Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2024, 18:13
Behavioral task
behavioral1
Sample
ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe
Resource
win7-20240903-en
General
-
Target
ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe
-
Size
3.7MB
-
MD5
42bb15c291efb67575c921348bdc442f
-
SHA1
c31d54b949677456e34f1a17161019dffd08546a
-
SHA256
ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54
-
SHA512
5bd269f0706b783b809e41d2621d871372da67a3f1726770255f47b236d5c2ef407171d1b06dae828cc83e5497718357c8e97eeb2597817806c47146d6d33468
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF985:U6XLq/qPPslzKx/dJg1ErmNy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2864-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2548-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1952-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2336-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2592-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2892-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4752-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4920-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1396-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2100-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1108-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/364-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/524-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-538-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/784-572-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-683-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-768-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-868-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-958-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-996-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/796-1228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-1316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3976-2076-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2408-2311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 5112 ffrlxxr.exe 2472 jdvvj.exe 3280 pjvpp.exe 4712 vjvvj.exe 3100 ddjjv.exe 4924 rxllrrr.exe 1064 7vjjp.exe 2192 1pjjj.exe 4500 ppddv.exe 1468 9hnbhb.exe 2180 lfffxlx.exe 1540 jvdvp.exe 2548 htbbbb.exe 5108 xxrfrfl.exe 4252 xlxrlrr.exe 3608 5hnhnn.exe 2836 bhthtn.exe 4968 1llfxrx.exe 4216 5llxrfx.exe 4056 thnhbb.exe 4748 rfrxxxx.exe 1952 bbhhtn.exe 2896 nbnbbn.exe 4048 7xfxxrl.exe 4108 7dppp.exe 2336 jvvvv.exe 3136 frrrrlf.exe 1616 fflfxxr.exe 4032 hntntn.exe 2592 vvdvj.exe 864 jdvpd.exe 3496 3jvpj.exe 960 lxfxrxx.exe 2532 1frrxxf.exe 1768 lrrrlfx.exe 4940 3lrlffx.exe 3996 nhtnhh.exe 1360 tbnhbb.exe 1168 btbnnt.exe 2892 bbtbbt.exe 2560 3ttnhn.exe 1128 3hnhbb.exe 4920 bnttbt.exe 4752 ntbnhb.exe 5076 bbhbtt.exe 4712 bhbtnn.exe 4324 bhnhtt.exe 3728 1jdvp.exe 1396 bbbtnn.exe 3832 tbntnt.exe 3588 hbhbtt.exe 4832 bttntn.exe 4208 9tbtnh.exe 436 httnnh.exe 1984 ntbttn.exe 3044 tttnht.exe 1540 hnbnhh.exe 2100 tbhtnh.exe 1792 lfxfxxx.exe 4404 1frfrlx.exe 4012 lflxrrl.exe 1036 xrxrrlf.exe 3764 xrfxrlf.exe 4564 frrfxlx.exe -
