Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 09:53
Static task
static1
Behavioral task
behavioral1
Sample
91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638N.exe
Resource
win7-20240903-en
General
-
Target
91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638N.exe
-
Size
455KB
-
MD5
2fef0c6a30725a39961b0b0c7676c7d0
-
SHA1
a2c8252330b4acc52a5dfb291247f2a53cbfee0b
-
SHA256
91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638
-
SHA512
5b623c2234080930cbde4ad325feb77893552eb4ddc452f7b31d99cc3a3842038ceb5bddcc6c39394ac1235e4ac51b85f434cf0d3fa8a8c9224641f653a44d25
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1268-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/636-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2732-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-1193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-1215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4024-1243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4564 nbhbtt.exe 2148 1lrxrrl.exe 4904 fxlfrrf.exe 2732 nbbtnn.exe 1604 djvpj.exe 216 9xfxrfr.exe 3780 nhhhbb.exe 3132 btbtnn.exe 4800 vvvjv.exe 4824 lfxlfxr.exe 2184 7bhhtt.exe 620 7jjjd.exe 1388 7vdpj.exe 4544 xllfxxr.exe 404 bthnhb.exe 2924 dpjdv.exe 1736 3vppd.exe 4644 5lrlrlr.exe 2456 tnbttt.exe 2004 1jjdv.exe 4916 xlrllfx.exe 1160 fxffxfx.exe 1988 tnnbtn.exe 2756 pjdvp.exe 2728 lrfxxxr.exe 3160 5llfxrl.exe 1628 hntntt.exe 1048 7vddd.exe 2856 rxfxxxl.exe 2904 5ffxxxr.exe 4884 hhhtnh.exe 804 jppjd.exe 2276 frxrlfx.exe 2088 5llfffx.exe 4104 btbthb.exe 1920 vdjdp.exe 1564 1lffxxr.exe 636 rxxfllr.exe 5040 btbttn.exe 1276 1dvpj.exe 4640 lffrrfr.exe 4516 3ffrllf.exe 4368 nbnnhh.exe 1864 7dvpp.exe 372 5xfxrrl.exe 3556 3tnnhh.exe 3256 jjjdd.exe 4844 vvjjv.exe 3940 lrffxrr.exe 220 ttnbtt.exe 3824 vvpdv.exe 1116 jvjdd.exe 1696 llrlfrl.exe 4976 nhthnh.exe 3780 5vppj.exe 2452 jvvjd.exe 3796 lfffxxr.exe 1388 7hhbbb.exe 1916 pjjdv.exe 4148 pjddv.exe 2924 lrxrlfl.exe 1640 5tthbb.exe 3092 pdjjd.exe 2440 vdjdp.exe -
resource yara_rule behavioral2/memory/1268-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4884-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2884-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-1047-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-1141-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1268 wrote to memory of 4564 1268 91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638N.exe 85 PID 1268 wrote to memory of 4564 1268 91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638N.exe 85 PID 1268 wrote to memory of 4564 1268 91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638N.exe 85 PID 4564 wrote to memory of 2148 4564 nbhbtt.exe 86 PID 4564 wrote to memory of 2148 4564 nbhbtt.exe 86 PID 4564 wrote to memory of 2148 4564 nbhbtt.exe 86 PID 2148 wrote to memory of 4904 2148 1lrxrrl.exe 87 PID 2148 wrote to memory of 4904 2148 1lrxrrl.exe 87 PID 2148 wrote to memory of 4904 2148 1lrxrrl.exe 87 PID 4904 wrote to memory of 2732 4904 fxlfrrf.exe 88 PID 4904 wrote to memory of 2732 4904 fxlfrrf.exe 88 PID 4904 wrote to memory of 2732 4904 fxlfrrf.exe 88 PID 2732 wrote to memory of 1604 2732 nbbtnn.exe 89 PID 2732 wrote to memory of 1604 2732 nbbtnn.exe 89 PID 2732 wrote to memory of 1604 