Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
25/03/2025, 11:22
Static task
static1
Behavioral task
behavioral1
Sample
bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387.exe
Resource
win7-20241010-en
General
-
Target
bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387.exe
-
Size
457KB
-
MD5
5d4abf117033436a48a3834cf4fac176
-
SHA1
05124be2c9adf5931f5215212f6dc27dc9e1f2b1
-
SHA256
bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387
-
SHA512
0a2160d829a6233756d356348bad29fe21c9eb2706fa05e4ea58e9f5bb5c00f8974aa75bac843fdbfaa0400329d080fb87cf55cbb75a991ddf4e16fc10e1cac2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSHy:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1824-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5544-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5160-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5436-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5604-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3480-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5568-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5292-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6084-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1604-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5740-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5556-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4424-1927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list below appears to be capped at 64 entries: it stops at 9nnhbb.exe, which is depth 65 in the process tree further down, while the tree itself continues to depth 122 with later processes carrying no "Executes dropped EXE" tag; treat the count as a display limit, not the true number of dropped executables)
pid Process 5160 xffxrll.exe 5544 tnbhbt.exe 2808 xfxrlrr.exe 2384 tthtnh.exe 5436 tnhtnn.exe 112 dvjdv.exe 2364 rffrlfx.exe 2456 tnnbnh.exe 4052 jvdvp.exe 1040 ppvpj.exe 3680 xrlllrr.exe 4360 nbhbtt.exe 4384 3pdpd.exe 4508 xxfxrrl.exe 5100 nthtth.exe 4424 1pjdv.exe 4736 hbhbbt.exe 1480 fffrfxr.exe 2668 xrfrxrx.exe 4592 bthhnh.exe 5660 ppvdv.exe 4700 hbhbnh.exe 4704 3nhthn.exe 5604 fxrrllf.exe 2252 rlrlfxx.exe 1740 djppj.exe 5032 lflfrlf.exe 4336 rrlfxxr.exe 1820 9xxfxxr.exe 3436 lffxllx.exe 6024 hbhbtt.exe 2940 rlrlflf.exe 3480 nbbtnh.exe 1620 hbhnbt.exe 2004 jppjd.exe 632 thtnnn.exe 5608 hthtnb.exe 5248 rxffffx.exe 3224 lxxrlfr.exe 5724 nhhtnn.exe 5568 ppvpj.exe 2948 3pdpj.exe 3964 rlflrxf.exe 4464 ttnhth.exe 4188 pjjdv.exe 5628 jvvjd.exe 3128 rxfrfrl.exe 4804 7bbtnt.exe 4020 bnnnhb.exe 5292 jvvjp.exe 6084 lrrllll.exe 1424 lflfllf.exe 4460 tbtnbt.exe 1732 pdpjd.exe 3996 pjpvv.exe 3184 llfxrlf.exe 2972 nhbtnt.exe 3708 dpjjd.exe 3460 vdpjj.exe 4572 xllfrxl.exe 3568 nhnhtn.exe 552 jvdvp.exe 2184 fflfxrl.exe 4868 9nnhbb.exe -
resource yara_rule behavioral2/memory/1824-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5544-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5160-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5436-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5660-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5604-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3436-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5568-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5292-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6084-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3320-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6044-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5740-561-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by opening the NLS\Language registry key) in order to infer the geographical location of that host. Note that many entries below are attributed to "Process not Found": the process had already exited by the time the event was attributed, so the per-process attribution is incomplete even though the key access was observed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes three times into the PID it has just spawned, and the target is always the next link in the chain below; this pattern is consistent with the writes a parent performs into a freshly created child at process-creation time rather than injection into an unrelated process. PIDs are reused during the run — e.g. 5544, 2808, 5436, 5100 and 4424 each appear twice in the process tree — so correlate memory dumps by their dump name and offset index, not by PID alone.)
