Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 16:32
Static task
static1
Behavioral task
behavioral1
Sample
ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5N.exe
Resource
win7-20240903-en
General
-
Target
ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5N.exe
-
Size
453KB
-
MD5
1f19ac3b94d3d65b58ab29ed24606db0
-
SHA1
068f6bebc60d8eaf37a9a3cbaa6ef0464defd143
-
SHA256
ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5
-
SHA512
0e46d6dea2ef5879958553c37371374df034d31b41355e042604a754735eb2e4b511813c23cf647d8e204aa94427f5a101b0d479117eaa7a2b6bbc694fc6332d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1084-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3016-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4400-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-1124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-1240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-1262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1468-1540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1108 9jvvp.exe 1008 5rxxrrl.exe 3052 djdvv.exe 4752 jpjjv.exe 3076 xrrrxxr.exe 2064 nbbnbb.exe 4232 hbhbtt.exe 3604 rrxrlrr.exe 3612 1btnhh.exe 3876 lrlllll.exe 2152 ppdvp.exe 3488 9fxxxlf.exe 952 lxrlfxl.exe 684 ttthhb.exe 1728 pvppp.exe 4240 jjppj.exe 2292 xxxrrff.exe 4596 9hhhhb.exe 2244 7rrxxfr.exe 4100 btbbtt.exe 3012 btttnn.exe 1308 djvdj.exe 3944 1flffff.exe 1928 1rxrrrl.exe 1100 tthbtt.exe 1780 dpvvp.exe 3016 3pjdd.exe 404 xxffxfx.exe 2928 rrxxffl.exe 2368 fffxffx.exe 1068 bnbbhh.exe 392 lrrxxxx.exe 4468 ffxxxxx.exe 1160 hbhbbb.exe 1956 ddjdd.exe 4636 xlffxxx.exe 1628 pvddp.exe 4892 vvvpj.exe 1456 rrffxxx.exe 3800 5vppj.exe 3504 xrlfrlf.exe 3588 btbtnn.exe 1516 pjpdd.exe 3592 jvpdv.exe 3308 lxrfrrf.exe 4928 nhhbnh.exe 4496 dddpd.exe 4456 rllxlfx.exe 4916 lflxlfr.exe 1512 hbthtn.exe 5108 jdvvp.exe 4384 frrlfxr.exe 5044 9flxfff.exe 3288 nttnbt.exe 4716 ppppj.exe 244 xrlfrrl.exe 2388 xxllfxr.exe 2000 7ttnnh.exe 3120 pjdpd.exe 4400 ppjdp.exe 1660 rlxrfxr.exe 3772 7tnbnh.exe 2972 7pjdp.exe 5104 vjjjj.exe -
resource yara_rule behavioral2/memory/1084-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3016-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4640-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-539-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfrfxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1084 wrote to memory of 1108 1084 ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5N.exe 83 PID 1084 wrote to memory of 1108 1084 ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5N.exe 83 PID 1084 wrote to memory of 1108 1084 ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5N.exe 83 PID 1108 wrote to memory of 1008 1108 9jvvp.exe 84 PID 1108 wrote to memory of 1008 1108 9jvvp.exe 84 PID 1108 wrote to memory of 1008 1108 9jvvp.exe 84 PID 1008 wrote to memory of 3052 1008 5rxxrrl.exe 85 PID 1008 wrote to memory of 3052 1008 5rxxrrl.exe 85 PID 1008 wrote to memory of 3052 1008 5rxxrrl.exe 85 PID 3052 wrote to memory of 4752 3052 djdvv.exe 86 PID 3052 wrote to memory of 4752 3052 djdvv.exe 86 PID 3052 wrote to memory of 4752 3052 djdvv.exe 86 PID 4752 wrote to memory of 3076 4752 jpjjv.exe 87 PID 4752 wrote to memory of 3076 4752 jpjjv.exe 87 PID 4752 wrote to memory of 3076 