Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 18/12/2024, 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 8a39b2b17a431219043790a609486d59fc0ff541d9ff24155858d99f88e206fd.exe
Resource: win7-20240729-en
General
Target: 8a39b2b17a431219043790a609486d59fc0ff541d9ff24155858d99f88e206fd.exe
Size: 456KB
MD5: 4f4711dc16fd510b8eb7c602d68a2069
SHA1: 50d1e340a14439e58e98152a912a546250bdfb45
SHA256: 8a39b2b17a431219043790a609486d59fc0ff541d9ff24155858d99f88e206fd
SHA512: 40b1053252f7d3e775693ac3fdae9aefc29ed8c76fab9f7219bb2775c2709061b8d3bb39428ff9428ef49951c420a0a16e13a3612562fc6e27c15f36d4262c9e
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRh:q7Tc2NYHUrAwfMp3CDRh
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 64 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a39b2b17a431219043790a609486d59fc0ff541d9ff24155858d99f88e206fd.exe"C:\Users\Admin\AppData\Local\Temp\8a39b2b17a431219043790a609486d59fc0ff541d9ff24155858d99f88e206fd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\vvvjd.exec:\vvvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\3flxfrl.exec:\3flxfrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\vjjpp.exec:\vjjpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\bnbbhb.exec:\bnbbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\vjjdv.exec:\vjjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\bnhbbt.exec:\bnhbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\hbtbnh.exec:\hbtbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\jvjvj.exec:\jvjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\vpjjd.exec:\vpjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\7nbttn.exec:\7nbttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\nhbtth.exec:\nhbtth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\rxxrflf.exec:\rxxrflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\htttnn.exec:\htttnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\lxffxxr.exec:\lxffxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\ffrrlfr.exec:\ffrrlfr.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\3hhbtt.exec:\3hhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\jdjdd.exec:\jdjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\xlrxrrl.exec:\xlrxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\tbnhnh.exec:\tbnhnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\fffxrrl.exec:\fffxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\hhtnnn.exec:\hhtnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\djdvv.exec:\djdvv.exe23⤵
- Executes dropped EXE
PID:4712 -
\??\c:\hntntb.exec:\hntntb.exe24⤵
- Executes dropped EXE
PID:4128 -
\??\c:\dpddp.exec:\dpddp.exe25⤵
