Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/12/2024, 03:55
Behavioral task
behavioral1
Sample
28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe
Resource
win7-20241010-en
General
-
Target
28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe
-
Size
65KB
-
MD5
852322870ee743d9424efc1451bf4f90
-
SHA1
3e7f874aa7baf702debd3fa32e371aaf773001f7
-
SHA256
28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4
-
SHA512
d9205e7253d2357f009d413741dd90b3f0a9656ba3292f001413b3c71122cfbed1ff8e8cb49a7a0ed590a1f7b7ff8517e4ca2c64ea956de03fed52630e3f9c7d
-
SSDEEP
1536:tvQBeOGtrYS3srx93UBWfwC6Ggnouy8gA2l5CcSgui36:thOmTsF93UYfwC6GIoutgVocSr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3372-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1732-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2084-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/428-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3028-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/244-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1616-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3292-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1916-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2384-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/932-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1148-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-523-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/876-585-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-646-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3204-671-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2292-687-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-703-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/264-780-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-815-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-884-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4384-903-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-940-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-1500-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1196-1931-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1732 hbtbtn.exe 2084 vdpvp.exe 4824 3pdjv.exe 1172 rffllrl.exe 428 htnnbb.exe 4060 tnthhb.exe 2076 jpvpj.exe 1128 rrrllll.exe 3376 hbhbtt.exe 3028 jjjdj.exe 2740 9flfrrx.exe 4428 nhhbtt.exe 4296 pjdjv.exe 388 rxfxrrr.exe 244 nbhttb.exe 884 pvvpd.exe 4436 3rlxfff.exe 2028 ttttnt.exe 1860 bhhbtn.exe 1044 dpjjd.exe 1352 rxlrllx.exe 1616 1nnhbt.exe 3348 1nnnbb.exe 1648 jjppj.exe 4880 frfrlrr.exe 3988 7xlffxr.exe 1872 nnhbtn.exe 4468 hbtnbt.exe 3760 jpvpp.exe 1088 7rffxrr.exe 1020 lfllffx.exe 1144 nbbtnh.exe 2744 vjvpd.exe 1868 ffrfxxr.exe 476 nhhhhh.exe 2584 7nbbbb.exe 4848 ppvvd.exe 2752 pjjdp.exe 1768 rflrllr.exe 4676 llxxrrr.exe 4860 hthnnn.exe 1552 1vddv.exe 816 jppvp.exe 32 fllrffl.exe 4508 lflffff.exe 2704 hbbbbb.exe 868 jvpjd.exe 2072 ffxxxxx.exe 1460 tbhhbb.exe 2960 hnhnnn.exe 3292 dppdv.exe 1916 xrxxrxx.exe 3420 ffrrlrr.exe 4040 nhttnn.exe 4864 dppjj.exe 1372 9vddv.exe 2428 fxfxffl.exe 4924 frxxxxx.exe 3380 hbnnhn.exe 4108 ttbhbb.exe 2156 ppddv.exe 4084 rrlfxxx.exe 4348 rxxrrrr.exe 5052 nhnhhh.exe -
