Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2024, 21:21
Static task
static1
Behavioral task
behavioral1
Sample
09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50N.exe
Resource
win7-20240903-en
General
-
Target
09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50N.exe
-
Size
453KB
-
MD5
fc7b93dbd66e828432c3a505895ed990
-
SHA1
463c1a1419477edc9cb14574b93e586c3d47ec1d
-
SHA256
09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50
-
SHA512
a75b5c69126dc64949b7547d0f89e8a14741ab64f9899d4cdecf58e55e4ab39efff5e300d7b29d8f0dd2394b4a2220115e87ef72df83eb64f0b8c0d0ab1d12ea
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4940-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4596-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3168-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-969-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-991-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4764-1013-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1484 pddvp.exe 4100 lfxrlfx.exe 2620 hbbttn.exe 1836 hnttbb.exe 3704 pjppp.exe 1308 jppjj.exe 2076 frxrllf.exe 3396 pvdvv.exe 3928 1tbnhb.exe 3612 5vddd.exe 2432 5jjdv.exe 4460 5nnntt.exe 980 vppjd.exe 4440 llrlrlx.exe 4372 7pppj.exe 1548 rlrlfff.exe 3784 9hnhbb.exe 1844 5hhbbb.exe 1412 pdjdv.exe 1500 7xlfffl.exe 468 1xxrlrl.exe 1556 rflffff.exe 3720 3bhbtb.exe 3388 rlxrxxf.exe 4596 3lfxrxr.exe 4072 btntnb.exe 3628 3jddv.exe 3308 9nnhtn.exe 2348 nhtnnh.exe 1936 9xfllll.exe 3096 hbhhnn.exe 3336 1xrxrrl.exe 4472 hbttnh.exe 3020 vjpjj.exe 2844 rxrlxrr.exe 2736 lllxrfx.exe 1132 tnhnbn.exe 4432 3jvjp.exe 952 pddpd.exe 5084 rxrflfr.exe 4764 hnhbnh.exe 636 nhhtht.exe 1264 dpjvj.exe 1124 1lfrxrr.exe 4644 httbnh.exe 4996 pdjdd.exe 3552 rlrfxfr.exe 3736 3llfrlf.exe 3636 ttthth.exe 3544 3djjd.exe 4620 rflfxxr.exe 4076 djvpv.exe 2192 1frrlxx.exe 4188 xxfrxlr.exe 3840 nhhbtt.exe 1180 vppvv.exe 856 1lxrfxr.exe 2680 5bbtnn.exe 4524 1nhbnn.exe 1184 5dvpd.exe 2076 9xxlxrf.exe 2872 httnbt.exe 4844 ttbbnn.exe 3868 vppjd.exe -
resource yara_rule behavioral2/memory/4940-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3308-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1768-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-649-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4940 wrote to memory of 1484 4940 09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50N.exe 84 PID 4940 wrote to memory of 1484 4940 09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50N.exe 84 PID 4940 wrote to memory of 1484 4940 09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50N.exe 84 PID 1484 wrote to memory of 4100 1484 pddvp.exe 85 PID 1484 wrote to memory of 4100 1484 pddvp.exe 85 PID 1484 wrote to memory of 4100 1484 pddvp.exe 85 PID 4100 wrote to memory of 2620 4100 lfxrlfx.exe 86 PID 4100 wrote to memory of 2620 4100 lfxrlfx.exe 86 PID 4100 wrote to memory of 2620 4100 lfxrlfx.exe 86 PID 2620 wrote to memory of 1836 2620 hbbttn.exe 87 PID 2620 wrote to memory of 1836 2620 hbbttn.exe 87 PID 2620 wrote to memory of 1836 2620 hbbttn.exe 87 PID 1836 wrote to memory of 3704 1836 hnttbb.exe 88 PID 1836 wrote to memory of 3704 1836 hnttbb.exe 88 PID 1836 wrote to memory of 3704 1836 hnttbb.exe 88 PID 3704 wrote to