2732 nbbtnn.exe 89 PID 1604 wrote to memory of 216 1604 djvpj.exe 90 PID 1604 wrote to memory of 216 1604 djvpj.exe 90 PID 1604 wrote to memory of 216 1604 djvpj.exe 90 PID 216 wrote to memory of 3780 216 9xfxrfr.exe 140 PID 216 wrote to memory of 3780 216 9xfxrfr.exe 140 PID 216 wrote to memory of 3780 216 9xfxrfr.exe 140 PID 3780 wrote to memory of 3132 3780 nhhhbb.exe 92 PID 3780 wrote to memory of 3132 3780 nhhhbb.exe 92 PID 3780 wrote to memory of 3132 3780 nhhhbb.exe 92 PID 3132 wrote to memory of 4800 3132 btbtnn.exe 93 PID 3132 wrote to memory of 4800 3132 btbtnn.exe 93 PID 3132 wrote to memory of 4800 3132 btbtnn.exe 93 PID 4800 wrote to memory of 4824 4800 vvvjv.exe 94 PID 4800 wrote to memory of 4824 4800 vvvjv.exe 94 PID 4800 wrote to memory of 4824 4800 vvvjv.exe 94 PID 4824 wrote to memory of 2184 4824 lfxlfxr.exe 95 PID 4824 wrote to memory of 2184 4824 lfxlfxr.exe 95 PID 4824 wrote to memory of 2184 4824 lfxlfxr.exe 95 PID 2184 wrote to memory of 620 2184 7bhhtt.exe 96 PID 2184 wrote to 
memory of 620 2184 7bhhtt.exe 96 PID 2184 wrote to memory of 620 2184 7bhhtt.exe 96 PID 620 wrote to memory of 1388 620 7jjjd.exe 97 PID 620 wrote to memory of 1388 620 7jjjd.exe 97 PID 620 wrote to memory of 1388 620 7jjjd.exe 97 PID 1388 wrote to memory of 4544 1388 7vdpj.exe 98 PID 1388 wrote to memory of 4544 1388 7vdpj.exe 98 PID 1388 wrote to memory of 4544 1388 7vdpj.exe 98 PID 4544 wrote to memory of 404 4544 xllfxxr.exe 99 PID 4544 wrote to memory of 404 4544 xllfxxr.exe 99 PID 4544 wrote to memory of 404 4544 xllfxxr.exe 99 PID 404 wrote to memory of 2924 404 bthnhb.exe 100 PID 404 wrote to memory of 2924 404 bthnhb.exe 100 PID 404 wrote to memory of 2924 404 bthnhb.exe 100 PID 2924 wrote to memory of 1736 2924 dpjdv.exe 101 PID 2924 wrote to memory of 1736 2924 dpjdv.exe 101 PID 2924 wrote to memory of 1736 2924 dpjdv.exe 101 PID 1736 wrote to memory of 4644 1736 3vppd.exe 102 PID 1736 wrote to memory of 4644 1736 3vppd.exe 102 PID 1736 wrote to memory of 4644 1736 3vppd.exe 102 PID 4644 wrote to memory of 2456 4644 5lrlrlr.exe 103 PID 4644 wrote to memory of 2456 4644 5lrlrlr.exe 103 PID 4644 wrote to memory of 2456 4644 5lrlrlr.exe 103 PID 2456 wrote to memory of 2004 2456 tnbttt.exe 104 PID 2456 wrote to memory of 2004 2456 tnbttt.exe 104 PID 2456 wrote to memory of 2004 2456 tnbttt.exe 104 PID 2004 wrote to memory of 4916 2004 1jjdv.exe 105 PID 2004 wrote to memory of 4916 2004 1jjdv.exe 105 PID 2004 wrote to memory of 4916 2004 1jjdv.exe 105 PID 4916 wrote to memory of 1160 4916 xlrllfx.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638N.exe"C:\Users\Admin\AppData\Local\Temp\91992c9c171d7aaa336e9b8cc90fc4784f58fdd2bb1083248fa39bd9b67d6638N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\nbhbtt.exec:\nbhbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\1lrxrrl.exec:\1lrxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\fxlfrrf.exec:\fxlfrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\nbbtnn.exec:\nbbtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\djvpj.exec:\djvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\9xfxrfr.exec:\9xfxrfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\nhhhbb.exec:\nhhhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\btbtnn