Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/10/2024, 00:53

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe
  Resource: win7-20240903-en
General
- Target: 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe
- Size: 333KB
- MD5: 7c6e7b29f0132e1a57d9e08f5246076a
- SHA1: 5b72eed62c110d4b5d22562e83e705faf4fb53ff
- SHA256: 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3
- SHA512: faeb515a321d231797f5184a0c6a246455cc284d3f321221aa2f9b3d52beb8b5894c6eccfe447ddee935d1d1e30088e59251d4289f504a99fc86608f1741ed51
- SSDEEP: 6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPho:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTY
Malware Config
Signatures
- Detect Blackmoon payload (62 IoCs)
  Columns: resource, yara_rule
  behavioral2/memory/3540-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1684-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4868-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3600-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2884-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2556-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1512-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4372-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1860-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2096-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2092-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/760-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3048-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4064-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3268-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/636-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4128-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1708-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3688-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1036-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1244-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4444-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4664-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4260-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/232-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3876-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2544-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2972-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1712-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2268-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4472-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2328-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4328-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4408-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2484-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4204-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1056-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4252-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3296-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4364-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/732-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/64-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3656-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2664-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4808-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3676-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/1428-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2184-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/3704-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4372-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4252-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2624-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2724-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/636-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4688-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/732-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/5116-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/744-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/464-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2896-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/2560-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
  behavioral2/memory/4388-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
- Executes dropped EXE (64 IoCs)
  Columns: pid, Process
  1684 xrrlfxr.exe
  3600 ttbnbb.exe
  4868 nhhbtn.exe
  2636 7pvvp.exe
  2884 djpvj.exe
  2556 tntntn.exe
  1512 dddvj.exe
  2100 xxxlfrf.exe
  4372 nbnhtt.exe
  1860 5pvvp.exe
  2096 flxlrxf.exe
  2092 nhnhhb.exe
  760 vpjdv.exe
  3048 xxxrllf.exe
  4064 jvjvv.exe
  3268 pddvv.exe
  636 lllfxrl.exe
  4128 tttbnn.exe
  1708 pjjvj.exe
  4924 rrxlxrf.exe
  3596 nbhbbt.exe
  3688 httnhb.exe
  1036 pjpjd.exe
  3964 9xxlxlf.exe
  2256 bnhtht.exe
  1244 3dvjv.exe
  3496 hhbnbh.exe
  640 jjdpd.exe
  4444 frlxfxl.exe
  2900 7tnbbt.exe
  4664 pppdj.exe
  4796 fflxlxf.exe
  2312 tbbthh.exe
  1516 pvpdp.exe
  5080 xrrlfxl.exe
  4260 hbnnbt.exe
  3876 dpdpv.exe
  232 xlfrfrf.exe
  2544 lllxrfx.exe
  2972 bhtthb.exe
  3208 1jdpd.exe
  1712 xlrfxlr.exe
  4028 nnhhtn.exe
  2268 jvpvj.exe
  4472 9pjvj.exe
  1324 xlfrxlx.exe
  2328 7nthnh.exe
  4328 9pdpd.exe
  1784 dvvdj.exe
  3244 rllrfrf.exe
  2372 hthhtn.exe
  4180 thnbtn.exe
  2360 1dvjv.exe
  3992 rrlxfxl.exe
  1720 1nhnbn.exe
  956 7thnth.exe
  4408 jdvjj.exe
  2484 lxfflff.exe
  4204 thnbbb.exe
  1104 ntthnb.exe
  1056 jvpdj.exe
  4252 1rfrflx.exe
  3204 htnbnb.exe
  4000 jppvj.exe
- UPX-packed memory regions (yara rule: upx)
  Columns: resource, yara_rule
