Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 15:45
Static task
static1
Behavioral task
behavioral1
Sample
16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe
Resource
win7-20240729-en
General
-
Target
16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe
-
Size
456KB
-
MD5
69082df138681363674c31f41a442980
-
SHA1
374a52e1777ffe981fba29df4ea92fe5a3742fcc
-
SHA256
16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49
-
SHA512
8e471385a2207b0b6771eb2eb14cc0fc074191399772fe8f4abb91a7689671fc34fec6f9da47b16a10dea7d1f889cb51f8ca482f4b9b513872ea1605d6e0e2e3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRN:q7Tc2NYHUrAwfMp3CDRN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4528-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1764-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2912-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-1242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-1602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4352 9nnhhn.exe 4432 vppvv.exe 612 vppjd.exe 3816 3dpjd.exe 3864 9ttnnn.exe 2284 vddvv.exe 4492 jvvdd.exe 4732 1tbhhb.exe 1432 thnhhh.exe 1696 hbbtnn.exe 3272 pjvvv.exe 1936 xxrlrrx.exe 2392 xfxrrrx.exe 4464 thnnhh.exe 4796 jjvvv.exe 5076 rrxxxxx.exe 2000 vpvpj.exe 4636 5llllrr.exe 4400 7nnnhh.exe 1704 bbhbbb.exe 1576 dppjd.exe 4452 xrxrlfx.exe 4628 5xxxllf.exe 4356 bhhbbt.exe 2716 9fxxlfx.exe 2336 btbtnh.exe 3156 tbhbbb.exe 4080 pddvv.exe 2724 5xxrllf.exe 4868 frflfff.exe 2656 nbnbbb.exe 4724 dpdjd.exe 4040 rlrxxxx.exe 3344 fxllrrx.exe 3772 hhhhhh.exe 212 vjjdd.exe 1764 3djdv.exe 2780 fxrlfff.exe 1356 thnhhh.exe 4524 7nbtnt.exe 4104 jdjjd.exe 4308 xrllffx.exe 4292 xrxxlll.exe 4272 nthbbb.exe 4460 vjvvv.exe 5028 flflfrf.exe 4892 lxllfxr.exe 4076 bhnhnh.exe 1372 ffxfxfx.exe 704 bttnnn.exe 3256 pjvvp.exe 3064 llrrllx.exe 1048 thhhbh.exe 3824 lrfrfrl.exe 1028 rllfxfx.exe 4732 hbhbbb.exe 2792 lfffxxr.exe 2428 ddppv.exe 4132 7rxrllf.exe 3272 nhhtnn.exe 4420 3dvdd.exe 5036 dddvv.exe 404 hhtttb.exe 2684 rlxrllx.exe -
resource yara_rule behavioral2/memory/4528-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-208-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/212-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4272-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-1126-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4528 wrote to memory of 4352 4528 16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe 83 PID 4528 wrote to memory of 4352 4528 16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe 83 PID 4528 wrote to memory of 4352 4528 16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe 83 PID 4352 wrote to memory of 4432 4352 9nnhhn.exe 84 PID 4352 wrote to memory of 4432 4352 9nnhhn.exe 84 PID 4352 wrote to memory of 4432 4352 9nnhhn.exe 84 PID 4432 wrote to memory of 612 4432 vppvv.exe 85 PID 4432 wrote to memory of 612 4432 vppvv.exe 85 PID 4432 wrote to memory of 612 4432 vppvv.exe 85 PID 612 wrote to memory of 3816 612 vppjd.exe 86 PID 612 wrote to memory of 3816 612 vppjd.exe 86 PID 612 wrote to memory of 3816 612 vppjd.exe 86 PID 3816 wrote to memory of 3864 3816 3dpjd.exe 87 PID 3816 wrote to memory of 3864 3816 3dpjd.exe 87 PID 3816 wrote to memory