Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
14/09/2024, 10:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0cffc491868d2fdf6ed8414241a49270N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
0cffc491868d2fdf6ed8414241a49270N.exe
-
Size
453KB
-
MD5
0cffc491868d2fdf6ed8414241a49270
-
SHA1
0fd14b92094bb0e64cdd5e2922b9bb0aaf6bd593
-
SHA256
f943e3d3e16616c54c22b3418aa51e073374ad0c9ca521e0993c00a3f43f6fbb
-
SHA512
5ba7f6bc219b342d3d87ca15bd51a742c8ef581100722b0cb8ddf95ddae0411ce809d331548fd692f893db1bfeb16ff80882883c3c940ea3b0e3b0897f7c5e5d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4284-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3240-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1920-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-1051-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-1283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-1296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4536 7xxrlrl.exe 4284 7thbbb.exe 3404 dvdvp.exe 3808 bthnnh.exe 4476 nhhbtt.exe 904 9pjjv.exe 4288 xrlxfrx.exe 2196 frlfxxr.exe 1628 nnnhbb.exe 2556 rlxrlfx.exe 992 nntnht.exe 212 hhthtt.exe 4188 djpjv.exe 2188 tntnbt.exe 1340 thnhtt.exe 4500 frxrffx.exe 1792 vjvpp.exe 3412 lxlffxx.exe 2224 jdpjd.exe 3304 3flfrrf.exe 4996 thbtnn.exe 4272 jjdvj.exe 4828 lxxrfxr.exe 2788 dvvvv.exe 2260 rflxllf.exe 1728 xrrllll.exe 2060 nhhbtt.exe 1644 jdpjj.exe 3240 lxrlxxr.exe 1148 1hhbbb.exe 4384 xlxrfff.exe 4568 tnbtnb.exe 3488 dpddv.exe 3992 lfllfxf.exe 3944 7rxrlrl.exe 4900 9hnhnb.exe 4948 pdpjd.exe 3700 lrrllff.exe 3788 nnhbnn.exe 3464 3lfxrrl.exe 1676 3hhhbb.exe 552 bnnhtn.exe 4260 vjddp.exe 3520 rxfrllx.exe 1116 thbhbh.exe 1052 pppjv.exe 820 lffxrrr.exe 64 hhbttt.exe 4784 7hthtt.exe 2084 1djjj.exe 2196 9fflllr.exe 4644 nhhntt.exe 3772 vvvpj.exe 2556 llfxfxx.exe 112 bttnbh.exe 3336 jdvjd.exe 1604 dvvpj.exe 2612 1hnhbh.exe 116 vpvpj.exe 1996 xfllrxf.exe 744 tntntn.exe 5012 9pjvp.exe 4972 xllfxxr.exe 4368 ntbthh.exe -
resource yara_rule behavioral2/memory/4284-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3240-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4488-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-746-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ffllrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 4536 2204 0cffc491868d2fdf6ed8414241a49270N.exe 83 PID 2204 wrote to memory of 4536 2204 0cffc491868d2fdf6ed8414241a49270N.exe 83 PID 2204 wrote to memory of 4536 2204 0cffc491868d2fdf6ed8414241a49270N.exe 83 PID 4536 wrote to memory of 4284 4536 7xxrlrl.exe 84 PID 4536 wrote to memory of 4284 4536 7xxrlrl.exe 84 PID 4536 wrote to memory of 4284 4536 7xxrlrl.exe 84 PID 4284 wrote to memory of 3404 4284 7thbbb.exe 85 PID 4284 wrote to memory of 3404 4284 7thbbb.exe 85 PID 4284 wrote to memory of 3404 4284 7thbbb.exe 85 PID 3404 wrote to memory of 3808 3404 dvdvp.exe 86 PID 3404 wrote to memory of 3808 3404 dvdvp.exe 86 PID 3404 wrote to memory of 3808 3404 dvdvp.exe 86 PID 3808 wrote to memory of 4476 3808 bthnnh.exe 87 PID 3808 wrote to memory of 4476 3808 bthnnh.exe 87 PID 3808 wrote to memory of 4476 3808 bthnnh.exe 87 PID 4476 wrote to memory of 904 4476 nhhbtt.exe 88 PID 4476 wrote to memory of 