.exec:\btbtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\vvvjv.exec:\vvvjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\7bhhtt.exec:\7bhhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\7jjjd.exec:\7jjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\7vdpj.exec:\7vdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\xllfxxr.exec:\xllfxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\bthnhb.exec:\bthnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\dpjdv.exec:\dpjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\3vppd.exec:\3vppd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\5lrlrlr.exec:\5lrlrlr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\tnbttt.exec:\tnbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\1jjdv.exec:\1jjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\xlrllfx.exec:\xlrllfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\fxffxfx.exec:\fxffxfx.exe23⤵
- Executes dropped EXE
PID:1160 -
\??\c:\tnnbtn.exec:\tnnbtn.exe24⤵
- Executes dropped EXE
PID:1988 -
\??\c:\pjdvp.exec:\pjdvp.exe25⤵
- Executes dropped EXE
PID:2756 -
\??\c:\lrfxxxr.exec:\lrfxxxr.exe26⤵
- Executes dropped EXE
PID:2728 -
\??\c:\5llfxrl.exec:\5llfxrl.exe27⤵
- Executes dropped EXE
PID:3160 -
\??\c:\hntntt.exec:\hntntt.exe28⤵
- Executes dropped EXE
PID:1628 -
\??\c:\7vddd.exec:\7vddd.exe29⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rxfxxxl.exec:\rxfxxxl.exe30⤵
- Executes dropped EXE
PID:2856 -
\??\c:\5ffxxxr.exec:\5ffxxxr.exe31⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hhhtnh.exec:\hhhtnh.exe32⤵
- Executes dropped EXE
PID:4884 -
\??\c:\jppjd.exec:\jppjd.exe33⤵
- Executes dropped EXE
PID:804 -
\??\c:\frxrlfx.exec:\frxrlfx.exe34⤵
- Executes dropped EXE
PID:2276 -
\??\c:\5llfffx.exec:\5llfffx.exe35⤵
- Executes dropped EXE
PID:2088 -
\??\c:\btbthb.exec:\btbthb.exe36⤵
- Executes dropped EXE
PID:4104 -
\??\c:\vdjdp.exec:\vdjdp.exe37⤵
- Executes dropped EXE
PID:1920 -
\??\c:\1lffxxr.exec:\1lffxxr.exe38⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rxxfllr.exec:\rxxfllr.exe39⤵
- Executes dropped EXE
PID:636 -
\??\c:\btbttn.exec:\btbttn.exe40⤵
- Executes dropped EXE
PID:5040 -
\??\c:\1dvpj.exec:\1dvpj.exe41⤵
- Executes dropped EXE
PID:1276 -
\??\c:\lffrrfr.exec:\lffrrfr.exe42⤵
- Executes dropped EXE
PID:4640 -
\??\c:\3ffrllf.exec:\3ffrllf.exe43⤵
- Executes dropped EXE
PID:4516 -
\??\c:\nbnnhh.exec:\nbnnhh.exe44⤵
- Executes dropped EXE
PID:4368 -
\??\c:\7dvpp.exec:\7dvpp.exe45⤵
- Executes dropped EXE
PID:1864 -
\??\c:\5jdvp.exec:\5jdvp.exe46⤵PID:3464
-
\??\c:\5xfxrrl.exec:\5xfxrrl.exe47⤵
- Executes dropped EXE
PID:372 -
\??\c:\3tnnhh.exec:\3tnnhh.exe48⤵
- Executes dropped EXE
PID:3556 -
\??\c:\jjjdd.exec:\jjjdd.exe49⤵
- Executes dropped EXE
PID:3256 -
\??\c:\vvjjv.exec:\vvjjv.exe50⤵
- Executes dropped EXE
PID:4844 -
\??\c:\lrffxrr.exec:\lrffxrr.exe51⤵
- Executes dropped EXE
PID:3940 -
\??\c:\ttnbtt.exec:\ttnbtt.exe52⤵
- Executes dropped EXE
PID:220 -
\??\c:\vvpdv.exec:\vvpdv.exe53⤵
- Executes dropped EXE
PID:3824 -
\??\c:\jvjdd.exec:\jvjdd.exe54⤵
- Executes dropped EXE
PID:1116 -
\??\c:\llrlfrl.exec:\llrlfrl.exe55⤵
- Executes dropped EXE
PID:1696 -
\??\c:\nhthnh.exec:\nhthnh.exe56⤵
- Executes dropped EXE
PID:4976 -
\??\c:\5vppj.exec:\5vppj.exe57⤵
