Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
21/08/2024, 10:45
Behavioral task
behavioral1
Sample
d4dc49068ac36bfdcf50bd11681edae0N.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
d4dc49068ac36bfdcf50bd11681edae0N.exe
-
Size
223KB
-
MD5
d4dc49068ac36bfdcf50bd11681edae0
-
SHA1
5783b2c1a945b22f6894553342bc3b3128db9827
-
SHA256
1e130498c2ffc945e36d9a9a0b00f76a9c059509ffc7e82a7acf83eb6545dc47
-
SHA512
973f1162c7c4244cf44cbb59bf1fac35023113f0ca642aa2b27b89c90be01d9cd331a8060ba67984895c81258c89fefba9d9b8c816c5454f9c0a59ec250d3842
-
SSDEEP
6144:ocm4FmowdHoSGg+O7lmFAszBd+za/p1g+y/9g0tPbXxk542u:u4wFHoSGg+amF1zBR/pS+y/9g4jXxk9u
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2628-6-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2336-8-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/1208-18-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2808-22-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/5016-29-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4888-34-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2824-42-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4376-46-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4876-52-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/708-58-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2892-65-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3964-75-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4444-78-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2168-83-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/748-94-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2516-111-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/1880-116-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4024-125-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3968-134-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3968-138-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3320-144-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon 
behavioral2/memory/452-154-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/468-172-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4224-180-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/5116-178-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2416-185-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/5096-192-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4800-199-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/408-203-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4388-208-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2628-212-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/232-219-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4056-226-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/228-233-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/448-237-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2012-241-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4516-260-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3548-285-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/324-289-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/1164-302-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3588-312-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/940-319-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon 
behavioral2/memory/4724-374-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4004-387-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4336-397-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2012-407-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3452-414-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3608-418-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3136-423-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3256-429-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/1628-456-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4084-472-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/1144-479-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2472-507-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4364-514-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/1848-548-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/2984-603-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4288-667-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4748-674-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/3024-720-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4112-751-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4436-1007-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon behavioral2/memory/4848-1033-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon 
behavioral2/memory/4516-1132-0x0000000000400000-0x0000000000437000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2336 pdvvv.exe 1208 nhhtnb.exe 2808 jvvvv.exe 5016 lxfxrlx.exe 4888 tthhnt.exe 2824 dpvpj.exe 4376 rxlfxxl.exe 4876 bbhbtn.exe 708 xlrlfrl.exe 2892 htnhht.exe 1792 xffrflx.exe 3964 rlfxrlf.exe 4444 bthhbn.exe 2168 9djdv.exe 748 flrlffx.exe 4412 vdvpj.exe 4952 frrlfxf.exe 2516 bthbhh.exe 1880 ddjdp.exe 4216 bhbhtn.exe 4024 vvjpp.exe 940 jjdvp.exe 3968 tntnbt.exe 3320 hhhhnt.exe 5088 lrxxxxf.exe 452 nnhhhh.exe 4152 jjjdv.exe 1380 vpvpp.exe 468 3flrrll.exe 4224 hbhbtt.exe 5116 ddjdv.exe 2416 xxflrrx.exe 5096 rxxfxfx.exe 3236 ppvvp.exe 4800 dvjjv.exe 408 7llrrfx.exe 4388 hthttt.exe 652 jdppd.exe 2628 dvddd.exe 232 xlrrlff.exe 4332 rlllffx.exe 4056 nhnnnn.exe 4336 dvppj.exe 228 pvvvv.exe 448 rrrlfxr.exe 2012 bnttbb.exe 4736 hnttnn.exe 4136 vpjdp.exe 3608 fxrxlll.exe 4760 xlrlllf.exe 3024 hnnnhh.exe 4516 tnnhhb.exe 2600 9jjjj.exe 1516 rffxxxl.exe 4708 rxfxrxr.exe 4400 bnbhbb.exe 2260 ppjdd.exe 1544 1dvvp.exe 956 rfllffx.exe 3548 fxffxxx.exe 324 7bbttt.exe 2900 dddvp.exe 1856 djdvd.exe 532 fxxrfxr.exe -
resource yara_rule behavioral2/memory/2628-0-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/2628-6-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0009000000023404-4.dat upx behavioral2/memory/2336-8-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000a000000023464-12.dat upx behavioral2/memory/1208-13-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023468-14.dat upx behavioral2/memory/1208-18-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/2808-22-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023469-23.dat upx behavioral2/files/0x000700000002346a-27.dat upx behavioral2/memory/5016-29-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000700000002346b-33.dat upx behavioral2/memory/4888-34-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000700000002346c-39.dat upx behavioral2/memory/2824-42-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000700000002346d-44.dat upx behavioral2/memory/4376-46-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000700000002346f-50.dat upx behavioral2/memory/4876-52-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/708-58-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023470-56.dat upx behavioral2/files/0x0008000000023465-62.dat upx behavioral2/memory/2892-65-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023471-68.dat upx behavioral2/memory/3964-75-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023472-76.dat upx behavioral2/memory/4444-78-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023473-80.dat upx behavioral2/memory/2168-83-0x0000000000400000-0x0000000000437000-memory.dmp upx 