904 4476 nhhbtt.exe 88 PID 4476 wrote to memory of 904 4476 nhhbtt.exe 88 PID 904 wrote to memory of 4288 904 9pjjv.exe 89 PID 904 wrote to memory of 4288 904 9pjjv.exe 89 PID 904 wrote to memory of 4288 904 9pjjv.exe 89 PID 4288 wrote to memory of 2196 4288 xrlxfrx.exe 91 PID 4288 wrote to memory of 2196 4288 xrlxfrx.exe 91 PID 4288 wrote to memory of 2196 4288 xrlxfrx.exe 91 PID 2196 wrote to memory of 1628 2196 frlfxxr.exe 92 PID 2196 wrote to memory of 1628 2196 frlfxxr.exe 92 PID 2196 wrote to memory of 1628 2196 frlfxxr.exe 92 PID 1628 wrote to memory of 2556 1628 nnnhbb.exe 93 PID 1628 wrote to memory of 2556 1628 nnnhbb.exe 93 PID 1628 wrote to memory of 2556 1628 nnnhbb.exe 93 PID 2556 wrote to memory of 992 2556 rlxrlfx.exe 94 PID 2556 wrote to memory of 992 2556 rlxrlfx.exe 94 PID 2556 wrote to memory of 992 2556 rlxrlfx.exe 94 PID 992 wrote to memory of 212 992 nntnht.exe 95 PID 992 wrote to memory of 212 992 nntnht.exe 95 PID 992 wrote to memory of 212 992 nntnht.exe 95 PID 212 wrote to memory 
of 4188 212 hhthtt.exe 97 PID 212 wrote to memory of 4188 212 hhthtt.exe 97 PID 212 wrote to memory of 4188 212 hhthtt.exe 97 PID 4188 wrote to memory of 2188 4188 djpjv.exe 98 PID 4188 wrote to memory of 2188 4188 djpjv.exe 98 PID 4188 wrote to memory of 2188 4188 djpjv.exe 98 PID 2188 wrote to memory of 1340 2188 tntnbt.exe 99 PID 2188 wrote to memory of 1340 2188 tntnbt.exe 99 PID 2188 wrote to memory of 1340 2188 tntnbt.exe 99 PID 1340 wrote to memory of 4500 1340 thnhtt.exe 101 PID 1340 wrote to memory of 4500 1340 thnhtt.exe 101 PID 1340 wrote to memory of 4500 1340 thnhtt.exe 101 PID 4500 wrote to memory of 1792 4500 frxrffx.exe 102 PID 4500 wrote to memory of 1792 4500 frxrffx.exe 102 PID 4500 wrote to memory of 1792 4500 frxrffx.exe 102 PID 1792 wrote to memory of 3412 1792 vjvpp.exe 103 PID 1792 wrote to memory of 3412 1792 vjvpp.exe 103 PID 1792 wrote to memory of 3412 1792 vjvpp.exe 103 PID 3412 wrote to memory of 2224 3412 lxlffxx.exe 104 PID 3412 wrote to memory of 2224 3412 lxlffxx.exe 104 PID 3412 wrote to memory of 2224 3412 lxlffxx.exe 104 PID 2224 wrote to memory of 3304 2224 jdpjd.exe 105 PID 2224 wrote to memory of 3304 2224 jdpjd.exe 105 PID 2224 wrote to memory of 3304 2224 jdpjd.exe 105 PID 3304 wrote to memory of 4996 3304 3flfrrf.exe 106 PID 3304 wrote to memory of 4996 3304 3flfrrf.exe 106 PID 3304 wrote to memory of 4996 3304 3flfrrf.exe 106 PID 4996 wrote to memory of 4272 4996 thbtnn.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cffc491868d2fdf6ed8414241a49270N.exe"C:\Users\Admin\AppData\Local\Temp\0cffc491868d2fdf6ed8414241a49270N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\7xxrlrl.exec:\7xxrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\7thbbb.exec:\7thbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\dvdvp.exec:\dvdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\bthnnh.exec:\bthnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\nhhbtt.exec:\nhhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\9pjjv.exec:\9pjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\xrlxfrx.exec:\xrlxfrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\frlfxxr.exec:\frlfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