Analysis

max time kernel: 102s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/07/2024, 07:50

Behavioral task: behavioral1
Sample: a3eef08e2c65ed9b534aa8b15e5178f0N.exe
Resource: win7-20240704-en
6 signatures, 120 seconds
General

Target: a3eef08e2c65ed9b534aa8b15e5178f0N.exe
Size: 143KB
MD5: a3eef08e2c65ed9b534aa8b15e5178f0
SHA1: dd2e6ba715e171f6219dd7085ecc3187644da45f
SHA256: 5b34bbf518bd3fc681dcd1b231405977c86398ed962a6e769e2215bcca73acaf
SHA512: 9c047b439e7cae9d57592673b3a013a5d51836cf3b1669c3164567ad9a6038291f1d88b59e0aea8291f10ff71758a20859198acb25e67f61b0f83f77f925e6d1
SSDEEP: 3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BWlPFH4to1odt1:kcm4FmowdHoSphraHcpOFltH4to1st1
Malware Config
Signatures

Detect Blackmoon payload (64 IoCs)
Executes dropped EXE (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Each entry lists: depth in the process tree, image path, command line, PID, and the signatures that matched. The depth rises by one at every entry, so each process is the child of the one above it.

1. C:\Users\Admin\AppData\Local\Temp\a3eef08e2c65ed9b534aa8b15e5178f0N.exe  "C:\Users\Admin\AppData\Local\Temp\a3eef08e2c65ed9b534aa8b15e5178f0N.exe"  PID 1336  [Suspicious use of WriteProcessMemory]
2. \??\c:\dpdvj.exe  c:\dpdvj.exe  PID 4684  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3. \??\c:\bbnttb.exe  c:\bbnttb.exe  PID 3580  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4. \??\c:\djppv.exe  c:\djppv.exe  PID 3068  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5. \??\c:\xfxrxrx.exe  c:\xfxrxrx.exe  PID 2220  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6. \??\c:\nttbbb.exe  c:\nttbbb.exe  PID 4024  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7. \??\c:\pvvjd.exe  c:\pvvjd.exe  PID 4644  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8. \??\c:\hntnhn.exe  c:\hntnhn.exe  PID 3248  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9. \??\c:\ddppj.exe  c:\ddppj.exe  PID 2608  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10. \??\c:\vjpjd.exe  c:\vjpjd.exe  PID 1632  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11. \??\c:\7bnnnh.exe  c:\7bnnnh.exe  PID 1056  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12. \??\c:\jvppv.exe  c:\jvppv.exe  PID 4508  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13. \??\c:\ffrrxfl.exe  c:\ffrrxfl.exe  PID 1544  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14. \??\c:\hnnhbh.exe  c:\hnnhbh.exe  PID 3576  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15. \??\c:\djvjv.exe  c:\djvjv.exe  PID 2036  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16. \??\c:\fffxxfx.exe  c:\fffxxfx.exe  PID 5016  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17. \??\c:\bnbttt.exe  c:\bnbttt.exe  PID 3284  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18. \??\c:\vdppp.exe  c:\vdppp.exe  PID 3316  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19. \??\c:\nbbhhn.exe  c:\nbbhhn.exe  PID 944  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20. \??\c:\nthbtt.exe  c:\nthbtt.exe  PID 4352  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21. \??\c:\ntbbtt.exe  c:\ntbbtt.exe  PID 4692  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22. \??\c:\7ntbbh.exe  c:\7ntbbh.exe  PID 4040  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23. \??\c:\llxxxlf.exe  c:\llxxxlf.exe  PID 2792  [Executes dropped EXE]