resource yara_rule behavioral2/memory/3372-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b81-3.dat upx behavioral2/memory/3372-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c68-12.dat upx behavioral2/memory/1732-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6c-13.dat upx behavioral2/memory/2084-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4824-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6d-22.dat upx behavioral2/memory/1172-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6e-28.dat upx behavioral2/memory/428-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6f-34.dat upx behavioral2/files/0x0007000000023c70-39.dat upx behavioral2/memory/4060-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c71-45.dat upx behavioral2/memory/2076-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1128-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c72-51.dat upx behavioral2/memory/3376-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c73-57.dat upx behavioral2/files/0x0007000000023c74-62.dat upx behavioral2/memory/3028-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c75-68.dat upx behavioral2/files/0x0007000000023c77-73.dat upx behavioral2/memory/4428-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c78-79.dat upx behavioral2/memory/4296-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/388-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c79-87.dat upx behavioral2/files/0x0007000000023c7a-91.dat upx 
behavioral2/memory/244-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7b-99.dat upx behavioral2/memory/884-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-103.dat upx behavioral2/memory/4436-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-110.dat upx behavioral2/memory/2028-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-114.dat upx behavioral2/memory/1860-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-121.dat upx behavioral2/memory/1044-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c80-126.dat upx behavioral2/memory/1352-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1616-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-134.dat upx behavioral2/files/0x0007000000023c82-138.dat upx behavioral2/memory/3348-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1648-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-144.dat upx behavioral2/files/0x0007000000023c84-151.dat upx behavioral2/files/0x0007000000023c86-156.dat upx behavioral2/files/0x0008000000023c69-160.dat upx behavioral2/memory/1872-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4468-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c87-166.dat upx behavioral2/files/0x0007000000023c88-172.dat upx behavioral2/memory/1088-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-178.dat upx behavioral2/files/0x0007000000023c8a-183.dat upx behavioral2/memory/1144-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2584-199-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4848-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4676-216-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3372 wrote to memory of 1732 3372 28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe 83 PID 3372 wrote to memory of 1732 3372 28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe 83 PID 3372 wrote to memory of 1732 3372 28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe 83 PID 1732 wrote to memory of 2084 1732 hbtbtn.exe 84 PID 1732 wrote to memory of 2084 1732 hbtbtn.exe 84 PID 1732 wrote to memory of 2084 1732 hbtbtn.exe 