description pid Process procid_target PID 1824 wrote to memory of 5160 1824 bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387.exe 86 PID 1824 wrote to memory of 5160 1824 bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387.exe 86 PID 1824 wrote to memory of 5160 1824 bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387.exe 86 PID 5160 wrote to memory of 5544 5160 xffxrll.exe 87 PID 5160 wrote to memory of 5544 5160 xffxrll.exe 87 PID 5160 wrote to memory of 5544 5160 xffxrll.exe 87 PID 5544 wrote to memory of 2808 5544 tnbhbt.exe 88 PID 5544 wrote to memory of 2808 5544 tnbhbt.exe 88 PID 5544 wrote to memory of 2808 5544 tnbhbt.exe 88 PID 2808 wrote to memory of 2384 2808 xfxrlrr.exe 89 PID 2808 wrote to memory of 2384 2808 xfxrlrr.exe 89 PID 2808 wrote to memory of 2384 2808 xfxrlrr.exe 89 PID 2384 wrote to memory of 5436 2384 tthtnh.exe 90 PID 2384 wrote to memory of 5436 2384 tthtnh.exe 90 PID 2384 wrote to memory of 5436 2384 tthtnh.exe 90 PID 5436 wrote to memory of 112 5436 tnhtnn.exe 91 PID 5436 wrote to memory of 112 5436 tnhtnn.exe 91 PID 5436 wrote to memory of 112 5436 tnhtnn.exe 91 PID 112 wrote to memory of 2364 112 dvjdv.exe 92 PID 112 wrote to memory of 2364 112 dvjdv.exe 92 PID 112 wrote to memory of 2364 112 dvjdv.exe 92 PID 2364 wrote to memory of 2456 2364 rffrlfx.exe 93 PID 2364 wrote to memory of 2456 2364 rffrlfx.exe 93 PID 2364 wrote to memory of 2456 2364 rffrlfx.exe 93 PID 2456 wrote to memory of 4052 2456 tnnbnh.exe 94 PID 2456 wrote to memory of 4052 2456 tnnbnh.exe 94 PID 2456 wrote to memory of 4052 2456 tnnbnh.exe 94 PID 4052 wrote to memory of 1040 4052 jvdvp.exe 97 PID 4052 wrote to memory of 1040 4052 jvdvp.exe 97 PID 4052 wrote to memory of 1040 4052 jvdvp.exe 97 PID 1040 wrote to memory of 3680 1040 ppvpj.exe 98 PID 1040 wrote to memory of 3680 1040 ppvpj.exe 98 PID 1040 wrote to memory of 3680 1040 ppvpj.exe 98 PID 3680 wrote to memory of 4360 3680 xrlllrr.exe 99 PID 3680 wrote to memory of 
4360 3680 xrlllrr.exe 99 PID 3680 wrote to memory of 4360 3680 xrlllrr.exe 99 PID 4360 wrote to memory of 4384 4360 nbhbtt.exe 100 PID 4360 wrote to memory of 4384 4360 nbhbtt.exe 100 PID 4360 wrote to memory of 4384 4360 nbhbtt.exe 100 PID 4384 wrote to memory of 4508 4384 3pdpd.exe 101 PID 4384 wrote to memory of 4508 4384 3pdpd.exe 101 PID 4384 wrote to memory of 4508 4384 3pdpd.exe 101 PID 4508 wrote to memory of 5100 4508 xxfxrrl.exe 103 PID 4508 wrote to memory of 5100 4508 xxfxrrl.exe 103 PID 4508 wrote to memory of 5100 4508 xxfxrrl.exe 103 PID 5100 wrote to memory of 4424 5100 nthtth.exe 104 PID 5100 wrote to memory of 4424 5100 nthtth.exe 104 PID 5100 wrote to memory of 4424 5100 nthtth.exe 104 PID 