Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/12/2024, 07:48
Behavioral task
behavioral1
Sample
38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe
Resource
win7-20240708-en
General
-
Target
38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe
-
Size
3.7MB
-
MD5
5127135160820791053140ddc771c6c0
-
SHA1
3db0e069724c220eac26d7c4f2819c3ff17f86f9
-
SHA256
38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18
-
SHA512
8965566ea8fe95b5afd1b154ba9ea08941a2fb2478b9877fe2ced65be47b950796026c5783933286105dfb2d02eee0303d9e9c0689d89346c613dfbd209e101e
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98e:U6XLq/qPPslzKx/dJg1ErmNJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2552-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3724-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/728-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4816-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/728-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4360-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/916-528-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-544-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-551-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2352-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-574-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-581-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-615-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-652-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/816-743-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-825-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-1023-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1156-1150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-1366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-1373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 4188 bhttbb.exe 2028 flrlfrl.exe 2368 tttnbt.exe 2132 dppdv.exe 3616 vvpvj.exe 1384 tnttnh.exe 976 fxfxfxf.exe 1848 htbnhh.exe 1340 jdddv.exe 4980 rlrlrlr.exe 3724 vjddv.exe 728 1lllffx.exe 2164 5xfxxff.exe 1352 nhnhbb.exe 4252 xfffxlf.exe 1480 ffffllr.exe 452 rlrlrlr.exe 3088 rrrxrrx.exe 4376 ffxxxff.exe 3548 rllrlll.exe 1364 rxrrxfl.exe 4840 bnhbnn.exe 1348 3htbbh.exe 3196 tnnhhh.exe 4816 7jpjd.exe 1192 nnttbt.exe 4716 rfxxrrl.exe 1908 3lrrllf.exe 3348 jjvvp.exe 4732 jvjjd.exe 4088 1jjjd.exe 3528 ttttnt.exe 2596 vddvp.exe 1608 3bhnnt.exe 3044 htbbtn.exe 208 vvpdp.exe 4768 dvdvv.exe 4660 tnhtth.exe 2364 fxfrxfl.exe 4400 dvjdd.exe 5112 dpjdv.exe 4872 dpvjj.exe 740 jpvvd.exe 1468 jdjjp.exe 3540 1vddv.exe 3212 vdpjj.exe 1996 bhtnnt.exe 1332 bnbtnb.exe 2632 tntnhb.exe 1496 5bbtnn.exe 4224 5pvpj.exe 216 pdddv.exe 728 jppjd.exe 3740 5jdvp.exe 1600 vvjjj.exe 4844 tnttth.exe 1184 ddvpj.exe 4036 1dvpj.exe 1352 9nhhbb.exe 3120 bnnhbn.exe 4252 nhnhhb.exe 2820 nhnhhh.exe 2872 9rlrxrr.exe 452 llrllrl.exe -
