Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 11:13

Behavioral task: behavioral1
- Sample: 8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe
- Resource: win7-20240729-en
General
- Target: 8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe
- Size: 66KB
- MD5: a078da0526331894b183eeea15ffc350
- SHA1: a6495ed91c1edb436366a3b3b94b8bf4b23227f3
- SHA256: 8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289
- SHA512: 2abb02022ab53fe10fe49be4698f0a3209753ec1573e8e73f74d62d9fa3d8cf8468c611c04dccc4e6e8b13ad43d9cc636b5e5059ad60df0dbbf896cb12484249
- SSDEEP: 1536:/vQBeOGtrYS3srx93UBWfwC6Ggnouy8jb5DiLKrb0d:/hOmTsF93UYfwC6GIoutcKbi
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload 53 IoCs
- Executes dropped EXE 64 IoCs
- System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each process below is spawned by the one directly above it; columns are: depth | image path | command line | PID | matched signatures ("-" when none).
1 | C:\Users\Admin\AppData\Local\Temp\8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe | "C:\Users\Admin\AppData\Local\Temp\8062e1e649cca853619912509d389a18e0402d0bf43a65ecb41db99c04b3e289N.exe" | 376 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2 | \??\c:\pppvj.exe | c:\pppvj.exe | 1940 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\dpdjp.exe | c:\dpdjp.exe | 2884 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\bbhnbn.exe | c:\bbhnbn.exe | 2172 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\hnbntb.exe | c:\hnbntb.exe | 2828 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\3dpvj.exe | c:\3dpvj.exe | 2604 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\1pvvd.exe | c:\1pvvd.exe | 2272 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\fxrrlrr.exe | c:\fxrrlrr.exe | 2128 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\bbhtbn.exe | c:\bbhtbn.exe | 2768 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\hbnnbb.exe | c:\hbnnbb.exe | 2668 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\rrfrfrf.exe | c:\rrfrfrf.exe | 2376 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\rxfxflr.exe | c:\rxfxflr.exe | 404 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\llxrxxl.exe | c:\llxrxxl.exe | 1672 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\hnbbhh.exe | c:\hnbbhh.exe | 2460 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\jdvvd.exe | c:\jdvvd.exe | 2280 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | \??\c:\1lxxxlr.exe | c:\1lxxxlr.exe | 1960 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\llxfxxl.exe | c:\llxfxxl.exe | 1872 | Executes dropped EXE
18 | \??\c:\bbbhtt.exe | c:\bbbhtt.exe | 2468 | Executes dropped EXE
19 | \??\c:\tntbhn.exe | c:\tntbhn.exe | 1420 | Executes dropped EXE
20 | \??\c:\ppvpv.exe | c:\ppvpv.exe | 1104 | Executes dropped EXE
21 | \??\c:\fxxlrll.exe | c:\fxxlrll.exe | 2356 | Executes dropped EXE
22 | \??\c:\rrxxlfl.exe | c:\rrxxlfl.exe | 2144 | Executes dropped EXE