4424 wrote to memory of 4736 4424 1pjdv.exe 105 PID 4424 wrote to memory of 4736 4424 1pjdv.exe 105 PID 4424 wrote to memory of 4736 4424 1pjdv.exe 105 PID 4736 wrote to memory of 1480 4736 hbhbbt.exe 106 PID 4736 wrote to memory of 1480 4736 hbhbbt.exe 106 PID 4736 wrote to memory of 1480 4736 hbhbbt.exe 106 PID 1480 wrote to memory of 2668 1480 fffrfxr.exe 107 PID 1480 wrote to memory of 2668 1480 fffrfxr.exe 107 PID 1480 wrote to memory of 2668 1480 fffrfxr.exe 107 PID 2668 wrote to memory of 4592 2668 xrfrxrx.exe 108 PID 2668 wrote to memory of 4592 2668 xrfrxrx.exe 108 PID 2668 wrote to memory of 4592 2668 xrfrxrx.exe 108 PID 4592 wrote to memory of 5660 4592 bthhnh.exe 109 PID 4592 wrote to memory of 5660 4592 bthhnh.exe 109 PID 4592 wrote to memory of 5660 4592 bthhnh.exe 109 PID 5660 wrote to memory of 4700 5660 ppvdv.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387.exe"C:\Users\Admin\AppData\Local\Temp\bd2f8780c1968f9070d0a2ef71d8924e1b1792492b90804fcd95fa22e6f5f387.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\xffxrll.exec:\xffxrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5160 -
\??\c:\tnbhbt.exec:\tnbhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5544 -
\??\c:\xfxrlrr.exec:\xfxrlrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\tthtnh.exec:\tthtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\tnhtnn.exec:\tnhtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5436 -
\??\c:\dvjdv.exec:\dvjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\rffrlfx.exec:\rffrlfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\tnnbnh.exec:\tnnbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\jvdvp.exec:\jvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\ppvpj.exec:\ppvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\xrlllrr.exec:\xrlllrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\nbhbtt.exec:\nbhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\3pdpd.exec:\3pdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\nthtth.exec:\nthtth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\1pjdv.exec:\1pjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\hbhbbt.exec:\hbhbbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\fffrfxr.exec:\fffrfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\xrfrxrx.exec:\xrfrxrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\bthhnh.exec:\bthhnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\ppvdv.exec:\ppvdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5660 -
\??\c:\hbhbnh.exec:\hbhbnh.exe23⤵
- Executes dropped EXE
PID:4700 -
\??\c:\3nhthn.exec:\3nhthn.exe24⤵
- Executes dropped EXE
PID:4704 -
\??\c:\fxrrllf.exec:\fxrrllf.exe25⤵