84 PID 2084 wrote to memory of 4824 2084 vdpvp.exe 85 PID 2084 wrote to memory of 4824 2084 vdpvp.exe 85 PID 2084 wrote to memory of 4824 2084 vdpvp.exe 85 PID 4824 wrote to memory of 1172 4824 3pdjv.exe 86 PID 4824 wrote to memory of 1172 4824 3pdjv.exe 86 PID 4824 wrote to memory of 1172 4824 3pdjv.exe 86 PID 1172 wrote to memory of 428 1172 rffllrl.exe 87 PID 1172 wrote to memory of 428 1172 rffllrl.exe 87 PID 1172 wrote to memory of 428 1172 rffllrl.exe 87 PID 428 wrote to memory of 4060 428 htnnbb.exe 88 PID 428 wrote to memory of 4060 428 htnnbb.exe 88 PID 428 wrote to memory of 4060 428 htnnbb.exe 88 PID 4060 wrote to memory of 2076 4060 tnthhb.exe 89 PID 4060 wrote to memory of 2076 4060 tnthhb.exe 89 PID 4060 wrote to memory of 2076 4060 tnthhb.exe 89 PID 2076 wrote to memory of 1128 2076 jpvpj.exe 90 PID 2076 wrote to memory of 1128 2076 jpvpj.exe 90 PID 2076 wrote to memory of 1128 2076 jpvpj.exe 90 PID 1128 wrote to memory of 3376 1128 rrrllll.exe 91 PID 1128 wrote to memory of 3376 1128 rrrllll.exe 91 PID 1128 wrote to memory of 3376 1128 rrrllll.exe 91 PID 3376 wrote to memory of 3028 3376 hbhbtt.exe 92 PID 3376 wrote to memory of 3028 3376 hbhbtt.exe 92 PID 3376 wrote to memory of 3028 3376 hbhbtt.exe 92 PID 3028 wrote to memory of 2740 3028 jjjdj.exe 93 PID 3028 wrote to memory of 2740 3028 jjjdj.exe 93 PID 3028 wrote to memory of 2740 3028 jjjdj.exe 93 PID 2740 wrote to memory of 4428 2740 9flfrrx.exe 94 PID 2740 wrote to memory of 
4428 2740 9flfrrx.exe 94 PID 2740 wrote to memory of 4428 2740 9flfrrx.exe 94 PID 4428 wrote to memory of 4296 4428 nhhbtt.exe 95 PID 4428 wrote to memory of 4296 4428 nhhbtt.exe 95 PID 4428 wrote to memory of 4296 4428 nhhbtt.exe 95 PID 4296 wrote to memory of 388 4296 pjdjv.exe 96 PID 4296 wrote to memory of 388 4296 pjdjv.exe 96 PID 4296 wrote to memory of 388 4296 pjdjv.exe 96 PID 388 wrote to memory of 244 388 rxfxrrr.exe 97 PID 388 wrote to memory of 244 388 rxfxrrr.exe 97 PID 388 wrote to memory of 244 388 rxfxrrr.exe 97 PID 244 wrote to memory of 884 244 nbhttb.exe 98 PID 244 wrote to memory of 884 244 nbhttb.exe 98 PID 244 wrote to memory of 884 244 nbhttb.exe 98 PID 884 wrote to memory of 4436 884 pvvpd.exe 99 PID 884 wrote to memory of 4436 884 pvvpd.exe 99 PID 884 wrote to memory of 4436 884 pvvpd.exe 99 PID 4436 wrote to memory of 2028 4436 3rlxfff.exe 100 PID 4436 wrote to memory of 2028 4436 3rlxfff.exe 100 PID 4436 wrote to memory of 2028 4436 3rlxfff.exe 100 PID 2028 wrote to memory of 1860 2028 ttttnt.exe 101 PID 2028 wrote to memory of 1860 2028 ttttnt.exe 101 PID 2028 wrote to memory of 1860 2028 ttttnt.exe 101 PID 1860 wrote to memory of 1044 1860 bhhbtn.exe 102 PID 1860 wrote to memory of 1044 1860 bhhbtn.exe 102 PID 1860 wrote to memory of 1044 1860 bhhbtn.exe 102 PID 1044 wrote to memory of 1352 1044 dpjjd.exe 103 PID 1044 wrote to memory of 1352 1044 dpjjd.exe 103 PID 1044 wrote to memory of 1352 1044 dpjjd.exe 103 PID 1352 wrote to memory of 1616 1352 