23 | \??\c:\nhbbnn.exe | c:\nhbbnn.exe | 952 | Executes dropped EXE
24 | \??\c:\nhtbnn.exe | c:\nhtbnn.exe | 2176 | Executes dropped EXE
25 | \??\c:\vpvjv.exe | c:\vpvjv.exe | 756 | Executes dropped EXE
26 | \??\c:\pdjpp.exe | c:\pdjpp.exe | 1028 | Executes dropped EXE
27 | \??\c:\rrxfrxf.exe | c:\rrxfrxf.exe | 2200 | Executes dropped EXE
28 | \??\c:\ttbbhn.exe | c:\ttbbhn.exe | 1712 | Executes dropped EXE
29 | \??\c:\3jpdd.exe | c:\3jpdd.exe | 1368 | Executes dropped EXE
30 | \??\c:\rxxllff.exe | c:\rxxllff.exe | 1876 | Executes dropped EXE
31 | \??\c:\3vvjp.exe | c:\3vvjp.exe | 2012 | Executes dropped EXE
32 | \??\c:\jjjpp.exe | c:\jjjpp.exe | 464 | Executes dropped EXE
33 | \??\c:\5thnbt.exe | c:\5thnbt.exe | 1496 | Executes dropped EXE
34 | \??\c:\ddppv.exe | c:\ddppv.exe | 2452 | Executes dropped EXE
35 | \??\c:\rrxfrfr.exe | c:\rrxfrfr.exe | 2320 | Executes dropped EXE
36 | \??\c:\rlllxfl.exe | c:\rlllxfl.exe | 2808 | Executes dropped EXE
37 | \??\c:\tbhnhb.exe | c:\tbhnhb.exe | 2740 | Executes dropped EXE
38 | \??\c:\ddpjp.exe | c:\ddpjp.exe | 2828 | Executes dropped EXE
39 | \??\c:\ppdjv.exe | c:\ppdjv.exe | 2684 | Executes dropped EXE
40 | \??\c:\xxrfrlf.exe | c:\xxrfrlf.exe | 2632 | Executes dropped EXE; System Location Discovery: System Language Discovery
41 | \??\c:\xfxlxrx.exe | c:\xfxlxrx.exe | 2136 | Executes dropped EXE
42 | \??\c:\9tnbnb.exe | c:\9tnbnb.exe | 2612 | Executes dropped EXE
43 | \??\c:\pdjpp.exe | c:\pdjpp.exe | 2768 | Executes dropped EXE; System Location Discovery: System Language Discovery
44 | \??\c:\xxllrfr.exe | c:\xxllrfr.exe | 2652 | Executes dropped EXE
45 | \??\c:\rxrxfrf.exe | c:\rxrxfrf.exe | 2076 | Executes dropped EXE
46 | \??\c:\tbbbnt.exe | c:\tbbbnt.exe | 2376 | Executes dropped EXE
47 | \??\c:\nbntth.exe | c:\nbntth.exe | 2224 | Executes dropped EXE
48 | \??\c:\5vvpd.exe | c:\5vvpd.exe | 2900 | Executes dropped EXE
49 | \??\c:\5lxflrl.exe | c:\5lxflrl.exe | 1120 | Executes dropped EXE
50 | \??\c:\7lfrfxl.exe | c:\7lfrfxl.exe | 1704 | Executes dropped EXE
51 | \??\c:\nnhbth.exe | c:\nnhbth.exe | 2280 | Executes dropped EXE
52 | \??\c:\tthnht.exe | c:\tthnht.exe | 2160 | Executes dropped EXE
53 | \??\c:\vjdjv.exe | c:\vjdjv.exe | 1960 | Executes dropped EXE
54 | \??\c:\vdvpd.exe | c:\vdvpd.exe | 2116 | Executes dropped EXE
55 | \??\c:\xlxfrfx.exe | c:\xlxfrfx.exe | 2464 | Executes dropped EXE
56 | \??\c:\frlxrfx.exe | c:\frlxrfx.exe | 1632 | Executes dropped EXE
57 | \??\c:\9tntht.exe | c:\9tntht.exe | 2692 | Executes dropped EXE
58 | \??\c:\tbbbtb.exe | c:\tbbbtb.exe | 2984 | Executes dropped EXE
59 | \??\c:\3vvvj.exe | c:\3vvvj.exe | 1548 | Executes dropped EXE
60 | \??\c:\pvdvd.exe | c:\pvdvd.exe | 1916 | Executes dropped EXE
61 | \??\c:\7lxflrx.exe | c:\7lxflrx.exe | 1016 | Executes dropped EXE
62 | \??\c:\bbbbnn.exe | c:\bbbbnn.exe | 1800 | Executes dropped EXE; System Location Discovery: System Language Discovery
63 | \??\c:\ttbhnb.exe | c:\ttbhnb.exe | 2512 | Executes dropped EXE