resource yara_rule behavioral2/memory/2552-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba8-3.dat upx behavioral2/memory/4188-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2552-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb3-9.dat upx behavioral2/memory/4188-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bba-13.dat upx behavioral2/memory/2368-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2028-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc3-22.dat upx behavioral2/memory/2368-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ba9-28.dat upx behavioral2/memory/2132-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc9-35.dat upx behavioral2/memory/1384-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bca-40.dat upx behavioral2/files/0x000e000000023bce-48.dat upx behavioral2/memory/976-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd0-51.dat upx behavioral2/memory/1848-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd3-57.dat upx behavioral2/memory/1340-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4980-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd4-66.dat upx behavioral2/memory/3724-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd5-70.dat upx behavioral2/memory/728-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd6-76.dat upx behavioral2/files/0x0008000000023c05-81.dat upx behavioral2/memory/2164-84-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0008000000023c06-89.dat upx behavioral2/files/0x0008000000023c07-92.dat upx behavioral2/memory/4252-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd3-98.dat upx behavioral2/memory/1480-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c08-104.dat upx behavioral2/memory/452-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c09-110.dat upx behavioral2/files/0x0008000000023c0a-116.dat upx behavioral2/memory/3548-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0f-123.dat upx behavioral2/files/0x0008000000023c10-126.dat upx behavioral2/memory/1364-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4840-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c11-134.dat upx behavioral2/files/0x0008000000023c23-141.dat upx behavioral2/memory/1348-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3196-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000200000001e746-145.dat upx behavioral2/memory/4816-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2a-152.dat upx behavioral2/memory/1192-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2b-158.dat upx behavioral2/files/0x0008000000023c2c-162.dat upx behavioral2/files/0x0008000000023c2e-169.dat upx behavioral2/files/0x000b000000023c43-174.dat upx behavioral2/memory/3348-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0016000000023c44-179.dat upx behavioral2/memory/4088-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c4a-184.dat upx behavioral2/memory/3528-190-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2596-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1608-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/208-204-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxxrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2552 wrote to memory of 4188 2552 38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe 82 PID 2552 wrote to memory of 4188 2552 38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe 82 PID 2552 wrote to memory of 4188 2552 38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe 82 PID 4188 wrote to memory of 2028 4188 bhttbb.exe 83 PID 4188 wrote to memory of 2028 4188 bhttbb.exe 83 PID 4188 wrote to memory of 2028 4188 bhttbb.exe 83 PID 2028 wrote to memory of 2368 2028 flrlfrl.exe 84 PID 2028 wrote to memory of 2368 2028 flrlfrl.exe 84 PID 2028 wrote to