- Executes dropped EXE
PID:3780 -
\??\c:\jvvjd.exec:\jvvjd.exe58⤵
- Executes dropped EXE
PID:2452 -
\??\c:\lfffxxr.exec:\lfffxxr.exe59⤵
- Executes dropped EXE
PID:3796 -
\??\c:\7hhbbb.exec:\7hhbbb.exe60⤵
- Executes dropped EXE
PID:1388 -
\??\c:\pjjdv.exec:\pjjdv.exe61⤵
- Executes dropped EXE
PID:1916 -
\??\c:\pjddv.exec:\pjddv.exe62⤵
- Executes dropped EXE
PID:4148 -
\??\c:\lrxrlfl.exec:\lrxrlfl.exe63⤵
- Executes dropped EXE
PID:2924 -
\??\c:\5tthbb.exec:\5tthbb.exe64⤵
- Executes dropped EXE
PID:1640 -
\??\c:\pdjjd.exec:\pdjjd.exe65⤵
- Executes dropped EXE
PID:3092 -
\??\c:\vdjdp.exec:\vdjdp.exe66⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rflfxxr.exec:\rflfxxr.exe67⤵PID:4804
-
\??\c:\tnnhnn.exec:\tnnhnn.exe68⤵PID:3744
-
\??\c:\hnbtnh.exec:\hnbtnh.exe69⤵
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\7flllxx.exec:\7flllxx.exe70⤵PID:736
-
\??\c:\vvdjd.exec:\vvdjd.exe71⤵PID:1472
-
\??\c:\rllfxrl.exec:\rllfxrl.exe72⤵PID:1592
-
\??\c:\btbtnt.exec:\btbtnt.exe73⤵PID:1180
-
\??\c:\jjjdd.exec:\jjjdd.exe74⤵PID:4968
-
\??\c:\fxxfrrl.exec:\fxxfrrl.exe75⤵PID:1704
-
\??\c:\1nnnhn.exec:\1nnnhn.exe76⤵PID:1380
-
\??\c:\ddvpj.exec:\ddvpj.exe77⤵PID:2884
-
\??\c:\xrfxrlf.exec:\xrfxrlf.exe78⤵PID:2344
-
\??\c:\htbbth.exec:\htbbth.exe79⤵PID:4444
-
\??\c:\vjvjd.exec:\vjvjd.exe80⤵PID:4408
-
\??\c:\5lrrrxf.exec:\5lrrrxf.exe81⤵PID:1920
-
\??\c:\fxfrflr.exec:\fxfrflr.exe82⤵PID:5024
-
\??\c:\btnhhh.exec:\btnhhh.exe83⤵PID:4452
-
\??\c:\ppjjd.exec:\ppjjd.exe84⤵PID:4272
-
\??\c:\rxxfxll.exec:\rxxfxll.exe85⤵PID:3564
-
\??\c:\hntnnh.exec:\hntnnh.exe86⤵PID:4364
-
\??\c:\7pvvd.exec:\7pvvd.exe87⤵PID:5012
-
\??\c:\xfrlffx.exec:\xfrlffx.exe88⤵PID:392
-
\??\c:\ttthht.exec:\ttthht.exe89⤵PID:4560
-
\??\c:\hhhbbt.exec:\hhhbbt.exe90⤵PID:3420
-
\??\c:\jdvpp.exec:\jdvpp.exe91⤵PID:1620
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe92⤵PID:372
-
\??\c:\nhbttn.exec:\nhbttn.exe93⤵PID:384
-
\??\c:\jvjvp.exec:\jvjvp.exe94⤵PID:4844
-
\??\c:\ffrrxxr.exec:\ffrrxxr.exe95⤵PID:4700
-
\??\c:\1ttnnn.exec:\1ttnnn.exe96⤵PID:4876
-
\??\c:\9dppv.exec:\9dppv.exe97⤵PID:4796
-
\??\c:\3rffrrf.exec:\3rffrrf.exe98⤵PID:1256
-
\??\c:\nhhbhh.exec:\nhhbhh.exe99⤵PID:4588
-
\??\c:\thtnhb.exec:\thtnhb.exe100⤵PID:3008
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe101⤵PID:1732
-
\??\c:\lfrllll.exec:\lfrllll.exe102⤵PID:3136
-
\??\c:\pddvp.exec:\pddvp.exe103⤵PID:1716
-
\??\c:\dddvp.exec:\dddvp.exe104⤵PID:2328
-
\??\c:\llfxrrr.exec:\llfxrrr.exe105⤵PID:1388
-
\??\c:\7jppp.exec:\7jppp.exe106⤵PID:1436
-
\??\c:\dvppj.exec:\dvppj.exe107⤵PID:1872
-
\??\c:\lllllll.exec:\lllllll.exe108⤵
- System Location Discovery: System Language Discovery
PID:3212 -
\??\c:\dpvvp.exec:\dpvvp.exe109⤵PID:2924
-
\??\c:\xxxxrff.exec:\xxxxrff.exe110⤵PID:2508
-
\??\c:\9flflll.exec:\9flflll.exe111⤵PID:2768
-
\??\c:\tnthbh.exec:\tnthbh.exe112⤵PID:3436
-
\??\c:\fxllfff.exec:\fxllfff.exe113⤵PID:5080
-
\??\c:\9nhhbh.exec:\9nhhbh.exe114⤵PID:2456
-
\??\c:\7vdvp.exec:\7vdvp.exe115⤵PID:2272
-
\??\c:\lrffffx.exec:\lrffffx.exe116⤵PID:2652
-
\??\c:\rfxrlrl.exec:\rfxrlrl.exe117⤵PID:3804
-
\??\c:\5jjjd.exec:\5jjjd.exe118⤵PID:884
-
\??\c:\1lrrlll.exec:\1lrrlll.exe119⤵PID:1980
-
\??\c:\5hbttt.exec:\5hbttt.exe120⤵PID:3712
-
\??\c:\ddjdj.exec:\ddjdj.exe121⤵PID:4196
-
\??\c:\9hbthh.exec:\9hbthh.exe122⤵PID:4532