Analysis
-
max time kernel
120s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
26/07/2024, 07:30 UTC
Behavioral task
behavioral1
Sample
a08d8bea53938e523b77ba5ee9f00be0N.exe
Resource
win7-20240705-en
6 signatures
120 seconds
General
-
Target
a08d8bea53938e523b77ba5ee9f00be0N.exe
-
Size
81KB
-
MD5
a08d8bea53938e523b77ba5ee9f00be0
-
SHA1
edb2209c4287f4e1ea6f5545e6c510f1fa25e57c
-
SHA256
b88c7d0e93dddcef3c62c8fdc646e868cd9446f0d57237d988b3ca74795bb582
-
SHA512
bf531cd7ecf455efec734ac252bd26b6c2389174cde9c296b12d6654ca1432ff2fd89a179d9979ba229cc25e8bf163fd7b809680000ec2e721c8f6be48cbab0b
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADUOjgRpnzQr:9hOmTsF93UYfwC6GIoutyaVszyKd+XY+
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3456-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-489-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-570-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-594-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-667-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4004-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2028-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3040-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-830-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-952-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-910-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-1058-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-1075-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1052-1144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4488-1148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 452 tthntt.exe 5104 bthhbb.exe 1428 5ddjp.exe 4184 7lxxlff.exe 2720 lfrlffx.exe 2744 thttnh.exe 3456 pppvv.exe 1600 lfffxxx.exe 3040 tnnhbb.exe 4152 jdvpp.exe 3104 3flfxxl.exe 464 nbtbbt.exe 2496 btbbbt.exe 3936 jjjdv.exe 3128 xrrllxx.exe 3336 xxllflf.exe 2028 hhbnnt.exe 1400 vvvpp.exe 4580 xxlllfl.exe 4252 rfffxff.exe 1584 tnttbh.exe 368 dppjj.exe 4908 vpjpp.exe 1340 rlrrrrl.exe 3300 thbntt.exe 3664 tttttt.exe 3112 pjppp.exe 2400 ffffxxx.exe 3360 lflfflf.exe 2964 nnnnbh.exe 2252 hbtttt.exe 4432 pdddd.exe 2460 flfxllf.exe 2288 hhnnnn.exe 4820 nhhttb.exe 3256 dvdvp.exe 3148 rxxxllf.exe 4440 lrxrrrr.exe 5092 ntbbbb.exe 3580 hhbnht.exe 2836 jvddp.exe 2020 fxlfrrr.exe 3468 lxlxlrf.exe 4060 bnnnhh.exe 4744 vdvdp.exe 2220 pjdvj.exe 1424 xlxxflf.exe 3456 xxrllrr.exe 1608 tbbbbb.exe 744 vpjjj.exe 1772 vvddj.exe 3184 pvdjp.exe 4492 llfxxxx.exe 4412 nbtnhh.exe 2480 hhtbtt.exe 2212 ntntnn.exe 1868 jddvv.exe 4924 pjjdv.exe 3996 xrrlxxx.exe 784 xxlrfxf.exe 2800 tbbbhn.exe 4332 5nttnn.exe 2208 ppvvp.exe 876 vjvvp.exe -
resource yara_rule behavioral2/memory/3908-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023495-6.dat upx behavioral2/files/0x000700000002349e-19.dat upx behavioral2/files/0x000700000002349f-25.dat upx behavioral2/files/0x00070000000234a0-31.dat upx behavioral2/files/0x00070000000234a1-34.dat upx behavioral2/files/0x00070000000234a3-41.dat upx behavioral2/memory/3456-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a5-54.dat upx behavioral2/memory/4152-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a7-66.dat upx behavioral2/files/0x00070000000234ab-87.dat upx behavioral2/files/0x00070000000234ac-94.dat upx behavioral2/files/0x00070000000234ae-105.dat upx behavioral2/files/0x00070000000234af-109.dat upx behavioral2/files/0x00070000000234b0-117.dat upx