Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 03:27
Behavioral task
behavioral1
Sample
8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe
Resource
win7-20240903-en
General
-
Target
8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe
-
Size
335KB
-
MD5
fffbebd419419d68fa919b6d8095e437
-
SHA1
8a9fb1b714eee344992b92923e0096ffcb1baea9
-
SHA256
8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1
-
SHA512
6a8b882c13f184a0f6c4f1243d37c16c9140e8016a405f5fd2cf8fcf21ccf02c366c38a04f7c0d05769837516d0052f706b7f5ce87c5da93c45c5887cee270e9
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRt:R4wFHoSHYHUrAwfMp3CDRt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1068-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/544-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1800-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3676-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/896-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/956-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-528-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-737-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-742-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-799-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5004-905-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3116 dvjdv.exe 3092 fffrrlx.exe 2772 tthttn.exe 1380 5ppvp.exe 1264 tnttnn.exe 1992 3nnbtt.exe 3108 xrrllff.exe 4756 tnhtht.exe 3056 pdvpd.exe 3532 3xxrfxr.exe 8 5fxlrlf.exe 4928 5tbbtt.exe 3304 djjdj.exe 3548 lllfxxr.exe 2408 jjdvv.exe 1996 5ddvv.exe 4972 ntbttn.exe 5112 vjvpp.exe 4184 rrlxrxr.exe 3104 xxfxxxr.exe 5104 ddpvv.exe 1352 rfxffxr.exe 5016 hhhhhn.exe 3760 1jjjj.exe 3892 rlxxfff.exe 2064 5hbbtn.exe 2720 ppvpd.exe 1376 dvddd.exe 3000 rlrlrrx.exe 1048 bhhnhh.exe 544 pvpvv.exe 464 xxrlxxr.exe 3936 ffrllrr.exe 412 tnnhhn.exe 1580 frlxrlf.exe 3988 frxrrlr.exe 2876 bbbttt.exe 3840 vddvp.exe 2592 7xrlxxl.exe 3392 bbnhtt.exe 1800 jdvpj.exe 620 pdvjj.exe 3032 nbnhhh.exe 3752 dpjpp.exe 3064 1rlxlfr.exe 3240 hnthhn.exe 4860 rfrxffl.exe 928 7nthnh.exe 3400 vjdjj.exe 4376 rxxllff.exe 1528 ntbbbh.exe 3036 bthhhh.exe 1016 jdpdp.exe 4456 rxxlrxx.exe 4644 xxfxrrx.exe 3024 tnhbtn.exe 1120 jdjdj.exe 4000 llfrlxl.exe 4816 bhbnhb.exe 2276 pjvpj.exe 2860 llllxrl.exe 4368 frrlffx.exe 3004 1htntt.exe 1060 1jppv.exe -
resource yara_rule behavioral2/memory/1068-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b18-5.dat upx behavioral2/memory/1068-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b6d-8.dat upx behavioral2/memory/3116-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-13.dat upx behavioral2/memory/2772-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-19.dat upx behavioral2/memory/3092-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-23.dat upx behavioral2/memory/1380-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-28.dat upx behavioral2/memory/1264-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-33.dat upx behavioral2/files/0x000a000000023b7b-37.dat upx behavioral2/memory/3108-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-42.dat upx behavioral2/memory/4756-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-47.dat