memory of 2368 2028 flrlfrl.exe 84 PID 2368 wrote to memory of 2132 2368 tttnbt.exe 85 PID 2368 wrote to memory of 2132 2368 tttnbt.exe 85 PID 2368 wrote to memory of 2132 2368 tttnbt.exe 85 PID 2132 wrote to memory of 3616 2132 dppdv.exe 86 PID 2132 wrote to memory of 3616 2132 dppdv.exe 86 PID 2132 wrote to memory of 3616 2132 dppdv.exe 86 PID 3616 wrote to memory of 1384 3616 vvpvj.exe 87 PID 3616 wrote to memory of 1384 3616 vvpvj.exe 87 PID 3616 wrote to memory of 1384 3616 vvpvj.exe 87 PID 1384 wrote to memory of 976 1384 tnttnh.exe 88 PID 1384 wrote to memory of 976 1384 tnttnh.exe 88 PID 1384 wrote to memory of 976 1384 tnttnh.exe 88 PID 976 wrote to memory of 1848 976 fxfxfxf.exe 89 PID 976 wrote to memory of 1848 976 fxfxfxf.exe 89 PID 976 wrote to memory of 1848 976 fxfxfxf.exe 89 PID 1848 wrote to memory of 1340 1848 htbnhh.exe 90 PID 1848 wrote to memory of 1340 1848 htbnhh.exe 90 PID 1848 wrote to memory of 1340 1848 htbnhh.exe 90 PID 1340 wrote to memory of 4980 1340 jdddv.exe 91 PID 1340 wrote to memory of 4980 1340 jdddv.exe 91 PID 1340 wrote to memory of 4980 1340 jdddv.exe 91 PID 4980 wrote to memory of 3724 4980 rlrlrlr.exe 92 PID 4980 wrote to memory of 3724 4980 rlrlrlr.exe 92 PID 4980 wrote to memory of 3724 4980 rlrlrlr.exe 92 PID 3724 wrote to memory of 728 3724 vjddv.exe 93 PID 3724 wrote to memory of 
728 3724 vjddv.exe 93 PID 3724 wrote to memory of 728 3724 vjddv.exe 93 PID 728 wrote to memory of 2164 728 1lllffx.exe 94 PID 728 wrote to memory of 2164 728 1lllffx.exe 94 PID 728 wrote to memory of 2164 728 1lllffx.exe 94 PID 2164 wrote to memory of 1352 2164 5xfxxff.exe 95 PID 2164 wrote to memory of 1352 2164 5xfxxff.exe 95 PID 2164 wrote to memory of 1352 2164 5xfxxff.exe 95 PID 1352 wrote to memory of 4252 1352 nhnhbb.exe 96 PID 1352 wrote to memory of 4252 1352 nhnhbb.exe 96 PID 1352 wrote to memory of 4252 1352 nhnhbb.exe 96 PID 4252 wrote to memory of 1480 4252 xfffxlf.exe 97 PID 4252 wrote to memory of 1480 4252 xfffxlf.exe 97 PID 4252 wrote to memory of 1480 4252 xfffxlf.exe 97 PID 1480 wrote to memory of 452 1480 ffffllr.exe 98 PID 1480 wrote to memory of 452 1480 ffffllr.exe 98 PID 1480 wrote to memory of 452 1480 ffffllr.exe 98 PID 452 wrote to memory of 3088 452 rlrlrlr.exe 99 PID 452 wrote to memory of 3088 452 rlrlrlr.exe 99 PID 452 wrote to memory of 3088 452 rlrlrlr.exe 99 PID 3088 wrote to memory of 4376 3088 rrrxrrx.exe 100 PID 3088 wrote to memory of 4376 3088 rrrxrrx.exe 100 PID 3088 wrote to memory of 4376 3088 rrrxrrx.exe 100 PID 4376 wrote to memory of 3548 4376 ffxxxff.exe 101 PID 4376 wrote to memory of 3548 4376 ffxxxff.exe 101 PID 4376 wrote to memory of 3548 4376 ffxxxff.exe 101 PID 3548 wrote to memory of 1364 3548 rllrlll.exe 102 PID 3548 wrote to memory of 1364 3548 rllrlll.exe 102 PID 3548 wrote to memory of 1364 3548 rllrlll.exe 102 PID 1364 wrote to memory of 4840 1364 rxrrxfl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe"C:\Users\Admin\AppData\Local\Temp\38b576faa276a751d9f5f783841786b444862152e8d04cf33ca825dbf5c28f18N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\bhttbb.exec:\bhttbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\flrlfrl.exec:\flrlfrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\tttnbt.exec:\tttnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\dppdv.exec:\dppdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\vvpvj.exec:\vvpvj.