64 | \??\c:\1nbhnt.exe | c:\1nbhnt.exe | 2852 | Executes dropped EXE
65 | \??\c:\djvvd.exe | c:\djvvd.exe | 840 | Executes dropped EXE
66 | \??\c:\vvdjv.exe | c:\vvdjv.exe | 1212 | -
67 | \??\c:\xxlrrrf.exe | c:\xxlrrrf.exe | 2528 | -
68 | \??\c:\7rfffff.exe | c:\7rfffff.exe | 1884 | -
69 | \??\c:\hhbhtb.exe | c:\hhbhtb.exe | 2184 | -
70 | \??\c:\1nnbhh.exe | c:\1nnbhh.exe | 2372 | -
71 | \??\c:\djvvj.exe | c:\djvvj.exe | 2508 | -
72 | \??\c:\9djpv.exe | c:\9djpv.exe | 2944 | -
73 | \??\c:\rxlrxxl.exe | c:\rxlrxxl.exe | 1500 | -
74 | \??\c:\hhhntb.exe | c:\hhhntb.exe | 2012 | -
75 | \??\c:\tnhbtt.exe | c:\tnhbtt.exe | 1768 | -
76 | \??\c:\1pjvj.exe | c:\1pjvj.exe | 464 | -
77 | \??\c:\vdjpp.exe | c:\vdjpp.exe | 1312 | -
78 | \??\c:\lfrflxl.exe | c:\lfrflxl.exe | 2776 | -
79 | \??\c:\xrxxflr.exe | c:\xrxxflr.exe | 2700 | -
80 | \??\c:\3nnhtn.exe | c:\3nnhtn.exe | 2724 | -
81 | \??\c:\pvpjv.exe | c:\pvpjv.exe | 2740 | -
82 | \??\c:\pvjdj.exe | c:\pvjdj.exe | 2044 | -
83 | \??\c:\lxrfrlf.exe | c:\lxrfrlf.exe | 2684 | -
84 | \??\c:\1xlllrx.exe | c:\1xlllrx.exe | 2844 | -
85 | \??\c:\bhntbt.exe | c:\bhntbt.exe | 2608 | -
86 | \??\c:\tttttn.exe | c:\tttttn.exe | 2620 | -
87 | \??\c:\dpjvp.exe | c:\dpjvp.exe | 2660 | -
88 | \??\c:\llxfrfr.exe | c:\llxfrfr.exe | 2616 | -
89 | \??\c:\rflxfxf.exe | c:\rflxfxf.exe | 2244 | -
90 | \??\c:\5tbhnb.exe | c:\5tbhnb.exe | 1364 | -
91 | \??\c:\vpdpv.exe | c:\vpdpv.exe | 1944 | -
92 | \??\c:\ddpjp.exe | c:\ddpjp.exe | 1956 | -
93 | \??\c:\frxflrr.exe | c:\frxflrr.exe | 2516 | -
94 | \??\c:\xrfrflx.exe | c:\xrfrflx.exe | 1920 | -
95 | \??\c:\3thtbb.exe | c:\3thtbb.exe | 2056 | -
96 | \??\c:\nbbhhb.exe | c:\nbbhhb.exe | 1860 | -
97 | \??\c:\jjvjp.exe | c:\jjvjp.exe | 1960 | -
98 | \??\c:\fllxfrr.exe | c:\fllxfrr.exe | 2580 | -
99 | \??\c:\rrffllr.exe | c:\rrffllr.exe | 2464 | -
100 | \??\c:\nttbhh.exe | c:\nttbhh.exe | 264 | -
101 | \??\c:\hnbnbn.exe | c:\hnbnbn.exe | 1060 | -
102 | \??\c:\vvjpv.exe | c:\vvjpv.exe | 2984 | -
103 | \??\c:\pvppv.exe | c:\pvppv.exe | 1548 | -
104 | \??\c:\rrrrxfl.exe | c:\rrrrxfl.exe | 1916 | -
105 | \??\c:\lrfflrx.exe | c:\lrfflrx.exe | 1756 | -
106 | \??\c:\htbhbb.exe | c:\htbhbb.exe | 1800 | -
107 | \??\c:\7hnnnn.exe | c:\7hnnnn.exe | 564 | -
108 | \??\c:\3djjv.exe | c:\3djjv.exe | 1432 | -
109 | \??\c:\pvjjj.exe | c:\pvjjj.exe | 2216 | -
110 | \??\c:\jdppd.exe | c:\jdppd.exe | 1212 | -
111 | \??\c:\llfflrx.exe | c:\llfflrx.exe | 3012 | -
112 | \??\c:\5rxxffl.exe | c:\5rxxffl.exe | 1180 | -
113 | \??\c:\9bnntb.exe | c:\9bnntb.exe | 2184 | -
114 | \??\c:\ttbhtt.exe | c:\ttbhtt.exe | 2936 | -
115 | \??\c:\pvjdj.exe | c:\pvjdj.exe | 1480 | -
116 | \??\c:\jjjpv.exe | c:\jjjpv.exe | 1440 | -
117 | \??\c:\1rxfflr.exe | c:\1rxfflr.exe | 868 | -
118 | \??\c:\rrrlxfl.exe | c:\rrrlxfl.exe | 1908 | -
119 | \??\c:\ttbtbb.exe | c:\ttbtbb.exe | 1072 | -
120 | \??\c:\5htbtt.exe | c:\5htbtt.exe | 1972 | -
121 | \??\c:\dvddd.exe | c:\dvddd.exe | 1572 | -
122 | \??\c:\dddjv.exe | c:\dddjv.exe | 2788 | -