upx behavioral2/memory/3532-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-52.dat upx behavioral2/files/0x000a000000023b7f-56.dat upx behavioral2/memory/4928-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-62.dat upx behavioral2/memory/8-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3304-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-66.dat upx behavioral2/files/0x000a000000023b82-71.dat upx behavioral2/memory/2408-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-77.dat upx behavioral2/files/0x000a000000023b84-80.dat upx 
behavioral2/memory/1996-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4972-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-86.dat upx behavioral2/files/0x000a000000023b86-91.dat upx behavioral2/files/0x000a000000023b87-94.dat upx behavioral2/memory/4184-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3104-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-99.dat upx behavioral2/files/0x000c000000023b72-104.dat upx behavioral2/memory/1352-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-110.dat upx behavioral2/memory/5016-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-114.dat upx behavioral2/files/0x000a000000023b8b-119.dat upx behavioral2/memory/3760-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3892-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-123.dat upx behavioral2/memory/2064-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-130.dat upx behavioral2/files/0x000a000000023b90-139.dat upx behavioral2/files/0x000a000000023b91-142.dat upx behavioral2/files/0x000a000000023b92-147.dat upx behavioral2/files/0x000a000000023b93-151.dat upx behavioral2/memory/544-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3936-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/412-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1580-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3988-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1048-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2720-135-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b8f-133.dat upx behavioral2/memory/2876-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1800-179-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
frlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1068 wrote to memory of 3116 1068 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe 82 PID 1068 wrote to memory of 3116 1068 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe 82 PID 1068 wrote to memory of 3116 1068 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe 82 PID 3116 wrote to memory of 3092 3116 dvjdv.exe 83 PID 3116 wrote to memory of 3092 3116 dvjdv.exe 83 PID 3116 wrote to memory of 3092 3116 dvjdv.exe 83 PID 3092 wrote to memory of 2772 3092 fffrrlx.exe 84 PID 3092 wrote to memory of 2772 3092 fffrrlx.exe 84 PID 3092 wrote to memory of 2772 3092 fffrrlx.exe 84 PID 2772 wrote to memory of 1380 2772 tthttn.exe 85 PID 2772 wrote to memory of 1380 2772 tthttn.exe 85 PID 2772 wrote to memory of 1380 2772 tthttn.exe 85 PID 1380 wrote to memory of 1264 1380 5ppvp.exe 86 PID 1380 wrote to memory of 1264 1380 5ppvp.exe 86 PID 1380 wrote to memory of 1264 1380 