- Executes dropped EXE
PID:5604 -
\??\c:\rlrlfxx.exec:\rlrlfxx.exe26⤵
- Executes dropped EXE
PID:2252 -
\??\c:\djppj.exec:\djppj.exe27⤵
- Executes dropped EXE
PID:1740 -
\??\c:\lflfrlf.exec:\lflfrlf.exe28⤵
- Executes dropped EXE
PID:5032 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe29⤵
- Executes dropped EXE
PID:4336 -
\??\c:\9xxfxxr.exec:\9xxfxxr.exe30⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lffxllx.exec:\lffxllx.exe31⤵
- Executes dropped EXE
PID:3436 -
\??\c:\hbhbtt.exec:\hbhbtt.exe32⤵
- Executes dropped EXE
PID:6024 -
\??\c:\rlrlflf.exec:\rlrlflf.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nbbtnh.exec:\nbbtnh.exe34⤵
- Executes dropped EXE
PID:3480 -
\??\c:\hbhnbt.exec:\hbhnbt.exe35⤵
- Executes dropped EXE
PID:1620 -
\??\c:\jppjd.exec:\jppjd.exe36⤵
- Executes dropped EXE
PID:2004 -
\??\c:\thtnnn.exec:\thtnnn.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\hthtnb.exec:\hthtnb.exe38⤵
- Executes dropped EXE
PID:5608 -
\??\c:\rxffffx.exec:\rxffffx.exe39⤵
- Executes dropped EXE
PID:5248 -
\??\c:\lxxrlfr.exec:\lxxrlfr.exe40⤵
- Executes dropped EXE
PID:3224 -
\??\c:\nhhtnn.exec:\nhhtnn.exe41⤵
- Executes dropped EXE
PID:5724 -
\??\c:\ppvpj.exec:\ppvpj.exe42⤵
- Executes dropped EXE
PID:5568 -
\??\c:\3pdpj.exec:\3pdpj.exe43⤵
- Executes dropped EXE
PID:2948 -
\??\c:\rlflrxf.exec:\rlflrxf.exe44⤵
- Executes dropped EXE
PID:3964 -
\??\c:\ttnhth.exec:\ttnhth.exe45⤵
- Executes dropped EXE
PID:4464 -
\??\c:\pjjdv.exec:\pjjdv.exe46⤵
- Executes dropped EXE
PID:4188 -
\??\c:\jvvjd.exec:\jvvjd.exe47⤵
- Executes dropped EXE
PID:5628 -
\??\c:\rxfrfrl.exec:\rxfrfrl.exe48⤵
- Executes dropped EXE
PID:3128 -
\??\c:\7bbtnt.exec:\7bbtnt.exe49⤵
- Executes dropped EXE
PID:4804 -
\??\c:\bnnnhb.exec:\bnnnhb.exe50⤵
- Executes dropped EXE
PID:4020 -
\??\c:\jvvjp.exec:\jvvjp.exe51⤵
- Executes dropped EXE
PID:5292 -
\??\c:\lrrllll.exec:\lrrllll.exe52⤵
- Executes dropped EXE
PID:6084 -
\??\c:\lflfllf.exec:\lflfllf.exe53⤵
- Executes dropped EXE
PID:1424 -
\??\c:\tbtnbt.exec:\tbtnbt.exe54⤵
- Executes dropped EXE
PID:4460 -
\??\c:\pdpjd.exec:\pdpjd.exe55⤵
- Executes dropped EXE
PID:1732 -
\??\c:\pjpvv.exec:\pjpvv.exe56⤵
- Executes dropped EXE
PID:3996 -
\??\c:\llfxrlf.exec:\llfxrlf.exe57⤵
- Executes dropped EXE
PID:3184 -
\??\c:\nhbtnt.exec:\nhbtnt.exe58⤵
- Executes dropped EXE
PID:2972 -
\??\c:\dpjjd.exec:\dpjjd.exe59⤵
- Executes dropped EXE
PID:3708 -
\??\c:\vdpjj.exec:\vdpjj.exe60⤵
- Executes dropped EXE
PID:3460 -
\??\c:\xllfrxl.exec:\xllfrxl.exe61⤵
- Executes dropped EXE
PID:4572 -
\??\c:\nhnhtn.exec:\nhnhtn.exe62⤵
- Executes dropped EXE
PID:3568 -
\??\c:\jvdvp.exec:\jvdvp.exe63⤵
- Executes dropped EXE
PID:552 -
\??\c:\fflfxrl.exec:\fflfxrl.exe64⤵