resource yara_rule behavioral2/memory/2864-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b0e-3.dat upx behavioral2/memory/2864-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-8.dat upx behavioral2/files/0x0031000000023b70-13.dat upx behavioral2/memory/3280-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2472-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5112-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b71-21.dat upx behavioral2/memory/4712-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b6b-26.dat upx behavioral2/files/0x0031000000023b72-33.dat upx behavioral2/memory/4924-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3100-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-42.dat upx behavioral2/memory/4924-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b74-45.dat upx behavioral2/memory/1064-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b75-52.dat upx behavioral2/memory/4500-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-57.dat upx behavioral2/memory/1468-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-63.dat upx behavioral2/files/0x000a000000023b78-68.dat upx behavioral2/memory/2180-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-74.dat upx behavioral2/memory/1540-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-80.dat upx behavioral2/memory/2548-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-86.dat upx 
behavioral2/memory/5108-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-92.dat upx behavioral2/memory/4252-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-98.dat upx behavioral2/files/0x000a000000023b7e-103.dat upx behavioral2/memory/2836-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-110.dat upx behavioral2/files/0x000a000000023b80-114.dat upx behavioral2/memory/4216-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-120.dat upx behavioral2/files/0x000a000000023b82-125.dat upx behavioral2/memory/1952-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4748-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-132.dat upx behavioral2/files/0x000a000000023b84-137.dat upx behavioral2/memory/4048-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-143.dat upx behavioral2/files/0x000a000000023b86-148.dat upx behavioral2/memory/4108-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e764-154.dat upx behavioral2/memory/2336-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-159.dat upx behavioral2/files/0x000a000000023b89-166.dat upx behavioral2/memory/1616-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-172.dat upx behavioral2/memory/4032-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2592-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-177.dat upx behavioral2/files/0x000a000000023b8d-183.dat upx behavioral2/memory/3496-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2532-196-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1768-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4940-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3996-208-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhb.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tththb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xflllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbntb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2864 wrote to memory of 5112 2864 ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe 82 PID 2864 wrote to memory of 5112 2864 ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe 82 PID 2864 wrote to memory of 5112 2864 ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe 82 PID 5112 wrote to memory of 2472 5112 ffrlxxr.exe 83 PID 5112 wrote to memory of 2472 5112 ffrlxxr.exe 83 PID 5112 wrote to memory of 2472 5112 ffrlxxr.exe 83 PID 2472 wrote to memory of 3280 2472 jdvvj.exe 84 