24. \??\c:\hbhtnb.exe  c:\hbhtnb.exe  PID 1048  [Executes dropped EXE]
25. \??\c:\djvvv.exe  c:\djvvv.exe  PID 8  [Executes dropped EXE]
26. \??\c:\ffrrfrx.exe  c:\ffrrfrx.exe  PID 3696  [Executes dropped EXE]
27. \??\c:\bhnbhn.exe  c:\bhnbhn.exe  PID 2148  [Executes dropped EXE]
28. \??\c:\lffrffl.exe  c:\lffrffl.exe  PID 2052  [Executes dropped EXE]
29. \??\c:\djjvj.exe  c:\djjvj.exe  PID 5100  [Executes dropped EXE]
30. \??\c:\fllfflr.exe  c:\fllfflr.exe  PID 4548  [Executes dropped EXE]
31. \??\c:\bthtth.exe  c:\bthtth.exe  PID 1724  [Executes dropped EXE]
32. \??\c:\dpjvp.exe  c:\dpjvp.exe  PID 992  [Executes dropped EXE]
33. \??\c:\rxxfflr.exe  c:\rxxfflr.exe  PID 1016  [Executes dropped EXE]
34. \??\c:\tbbhnt.exe  c:\tbbhnt.exe  PID 3356  [Executes dropped EXE]
35. \??\c:\pdvpj.exe  c:\pdvpj.exe  PID 2020  [Executes dropped EXE]
36. \??\c:\rllfxfx.exe  c:\rllfxfx.exe  PID 664  [Executes dropped EXE]
37. \??\c:\tbhthb.exe  c:\tbhthb.exe  PID 5072  [Executes dropped EXE]
38. \??\c:\vvppp.exe  c:\vvppp.exe  PID 2120  [Executes dropped EXE]
39. \??\c:\rrrxlll.exe  c:\rrrxlll.exe  PID 2840  [Executes dropped EXE]
40. \??\c:\7xllxfr.exe  c:\7xllxfr.exe  PID 4328  [Executes dropped EXE]
41. \??\c:\tttnhb.exe  c:\tttnhb.exe  PID 4856  [Executes dropped EXE]
42. \??\c:\djddd.exe  c:\djddd.exe  PID 2168  [Executes dropped EXE]
43. \??\c:\rlfrrxr.exe  c:\rlfrrxr.exe  PID 60  [Executes dropped EXE]
44. \??\c:\bhthtb.exe  c:\bhthtb.exe  PID 3228  [Executes dropped EXE]
45. \??\c:\jpjjd.exe  c:\jpjjd.exe  PID 556  [Executes dropped EXE]
46. \??\c:\rrxxrrl.exe  c:\rrxxrrl.exe  PID 3508  [Executes dropped EXE]
47. \??\c:\hthnth.exe  c:\hthnth.exe  PID 848  [Executes dropped EXE]
48. \??\c:\bnttnn.exe  c:\bnttnn.exe  PID 2096  [Executes dropped EXE]
49. \??\c:\ppvpp.exe  c:\ppvpp.exe  PID 3240  [Executes dropped EXE]
50. \??\c:\rrlfxxl.exe  c:\rrlfxxl.exe  PID 1568  [Executes dropped EXE]
51. \??\c:\tbttbb.exe  c:\tbttbb.exe  PID 2076  [Executes dropped EXE]
52. \??\c:\1hnnbb.exe  c:\1hnnbb.exe  PID 4236  [Executes dropped EXE]
53. \??\c:\jdvpj.exe  c:\jdvpj.exe  PID 3292  [Executes dropped EXE]
54. \??\c:\vjpvj.exe  c:\vjpvj.exe  PID 4068  [Executes dropped EXE]
55. \??\c:\5rfxlrf.exe  c:\5rfxlrf.exe  PID 516  [Executes dropped EXE]
56. \??\c:\bnhhtn.exe  c:\bnhhtn.exe  PID 1512  [Executes dropped EXE]
57. \??\c:\7dpjv.exe  c:\7dpjv.exe  PID 1064  [Executes dropped EXE]
58. \??\c:\ffxfrxr.exe  c:\ffxfrxr.exe  PID 3576  [Executes dropped EXE]
59. \??\c:\rfffflr.exe  c:\rfffflr.exe  PID 1200  [Executes dropped EXE]
60. \??\c:\nbthhn.exe  c:\nbthhn.exe  PID 3932  [Executes dropped EXE]
61. \??\c:\djddj.exe  c:\djddj.exe  PID 5016  [Executes dropped EXE]