  behavioral2/memory/3540-6-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3600-13-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1684-12-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4868-21-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3600-19-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2884-31-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2556-41-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1512-48-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4372-55-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1860-64-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2096-70-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/760-76-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2092-78-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/760-84-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3048-88-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4064-95-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3268-100-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/636-106-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4128-112-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4924-121-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1708-120-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3688-136-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1036-142-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1244-153-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1244-159-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4444-174-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4664-186-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2312-191-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4260-204-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/232-210-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3876-208-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2544-216-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2972-220-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1712-227-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2268-234-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4472-238-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2328-245-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4328-249-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4408-276-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2484-280-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4204-284-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1056-291-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4252-295-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4452-302-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3296-315-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4364-331-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/732-362-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/64-381-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3656-391-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2664-395-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4808-408-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3676-412-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/1428-437-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2184-444-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/3704-457-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4372-494-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4252-501-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2624-523-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/2724-527-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/636-540-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/4688-574-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/732-596-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/5116-630-0x0000000000400000-0x000000000042A000-memory.dmp upx
  behavioral2/memory/744-670-0x0000000000400000-0x000000000042A000-memory.dmp upx
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Columns: description, ioc, Process
  Every row has the same description and ioc: "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The Process column, in the order reported, is:
  7jdpd.exe
  Process not Found (5 rows)
  dddvd.exe
  tnnhhh.exe
  Process not Found (5 rows)
  ddvjv.exe
  xlxlxxl.exe
  lfrrrxr.exe
  Process not Found (2 rows)
  hhbbtt.exe
  Process not Found (17 rows)
  pjjvj.exe
  jvpjp.exe
  Process not Found (2 rows)
  rlflxfl.exe
  Process not Found (8 rows)
  vddvj.exe
  Process not Found (1 row)
  rxflxrf.exe
  Process not Found (12 rows)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Columns: description, pid, Process, procid_target (each row below appears three times in the report unless noted)
  PID 3540 wrote to memory of 1684 | 3540 | 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe | 84
  PID 1684 wrote to memory of 3600 | 1684 | xrrlfxr.exe | 85
  PID 3600 wrote to memory of 4868 | 3600 | ttbnbb.exe | 86
  PID 4868 wrote to memory of 2636 | 4868 | nhhbtn.exe | 87
  PID 2636 wrote to memory of 2884 | 2636 | 7pvvp.exe | 88
  PID 2884 wrote to memory of 2556 | 2884 | djpvj.exe | 89
  PID 2556 wrote to memory of 1512 | 2556 | tntntn.exe | 90
  PID 1512 wrote to memory of 2100 | 1512 | dddvj.exe | 91
  PID 2100 wrote to memory of 4372 | 2100 | xxxlfrf.exe | 92
  PID 4372 wrote to memory of 1860 | 4372 | nbnhtt.exe | 93
  PID 1860 wrote to memory of 2096 | 1860 | 5pvvp.exe | 94
  PID 2096 wrote to memory of 2092 | 2096 | flxlrxf.exe | 95
  PID 2092 wrote to memory of 760 | 2092 | nhnhhb.exe | 96
  PID 760 wrote to memory of 3048 | 760 | vpjdv.exe | 97
  PID 3048 wrote to memory of 4064 | 3048 | xxxrllf.exe | 98
  PID 4064 wrote to memory of 3268 | 4064 | jvjvv.exe | 99
  PID 3268 wrote to memory of 636 | 3268 | pddvv.exe | 100
  PID 636 wrote to memory of 4128 | 636 | lllfxrl.exe | 101
  PID 4128 wrote to memory of 1708 | 4128 | tttbnn.exe | 102
  PID 1708 wrote to memory of 4924 | 1708 | pjjvj.exe | 103
  PID 4924 wrote to memory of 3596 | 4924 | rrxlxrf.exe | 104
  PID 3596 wrote to memory of 3688 | 3596 | nbhbbt.exe | 105 (one row; the list is cut off at 64 entries)
Processes
Each entry is numbered by its nesting depth in the process tree; the file path is followed by the command line and the PID, then the signatures matched for that process.