PID 2472 wrote to memory of 3280 2472 jdvvj.exe 84 PID 2472 wrote to memory of 3280 2472 jdvvj.exe 84 PID 3280 wrote to memory of 4712 3280 pjvpp.exe 85 PID 3280 wrote to memory of 4712 3280 pjvpp.exe 85 PID 3280 wrote to memory of 4712 3280 pjvpp.exe 85 PID 4712 wrote to memory of 3100 4712 vjvvj.exe 86 PID 4712 wrote to memory of 3100 4712 vjvvj.exe 86 PID 4712 wrote to memory of 3100 4712 vjvvj.exe 86 PID 3100 wrote to memory of 4924 3100 ddjjv.exe 87 PID 3100 wrote to memory of 4924 3100 ddjjv.exe 87 PID 3100 wrote to memory of 4924 3100 ddjjv.exe 87 PID 4924 wrote to memory of 1064 4924 rxllrrr.exe 88 PID 4924 wrote to memory of 1064 4924 rxllrrr.exe 88 PID 4924 wrote to memory of 1064 4924 rxllrrr.exe 88 PID 1064 wrote to memory of 2192 1064 7vjjp.exe 89 PID 1064 wrote to memory of 2192 1064 7vjjp.exe 89 PID 1064 wrote to memory of 2192 1064 7vjjp.exe 89 PID 2192 wrote to memory of 4500 2192 1pjjj.exe 90 PID 2192 wrote to memory of 4500 2192 1pjjj.exe 90 PID 2192 wrote to memory of 4500 2192 1pjjj.exe 90 PID 4500 wrote to memory of 1468 4500 ppddv.exe 91 PID 4500 wrote to memory of 1468 4500 ppddv.exe 91 PID 4500 wrote to memory of 1468 4500 ppddv.exe 91 PID 1468 wrote to memory of 2180 1468 9hnbhb.exe 92 PID 1468 wrote to memory of 2180 1468 9hnbhb.exe 92 PID 1468 wrote to memory of 2180 1468 9hnbhb.exe 92 PID 2180 wrote to memory of 1540 2180 lfffxlx.exe 93 PID 2180 wrote to memory of 1540 
2180 lfffxlx.exe 93 PID 2180 wrote to memory of 1540 2180 lfffxlx.exe 93 PID 1540 wrote to memory of 2548 1540 jvdvp.exe 94 PID 1540 wrote to memory of 2548 1540 jvdvp.exe 94 PID 1540 wrote to memory of 2548 1540 jvdvp.exe 94 PID 2548 wrote to memory of 5108 2548 htbbbb.exe 95 PID 2548 wrote to memory of 5108 2548 htbbbb.exe 95 PID 2548 wrote to memory of 5108 2548 htbbbb.exe 95 PID 5108 wrote to memory of 4252 5108 xxrfrfl.exe 96 PID 5108 wrote to memory of 4252 5108 xxrfrfl.exe 96 PID 5108 wrote to memory of 4252 5108 xxrfrfl.exe 96 PID 4252 wrote to memory of 3608 4252 xlxrlrr.exe 97 PID 4252 wrote to memory of 3608 4252 xlxrlrr.exe 97 PID 4252 wrote to memory of 3608 4252 xlxrlrr.exe 97 PID 3608 wrote to memory of 2836 3608 5hnhnn.exe 98 PID 3608 wrote to memory of 2836 3608 5hnhnn.exe 98 PID 3608 wrote to memory of 2836 3608 5hnhnn.exe 98 PID 2836 wrote to memory of 4968 2836 bhthtn.exe 99 PID 2836 wrote to memory of 4968 2836 bhthtn.exe 99 PID 2836 wrote to memory of 4968 2836 bhthtn.exe 99 PID 4968 wrote to memory of 4216 4968 1llfxrx.exe 100 PID 4968 wrote to memory of 4216 4968 1llfxrx.exe 100 PID 4968 wrote to memory of 4216 4968 1llfxrx.exe 100 PID 4216 wrote to memory of 4056 4216 5llxrfx.exe 101 PID 4216 wrote to memory of 4056 4216 5llxrfx.exe 101 PID 4216 wrote to memory of 4056 4216 5llxrfx.exe 101 PID 4056 wrote to memory of 4748 4056 thnhbb.exe 102 PID 4056 wrote to memory of 4748 4056 thnhbb.exe 102 PID 4056 wrote to memory of 4748 4056 thnhbb.exe 102 PID 4748 wrote to memory of 1952 4748 rfrxxxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe"C:\Users\Admin\AppData\Local\Temp\ffb15e1ab75eb739ab968f5a6fe5c10c5ff32b37679449314342e1becd2cff54.