\nnnhbb.exec:\nnnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\nntnht.exec:\nntnht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\hhthtt.exec:\hhthtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\djpjv.exec:\djpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\tntnbt.exec:\tntnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\thnhtt.exec:\thnhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\frxrffx.exec:\frxrffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\vjvpp.exec:\vjvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\lxlffxx.exec:\lxlffxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\jdpjd.exec:\jdpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\3flfrrf.exec:\3flfrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\thbtnn.exec:\thbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\jjdvj.exec:\jjdvj.exe23⤵
- Executes dropped EXE
PID:4272 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe24⤵
- Executes dropped EXE
PID:4828 -
\??\c:\dvvvv.exec:\dvvvv.exe25⤵
- Executes dropped EXE
PID:2788 -
\??\c:\rflxllf.exec:\rflxllf.exe26⤵
- Executes dropped EXE
PID:2260 -
\??\c:\xrrllll.exec:\xrrllll.exe27⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nhhbtt.exec:\nhhbtt.exe28⤵
- Executes dropped EXE
PID:2060 -
\??\c:\jdpjj.exec:\jdpjj.exe29⤵
- Executes dropped EXE
PID:1644 -
\??\c:\lxrlxxr.exec:\lxrlxxr.exe30⤵
- Executes dropped EXE
PID:3240 -
\??\c:\1hhbbb.exec:\1hhbbb.exe31⤵
- Executes dropped EXE
PID:1148 -
\??\c:\xlxrfff.exec:\xlxrfff.exe32⤵
- Executes dropped EXE
PID:4384 -
\??\c:\tnbtnb.exec:\tnbtnb.exe33⤵
- Executes dropped EXE
PID:4568 -
\??\c:\dpddv.exec:\dpddv.exe34⤵
- Executes dropped EXE
PID:3488 -
\??\c:\lfllfxf.exec:\lfllfxf.exe35⤵
- Executes dropped EXE
PID:3992 -
\??\c:\7rxrlrl.exec:\7rxrlrl.exe36⤵
- Executes dropped EXE
PID:3944 -
\??\c:\9hnhnb.exec:\9hnhnb.exe37⤵
- Executes dropped EXE
PID:4900 -
\??\c:\pdpjd.exec:\pdpjd.exe38⤵
- Executes dropped EXE
PID:4948 -
\??\c:\lrrllff.exec:\lrrllff.exe39⤵
- Executes dropped EXE
PID:3700 -
\??\c:\nnhbnn.exec:\nnhbnn.exe40⤵
- Executes dropped EXE
PID:3788 -
\??\c:\vdjdp.exec:\vdjdp.exe41⤵PID:3192
-
\??\c:\3lfxrrl.exec:\3lfxrrl.exe42⤵
- Executes dropped EXE
PID:3464 -
\??\c:\3hhhbb.exec:\3hhhbb.exe43⤵
- Executes dropped EXE
PID:1676 -
\??\c:\bnnhtn.exec:\bnnhtn.exe44⤵
- Executes dropped EXE
PID:552 -
\??\c:\vjddp.exec:\vjddp.exe45⤵
- Executes dropped EXE
PID:4260 -
\??\c:\rxfrllx.exec:\rxfrllx.exe46⤵
- Executes dropped EXE
PID:3520 -
\??\c:\thbhbh.exec:\thbhbh.exe47⤵
- Executes dropped EXE
PID:1116 -
\??\c:\pppjv.exec:\pppjv.exe48⤵
- Executes dropped EXE
PID:1052 -
\??\c:\lffxrrr.exec:\lffxrrr.exe49⤵
- Executes dropped EXE
PID:820 -
\??\c:\hhbttt.exec:\hhbttt.exe50⤵
- Executes dropped EXE
PID:64 -
\??\c:\7hthtt.exec:\7hthtt.exe51⤵
- Executes dropped EXE
PID:4784 -
\??\c:\1djjj.exec:\1djjj.exe52⤵
- Executes dropped EXE
PID:2084 -
\??\c:\9fflllr.exec:\9fflllr.exe53⤵
- Executes dropped EXE
PID:2196 -
\??\c:\nhhntt.exec:\nhhntt.exe54⤵
- Executes dropped EXE
PID:4644 -
\??\c:\vvvpj.exec:\vvvpj.exe55⤵
- Executes dropped EXE
PID:3772 -
\??\c:\llfxfxx.exec:\llfxfxx.exe56⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bttnbh.exec:\bttnbh.exe57⤵