rxlrllx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe"C:\Users\Admin\AppData\Local\Temp\28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\hbtbtn.exec:\hbtbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\vdpvp.exec:\vdpvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\3pdjv.exec:\3pdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\rffllrl.exec:\rffllrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\htnnbb.exec:\htnnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\tnthhb.exec:\tnthhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\jpvpj.exec:\jpvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\rrrllll.exec:\rrrllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\hbhbtt.exec:\hbhbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\jjjdj.exec:\jjjdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\9flfrrx.exec:\9flfrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\nhhbtt.exec:\nhhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\pjdjv.exec:\pjdjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\nbhttb.exec:\nbhttb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\pvvpd.exec:\pvvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\3rlxfff.exec:\3rlxfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\ttttnt.exec:\ttttnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\bhhbtn.exec:\bhhbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\dpjjd.exec:\dpjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\rxlrllx.exec:\rxlrllx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\1nnhbt.exec:\1nnhbt.exe23⤵
- Executes dropped EXE
PID:1616 -
\??\c:\1nnnbb.exec:\1nnnbb.exe24⤵
- Executes dropped EXE
PID:3348 -
\??\c:\jjppj.exec:\jjppj.exe25⤵
- Executes dropped EXE
PID:1648 -
\??\c:\frfrlrr.exec:\frfrlrr.exe26⤵
- Executes dropped EXE
PID:4880 -
\??\c:\7xlffxr.exec:\7xlffxr.exe27⤵
- Executes dropped EXE
PID:3988 -
\??\c:\nnhbtn.exec:\nnhbtn.exe28⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hbtnbt.exec:\hbtnbt.exe29⤵
- Executes dropped EXE
PID:4468 -
\??\c:\jpvpp.exec:\jpvpp.exe30⤵
- Executes dropped EXE
PID:3760 -
\??\c:\7rffxrr.exec:\7rffxrr.exe31⤵
- Executes dropped EXE
PID:1088 -
\??\c:\lfllffx.exec:\lfllffx.exe32⤵
- Executes dropped EXE
PID:1020 -
\??\c:\nbbtnh.exec:\nbbtnh.exe33⤵
- Executes dropped EXE
PID:1144 -
\??\c:\vjvpd.exec:\vjvpd.exe34⤵
- Executes dropped EXE
PID:2744 -
\??\c:\ffrfxxr.exec:\ffrfxxr.exe35⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nhhhhh.exec:\nhhhhh.exe36⤵
- Executes dropped EXE
PID:476 -
\??\c:\7nbbbb.exec:\7nbbbb.exe37⤵
- Executes dropped EXE
PID:2584 -
\??\c:\ppvvd.exec:\ppvvd.exe38⤵
- Executes dropped EXE
PID:4848 -
\??\c:\pjjdp.exec:\pjjdp.exe39⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rflrllr.exec:\rflrllr.exe40⤵
- Executes dropped EXE
PID:1768 -
\??\c:\llxxrrr.exec:\llxxrrr.exe41⤵
- Executes dropped EXE
PID:4676 -
\??\c:\hthnnn.exec:\hthnnn.exe42⤵
- Executes dropped EXE
PID:4860 -
\??\c:\1vddv.exec:\1vddv.exe43⤵
- Executes dropped EXE
PID:1552 -
\??\c:\jppvp.exec:\jppvp.exe44⤵
- Executes dropped EXE
PID:816 -
\??\c:\fllrffl.exec:\fllrffl.exe45⤵
- Executes dropped EXE
PID:32 -
\??\c:\lflffff.exec:\lflffff.exe46⤵
- Executes dropped EXE
PID:4508 -
\??\c:\hbbbbb.exec:\hbbbbb.exe47⤵
- Executes dropped EXE
PID:2704 -
\??\c:\jvpjd.exec:\jvpjd.exe48⤵
- Executes dropped EXE
PID:868 -
\??\c:\dpppj.exec:\dpppj.exe49⤵PID:2644
-
\??\c:\ffxxxxx.exec:\ffxxxxx.exe50⤵
- Executes dropped EXE
PID:2072 -
\??\c:\tbhhbb.exec:\tbhhbb.exe51⤵
- Executes dropped EXE
PID:1460 -
\??\c:\hnhnnn.exec:\hnhnnn.exe52⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dppdv.exec:\dppdv.exe53⤵
- Executes dropped EXE
PID:3292 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe54⤵
- Executes dropped EXE