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\tnttnh.exec:\tnttnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\htbnhh.exec:\htbnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\jdddv.exec:\jdddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\vjddv.exec:\vjddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\1lllffx.exec:\1lllffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\5xfxxff.exec:\5xfxxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\nhnhbb.exec:\nhnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\xfffxlf.exec:\xfffxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\ffffllr.exec:\ffffllr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\rrrxrrx.exec:\rrrxrrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\ffxxxff.exec:\ffxxxff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\rllrlll.exec:\rllrlll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\rxrrxfl.exec:\rxrrxfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\bnhbnn.exec:\bnhbnn.exe23⤵
- Executes dropped EXE
PID:4840 -
\??\c:\3htbbh.exec:\3htbbh.exe24⤵
- Executes dropped EXE
PID:1348 -
\??\c:\tnnhhh.exec:\tnnhhh.exe25⤵
- Executes dropped EXE
PID:3196 -
\??\c:\7jpjd.exec:\7jpjd.exe26⤵
- Executes dropped EXE
PID:4816 -
\??\c:\nnttbt.exec:\nnttbt.exe27⤵
- Executes dropped EXE
PID:1192 -
\??\c:\rfxxrrl.exec:\rfxxrrl.exe28⤵
- Executes dropped EXE
PID:4716 -
\??\c:\3lrrllf.exec:\3lrrllf.exe29⤵
- Executes dropped EXE
PID:1908 -
\??\c:\jjvvp.exec:\jjvvp.exe30⤵
- Executes dropped EXE
PID:3348 -
\??\c:\jvjjd.exec:\jvjjd.exe31⤵
- Executes dropped EXE
PID:4732 -
\??\c:\1jjjd.exec:\1jjjd.exe32⤵
- Executes dropped EXE
PID:4088 -
\??\c:\ttttnt.exec:\ttttnt.exe33⤵
- Executes dropped EXE
PID:3528 -
\??\c:\vddvp.exec:\vddvp.exe34⤵
- Executes dropped EXE
PID:2596 -
\??\c:\3bhnnt.exec:\3bhnnt.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\htbbtn.exec:\htbbtn.exe36⤵
- Executes dropped EXE
PID:3044 -
\??\c:\vvpdp.exec:\vvpdp.exe37⤵
- Executes dropped EXE
PID:208 -
\??\c:\dvdvv.exec:\dvdvv.exe38⤵
- Executes dropped EXE
PID:4768 -
\??\c:\tnhtth.exec:\tnhtth.exe39⤵
- Executes dropped EXE
PID:4660 -
\??\c:\fxfrxfl.exec:\fxfrxfl.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
\??\c:\dvjdd.exec:\dvjdd.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4400 -
\??\c:\dpjdv.exec:\dpjdv.exe42⤵
- Executes dropped EXE
PID:5112 -
\??\c:\dpvjj.exec:\dpvjj.exe43⤵
- Executes dropped EXE
PID:4872 -
\??\c:\jpvvd.exec:\jpvvd.exe44⤵
- Executes dropped EXE
PID:740 -
\??\c:\jdjjp.exec:\jdjjp.exe45⤵
- Executes dropped EXE
PID:1468 -
\??\c:\1vddv.exec:\1vddv.exe46⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vdpjj.exec:\vdpjj.exe47⤵
- Executes dropped EXE
PID:3212 -
\??\c:\bhtnnt.exec:\bhtnnt.exe48⤵
- Executes dropped EXE
PID:1996 -
\??\c:\bnbtnb.exec:\bnbtnb.exe49⤵
- Executes dropped EXE
PID:1332 -
\??\c:\tntnhb.exec:\tntnhb.exe50⤵
- Executes dropped EXE
PID:2632 -
\??\c:\5bbtnn.exec:\5bbtnn.exe51⤵
- Executes dropped EXE
PID:1496 -
\??\c:\5pvpj.exec:\5pvpj.exe52⤵
- Executes dropped EXE
PID:4224 -
\??\c:\pdddv.exec:\pdddv.exe53⤵
- Executes dropped EXE
PID:216 -
\??\c:\jppjd.exec:\jppjd.exe54⤵
- Executes dropped EXE
PID:728 -
\??\c:\5jdvp.exec:\5jdvp.exe55⤵
- Executes dropped EXE
PID:3740 -
