:3420
89   \??\c:\xrfxrlr.exe   PID:4940
90   \??\c:\nbbnbt.exe    PID:368
91   \??\c:\vvjvv.exe     PID:3668
92   \??\c:\1rrlflf.exe   PID:3100
93   \??\c:\fxfxrrf.exe   PID:3780
94   \??\c:\hbnhbt.exe    PID:1504  [System Location Discovery: System Language Discovery]
95   \??\c:\vvjpv.exe     PID:3288
96   \??\c:\vjjdv.exe     PID:2680
97   \??\c:\3rrlffr.exe   PID:2732
98   \??\c:\3ttnhb.exe    PID:3680
99   \??\c:\vdvpp.exe     PID:3496
100  \??\c:\9rlxrlf.exe   PID:1152
101  \??\c:\nntnnn.exe    PID:316
102  \??\c:\5pppj.exe     PID:1596
103  \??\c:\fxfrxrx.exe   PID:4444
104  \??\c:\lrrxxxf.exe   PID:5056
105  \??\c:\nntnhb.exe    PID:1660
106  \??\c:\djpjj.exe     PID:1384
107  \??\c:\lxfxrrl.exe   PID:1780
108  \??\c:\tbttnn.exe    PID:216
109  \??\c:\hbbtbb.exe    PID:2968
110  \??\c:\vpjvp.exe     PID:3228
111  \??\c:\9hbttt.exe    PID:1868
112  \??\c:\1jdvv.exe     PID:2104
113  \??\c:\7ppdv.exe     PID:3088
114  \??\c:\5rrlxxr.exe   PID:4284
115  \??\c:\3tntnn.exe    PID:2644
116  \??\c:\vvpdv.exe     PID:2636
117  \??\c:\9vvvd.exe     PID:4872
118  \??\c:\fllxrlx.exe   PID:2032
119  \??\c:\hhhhth.exe    PID:3868
120  \??\c:\pjjdv.exe     PID:1632
121  \??\c:\9rxxllf.exe   PID:4524
122  \??\c:\rxrlxxl.exe   PID:2388