Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03/12/2024, 03:13 (day/month/year — the analysis image used is dated 2024-10-07, so this is most likely 3 December 2024)
Behavioral task
behavioral1
Sample
f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe
Resource
win7-20240903-en (note: the platform listed above is windows10-2004_x64 and every signature/IoC on this page is tagged behavioral2, so the detail shown here is from the Windows 10 run, not from this Windows 7 resource)
General
-
Target
f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe
-
Size
3.7MB
-
MD5
c52eaf07720402052a26c885c2465ab0
-
SHA1
3c0e8b786246ad42f779a3dc61b6abe9188fa7cd
-
SHA256
f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9
-
SHA512
35581c9ca7b320e4a714272e6c62739adc1ea1aeac3ae7e48518820ec87cd9e6d2162b78da3ce639d83ce115428f8b7e8a77161814599019777a06314a6c5689
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF988:U6XLq/qPPslzKx/dJg1ErmNB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs. The family_blackmoon YARA rule matches the same 0x00400000–0x00427000 region in the memory of every process in the drop chain, consistent with each dropped executable being a copy of the same payload. Several PIDs (e.g. 3448, 944, 3656) appear twice with different timestamps because the sandbox reuses PIDs over the run — key on file hashes and the memory region, not on PIDs.
resource yara_rule behavioral2/memory/4676-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2128-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/428-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/888-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3796-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1416-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1948-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-498-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2084-526-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-539-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-553-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-599-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-729-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-790-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/912-878-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-1354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-1403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/824-1452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family (no supporting IoCs are listed under this signature, unlike the Blackmoon match above; treat this family attribution as lower confidence unless corroborated by network or config evidence)
-
Executes dropped EXE — 64 IoCs. Each listed process is launched by the previous one in a linear chain (see the WriteProcessMemory and Processes sections). The dropped files and their process memory also match the upx YARA rule below, so the dropped executables appear to be UPX-packed copies written to the root of C:\ under short, random-looking names.
pid Process 1284 vdpdj.exe 3968 vvpjd.exe 5108 tnnhbt.exe 1288 tbthtn.exe 3612 bbnhth.exe 3448 jdpjv.exe 5044 rffxrlf.exe 3700 vvvdp.exe 4696 fxflffx.exe 3260 hhhbnh.exe 4924 rxxrrlf.exe 1272 9rxllfr.exe 4356 xlxxfll.exe 4400 frfrxrx.exe 2064 7rrlxrf.exe 2484 hbttnh.exe 5012 ppvpp.exe 1540 xxxrrxr.exe 2940 tnhtnh.exe 4956 rlxllxx.exe 2336 rrrfxlx.exe 224 hbnbbb.exe 3136 lfllrxx.exe 824 rxrflrf.exe 2128 rlfxfxx.exe 2984 rfrrxll.exe 4680 nnhtnn.exe 4616 jddvj.exe 5040 btnntb.exe 1752 thnhbt.exe 3492 ttnbnt.exe 428 hthbhh.exe 888 rlrllff.exe 3796 dpvjd.exe 4452 vvvvp.exe 5100 jvjdd.exe 2300 jddvp.exe 2980 jvdjv.exe 4276 jjppp.exe 4624 vjvpp.exe 4676 vvjvp.exe 2244 ppjjd.exe 3656 nbnhbb.exe 3680 1pjdd.exe 4776 ddpjj.exe 1416 jvddv.exe 2524 xrxrrrl.exe 2664 xfxrlfx.exe 728 vpddv.exe 3448 pdppp.exe 2640 jvjjj.exe 1964 jddpj.exe 1096 bhhbth.exe 3508 bbbbbb.exe 3120 btbttt.exe 4516 lrflfrx.exe 944 lxffxxr.exe 4672 xlrlffr.exe 1292 jdvpv.exe 4348 vpvpj.exe 1272 dpvpj.exe 4480 djvpd.exe 4252 nthbbt.exe 2636 nntnnt.exe -
