Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2024, 00:11
The signature hits below carry the prefix behavioral2/ and belong to this Windows 10 run.
Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe
Resource: win7-20240903-en
General
Target: 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe
Size: 453KB
MD5: 8a455a6a7bb854e7e369d5eb6ec931c5
SHA1: 06f45e7a87c7436b4332601af212dd7cd7d4c746
SHA256: 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf
SHA512: 7c17fd0cce4f88854ea25251ec838c51616c4518b54e99265f27cef5ef7fdedeb6c9cf512efb08a502e756fa78232cb78f7f95400fd8aef3024251db603ff124
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbety:q7Tc2NYHUrAwfMp3CDty
Malware Config
No extracted configuration is shown for this sample.
Signatures

Blackmoon family

Detect Blackmoon payload (64 IoCs)
Memory dumps matched by YARA rule family_blackmoon. Every hit is the same 0x2A000-byte region at image base 0x00400000, i.e. behavioral2/memory/<pid>-<index>-0x0000000000400000-0x000000000042A000-memory.dmp, consistent with each stage of the chain being a copy of the same image. The <pid>-<index> values, in report order:
3832-5, 2352-13, 4340-19, 4768-24, 3084-30, 3944-35, 4596-42, 3024-49, 868-50, 2076-73, 2336-67, 3664-62, 2108-86, 4188-61, 1344-90, 4368-96,
3972-100, 2056-205, 3056-217, 3016-237, 2616-239, 4320-242, 2972-233, 4504-213, 2232-209, 4556-192, 4736-191, 2352-249, 4352-246, 2276-177, 3180-171, 1140-165,
4628-159, 1952-146, 2812-121, 5020-107, 1896-263, 3124-273, 4512-280, 2568-287, 664-303, 4548-313, 1044-353, 4816-363, 3212-367, 3608-410, 4332-433, 1444-437,
1728-450, 1500-457, 2356-486, 4632-493, 4888-503, 3388-543, 2156-547, 2368-566, 736-588, 608-622, 4592-647, 372-681, 4836-685, 624-806, 4252-1116, 2428-1712
Executes dropped EXE (64 IoCs)
PID and image of each dropped executable, in report order:
2352 bnttnt.exe, 4340 5pjvp.exe, 4768 dvppj.exe, 3084 jjjvj.exe, 3944 9btnhh.exe, 4596 5ppjj.exe, 3024 htbtnn.exe, 868 rrrlffr.exe,
4188 7hnhbh.exe, 3664 3rrlxrf.exe, 2336 xfffrlr.exe, 2076 ntnbth.exe, 2108 pvdvp.exe, 1344 lrxlfxl.exe, 4368 ppdvd.exe, 3972 xrxlffx.exe,
5020 dvjdv.exe, 4260 7xrlxxr.exe, 728 xrxlfxr.exe, 2812 hhbntn.exe, 852 vvpdv.exe, 956 vppdp.exe, 4736 5lfxrrr.exe, 3272 9bhbhh.exe,
1952 1nnhtt.exe, 5028 jjdvv.exe, 4628 lrrlllf.exe, 1140 fffrlfr.exe, 3180 nbbnht.exe, 2276 dpvpj.exe, 936 dvdpd.exe, 3064 9xrrrrf.exe,
4556 xrrlxrl.exe, 4904 7thbnh.exe, 1396 dvvjd.exe, 8 jddpj.exe, 2056 xflxrfx.exe, 2232 9hbntn.exe, 4504 9tnhbt.exe, 3056 ddjjv.exe,
704 fflxrlf.exe, 4604 rxxrlxr.exe, 3584 nbbbth.exe, 2800 1pjdp.exe, 2972 vpdpv.exe, 3016 fxflffx.exe, 2616 tntbbt.exe, 4352 3jjvj.exe,
2352 rxfxlfx.exe, 5060 rllfrrf.exe, 4340 hnnhbb.exe, 1896 3ppjv.exe, 4140 rllffff.exe, 2688 tnnhhh.exe, 3124 fffxrrf.exe, 2032 hhhtnn.exe,
4512 9ppjd.exe, 3612 rflxlfx.exe, 372 hhtbhn.exe, 2568 dpdvv.exe, 2356 3lxrfxl.exe, 1404 nhnhbn.exe, 1840 9ppvp.exe, 664 lxllxxf.exe
PIDs such as 2352 and 4340 recur because the early stages exit quickly and the kernel reuses their PIDs for later stages.
UPX-packed image (YARA rule upx, 64 IoCs)
Memory dumps matched by YARA rule upx, with the same region and naming as above (behavioral2/memory/<pid>-<index>-0x0000000000400000-0x000000000042A000-memory.dmp). The <pid>-<index> values, in report order:
3832-5, 2352-13, 4340-11, 4768-20, 4340-19, 4768-24, 3084-30, 3944-35, 4596-42, 3024-49, 868-50, 2076-73, 4768-79, 2336-67, 3664-62, 2108-86,
4188-61, 1344-90, 4368-96, 3972-100, 2056-205, 3056-217, 3016-237, 2616-239, 4320-242, 2972-233, 4504-213, 2232-209, 4556-192, 2352-249, 4352-246, 2276-177,
3180-171, 1140-165, 4628-159, 1952-146, 2812-121, 5020-107, 1896-263, 3124-273, 4512-280, 2568-287, 664-303, 4548-313, 1044-353, 4816-363, 3212-367, 3608-410,
4332-433, 1444-437, 1728-450, 1500-457, 1452-461, 2356-486, 4632-493, 4888-503, 3388-543, 2156-547, 2368-566, 736-588, 608-622, 4592-647, 372-681, 4836-685
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Every IoC is the same registry read: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The entries that resolve to a named process are, in report order:
vvppd.exe, llrlxxx.exe, fxlfrrf.exe, pdjvv.exe, jppjv.exe, 1jjdp.exe, flrllfx.exe, pdvjd.exe, pjpjd.exe, htthtn.exe, fxxlffr.exe, httnhb.exe, thbbtn.exe, pdvjv.exe, jvjvp.exe, ddjjv.exe, hnthtn.exe
The remaining entries are attributed to "Process not Found" (the short-lived stage had already exited when the entry was resolved).
Suspicious use of WriteProcessMemory (64 IoCs)
Each entry reads "PID <parent> wrote to memory of <child>" followed by the parent PID, the parent image and the target procid; the report records every hop three times. Collapsed to one line per hop (parent PID and image -> child PID, target procid, number of entries):
3832 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe -> 2352 (82), 3
2352 bnttnt.exe -> 4340 (83), 3
4340 5pjvp.exe -> 4768 (84), 3
4768 dvppj.exe -> 3084 (85), 3
3084 jjjvj.exe -> 3944 (86), 3
3944 9btnhh.exe -> 4596 (87), 3
4596 5ppjj.exe -> 3024 (88), 3
3024 htbtnn.exe -> 868 (89), 3
868 rrrlffr.exe -> 4188 (90), 3
4188 7hnhbh.exe -> 3664 (91), 3
3664 3rrlxrf.exe -> 2336 (92), 3
2336 xfffrlr.exe -> 2076 (93), 3
2076 ntnbth.exe -> 2108 (94), 3
2108 pvdvp.exe -> 1344 (95), 3
1344 lrxlfxl.exe -> 4368 (96), 3
4368 ppdvd.exe -> 3972 (97), 3
3972 xrxlffx.exe -> 5020 (98), 3
5020 dvjdv.exe -> 4260 (99), 3
4260 7xrlxxr.exe -> 728 (100), 3
728 xrxlfxr.exe -> 2812 (101), 3
2812 hhbntn.exe -> 852 (102), 3
852 vvpdv.exe -> 956 (103), 1 (the 64-entry list ends here)
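The two lists above are enough to rebuild the dropper chain and to fingerprint it. The script below is an added example for this report, not tria.ge code: it parses a constructed excerpt that copies the format of the "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" entries (first four hops only), collapses the triplicated WriteProcessMemory edges, follows them from the submitted sample's PID, and flags stage names spelled only from the consonant-and-odd-digit alphabet every dropped name in this report uses. The regular expressions, the constructed input strings and the name-alphabet heuristic are assumptions of this example.

```python
"""Rebuild a dropper chain from tria.ge-style signature text.

Added example for this report, not code from tria.ge. The input strings are a
constructed excerpt that copies the format of the "Executes dropped EXE" and
"Suspicious use of WriteProcessMemory" lists (first hops only); the regular
expressions and the name-alphabet heuristic are this example's own assumptions.
"""
import re
from collections import Counter

SAMPLE = "9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe"

# One WriteProcessMemory entry:
# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# One "Executes dropped EXE" entry: "<pid> <image>.exe"
DROP_RE = re.compile(r"(\d+) (\S+\.exe)")

# Constructed excerpt: the report lists every hop three times.
WPM_TEXT = (
    f"PID 3832 wrote to memory of 2352 3832 {SAMPLE} 82 " * 3
    + "PID 2352 wrote to memory of 4340 2352 bnttnt.exe 83 " * 3
    + "PID 4340 wrote to memory of 4768 4340 5pjvp.exe 84 " * 3
    + "PID 4768 wrote to memory of 3084 4768 dvppj.exe 85 "
)
DROP_TEXT = "2352 bnttnt.exe 4340 5pjvp.exe 4768 dvppj.exe 3084 jjjvj.exe"

# Every dropped name in the report is spelled only with these characters
# (consonants b d f h j l n p r t v x and the odd digits). Treating that as a
# family fingerprint is an assumption of this example, not a tria.ge rule.
NAME_ALPHABET = frozenset("bdfhjlnprtvx13579")


def parse_writes(text):
    """Return [((parent_pid, child_pid, parent_image), entry_count), ...]
    with duplicate edges collapsed, in first-seen order."""
    counts = Counter()
    order = []
    for parent, child, image, _procid in WPM_RE.findall(text):
        edge = (int(parent), int(child), image)
        if edge not in counts:
            order.append(edge)
        counts[edge] += 1
    return [(edge, counts[edge]) for edge in order]


def parse_dropped(text):
    """Map PID -> image name from the 'Executes dropped EXE' list."""
    return {int(pid): name for pid, name in DROP_RE.findall(text)}


def build_chain(writes, dropped, root_pid):
    """Follow parent->child edges starting at the submitted sample's PID."""
    next_pid = {parent: child for (parent, child, _img), _n in writes}
    chain, pid = [root_pid], root_pid
    while pid in next_pid:
        pid = next_pid[pid]
        chain.append(pid)
    # The root is not a dropped file, so it has no name in the drop list.
    return [(pid, dropped.get(pid, "?")) for pid in chain]


def looks_like_family_name(image):
    """True for names such as bnttnt.exe or 5pjvp.exe; False for
    explorer.exe or for the submitted sample's hash name."""
    stem = image.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    return 3 <= len(stem) <= 8 and set(stem) <= NAME_ALPHABET


def analyze(wpm_text, drop_text, root_pid):
    """Summarise the chain: hop count, entries per hop, flagged names."""
    writes = parse_writes(wpm_text)
    chain = build_chain(writes, parse_dropped(drop_text), root_pid)
    return {
        "hops": len(chain) - 1,
        "writes_per_hop": [n for _edge, n in writes],
        "chain": chain,
        "family_named": [img for _pid, img in chain
                         if looks_like_family_name(img)],
    }


if __name__ == "__main__":
    result = analyze(WPM_TEXT, DROP_TEXT, 3832)
    for pid, image in result["chain"]:
        print(f"{pid:>5}  {image}")
    print(f"{result['hops']} hops, entries per hop {result['writes_per_hop']}, "
          f"{len(result['family_named'])} family-style names")
```

On the full report the same parser yields the 22 hops listed above and flags every dropped stage; the root sample, named by its SHA-256, is the only image that fails the alphabet check, which is what makes the heuristic useful for spotting this chain in other reports.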
Processes
-
The tree is one straight chain: every process is the child of the one listed before it, and the first column is its depth. Columns: depth, image path as recorded, command line, PID, triggered signatures (E = Executes dropped EXE, W = Suspicious use of WriteProcessMemory, L = System Location Discovery: System Language Discovery).

  1  C:\Users\Admin\AppData\Local\Temp\9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe
     cmd "C:\Users\Admin\AppData\Local\Temp\9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe"   PID 3832   [W]
  2  \??\c:\bnttnt.exe   cmd c:\bnttnt.exe   PID 2352   [E W]
  3  \??\c:\5pjvp.exe   cmd c:\5pjvp.exe   PID 4340   [E W]
  4  \??\c:\dvppj.exe   cmd c:\dvppj.exe   PID 4768   [E W]
  5  \??\c:\jjjvj.exe   cmd c:\jjjvj.exe   PID 3084   [E W]
  6  \??\c:\9btnhh.exe   cmd c:\9btnhh.exe   PID 3944   [E W]
  7  \??\c:\5ppjj.exe   cmd c:\5ppjj.exe   PID 4596   [E W]
  8  \??\c:\htbtnn.exe   cmd c:\htbtnn.exe   PID 3024   [E W]
  9  \??\c:\rrrlffr.exe   cmd c:\rrrlffr.exe   PID 868   [E W]
 10  \??\c:\7hnhbh.exe   cmd c:\7hnhbh.exe   PID 4188   [E W]
 11  \??\c:\3rrlxrf.exe   cmd c:\3rrlxrf.exe   PID 3664   [E W]
 12  \??\c:\xfffrlr.exe   cmd c:\xfffrlr.exe   PID 2336   [E W]
 13  \??\c:\ntnbth.exe   cmd c:\ntnbth.exe   PID 2076   [E W]
 14  \??\c:\pvdvp.exe   cmd c:\pvdvp.exe   PID 2108   [E W]
 15  \??\c:\lrxlfxl.exe   cmd c:\lrxlfxl.exe   PID 1344   [E W]
 16  \??\c:\ppdvd.exe   cmd c:\ppdvd.exe   PID 4368   [E W]
 17  \??\c:\xrxlffx.exe   cmd c:\xrxlffx.exe   PID 3972   [E W]
 18  \??\c:\dvjdv.exe   cmd c:\dvjdv.exe   PID 5020   [E W]
 19  \??\c:\7xrlxxr.exe   cmd c:\7xrlxxr.exe   PID 4260   [E W]
 20  \??\c:\xrxlfxr.exe   cmd c:\xrxlfxr.exe   PID 728   [E W]
 21  \??\c:\hhbntn.exe   cmd c:\hhbntn.exe   PID 2812   [E W]
 22  \??\c:\vvpdv.exe   cmd c:\vvpdv.exe   PID 852   [E W]
 23  \??\c:\vppdp.exe   cmd c:\vppdp.exe   PID 956   [E]
 24  \??\c:\5lfxrrr.exe   cmd c:\5lfxrrr.exe   PID 4736   [E]
 25  \??\c:\9bhbhh.exe   cmd c:\9bhbhh.exe   PID 3272   [E]
 26  \??\c:\1nnhtt.exe   cmd c:\1nnhtt.exe   PID 1952   [E]
 27  \??\c:\jjdvv.exe   cmd c:\jjdvv.exe   PID 5028   [E]
 28  \??\c:\lrrlllf.exe   cmd c:\lrrlllf.exe   PID 4628   [E]
 29  \??\c:\fffrlfr.exe   cmd c:\fffrlfr.exe   PID 1140   [E]
 30  \??\c:\nbbnht.exe   cmd c:\nbbnht.exe   PID 3180   [E]
 31  \??\c:\dpvpj.exe   cmd c:\dpvpj.exe   PID 2276   [E]
 32  \??\c:\dvdpd.exe   cmd c:\dvdpd.exe   PID 936   [E]
 33  \??\c:\9xrrrrf.exe   cmd c:\9xrrrrf.exe   PID 3064   [E]
 34  \??\c:\xrrlxrl.exe   cmd c:\xrrlxrl.exe   PID 4556   [E]
 35  \??\c:\7thbnh.exe   cmd c:\7thbnh.exe   PID 4904   [E]
 36  \??\c:\dvvjd.exe   cmd c:\dvvjd.exe   PID 1396   [E]
 37  \??\c:\jddpj.exe   cmd c:\jddpj.exe   PID 8   [E]
 38  \??\c:\xflxrfx.exe   cmd c:\xflxrfx.exe   PID 2056   [E]
 39  \??\c:\9hbntn.exe   cmd c:\9hbntn.exe   PID 2232   [E]
 40  \??\c:\9tnhbt.exe   cmd c:\9tnhbt.exe   PID 4504   [E]
 41  \??\c:\ddjjv.exe   cmd c:\ddjjv.exe   PID 3056   [E L]
 42  \??\c:\fflxrlf.exe   cmd c:\fflxrlf.exe   PID 704   [E]
 43  \??\c:\rxxrlxr.exe   cmd c:\rxxrlxr.exe   PID 4604   [E]
 44  \??\c:\nbbbth.exe   cmd c:\nbbbth.exe   PID 3584   [E]
 45  \??\c:\1pjdp.exe   cmd c:\1pjdp.exe   PID 2800   [E]
 46  \??\c:\vpdpv.exe   cmd c:\vpdpv.exe   PID 2972   [E]
 47  \??\c:\fxflffx.exe   cmd c:\fxflffx.exe   PID 3016   [E]
 48  \??\c:\tntbbt.exe   cmd c:\tntbbt.exe   PID 2616   [E]
 49  \??\c:\btbttt.exe   cmd c:\btbttt.exe   PID 4320   [no signatures]
 50  \??\c:\3jjvj.exe   cmd c:\3jjvj.exe   PID 4352   [E]
 51  \??\c:\rxfxlfx.exe   cmd c:\rxfxlfx.exe   PID 2352   [E]
 52  \??\c:\rllfrrf.exe   cmd c:\rllfrrf.exe   PID 5060   [E]
 53  \??\c:\hnnhbb.exe   cmd c:\hnnhbb.exe   PID 4340   [E]
 54  \??\c:\3ppjv.exe   cmd c:\3ppjv.exe   PID 1896   [E]
 55  \??\c:\rllffff.exe   cmd c:\rllffff.exe   PID 4140   [E]
 56  \??\c:\tnnhhh.exe   cmd c:\tnnhhh.exe   PID 2688   [E]
 57  \??\c:\fffxrrf.exe   cmd c:\fffxrrf.exe   PID 3124   [E]
 58  \??\c:\hhhtnn.exe   cmd c:\hhhtnn.exe   PID 2032   [E]
 59  \??\c:\9ppjd.exe   cmd c:\9ppjd.exe   PID 4512   [E]
 60  \??\c:\rflxlfx.exe   cmd c:\rflxlfx.exe   PID 3612   [E]
 61  \??\c:\hhtbhn.exe   cmd c:\hhtbhn.exe   PID 372   [E]
 62  \??\c:\dpdvv.exe   cmd c:\dpdvv.exe   PID 2568   [E]
 63  \??\c:\3lxrfxl.exe   cmd c:\3lxrfxl.exe   PID 2356   [E]
 64  \??\c:\nhnhbn.exe   cmd c:\nhnhbn.exe   PID 1404   [E]
 65  \??\c:\9ppvp.exe   cmd c:\9ppvp.exe   PID 1840   [E]
 66  \??\c:\lxllxxf.exe   cmd c:\lxllxxf.exe   PID 664   [E]
 67  \??\c:\3nbthh.exe   cmd c:\3nbthh.exe   PID 1792   [no signatures]
 68  \??\c:\bbnbtt.exe   cmd c:\bbnbtt.exe   PID 916   [no signatures]
 69  \??\c:\hnhbnh.exe   cmd c:\hnhbnh.exe   PID 4548   [no signatures]
 70  \??\c:\pdvjv.exe   cmd c:\pdvjv.exe   PID 4636   [L]
 71  \??\c:\fffxrrl.exe   cmd c:\fffxrrl.exe   PID 396   [no signatures]
 72  \??\c:\3rlrlfx.exe   cmd c:\3rlrlfx.exe   PID 4996   [no signatures]
 73  \??\c:\htthhb.exe   cmd c:\htthhb.exe   PID 3972   [no signatures]
 74  \??\c:\1jjdp.exe   cmd c:\1jjdp.exe   PID 5112   [no signatures]
 75  \??\c:\vvpdp.exe   cmd c:\vvpdp.exe   PID 424   [no signatures]
 76  \??\c:\frrlxff.exe   cmd c:\frrlxff.exe   PID 1076   [no signatures]
 77  \??\c:\htbttn.exe   cmd c:\htbttn.exe   PID 1188   [no signatures]
 78  \??\c:\pdjdp.exe   cmd c:\pdjdp.exe   PID 428   [no signatures]
 79  \??\c:\pdpdp.exe   cmd c:\pdpdp.exe   PID 3896   [no signatures]
 80  \??\c:\flxlrrf.exe   cmd c:\flxlrrf.exe   PID 3772   [no signatures]
 81  \??\c:\bhnnhh.exe   cmd c:\bhnnhh.exe   PID 3632   [no signatures]
 82  \??\c:\jjppv.exe   cmd c:\jjppv.exe   PID 1044   [no signatures]
 83  \??\c:\jdvpj.exe   cmd c:\jdvpj.exe   PID 4628   [no signatures]
 84  \??\c:\5xxlfrl.exe   cmd c:\5xxlfrl.exe   PID 4776   [no signatures]
 85  \??\c:\hhnbtt.exe   cmd c:\hhnbtt.exe   PID 4816   [no signatures]
 86  \??\c:\dvvpj.exe   cmd c:\dvvpj.exe   PID 3212   [no signatures]
 87  \??\c:\3xxxxxx.exe   cmd c:\3xxxxxx.exe   PID 3176   [no signatures]
 88  \??\c:\3nhbnn.exe   cmd c:\3nhbnn.exe   PID 5108   [no signatures]
 89  \??\c:\dpvpd.exe   cmd c:\dpvpd.exe   PID 3204   [no signatures]
 90  \??\c:\xflxlfx.exe   cmd c:\xflxlfx.exe   PID 460   [no signatures]
 91  \??\c:\btttnn.exe   cmd c:\btttnn.exe   PID 316   [no signatures]
 92  \??\c:\dvppd.exe   cmd c:\dvppd.exe   PID 736   [no signatures]
 93  \??\c:\dppdd.exe   cmd c:\dppdd.exe   PID 2944   [no signatures]
 94  \??\c:\7xrlffx.exe   cmd c:\7xrlffx.exe   PID 1428   [no signatures]
 95  \??\c:\7bhbhh.exe   cmd c:\7bhbhh.exe   PID 704   [no signatures]
 96  \??\c:\jjpjp.exe   cmd c:\jjpjp.exe   PID 5008   [no signatures]
 97  \??\c:\lrfxrrl.exe   cmd c:\lrfxrrl.exe   PID 700   [no signatures]
 98  \??\c:\lxlflfl.exe   cmd c:\lxlflfl.exe   PID 960   [no signatures]
 99  \??\c:\1nnhtt.exe   cmd c:\1nnhtt.exe   PID 848   [no signatures]
100  \??\c:\dddvv.exe   cmd c:\dddvv.exe   PID 3608   [no signatures]
101  \??\c:\xffxllf.exe   cmd c:\xffxllf.exe   PID 4648   [no signatures]
102  \??\c:\tbnbtn.exe   cmd c:\tbnbtn.exe   PID 4080   [no signatures]
103  \??\c:\pvjvp.exe   cmd c:\pvjvp.exe   PID 2616   [no signatures]
104  \??\c:\vvjvj.exe   cmd c:\vvjvj.exe   PID 4320   [no signatures]
105  \??\c:\frxxrrr.exe   cmd c:\frxxrrr.exe   PID 4876   [no signatures]
106  \??\c:\hhhbtt.exe   cmd c:\hhhbtt.exe   PID 1980   [no signatures]
107  \??\c:\vpdvv.exe   cmd c:\vpdvv.exe   PID 1012   [no signatures]
108  \??\c:\7xlfxrr.exe   cmd c:\7xlfxrr.exe   PID 4332   [no signatures]
109  \??\c:\frlxxrl.exe   cmd c:\frlxxrl.exe   PID 1444   [no signatures]
110  \??\c:\tntnhh.exe   cmd c:\tntnhh.exe   PID 1328   [no signatures]
111  \??\c:\pddpj.exe   cmd c:\pddpj.exe   PID 4340   [no signatures]
112  \??\c:\lxfffxf.exe   cmd c:\lxfffxf.exe   PID 4620   [no signatures]
113  \??\c:\tnbtnh.exe   cmd c:\tnbtnh.exe   PID 1728   [no signatures]
114  \??\c:\vjvpp.exe   cmd c:\vjvpp.exe   PID 1708   [no signatures]
115  \??\c:\3jdvp.exe   cmd c:\3jdvp.exe   PID 1500   [no signatures]
116  \??\c:\rlfrlfx.exe   cmd c:\rlfrlfx.exe   PID 444   [no signatures]
117  \??\c:\tnnbnh.exe   cmd c:\tnnbnh.exe   PID 1452   [no signatures]
118  \??\c:\djjdv.exe   cmd c:\djjdv.exe   PID 4404   [no signatures]
119  \??\c:\rlxrrrx.exe   cmd c:\rlxrrrx.exe   PID 2484   [no signatures]
120  \??\c:\thhbnn.exe   cmd c:\thhbnn.exe   PID 3612   [no signatures]
121  \??\c:\7nhthh.exe   cmd c:\7nhthh.exe   PID 3436   [no signatures]
122  \??\c:\jjjdj.exe   cmd c:\jjjdj.exe   PID 2696   [no signatures]

Every stage is written to the root of the system drive (c:\) under a short random-looking name and then launches the next stage; the "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" lists are capped at 64 entries, so stages past depth 23 and 66 respectively are shown here without those signatures even though the tree continues.