behavioral2/files/0x0007000000023474-87.dat upx behavioral2/files/0x0007000000023475-91.dat upx behavioral2/memory/748-94-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023476-97.dat upx behavioral2/files/0x0007000000023477-102.dat upx behavioral2/files/0x0007000000023478-108.dat upx behavioral2/memory/1880-109-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/2516-111-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/1880-116-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023479-114.dat upx behavioral2/files/0x000700000002347a-120.dat upx behavioral2/memory/4024-125-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000700000002347b-127.dat upx behavioral2/files/0x000700000002347c-132.dat upx behavioral2/memory/3968-134-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/3968-138-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000700000002347d-139.dat upx behavioral2/files/0x000700000002347e-143.dat upx behavioral2/memory/3320-144-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000700000002347f-149.dat upx behavioral2/memory/452-154-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023480-155.dat upx behavioral2/files/0x0007000000023481-159.dat upx behavioral2/files/0x0007000000023482-165.dat upx behavioral2/files/0x0007000000023483-169.dat upx behavioral2/memory/468-172-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x0007000000023484-176.dat upx behavioral2/memory/4224-180-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/5116-178-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/files/0x000c000000023398-182.dat upx behavioral2/memory/2416-185-0x0000000000400000-0x0000000000437000-memory.dmp upx 
behavioral2/memory/5096-192-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/4800-199-0x0000000000400000-0x0000000000437000-memory.dmp upx behavioral2/memory/408-203-0x0000000000400000-0x0000000000437000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2628 wrote to memory of 2336 2628 d4dc49068ac36bfdcf50bd11681edae0N.exe 86 PID 2628 wrote to memory of 2336 2628 d4dc49068ac36bfdcf50bd11681edae0N.exe 86 PID 2628 wrote to memory of 2336 2628 d4dc49068ac36bfdcf50bd11681edae0N.exe 86 PID 2336 wrote to memory of 1208 2336 pdvvv.exe 87 PID 2336 wrote to memory of 1208 2336 pdvvv.exe 87 PID 2336 wrote to memory of 1208 2336 pdvvv.exe 87 PID 1208 wrote to memory of 2808 1208 nhhtnb.exe 88 PID 1208 wrote to memory of 2808 1208 nhhtnb.exe 88 PID 1208 wrote to memory of 2808 1208 nhhtnb.exe 88 PID 2808 wrote to memory of 5016 2808 jvvvv.exe 89 PID 2808 wrote to memory of 5016 2808 jvvvv.exe 89 PID 2808 wrote to memory of 5016 2808 jvvvv.exe 89 PID 5016 wrote to memory of 4888 5016 lxfxrlx.exe 90 PID 5016 wrote to memory of 4888 5016 lxfxrlx.exe 90 PID 5016 wrote to memory of 4888 5016 lxfxrlx.exe 90 PID 4888 wrote to memory of 2824 4888 tthhnt.exe 91 PID 4888 wrote to memory of 2824 4888 tthhnt.exe 91 PID 4888 wrote to memory of 2824 4888 tthhnt.exe 91 PID 2824 wrote to memory of 4376 2824 dpvpj.exe 92 PID 2824 wrote to memory of 4376 2824 dpvpj.exe 92 PID 2824 wrote to memory of 4376 2824 dpvpj.exe 92 PID 4376 wrote to memory of 4876 4376 rxlfxxl.exe 93 PID 4376 wrote to memory of 4876 4376 rxlfxxl.exe 93 PID 4376 wrote to memory of 4876 4376 rxlfxxl.exe 93 PID 4876 wrote to memory of 708 4876 bbhbtn.exe 94 PID 4876 wrote to memory of 708 4876 bbhbtn.exe 94 PID 4876 wrote to memory of 708 4876 bbhbtn.exe 94 PID 708 wrote to memory of 2892 708 xlrlfrl.exe 95 PID 708 wrote to memory of 2892 708 xlrlfrl.exe 95 PID 708 wrote to memory of 2892 708 xlrlfrl.exe 95 PID 2892 wrote to memory of 1792 2892 htnhht.exe 97 PID 2892 wrote to memory of 1792 2892 htnhht.exe 97 PID 2892 wrote to memory of 1792 2892 htnhht.exe 97 PID 1792 wrote to memory of 3964 1792 xffrflx.exe 98 PID 1792 wrote to memory of 3964 1792 xffrflx.exe 98 PID 1792 wrote to memory of 3964 1792 xffrflx.exe 98 PID 3964 wrote 
to memory of 4444 3964 rlfxrlf.exe 99 PID 3964 wrote to memory of 4444 3964 rlfxrlf.exe 99 PID 3964 wrote to memory of 4444 3964 rlfxrlf.exe 99 PID 4444 wrote to memory of 2168 4444 bthhbn.exe 100 PID 4444 wrote to memory of 2168 4444 bthhbn.exe 100 PID 4444 wrote to memory of 2168 4444 bthhbn.exe 100 PID 2168 wrote to memory of 748 2168 9djdv.exe 101 PID 2168 wrote to memory of 748 2168 9djdv.exe 101 PID 2168 wrote to memory of 748 2168 9djdv.exe 101 PID 748 wrote to memory of 4412 748 flrlffx.exe 102 PID 748 wrote to memory of 4412 748 flrlffx.exe 102 PID 748 wrote to memory of 4412 748 flrlffx.exe 102 PID 4412 wrote to memory of 4952 4412 vdvpj.exe 