behavioral2/memory/1584-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1340-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234b8-162.dat upx behavioral2/memory/3256-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3580-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2836-222-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3996-286-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2800-293-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2236-310-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1820-436-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4256-440-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3856-465-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2300-489-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1616-541-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1200-560-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/636-570-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3048-617-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4440-641-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3516-634-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3340-627-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3560-607-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2400-594-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1496-575-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4248-571-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3956-479-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/812-478-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3820-459-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2852-454-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2208-447-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2936-411-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2936-407-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5024-400-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5024-396-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4624-392-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2320-385-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5092-369-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4464-362-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2220-667-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4852-340-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/60-327-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4004-314-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/876-300-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1868-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2480-270-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4412-266-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-259-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3456-246-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4744-239-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3908 wrote to memory of 452 3908 a08d8bea53938e523b77ba5ee9f00be0N.exe 84 PID 3908 wrote to memory of 452 3908 a08d8bea53938e523b77ba5ee9f00be0N.exe 84 PID 3908 wrote to memory of 452 3908 a08d8bea53938e523b77ba5ee9f00be0N.exe 84 PID 452 wrote to memory of 5104 452 tthntt.exe 85 PID 452 wrote to memory of 5104 452 tthntt.exe 85 PID 452 wrote to memory of 5104 452 tthntt.exe 85 PID 5104 wrote to memory of 1428 5104 bthhbb.exe 86 PID 5104 wrote to memory of 1428 5104 bthhbb.exe 86 PID 