62. \??\c:\xxrlrfl.exe  c:\xxrlrfl.exe  PID 1948  [Executes dropped EXE]
63. \??\c:\fffxrrf.exe  c:\fffxrrf.exe  PID 4552  [Executes dropped EXE]
64. \??\c:\bttnhh.exe  c:\bttnhh.exe  PID 3720  [Executes dropped EXE]
65. \??\c:\vpjdd.exe  c:\vpjdd.exe  PID 1936  [Executes dropped EXE]
66. \??\c:\jppjp.exe  c:\jppjp.exe  PID 3244
67. \??\c:\rfxllfx.exe  c:\rfxllfx.exe  PID 1536
68. \??\c:\bnnhhn.exe  c:\bnnhhn.exe  PID 3996
69. \??\c:\7vpjd.exe  c:\7vpjd.exe  PID 4804
70. \??\c:\frrrlxx.exe  c:\frrrlxx.exe  PID 2396
71. \??\c:\hntbhn.exe  c:\hntbhn.exe  PID 3880
72. \??\c:\jjpdv.exe  c:\jjpdv.exe  PID 2764
73. \??\c:\vjdjd.exe  c:\vjdjd.exe  PID 2356
74. \??\c:\xrfxlfx.exe  c:\xrfxlfx.exe  PID 1596
75. \??\c:\vjpjd.exe  c:\vjpjd.exe  PID 2732
76. \??\c:\rflrllf.exe  c:\rflrllf.exe  PID 392
77. \??\c:\xfrlffr.exe  c:\xfrlffr.exe  PID 2836
78. \??\c:\nbbnhn.exe  c:\nbbnhn.exe  PID 4360
79. \??\c:\jdjdp.exe  c:\jdjdp.exe  PID 2304
80. \??\c:\xfflffr.exe  c:\xfflffr.exe  PID 4076
81. \??\c:\bnbhtt.exe  c:\bnbhtt.exe  PID 4980
82. \??\c:\7nnnbn.exe  c:\7nnnbn.exe  PID 1852
83. \??\c:\vdvjv.exe  c:\vdvjv.exe  PID 4536
84. \??\c:\1vdvv.exe  c:\1vdvv.exe  PID 5008
85. \??\c:\lfxfrlr.exe  c:\lfxfrlr.exe  PID 864
86. \??\c:\bnthnt.exe  c:\bnthnt.exe  PID 4780
87. \??\c:\pddvj.exe  c:\pddvj.exe  PID 3356
88. \??\c:\xlllfff.exe  c:\xlllfff.exe  PID 2024
89. \??\c:\hbhhht.exe  c:\hbhhht.exe  PID 664
90. \??\c:\thhttn.exe  c:\thhttn.exe  PID 4540
91. \??\c:\ddvpv.exe  c:\ddvpv.exe  PID 2120
92. \??\c:\rllxrrf.exe  c:\rllxrrf.exe  PID 4400
93. \??\c:\lrrflff.exe  c:\lrrflff.exe  PID 4788
94. \??\c:\tbhtbt.exe  c:\tbhtbt.exe  PID 2908
95. \??\c:\1jvjd.exe  c:\1jvjd.exe  PID 2168
96. \??\c:\jdjvd.exe  c:\jdjvd.exe  PID 904
97. \??\c:\fxxxxfl.exe  c:\fxxxxfl.exe  PID 1480
98. \??\c:\fxlxxxx.exe  c:\fxlxxxx.exe  PID 2220
99. \??\c:\bntnnn.exe  c:\bntnnn.exe  PID 1660
100. \??\c:\ddvvj.exe  c:\ddvvj.exe  PID 5096  [System Location Discovery: System Language Discovery]
101. \??\c:\xxxlxrl.exe  c:\xxxlxrl.exe  PID 4516
102. \??\c:\flllflf.exe  c:\flllflf.exe  PID 1436
103. \??\c:\btthnt.exe  c:\btthnt.exe  PID 3368
104. \??\c:\dvvpj.exe  c:\dvvpj.exe  PID 1136
105. \??\c:\ppvpd.exe  c:\ppvpd.exe  PID 4112
106. \??\c:\xxflllx.exe  c:\xxflllx.exe  PID 1904
107. \??\c:\lxllrrr.exe  c:\lxllrrr.exe  PID 2252
108. \??\c:\3btbnn.exe  c:\3btbnn.exe  PID 3860
109. \??\c:\tnnhhn.exe  c:\tnnhhn.exe  PID 3836
110. \??\c:\ppppp.exe  c:\ppppp.exe  PID 4964
111. \??\c:\xfrllll.exe  c:\xfrllll.exe  PID 1612
112. \??\c:\hnhhhb.exe  c:\hnhhhb.exe  PID 4072
113. \??\c:\bnbbhh.exe  c:\bnbbhh.exe  PID 4124
114. \??\c:\dpvpj.exe  c:\dpvpj.exe  PID 4472
115. \??\c:\vjjjd.exe  c:\vjjjd.exe  PID 5020
116. \??\c:\xfrxxxl.exe  c:\xfrxxxl.exe  PID 4884
117. \??\c:\rlfllxr.exe  c:\rlfllxr.exe  PID 1716
118. \??\c:\btnhtt.exe  c:\btnhtt.exe  PID 344
119. \??\c:\pvdpd.exe  c:\pvdpd.exe  PID 2780
120. \??\c:\pjjvp.exe  c:\pjjvp.exe  PID 3236
121. \??\c:\xrrlrll.exe  c:\xrrlrll.exe  PID 4352
122. \??\c:\hnhtnn.exe  c:\hnhtnn.exe  PID 3592