of 3864 3816 3dpjd.exe 87 PID 3864 wrote to memory of 2284 3864 9ttnnn.exe 88 PID 3864 wrote to memory of 2284 3864 9ttnnn.exe 88 PID 3864 wrote to memory of 2284 3864 9ttnnn.exe 88 PID 2284 wrote to memory of 4492 2284 vddvv.exe 89 PID 2284 wrote to memory of 4492 2284 vddvv.exe 89 PID 2284 wrote to memory of 4492 2284 vddvv.exe 89 PID 4492 wrote to memory of 4732 4492 jvvdd.exe 90 PID 4492 wrote to memory of 4732 4492 jvvdd.exe 90 PID 4492 wrote to memory of 4732 4492 jvvdd.exe 90 PID 4732 wrote to memory of 1432 4732 1tbhhb.exe 91 PID 4732 wrote to memory of 1432 4732 1tbhhb.exe 91 PID 4732 wrote to memory of 1432 4732 1tbhhb.exe 91 PID 1432 wrote to memory of 1696 1432 thnhhh.exe 92 PID 1432 wrote to memory of 1696 1432 thnhhh.exe 92 PID 1432 wrote to memory of 1696 1432 thnhhh.exe 92 PID 1696 wrote to memory of 3272 1696 hbbtnn.exe 93 PID 1696 wrote to memory of 3272 1696 hbbtnn.exe 93 PID 1696 wrote to memory of 3272 1696 hbbtnn.exe 93 PID 3272 wrote to memory of 1936 3272 pjvvv.exe 94 PID 3272 wrote to memory of 1936 3272 
pjvvv.exe 94 PID 3272 wrote to memory of 1936 3272 pjvvv.exe 94 PID 1936 wrote to memory of 2392 1936 xxrlrrx.exe 95 PID 1936 wrote to memory of 2392 1936 xxrlrrx.exe 95 PID 1936 wrote to memory of 2392 1936 xxrlrrx.exe 95 PID 2392 wrote to memory of 4464 2392 xfxrrrx.exe 96 PID 2392 wrote to memory of 4464 2392 xfxrrrx.exe 96 PID 2392 wrote to memory of 4464 2392 xfxrrrx.exe 96 PID 4464 wrote to memory of 4796 4464 thnnhh.exe 97 PID 4464 wrote to memory of 4796 4464 thnnhh.exe 97 PID 4464 wrote to memory of 4796 4464 thnnhh.exe 97 PID 4796 wrote to memory of 5076 4796 jjvvv.exe 98 PID 4796 wrote to memory of 5076 4796 jjvvv.exe 98 PID 4796 wrote to memory of 5076 4796 jjvvv.exe 98 PID 5076 wrote to memory of 2000 5076 rrxxxxx.exe 99 PID 5076 wrote to memory of 2000 5076 rrxxxxx.exe 99 PID 5076 wrote to memory of 2000 5076 rrxxxxx.exe 99 PID 2000 wrote to memory of 4636 2000 vpvpj.exe 100 PID 2000 wrote to memory of 4636 2000 vpvpj.exe 100 PID 2000 wrote to memory of 4636 2000 vpvpj.exe 100 PID 4636 wrote to memory of 4400 4636 5llllrr.exe 101 PID 4636 wrote to memory of 4400 4636 5llllrr.exe 101 PID 4636 wrote to memory of 4400 4636 5llllrr.exe 101 PID 4400 wrote to memory of 1704 4400 7nnnhh.exe 102 PID 4400 wrote to memory of 1704 4400 7nnnhh.exe 102 PID 4400 wrote to memory of 1704 4400 7nnnhh.exe 102 PID 1704 wrote to memory of 1576 1704 bbhbbb.exe 103 PID 1704 wrote to memory of 1576 1704 bbhbbb.exe 103 PID 1704 wrote to memory of 1576 1704 bbhbbb.exe 103 PID 1576 wrote to memory of 4452 1576 dppjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe"C:\Users\Admin\AppData\Local\Temp\16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\9nnhhn.exec:\9nnhhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\vppvv.exec:\vppvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\vppjd.exec:\vppjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:612 -