resource yara_rule behavioral2/memory/4676-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b3f-3.dat upx behavioral2/memory/4676-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-9.dat upx behavioral2/memory/1284-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-13.dat upx behavioral2/memory/3968-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b85-23.dat upx behavioral2/memory/5108-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-27.dat upx behavioral2/memory/3612-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1288-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-34.dat upx behavioral2/memory/3612-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-40.dat upx behavioral2/memory/3448-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5044-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-49.dat upx behavioral2/files/0x000a000000023b8f-52.dat upx behavioral2/files/0x000a000000023b90-57.dat upx behavioral2/memory/4696-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-63.dat upx behavioral2/memory/3260-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b92-69.dat upx behavioral2/files/0x000b000000023b93-74.dat upx behavioral2/files/0x000b000000023b94-79.dat upx behavioral2/files/0x000a000000023b9c-83.dat upx behavioral2/files/0x000e000000023ba3-89.dat upx behavioral2/memory/2064-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bac-96.dat upx behavioral2/memory/2484-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb1-101.dat upx 
behavioral2/memory/5012-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb2-107.dat upx behavioral2/memory/1540-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bb3-116.dat upx behavioral2/memory/2940-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bb7-119.dat upx behavioral2/files/0x0008000000023bb9-124.dat upx behavioral2/files/0x0008000000023bbc-129.dat upx behavioral2/memory/224-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbd-135.dat upx behavioral2/files/0x0008000000023bbe-140.dat upx behavioral2/files/0x0008000000023bbf-145.dat upx behavioral2/memory/2128-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bee-151.dat upx behavioral2/memory/2984-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bef-157.dat upx behavioral2/memory/4680-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4616-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf0-164.dat upx behavioral2/files/0x0008000000023bf1-169.dat upx behavioral2/files/0x0008000000023bf2-177.dat upx behavioral2/memory/1752-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/428-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bf3-181.dat upx behavioral2/memory/888-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3796-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4452-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5100-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2300-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4276-212-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3656-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1416-235-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the victim host's system language in order to infer its geographical location. The IoC in every case is a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; a registry read of this kind can also be performed by legitimate software, so on its own it is a low-fidelity indicator and should be weighed together with the drop chain above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxxrlf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtn.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. In every entry the writer is a process in the chain and the target PID is the child it has just spawned (each spawn produces three identical entries), which is consistent with writes made at process-creation time rather than injection into an unrelated, pre-existing process. Confirm against the process tree before reporting this as code injection.
