Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 19/12/2024, 21:10

Static task: static1

Behavioral task: behavioral1
- Sample: 9623a0c8dd321952058e70356e1ad4e7902eaf59bff20e2fd91d1b6aae0e15c5N.exe
- Resource: win7-20241010-en
General
- Target: 9623a0c8dd321952058e70356e1ad4e7902eaf59bff20e2fd91d1b6aae0e15c5N.exe
- Size: 456KB
- MD5: 640cf226d808afe7dadfac8600bd9730
- SHA1: 48df3ef702eaa9fdbaa127288eee20c73c6611d2
- SHA256: 9623a0c8dd321952058e70356e1ad4e7902eaf59bff20e2fd91d1b6aae0e15c5
- SHA512: fed5f8e0778e8dbd7a77001e384c917ab718b331dc92f47e89b6abea0732cebcbe409cdbe8ad6d0c877ca19e866caa05bfcfe9221b54247dbd208c5ee6d58d51
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRR:q7Tc2NYHUrAwfMp3CDRR
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
depth | image | command line | PID | signatures (if any)
- 1 | C:\Users\Admin\AppData\Local\Temp\9623a0c8dd321952058e70356e1ad4e7902eaf59bff20e2fd91d1b6aae0e15c5N.exe | "C:\Users\Admin\AppData\Local\Temp\9623a0c8dd321952058e70356e1ad4e7902eaf59bff20e2fd91d1b6aae0e15c5N.exe" | PID 5040 | Suspicious use of WriteProcessMemory
- 2 | \??\c:\vjvjd.exe | c:\vjvjd.exe | PID 1076 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 3 | \??\c:\1llflxl.exe | c:\1llflxl.exe | PID 3820 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 4 | \??\c:\9xxlxxl.exe | c:\9xxlxxl.exe | PID 1628 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 5 | \??\c:\djvpj.exe | c:\djvpj.exe | PID 4632 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 6 | \??\c:\thnhbb.exe | c:\thnhbb.exe | PID 4832 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 7 | \??\c:\pjvdp.exe | c:\pjvdp.exe | PID 2208 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 8 | \??\c:\nhbthb.exe | c:\nhbthb.exe | PID 2552 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 9 | \??\c:\jjpjv.exe | c:\jjpjv.exe | PID 4916 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 10 | \??\c:\xrrlxxl.exe | c:\xrrlxxl.exe | PID 3484 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 11 | \??\c:\pddvp.exe | c:\pddvp.exe | PID 4528 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 12 | \??\c:\hntntt.exe | c:\hntntt.exe | PID 4420 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 13 | \??\c:\dpjpv.exe | c:\dpjpv.exe | PID 2776 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 14 | \??\c:\3lxrlfx.exe | c:\3lxrlfx.exe | PID 2024 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 15 | \??\c:\nhbhbh.exe | c:\nhbhbh.exe | PID 2200 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 16 | \??\c:\9jdvj.exe | c:\9jdvj.exe | PID 2872 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 17 | \??\c:\flxxxff.exe | c:\flxxxff.exe | PID 2868 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 18 | \??\c:\jjvjv.exe | c:\jjvjv.exe | PID 4144 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 19 | \??\c:\xrlxlfr.exe | c:\xrlxlfr.exe | PID 3564 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 20 | \??\c:\hnnbtb.exe | c:\hnnbtb.exe | PID 4452 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 21 | \??\c:\pvvjv.exe | c:\pvvjv.exe | PID 3368 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 22 | \??\c:\llxlrlr.exe | c:\llxlrlr.exe | PID 1900 | Executes dropped EXE; Suspicious use of WriteProcessMemory