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\jdvvj.exec:\jdvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\pjvpp.exec:\pjvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\vjvvj.exec:\vjvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\ddjjv.exec:\ddjjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\rxllrrr.exec:\rxllrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\7vjjp.exec:\7vjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\1pjjj.exec:\1pjjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\ppddv.exec:\ppddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\9hnbhb.exec:\9hnbhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\lfffxlx.exec:\lfffxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\jvdvp.exec:\jvdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\htbbbb.exec:\htbbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\xxrfrfl.exec:\xxrfrfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\xlxrlrr.exec:\xlxrlrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\5hnhnn.exec:\5hnhnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\bhthtn.exec:\bhthtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\1llfxrx.exec:\1llfxrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\5llxrfx.exec:\5llxrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\thnhbb.exec:\thnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\rfrxxxx.exec:\rfrxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\bbhhtn.exec:\bbhhtn.exe23⤵
- Executes dropped EXE
PID:1952 -
\??\c:\nbnbbn.exec:\nbnbbn.exe24⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7xfxxrl.exec:\7xfxxrl.exe25⤵
- Executes dropped EXE
PID:4048 -
\??\c:\7dppp.exec:\7dppp.exe26⤵
- Executes dropped EXE
PID:4108 -
\??\c:\jvvvv.exec:\jvvvv.exe27⤵
- Executes dropped EXE
PID:2336 -
\??\c:\frrrrlf.exec:\frrrrlf.exe28⤵
- Executes dropped EXE
PID:3136 -
\??\c:\fflfxxr.exec:\fflfxxr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
\??\c:\hntntn.exec:\hntntn.exe30⤵
- Executes dropped EXE
PID:4032 -
\??\c:\vvdvj.exec:\vvdvj.exe31⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jdvpd.exec:\jdvpd.exe32⤵
- Executes dropped EXE
PID:864 -
\??\c:\3jvpj.exec:\3jvpj.exe33⤵
- Executes dropped EXE
PID:3496 -
\??\c:\lxfxrxx.exec:\lxfxrxx.exe34⤵
- Executes dropped EXE
PID:960 -
\??\c:\1frrxxf.exec:\1frrxxf.exe35⤵
- Executes dropped EXE
PID:2532 -
\??\c:\lrrrlfx.exec:\lrrrlfx.exe36⤵
- Executes dropped EXE
PID:1768 -
\??\c:\3lrlffx.exec:\3lrlffx.exe37⤵
- Executes dropped EXE
PID:4940 -
\??\c:\nhtnhh.exec:\nhtnhh.exe38⤵
- Executes dropped EXE
PID:3996 -
\??\c:\tbnhbb.exec:\tbnhbb.exe39⤵
- Executes dropped EXE
PID:1360 -
\??\c:\btbnnt.exec:\btbnnt.exe40⤵
- Executes dropped EXE
PID:1168 -
\??\c:\bbtbbt.exec:\bbtbbt.exe41⤵
- Executes dropped EXE
PID:2892 -
\??\c:\3ttnhn.exec:\3ttnhn.exe42⤵
- Executes dropped EXE
PID:2560 -
\??\c:\3hnhbb.exec:\3hnhbb.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1128 -
\??\c:\bnttbt.exec:\bnttbt.exe44⤵
- Executes dropped EXE
PID:4920 -
\??\c:\ntbnhb.exec:\ntbnhb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4752 -
\??\c:\bbhbtt.exec:\bbhbtt.exe46⤵
- Executes dropped EXE
PID:5076 -
\??\c:\bhbtnn.exec:\bhbtnn.exe47⤵
- Executes dropped EXE
PID:4712 -
\??\c:\bhnhtt.exec:\bhnhtt.exe48⤵
- Executes dropped EXE
PID:4324 -
\??\c:\1jdvp.exec:\1jdvp.exe49⤵
- Executes dropped EXE
PID:3728 -
\??\c:\bbbtnn.exec:\bbbtnn.exe50⤵
- Executes dropped EXE
PID:1396 -
\??\c:\tbntnt.exec:\tbntnt.exe51⤵
- Executes dropped EXE
PID:3832 -
\??\c:\hbhbtt.exec:\hbhbtt.exe52⤵
- Executes dropped EXE
PID:3588 -
\??\c:\bttntn.exec:\bttntn.exe53⤵
- Executes dropped EXE
PID:4832 -
\??\c:\9tbtnh.exec:\9tbtnh.exe54⤵
- Executes dropped EXE
PID:4208 -
\??\c:\httnnh.exec:\httnnh.exe55⤵
- Executes dropped EXE
PID:436 -
\??\c:\ntbttn.exec:\ntbttn.exe56⤵
- Executes dropped EXE
