Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 00:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac.exe
-
Size
454KB
-
MD5
7a5fdda9516c689c4135b85c28579750
-
SHA1
b60bae11971b06726232d837c15b73f3878281e5
-
SHA256
d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac
-
SHA512
5e23e316a27dc5c18e56ffaf8b3bb19bb4e0d003d5445316b647a13919f0a22410c5467db2fae79a815bc09171c6ffdf6ec838fd42f3e6fe893570c29353de5c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3572-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3968-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4336-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-1240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-1704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5072-1766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2664 lrxrrll.exe 3976 djpjv.exe 2600 5rlfxxr.exe 1256 hhtbnb.exe 2540 frfxrrr.exe 1436 nhbttt.exe 3400 xrfxxrx.exe 2964 jvddv.exe 2376 vpvpj.exe 3028 fxfxrrl.exe 2456 bhnbtn.exe 2396 vjpjd.exe 1076 rrflfff.exe 4820 djvvp.exe 4680 tbbtnn.exe 2828 bhnbnn.exe 1152 pjjpj.exe 4384 xxlfrrl.exe 4828 ppjvj.exe 404 7xfrlfx.exe 3220 pddvp.exe 3368 vpvpj.exe 3668 3pddd.exe 1516 hbtntt.exe 3968 hhhnnn.exe 3384 thhhtt.exe 1824 hbhhbb.exe 4772 lxfxrrl.exe 2180 dvjdd.exe 1748 hbbbtb.exe 3164 vvpjd.exe 2592 hthhbt.exe 1400 7bbtnn.exe 4420 jvdvp.exe 5092 3flfrrl.exe 4792 bttnhh.exe 2824 vdpvd.exe 5072 xrxrlrr.exe 3508 nhttnn.exe 3472 vpdvd.exe 3068 xlxrffx.exe 4864 lfrrlxl.exe 3564 ttbbtt.exe 5036 ppdvp.exe 4684 ffrlllr.exe 4200 bbbbtt.exe 1396 pjvdv.exe 2516 xflfxrr.exe 2268 xrlfxll.exe 1116 nnttnn.exe 4016 pjpjd.exe 508 rlrlfff.exe 4524 xrllxxl.exe 2388 nbnnhh.exe 4428 ppvpj.exe 3536 5flffll.exe 4556 nntthh.exe 2656 bthbbb.exe 2736 jdjjv.exe 1436 rrxrfxx.exe 900 nhnhbb.exe 1092 tbbtnn.exe 2328 jvdvv.exe 4940 rfrlfrr.exe -
resource yara_rule behavioral2/memory/3572-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4772-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2000-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-1078-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnnhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3572 wrote to memory of 2664 3572 d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac.exe 82 PID 3572 wrote to memory of 2664 3572 d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac.exe 82 PID 3572 wrote to memory of 2664 3572 d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac.exe 82 PID 2664 wrote to memory of 3976 2664 lrxrrll.exe 83 PID 2664 wrote to memory of 3976 2664 lrxrrll.exe 83 PID 2664 wrote to memory of 3976 2664 lrxrrll.exe 83 PID 3976 wrote to memory of 2600 3976 djpjv.exe 84 PID 3976 wrote to memory of 2600 3976 djpjv.exe 84 PID 3976 wrote to memory of 2600 3976 djpjv.exe 84 PID 2600 wrote to memory of 1256 2600 5rlfxxr.exe 85 PID 2600 wrote to memory of 1256 2600 5rlfxxr.exe 85 PID 2600 wrote to memory of 1256 2600 5rlfxxr.exe 85 PID 1256 wrote to memory of 2540 1256 hhtbnb.exe 86 PID 1256 wrote to memory of 2540 1256 hhtbnb.exe 86 PID 1256 wrote to memory of 2540 1256 hhtbnb.exe 86 PID 2540 wrote to memory of 1436 2540 frfxrrr.exe 87 PID 2540 wrote to memory of 1436 2540 frfxrrr.exe 87 