memory of 1308 3704 pjppp.exe 89 PID 3704 wrote to memory of 1308 3704 pjppp.exe 89 PID 3704 wrote to memory of 1308 3704 pjppp.exe 89 PID 1308 wrote to memory of 2076 1308 jppjj.exe 90 PID 1308 wrote to memory of 2076 1308 jppjj.exe 90 PID 1308 wrote to memory of 2076 1308 jppjj.exe 90 PID 2076 wrote to memory of 3396 2076 frxrllf.exe 91 PID 2076 wrote to memory of 3396 2076 frxrllf.exe 91 PID 2076 wrote to memory of 3396 2076 frxrllf.exe 91 PID 3396 wrote to memory of 3928 3396 pvdvv.exe 92 PID 3396 wrote to memory of 3928 3396 pvdvv.exe 92 PID 3396 wrote to memory of 3928 3396 pvdvv.exe 92 PID 3928 wrote to memory of 3612 3928 1tbnhb.exe 93 PID 3928 wrote to memory of 3612 3928 1tbnhb.exe 93 PID 3928 wrote to memory of 3612 3928 1tbnhb.exe 93 PID 3612 wrote to memory of 2432 3612 5vddd.exe 94 PID 3612 wrote to memory of 2432 3612 5vddd.exe 94 PID 3612 wrote to memory of 2432 3612 5vddd.exe 94 PID 2432 wrote to memory of 4460 2432 5jjdv.exe 95 PID 2432 wrote to memory 
of 4460 2432 5jjdv.exe 95 PID 2432 wrote to memory of 4460 2432 5jjdv.exe 95 PID 4460 wrote to memory of 980 4460 5nnntt.exe 96 PID 4460 wrote to memory of 980 4460 5nnntt.exe 96 PID 4460 wrote to memory of 980 4460 5nnntt.exe 96 PID 980 wrote to memory of 4440 980 vppjd.exe 97 PID 980 wrote to memory of 4440 980 vppjd.exe 97 PID 980 wrote to memory of 4440 980 vppjd.exe 97 PID 4440 wrote to memory of 4372 4440 llrlrlx.exe 98 PID 4440 wrote to memory of 4372 4440 llrlrlx.exe 98 PID 4440 wrote to memory of 4372 4440 llrlrlx.exe 98 PID 4372 wrote to memory of 1548 4372 7pppj.exe 99 PID 4372 wrote to memory of 1548 4372 7pppj.exe 99 PID 4372 wrote to memory of 1548 4372 7pppj.exe 99 PID 1548 wrote to memory of 3784 1548 rlrlfff.exe 100 PID 1548 wrote to memory of 3784 1548 rlrlfff.exe 100 PID 1548 wrote to memory of 3784 1548 rlrlfff.exe 100 PID 3784 wrote to memory of 1844 3784 9hnhbb.exe 101 PID 3784 wrote to memory of 1844 3784 9hnhbb.exe 101 PID 3784 wrote to memory of 1844 3784 9hnhbb.exe 101 PID 1844 wrote to memory of 1412 1844 5hhbbb.exe 102 PID 1844 wrote to memory of 1412 1844 5hhbbb.exe 102 PID 1844 wrote to memory of 1412 1844 5hhbbb.exe 102 PID 1412 wrote to memory of 1500 1412 pdjdv.exe 103 PID 1412 wrote to memory of 1500 1412 pdjdv.exe 103 PID 1412 wrote to memory of 1500 1412 pdjdv.exe 103 PID 1500 wrote to memory of 468 1500 7xlfffl.exe 104 PID 1500 wrote to memory of 468 1500 7xlfffl.exe 104 PID 1500 wrote to memory of 468 1500 7xlfffl.exe 104 PID 468 wrote to memory of 1556 468 1xxrlrl.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50N.exe"C:\Users\Admin\AppData\Local\Temp\09b27f95fbc34aa014ec03547b9d8c14bc02ceb2e757e92f90b6e9b23dc58d50N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\pddvp.exec:\pddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\hbbttn.exec:\hbbttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\hnttbb.exec:\hnttbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\pjppp.exec:\pjppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\jppjj.exec:\jppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\frxrllf.exec:\frxrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\pvdvv.exec:\pvdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\1tbnhb.exec:\1tbnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\5vddd.exec:\5vddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\5jjdv.exec:\5jjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\5nnntt.exec:\5nnntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\vppjd.exec:\vppjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\llrlrlx.exec:\llrlrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\7pppj.exec:\7pppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\rlrlfff.exec:\rlrlfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\9hnhbb.exec:\9hnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\5hhbbb.exec:\5hhbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\pdjdv.exec:\pdjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\7xlfffl.exec:\7xlfffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\1xxrlrl.exec:\1xxrlrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\rflffff.exec:\rflffff.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
\??\c:\3bhbtb.exec:\3bhbtb.exe24⤵
- Executes dropped EXE
PID:3720 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe25⤵
- Executes dropped EXE
PID:3388 -
\??\c:\3lfxrxr.exec:\3lfxrxr.exe26⤵
- Executes dropped EXE
PID:4596 -
\??\c:\btntnb.exec:\btntnb.exe27⤵
- Executes dropped EXE
PID:4072 -
\??\c:\3jddv.exec:\3jddv.exe28⤵
- Executes dropped EXE
PID:3628 -
\??\c:\9nnhtn.exec:\9nnhtn.exe29⤵
- Executes dropped EXE
PID:3308 -
\??\c:\nhtnnh.exec:\nhtnnh.exe30⤵
- Executes dropped EXE
PID:2348 -
\??\c:\9xfllll.exec:\9xfllll.exe31⤵
- Executes dropped EXE
PID:1936 -
\??\c:\hbhhnn.exec:\hbhhnn.exe32⤵
- Executes dropped EXE
PID:3096 -
\??\c:\1xrxrrl.exec:\1xrxrrl.exe33⤵
- Executes dropped EXE
PID:3336 -
\??\c:\hbttnh.exec:\hbttnh.exe34⤵
- Executes dropped EXE
PID:4472 -
\??\c:\vjpjj.exec:\vjpjj.exe35⤵
- Executes dropped EXE
PID:3020 -
\??\c:\rxrlxrr.exec:\rxrlxrr.exe36⤵
- Executes dropped EXE
PID:2844 -
\??\c:\lllxrfx.exec:\lllxrfx.exe37⤵
- Executes dropped EXE
PID:2736 -
\??\c:\tnhnbn.exec:\tnhnbn.exe38⤵
- Executes dropped EXE
PID:1132 -
\??\c:\3jvjp.exec:\3jvjp.exe39⤵
- Executes dropped EXE
PID:4432 -
\??\c:\pddpd.exec:\pddpd.exe40⤵
- Executes dropped EXE
PID:952 -
\??\c:\rxrflfr.exec:\rxrflfr.exe41⤵
- Executes dropped EXE
PID:5084 -
\??\c:\hnhbnh.exec:\hnhbnh.exe42⤵
- Executes dropped EXE
PID:4764 -
\??\c:\nhhtht.exec:\nhhtht.exe43⤵
- Executes dropped EXE
PID:636 -
\??\c:\dpjvj.exec:\dpjvj.exe44⤵
- Executes dropped EXE
PID:1264 -
\??\c:\1lfrxrr.exec:\1lfrxrr.exe45⤵
- Executes dropped EXE
PID:1124 -
\??\c:\httbnh.exec:\httbnh.exe46⤵
- Executes dropped EXE
PID:4644 -
\??\c:\pdjdd.exec:\pdjdd.exe47⤵
- Executes dropped EXE
PID:4996 -
\??\c:\rlrfxfr.exec:\rlrfxfr.exe48⤵
- Executes dropped EXE
PID:3552 -
\??\c:\3llfrlf.exec:\3llfrlf.exe49⤵
- Executes dropped EXE
PID:3736 -
\??\c:\ttthth.exec:\ttthth.exe50⤵
- Executes dropped EXE
PID:3636 -
\??\c:\3djjd.exec:\3djjd.exe51⤵
- Executes dropped EXE
PID:3544 -
\??\c:\xllfrxr.exec:\xllfrxr.exe52⤵PID:2704
-
\??\c:\rflfxxr.exec:\rflfxxr.exe53⤵
- Executes dropped EXE
PID:4620 -
\??\c:\djvpv.exec:\djvpv.exe54⤵
- Executes dropped EXE
PID:4076 -
\??\c:\1frrlxx.exec:\1frrlxx.exe55⤵
- Executes dropped EXE
PID:2192 -
\??\c:\xxfrxlr.exec:\xxfrxlr.exe56⤵
- Executes dropped EXE
PID:4188 -