5ppvp.exe 86 PID 1264 wrote to memory of 1992 1264 tnttnn.exe 87 PID 1264 wrote to memory of 1992 1264 tnttnn.exe 87 PID 1264 wrote to memory of 1992 1264 tnttnn.exe 87 PID 1992 wrote to memory of 3108 1992 3nnbtt.exe 88 PID 1992 wrote to memory of 3108 1992 3nnbtt.exe 88 PID 1992 wrote to memory of 3108 1992 3nnbtt.exe 88 PID 3108 wrote to memory of 4756 3108 xrrllff.exe 89 PID 3108 wrote to memory of 4756 3108 xrrllff.exe 89 PID 3108 wrote to memory of 4756 3108 xrrllff.exe 89 PID 4756 wrote to memory of 3056 4756 tnhtht.exe 90 PID 4756 wrote to memory of 3056 4756 tnhtht.exe 90 PID 4756 wrote to memory of 3056 4756 tnhtht.exe 90 PID 3056 wrote to memory of 3532 3056 pdvpd.exe 91 PID 3056 wrote to memory of 3532 3056 pdvpd.exe 91 PID 3056 wrote to memory of 3532 3056 pdvpd.exe 91 PID 3532 wrote to memory of 8 3532 3xxrfxr.exe 92 PID 3532 wrote to memory of 8 3532 3xxrfxr.exe 92 PID 3532 wrote to memory of 8 3532 3xxrfxr.exe 92 PID 8 wrote to memory of 4928 8 5fxlrlf.exe 93 PID 8 wrote to memory of 4928 8 
5fxlrlf.exe 93 PID 8 wrote to memory of 4928 8 5fxlrlf.exe 93 PID 4928 wrote to memory of 3304 4928 5tbbtt.exe 94 PID 4928 wrote to memory of 3304 4928 5tbbtt.exe 94 PID 4928 wrote to memory of 3304 4928 5tbbtt.exe 94 PID 3304 wrote to memory of 3548 3304 djjdj.exe 95 PID 3304 wrote to memory of 3548 3304 djjdj.exe 95 PID 3304 wrote to memory of 3548 3304 djjdj.exe 95 PID 3548 wrote to memory of 2408 3548 lllfxxr.exe 96 PID 3548 wrote to memory of 2408 3548 lllfxxr.exe 96 PID 3548 wrote to memory of 2408 3548 lllfxxr.exe 96 PID 2408 wrote to memory of 1996 2408 jjdvv.exe 97 PID 2408 wrote to memory of 1996 2408 jjdvv.exe 97 PID 2408 wrote to memory of 1996 2408 jjdvv.exe 97 PID 1996 wrote to memory of 4972 1996 5ddvv.exe 98 PID 1996 wrote to memory of 4972 1996 5ddvv.exe 98 PID 1996 wrote to memory of 4972 1996 5ddvv.exe 98 PID 4972 wrote to memory of 5112 4972 ntbttn.exe 99 PID 4972 wrote to memory of 5112 4972 ntbttn.exe 99 PID 4972 wrote to memory of 5112 4972 ntbttn.exe 99 PID 5112 wrote to memory of 4184 5112 vjvpp.exe 100 PID 5112 wrote to memory of 4184 5112 vjvpp.exe 100 PID 5112 wrote to memory of 4184 5112 vjvpp.exe 100 PID 4184 wrote to memory of 3104 4184 rrlxrxr.exe 101 PID 4184 wrote to memory of 3104 4184 rrlxrxr.exe 101 PID 4184 wrote to memory of 3104 4184 rrlxrxr.exe 101 PID 3104 wrote to memory of 5104 3104 xxfxxxr.exe 102 PID 3104 wrote to memory of 5104 3104 xxfxxxr.exe 102 PID 3104 wrote to memory of 5104 3104 xxfxxxr.exe 102 PID 5104 wrote to memory of 1352 5104 ddpvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe"C:\Users\Admin\AppData\Local\Temp\8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\dvjdv.exec:\dvjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\fffrrlx.exec:\fffrrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\tthttn.exec:\tthttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\5ppvp.exec:\5ppvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\tnttnn.exec:\tnttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\3nnbtt.exec:\3nnbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\xrrllff.exec:\xrrllff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\tnhtht.exec:\tnhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\pdvpd.exec:\pdvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\3xxrfxr.exec:\3xxrfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\5fxlrlf.exec:\5fxlrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\5tbbtt.exec:\5tbbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\djjdj.exec:\djjdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\lllfxxr.exec:\lllfxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\jjdvv.exec:\jjdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\5ddvv.exec:\5ddvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\ntbttn.exec:\ntbttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\vjvpp.exec:\vjvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\rrlxrxr.exec:\rrlxrxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\ddpvv.exec:\ddpvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\rfxffxr.exec:\rfxffxr.exe23⤵
- Executes dropped EXE
PID:1352 -
\??\c:\hhhhhn.exec:\hhhhhn.exe24⤵
- Executes dropped EXE
PID:5016 -
\??\c:\1jjjj.exec:\1jjjj.exe25⤵
- Executes dropped EXE
PID:3760 -
\??\c:\rlxxfff.exec:\rlxxfff.exe26⤵
- Executes dropped EXE
PID:3892 -
\??\c:\5hbbtn.exec:\5hbbtn.exe27⤵
- Executes dropped EXE
PID:2064 -
\??\c:\ppvpd.exec:\ppvpd.exe28⤵
- Executes dropped EXE
PID:2720 -
\??\c:\dvddd.exec:\dvddd.exe29⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe30⤵
- Executes dropped EXE
PID:3000 -
\??\c:\bhhnhh.exec:\bhhnhh.exe31⤵
- Executes dropped EXE
PID:1048 -
\??\c:\pvpvv.exec:\pvpvv.exe32⤵
- Executes dropped EXE
PID:544 -
\??\c:\xxrlxxr.exec:\xxrlxxr.exe33⤵
- Executes dropped EXE
PID:464 -
\??\c:\ffrllrr.exec:\ffrllrr.exe34⤵
- Executes dropped EXE
PID:3936 -
\??\c:\tnnhhn.exec:\tnnhhn.exe35⤵
- Executes dropped EXE
PID:412 -
\??\c:\frlxrlf.exec:\frlxrlf.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580 -
\??\c:\frxrrlr.exec:\frxrrlr.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3988 -
\??\c:\bbbttt.exec:\bbbttt.exe38⤵
- Executes dropped EXE
PID:2876 -
\??\c:\vddvp.exec:\vddvp.exe39⤵
- Executes dropped EXE
PID:3840 -
\??\c:\7xrlxxl.exec:\7xrlxxl.exe40⤵
- Executes dropped EXE
PID:2592 -
\??\c:\bbnhtt.exec:\bbnhtt.exe41⤵
- Executes dropped EXE
PID:3392 -
\??\c:\jdvpj.exec:\jdvpj.exe42⤵
- Executes dropped EXE
PID:1800 -
\??\c:\pdvjj.exec:\pdvjj.exe43⤵
- Executes dropped EXE
PID:620 -
\??\c:\nbnhhh.exec:\nbnhhh.exe44⤵
- Executes dropped EXE
PID:3032 -
\??\c:\dpjpp.exec:\dpjpp.exe45⤵
- Executes dropped EXE
PID:3752 -
\??\c:\1rlxlfr.exec:\1rlxlfr.exe46⤵
- Executes dropped EXE
PID:3064 -
\??\c:\hnthhn.exec:\hnthhn.exe47⤵
- Executes dropped EXE
PID:3240 -
\??\c:\rfrxffl.exec:\rfrxffl.exe48⤵
- Executes dropped EXE
PID:4860 -
\??\c:\7nthnh.exec:\7nthnh.exe49⤵
- Executes dropped EXE
PID:928 -
\??\c:\vjdjj.exec:\vjdjj.exe50⤵
- Executes dropped EXE
PID:3400 -
\??\c:\rxxllff.exec:\rxxllff.exe51⤵
- Executes dropped EXE
PID:4376 -
\??\c:\ntbbbh.exec:\ntbbbh.exe52⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bthhhh.exec:\bthhhh.exe53⤵
- Executes dropped EXE
PID:3036 -
\??\c:\jdpdp.exec:\jdpdp.exe54⤵
- Executes dropped EXE
PID:1016 -
\??\c:\rxxlrxx.exec:\rxxlrxx.exe55⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xxfxrrx.exec:\xxfxrrx.exe56⤵