5104 wrote to memory of 1428 5104 bthhbb.exe 86 PID 1428 wrote to memory of 4184 1428 5ddjp.exe 87 PID 1428 wrote to memory of 4184 1428 5ddjp.exe 87 PID 1428 wrote to memory of 4184 1428 5ddjp.exe 87 PID 4184 wrote to memory of 2720 4184 7lxxlff.exe 88 PID 4184 wrote to memory of 2720 4184 7lxxlff.exe 88 PID 4184 wrote to memory of 2720 4184 7lxxlff.exe 88 PID 2720 wrote to memory of 2744 2720 lfrlffx.exe 89 PID 2720 wrote to memory of 2744 2720 lfrlffx.exe 89 PID 2720 wrote to memory of 2744 2720 lfrlffx.exe 89 PID 2744 wrote to memory of 3456 2744 thttnh.exe 90 PID 2744 wrote to memory of 3456 2744 thttnh.exe 90 PID 2744 wrote to memory of 3456 2744 thttnh.exe 90 PID 3456 wrote to memory of 1600 3456 pppvv.exe 91 PID 3456 wrote to memory of 1600 3456 pppvv.exe 91 PID 3456 wrote to memory of 1600 3456 pppvv.exe 91 PID 1600 wrote to memory of 3040 1600 lfffxxx.exe 93 PID 1600 wrote to memory of 3040 1600 lfffxxx.exe 93 PID 1600 wrote to memory of 3040 1600 lfffxxx.exe 93 PID 3040 wrote to memory of 4152 3040 tnnhbb.exe 94 PID 3040 wrote to memory of 4152 3040 tnnhbb.exe 94 PID 3040 wrote to memory of 4152 3040 tnnhbb.exe 94 PID 4152 wrote to memory of 3104 4152 jdvpp.exe 95 PID 4152 wrote to memory of 3104 4152 jdvpp.exe 95 PID 4152 wrote to memory of 3104 4152 jdvpp.exe 95 PID 3104 wrote to memory of 464 3104 3flfxxl.exe 96 PID 3104 wrote to memory of 464 3104 3flfxxl.exe 96 PID 3104 wrote to memory of 464 3104 3flfxxl.exe 96 PID 464 wrote to 
memory of 2496 464 nbtbbt.exe 97 PID 464 wrote to memory of 2496 464 nbtbbt.exe 97 PID 464 wrote to memory of 2496 464 nbtbbt.exe 97 PID 2496 wrote to memory of 3936 2496 btbbbt.exe 98 PID 2496 wrote to memory of 3936 2496 btbbbt.exe 98 PID 2496 wrote to memory of 3936 2496 btbbbt.exe 98 PID 3936 wrote to memory of 3128 3936 jjjdv.exe 99 PID 3936 wrote to memory of 3128 3936 jjjdv.exe 99 PID 3936 wrote to memory of 3128 3936 jjjdv.exe 99 PID 3128 wrote to memory of 3336 3128 xrrllxx.exe 100 PID 3128 wrote to memory of 3336 3128 xrrllxx.exe 100 PID 3128 wrote to memory of 3336 3128 xrrllxx.exe 100 PID 3336 wrote to memory of 2028 3336 xxllflf.exe 101 PID 3336 wrote to memory of 2028 3336 xxllflf.exe 101 PID 3336 wrote to memory of 2028 3336 xxllflf.exe 101 PID 2028 wrote to memory of 1400 2028 hhbnnt.exe 102 PID 2028 wrote to memory of 1400 2028 hhbnnt.exe 102 PID 2028 wrote to memory of 1400 2028 hhbnnt.exe 102 PID 1400 wrote to memory of 4580 1400 vvvpp.exe 103 PID 1400 wrote to memory of 4580 1400 vvvpp.exe 103 PID 1400 wrote to memory of 4580 1400 vvvpp.exe 103 PID 4580 wrote to memory of 4252 4580 xxlllfl.exe 105 PID 4580 wrote to memory of 4252 4580 xxlllfl.exe 105 PID 4580 wrote to memory of 4252 4580 xxlllfl.exe 105 PID 4252 wrote to memory of 1584 4252 rfffxff.exe 106 PID 4252 wrote to memory of 1584 4252 rfffxff.exe 106 PID 4252 wrote to memory of 1584 4252 rfffxff.exe 106 PID 1584 wrote to memory of 368 1584 tnttbh.exe 280
Processes
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵PID:620
-