1. C:\Users\Admin\AppData\Local\Temp\9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe"
   PID: 3540
   - Suspicious use of WriteProcessMemory
2. \??\c:\xrrlfxr.exe (command line: c:\xrrlfxr.exe), PID: 1684
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. \??\c:\ttbnbb.exe (command line: c:\ttbnbb.exe), PID: 3600
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. \??\c:\nhhbtn.exe (command line: c:\nhhbtn.exe), PID: 4868
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. \??\c:\7pvvp.exe (command line: c:\7pvvp.exe), PID: 2636
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. \??\c:\djpvj.exe (command line: c:\djpvj.exe), PID: 2884
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. \??\c:\tntntn.exe (command line: c:\tntntn.exe), PID: 2556
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. \??\c:\dddvj.exe (command line: c:\dddvj.exe), PID: 1512
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. \??\c:\xxxlfrf.exe (command line: c:\xxxlfrf.exe), PID: 2100
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. \??\c:\nbnhtt.exe (command line: c:\nbnhtt.exe), PID: 4372
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. \??\c:\5pvvp.exe (command line: c:\5pvvp.exe), PID: 1860
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. \??\c:\flxlrxf.exe (command line: c:\flxlrxf.exe), PID: 2096
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. \??\c:\nhnhhb.exe (command line: c:\nhnhhb.exe), PID: 2092
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. \??\c:\vpjdv.exe (command line: c:\vpjdv.exe), PID: 760
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. \??\c:\xxxrllf.exe (command line: c:\xxxrllf.exe), PID: 3048
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. \??\c:\jvjvv.exe (command line: c:\jvjvv.exe), PID: 4064
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. \??\c:\pddvv.exe (command line: c:\pddvv.exe), PID: 3268
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. \??\c:\lllfxrl.exe (command line: c:\lllfxrl.exe), PID: 636
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. \??\c:\tttbnn.exe (command line: c:\tttbnn.exe), PID: 4128
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. \??\c:\pjjvj.exe (command line: c:\pjjvj.exe), PID: 1708
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
21. \??\c:\rrxlxrf.exe (command line: c:\rrxlxrf.exe), PID: 4924
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. \??\c:\nbhbbt.exe (command line: c:\nbhbbt.exe), PID: 3596
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. \??\c:\httnhb.exe (command line: c:\httnhb.exe), PID: 3688
   - Executes dropped EXE
24. \??\c:\pjpjd.exe (command line: c:\pjpjd.exe), PID: 1036
   - Executes dropped EXE
25. \??\c:\9xxlxlf.exe (command line: c:\9xxlxlf.exe), PID: 3964
   - Executes dropped EXE
26. \??\c:\bnhtht.exe (command line: c:\bnhtht.exe), PID: 2256
   - Executes dropped EXE
27. \??\c:\3dvjv.exe (command line: c:\3dvjv.exe), PID: 1244
   - Executes dropped EXE
28. \??\c:\hhbnbh.exe (command line: c:\hhbnbh.exe), PID: 3496
   - Executes dropped EXE
29. \??\c:\jjdpd.exe (command line: c:\jjdpd.exe), PID: 640
   - Executes dropped EXE
30. \??\c:\frlxfxl.exe (command line: c:\frlxfxl.exe), PID: 4444
   - Executes dropped EXE
31. \??\c:\7tnbbt.exe (command line: c:\7tnbbt.exe), PID: 2900
   - Executes dropped EXE
