Site notice (tria.ge): Windows 7 deprecation. Windows 7 analysis environments will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 120s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2024, 16:43
Behavioral task
- behavioral1
- Sample: 9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe
- Resource: win7-20241010-en
- 7 signatures
- 120 seconds
General
- Target: 9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe
- Size: 130KB
- MD5: e4af08a9a62ca02d025365c1da35ad20
- SHA1: 31c7ec90fa011ee884bf32889b60d9814f3fa01f
- SHA256: 9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498b
- SHA512: 7c2b5da67f65ec44f6546c36fabd6e6400626772958a1d1213cbd57c04b9831055b1d906d8eacfaed91eddda74863730e44733466f9374b92417ba974e6ac1fe
- SSDEEP: 3072:0hOmTsF93UYfwC6GIoutX8Kikz9qI+fPl/f:0cm4FmowdHoSH5L+Zf
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
  yara rule: family_blackmoon. Every hit is a memory dump (resource name behavioral2/memory/<pid>-<n>-<start>-<end>-memory.dmp) and every one of them covers the same mapped range 0x0000000000400000-0x0000000000427000, i.e. the same 0x27000-byte image in each process. Hits as <pid>-<n>, in report order:
  4876-6, 4692-11, 5100-17, 3408-23, 1176-29, 3280-35, 4920-41, 1120-46, 1696-53, 968-58, 3440-67, 1296-66, 4064-78, 4800-82, 1304-90, 4420-100, 1752-112, 2248-114, 4176-138, 4612-145, 2960-150,
  3512-156, 1100-161, 3144-175, 3144-171, 892-168, 5008-180, 2612-187, 4568-190, 4700-196, 2544-200, 1044-218, 4528-228, 3580-235, 8-241, 1380-251, 3280-255, 976-262, 1412-266, 3504-273, 376-277, 1144-281,
  4436-291, 632-297, 4204-307, 2236-329, 988-333, 1400-337, 3044-362, 4108-372, 4196-391, 3140-398, 2092-402, 5024-415, 2244-419, 1552-426, 3376-439, 3472-447, 2884-463, 868-479, 4512-582, 4388-613, 988-738,
  3352-1013
- Executes dropped EXE (64 IoCs)
  pid process, in report order:
  4692 xxxlxrr.exe, 5100 hnnhnh.exe, 3408 dvpjd.exe, 1176 lrrfxlf.exe, 3280 tntnhb.exe, 4920 pjjpj.exe, 1120 rxxrffr.exe, 1696 dpvvj.exe,
  968 xrllxxr.exe, 1296 hntnnh.exe, 3440 pjppd.exe, 4064 vdpdv.exe, 4800 9nhhnn.exe, 1304 vjvpp.exe, 4080 ffrlfrl.exe, 4420 1ntntb.exe,
  2892 jddvj.exe, 2248 xllxlfr.exe, 1752 7ttnhb.exe, 4088 dvdpp.exe, 1324 fflfrlf.exe, 2344 bnnhbb.exe, 4176 tbbthb.exe, 4612 1ppjd.exe,
  2960 jpjjd.exe, 3512 rffxrxr.exe, 1100 hbtbnh.exe, 892 fllfxxr.exe, 3144 bnhthb.exe, 5008 jvvpd.exe, 2612 5bnhtn.exe, 4568 7dpdp.exe,
  4700 rxxlxrf.exe, 2544 1ppjj.exe, 3712 lfxlxrr.exe, 4288 nnhbnn.exe, 4068 pjdpj.exe, 2112 pdjdp.exe, 2296 fxfxxxx.exe, 1044 bhhbhb.exe,
  208 vppdv.exe, 1936 lxfrxrr.exe, 4528 3hnbth.exe, 4876 nnhtnh.exe, 3580 dvdvv.exe, 4340 rrfrrll.exe, 8 lffrflx.exe, 5060 bnthhh.exe,
  4464 dvvpj.exe, 1380 rlffxrr.exe, 3280 rffxrrl.exe, 4372 tbbtnt.exe, 976 dvjvv.exe, 1412 vddjd.exe, 1972 rlrlffx.exe, 3504 hhbntb.exe,
  376 tthhtn.exe, 1144 5pjvv.exe, 2056 llxlxfx.exe, 4064 3bnhtt.exe, 4436 jvdvd.exe, 4492 9vdvd.exe, 632 rxlfxrf.exe, 1360 bnhtnt.exe
  Note that PIDs are reused within the run (4876, 3280 and 4064 each appear twice in this list, and 4876 is also the submitted sample), so events from this report must be keyed on PID plus start time, not PID alone.
- UPX-packed (yara rule upx, 64 IoCs)
  32 memory dumps (behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000427000-memory.dmp), as <pid>-<n>:
  4876-0, 4876-6, 4692-11, 3408-18, 5100-17, 3408-23, 1176-29, 3280-35, 4920-41, 1120-46, 1696-53, 968-58, 3440-67, 4064-72, 1296-66, 4064-78,
  4800-82, 1304-90, 4420-100, 1752-112, 2248-114, 4176-138, 4612-145, 2960-150, 3512-156, 1100-161, 3144-175, 3144-171, 892-168, 5008-180, 2612-187, 4568-190
  32 dropped files (behavioral2/files/<id>-<n>.dat), as <id>-<n>:
  0x000c000000023b27-3, 0x000b000000023b7a-9, 0x000a000000023b7f-13, 0x000a000000023b80-21, 0x000a000000023b81-27, 0x000a000000023b82-33,
  0x000a000000023b83-39, 0x000a000000023b84-45, 0x000a000000023b85-50, 0x000a000000023b86-56, 0x000a000000023b87-62, 0x000a000000023b88-69,
  0x000a000000023b89-75, 0x000a000000023b8a-83, 0x000a000000023b8b-87, 0x000a000000023b8c-93, 0x000a000000023b8e-98, 0x000a000000023b8f-104,
  0x000a000000023b90-109, 0x000a000000023b91-117, 0x000b000000023b7b-121, 0x000a000000023b92-127, 0x000a000000023b93-132, 0x000a000000023b94-136,
  0x000a000000023b95-142, 0x000a000000023b96-151, 0x000a000000023b97-154, 0x000a000000023b98-162, 0x000a000000023b99-166, 0x000b000000023b9a-176,
  0x000b000000023b9b-181, 0x000b000000023b9c-188
  Both the on-disk drops and the in-memory images of the stages match the UPX rule, so the dropped stages are still packed when written and are unpacked in place at the same 0x400000 base that the Blackmoon rule later matches.
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of the victim in order to infer the geographical location of that host.
  All 64 entries are the same event: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The entries attributed to a named process, in report order: vddvp.exe, ppvpp.exe, lxlxxrl.exe, tnnbnn.exe, 9htnhh.exe, 7dpdp.exe, hbhbtn.exe, 5hbtnn.exe, frfxrlf.exe, ddjjd.exe, btnhbt.exe, dpvpj.exe, xfrlfxx.exe, 9ddvd.exe, hnnhbt.exe, rxlxlfr.exe, jddpj.exe, hnhhbt.exe. The remaining entries are attributed to "Process not Found", meaning the sandbox could not tie that registry open to a process it was tracking; the key is still the same, so treat those as further hits from the same chain rather than as noise.
- Suspicious use of WriteProcessMemory (64 IoCs)
  The report logs each parent/child pair three times (three writes into the fresh child before it runs). Collapsed to one line per pair: parent PID, parent image -> child PID (procid_target), in report order:
  4876 9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe -> 4692 (82)
  4692 xxxlxrr.exe -> 5100 (83)
  5100 hnnhnh.exe -> 3408 (84)
  3408 dvpjd.exe -> 1176 (85)
  1176 lrrfxlf.exe -> 3280 (86)
  3280 tntnhb.exe -> 4920 (87)
  4920 pjjpj.exe -> 1120 (88)
  1120 rxxrffr.exe -> 1696 (89)
  1696 dpvvj.exe -> 968 (90)
  968 xrllxxr.exe -> 1296 (91)
  1296 hntnnh.exe -> 3440 (92)
  3440 pjppd.exe -> 4064 (93)
  4064 vdpdv.exe -> 4800 (94)
  4800 9nhhnn.exe -> 1304 (95)
  1304 vjvpp.exe -> 4080 (96)
  4080 ffrlfrl.exe -> 4420 (97)
  4420 1ntntb.exe -> 2892 (98)
  2892 jddvj.exe -> 2248 (99)
  2248 xllxlfr.exe -> 1752 (100)
  1752 7ttnhb.exe -> 4088 (101)
  4088 dvdpp.exe -> 1324 (102)
  1324 fflfrlf.exe -> 2344 (103)
  The signature list is cut at 64 entries, so the last pair (1324 -> 2344) appears only once; the chain itself continues, as the process tree below shows. Every parent writes only into its direct child, so this is the standard create-suspended/write/resume start-up of each stage rather than injection into an unrelated process.
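The three tables above (the WriteProcessMemory events, the "Executes dropped EXE" pid/name list and the Blackmoon memory hits) are easier to reason about once they are cross-referenced: the events collapse to a parent -> child chain, each child should be one of the dropped executables, and every memory hit should sit at the same image base. The script below does that for a subset of the lines copied from this report. It is an added example written for this page, not Triage's code or anything from the sample; the `GENERATED_ALPHABET` heuristic is simply the set of characters seen in the dropped names on this page, not a documented Blackmoon property.

```python
import re
from collections import OrderedDict

# Constructed sample input: the first four parent/child pairs of the
# "Suspicious use of WriteProcessMemory" table, copied from this report
# (each pair is logged three times there).
WPM_EVENTS = """
PID 4876 wrote to memory of 4692 4876 9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe 82
PID 4876 wrote to memory of 4692 4876 9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe 82
PID 4876 wrote to memory of 4692 4876 9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe 82
PID 4692 wrote to memory of 5100 4692 xxxlxrr.exe 83
PID 4692 wrote to memory of 5100 4692 xxxlxrr.exe 83
PID 4692 wrote to memory of 5100 4692 xxxlxrr.exe 83
PID 5100 wrote to memory of 3408 5100 hnnhnh.exe 84
PID 5100 wrote to memory of 3408 5100 hnnhnh.exe 84
PID 5100 wrote to memory of 3408 5100 hnnhnh.exe 84
PID 3408 wrote to memory of 1176 3408 dvpjd.exe 85
PID 3408 wrote to memory of 1176 3408 dvpjd.exe 85
PID 3408 wrote to memory of 1176 3408 dvpjd.exe 85
"""

# Constructed subset of the "Executes dropped EXE" pid/process list.
DROPPED_EXE = "4692 xxxlxrr.exe 5100 hnnhnh.exe 3408 dvpjd.exe 1176 lrrfxlf.exe"

# Constructed subset of the "Detect Blackmoon payload" yara hits.
MEMORY_HITS = (
    "behavioral2/memory/4876-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon "
    "behavioral2/memory/4692-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon "
    "behavioral2/memory/5100-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon "
    "behavioral2/memory/3408-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon "
    "behavioral2/memory/1176-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon"
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
DROP_RE = re.compile(r"(\d+) (\S+?\.exe)")
MEM_RE = re.compile(r"behavioral2/memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\w+)")

# Heuristic: characters used by every dropped file name in this report (assumption, not a spec).
GENERATED_ALPHABET = set("xlrhntbdvpjf0123456789")


def parse_wpm_events(text):
    """One (parent_pid, child_pid, parent_image) tuple per WriteProcessMemory line."""
    return [(int(p), int(c), img) for p, c, img, _ in WPM_RE.findall(text)]


def unique_edges(events):
    """Collapse the repeated writes into a single edge per (parent, child), keeping report order."""
    seen = OrderedDict()
    for parent, child, image in events:
        seen.setdefault((parent, child), image)
    return [(p, c, img) for (p, c), img in seen.items()]


def build_chain(edges, root):
    """Follow parent->child edges from root; stop at a fork, a dead end or a repeated PID."""
    children = {}
    for parent, child, _ in edges:
        children.setdefault(parent, []).append(child)
    chain = [root]
    while len(children.get(chain[-1], [])) == 1:
        nxt = children[chain[-1]][0]
        if nxt in chain:  # PID reuse would otherwise loop forever
            break
        chain.append(nxt)
    return chain


def parse_dropped(text):
    """Map pid -> dropped executable name from the 'Executes dropped EXE' table."""
    return {int(pid): name for pid, name in DROP_RE.findall(text)}


def parse_memory_hits(text):
    """(pid, start, end, rule) per yara memory hit."""
    return [(int(pid), int(s, 16), int(e, 16), rule) for pid, s, e, rule in MEM_RE.findall(text)]


def looks_generated(name):
    """Short name drawn only from the alphabet seen in this report's drops."""
    stem = name[:-4] if name.lower().endswith(".exe") else name
    return 3 <= len(stem) <= 8 and set(stem) <= GENERATED_ALPHABET


def summarize(root_pid, wpm_text=WPM_EVENTS, dropped_text=DROPPED_EXE, mem_text=MEMORY_HITS):
    """Cross-reference the three tables and return the facts an analyst wants to check."""
    events = parse_wpm_events(wpm_text)
    edges = unique_edges(events)
    chain = build_chain(edges, root_pid)
    dropped = parse_dropped(dropped_text)
    hits = parse_memory_hits(mem_text)
    ranges = {(s, e) for _, s, e, _ in hits}
    single = len(ranges) == 1
    return {
        "events": len(events),
        "edges": len(edges),
        "chain": chain,
        "children_are_dropped": all(pid in dropped for pid in chain[1:]),
        "generated_names": all(looks_generated(n) for n in dropped.values()),
        "single_image_range": single,
        "image_size": (next(iter(ranges))[1] - next(iter(ranges))[0]) if single else None,
        "hit_pids_cover_chain": {pid for pid, *_ in hits} >= set(chain),
    }


if __name__ == "__main__":
    for key, value in summarize(4876).items():
        print(f"{key}: {value}")
```

Run against the full tables the same way: paste the whole event list into `WPM_EVENTS`; `build_chain` then stops on its own where the report's PID reuse (4876, 3280, 4064) would otherwise make the chain loop, which is exactly the point at which PID-only correlation stops being trustworthy.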
Processes
The tree is a single linear chain: every process is the only child of the one above it. Depth 1 is the submitted sample; every later stage is a dropped file started as c:\<name>.exe (image path \??\c:\<name>.exe). Columns: depth, image, PID, signatures that fired for that process. Signature lists are cut at 64 entries, which is why "Executes dropped EXE" stops being shown from depth 66 on even though the chain continues.
1  C:\Users\Admin\AppData\Local\Temp\9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe (started as "C:\Users\Admin\AppData\Local\Temp\9aea6b8cfdb629d27b7b4dcab3cf5e81eafb5aac2be8d49df2886775f9fd498bN.exe")  PID 4876  Suspicious use of WriteProcessMemory
2  \??\c:\xxxlxrr.exe  PID 4692  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\hnnhnh.exe  PID 5100  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\dvpjd.exe  PID 3408  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\lrrfxlf.exe  PID 1176  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\tntnhb.exe  PID 3280  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\pjjpj.exe  PID 4920  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\rxxrffr.exe  PID 1120  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\dpvvj.exe  PID 1696  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\xrllxxr.exe  PID 968  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\hntnnh.exe  PID 1296  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\pjppd.exe  PID 3440  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\vdpdv.exe  PID 4064  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\9nhhnn.exe  PID 4800  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\vjvpp.exe  PID 1304  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\ffrlfrl.exe  PID 4080  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\1ntntb.exe  PID 4420  Executes dropped EXE; Suspicious use of WriteProcessMemory
18  \??\c:\jddvj.exe  PID 2892  Executes dropped EXE; Suspicious use of WriteProcessMemory
19  \??\c:\xllxlfr.exe  PID 2248  Executes dropped EXE; Suspicious use of WriteProcessMemory
20  \??\c:\7ttnhb.exe  PID 1752  Executes dropped EXE; Suspicious use of WriteProcessMemory
21  \??\c:\dvdpp.exe  PID 4088  Executes dropped EXE; Suspicious use of WriteProcessMemory
22  \??\c:\fflfrlf.exe  PID 1324  Executes dropped EXE; Suspicious use of WriteProcessMemory
23  \??\c:\bnnhbb.exe  PID 2344  Executes dropped EXE
24  \??\c:\tbbthb.exe  PID 4176  Executes dropped EXE
25  \??\c:\1ppjd.exe  PID 4612  Executes dropped EXE
26  \??\c:\jpjjd.exe  PID 2960  Executes dropped EXE
27  \??\c:\rffxrxr.exe  PID 3512  Executes dropped EXE
28  \??\c:\hbtbnh.exe  PID 1100  Executes dropped EXE
29  \??\c:\fllfxxr.exe  PID 892  Executes dropped EXE
30  \??\c:\bnhthb.exe  PID 3144  Executes dropped EXE
31  \??\c:\jvvpd.exe  PID 5008  Executes dropped EXE
32  \??\c:\5bnhtn.exe  PID 2612  Executes dropped EXE
33  \??\c:\7dpdp.exe  PID 4568  Executes dropped EXE; System Location Discovery: System Language Discovery
34  \??\c:\rxxlxrf.exe  PID 4700  Executes dropped EXE
35  \??\c:\1ppjj.exe  PID 2544  Executes dropped EXE
36  \??\c:\lfxlxrr.exe  PID 3712  Executes dropped EXE
37  \??\c:\nnhbnn.exe  PID 4288  Executes dropped EXE
38  \??\c:\pjdpj.exe  PID 4068  Executes dropped EXE
39  \??\c:\pdjdp.exe  PID 2112  Executes dropped EXE
40  \??\c:\fxfxxxx.exe  PID 2296  Executes dropped EXE
41  \??\c:\bhhbhb.exe  PID 1044  Executes dropped EXE
42  \??\c:\vppdv.exe  PID 208  Executes dropped EXE
43  \??\c:\lxfrxrr.exe  PID 1936  Executes dropped EXE
44  \??\c:\3hnbth.exe  PID 4528  Executes dropped EXE
45  \??\c:\nnhtnh.exe  PID 4876  Executes dropped EXE
46  \??\c:\dvdvv.exe  PID 3580  Executes dropped EXE
47  \??\c:\rrfrrll.exe  PID 4340  Executes dropped EXE
48  \??\c:\lffrflx.exe  PID 8  Executes dropped EXE
49  \??\c:\bnthhh.exe  PID 5060  Executes dropped EXE
50  \??\c:\dvvpj.exe  PID 4464  Executes dropped EXE
51  \??\c:\rlffxrr.exe  PID 1380  Executes dropped EXE
52  \??\c:\rffxrrl.exe  PID 3280  Executes dropped EXE
53  \??\c:\tbbtnt.exe  PID 4372  Executes dropped EXE
54  \??\c:\dvjvv.exe  PID 976  Executes dropped EXE
55  \??\c:\vddjd.exe  PID 1412  Executes dropped EXE
56  \??\c:\rlrlffx.exe  PID 1972  Executes dropped EXE
57  \??\c:\hhbntb.exe  PID 3504  Executes dropped EXE
58  \??\c:\tthhtn.exe  PID 376  Executes dropped EXE
59  \??\c:\5pjvv.exe  PID 1144  Executes dropped EXE
60  \??\c:\llxlxfx.exe  PID 2056  Executes dropped EXE
61  \??\c:\3bnhtt.exe  PID 4064  Executes dropped EXE
62  \??\c:\jvdvd.exe  PID 4436  Executes dropped EXE
63  \??\c:\9vdvd.exe  PID 4492  Executes dropped EXE
64  \??\c:\rxlfxrf.exe  PID 632  Executes dropped EXE
65  \??\c:\bnhtnt.exe  PID 1360  Executes dropped EXE
66  \??\c:\3jdvj.exe  PID 4188
67  \??\c:\pvpjv.exe  PID 4204
68  \??\c:\fffxrrf.exe  PID 4500
69  \??\c:\7xrlxfl.exe  PID 4544
70  \??\c:\htbbnh.exe  PID 2256
71  \??\c:\bhnbtt.exe  PID 4468
72  \??\c:\djdpj.exe  PID 4128
73  \??\c:\xfffxfr.exe  PID 1368
74  \??\c:\fxlfrlf.exe  PID 2236
75  \??\c:\tnnhbt.exe  PID 988
76  \??\c:\bhhthb.exe  PID 1400
77  \??\c:\dvvpd.exe  PID 4472
78  \??\c:\rffxffr.exe  PID 1588
79  \??\c:\3nnhth.exe  PID 3404
80  \??\c:\3bhtnb.exe  PID 1992
81  \??\c:\9vjdv.exe  PID 5004
82  \??\c:\jpvjv.exe  PID 1404
83  \??\c:\7rrlxxl.exe  PID 3160
84  \??\c:\7nnbnh.exe  PID 3044
85  \??\c:\ppjdd.exe  PID 4840
86  \??\c:\fxxrlrl.exe  PID 724
87  \??\c:\ntthtn.exe  PID 4108
88  \??\c:\hbhbnn.exe  PID 4888
89  \??\c:\dvvpd.exe  PID 3736
90  \??\c:\7rxrxxl.exe  PID 4796
91  \??\c:\fffxrrf.exe  PID 2340
92  \??\c:\nhnhbb.exe  PID 556
93  \??\c:\vvjvp.exe  PID 4196
94  \??\c:\pdjjj.exe  PID 4656
95  \??\c:\llrfrrl.exe  PID 3140
96  \??\c:\tbhbnn.exe  PID 2092
97  \??\c:\3ddpj.exe  PID 3684
98  \??\c:\rxrxxrr.exe  PID 4404
99  \??\c:\xlfxlfr.exe  PID 4520
100  \??\c:\nhhhbt.exe  PID 5024
101  \??\c:\3jvjv.exe  PID 2244
102  \??\c:\vddvp.exe  PID 3260  System Location Discovery: System Language Discovery
103  \??\c:\rrxlfxl.exe  PID 1552
104  \??\c:\3nhhbt.exe  PID 4344
105  \??\c:\bnnbnn.exe  PID 3312
106  \??\c:\vvdvp.exe  PID 3944
107  \??\c:\lffrlfr.exe  PID 3376
108  \??\c:\rlfxlfx.exe  PID 3028
109  \??\c:\nbbbtt.exe  PID 3472
110  \??\c:\7jdvj.exe  PID 1216
111  \??\c:\ffxrllx.exe  PID 976
112  \??\c:\rllffxf.exe  PID 1860
113  \??\c:\tnthhb.exe  PID 1624
114  \??\c:\5bhtnh.exe  PID 2884
115  \??\c:\pjppp.exe  PID 1128
116  \??\c:\lxxlxrl.exe  PID 3440
117  \??\c:\lffxllf.exe  PID 1612
118  \??\c:\thttnb.exe  PID 1488
119  \??\c:\htbthh.exe  PID 868
120  \??\c:\pdpdd.exe  PID 3316
121  \??\c:\fxrllfx.exe  PID 2568
122  \??\c:\llrlxrr.exe  PID 3516
The listing ends at depth 122; the chain is deeper than that (several of the processes named under System Language Discovery, e.g. ppvpp.exe and hbhbtn.exe, do not appear in the tree as shown). Note also that the same file name recurs (dvvpd.exe at depths 77 and 89, fffxrrf.exe at 68 and 91), so the drop names are not unique per run and are no use as indicators on their own; the c:\ root drop location and the one-child-per-stage chain are the stable features.