C:\Users\Admin\AppData\Local\Temp\a08d8bea53938e523b77ba5ee9f00be0N.exe"C:\Users\Admin\AppData\Local\Temp\a08d8bea53938e523b77ba5ee9f00be0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\tthntt.exec:\tthntt.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\bthhbb.exec:\bthhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\5ddjp.exec:\5ddjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\7lxxlff.exec:\7lxxlff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\lfrlffx.exec:\lfrlffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\thttnh.exec:\thttnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\pppvv.exec:\pppvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\lfffxxx.exec:\lfffxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\tnnhbb.exec:\tnnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\jdvpp.exec:\jdvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\3flfxxl.exec:\3flfxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\nbtbbt.exec:\nbtbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\btbbbt.exec:\btbbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\jjjdv.exec:\jjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\xrrllxx.exec:\xrrllxx.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\xxllflf.exec:\xxllflf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\hhbnnt.exec:\hhbnnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\vvvpp.exec:\vvvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\xxlllfl.exec:\xxlllfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\rfffxff.exec:\rfffxff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\tnttbh.exec:\tnttbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\dppjj.exec:\dppjj.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:368 -
\??\c:\vpjpp.exec:\vpjpp.exe24⤵
- Executes dropped EXE
PID:4908 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe25⤵
- Executes dropped EXE
PID:1340 -
\??\c:\thbntt.exec:\thbntt.exe26⤵
- Executes dropped EXE
PID:3300 -
\??\c:\tttttt.exec:\tttttt.exe27⤵
- Executes dropped EXE
PID:3664 -
\??\c:\pjppp.exec:\pjppp.exe28⤵
- Executes dropped EXE
PID:3112 -
\??\c:\ffffxxx.exec:\ffffxxx.exe29⤵
- Executes dropped EXE
PID:2400 -
\??\c:\lflfflf.exec:\lflfflf.exe30⤵
- Executes dropped EXE
PID:3360 -
\??\c:\nnnnbh.exec:\nnnnbh.exe31⤵
- Executes dropped EXE
PID:2964 -
\??\c:\hbtttt.exec:\hbtttt.exe32⤵
- Executes dropped EXE
PID:2252 -
\??\c:\pdddd.exec:\pdddd.exe33⤵
- Executes dropped EXE
PID:4432 -
\??\c:\flfxllf.exec:\flfxllf.exe34⤵
- Executes dropped EXE
PID:2460 -
\??\c:\hhnnnn.exec:\hhnnnn.exe35⤵
- Executes dropped EXE
PID:2288 -
\??\c:\nhhttb.exec:\nhhttb.exe36⤵
- Executes dropped EXE
PID:4820 -
\??\c:\dvdvp.exec:\dvdvp.exe37⤵
- Executes dropped EXE
PID:3256 -
\??\c:\rxxxllf.exec:\rxxxllf.exe38⤵
- Executes dropped EXE
PID:3148 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe39⤵
- Executes dropped EXE
PID:4440 -
\??\c:\ntbbbb.exec:\ntbbbb.exe40⤵
- Executes dropped EXE
PID:5092 -
\??\c:\hhbnht.exec:\hhbnht.exe41⤵
- Executes dropped EXE
PID:3580 -
\??\c:\jvddp.exec:\jvddp.exe42⤵
- Executes dropped EXE
PID:2836 -
\??\c:\fxlfrrr.exec:\fxlfrrr.exe43⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lxlxlrf.exec:\lxlxlrf.exe44⤵
- Executes dropped EXE
PID:3468 -
\??\c:\bnnnhh.exec:\bnnnhh.exe45⤵
- Executes dropped EXE
PID:4060 -
\??\c:\vdvdp.exec:\vdvdp.exe46⤵
- Executes dropped EXE
PID:4744 -
\??\c:\pjdvj.exec:\pjdvj.exe47⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xlxxflf.exec:\xlxxflf.exe48⤵
- Executes dropped EXE
PID:1424 -
\??\c:\xxrllrr.exec:\xxrllrr.exe49⤵
- Executes dropped EXE
PID:3456 -
\??\c:\tbbbbb.exec:\tbbbbb.exe50⤵
- Executes dropped EXE
PID:1608 -
\??\c:\vpjjj.exec:\vpjjj.exe51⤵
- Executes dropped EXE
PID:744 -
\??\c:\vvddj.exec:\vvddj.exe52⤵
- Executes dropped EXE
PID:1772 -
\??\c:\pvdjp.exec:\pvdjp.exe53⤵
- Executes dropped EXE