PID 2540 wrote to memory of 1436 2540 frfxrrr.exe 87 PID 1436 wrote to memory of 3400 1436 nhbttt.exe 88 PID 1436 wrote to memory of 3400 1436 nhbttt.exe 88 PID 1436 wrote to memory of 3400 1436 nhbttt.exe 88 PID 3400 wrote to memory of 2964 3400 xrfxxrx.exe 89 PID 3400 wrote to memory of 2964 3400 xrfxxrx.exe 89 PID 3400 wrote to memory of 2964 3400 xrfxxrx.exe 89 PID 2964 wrote to memory of 2376 2964 jvddv.exe 90 PID 2964 wrote to memory of 2376 2964 jvddv.exe 90 PID 2964 wrote to memory of 2376 2964 jvddv.exe 90 PID 2376 wrote to memory of 3028 2376 vpvpj.exe 91 PID 2376 wrote to memory of 3028 2376 vpvpj.exe 91 PID 2376 wrote to memory of 3028 2376 vpvpj.exe 91 PID 3028 wrote to memory of 2456 3028 fxfxrrl.exe 92 PID 3028 wrote to memory of 2456 3028 fxfxrrl.exe 92 PID 3028 wrote to memory of 2456 3028 fxfxrrl.exe 92 PID 2456 wrote to memory of 2396 2456 bhnbtn.exe 93 PID 2456 
wrote to memory of 2396 2456 bhnbtn.exe 93 PID 2456 wrote to memory of 2396 2456 bhnbtn.exe 93 PID 2396 wrote to memory of 1076 2396 vjpjd.exe 94 PID 2396 wrote to memory of 1076 2396 vjpjd.exe 94 PID 2396 wrote to memory of 1076 2396 vjpjd.exe 94 PID 1076 wrote to memory of 4820 1076 rrflfff.exe 95 PID 1076 wrote to memory of 4820 1076 rrflfff.exe 95 PID 1076 wrote to memory of 4820 1076 rrflfff.exe 95 PID 4820 wrote to memory of 4680 4820 djvvp.exe 96 PID 4820 wrote to memory of 4680 4820 djvvp.exe 96 PID 4820 wrote to memory of 4680 4820 djvvp.exe 96 PID 4680 wrote to memory of 2828 4680 tbbtnn.exe 97 PID 4680 wrote to memory of 2828 4680 tbbtnn.exe 97 PID 4680 wrote to memory of 2828 4680 tbbtnn.exe 97 PID 2828 wrote to memory of 1152 2828 bhnbnn.exe 98 PID 2828 wrote to memory of 1152 2828 bhnbnn.exe 98 PID 2828 wrote to memory of 1152 2828 bhnbnn.exe 98 PID 1152 wrote to memory of 4384 1152 pjjpj.exe 99 PID 1152 wrote to memory of 4384 1152 pjjpj.exe 99 PID 1152 wrote to memory of 4384 1152 pjjpj.exe 99 PID 4384 wrote to memory of 4828 4384 xxlfrrl.exe 100 PID 4384 wrote to memory of 4828 4384 xxlfrrl.exe 100 PID 4384 wrote to memory of 4828 4384 xxlfrrl.exe 100 PID 4828 wrote to memory of 404 4828 ppjvj.exe 101 PID 4828 wrote to memory of 404 4828 ppjvj.exe 101 PID 4828 wrote to memory of 404 4828 ppjvj.exe 101 PID 404 wrote to memory of 3220 404 7xfrlfx.exe 102 PID 404 wrote to memory of 3220 404 7xfrlfx.exe 102 PID 404 wrote to memory of 3220 404 7xfrlfx.exe 102 PID 3220 wrote to memory of 3368 3220 pddvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac.exe"C:\Users\Admin\AppData\Local\Temp\d9d53becab5cc6ab3c4b43006edd609a8fe37959578de331e8553d8f4da907ac.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\lrxrrll.exec:\lrxrrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\djpjv.exec:\djpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\5rlfxxr.exec:\5rlfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\hhtbnb.exec:\hhtbnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\frfxrrr.exec:\frfxrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\nhbttt.exec:\nhbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\xrfxxrx.exec:\xrfxxrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\jvddv.exec:\jvddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