- Executes dropped EXE
PID:4644 -
\??\c:\tnhbtn.exec:\tnhbtn.exe57⤵
- Executes dropped EXE
PID:3024 -
\??\c:\jdjdj.exec:\jdjdj.exe58⤵
- Executes dropped EXE
PID:1120 -
\??\c:\llfrlxl.exec:\llfrlxl.exe59⤵
- Executes dropped EXE
PID:4000 -
\??\c:\bhbnhb.exec:\bhbnhb.exe60⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pjvpj.exec:\pjvpj.exe61⤵
- Executes dropped EXE
PID:2276 -
\??\c:\llllxrl.exec:\llllxrl.exe62⤵
- Executes dropped EXE
PID:2860 -
\??\c:\frrlffx.exec:\frrlffx.exe63⤵
- Executes dropped EXE
PID:4368 -
\??\c:\1htntt.exec:\1htntt.exe64⤵
- Executes dropped EXE
PID:3004 -
\??\c:\1jppv.exec:\1jppv.exe65⤵
- Executes dropped EXE
PID:1060 -
\??\c:\7lrfrlf.exec:\7lrfrlf.exe66⤵PID:3956
-
\??\c:\hnttbh.exec:\hnttbh.exe67⤵PID:2632
-
\??\c:\nhnbhb.exec:\nhnbhb.exe68⤵PID:776
-
\??\c:\jjvpd.exec:\jjvpd.exe69⤵PID:3440
-
\??\c:\fffrfxl.exec:\fffrfxl.exe70⤵PID:8
-
\??\c:\fxrlfll.exec:\fxrlfll.exe71⤵PID:4948
-
\??\c:\nnnhbt.exec:\nnnhbt.exe72⤵PID:4172
-
\??\c:\7vjdd.exec:\7vjdd.exe73⤵PID:3052
-
\??\c:\xlfrlfx.exec:\xlfrlfx.exe74⤵PID:640
-
\??\c:\1xxrffx.exec:\1xxrffx.exe75⤵PID:4716
-
\??\c:\ntbttn.exec:\ntbttn.exe76⤵PID:4788
-
\??\c:\3ddvv.exec:\3ddvv.exe77⤵PID:636
-
\??\c:\vppvp.exec:\vppvp.exe78⤵PID:3164
-
\??\c:\5fxrxxr.exec:\5fxrxxr.exe79⤵PID:1936
-
\??\c:\hhhhtt.exec:\hhhhtt.exe80⤵PID:3572
-
\??\c:\vppjd.exec:\vppjd.exe81⤵PID:4204
-
\??\c:\vddvp.exec:\vddvp.exe82⤵PID:4336
-
\??\c:\5flxrrf.exec:\5flxrrf.exe83⤵PID:2280
-
\??\c:\hbbtnh.exec:\hbbtnh.exe84⤵PID:628
-
\??\c:\jjddp.exec:\jjddp.exe85⤵PID:1332
-
\??\c:\llfxrrr.exec:\llfxrrr.exe86⤵PID:4492
-
\??\c:\bttbtb.exec:\bttbtb.exe87⤵PID:3676
-
\??\c:\btbthb.exec:\btbthb.exe88⤵PID:3760
-
\??\c:\jvpjd.exec:\jvpjd.exe89⤵PID:4128
-
\??\c:\flrlfxr.exec:\flrlfxr.exe90⤵PID:2028
-
\??\c:\lrfrlfx.exec:\lrfrlfx.exe91⤵PID:3484
-
\??\c:\tnbnbn.exec:\tnbnbn.exe92⤵PID:2580
-
\??\c:\vdvpj.exec:\vdvpj.exe93⤵PID:4688
-
\??\c:\dpjvp.exec:\dpjvp.exe94⤵PID:2184
-
\??\c:\frlfrlf.exec:\frlfrlf.exe95⤵PID:3000
-
\??\c:\hnhhbn.exec:\hnhhbn.exe96⤵PID:3576
-
\??\c:\tnnhtt.exec:\tnnhtt.exe97⤵PID:316
-
\??\c:\5vpdv.exec:\5vpdv.exe98⤵PID:1648
-
\??\c:\flffxfx.exec:\flffxfx.exe99⤵PID:1532
-
\??\c:\rfxrllf.exec:\rfxrllf.exe100⤵PID:4284
-
\??\c:\9ntbtt.exec:\9ntbtt.exe101⤵PID:3160
-
\??\c:\1djdv.exec:\1djdv.exe102⤵PID:3844
-
\??\c:\jjjpj.exec:\jjjpj.exe103⤵PID:2300
-
\??\c:\ffxlfxl.exec:\ffxlfxl.exe104⤵PID:3988
-
\??\c:\hnbbbn.exec:\hnbbbn.exe105⤵PID:2876
-
\??\c:\thhbnn.exec:\thhbnn.exe106⤵PID:760
-
\??\c:\jdvjj.exec:\jdvjj.exe107⤵PID:2884
-
\??\c:\dvvjd.exec:\dvvjd.exe108⤵PID:4472
-
\??\c:\xlxlffr.exec:\xlxlffr.exe109⤵PID:536
-
\??\c:\bhbhnt.exec:\bhbhnt.exe110⤵PID:896
-
\??\c:\pjvvv.exec:\pjvvv.exe111⤵PID:4252
-
\??\c:\5ppdv.exec:\5ppdv.exe112⤵PID:2084
-
\??\c:\lxrxlfr.exec:\lxrxlfr.exe113⤵PID:2240
-
\??\c:\ntnhtt.exec:\ntnhtt.exe114⤵PID:1616
-
\??\c:\btnhbt.exec:\btnhbt.exe115⤵PID:2724
-
\??\c:\pjdvj.exec:\pjdvj.exe116⤵PID:2688
-
\??\c:\llrllll.exec:\llrllll.exe117⤵PID:2964
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe118⤵PID:4484
-
\??\c:\nbhbhh.exec:\nbhbhh.exe119⤵PID:232
-
\??\c:\1pvpp.exec:\1pvpp.exe120⤵PID:1528
-
\??\c:\xflfrrl.exec:\xflfrrl.exe121⤵PID:2792
-
\??\c:\rlllrrf.exec:\rlllrrf.exe122⤵PID:3800