description pid Process procid_target PID 4676 wrote to memory of 1284 4676 f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe 83 PID 4676 wrote to memory of 1284 4676 f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe 83 PID 4676 wrote to memory of 1284 4676 f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe 83 PID 1284 wrote to memory of 3968 1284 vdpdj.exe 84 PID 1284 wrote to memory of 3968 1284 vdpdj.exe 84 PID 1284 wrote to memory of 3968 1284 vdpdj.exe 84 PID 3968 wrote to memory of 5108 3968 vvpjd.exe 85 PID 3968 wrote to memory of 5108 3968 vvpjd.exe 85 PID 3968 wrote to memory of 5108 3968 vvpjd.exe 85 PID 5108 wrote to memory of 1288 5108 tnnhbt.exe 86 PID 5108 wrote to memory of 1288 5108 tnnhbt.exe 86 PID 5108 wrote to memory of 1288 5108 tnnhbt.exe 86 PID 1288 wrote to memory of 3612 1288 tbthtn.exe 87 PID 1288 wrote to memory of 3612 1288 tbthtn.exe 87 PID 1288 wrote to memory of 3612 1288 tbthtn.exe 87 PID 3612 wrote to memory of 3448 3612 bbnhth.exe 88 PID 3612 wrote to memory of 3448 3612 bbnhth.exe 88 PID 3612 wrote to memory of 3448 3612 bbnhth.exe 88 PID 3448 wrote to memory of 5044 3448 jdpjv.exe 89 PID 3448 wrote to memory of 5044 3448 jdpjv.exe 89 PID 3448 wrote to memory of 5044 3448 jdpjv.exe 89 PID 5044 wrote to memory of 3700 5044 rffxrlf.exe 90 PID 5044 wrote to memory of 3700 5044 rffxrlf.exe 90 PID 5044 wrote to memory of 3700 5044 rffxrlf.exe 90 PID 3700 wrote to memory of 4696 3700 vvvdp.exe 91 PID 3700 wrote to memory of 4696 3700 vvvdp.exe 91 PID 3700 wrote to memory of 4696 3700 vvvdp.exe 91 PID 4696 wrote to memory of 3260 4696 fxflffx.exe 92 PID 4696 wrote to memory of 3260 4696 fxflffx.exe 92 PID 4696 wrote to memory of 3260 4696 fxflffx.exe 92 PID 3260 wrote to memory of 4924 3260 hhhbnh.exe 93 PID 3260 wrote to memory of 4924 3260 hhhbnh.exe 93 PID 3260 wrote to memory of 4924 3260 hhhbnh.exe 93 PID 4924 wrote to memory of 1272 4924 rxxrrlf.exe 94 PID 4924 wrote to 
memory of 1272 4924 rxxrrlf.exe 94 PID 4924 wrote to memory of 1272 4924 rxxrrlf.exe 94 PID 1272 wrote to memory of 4356 1272 9rxllfr.exe 95 PID 1272 wrote to memory of 4356 1272 9rxllfr.exe 95 PID 1272 wrote to memory of 4356 1272 9rxllfr.exe 95 PID 4356 wrote to memory of 4400 4356 xlxxfll.exe 96 PID 4356 wrote to memory of 4400 4356 xlxxfll.exe 96 PID 4356 wrote to memory of 4400 4356 xlxxfll.exe 96 PID 4400 wrote to memory of 2064 4400 frfrxrx.exe 97 PID 4400 wrote to memory of 2064 4400 frfrxrx.exe 97 PID 4400 wrote to memory of 2064 4400 frfrxrx.exe 97 PID 2064 wrote to memory of 2484 2064 7rrlxrf.exe 98 PID 2064 wrote to memory of 2484 2064 7rrlxrf.exe 98 PID 2064 wrote to memory of 2484 2064 7rrlxrf.exe 98 PID 2484 wrote to memory of 5012 2484 hbttnh.exe 99 PID 2484 wrote to memory of 5012 2484 hbttnh.exe 99 PID 2484 wrote to memory of 5012 2484 hbttnh.exe 99 PID 5012 wrote to memory of 1540 5012 ppvpp.exe 101 PID 5012 wrote to memory of 1540 5012 ppvpp.exe 101 PID 5012 wrote to memory of 1540 5012 ppvpp.exe 101 PID 1540 wrote to memory of 2940 1540 xxxrrxr.exe 102 PID 1540 wrote to memory of 2940 1540 xxxrrxr.exe 102 PID 1540 wrote to memory of 2940 1540 xxxrrxr.exe 102 PID 2940 wrote to memory of 4956 2940 tnhtnh.exe 103 PID 2940 wrote to memory of 4956 2940 tnhtnh.exe 103 PID 2940 wrote to memory of 4956 2940 tnhtnh.exe 103 PID 4956 wrote to memory of 2336 4956 rlxllxx.exe 104 PID 4956 wrote to memory of 2336 4956 rlxllxx.exe 104 PID 4956 wrote to memory of 2336 4956 rlxllxx.exe 104 PID 2336 wrote to memory of 224 2336 rrrfxlx.