\??\c:\3dpjd.exec:\3dpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\9ttnnn.exec:\9ttnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\vddvv.exec:\vddvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\jvvdd.exec:\jvvdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\1tbhhb.exec:\1tbhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\thnhhh.exec:\thnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\hbbtnn.exec:\hbbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\pjvvv.exec:\pjvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\xxrlrrx.exec:\xxrlrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\xfxrrrx.exec:\xfxrrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\thnnhh.exec:\thnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\jjvvv.exec:\jjvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\vpvpj.exec:\vpvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\5llllrr.exec:\5llllrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\7nnnhh.exec:\7nnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\bbhbbb.exec:\bbhbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\dppjd.exec:\dppjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe23⤵
- Executes dropped EXE
PID:4452 -
\??\c:\5xxxllf.exec:\5xxxllf.exe24⤵
- Executes dropped EXE
PID:4628 -
\??\c:\bhhbbt.exec:\bhhbbt.exe25⤵
- Executes dropped EXE
PID:4356 -
\??\c:\9fxxlfx.exec:\9fxxlfx.exe26⤵
- Executes dropped EXE
PID:2716 -
\??\c:\btbtnh.exec:\btbtnh.exe27⤵
- Executes dropped EXE
PID:2336 -
\??\c:\tbhbbb.exec:\tbhbbb.exe28⤵
- Executes dropped EXE
PID:3156 -
\??\c:\pddvv.exec:\pddvv.exe29⤵
- Executes dropped EXE
PID:4080 -
\??\c:\5xxrllf.exec:\5xxrllf.exe30⤵
- Executes dropped EXE
PID:2724 -
\??\c:\frflfff.exec:\frflfff.exe31⤵
- Executes dropped EXE
PID:4868 -
\??\c:\nbnbbb.exec:\nbnbbb.exe32⤵
- Executes dropped EXE
PID:2656 -
\??\c:\dpdjd.exec:\dpdjd.exe33⤵
- Executes dropped EXE
PID:4724 -
\??\c:\rlrxxxx.exec:\rlrxxxx.exe34⤵
- Executes dropped EXE
PID:4040 -
\??\c:\fxllrrx.exec:\fxllrrx.exe35⤵
- Executes dropped EXE
PID:3344 -
\??\c:\hhhhhh.exec:\hhhhhh.exe36⤵
- Executes dropped EXE
PID:3772 -
\??\c:\vjjdd.exec:\vjjdd.exe37⤵
- Executes dropped EXE
PID:212 -
\??\c:\3djdv.exec:\3djdv.exe38⤵
- Executes dropped EXE
PID:1764 -
\??\c:\fxrlfff.exec:\fxrlfff.exe39⤵
- Executes dropped EXE
PID:2780 -
\??\c:\thnhhh.exec:\thnhhh.exe40⤵
- Executes dropped EXE
PID:1356 -
\??\c:\7nbtnt.exec:\7nbtnt.exe41⤵
- Executes dropped EXE
PID:4524 -
\??\c:\jdjjd.exec:\jdjjd.exe42⤵
- Executes dropped EXE
PID:4104 -
\??\c:\xrllffx.exec:\xrllffx.exe43⤵
- Executes dropped EXE
PID:4308 -
\??\c:\xrxxlll.exec:\xrxxlll.exe44⤵
- Executes dropped EXE
PID:4292 -
\??\c:\nthbbb.exec:\nthbbb.exe45⤵
- Executes dropped EXE
PID:4272 -
\??\c:\vjvvv.exec:\vjvvv.exe46⤵
- Executes dropped EXE
PID:4460 -
\??\c:\flflfrf.exec:\flflfrf.exe47⤵
- Executes dropped EXE
PID:5028 -
\??\c:\lxllfxr.exec:\lxllfxr.exe48⤵
- Executes dropped EXE
PID:4892 -
\??\c:\bhnhnh.exec:\bhnhnh.exe49⤵
- Executes dropped EXE
PID:4076 -
\??\c:\ffxfxfx.exec:\ffxfxfx.exe50⤵
- Executes dropped EXE
PID:1372 -
\??\c:\bttnnn.exec:\bttnnn.exe51⤵
- Executes dropped EXE
PID:704 -
\??\c:\pjvvp.exec:\pjvvp.exe52⤵
- Executes dropped EXE
PID:3256 -
\??\c:\llrrllx.exec:\llrrllx.exe53⤵
- Executes dropped EXE
PID:3064 -
\??\c:\thhhbh.exec:\thhhbh.exe54⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lrfrfrl.exec:\lrfrfrl.exe55⤵
- Executes dropped EXE
PID:3824 -
\??\c:\rllfxfx.exec:\rllfxfx.exe56⤵
- Executes dropped EXE