\vpvpj.exec:\vpvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\bhnbtn.exec:\bhnbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\vjpjd.exec:\vjpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\rrflfff.exec:\rrflfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\djvvp.exec:\djvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\tbbtnn.exec:\tbbtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\bhnbnn.exec:\bhnbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\pjjpj.exec:\pjjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\xxlfrrl.exec:\xxlfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\ppjvj.exec:\ppjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\7xfrlfx.exec:\7xfrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\pddvp.exec:\pddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\vpvpj.exec:\vpvpj.exe23⤵
- Executes dropped EXE
PID:3368 -
\??\c:\3pddd.exec:\3pddd.exe24⤵
- Executes dropped EXE
PID:3668 -
\??\c:\hbtntt.exec:\hbtntt.exe25⤵
- Executes dropped EXE
PID:1516 -
\??\c:\hhhnnn.exec:\hhhnnn.exe26⤵
- Executes dropped EXE
PID:3968 -
\??\c:\thhhtt.exec:\thhhtt.exe27⤵
- Executes dropped EXE
PID:3384 -
\??\c:\hbhhbb.exec:\hbhhbb.exe28⤵
- Executes dropped EXE
PID:1824 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe29⤵
- Executes dropped EXE
PID:4772 -
\??\c:\dvjdd.exec:\dvjdd.exe30⤵
- Executes dropped EXE
PID:2180 -
\??\c:\hbbbtb.exec:\hbbbtb.exe31⤵
- Executes dropped EXE
PID:1748 -
\??\c:\vvpjd.exec:\vvpjd.exe32⤵
- Executes dropped EXE
PID:3164 -
\??\c:\hthhbt.exec:\hthhbt.exe33⤵
- Executes dropped EXE
PID:2592 -
\??\c:\7bbtnn.exec:\7bbtnn.exe34⤵
- Executes dropped EXE
PID:1400 -
\??\c:\jvdvp.exec:\jvdvp.exe35⤵
- Executes dropped EXE
PID:4420 -
\??\c:\3flfrrl.exec:\3flfrrl.exe36⤵
- Executes dropped EXE
PID:5092 -
\??\c:\bttnhh.exec:\bttnhh.exe37⤵
- Executes dropped EXE
PID:4792 -
\??\c:\vdpvd.exec:\vdpvd.exe38⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xrxrlrr.exec:\xrxrlrr.exe39⤵
- Executes dropped EXE
PID:5072 -
\??\c:\nhttnn.exec:\nhttnn.exe40⤵
- Executes dropped EXE
PID:3508 -
\??\c:\vpdvd.exec:\vpdvd.exe41⤵
- Executes dropped EXE
PID:3472 -
\??\c:\xlxrffx.exec:\xlxrffx.exe42⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lfrrlxl.exec:\lfrrlxl.exe43⤵
- Executes dropped EXE
PID:4864 -
\??\c:\ttbbtt.exec:\ttbbtt.exe44⤵
- Executes dropped EXE
PID:3564 -
\??\c:\ppdvp.exec:\ppdvp.exe45⤵
- Executes dropped EXE
PID:5036 -
\??\c:\ffrlllr.exec:\ffrlllr.exe46⤵
- Executes dropped EXE
PID:4684 -
\??\c:\bbbbtt.exec:\bbbbtt.exe47⤵
- Executes dropped EXE
PID:4200 -
\??\c:\pjvdv.exec:\pjvdv.exe48⤵
- Executes dropped EXE
PID:1396 -
\??\c:\xflfxrr.exec:\xflfxrr.exe49⤵
- Executes dropped EXE
PID:2516 -
\??\c:\xrlfxll.exec:\xrlfxll.exe50⤵
- Executes dropped EXE
PID:2268 -
\??\c:\nnttnn.exec:\nnttnn.exe51⤵
- Executes dropped EXE
PID:1116 -
\??\c:\pjpjd.exec:\pjpjd.exe52⤵
- Executes dropped EXE
PID:4016 -
\??\c:\rlrlfff.exec:\rlrlfff.exe53⤵
- Executes dropped EXE
PID:508 -
\??\c:\xrllxxl.exec:\xrllxxl.exe54⤵
- Executes dropped EXE
PID:4524 -
\??\c:\nbnnhh.exec:\nbnnhh.exe55⤵
- Executes dropped EXE
PID:2388 -
\??\c:\ppvpj.exec:\ppvpj.exe56⤵
- Executes dropped EXE
PID:4428 -