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe — command line: "C:\Users\Admin\AppData\Local\Temp\f9d80efc65e8597a99293bdc9fd3288cb38fa56be473d2ebfd3927f4827c54d9N.exe" (depth 1, root of the process tree)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\vdpdj.exec:\vdpdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\vvpjd.exec:\vvpjd.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\tnnhbt.exec:\tnnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\tbthtn.exec:\tbthtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\bbnhth.exec:\bbnhth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\jdpjv.exec:\jdpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\rffxrlf.exec:\rffxrlf.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\vvvdp.exec:\vvvdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\fxflffx.exec:\fxflffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\hhhbnh.exec:\hhhbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\rxxrrlf.exec:\rxxrrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\9rxllfr.exec:\9rxllfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\xlxxfll.exec:\xlxxfll.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\frfrxrx.exec:\frfrxrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\7rrlxrf.exec:\7rrlxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\hbttnh.exec:\hbttnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\ppvpp.exec:\ppvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\xxxrrxr.exec:\xxxrrxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\tnhtnh.exec:\tnhtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\rlxllxx.exec:\rlxllxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\rrrfxlx.exec:\rrrfxlx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\hbnbbb.exec:\hbnbbb.exe23⤵
- Executes dropped EXE
PID:224 -
\??\c:\lfllrxx.exec:\lfllrxx.exe24⤵
- Executes dropped EXE
PID:3136 -
\??\c:\rxrflrf.exec:\rxrflrf.exe25⤵
- Executes dropped EXE
PID:824 -
\??\c:\rlfxfxx.exec:\rlfxfxx.exe26⤵
- Executes dropped EXE
PID:2128 -
\??\c:\rfrrxll.exec:\rfrrxll.exe27⤵
- Executes dropped EXE
PID:2984 -
\??\c:\nnhtnn.exec:\nnhtnn.exe28⤵
- Executes dropped EXE
PID:4680 -
\??\c:\jddvj.exec:\jddvj.exe29⤵
- Executes dropped EXE
PID:4616 -
\??\c:\btnntb.exec:\btnntb.exe30⤵
- Executes dropped EXE
PID:5040 -
\??\c:\thnhbt.exec:\thnhbt.exe31⤵
- Executes dropped EXE
PID:1752 -
\??\c:\ttnbnt.exec:\ttnbnt.exe32⤵
- Executes dropped EXE
PID:3492 -
\??\c:\hthbhh.exec:\hthbhh.exe33⤵
- Executes dropped EXE
PID:428 -
\??\c:\rlrllff.exec:\rlrllff.exe34⤵
- Executes dropped EXE
PID:888 -
\??\c:\dpvjd.exec:\dpvjd.exe35⤵
- Executes dropped EXE
PID:3796 -
\??\c:\vvvvp.exec:\vvvvp.exe36⤵
- Executes dropped EXE
PID:4452 -
\??\c:\jvjdd.exec:\jvjdd.exe37⤵
- Executes dropped EXE
PID:5100 -
\??\c:\jddvp.exec:\jddvp.exe38⤵
- Executes dropped EXE
PID:2300 -
\??\c:\jvdjv.exec:\jvdjv.exe39⤵
- Executes dropped EXE
PID:2980 -
\??\c:\jjppp.exec:\jjppp.exe40⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vjvpp.exec:\vjvpp.exe41⤵
- Executes dropped EXE
PID:4624 -
\??\c:\vvjvp.exec:\vvjvp.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4676 -
\??\c:\ppjjd.exec:\ppjjd.exe43⤵
- Executes dropped EXE
PID:2244 -
\??\c:\nbnhbb.exec:\nbnhbb.exe44⤵
- Executes dropped EXE
PID:3656 -
\??\c:\1pjdd.exec:\1pjdd.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3680 -
\??\c:\ddpjj.exec:\ddpjj.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4776 -
\??\c:\jvddv.exec:\jvddv.exe47⤵
- Executes dropped EXE
PID:1416 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe48⤵
- Executes dropped EXE
PID:2524 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe49⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vpddv.exec:\vpddv.exe50⤵