32. \??\c:\pppdj.exe (command line: c:\pppdj.exe), PID: 4664
   - Executes dropped EXE
33. \??\c:\fflxlxf.exe (command line: c:\fflxlxf.exe), PID: 4796
   - Executes dropped EXE
34. \??\c:\tbbthh.exe (command line: c:\tbbthh.exe), PID: 2312
   - Executes dropped EXE
35. \??\c:\pvpdp.exe (command line: c:\pvpdp.exe), PID: 1516
   - Executes dropped EXE
36. \??\c:\xrrlfxl.exe (command line: c:\xrrlfxl.exe), PID: 5080
   - Executes dropped EXE
37. \??\c:\hbnnbt.exe (command line: c:\hbnnbt.exe), PID: 4260
   - Executes dropped EXE
38. \??\c:\dpdpv.exe (command line: c:\dpdpv.exe), PID: 3876
   - Executes dropped EXE
39. \??\c:\xlfrfrf.exe (command line: c:\xlfrfrf.exe), PID: 232
   - Executes dropped EXE
40. \??\c:\lllxrfx.exe (command line: c:\lllxrfx.exe), PID: 2544
   - Executes dropped EXE
41. \??\c:\bhtthb.exe (command line: c:\bhtthb.exe), PID: 2972
   - Executes dropped EXE
42. \??\c:\1jdpd.exe (command line: c:\1jdpd.exe), PID: 3208
   - Executes dropped EXE
43. \??\c:\xlrfxlr.exe (command line: c:\xlrfxlr.exe), PID: 1712
   - Executes dropped EXE
44. \??\c:\nnhhtn.exe (command line: c:\nnhhtn.exe), PID: 4028
   - Executes dropped EXE
45. \??\c:\jvpvj.exe (command line: c:\jvpvj.exe), PID: 2268
   - Executes dropped EXE
46. \??\c:\9pjvj.exe (command line: c:\9pjvj.exe), PID: 4472
   - Executes dropped EXE
47. \??\c:\xlfrxlx.exe (command line: c:\xlfrxlx.exe), PID: 1324
   - Executes dropped EXE
48. \??\c:\7nthnh.exe (command line: c:\7nthnh.exe), PID: 2328
   - Executes dropped EXE
49. \??\c:\9pdpd.exe (command line: c:\9pdpd.exe), PID: 4328
   - Executes dropped EXE
50. \??\c:\dvvdj.exe (command line: c:\dvvdj.exe), PID: 1784
   - Executes dropped EXE
51. \??\c:\rllrfrf.exe (command line: c:\rllrfrf.exe), PID: 3244
   - Executes dropped EXE
52. \??\c:\hthhtn.exe (command line: c:\hthhtn.exe), PID: 2372
   - Executes dropped EXE
53. \??\c:\thnbtn.exe (command line: c:\thnbtn.exe), PID: 4180
   - Executes dropped EXE
54. \??\c:\1dvjv.exe (command line: c:\1dvjv.exe), PID: 2360
   - Executes dropped EXE
55. \??\c:\rrlxfxl.exe (command line: c:\rrlxfxl.exe), PID: 3992
   - Executes dropped EXE
56. \??\c:\1nhnbn.exe (command line: c:\1nhnbn.exe), PID: 1720
   - Executes dropped EXE
57. \??\c:\7thnth.exe (command line: c:\7thnth.exe), PID: 956
   - Executes dropped EXE
58. \??\c:\jdvjj.exe (command line: c:\jdvjj.exe), PID: 4408
   - Executes dropped EXE
59. \??\c:\lxfflff.exe (command line: c:\lxfflff.exe), PID: 2484
   - Executes dropped EXE
60. \??\c:\thnbbb.exe (command line: c:\thnbbb.exe), PID: 4204
   - Executes dropped EXE
61. \??\c:\ntthnb.exe (command line: c:\ntthnb.exe), PID: 1104
   - Executes dropped EXE
62. \??\c:\jvpdj.exe (command line: c:\jvpdj.exe), PID: 1056
   - Executes dropped EXE
63. \??\c:\1rfrflx.exe (command line: c:\1rfrflx.exe), PID: 4252
   - Executes dropped EXE
64. \??\c:\htnbnb.exe (command line: c:\htnbnb.exe), PID: 3204
   - Executes dropped EXE
65. \??\c:\jppvj.exe (command line: c:\jppvj.exe), PID: 4000
   - Executes dropped EXE
66. \??\c:\fffrfrf.exe (command line: c:\fffrfrf.exe), PID: 4452
67. \??\c:\nbbnnn.exe (command line: c:\nbbnnn.exe), PID: 2092
68. \??\c:\hnhtht.exe (command line: c:\hnhtht.exe), PID: 2480
69. \??\c:\9dvpd.exe (command line: c:\9dvpd.exe), PID: 3296
70. \??\c:\7rflxrx.exe (command line: c:\7rflxrx.exe), PID: 4140