- 23 | \??\c:\dppjd.exe | c:\dppjd.exe | PID 3244 | Executes dropped EXE
- 24 | \??\c:\rflfxrr.exe | c:\rflfxrr.exe | PID 3492 | Executes dropped EXE
- 25 | \??\c:\9jjjd.exe | c:\9jjjd.exe | PID 832 | Executes dropped EXE
- 26 | \??\c:\lfxrlfr.exe | c:\lfxrlfr.exe | PID 392 | Executes dropped EXE
- 27 | \??\c:\1bbnhb.exe | c:\1bbnhb.exe | PID 1444 | Executes dropped EXE
- 28 | \??\c:\5dvjv.exe | c:\5dvjv.exe | PID 1540 | Executes dropped EXE
- 29 | \??\c:\bhtnhh.exe | c:\bhtnhh.exe | PID 4160 | Executes dropped EXE
- 30 | \??\c:\fffxxxf.exe | c:\fffxxxf.exe | PID 1536 | Executes dropped EXE
- 31 | \??\c:\hbttbb.exe | c:\hbttbb.exe | PID 1704 | Executes dropped EXE
- 32 | \??\c:\rrrlllf.exe | c:\rrrlllf.exe | PID 440 | Executes dropped EXE
- 33 | \??\c:\lfffxxr.exe | c:\lfffxxr.exe | PID 2720 | Executes dropped EXE
- 34 | \??\c:\xfrrlff.exe | c:\xfrrlff.exe | PID 2364 | Executes dropped EXE
- 35 | \??\c:\bttttt.exe | c:\bttttt.exe | PID 4216 | Executes dropped EXE
- 36 | \??\c:\hnnnbb.exe | c:\hnnnbb.exe | PID 2996 | Executes dropped EXE
- 37 | \??\c:\vpjdd.exe | c:\vpjdd.exe | PID 1620 | Executes dropped EXE
- 38 | \??\c:\3rrrlrl.exe | c:\3rrrlrl.exe | PID 3988 | Executes dropped EXE
- 39 | \??\c:\ttbhbh.exe | c:\ttbhbh.exe | PID 2332 | Executes dropped EXE
- 40 | \??\c:\3tttnn.exe | c:\3tttnn.exe | PID 4136 | Executes dropped EXE
- 41 | \??\c:\9rrlrrx.exe | c:\9rrlrrx.exe | PID 2292 | Executes dropped EXE
- 42 | \??\c:\9thhnh.exe | c:\9thhnh.exe | PID 2788 | Executes dropped EXE
- 43 | \??\c:\vjpjj.exe | c:\vjpjj.exe | PID 1532 | Executes dropped EXE
- 44 | \??\c:\pjvpd.exe | c:\pjvpd.exe | PID 3624 | Executes dropped EXE
- 45 | \??\c:\frrlxxr.exe | c:\frrlxxr.exe | PID 4140 | Executes dropped EXE
- 46 | \??\c:\ttbbhh.exe | c:\ttbbhh.exe | PID 4236 | Executes dropped EXE
- 47 | \??\c:\1ttnnh.exe | c:\1ttnnh.exe | PID 4876 | Executes dropped EXE
- 48 | \??\c:\9jdvv.exe | c:\9jdvv.exe | PID 2976 | Executes dropped EXE
- 49 | \??\c:\3rrrlll.exe | c:\3rrrlll.exe | PID 4360 | Executes dropped EXE
- 50 | \??\c:\nttbbt.exe | c:\nttbbt.exe | PID 1472 | Executes dropped EXE; System Location Discovery: System Language Discovery
- 51 | \??\c:\vdjdv.exe | c:\vdjdv.exe | PID 1092 | Executes dropped EXE
- 52 | \??\c:\fxxffrr.exe | c:\fxxffrr.exe | PID 4208 | Executes dropped EXE
- 53 | \??\c:\1ttttb.exe | c:\1ttttb.exe | PID 4464 | Executes dropped EXE
- 54 | \??\c:\bnttnn.exe | c:\bnttnn.exe | PID 212 | Executes dropped EXE
- 55 | \??\c:\jdjdj.exe | c:\jdjdj.exe | PID 4308 | Executes dropped EXE
- 56 | \??\c:\ffrlxxr.exe | c:\ffrlxxr.exe | PID 1652 | Executes dropped EXE
- 57 | \??\c:\bthbbt.exe | c:\bthbbt.exe | PID 3924 | Executes dropped EXE
- 58 | \??\c:\btbttt.exe | c:\btbttt.exe | PID 5048 | Executes dropped EXE
- 59 | \??\c:\jdddd.exe | c:\jdddd.exe | PID 4200 | Executes dropped EXE
- 60 | \??\c:\frrlrrl.exe | c:\frrlrrl.exe | PID 1384 | Executes dropped EXE
- 61 | \??\c:\btbbtt.exe | c:\btbbtt.exe | PID 1584 | Executes dropped EXE
- 62 | \??\c:\vpvpp.exe | c:\vpvpp.exe | PID 456 | Executes dropped EXE
- 63 | \??\c:\pvjvj.exe | c:\pvjvj.exe | PID 4016 | Executes dropped EXE