\??\c:\nhhbtt.exec:\nhhbtt.exe57⤵
- Executes dropped EXE
PID:3840 -
\??\c:\vppvv.exec:\vppvv.exe58⤵
- Executes dropped EXE
PID:1180 -
\??\c:\1lxrfxr.exec:\1lxrfxr.exe59⤵
- Executes dropped EXE
PID:856 -
\??\c:\5bbtnn.exec:\5bbtnn.exe60⤵
- Executes dropped EXE
PID:2680 -
\??\c:\1nhbnn.exec:\1nhbnn.exe61⤵
- Executes dropped EXE
PID:4524 -
\??\c:\5dvpd.exec:\5dvpd.exe62⤵
- Executes dropped EXE
PID:1184 -
\??\c:\9xxlxrf.exec:\9xxlxrf.exe63⤵
- Executes dropped EXE
PID:2076 -
\??\c:\httnbt.exec:\httnbt.exe64⤵
- Executes dropped EXE
PID:2872 -
\??\c:\ttbbnn.exec:\ttbbnn.exe65⤵
- Executes dropped EXE
PID:4844 -
\??\c:\vppjd.exec:\vppjd.exe66⤵
- Executes dropped EXE
PID:3868 -
\??\c:\flffxrl.exec:\flffxrl.exe67⤵PID:2184
-
\??\c:\hnttbn.exec:\hnttbn.exe68⤵PID:3940
-
\??\c:\thbbnn.exec:\thbbnn.exe69⤵PID:4052
-
\??\c:\vpdjd.exec:\vpdjd.exe70⤵PID:4832
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe71⤵PID:2188
-
\??\c:\fxrllll.exec:\fxrllll.exe72⤵PID:3168
-
\??\c:\1hbthb.exec:\1hbthb.exe73⤵PID:1268
-
\??\c:\jpvjv.exec:\jpvjv.exe74⤵PID:3668
-
\??\c:\lxrlxrf.exec:\lxrlxrf.exe75⤵PID:3556
-
\??\c:\hntnhh.exec:\hntnhh.exe76⤵PID:1548
-
\??\c:\dpdpv.exec:\dpdpv.exe77⤵PID:4348
-
\??\c:\1jvpj.exec:\1jvpj.exe78⤵PID:3660
-
\??\c:\lfxrlll.exec:\lfxrlll.exe79⤵PID:1460
-
\??\c:\hnnhbb.exec:\hnnhbb.exe80⤵PID:3432
-
\??\c:\ppvpp.exec:\ppvpp.exe81⤵PID:1000
-
\??\c:\llxrrrl.exec:\llxrrrl.exe82⤵PID:2912
-
\??\c:\5lfxrfx.exec:\5lfxrfx.exe83⤵PID:3592
-
\??\c:\btbttn.exec:\btbttn.exe84⤵PID:1192
-
\??\c:\pjjvp.exec:\pjjvp.exe85⤵PID:1312
-
\??\c:\9rrxlfr.exec:\9rrxlfr.exe86⤵PID:3836
-
\??\c:\frrfrlx.exec:\frrfrlx.exe87⤵PID:3744
-
\??\c:\nhbthb.exec:\nhbthb.exe88⤵PID:4596
-
\??\c:\vpjvj.exec:\vpjvj.exe89⤵PID:1768
-
\??\c:\pdjdp.exec:\pdjdp.exe90⤵PID:4072
-
\??\c:\fffxlfx.exec:\fffxlfx.exe91⤵PID:2300
-
\??\c:\7bhbnh.exec:\7bhbnh.exe92⤵PID:2364
-
\??\c:\thhbbt.exec:\thhbbt.exe93⤵PID:1692
-
\??\c:\9jvpv.exec:\9jvpv.exe94⤵PID:1408
-
\??\c:\djjdj.exec:\djjdj.exe95⤵PID:2776
-
\??\c:\3fxlxxl.exec:\3fxlxxl.exe96⤵PID:3116
-
\??\c:\bbthtn.exec:\bbthtn.exe97⤵PID:1320
-
\??\c:\hbthth.exec:\hbthth.exe98⤵PID:4140
-
\??\c:\5vpdv.exec:\5vpdv.exe99⤵PID:3884
-
\??\c:\xxrfrlf.exec:\xxrfrlf.exe100⤵PID:3936
-
\??\c:\thbthn.exec:\thbthn.exe101⤵PID:2360
-
\??\c:\jjdpd.exec:\jjdpd.exe102⤵PID:4872
-
\??\c:\pdvjv.exec:\pdvjv.exe103⤵PID:1984
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe104⤵PID:3468
-
\??\c:\nthbtn.exec:\nthbtn.exe105⤵
- System Location Discovery: System Language Discovery
PID:1300 -
\??\c:\dpjdp.exec:\dpjdp.exe106⤵PID:5084
-
\??\c:\ppppd.exec:\ppppd.exe107⤵PID:2096
-
\??\c:\xrfxlfr.exec:\xrfxlfr.exe108⤵PID:1892
-
\??\c:\bnhthb.exec:\bnhthb.exe109⤵PID:4952
-
\??\c:\7vvjdv.exec:\7vvjdv.exe110⤵PID:5012
-
\??\c:\jdjvv.exec:\jdjvv.exe111⤵PID:3076
-
\??\c:\lxlxfrl.exec:\lxlxfrl.exe112⤵PID:3064
-
\??\c:\bnnhhb.exec:\bnnhhb.exe113⤵PID:1964
-
\??\c:\ttthbh.exec:\ttthbh.exe114⤵PID:2240
-
\??\c:\vddvd.exec:\vddvd.exe115⤵PID:4480
-
\??\c:\xfrflff.exec:\xfrflff.exe116⤵PID:3544
-
\??\c:\hnhtnh.exec:\hnhtnh.exe117⤵PID:4856
-
\??\c:\thhthb.exec:\thhthb.exe118⤵PID:3796
-
\??\c:\3pdpd.exec:\3pdpd.exe119⤵PID:936
-
\??\c:\vpjvj.exec:\vpjvj.exe120⤵PID:3356
-
\??\c:\rfxxlrf.exec:\rfxxlrf.exe121⤵PID:1836
-
\??\c:\9thhth.exec:\9thhth.exe122⤵PID:3092