PID:1984 -
\??\c:\tttnht.exec:\tttnht.exe57⤵
- Executes dropped EXE
PID:3044 -
\??\c:\hnbnhh.exec:\hnbnhh.exe58⤵
- Executes dropped EXE
PID:1540 -
\??\c:\tbhtnh.exec:\tbhtnh.exe59⤵
- Executes dropped EXE
PID:2100 -
\??\c:\lfxfxxx.exec:\lfxfxxx.exe60⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1frfrlx.exec:\1frfrlx.exe61⤵
- Executes dropped EXE
PID:4404 -
\??\c:\lflxrrl.exec:\lflxrrl.exe62⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xrxrrlf.exec:\xrxrrlf.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1036 -
\??\c:\xrfxrlf.exec:\xrfxrlf.exe64⤵
- Executes dropped EXE
PID:3764 -
\??\c:\frrfxlx.exec:\frrfxlx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4564 -
\??\c:\xxfflrr.exec:\xxfflrr.exe66⤵PID:4416
-
\??\c:\dpvdp.exec:\dpvdp.exe67⤵PID:3484
-
\??\c:\3pjdv.exec:\3pjdv.exe68⤵PID:2460
-
\??\c:\vjddv.exec:\vjddv.exe69⤵PID:3880
-
\??\c:\jvvpj.exec:\jvvpj.exe70⤵PID:1952
-
\??\c:\vpvvj.exec:\vpvvj.exe71⤵PID:3560
-
\??\c:\hbhhbb.exec:\hbhhbb.exe72⤵
- System Location Discovery: System Language Discovery
PID:4584 -
\??\c:\btnnnh.exec:\btnnnh.exe73⤵PID:736
-
\??\c:\lrxxfxf.exec:\lrxxfxf.exe74⤵PID:4872
-
\??\c:\rfxfrrl.exec:\rfxfrrl.exe75⤵PID:2160
-
\??\c:\xlrlxxl.exec:\xlrlxxl.exe76⤵PID:1868
-
\??\c:\xllfxrl.exec:\xllfxrl.exe77⤵PID:2596
-
\??\c:\rfrrllf.exec:\rfrrllf.exe78⤵PID:4432
-
\??\c:\5rffflr.exec:\5rffflr.exe79⤵PID:4900
-
\??\c:\frxfflr.exec:\frxfflr.exe80⤵PID:1124
-
\??\c:\7rxlfrl.exec:\7rxlfrl.exe81⤵
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\dvppp.exec:\dvppp.exe82⤵PID:3112
-
\??\c:\1jvvj.exec:\1jvvj.exe83⤵PID:2588
-
\??\c:\3ddvv.exec:\3ddvv.exe84⤵PID:3384
-
\??\c:\jvjdp.exec:\jvjdp.exe85⤵PID:4452
-
\??\c:\ppvjd.exec:\ppvjd.exe86⤵PID:2000
-
\??\c:\pjpjd.exec:\pjpjd.exe87⤵PID:1108
-
\??\c:\7tbttt.exec:\7tbttt.exe88⤵PID:620
-
\??\c:\3bhnhh.exec:\3bhnhh.exe89⤵PID:856
-
\??\c:\tnthbb.exec:\tnthbb.exe90⤵PID:5072
-
\??\c:\7bthbt.exec:\7bthbt.exe91⤵PID:3420
-
\??\c:\jjdvv.exec:\jjdvv.exe92⤵PID:4240
-
\??\c:\jjvpd.exec:\jjvpd.exe93⤵PID:4512
-
\??\c:\dpjjj.exec:\dpjjj.exe94⤵PID:2868
-
\??\c:\jjdvj.exec:\jjdvj.exe95⤵
- System Location Discovery: System Language Discovery
PID:2332 -
\??\c:\pjpjd.exec:\pjpjd.exe96⤵PID:852
-
\??\c:\3ppvp.exec:\3ppvp.exe97⤵PID:812
-
\??\c:\jjpjj.exec:\jjpjj.exe98⤵PID:404
-
\??\c:\nntnhn.exec:\nntnhn.exe99⤵PID:364
-
\??\c:\bbtnhh.exec:\bbtnhh.exe100⤵PID:4712
-
\??\c:\bnttnn.exec:\bnttnn.exe101⤵PID:1044
-
\??\c:\nhhbtn.exec:\nhhbtn.exe102⤵PID:1064
-
\??\c:\bbnhnh.exec:\bbnhnh.exe103⤵PID:1904
-
\??\c:\ntbnht.exec:\ntbnht.exe104⤵PID:3588
-
\??\c:\3hbthb.exec:\3hbthb.exe105⤵PID:4832
-
\??\c:\tnhtnn.exec:\tnhtnn.exe106⤵PID:4208
-
\??\c:\7bnbhh.exec:\7bnbhh.exe107⤵PID:1220
-
\??\c:\nntnnn.exec:\nntnnn.exe108⤵PID:1984
-
\??\c:\htbhnh.exec:\htbhnh.exe109⤵PID:2508
-
\??\c:\nhbnhn.exec:\nhbnhn.exe110⤵PID:2548
-
\??\c:\9hbhbb.exec:\9hbhbb.exe111⤵PID:2056
-
\??\c:\nhbttt.exec:\nhbttt.exe112⤵
- System Location Discovery: System Language Discovery
PID:1792 -
\??\c:\nttnhb.exec:\nttnhb.exe113⤵PID:2388
-
\??\c:\tnnhbb.exec:\tnnhbb.exe114⤵PID:4300
-
\??\c:\nbhbtt.exec:\nbhbtt.exe115⤵PID:2800
-
\??\c:\9bbttt.exec:\9bbttt.exe116⤵PID:4216
-
\??\c:\5llfxxx.exec:\5llfxxx.exe117⤵PID:3484
-
\??\c:\xxxfrll.exec:\xxxfrll.exe118⤵PID:2460
-
\??\c:\lfrxxff.exec:\lfrxxff.exe119⤵PID:3880
-
\??\c:\xxllfxr.exec:\xxllfxr.exe120⤵PID:2012
-
\??\c:\9llxrrl.exec:\9llxrrl.exe121⤵
- System Location Discovery: System Language Discovery
PID:5032 -
\??\c:\ddvvv.exec:\ddvvv.exe122⤵PID:3096
-