PID:1916 -
\??\c:\ffrrlrr.exec:\ffrrlrr.exe55⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nhttnn.exec:\nhttnn.exe56⤵
- Executes dropped EXE
PID:4040 -
\??\c:\dppjj.exec:\dppjj.exe57⤵
- Executes dropped EXE
PID:4864 -
\??\c:\9vddv.exec:\9vddv.exe58⤵
- Executes dropped EXE
PID:1372 -
\??\c:\fxfxffl.exec:\fxfxffl.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\frxxxxx.exec:\frxxxxx.exe60⤵
- Executes dropped EXE
PID:4924 -
\??\c:\hbnnhn.exec:\hbnnhn.exe61⤵
- Executes dropped EXE
PID:3380 -
\??\c:\ttbhbb.exec:\ttbhbb.exe62⤵
- Executes dropped EXE
PID:4108 -
\??\c:\ppddv.exec:\ppddv.exe63⤵
- Executes dropped EXE
PID:2156 -
\??\c:\rrlfxxx.exec:\rrlfxxx.exe64⤵
- Executes dropped EXE
PID:4084 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe65⤵
- Executes dropped EXE
PID:4348 -
\??\c:\nhnhhh.exec:\nhnhhh.exe66⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vjjdp.exec:\vjjdp.exe67⤵PID:4808
-
\??\c:\dvddp.exec:\dvddp.exe68⤵PID:2384
-
\??\c:\rffxlll.exec:\rffxlll.exe69⤵PID:4976
-
\??\c:\nhbbtn.exec:\nhbbtn.exe70⤵PID:1672
-
\??\c:\bthbnn.exec:\bthbnn.exe71⤵PID:884
-
\??\c:\jjjjd.exec:\jjjjd.exe72⤵PID:2016
-
\??\c:\pvdjd.exec:\pvdjd.exe73⤵PID:4068
-
\??\c:\ffxrllf.exec:\ffxrllf.exe74⤵PID:1572
-
\??\c:\ntttnt.exec:\ntttnt.exe75⤵PID:3936
-
\??\c:\rffxrxr.exec:\rffxrxr.exe76⤵PID:3656
-
\??\c:\btbbnh.exec:\btbbnh.exe77⤵PID:4928
-
\??\c:\pdpdv.exec:\pdpdv.exe78⤵PID:932
-
\??\c:\5jdjd.exec:\5jdjd.exe79⤵PID:1148
-
\??\c:\rrrfxxx.exec:\rrrfxxx.exe80⤵PID:1644
-
\??\c:\ttnnnh.exec:\ttnnnh.exe81⤵PID:1640
-
\??\c:\9jvjv.exec:\9jvjv.exe82⤵PID:3664
-
\??\c:\xrlllll.exec:\xrlllll.exe83⤵PID:3464
-
\??\c:\bbbbtt.exec:\bbbbtt.exe84⤵PID:1588
-
\??\c:\ddjjd.exec:\ddjjd.exe85⤵PID:1832
-
\??\c:\pdddd.exec:\pdddd.exe86⤵PID:4796
-
\??\c:\frrrfll.exec:\frrrfll.exe87⤵PID:1112
-
\??\c:\3tbbtt.exec:\3tbbtt.exe88⤵PID:464
-
\??\c:\jvppj.exec:\jvppj.exe89⤵PID:4376
-
\??\c:\vjjjv.exec:\vjjjv.exe90⤵PID:2736
-
\??\c:\3rllxxx.exec:\3rllxxx.exe91⤵PID:3080
-
\??\c:\xllrrxx.exec:\xllrrxx.exe92⤵PID:2576
-
\??\c:\pddvp.exec:\pddvp.exe93⤵PID:2936
-
\??\c:\3xfxrrr.exec:\3xfxrrr.exe94⤵PID:1868
-
\??\c:\lfxxllr.exec:\lfxxllr.exe95⤵PID:3260
-
\??\c:\tbthbt.exec:\tbthbt.exe96⤵PID:4716
-
\??\c:\vvdvj.exec:\vvdvj.exe97⤵PID:4292
-
\??\c:\lxfrfrr.exec:\lxfrfrr.exe98⤵PID:2372
-
\??\c:\fllfffx.exec:\fllfffx.exe99⤵PID:2684
-
\??\c:\nhbbnn.exec:\nhbbnn.exe100⤵PID:1360
-
\??\c:\jppjj.exec:\jppjj.exe101⤵PID:3624
-
\??\c:\dddvj.exec:\dddvj.exe102⤵PID:1096
-
\??\c:\7ffxxxl.exec:\7ffxxxl.exe103⤵PID:2344
-
\??\c:\rllllll.exec:\rllllll.exe104⤵PID:4600
-
\??\c:\bttnhn.exec:\bttnhn.exe105⤵PID:4732
-
\??\c:\bbnhnn.exec:\bbnhnn.exe106⤵PID:2888
-
\??\c:\jpvvj.exec:\jpvvj.exe107⤵PID:4364
-
\??\c:\flrlfff.exec:\flrlfff.exe108⤵PID:868
-
\??\c:\rlrllll.exec:\rlrllll.exe109⤵PID:2644
-
\??\c:\htbnhh.exec:\htbnhh.exe110⤵PID:2072
-
\??\c:\9djpj.exec:\9djpj.exe111⤵PID:1560
-
\??\c:\pddvp.exec:\pddvp.exe112⤵PID:2960
-
\??\c:\flllxff.exec:\flllxff.exe113⤵PID:3900
-
\??\c:\hhnhbb.exec:\hhnhbb.exe114⤵PID:1916
-
\??\c:\vvpjv.exec:\vvpjv.exe115⤵PID:2420
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe116⤵PID:3044
-
\??\c:\5lxxrff.exec:\5lxxrff.exe117⤵PID:4456
-
\??\c:\3bbbtt.exec:\3bbbtt.exe118⤵PID:1912
-
\??\c:\nnhhbb.exec:\nnhhbb.exe119⤵PID:4748
-
\??\c:\pvvjv.exec:\pvvjv.exe120⤵PID:4920
-
\??\c:\frxxlll.exec:\frxxlll.exe121⤵PID:648
-
\??\c:\hhhtnb.exec:\hhhtnb.exe122⤵PID:1424