PID:1028 -
\??\c:\hbhbbb.exec:\hbhbbb.exe57⤵
- Executes dropped EXE
PID:4732 -
\??\c:\lfffxxr.exec:\lfffxxr.exe58⤵
- Executes dropped EXE
PID:2792 -
\??\c:\ddppv.exec:\ddppv.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\7rxrllf.exec:\7rxrllf.exe60⤵
- Executes dropped EXE
PID:4132 -
\??\c:\nhhtnn.exec:\nhhtnn.exe61⤵
- Executes dropped EXE
PID:3272 -
\??\c:\3dvdd.exec:\3dvdd.exe62⤵
- Executes dropped EXE
PID:4420 -
\??\c:\dddvv.exec:\dddvv.exe63⤵
- Executes dropped EXE
PID:5036 -
\??\c:\hhtttb.exec:\hhtttb.exe64⤵
- Executes dropped EXE
PID:404 -
\??\c:\rlxrllx.exec:\rlxrllx.exe65⤵
- Executes dropped EXE
PID:2684 -
\??\c:\pdpvp.exec:\pdpvp.exe66⤵PID:1976
-
\??\c:\jdjdv.exec:\jdjdv.exe67⤵PID:2384
-
\??\c:\7fxxffl.exec:\7fxxffl.exe68⤵PID:3952
-
\??\c:\nnbthh.exec:\nnbthh.exe69⤵PID:2596
-
\??\c:\pvdvd.exec:\pvdvd.exe70⤵PID:4704
-
\??\c:\5ddvp.exec:\5ddvp.exe71⤵PID:4340
-
\??\c:\lrlfxrr.exec:\lrlfxrr.exe72⤵PID:2004
-
\??\c:\5hnnhn.exec:\5hnnhn.exe73⤵PID:2056
-
\??\c:\5djdp.exec:\5djdp.exe74⤵PID:1704
-
\??\c:\rlrllll.exec:\rlrllll.exe75⤵PID:5072
-
\??\c:\1hbbnt.exec:\1hbbnt.exe76⤵PID:4532
-
\??\c:\7pvpv.exec:\7pvpv.exe77⤵PID:3760
-
\??\c:\jpdvj.exec:\jpdvj.exe78⤵PID:1208
-
\??\c:\frrrlrr.exec:\frrrlrr.exe79⤵PID:4188
-
\??\c:\3bbbhh.exec:\3bbbhh.exe80⤵PID:396
-
\??\c:\ppvpj.exec:\ppvpj.exe81⤵PID:5012
-
\??\c:\jvjdv.exec:\jvjdv.exe82⤵PID:2716
-
\??\c:\rlrrrrl.exec:\rlrrrrl.exe83⤵PID:3196
-
\??\c:\btbbbh.exec:\btbbbh.exe84⤵PID:1580
-
\??\c:\5vddv.exec:\5vddv.exe85⤵PID:4176
-
\??\c:\lxxfxlf.exec:\lxxfxlf.exe86⤵PID:4508
-
\??\c:\3nttnt.exec:\3nttnt.exe87⤵PID:4040
-
\??\c:\hntnnn.exec:\hntnnn.exe88⤵PID:2972
-
\??\c:\dvvpj.exec:\dvvpj.exe89⤵
- System Location Discovery: System Language Discovery
PID:3416 -
\??\c:\xxffxxx.exec:\xxffxxx.exe90⤵PID:3852
-
\??\c:\1frllll.exec:\1frllll.exe91⤵PID:2780
-
\??\c:\ttbbbb.exec:\ttbbbb.exe92⤵PID:2912
-
\??\c:\1dddv.exec:\1dddv.exe93⤵PID:428
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe94⤵PID:2028
-
\??\c:\3hntbh.exec:\3hntbh.exe95⤵PID:1548
-
\??\c:\dvvvj.exec:\dvvvj.exe96⤵PID:3436
-
\??\c:\5xflfff.exec:\5xflfff.exe97⤵PID:4540
-
\??\c:\frfxrrr.exec:\frfxrrr.exe98⤵PID:5112
-
\??\c:\nhhbtn.exec:\nhhbtn.exe99⤵PID:4308
-
\??\c:\7vdvd.exec:\7vdvd.exe100⤵PID:4804
-
\??\c:\vpjdv.exec:\vpjdv.exe101⤵PID:4272
-
\??\c:\lxffllf.exec:\lxffllf.exe102⤵PID:3068
-
\??\c:\hhhhhh.exec:\hhhhhh.exe103⤵PID:224
-
\??\c:\hnttnn.exec:\hnttnn.exe104⤵PID:916
-
\??\c:\jpdvp.exec:\jpdvp.exe105⤵PID:3636
-
\??\c:\rrlfffl.exec:\rrlfffl.exe106⤵PID:4892
-
\??\c:\bbnntb.exec:\bbnntb.exe107⤵PID:2344
-
\??\c:\jdjdd.exec:\jdjdd.exe108⤵PID:1276
-
\??\c:\dpdpp.exec:\dpdpp.exe109⤵PID:1076
-
\??\c:\rlllxxx.exec:\rlllxxx.exe110⤵PID:3200
-
\??\c:\hhhntb.exec:\hhhntb.exe111⤵PID:3808
-
\??\c:\pdpvp.exec:\pdpvp.exe112⤵PID:1932
-
\??\c:\dddjj.exec:\dddjj.exe113⤵PID:4312
-
\??\c:\7hntnn.exec:\7hntnn.exe114⤵PID:1188
-
\??\c:\vjvdv.exec:\vjvdv.exe115⤵PID:3576
-
\??\c:\rlrffff.exec:\rlrffff.exe116⤵PID:1028
-
\??\c:\tntnnn.exec:\tntnnn.exe117⤵PID:952
-
\??\c:\hhnhbt.exec:\hhnhbt.exe118⤵PID:3956
-
\??\c:\pvjdv.exec:\pvjdv.exe119⤵PID:924
-
\??\c:\1xlfflf.exec:\1xlfflf.exe120⤵PID:2952
-
\??\c:\thtttt.exec:\thtttt.exe121⤵PID:1708
-
\??\c:\dvdvv.exec:\dvdvv.exe122⤵PID:1784