104 PID 4412 wrote to memory of 4952 4412 vdvpj.exe 104 PID 4412 wrote to memory of 4952 4412 vdvpj.exe 104 PID 4952 wrote to memory of 2516 4952 frrlfxf.exe 105 PID 4952 wrote to memory of 2516 4952 frrlfxf.exe 105 PID 4952 wrote to memory of 2516 4952 frrlfxf.exe 105 PID 2516 wrote to memory of 1880 2516 bthbhh.exe 107 PID 2516 wrote to memory of 1880 2516 bthbhh.exe 107 PID 2516 wrote to memory of 1880 2516 bthbhh.exe 107 PID 1880 wrote to memory of 4216 1880 ddjdp.exe 108 PID 1880 wrote to memory of 4216 1880 ddjdp.exe 108 PID 1880 wrote to memory of 4216 1880 ddjdp.exe 108 PID 4216 wrote to memory of 4024 4216 bhbhtn.exe 109 PID 4216 wrote to memory of 4024 4216 bhbhtn.exe 109 PID 4216 wrote to memory of 4024 4216 bhbhtn.exe 109 PID 4024 wrote to memory of 940 4024 vvjpp.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4dc49068ac36bfdcf50bd11681edae0N.exe"C:\Users\Admin\AppData\Local\Temp\d4dc49068ac36bfdcf50bd11681edae0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\pdvvv.exec:\pdvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\nhhtnb.exec:\nhhtnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\jvvvv.exec:\jvvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\lxfxrlx.exec:\lxfxrlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\tthhnt.exec:\tthhnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\dpvpj.exec:\dpvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\rxlfxxl.exec:\rxlfxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\bbhbtn.exec:\bbhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\htnhht.exec:\htnhht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\xffrflx.exec:\xffrflx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\bthhbn.exec:\bthhbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\9djdv.exec:\9djdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\flrlffx.exec:\flrlffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\vdvpj.exec:\vdvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\frrlfxf.exec:\frrlfxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\bthbhh.exec:\bthbhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\ddjdp.exec:\ddjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\bhbhtn.exec:\bhbhtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\vvjpp.exec:\vvjpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\jjdvp.exec:\jjdvp.exe23⤵
- Executes dropped EXE
PID:940 -
\??\c:\tntnbt.exec:\tntnbt.exe24⤵
- Executes dropped EXE
PID:3968 -
\??\c:\hhhhnt.exec:\hhhhnt.exe25⤵
- Executes dropped EXE
PID:3320 -
\??\c:\lrxxxxf.exec:\lrxxxxf.exe26⤵
- Executes dropped EXE
PID:5088 -
\??\c:\nnhhhh.exec:\nnhhhh.exe27⤵
- Executes dropped EXE
PID:452 -
\??\c:\jjjdv.exec:\jjjdv.exe28⤵
- Executes dropped EXE
PID:4152 -
\??\c:\vpvpp.exec:\vpvpp.exe29⤵
- Executes dropped EXE
PID:1380 -
\??\c:\3flrrll.exec:\3flrrll.exe30⤵
- Executes dropped EXE
PID:468 -
\??\c:\hbhbtt.exec:\hbhbtt.exe31⤵
- Executes dropped EXE
PID:4224 -
\??\c:\ddjdv.exec:\ddjdv.exe32⤵
- Executes dropped EXE
PID:5116 -
\??\c:\xxflrrx.exec:\xxflrrx.exe33⤵
- Executes dropped EXE
PID:2416 -
\??\c:\rxxfxfx.exec:\rxxfxfx.exe34⤵
- Executes dropped EXE
PID:5096 -
\??\c:\ppvvp.exec:\ppvvp.exe35⤵
- Executes dropped EXE
PID:3236 -
\??\c:\dvjjv.exec:\dvjjv.exe36⤵
- Executes dropped EXE
PID:4800 -
\??\c:\7llrrfx.exec:\7llrrfx.exe37⤵
- Executes dropped EXE
PID:408 -
\??\c:\hthttt.exec:\hthttt.exe38⤵
- Executes dropped EXE
PID:4388 -
\??\c:\jdppd.exec:\jdppd.exe39⤵
- Executes dropped EXE
PID:652 -
\??\c:\dvddd.exec:\dvddd.exe40⤵
- Executes dropped EXE
PID:2628 -
\??\c:\xlrrlff.exec:\xlrrlff.exe41⤵
- Executes dropped EXE
PID:232 -
\??\c:\rlllffx.exec:\rlllffx.exe42⤵
- Executes dropped EXE
PID:4332 -
\??\c:\nhnnnn.exec:\nhnnnn.exe43⤵
- Executes dropped EXE
PID:4056 -
\??\c:\dvppj.exec:\dvppj.exe44⤵
- Executes dropped EXE
PID:4336 -
\??\c:\pvvvv.exec:\pvvvv.exe45⤵
- Executes dropped EXE
PID:228 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe46⤵
- Executes dropped EXE
PID:448 -