PID:3184 -
\??\c:\llfxxxx.exec:\llfxxxx.exe54⤵
- Executes dropped EXE
PID:4492 -
\??\c:\nbtnhh.exec:\nbtnhh.exe55⤵
- Executes dropped EXE
PID:4412 -
\??\c:\hhtbtt.exec:\hhtbtt.exe56⤵
- Executes dropped EXE
PID:2480 -
\??\c:\ntntnn.exec:\ntntnn.exe57⤵
- Executes dropped EXE
PID:2212 -
\??\c:\jddvv.exec:\jddvv.exe58⤵
- Executes dropped EXE
PID:1868 -
\??\c:\pjjdv.exec:\pjjdv.exe59⤵
- Executes dropped EXE
PID:4924 -
\??\c:\xrrlxxx.exec:\xrrlxxx.exe60⤵
- Executes dropped EXE
PID:3996 -
\??\c:\xxlrfxf.exec:\xxlrfxf.exe61⤵
- Executes dropped EXE
PID:784 -
\??\c:\tbbbhn.exec:\tbbbhn.exe62⤵
- Executes dropped EXE
PID:2800 -
\??\c:\5nttnn.exec:\5nttnn.exe63⤵
- Executes dropped EXE
PID:4332 -
\??\c:\ppvvp.exec:\ppvvp.exe64⤵
- Executes dropped EXE
PID:2208 -
\??\c:\vjvvp.exec:\vjvvp.exe65⤵
- Executes dropped EXE
PID:876 -
\??\c:\7rxxrrr.exec:\7rxxrrr.exe66⤵PID:748
-
\??\c:\rxrlxrf.exec:\rxrlxrf.exe67⤵PID:2236
-
\??\c:\nbhbhn.exec:\nbhbhn.exe68⤵PID:4004
-
\??\c:\bthbbb.exec:\bthbbb.exe69⤵PID:2316
-
\??\c:\nbhbbh.exec:\nbhbbh.exe70⤵PID:3744
-
\??\c:\ppvpv.exec:\ppvpv.exe71⤵PID:4392
-
\??\c:\jjddv.exec:\jjddv.exe72⤵PID:4508
-
\??\c:\rxxxrxx.exec:\rxxxrxx.exe73⤵PID:60
-
\??\c:\5xxrlrl.exec:\5xxrlrl.exe74⤵PID:1376
-
\??\c:\tnhhbh.exec:\tnhhbh.exe75⤵PID:4832
-
\??\c:\ttthbh.exec:\ttthbh.exe76⤵PID:3476
-
\??\c:\vddvv.exec:\vddvv.exe77⤵PID:4852
-
\??\c:\ppdjj.exec:\ppdjj.exe78⤵PID:2416
-
\??\c:\7fxxxfx.exec:\7fxxxfx.exe79⤵PID:2300
-
\??\c:\rrlrflf.exec:\rrlrflf.exe80⤵PID:1956
-
\??\c:\nthtbn.exec:\nthtbn.exe81⤵PID:1604
-
\??\c:\hhhhnb.exec:\hhhhnb.exe82⤵PID:3544
-
\??\c:\dvjjj.exec:\dvjjj.exe83⤵PID:4464
-
\??\c:\ttnhbt.exec:\ttnhbt.exe84⤵PID:3148
-
\??\c:\hnthhb.exec:\hnthhb.exe85⤵PID:4440
-
\??\c:\jjppj.exec:\jjppj.exe86⤵PID:5092
-
\??\c:\jdddv.exec:\jdddv.exe87⤵PID:2796
-
\??\c:\fxfffff.exec:\fxfffff.exe88⤵PID:2628
-
\??\c:\llrlflf.exec:\llrlflf.exe89⤵PID:3828
-
\??\c:\7hnnhh.exec:\7hnnhh.exe90⤵PID:444
-
\??\c:\tbtnhn.exec:\tbtnhn.exe91⤵PID:2320
-
\??\c:\jvppp.exec:\jvppp.exe92⤵PID:4592
-
\??\c:\rfxxffl.exec:\rfxxffl.exe93⤵PID:4624
-
\??\c:\xffllll.exec:\xffllll.exe94⤵PID:5024
-
\??\c:\nhhbtt.exec:\nhhbtt.exe95⤵PID:1252
-
\??\c:\bbhhtb.exec:\bbhhtb.exe96⤵PID:1056
-
\??\c:\dpdpp.exec:\dpdpp.exe97⤵PID:2936
-
\??\c:\ddpjj.exec:\ddpjj.exe98⤵PID:4120
-
\??\c:\lfffxxx.exec:\lfffxxx.exe99⤵PID:4916
-
\??\c:\frxrxxl.exec:\frxrxxl.exe100⤵PID:3168
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe101⤵PID:1952
-
\??\c:\hhntnh.exec:\hhntnh.exe102⤵PID:3972
-
\??\c:\bbbttt.exec:\bbbttt.exe103⤵PID:1864
-
\??\c:\1jjvv.exec:\1jjvv.exe104⤵PID:2028
-
\??\c:\jvdjj.exec:\jvdjj.exe105⤵PID:2088
-
\??\c:\3lrllll.exec:\3lrllll.exe106⤵PID:1820
-
\??\c:\lxxrrll.exec:\lxxrrll.exe107⤵PID:4256
-
\??\c:\ttnnnt.exec:\ttnnnt.exe108⤵PID:2208
-
\??\c:\nhtthh.exec:\nhtthh.exe109⤵PID:876
-
\??\c:\pjjjd.exec:\pjjjd.exe110⤵PID:2852
-
\??\c:\jjjpp.exec:\jjjpp.exe111⤵PID:3820
-
\??\c:\lxrrllx.exec:\lxrrllx.exe112⤵PID:2968
-
\??\c:\hbbtnn.exec:\hbbtnn.exe113⤵PID:4508
-
\??\c:\htthhb.exec:\htthhb.exe114⤵PID:3856
-
\??\c:\jpdvv.exec:\jpdvv.exe115⤵PID:3124
-
\??\c:\jdppd.exec:\jdppd.exe116⤵PID:3216
-
\??\c:\lllxrrl.exec:\lllxrrl.exe117⤵PID:812
-
\??\c:\bttnhh.exec:\bttnhh.exe118⤵PID:3956
-
\??\c:\bnnhnh.exec:\bnnhnh.exe119⤵
- System Location Discovery: System Language Discovery
PID:2416 -
\??\c:\pjjdv.exec:\pjjdv.exe120⤵PID:2300
-
\??\c:\vjjjd.exec:\vjjjd.exe121⤵PID:1348
-
\??\c:\rfrlffl.exec:\rfrlffl.exe122⤵PID:700