- 64 | \??\c:\ffxrllf.exe | c:\ffxrllf.exe | PID 1436 | Executes dropped EXE
- 65 | \??\c:\bntnhb.exe | c:\bntnhb.exe | PID 4920 | Executes dropped EXE
- 66 | \??\c:\jdpjp.exe | c:\jdpjp.exe | PID 3416
- 67 | \??\c:\rlfxrrl.exe | c:\rlfxrrl.exe | PID 1616
- 68 | \??\c:\ffllfff.exe | c:\ffllfff.exe | PID 1248
- 69 | \??\c:\bnnnhh.exe | c:\bnnnhh.exe | PID 4496
- 70 | \??\c:\pjjdp.exe | c:\pjjdp.exe | PID 3132
- 71 | \??\c:\pjvpp.exe | c:\pjvpp.exe | PID 4156
- 72 | \??\c:\xrrfrrl.exe | c:\xrrfrrl.exe | PID 1916
- 73 | \??\c:\9ntnbb.exe | c:\9ntnbb.exe | PID 3420
- 74 | \??\c:\9jpjd.exe | c:\9jpjd.exe | PID 1820
- 75 | \??\c:\pvddd.exe | c:\pvddd.exe | PID 3356
- 76 | \??\c:\flfxxxx.exe | c:\flfxxxx.exe | PID 924
- 77 | \??\c:\bntnnn.exe | c:\bntnnn.exe | PID 3452
- 78 | \??\c:\vpvpv.exe | c:\vpvpv.exe | PID 2288
- 79 | \??\c:\pdjjp.exe | c:\pdjjp.exe | PID 5028
- 80 | \??\c:\1lrlflf.exe | c:\1lrlflf.exe | PID 4660
- 81 | \??\c:\7nbtnn.exe | c:\7nbtnn.exe | PID 5052
- 82 | \??\c:\vjpjv.exe | c:\vjpjv.exe | PID 2624
- 83 | \??\c:\7ppjp.exe | c:\7ppjp.exe | PID 3716
- 84 | \??\c:\fxrrrrl.exe | c:\fxrrrrl.exe | PID 2592
- 85 | \??\c:\nbbnhb.exe | c:\nbbnhb.exe | PID 4060
- 86 | \??\c:\jjpvp.exe | c:\jjpvp.exe | PID 748
- 87 | \??\c:\9llrlrr.exe | c:\9llrlrr.exe | PID 5088
- 88 | \??\c:\9ffxlfx.exe | c:\9ffxlfx.exe | PID 4224
- 89 | \??\c:\nbhbnh.exe | c:\nbhbnh.exe | PID 5112
- 90 | \??\c:\pjpdj.exe | c:\pjpdj.exe | PID 4940
- 91 | \??\c:\xxfrfxr.exe | c:\xxfrfxr.exe | PID 1704
- 92 | \??\c:\frlxrlf.exe | c:\frlxrlf.exe | PID 2884
- 93 | \??\c:\tnhbnh.exe | c:\tnhbnh.exe | PID 2652
- 94 | \??\c:\vdvjp.exe | c:\vdvjp.exe | PID 3380
- 95 | \??\c:\pdvpd.exe | c:\pdvpd.exe | PID 2364
- 96 | \??\c:\lffrfxl.exe | c:\lffrfxl.exe | PID 4216
- 97 | \??\c:\xxrxrlx.exe | c:\xxrxrlx.exe | PID 2968
- 98 | \??\c:\1nbtnh.exe | c:\1nbtnh.exe | PID 2140
- 99 | \??\c:\jvvjv.exe | c:\jvvjv.exe | PID 5008
- 100 | \??\c:\rrxlxrl.exe | c:\rrxlxrl.exe | PID 1852
- 101 | \??\c:\httnbt.exe | c:\httnbt.exe | PID 396
- 102 | \??\c:\jvjpv.exe | c:\jvjpv.exe | PID 2292
- 103 | \??\c:\vvvvp.exe | c:\vvvvp.exe | PID 3904
- 104 | \??\c:\7llxrrf.exe | c:\7llxrrf.exe | PID 4444
- 105 | \??\c:\thtbtn.exe | c:\thtbtn.exe | PID 3624
- 106 | \??\c:\9tthbn.exe | c:\9tthbn.exe | PID 4976
- 107 | \??\c:\vvdvj.exe | c:\vvdvj.exe | PID 2896
- 108 | \??\c:\1vvjv.exe | c:\1vvjv.exe | PID 4300
- 109 | \??\c:\1fxrfxr.exe | c:\1fxrfxr.exe | PID 1180
- 110 | \??\c:\btnhbn.exe | c:\btnhbn.exe | PID 372 | System Location Discovery: System Language Discovery
- 111 | \??\c:\btbnhb.exe | c:\btbnhb.exe | PID 1076
- 112 | \??\c:\vpvpp.exe | c:\vpvpp.exe | PID 3820
- 113 | \??\c:\1jddp.exe | c:\1jddp.exe | PID 4992
- 114 | \??\c:\1ffrrlf.exe | c:\1ffrrlf.exe | PID 1912
- 115 | \??\c:\ttbtnh.exe | c:\ttbtnh.exe | PID 936
- 116 | \??\c:\5hbthh.exe | c:\5hbthh.exe | PID 2484
- 117 | \??\c:\jppjp.exe | c:\jppjp.exe | PID 2700
- 118 | \??\c:\lfxrflf.exe | c:\lfxrflf.exe | PID 348
- 119 | \??\c:\lrrlfxr.exe | c:\lrrlfxr.exe | PID 316
- 120 | \??\c:\9btnbt.exe | c:\9btnbt.exe | PID 3488
- 121 | \??\c:\vdjdp.exe | c:\vdjdp.exe | PID 876
- 122 | \??\c:\ffrffxl.exe | c:\ffrffxl.exe | PID 2932