71. \??\c:\ntthnb.exe (command line: c:\ntthnb.exe), PID: 1004
72. \??\c:\hbhbhh.exe (command line: c:\hbhbhh.exe), PID: 4564
73. \??\c:\pdjvp.exe (command line: c:\pdjvp.exe), PID: 3756
74. \??\c:\xffrxrr.exe (command line: c:\xffrxrr.exe), PID: 4364
75. \??\c:\3rxfrlr.exe (command line: c:\3rxfrlr.exe), PID: 636
76. \??\c:\ntnbhb.exe (command line: c:\ntnbhb.exe), PID: 1496
77. \??\c:\jjdpd.exe (command line: c:\jjdpd.exe), PID: 864
78. \??\c:\9xrflff.exe (command line: c:\9xrflff.exe), PID: 1892
79. \??\c:\lrrfrlf.exe (command line: c:\lrrfrlf.exe), PID: 4960
80. \??\c:\ntthtn.exe (command line: c:\ntthtn.exe), PID: 4952
81. \??\c:\pppdj.exe (command line: c:\pppdj.exe), PID: 4516
82. \??\c:\xlllxfx.exe (command line: c:\xlllxfx.exe), PID: 4692
83. \??\c:\rfrfrlx.exe (command line: c:\rfrfrlx.exe), PID: 4932
84. \??\c:\ntnhth.exe (command line: c:\ntnhth.exe), PID: 732
85. \??\c:\vvdpd.exe (command line: c:\vvdpd.exe), PID: 4536
86. \??\c:\rxrfrlf.exe (command line: c:\rxrfrlf.exe), PID: 4688
87. \??\c:\xlrfxlf.exe (command line: c:\xlrfxlf.exe), PID: 1840
88. \??\c:\bnnbnn.exe (command line: c:\bnnbnn.exe), PID: 3248
89. \??\c:\5djpd.exe (command line: c:\5djpd.exe), PID: 2856
90. \??\c:\ddvjv.exe (command line: c:\ddvjv.exe), PID: 64
   - System Location Discovery: System Language Discovery
91. \??\c:\lxrrfrf.exe (command line: c:\lxrrfrf.exe), PID: 2904
92. \??\c:\bnnntn.exe (command line: c:\bnnntn.exe), PID: 2756
93. \??\c:\ttthtn.exe (command line: c:\ttthtn.exe), PID: 3656
94. \??\c:\pdvjp.exe (command line: c:\pdvjp.exe), PID: 2664
95. \??\c:\fllxlfr.exe (command line: c:\fllxlfr.exe), PID: 3700
96. \??\c:\fxfrfrf.exe (command line: c:\fxfrfrf.exe), PID: 2232
97. \??\c:\thbthh.exe (command line: c:\thbthh.exe), PID: 3560
98. \??\c:\pjjvd.exe (command line: c:\pjjvd.exe), PID: 4808
99. \??\c:\jvpdp.exe (command line: c:\jvpdp.exe), PID: 3676
100. \??\c:\xlfrfxx.exe (command line: c:\xlfrfxx.exe), PID: 32
101. \??\c:\1rfrfrf.exe (command line: c:\1rfrfrf.exe), PID: 4780
102. \??\c:\bttnnb.exe (command line: c:\bttnnb.exe), PID: 2608
103. \??\c:\jppvd.exe (command line: c:\jppvd.exe), PID: 2544
104. \??\c:\pvvvd.exe (command line: c:\pvvvd.exe), PID: 2104
105. \??\c:\fllrxfr.exe (command line: c:\fllrxfr.exe), PID: 4212
106. \??\c:\tnbnhb.exe (command line: c:\tnbnhb.exe), PID: 1540
107. \??\c:\djjvp.exe (command line: c:\djjvp.exe), PID: 1428
108. \??\c:\jppdp.exe (command line: c:\jppdp.exe), PID: 4432
109. \??\c:\pdvdp.exe (command line: c:\pdvdp.exe), PID: 2184
110. \??\c:\xfrfrfr.exe (command line: c:\xfrfrfr.exe), PID: 2156
111. \??\c:\7bnbhb.exe (command line: c:\7bnbhb.exe), PID: 1856
112. \??\c:\pjjvp.exe (command line: c:\pjjvp.exe), PID: 1140
113. \??\c:\1xrlxrl.exe (command line: c:\1xrlxrl.exe), PID: 3704
114. \??\c:\lxrfrlx.exe (command line: c:\lxrfrlx.exe), PID: 3224
115. \??\c:\bnthbt.exe (command line: c:\bnthbt.exe), PID: 1916
116. \??\c:\ttnbnh.exe (command line: c:\ttnbnh.exe), PID: 4868
117. \??\c:\jpjpd.exe (command line: c:\jpjpd.exe), PID: 932
118. \??\c:\lllxlfr.exe (command line: c:\lllxlfr.exe), PID: 3160
119. \??\c:\1ffrllx.exe (command line: c:\1ffrllx.exe), PID: 1832
120. \??\c:\ttnhth.exe (command line: c:\ttnhth.exe), PID: 5016
121. \??\c:\dpjvp.exe (command line: c:\dpjvp.exe), PID: 2952
122. \??\c:\pdppd.exe (command line: c:\pdppd.exe), PID: 4532