4752 jpjjv.exe 87 PID 3076 wrote to memory of 2064 3076 xrrrxxr.exe 88 PID 3076 wrote to memory of 2064 3076 xrrrxxr.exe 88 PID 3076 wrote to memory of 2064 3076 xrrrxxr.exe 88 PID 2064 wrote to memory of 4232 2064 nbbnbb.exe 89 PID 2064 wrote to memory of 4232 2064 nbbnbb.exe 89 PID 2064 wrote to memory of 4232 2064 nbbnbb.exe 89 PID 4232 wrote to memory of 3604 4232 hbhbtt.exe 90 PID 4232 wrote to memory of 3604 4232 hbhbtt.exe 90 PID 4232 wrote to memory of 3604 4232 hbhbtt.exe 90 PID 3604 wrote to memory of 3612 3604 rrxrlrr.exe 91 PID 3604 wrote to memory of 3612 3604 rrxrlrr.exe 91 PID 3604 wrote to memory of 3612 3604 rrxrlrr.exe 91 PID 3612 wrote to memory of 3876 3612 1btnhh.exe 92 PID 3612 wrote to memory of 3876 3612 1btnhh.exe 92 PID 3612 wrote to memory of 3876 3612 1btnhh.exe 92 PID 3876 wrote to memory of 2152 3876 lrlllll.exe 93 PID 3876 wrote to memory of 2152 3876 lrlllll.exe 93 PID 3876 wrote to memory of 2152 3876 lrlllll.exe 93 PID 2152 wrote to memory of 3488 2152 ppdvp.exe 94 PID 2152 wrote 
to memory of 3488 2152 ppdvp.exe 94 PID 2152 wrote to memory of 3488 2152 ppdvp.exe 94 PID 3488 wrote to memory of 952 3488 9fxxxlf.exe 95 PID 3488 wrote to memory of 952 3488 9fxxxlf.exe 95 PID 3488 wrote to memory of 952 3488 9fxxxlf.exe 95 PID 952 wrote to memory of 684 952 lxrlfxl.exe 96 PID 952 wrote to memory of 684 952 lxrlfxl.exe 96 PID 952 wrote to memory of 684 952 lxrlfxl.exe 96 PID 684 wrote to memory of 1728 684 ttthhb.exe 97 PID 684 wrote to memory of 1728 684 ttthhb.exe 97 PID 684 wrote to memory of 1728 684 ttthhb.exe 97 PID 1728 wrote to memory of 4240 1728 pvppp.exe 98 PID 1728 wrote to memory of 4240 1728 pvppp.exe 98 PID 1728 wrote to memory of 4240 1728 pvppp.exe 98 PID 4240 wrote to memory of 2292 4240 jjppj.exe 99 PID 4240 wrote to memory of 2292 4240 jjppj.exe 99 PID 4240 wrote to memory of 2292 4240 jjppj.exe 99 PID 2292 wrote to memory of 4596 2292 xxxrrff.exe 100 PID 2292 wrote to memory of 4596 2292 xxxrrff.exe 100 PID 2292 wrote to memory of 4596 2292 xxxrrff.exe 100 PID 4596 wrote to memory of 2244 4596 9hhhhb.exe 101 PID 4596 wrote to memory of 2244 4596 9hhhhb.exe 101 PID 4596 wrote to memory of 2244 4596 9hhhhb.exe 101 PID 2244 wrote to memory of 4100 2244 7rrxxfr.exe 102 PID 2244 wrote to memory of 4100 2244 7rrxxfr.exe 102 PID 2244 wrote to memory of 4100 2244 7rrxxfr.exe 102 PID 4100 wrote to memory of 3012 4100 btbbtt.exe 103 PID 4100 wrote to memory of 3012 4100 btbbtt.exe 103 PID 4100 wrote to memory of 3012 4100 btbbtt.exe 103 PID 3012 wrote to memory of 1308 3012 btttnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5N.exe"C:\Users\Admin\AppData\Local\Temp\ed2c7f64ab992a408410fd67fe23f2072ca25dec65a75ab6d0976171863ecfd5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\9jvvp.exec:\9jvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\5rxxrrl.exec:\5rxxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\djdvv.exec:\djdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\jpjjv.exec:\jpjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\xrrrxxr.exec:\xrrrxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\nbbnbb.exec:\nbbnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\hbhbtt.exec:\hbhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\rrxrlrr.exec:\rrxrlrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\1btnhh.exec:\1btnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\lrlllll.exec:\lrlllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\ppdvp.exec:\ppdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\9fxxxlf.exec:\9fxxxlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\lxrlfxl.exec:\lxrlfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\ttthhb.exec:\ttthhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\pvppp.exec:\pvppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\jjppj.exec:\jjppj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\xxxrrff.exec:\xxxrrff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\9hhhhb.exec:\9hhhhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\7rrxxfr.exec:\7rrxxfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\btbbtt.exec:\btbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\btttnn.exec:\btttnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\djvdj.exec:\djvdj.exe23⤵
- Executes dropped EXE
PID:1308 -
\??\c:\1flffff.exec:\1flffff.exe24⤵
- Executes dropped EXE
PID:3944 -
\??\c:\1rxrrrl.exec:\1rxrrrl.exe25⤵
- Executes dropped EXE
PID:1928 -
\??\c:\tthbtt.exec:\tthbtt.exe26⤵
- Executes dropped EXE
PID:1100 -
\??\c:\dpvvp.exec:\dpvvp.exe27⤵
- Executes dropped EXE
PID:1780 -
\??\c:\3pjdd.exec:\3pjdd.exe28⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xxffxfx.exec:\xxffxfx.exe29⤵
- Executes dropped EXE
PID:404 -
\??\c:\rrxxffl.exec:\rrxxffl.exe30⤵
- Executes dropped EXE
PID:2928 -
\??\c:\fffxffx.exec:\fffxffx.exe31⤵
- Executes dropped EXE
PID:2368 -
\??\c:\bnbbhh.exec:\bnbbhh.exe32⤵
- Executes dropped EXE
PID:1068 -
\??\c:\lrrxxxx.exec:\lrrxxxx.exe33⤵
- Executes dropped EXE
PID:392 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe34⤵
- Executes dropped EXE
PID:4468 -
\??\c:\hbhbbb.exec:\hbhbbb.exe35⤵
- Executes dropped EXE
PID:1160 -
\??\c:\ddjdd.exec:\ddjdd.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
\??\c:\xlffxxx.exec:\xlffxxx.exe37⤵
- Executes dropped EXE
PID:4636 -
\??\c:\pvddp.exec:\pvddp.exe38⤵
- Executes dropped EXE
PID:1628 -
\??\c:\vvvpj.exec:\vvvpj.exe39⤵
- Executes dropped EXE
PID:4892 -
\??\c:\rrffxxx.exec:\rrffxxx.exe40⤵
- Executes dropped EXE
PID:1456 -
\??\c:\5vppj.exec:\5vppj.exe41⤵
- Executes dropped EXE
PID:3800 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe42⤵
- Executes dropped EXE
PID:3504 -
\??\c:\btbtnn.exec:\btbtnn.exe43⤵
- Executes dropped EXE
PID:3588 -
\??\c:\pjpdd.exec:\pjpdd.exe44⤵
- Executes dropped EXE
PID:1516 -
\??\c:\jvpdv.exec:\jvpdv.exe45⤵
- Executes dropped EXE
PID:3592 -
\??\c:\lxrfrrf.exec:\lxrfrrf.exe46⤵
- Executes dropped EXE
PID:3308 -
\??\c:\nhhbnh.exec:\nhhbnh.exe47⤵
- Executes dropped EXE
PID:4928 -
\??\c:\dddpd.exec:\dddpd.exe48⤵
- Executes dropped EXE
PID:4496 -
\??\c:\rllxlfx.exec:\rllxlfx.exe49⤵
- Executes dropped EXE
PID:4456 -
\??\c:\lflxlfr.exec:\lflxlfr.exe50⤵
- Executes dropped EXE
PID:4916 -
\??\c:\hbthtn.exec:\hbthtn.exe51⤵
- Executes dropped EXE
PID:1512 -
\??\c:\jdvvp.exec:\jdvvp.exe52⤵
- Executes dropped EXE
PID:5108 -
\??\c:\frrlfxr.exec:\frrlfxr.exe53⤵
- Executes dropped EXE
PID:4384 -
\??\c:\9flxfff.exec:\9flxfff.exe54⤵
- Executes dropped EXE
PID:5044 -
\??\c:\nttnbt.exec:\nttnbt.exe55⤵
- Executes dropped EXE
PID:3288 -