\??\c:\5flffll.exec:\5flffll.exe57⤵
- Executes dropped EXE
PID:3536 -
\??\c:\nntthh.exec:\nntthh.exe58⤵
- Executes dropped EXE
PID:4556 -
\??\c:\bthbbb.exec:\bthbbb.exe59⤵
- Executes dropped EXE
PID:2656 -
\??\c:\jdjjv.exec:\jdjjv.exe60⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rrxrfxx.exec:\rrxrfxx.exe61⤵
- Executes dropped EXE
PID:1436 -
\??\c:\nhnhbb.exec:\nhnhbb.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:900 -
\??\c:\tbbtnn.exec:\tbbtnn.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1092 -
\??\c:\jvdvv.exec:\jvdvv.exe64⤵
- Executes dropped EXE
PID:2328 -
\??\c:\rfrlfrr.exec:\rfrlfrr.exe65⤵
- Executes dropped EXE
PID:4940 -
\??\c:\tbhhtb.exec:\tbhhtb.exe66⤵PID:4336
-
\??\c:\dvjdj.exec:\dvjdj.exe67⤵PID:1472
-
\??\c:\lxffflf.exec:\lxffflf.exe68⤵PID:416
-
\??\c:\hbnhnh.exec:\hbnhnh.exe69⤵PID:3704
-
\??\c:\djpvd.exec:\djpvd.exe70⤵PID:100
-
\??\c:\rrfxfll.exec:\rrfxfll.exe71⤵PID:968
-
\??\c:\7fxrllf.exec:\7fxrllf.exe72⤵PID:1136
-
\??\c:\hbnhtt.exec:\hbnhtt.exe73⤵PID:4288
-
\??\c:\jpdvp.exec:\jpdvp.exe74⤵PID:3060
-
\??\c:\rlrllfx.exec:\rlrllfx.exe75⤵PID:2804
-
\??\c:\hhhhbt.exec:\hhhhbt.exe76⤵PID:3788
-
\??\c:\bntnhb.exec:\bntnhb.exe77⤵PID:3740
-
\??\c:\vpppd.exec:\vpppd.exe78⤵PID:680
-
\??\c:\lffxllf.exec:\lffxllf.exe79⤵PID:2320
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe80⤵PID:2144
-
\??\c:\hhttbn.exec:\hhttbn.exe81⤵PID:4724
-
\??\c:\tntnth.exec:\tntnth.exe82⤵PID:4040
-
\??\c:\dvvdv.exec:\dvvdv.exe83⤵PID:4924
-
\??\c:\3lxrxlr.exec:\3lxrxlr.exe84⤵PID:4956
-
\??\c:\tbhbtn.exec:\tbhbtn.exe85⤵PID:4716
-
\??\c:\tnbbbb.exec:\tnbbbb.exe86⤵PID:4504
-
\??\c:\pdjjd.exec:\pdjjd.exe87⤵PID:4324
-
\??\c:\1xfxrrr.exec:\1xfxrrr.exe88⤵PID:4280
-
\??\c:\bttnhb.exec:\bttnhb.exe89⤵PID:4752
-
\??\c:\vpvpd.exec:\vpvpd.exe90⤵PID:2112
-
\??\c:\ffxffll.exec:\ffxffll.exe91⤵PID:4464
-
\??\c:\nthntb.exec:\nthntb.exe92⤵PID:2180
-
\??\c:\9pvvp.exec:\9pvvp.exe93⤵PID:3868
-
\??\c:\rfrxrrr.exec:\rfrxrrr.exe94⤵PID:1276
-
\??\c:\frxrrrl.exec:\frxrrrl.exe95⤵PID:2000
-
\??\c:\bbnnnt.exec:\bbnnnt.exe96⤵PID:1988
-
\??\c:\ddjdv.exec:\ddjdv.exe97⤵PID:4572
-
\??\c:\xrffrrr.exec:\xrffrrr.exe98⤵PID:1580
-
\??\c:\tbhbtn.exec:\tbhbtn.exe99⤵PID:4420
-
\??\c:\nhhnnt.exec:\nhhnnt.exe100⤵PID:1676
-
\??\c:\pjvpp.exec:\pjvpp.exe101⤵PID:3836
-
\??\c:\bhtnbb.exec:\bhtnbb.exe102⤵PID:1836
-
\??\c:\7bbtnn.exec:\7bbtnn.exe103⤵PID:5072
-
\??\c:\dvpjj.exec:\dvpjj.exe104⤵PID:1368
-
\??\c:\fllrlfx.exec:\fllrlfx.exe105⤵PID:4456
-
\??\c:\hbthbb.exec:\hbthbb.exe106⤵PID:3460
-
\??\c:\5djdv.exec:\5djdv.exe107⤵PID:2160
-
\??\c:\dvddv.exec:\dvddv.exe108⤵PID:3832
-
\??\c:\fxffxxx.exec:\fxffxxx.exe109⤵PID:3076
-
\??\c:\bbhhhh.exec:\bbhhhh.exe110⤵PID:4548
-
\??\c:\pjjdv.exec:\pjjdv.exe111⤵PID:3180
-
\??\c:\rxfffrr.exec:\rxfffrr.exe112⤵PID:4748
-
\??\c:\hhnhbt.exec:\hhnhbt.exe113⤵PID:1972
-
\??\c:\pjvvv.exec:\pjvvv.exe114⤵PID:896
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe115⤵PID:4892
-
\??\c:\btttnn.exec:\btttnn.exe116⤵PID:1116
-
\??\c:\ntbtnh.exec:\ntbtnh.exe117⤵PID:4016
-
\??\c:\jjppv.exec:\jjppv.exe118⤵PID:3976
-
\??\c:\rfrfrfr.exec:\rfrfrfr.exe119⤵PID:4004
-
\??\c:\tthbtn.exec:\tthbtn.exe120⤵PID:4600
-
\??\c:\jdpjd.exec:\jdpjd.exe121⤵PID:2968
-
\??\c:\lxlffxf.exec:\lxlffxf.exe122⤵PID:3536