\??\c:\bnttbb.exec:\bnttbb.exe47⤵
- Executes dropped EXE
PID:2012 -
\??\c:\hnttnn.exec:\hnttnn.exe48⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vpjdp.exec:\vpjdp.exe49⤵
- Executes dropped EXE
PID:4136 -
\??\c:\fxrxlll.exec:\fxrxlll.exe50⤵
- Executes dropped EXE
PID:3608 -
\??\c:\xlrlllf.exec:\xlrlllf.exe51⤵
- Executes dropped EXE
PID:4760 -
\??\c:\hnnnhh.exec:\hnnnhh.exe52⤵
- Executes dropped EXE
PID:3024 -
\??\c:\tnnhhb.exec:\tnnhhb.exe53⤵
- Executes dropped EXE
PID:4516 -
\??\c:\9jjjj.exec:\9jjjj.exe54⤵
- Executes dropped EXE
PID:2600 -
\??\c:\rffxxxl.exec:\rffxxxl.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
\??\c:\rxfxrxr.exec:\rxfxrxr.exe56⤵
- Executes dropped EXE
PID:4708 -
\??\c:\bnbhbb.exec:\bnbhbb.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4400 -
\??\c:\ppjdd.exec:\ppjdd.exe58⤵
- Executes dropped EXE
PID:2260 -
\??\c:\1dvvp.exec:\1dvvp.exe59⤵
- Executes dropped EXE
PID:1544 -
\??\c:\rfllffx.exec:\rfllffx.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:956 -
\??\c:\fxffxxx.exec:\fxffxxx.exe61⤵
- Executes dropped EXE
PID:3548 -
\??\c:\7bbttt.exec:\7bbttt.exe62⤵
- Executes dropped EXE
PID:324 -
\??\c:\dddvp.exec:\dddvp.exe63⤵
- Executes dropped EXE
PID:2900 -
\??\c:\djdvd.exec:\djdvd.exe64⤵
- Executes dropped EXE
PID:1856 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe65⤵
- Executes dropped EXE
PID:532 -
\??\c:\1btnhn.exec:\1btnhn.exe66⤵PID:1164
-
\??\c:\tnthhb.exec:\tnthhb.exe67⤵PID:3560
-
\??\c:\jvdjv.exec:\jvdjv.exe68⤵PID:4216
-
\??\c:\5vjvp.exec:\5vjvp.exe69⤵PID:3588
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe70⤵PID:3132
-
\??\c:\hbtthb.exec:\hbtthb.exe71⤵PID:940
-
\??\c:\tnnhhb.exec:\tnnhhb.exe72⤵PID:1540
-
\??\c:\jdjpj.exec:\jdjpj.exe73⤵PID:2252
-
\??\c:\frrrfxr.exec:\frrrfxr.exe74⤵PID:3320
-
\??\c:\nbhbnn.exec:\nbhbnn.exe75⤵PID:3172
-
\??\c:\5bbthh.exec:\5bbthh.exe76⤵PID:2156
-
\??\c:\vdvjd.exec:\vdvjd.exe77⤵PID:1480
-
\??\c:\5xxrfxf.exec:\5xxrfxf.exe78⤵PID:1840
-
\??\c:\7bbtnn.exec:\7bbtnn.exe79⤵PID:1888
-
\??\c:\hbtntt.exec:\hbtntt.exe80⤵PID:4944
-
\??\c:\jpddv.exec:\jpddv.exe81⤵PID:4460
-
\??\c:\jpjvj.exec:\jpjvj.exe82⤵PID:4696
-
\??\c:\rfllrrl.exec:\rfllrrl.exe83⤵PID:2104
-
\??\c:\ntbbnb.exec:\ntbbnb.exe84⤵PID:2472
-
\??\c:\hnnhbb.exec:\hnnhbb.exe85⤵PID:4552
-
\??\c:\pdvpj.exec:\pdvpj.exe86⤵PID:4744
-
\??\c:\vdjdj.exec:\vdjdj.exe87⤵
- System Location Discovery: System Language Discovery
PID:2980 -
\??\c:\fllfxrl.exec:\fllfxrl.exe88⤵PID:4384
-
\??\c:\5rrlffx.exec:\5rrlffx.exe89⤵PID:4724
-
\??\c:\bnhbtt.exec:\bnhbtt.exe90⤵PID:3756
-
\??\c:\pdjvp.exec:\pdjvp.exe91⤵PID:4904
-
\??\c:\pvdvp.exec:\pvdvp.exe92⤵PID:2628
-
\??\c:\lrlxrrf.exec:\lrlxrrf.exe93⤵PID:4004
-
\??\c:\rxllrxr.exec:\rxllrxr.exe94⤵PID:5048
-
\??\c:\nbnhbb.exec:\nbnhbb.exe95⤵PID:3280
-
\??\c:\9bhhnt.exec:\9bhhnt.exe96⤵PID:4336
-
\??\c:\vdpvp.exec:\vdpvp.exe97⤵PID:880
-
\??\c:\5rxxllf.exec:\5rxxllf.exe98⤵PID:4376
-
\??\c:\nhnhnn.exec:\nhnhnn.exe99⤵PID:2012
-
\??\c:\9bnbtt.exec:\9bnbtt.exe100⤵PID:1744
-
\??\c:\vdppv.exec:\vdppv.exe101⤵PID:3452
-
\??\c:\dppjj.exec:\dppjj.exe102⤵PID:3608
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe103⤵PID:3136
-
\??\c:\lflxxxr.exec:\lflxxxr.exe104⤵PID:3252
-
\??\c:\hhhnnb.exec:\hhhnnb.exe105⤵PID:3256
-
\??\c:\djpvd.exec:\djpvd.exe106⤵PID:4444
-
\??\c:\jdvpp.exec:\jdvpp.exe107⤵PID:4628
-
\??\c:\1lrrffr.exec:\1lrrffr.exe108⤵PID:2168
-
\??\c:\nhnhhb.exec:\nhnhhb.exe109⤵PID:1816
-
\??\c:\tbtnnh.exec:\tbtnnh.exe110⤵PID:748
-
\??\c:\djpjd.exec:\djpjd.exe111⤵PID:1092
-
\??\c:\jvddd.exec:\jvddd.exe112⤵PID:2528
-
\??\c:\flxxxff.exec:\flxxxff.exe113⤵PID:1628
-
\??\c:\nbhbtt.exec:\nbhbtt.exe114⤵PID:2684
-
\??\c:\btnbtt.exec:\btnbtt.exe115⤵PID:4396
-
\??\c:\ddvpd.exec:\ddvpd.exe116⤵PID:1400
-
\??\c:\llfffff.exec:\llfffff.exe117⤵PID:3564
-
\??\c:\1xffxll.exec:\1xffxll.exe118⤵PID:4084
-
\??\c:\hbbnhb.exec:\hbbnhb.exe119⤵PID:1636
-
\??\c:\jdpjp.exec:\jdpjp.exe120⤵PID:1144
-
\??\c:\vdjdj.exec:\vdjdj.exe121⤵PID:2156
-
\??\c:\ffffrrf.exec:\ffffrrf.exe122⤵PID:1632