\??\c:\ppppj.exec:\ppppj.exe56⤵
- Executes dropped EXE
PID:4716 -
\??\c:\xrlfrrl.exec:\xrlfrrl.exe57⤵
- Executes dropped EXE
PID:244 -
\??\c:\xxllfxr.exec:\xxllfxr.exe58⤵
- Executes dropped EXE
PID:2388 -
\??\c:\7ttnnh.exec:\7ttnnh.exe59⤵
- Executes dropped EXE
PID:2000 -
\??\c:\pjdpd.exec:\pjdpd.exe60⤵
- Executes dropped EXE
PID:3120 -
\??\c:\ppjdp.exec:\ppjdp.exe61⤵
- Executes dropped EXE
PID:4400 -
\??\c:\rlxrfxr.exec:\rlxrfxr.exe62⤵
- Executes dropped EXE
PID:1660 -
\??\c:\7tnbnh.exec:\7tnbnh.exe63⤵
- Executes dropped EXE
PID:3772 -
\??\c:\7pjdp.exec:\7pjdp.exe64⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vjjjj.exec:\vjjjj.exe65⤵
- Executes dropped EXE
PID:5104 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe66⤵PID:1316
-
\??\c:\bbthnb.exec:\bbthnb.exe67⤵PID:1420
-
\??\c:\3jvpp.exec:\3jvpp.exe68⤵PID:2672
-
\??\c:\lfxlxrf.exec:\lfxlxrf.exe69⤵PID:4640
-
\??\c:\xrrxxfx.exec:\xrrxxfx.exe70⤵PID:3936
-
\??\c:\7ppjj.exec:\7ppjj.exe71⤵PID:552
-
\??\c:\lxxrfxf.exec:\lxxrfxf.exe72⤵PID:2568
-
\??\c:\hhhhhh.exec:\hhhhhh.exe73⤵PID:1728
-
\??\c:\tbtnbt.exec:\tbtnbt.exe74⤵PID:464
-
\??\c:\vjpdv.exec:\vjpdv.exe75⤵PID:2108
-
\??\c:\7vjjd.exec:\7vjjd.exe76⤵PID:2264
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe77⤵PID:4432
-
\??\c:\nnnhbb.exec:\nnnhbb.exe78⤵PID:1020
-
\??\c:\jpjjd.exec:\jpjjd.exe79⤵PID:384
-
\??\c:\lrfxrlx.exec:\lrfxrlx.exe80⤵PID:3860
-
\??\c:\7ttbbb.exec:\7ttbbb.exe81⤵PID:1092
-
\??\c:\3bthbt.exec:\3bthbt.exe82⤵PID:1184
-
\??\c:\jjdpd.exec:\jjdpd.exe83⤵PID:3760
-
\??\c:\rxrrrrf.exec:\rxrrrrf.exe84⤵PID:4732
-
\??\c:\hbtnhb.exec:\hbtnhb.exe85⤵PID:3500
-
\??\c:\hhbttt.exec:\hhbttt.exe86⤵PID:3320
-
\??\c:\vjpdd.exec:\vjpdd.exe87⤵PID:3940
-
\??\c:\rffxlfr.exec:\rffxlfr.exe88⤵PID:4200
-
\??\c:\xfxrlfl.exec:\xfxrlfl.exe89⤵PID:4036
-
\??\c:\btthbt.exec:\btthbt.exe90⤵PID:4624
-
\??\c:\pjjdv.exec:\pjjdv.exe91⤵PID:904
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe92⤵PID:3632
-
\??\c:\xxfxxxr.exec:\xxfxxxr.exe93⤵PID:4488
-
\??\c:\nnbthb.exec:\nnbthb.exe94⤵PID:4296
-
\??\c:\vdvjd.exec:\vdvjd.exe95⤵PID:4268
-
\??\c:\rrrlrll.exec:\rrrlrll.exe96⤵PID:1656
-
\??\c:\7lrrlrf.exec:\7lrrlrf.exe97⤵PID:2032
-
\??\c:\dpvpd.exec:\dpvpd.exe98⤵PID:2468
-
\??\c:\3pjvp.exec:\3pjvp.exe99⤵PID:368
-
\??\c:\5flxfrx.exec:\5flxfrx.exe100⤵PID:3176
-
\??\c:\tnnhtn.exec:\tnnhtn.exe101⤵PID:3244
-
\??\c:\ppvpd.exec:\ppvpd.exe102⤵PID:4892
-
\??\c:\djjdp.exec:\djjdp.exe103⤵PID:432
-
\??\c:\xxfffxf.exec:\xxfffxf.exe104⤵PID:2820
-
\??\c:\9nttbt.exec:\9nttbt.exe105⤵PID:2692
-
\??\c:\pjpjd.exec:\pjpjd.exe106⤵PID:3628
-
\??\c:\9xrlllf.exec:\9xrlllf.exe107⤵PID:3748
-
\??\c:\tnttnn.exec:\tnttnn.exe108⤵PID:1180
-
\??\c:\dvjdp.exec:\dvjdp.exe109⤵PID:4492
-
\??\c:\pjpvp.exec:\pjpvp.exe110⤵PID:2536
-
\??\c:\fxrlffx.exec:\fxrlffx.exe111⤵PID:1000
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe112⤵PID:2764
-
\??\c:\ttnhtn.exec:\ttnhtn.exe113⤵PID:4420
-
\??\c:\dddvv.exec:\dddvv.exe114⤵PID:1644
-
\??\c:\jpvpd.exec:\jpvpd.exe115⤵PID:5088
-
\??\c:\xrrrllf.exec:\xrrrllf.exe116⤵PID:5012
-
\??\c:\bbtntn.exec:\bbtntn.exe117⤵PID:3280
-
\??\c:\vpppj.exec:\vpppj.exe118⤵PID:5044
-
\??\c:\xrxxrfx.exec:\xrxxrfx.exe119⤵PID:224
-
\??\c:\xfffffr.exec:\xfffffr.exe120⤵PID:5064
-
\??\c:\ttbbhb.exec:\ttbbhb.exe121⤵PID:4796
-
\??\c:\3jjvv.exec:\3jjvv.exe122⤵PID:2388
-