- Executes dropped EXE
PID:1396 -
\??\c:\rxffrrr.exec:\rxffrrr.exe26⤵
- Executes dropped EXE
PID:3640 -
\??\c:\llrxxxx.exec:\llrxxxx.exe27⤵
- Executes dropped EXE
PID:4892 -
\??\c:\ddvvp.exec:\ddvvp.exe28⤵
- Executes dropped EXE
PID:4868 -
\??\c:\7tttnt.exec:\7tttnt.exe29⤵
- Executes dropped EXE
PID:4104 -
\??\c:\pjpjd.exec:\pjpjd.exe30⤵
- Executes dropped EXE
PID:4928 -
\??\c:\1jvjp.exec:\1jvjp.exe31⤵
- Executes dropped EXE
PID:4280 -
\??\c:\frxrlfl.exec:\frxrlfl.exe32⤵
- Executes dropped EXE
PID:744 -
\??\c:\vvvpp.exec:\vvvpp.exe33⤵
- Executes dropped EXE
PID:3644 -
\??\c:\xffxxfx.exec:\xffxxfx.exe34⤵
- Executes dropped EXE
PID:1768 -
\??\c:\hhhhbh.exec:\hhhhbh.exe35⤵
- Executes dropped EXE
PID:4416 -
\??\c:\vpvpd.exec:\vpvpd.exe36⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rlrllll.exec:\rlrllll.exe37⤵
- Executes dropped EXE
PID:1456 -
\??\c:\nbhhbh.exec:\nbhhbh.exe38⤵
- Executes dropped EXE
PID:4344 -
\??\c:\ppjdp.exec:\ppjdp.exe39⤵
- Executes dropped EXE
PID:1596 -
\??\c:\dddvv.exec:\dddvv.exe40⤵
- Executes dropped EXE
PID:1060 -
\??\c:\rrrlffx.exec:\rrrlffx.exe41⤵
- Executes dropped EXE
PID:3336 -
\??\c:\hbhbtn.exec:\hbhbtn.exe42⤵
- Executes dropped EXE
PID:4152 -
\??\c:\3vddd.exec:\3vddd.exe43⤵
- Executes dropped EXE
PID:2220 -
\??\c:\vppjj.exec:\vppjj.exe44⤵
- Executes dropped EXE
PID:1492 -
\??\c:\1xxfxll.exec:\1xxfxll.exe45⤵
- Executes dropped EXE
PID:448 -
\??\c:\tnbbtt.exec:\tnbbtt.exe46⤵
- Executes dropped EXE
PID:452 -
\??\c:\bnnnnn.exec:\bnnnnn.exe47⤵
- Executes dropped EXE
PID:1160 -
\??\c:\vvppj.exec:\vvppj.exe48⤵
- Executes dropped EXE
PID:2156 -
\??\c:\rfrllll.exec:\rfrllll.exe49⤵
- Executes dropped EXE
PID:5100 -
\??\c:\llllxxf.exec:\llllxxf.exe50⤵
- Executes dropped EXE
PID:4392 -
\??\c:\tbbhbh.exec:\tbbhbh.exe51⤵
- Executes dropped EXE
PID:388 -
\??\c:\vpvpp.exec:\vpvpp.exe52⤵
- Executes dropped EXE
PID:4456 -
\??\c:\rlfrrfx.exec:\rlfrrfx.exe53⤵
- Executes dropped EXE
PID:4756 -
\??\c:\1tttnt.exec:\1tttnt.exe54⤵
- Executes dropped EXE
PID:4172 -
\??\c:\3bbthb.exec:\3bbthb.exe55⤵
- Executes dropped EXE
PID:2124 -
\??\c:\ddjdd.exec:\ddjdd.exe56⤵
- Executes dropped EXE
PID:4412 -
\??\c:\fxrllll.exec:\fxrllll.exe57⤵
- Executes dropped EXE
PID:4672 -
\??\c:\hbnhhh.exec:\hbnhhh.exe58⤵
- Executes dropped EXE
PID:464 -
\??\c:\bttnhb.exec:\bttnhb.exe59⤵
- Executes dropped EXE
PID:4088 -
\??\c:\ddjdd.exec:\ddjdd.exe60⤵
- Executes dropped EXE
PID:3492 -
\??\c:\lffxrrr.exec:\lffxrrr.exe61⤵
- Executes dropped EXE
PID:1124 -
\??\c:\tbnhhh.exec:\tbnhhh.exe62⤵
- Executes dropped EXE
PID:436 -
\??\c:\vdjdv.exec:\vdjdv.exe63⤵
- Executes dropped EXE
PID:1052 -
\??\c:\jppjd.exec:\jppjd.exe64⤵
- Executes dropped EXE