- Executes dropped EXE
PID:2184 -
\??\c:\9nnhbb.exec:\9nnhbb.exe65⤵
- Executes dropped EXE
PID:4868 -
\??\c:\pdjdd.exec:\pdjdd.exe66⤵PID:1640
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe67⤵PID:2856
-
\??\c:\httnhh.exec:\httnhh.exe68⤵PID:3136
-
\??\c:\5nhbnn.exec:\5nhbnn.exe69⤵PID:644
-
\??\c:\ffrflfl.exec:\ffrflfl.exe70⤵PID:4288
-
\??\c:\httnhb.exec:\httnhb.exe71⤵PID:3360
-
\??\c:\3nnhhb.exec:\3nnhhb.exe72⤵PID:3512
-
\??\c:\3jvjv.exec:\3jvjv.exe73⤵PID:1924
-
\??\c:\1bnhhh.exec:\1bnhhh.exe74⤵PID:5544
-
\??\c:\vdvdd.exec:\vdvdd.exe75⤵PID:2808
-
\??\c:\jppdv.exec:\jppdv.exe76⤵PID:1204
-
\??\c:\5frlxrl.exec:\5frlxrl.exe77⤵PID:1604
-
\??\c:\hhhthb.exec:\hhhthb.exe78⤵PID:5436
-
\??\c:\pdjdd.exec:\pdjdd.exe79⤵PID:3320
-
\??\c:\tbtnhh.exec:\tbtnhh.exe80⤵PID:3440
-
\??\c:\9lfxrxr.exec:\9lfxrxr.exe81⤵PID:336
-
\??\c:\nhtnhb.exec:\nhtnhb.exe82⤵PID:3784
-
\??\c:\jddpj.exec:\jddpj.exe83⤵PID:5668
-
\??\c:\xxfrrlx.exec:\xxfrrlx.exe84⤵PID:2332
-
\??\c:\fxlfxxf.exec:\fxlfxxf.exe85⤵PID:4352
-
\??\c:\ththbt.exec:\ththbt.exe86⤵PID:4488
-
\??\c:\pvdpd.exec:\pvdpd.exe87⤵PID:4520
-
\??\c:\lrfxrlf.exec:\lrfxrlf.exe88⤵PID:4368
-
\??\c:\frfrrll.exec:\frfrrll.exe89⤵PID:5016
-
\??\c:\bnthbn.exec:\bnthbn.exe90⤵PID:4532
-
\??\c:\5vvpj.exec:\5vvpj.exe91⤵PID:1300
-
\??\c:\vjjdp.exec:\vjjdp.exe92⤵PID:5100
-
\??\c:\xrlfrxr.exec:\xrlfrxr.exe93⤵PID:2228
-
\??\c:\bttnhh.exec:\bttnhh.exe94⤵PID:4424
-
\??\c:\bnnbtn.exec:\bnnbtn.exe95⤵PID:4640
-
\??\c:\pvjvp.exec:\pvjvp.exe96⤵PID:1780
-
\??\c:\ffrlxfr.exec:\ffrlxfr.exe97⤵PID:4616
-
\??\c:\flrfxxr.exec:\flrfxxr.exe98⤵PID:4628
-
\??\c:\ntnnhn.exec:\ntnnhn.exe99⤵PID:4656
-
\??\c:\jpvpj.exec:\jpvpj.exe100⤵PID:4720
-
\??\c:\rlrrrlf.exec:\rlrrrlf.exe101⤵PID:4792
-
\??\c:\thhhhh.exec:\thhhhh.exe102⤵PID:2148
-
\??\c:\vjjjd.exec:\vjjjd.exe103⤵PID:472
-
\??\c:\vjpjj.exec:\vjpjj.exe104⤵PID:5972
-
\??\c:\rflfxxx.exec:\rflfxxx.exe105⤵PID:4220
-
\??\c:\tthbtt.exec:\tthbtt.exe106⤵PID:5580
-
\??\c:\nhbtnn.exec:\nhbtnn.exe107⤵PID:4544
-
\??\c:\vjvpp.exec:\vjvpp.exe108⤵PID:2596
-
\??\c:\llrllfx.exec:\llrllfx.exe109⤵PID:2312
-
\??\c:\tbhbtt.exec:\tbhbtt.exe110⤵PID:2396
-
\??\c:\nhnhnh.exec:\nhnhnh.exe111⤵PID:2140
-
\??\c:\ppjdv.exec:\ppjdv.exe112⤵PID:3264
-
\??\c:\9frrxfl.exec:\9frrxfl.exe113⤵PID:5356
-
\??\c:\1lxrrrl.exec:\1lxrrrl.exe114⤵
- System Location Discovery: System Language Discovery
PID:5300 -
\??\c:\tbbbtb.exec:\tbbbtb.exe115⤵PID:4904
-
\??\c:\jjvvv.exec:\jjvvv.exe116⤵PID:5572
-
\??\c:\rrrrlll.exec:\rrrrlll.exe117⤵PID:5692
-
\??\c:\tthhtt.exec:\tthhtt.exe118⤵PID:3036
-
\??\c:\tnthbt.exec:\tnthbt.exe119⤵PID:5648
-
\??\c:\vjvpv.exec:\vjvpv.exe120⤵PID:5892
-
\??\c:\lfxrrxx.exec:\lfxrrxx.exe121⤵PID:1848
-
\??\c:\fxffllf.exec:\fxffllf.exe122⤵PID:3248
-