\??\c:\vvjjj.exec:\vvjjj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
\??\c:\tnttth.exec:\tnttth.exe57⤵
- Executes dropped EXE
PID:4844 -
\??\c:\ddvpj.exec:\ddvpj.exe58⤵
- Executes dropped EXE
PID:1184 -
\??\c:\1dvpj.exec:\1dvpj.exe59⤵
- Executes dropped EXE
PID:4036 -
\??\c:\9nhhbb.exec:\9nhhbb.exe60⤵
- Executes dropped EXE
PID:1352 -
\??\c:\bnnhbn.exec:\bnnhbn.exe61⤵
- Executes dropped EXE
PID:3120 -
\??\c:\nhnhhb.exec:\nhnhhb.exe62⤵
- Executes dropped EXE
PID:4252 -
\??\c:\nhnhhh.exec:\nhnhhh.exe63⤵
- Executes dropped EXE
PID:2820 -
\??\c:\9rlrxrr.exec:\9rlrxrr.exe64⤵
- Executes dropped EXE
PID:2872 -
\??\c:\llrllrl.exec:\llrllrl.exe65⤵
- Executes dropped EXE
PID:452 -
\??\c:\llrlxxf.exec:\llrlxxf.exe66⤵PID:4360
-
\??\c:\lxfxrrf.exec:\lxfxrrf.exe67⤵PID:4376
-
\??\c:\1xlffff.exec:\1xlffff.exe68⤵PID:1556
-
\??\c:\ppddp.exec:\ppddp.exe69⤵PID:4860
-
\??\c:\5dvpj.exec:\5dvpj.exe70⤵PID:1364
-
\??\c:\1pjjj.exec:\1pjjj.exe71⤵PID:4840
-
\??\c:\5jpjp.exec:\5jpjp.exe72⤵PID:1348
-
\??\c:\dvvpj.exec:\dvvpj.exe73⤵PID:2388
-
\??\c:\1hhhbn.exec:\1hhhbn.exe74⤵PID:644
-
\??\c:\hhnthb.exec:\hhnthb.exe75⤵PID:3272
-
\??\c:\bhnhbt.exec:\bhnhbt.exe76⤵PID:2960
-
\??\c:\btnhbb.exec:\btnhbb.exe77⤵PID:4976
-
\??\c:\7hnbnn.exec:\7hnbnn.exe78⤵PID:1560
-
\??\c:\bttnbn.exec:\bttnbn.exe79⤵PID:3448
-
\??\c:\nhhbtt.exec:\nhhbtt.exe80⤵PID:4716
-
\??\c:\bbhtnh.exec:\bbhtnh.exe81⤵PID:884
-
\??\c:\hnhntn.exec:\hnhntn.exe82⤵PID:2648
-
\??\c:\3bnbtn.exec:\3bnbtn.exe83⤵PID:4016
-
\??\c:\7llxllx.exec:\7llxllx.exe84⤵PID:3340
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe85⤵PID:3384
-
\??\c:\ffxrlfx.exec:\ffxrlfx.exe86⤵PID:4088
-
\??\c:\xrxxrxr.exec:\xrxxrxr.exe87⤵PID:2144
-
\??\c:\djjdp.exec:\djjdp.exe88⤵PID:1044
-
\??\c:\vpppj.exec:\vpppj.exe89⤵PID:1512
-
\??\c:\jvjvp.exec:\jvjvp.exe90⤵PID:1680
-
\??\c:\jdpjj.exec:\jdpjj.exe91⤵PID:1660
-
\??\c:\nbnhbt.exec:\nbnhbt.exe92⤵PID:4436
-
\??\c:\tttnhh.exec:\tttnhh.exe93⤵PID:2904
-
\??\c:\pjvpv.exec:\pjvpv.exe94⤵PID:4932
-
\??\c:\nnbntn.exec:\nnbntn.exe95⤵PID:1808
-
\??\c:\1hhbtt.exec:\1hhbtt.exe96⤵PID:3616
-
\??\c:\3bbhnt.exec:\3bbhnt.exe97⤵PID:1384
-
\??\c:\nbhtnh.exec:\nbhtnh.exe98⤵PID:1328
-
\??\c:\hbbtnt.exec:\hbbtnt.exe99⤵PID:976
-
\??\c:\rrrrllr.exec:\rrrrllr.exe100⤵
- System Location Discovery: System Language Discovery
PID:312 -
\??\c:\xfrlfrl.exec:\xfrlfrl.exe101⤵PID:1704
-
\??\c:\rlrlllr.exec:\rlrlllr.exe102⤵PID:4980
-
\??\c:\xfrlfxr.exec:\xfrlfxr.exe103⤵PID:2320
-
\??\c:\dpdvp.exec:\dpdvp.exe104⤵PID:1080
-
\??\c:\jjvvp.exec:\jjvvp.exe105⤵PID:1108
-
\??\c:\vjdpp.exec:\vjdpp.exe106⤵PID:808
-
\??\c:\1dppp.exec:\1dppp.exe107⤵PID:3380
-
\??\c:\bhnbtt.exec:\bhnbtt.exe108⤵PID:1904
-
\??\c:\bhhhhb.exec:\bhhhhb.exe109⤵PID:3264
-
\??\c:\hhnhhh.exec:\hhnhhh.exe110⤵PID:4404
-
\??\c:\nhnbth.exec:\nhnbth.exe111⤵PID:4504
-
\??\c:\btnbbn.exec:\btnbbn.exe112⤵PID:1656
-
\??\c:\rxlfllf.exec:\rxlfllf.exe113⤵PID:1076
-
\??\c:\lfrlxfl.exec:\lfrlxfl.exe114⤵PID:2852
-
\??\c:\rxlfrlf.exec:\rxlfrlf.exe115⤵PID:1428
-
\??\c:\fffrxxr.exec:\fffrxxr.exe116⤵PID:212
-
\??\c:\lrllfxl.exec:\lrllfxl.exe117⤵PID:1516
-
\??\c:\ffrrllf.exec:\ffrrllf.exe118⤵
- System Location Discovery: System Language Discovery
PID:4360 -
\??\c:\dvvpd.exec:\dvvpd.exe119⤵PID:4376
-
\??\c:\jpvjd.exec:\jpvjd.exe120⤵PID:1556
-
\??\c:\tbhtbb.exec:\tbhtbb.exe121⤵PID:2572
-
\??\c:\tnthnb.exec:\tnthnb.exe122⤵PID:1776