PID:2832 -
\??\c:\xrrllll.exec:\xrrllll.exe65⤵
- Executes dropped EXE
PID:4820 -
\??\c:\1bntnb.exec:\1bntnb.exe66⤵PID:2176
-
\??\c:\7bhhht.exec:\7bhhht.exe67⤵PID:2144
-
\??\c:\fxfrlll.exec:\fxfrlll.exe68⤵PID:2292
-
\??\c:\5lxrxxf.exec:\5lxrxxf.exe69⤵PID:3208
-
\??\c:\ddjdd.exec:\ddjdd.exe70⤵PID:5112
-
\??\c:\ppdvj.exec:\ppdvj.exe71⤵PID:4704
-
\??\c:\rlrflfx.exec:\rlrflfx.exe72⤵PID:2688
-
\??\c:\htbbtt.exec:\htbbtt.exe73⤵PID:4972
-
\??\c:\pjjdv.exec:\pjjdv.exe74⤵PID:1760
-
\??\c:\7pjdv.exec:\7pjdv.exe75⤵PID:3464
-
\??\c:\5rfxrrf.exec:\5rfxrrf.exe76⤵PID:216
-
\??\c:\hthhbn.exec:\hthhbn.exe77⤵PID:2424
-
\??\c:\1vvpj.exec:\1vvpj.exe78⤵PID:4480
-
\??\c:\rrxxrrr.exec:\rrxxrrr.exe79⤵
- System Location Discovery: System Language Discovery
PID:2992 -
\??\c:\nhnhbb.exec:\nhnhbb.exe80⤵PID:2756
-
\??\c:\3ttnhh.exec:\3ttnhh.exe81⤵PID:4860
-
\??\c:\vdvvp.exec:\vdvvp.exe82⤵PID:1664
-
\??\c:\frxxrrx.exec:\frxxrrx.exe83⤵PID:5084
-
\??\c:\ntbnhb.exec:\ntbnhb.exe84⤵PID:2732
-
\??\c:\jdpjd.exec:\jdpjd.exe85⤵PID:4656
-
\??\c:\frfxrfx.exec:\frfxrfx.exe86⤵PID:2776
-
\??\c:\tnhbtn.exec:\tnhbtn.exe87⤵PID:3976
-
\??\c:\jjpjj.exec:\jjpjj.exe88⤵PID:4892
-
\??\c:\jvppj.exec:\jvppj.exe89⤵PID:2252
-
\??\c:\lrrlfrl.exec:\lrrlfrl.exe90⤵PID:3036
-
\??\c:\ttbthh.exec:\ttbthh.exe91⤵PID:3448
-
\??\c:\tnhhbb.exec:\tnhhbb.exe92⤵PID:3360
-
\??\c:\pddvp.exec:\pddvp.exe93⤵PID:4948
-
\??\c:\frxrllf.exec:\frxrllf.exe94⤵PID:4924
-
\??\c:\1xfxrrl.exec:\1xfxrrl.exe95⤵PID:2012
-
\??\c:\tnnhbh.exec:\tnnhbh.exe96⤵PID:4444
-
\??\c:\ppppp.exec:\ppppp.exe97⤵PID:4628
-
\??\c:\lxlfxll.exec:\lxlfxll.exe98⤵PID:4720
-
\??\c:\hhnttt.exec:\hhnttt.exe99⤵PID:3604
-
\??\c:\pvjdv.exec:\pvjdv.exe100⤵PID:4428
-
\??\c:\pjjdd.exec:\pjjdd.exe101⤵PID:772
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe102⤵PID:1520
-
\??\c:\thnhhn.exec:\thnhhn.exe103⤵PID:952
-
\??\c:\jddvd.exec:\jddvd.exe104⤵PID:4296
-
\??\c:\pvdvv.exec:\pvdvv.exe105⤵PID:3960
-
\??\c:\flxxrrr.exec:\flxxrrr.exe106⤵PID:2564
-
\??\c:\bhnnnn.exec:\bhnnnn.exe107⤵PID:1660
-
\??\c:\1ddvp.exec:\1ddvp.exe108⤵PID:1492
-
\??\c:\fflfxxr.exec:\fflfxxr.exe109⤵PID:448
-
\??\c:\nbnhhh.exec:\nbnhhh.exe110⤵PID:516
-
\??\c:\3vjdv.exec:\3vjdv.exe111⤵PID:1288
-
\??\c:\ffxrrxr.exec:\ffxrrxr.exe112⤵PID:4396
-
\??\c:\hnbnnt.exec:\hnbnnt.exe113⤵PID:5100
-
\??\c:\dppvj.exec:\dppvj.exe114⤵PID:4276
-
\??\c:\xlfffff.exec:\xlfffff.exe115⤵PID:1940
-
\??\c:\nbnhhh.exec:\nbnhhh.exe116⤵PID:3968
-
\??\c:\1jvvv.exec:\1jvvv.exe117⤵PID:3860
-
\??\c:\3rxrllf.exec:\3rxrllf.exe118⤵PID:3228
-
\??\c:\ffflxfx.exec:\ffflxfx.exe119⤵PID:4964
-
\??\c:\tttnhb.exec:\tttnhb.exe120⤵PID:4916
-
\??\c:\7vpjd.exec:\7vpjd.exe121⤵PID:4672
-
\??\c:\rflxrll.exec:\rflxrll.exe122⤵PID:3476