- Executes dropped EXE
PID:728 -
\??\c:\pdppp.exec:\pdppp.exe51⤵
- Executes dropped EXE
PID:3448 -
\??\c:\jvjjj.exec:\jvjjj.exe52⤵
- Executes dropped EXE
PID:2640 -
\??\c:\jddpj.exec:\jddpj.exe53⤵
- Executes dropped EXE
PID:1964 -
\??\c:\bhhbth.exec:\bhhbth.exe54⤵
- Executes dropped EXE
PID:1096 -
\??\c:\bbbbbb.exec:\bbbbbb.exe55⤵
- Executes dropped EXE
PID:3508 -
\??\c:\btbttt.exec:\btbttt.exe56⤵
- Executes dropped EXE
PID:3120 -
\??\c:\lrflfrx.exec:\lrflfrx.exe57⤵
- Executes dropped EXE
PID:4516 -
\??\c:\lxffxxr.exec:\lxffxxr.exe58⤵
- Executes dropped EXE
PID:944 -
\??\c:\xlrlffr.exec:\xlrlffr.exe59⤵
- Executes dropped EXE
PID:4672 -
\??\c:\jdvpv.exec:\jdvpv.exe60⤵
- Executes dropped EXE
PID:1292 -
\??\c:\vpvpj.exec:\vpvpj.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4348 -
\??\c:\dpvpj.exec:\dpvpj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1272 -
\??\c:\djvpd.exec:\djvpd.exe63⤵
- Executes dropped EXE
PID:4480 -
\??\c:\nthbbt.exec:\nthbbt.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4252 -
\??\c:\nntnnt.exec:\nntnnt.exe65⤵
- Executes dropped EXE
PID:2636 -
\??\c:\hnbnhh.exec:\hnbnhh.exe66⤵PID:3484
-
\??\c:\fflfxfx.exec:\fflfxfx.exe67⤵PID:4572
-
\??\c:\rfrllff.exec:\rfrllff.exe68⤵PID:1148
-
\??\c:\rxlllrr.exec:\rxlllrr.exe69⤵PID:3536
-
\??\c:\fxffrrl.exec:\fxffrrl.exe70⤵PID:2940
-
\??\c:\rlllffx.exec:\rlllffx.exe71⤵PID:3624
-
\??\c:\1xfxfxr.exec:\1xfxfxr.exe72⤵PID:3060
-
\??\c:\xlrfxxr.exec:\xlrfxxr.exe73⤵PID:4704
-
\??\c:\jddpd.exec:\jddpd.exe74⤵PID:4068
-
\??\c:\vpjjp.exec:\vpjjp.exe75⤵PID:4564
-
\??\c:\jvjvd.exec:\jvjvd.exe76⤵PID:2652
-
\??\c:\pvvpv.exec:\pvvpv.exe77⤵PID:5032
-
\??\c:\dvddv.exec:\dvddv.exe78⤵PID:1120
-
\??\c:\3ntnhb.exec:\3ntnhb.exe79⤵PID:1248
-
\??\c:\5nthtt.exec:\5nthtt.exe80⤵PID:2684
-
\??\c:\hththt.exec:\hththt.exe81⤵PID:4620
-
\??\c:\lxxlrrf.exec:\lxxlrrf.exe82⤵PID:2676
-
\??\c:\rrrfxlf.exec:\rrrfxlf.exe83⤵PID:1948
-
\??\c:\9vvjd.exec:\9vvjd.exe84⤵PID:4752
-
\??\c:\vdppv.exec:\vdppv.exe85⤵PID:1420
-
\??\c:\ppjvd.exec:\ppjvd.exe86⤵PID:1348
-
\??\c:\pdpvv.exec:\pdpvv.exe87⤵PID:4392
-
\??\c:\vjjvj.exec:\vjjvj.exe88⤵PID:3936
-
\??\c:\tntnht.exec:\tntnht.exe89⤵PID:3264
-
\??\c:\tbhthb.exec:\tbhthb.exe90⤵PID:1356
-
\??\c:\htnbnb.exec:\htnbnb.exe91⤵PID:4112
-
\??\c:\nhnhtn.exec:\nhnhtn.exe92⤵PID:4288
-
\??\c:\fllfxrl.exec:\fllfxrl.exe93⤵PID:3688
-
\??\c:\3lfxrxr.exec:\3lfxrxr.exe94⤵PID:2464
-
\??\c:\xfrfxxl.exec:\xfrfxxl.exe95⤵PID:1044
-
\??\c:\rxrrrrx.exec:\rxrrrrx.exe96⤵PID:748
-
\??\c:\3rxlfxr.exec:\3rxlfxr.exe97⤵PID:3656
-
\??\c:\rrxfrlx.exec:\rrxfrlx.exe98⤵PID:2680
-
\??\c:\fxfrflx.exec:\fxfrflx.exe99⤵PID:1160
-
\??\c:\7jpdp.exec:\7jpdp.exe100⤵PID:736
-
\??\c:\jvpjv.exec:\jvpjv.exe101⤵PID:4012
-
\??\c:\9pvjv.exec:\9pvjv.exe102⤵PID:3228
-
\??\c:\pppdv.exec:\pppdv.exe103⤵PID:2288
-
\??\c:\pvvjd.exec:\pvvjd.exe104⤵PID:2460
-
\??\c:\dvpjp.exec:\dvpjp.exe105⤵PID:2028
-
\??\c:\hbhbbt.exec:\hbhbbt.exe106⤵PID:184
-
\??\c:\nbbthb.exec:\nbbthb.exe107⤵PID:2952
-
\??\c:\nhbtnh.exec:\nhbtnh.exe108⤵
- System Location Discovery: System Language Discovery
PID:1476 -
\??\c:\btbtbt.exec:\btbtbt.exe109⤵PID:2808
-
\??\c:\bbhtnh.exec:\bbhtnh.exe110⤵PID:3144
-
\??\c:\nbtnbn.exec:\nbtnbn.exe111⤵PID:2004
-
\??\c:\rrxrlfr.exec:\rrxrlfr.exe112⤵PID:1352
-
\??\c:\fffxffx.exec:\fffxffx.exe113⤵PID:4672
-
\??\c:\bthbbt.exec:\bthbbt.exe114⤵PID:1292
-
\??\c:\5rxrfxl.exec:\5rxrfxl.exe115⤵
- System Location Discovery: System Language Discovery
PID:4348 -
\??\c:\lrfxflx.exec:\lrfxflx.exe116⤵PID:3292
-
\??\c:\xxrlrlr.exec:\xxrlrlr.exe117⤵PID:1796
-
\??\c:\lllxrfr.exec:\lllxrfr.exe118⤵PID:1840
-
\??\c:\rrrrlff.exec:\rrrrlff.exe119⤵PID:1540
-
\??\c:\frfrxrx.exec:\frfrxrx.exe120⤵PID:1780
-
\??\c:\ffrxxrl.exec:\ffrxxrl.exe121⤵PID:1412
-
\??\c:\3vvjd.exec:\3vvjd.exe122⤵PID:4040
-