- Executes dropped EXE
PID:112 -
\??\c:\jdvjd.exec:\jdvjd.exe58⤵
- Executes dropped EXE
PID:3336 -
\??\c:\dvvpj.exec:\dvvpj.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604 -
\??\c:\1hnhbh.exec:\1hnhbh.exe60⤵
- Executes dropped EXE
PID:2612 -
\??\c:\vpvpj.exec:\vpvpj.exe61⤵
- Executes dropped EXE
PID:116 -
\??\c:\xfllrxf.exec:\xfllrxf.exe62⤵
- Executes dropped EXE
PID:1996 -
\??\c:\tntntn.exec:\tntntn.exe63⤵
- Executes dropped EXE
PID:744 -
\??\c:\9pjvp.exec:\9pjvp.exe64⤵
- Executes dropped EXE
PID:5012 -
\??\c:\xllfxxr.exec:\xllfxxr.exe65⤵
- Executes dropped EXE
PID:4972 -
\??\c:\ntbthh.exec:\ntbthh.exe66⤵
- Executes dropped EXE
PID:4368 -
\??\c:\vpvvd.exec:\vpvvd.exe67⤵PID:4712
-
\??\c:\pvdvj.exec:\pvdvj.exe68⤵PID:4692
-
\??\c:\xrfxxrx.exec:\xrfxxrx.exe69⤵PID:2560
-
\??\c:\tbbnhb.exec:\tbbnhb.exe70⤵PID:1920
-
\??\c:\jddvd.exec:\jddvd.exe71⤵PID:2272
-
\??\c:\ffrrlrr.exec:\ffrrlrr.exe72⤵PID:3980
-
\??\c:\3nhhht.exec:\3nhhht.exe73⤵PID:1612
-
\??\c:\thtnhb.exec:\thtnhb.exe74⤵PID:2696
-
\??\c:\vddvp.exec:\vddvp.exe75⤵PID:372
-
\??\c:\fllfrlf.exec:\fllfrlf.exe76⤵PID:3148
-
\??\c:\3fxrffx.exec:\3fxrffx.exe77⤵PID:4472
-
\??\c:\btnbtn.exec:\btnbtn.exe78⤵PID:1708
-
\??\c:\lxxllff.exec:\lxxllff.exe79⤵PID:1524
-
\??\c:\rffxrlf.exec:\rffxrlf.exe80⤵PID:4904
-
\??\c:\nttnhh.exec:\nttnhh.exe81⤵PID:3144
-
\??\c:\5dvdv.exec:\5dvdv.exe82⤵PID:1740
-
\??\c:\vjjdd.exec:\vjjdd.exe83⤵PID:5076
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe84⤵PID:312
-
\??\c:\7bbbtb.exec:\7bbbtb.exe85⤵PID:4488
-
\??\c:\dpvdj.exec:\dpvdj.exe86⤵PID:3460
-
\??\c:\flrlllf.exec:\flrlllf.exe87⤵PID:4416
-
\??\c:\tnnnhb.exec:\tnnnhb.exe88⤵PID:4008
-
\??\c:\3hthht.exec:\3hthht.exe89⤵PID:332
-
\??\c:\3pppj.exec:\3pppj.exe90⤵PID:436
-
\??\c:\rllfrrl.exec:\rllfrrl.exe91⤵PID:1796
-
\??\c:\flrlfxx.exec:\flrlfxx.exe92⤵PID:628
-
\??\c:\btnnhh.exec:\btnnhh.exe93⤵PID:2852
-
\??\c:\9ppdd.exec:\9ppdd.exe94⤵PID:4740
-
\??\c:\vjpjv.exec:\vjpjv.exe95⤵PID:4412
-
\??\c:\rlrlffx.exec:\rlrlffx.exe96⤵PID:3032
-
\??\c:\thnhbt.exec:\thnhbt.exe97⤵PID:3932
-
\??\c:\bbbttt.exec:\bbbttt.exe98⤵PID:1980
-
\??\c:\vdpjj.exec:\vdpjj.exe99⤵PID:4396
-
\??\c:\3xrlxfr.exec:\3xrlxfr.exe100⤵PID:4860
-
\??\c:\hbnhbb.exec:\hbnhbb.exe101⤵PID:1852
-
\??\c:\hnttnt.exec:\hnttnt.exe102⤵PID:1348
-
\??\c:\dpvvp.exec:\dpvvp.exe103⤵PID:872
-
\??\c:\ttthbn.exec:\ttthbn.exe104⤵PID:4220
-
\??\c:\pdppd.exec:\pdppd.exe105⤵PID:3852
-
\??\c:\xllxrrx.exec:\xllxrrx.exe106⤵PID:4292
-
\??\c:\nbhbtn.exec:\nbhbtn.exe107⤵
- System Location Discovery: System Language Discovery
PID:4640 -
\??\c:\9hhbbb.exec:\9hhbbb.exe108⤵PID:1384
-
\??\c:\3vvpj.exec:\3vvpj.exe109⤵PID:3044
-
\??\c:\7lllrrr.exec:\7lllrrr.exe110⤵PID:116
-
\??\c:\fxrrllf.exec:\fxrrllf.exe111⤵PID:1996
-
\??\c:\1tbbhh.exec:\1tbbhh.exe112⤵PID:744
-
\??\c:\pjvvv.exec:\pjvvv.exe113⤵PID:5012
-
\??\c:\rlrlffr.exec:\rlrlffr.exe114⤵PID:3668
-
\??\c:\nhhbtt.exec:\nhhbtt.exe115⤵PID:4944
-
\??\c:\btnhhb.exec:\btnhhb.exe116⤵PID:452
-
\??\c:\dvpvj.exec:\dvpvj.exe117⤵PID:5072
-
\??\c:\ffxrllf.exec:\ffxrllf.exe118⤵PID:3628
-
\??\c:\bnttnn.exec:\bnttnn.exe119⤵PID:4996
-
\??\c:\btbhhb.exec:\btbhhb.exe120⤵PID:4688
-
\??\c:\djpdp.exec:\djpdp.exe121⤵PID:2536
-
\??\c:\lfrrllx.exec:\lfrrllx.exe122⤵PID:1608