Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 11:27
Static task
static1
Behavioral task
behavioral1
Sample
b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cfN.exe
Resource
win7-20240729-en
General
-
Target
b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cfN.exe
-
Size
452KB
-
MD5
975c19201fb17237426cbcd542b42000
-
SHA1
3748f62e0333bf6f5bce48ca4c8c7371d7196dee
-
SHA256
b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cf
-
SHA512
a8072e820e1c893ee464931fc07af988d899e3ec6be0c2e0d147aa6852b34e43c757d0fbf9f9ae8c9609c8516096e4e2a596fe544601e3b49ec0d69c5976b9d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber:q7Tc2NYHUrAwfMp3CDr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5044-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2924-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4464-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-1138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-1504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-1701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4124-1747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5084 5frflfr.exe 2396 3hhnbt.exe 1312 nhbnbt.exe 3404 7ntbnh.exe 4420 tbhbbb.exe 4604 dvdvv.exe 748 rrfxrlf.exe 1816 tbbthh.exe 3384 rfrrrrl.exe 2016 thnhtt.exe 3820 5ddvp.exe 2756 bbnbtb.exe 4484 pjjdj.exe 1576 bbhbnt.exe 4908 9lrlfxx.exe 1840 3xfxxrr.exe 4268 7pjjd.exe 1996 thtntn.exe 4688 nnnhth.exe 2024 ffrlxrl.exe 4392 3lfxfxl.exe 4844 ntbhtt.exe 228 tntnbt.exe 3124 pdvjd.exe 372 vjpdv.exe 2924 jpjvd.exe 1692 xxflxrl.exe 3288 9bnbnh.exe 2328 3lxlfxl.exe 2608 5xrxrlx.exe 4848 djvjv.exe 1336 xffrlxr.exe 980 jvpdp.exe 3908 lrxlxrf.exe 1016 bbbtht.exe 1776 1vvjv.exe 2320 pdvdp.exe 5020 7lfxlff.exe 2372 htthnh.exe 440 jvpdp.exe 4664 dpvvj.exe 212 rllxfxl.exe 536 5nnbhb.exe 2264 dvpjj.exe 4696 3pjvj.exe 984 rlrlxfx.exe 3084 5hhtnb.exe 4316 5vpjv.exe 3940 xxxlxrf.exe 4780 xrrlfxr.exe 5084 vjdpd.exe 4608 vdddp.exe 916 xlrlxlf.exe 5116 nhthth.exe 5068 3vpdj.exe 2600 jvvjd.exe 4420 lxrflfx.exe 1600 5nhbnh.exe 1148 1hhttn.exe 2284 vddpd.exe 2584 llrxlfr.exe 3988 1ththb.exe 3600 5dvjd.exe 4368 ddppp.exe -
resource yara_rule behavioral2/memory/5044-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2328-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4848-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-650-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5044 wrote to memory of 5084 5044 b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cfN.exe 84 PID 5044 wrote to memory of 5084 5044 b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cfN.exe 84 PID 5044 wrote to memory of 5084 5044 b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cfN.exe 84 PID 5084 wrote to memory of 2396 5084 5frflfr.exe 85 PID 5084 wrote to memory of 2396 5084 5frflfr.exe 85 PID 5084 wrote to memory of 2396 5084 5frflfr.exe 85 PID 2396 wrote to memory of 1312 2396 3hhnbt.exe 86 PID 2396 wrote to memory of 1312 2396 3hhnbt.exe 86 PID 2396 wrote to memory of 1312 2396 3hhnbt.exe 86 PID 1312 wrote to memory of 3404 1312 nhbnbt.exe 87 PID 1312 wrote to memory of 3404 1312 nhbnbt.exe 87 PID 1312 wrote to memory of 3404 1312 nhbnbt.exe 87 PID 3404 wrote to memory of 4420 3404 7ntbnh.exe 88 PID 3404 wrote to memory of 4420 3404 7ntbnh.exe 88 PID 3404 wrote to memory of 4420 3404 7ntbnh.exe 88 PID 4420 wrote to memory of 4604 4420 tbhbbb.exe 89 PID 4420 wrote to memory of 4604 4420 tbhbbb.exe 89 PID 4420 wrote to memory of 4604 4420 tbhbbb.exe 89 PID 4604 wrote to memory of 748 4604 dvdvv.exe 90 PID 4604 wrote to memory of 748 4604 dvdvv.exe 90 PID 4604 wrote to memory of 748 4604 dvdvv.exe 90 PID 748 wrote to memory of 1816 748 rrfxrlf.exe 91 PID 748 wrote to memory of 1816 748 rrfxrlf.exe 91 PID 748 wrote to memory of 1816 748 rrfxrlf.exe 91 PID 1816 wrote to memory of 3384 1816 tbbthh.exe 92 PID 1816 wrote to memory of 3384 1816 tbbthh.exe 92 PID 1816 wrote to memory of 3384 1816 tbbthh.exe 92 PID 3384 wrote to memory of 2016 3384 rfrrrrl.exe 93 PID 3384 wrote to memory of 2016 3384 rfrrrrl.exe 93 PID 3384 wrote to memory of 2016 3384 rfrrrrl.exe 93 PID 2016 wrote to memory of 3820 2016 thnhtt.exe 94 PID 2016 wrote to memory of 3820 2016 thnhtt.exe 94 PID 2016 wrote to memory of 3820 2016 thnhtt.exe 94 PID 3820 wrote to memory of 2756 3820 5ddvp.exe 95 PID 3820 wrote to 
memory of 2756 3820 5ddvp.exe 95 PID 3820 wrote to memory of 2756 3820 5ddvp.exe 95 PID 2756 wrote to memory of 4484 2756 bbnbtb.exe 96 PID 2756 wrote to memory of 4484 2756 bbnbtb.exe 96 PID 2756 wrote to memory of 4484 2756 bbnbtb.exe 96 PID 4484 wrote to memory of 1576 4484 pjjdj.exe 97 PID 4484 wrote to memory of 1576 4484 pjjdj.exe 97 PID 4484 wrote to memory of 1576 4484 pjjdj.exe 97 PID 1576 wrote to memory of 4908 1576 bbhbnt.exe 98 PID 1576 wrote to memory of 4908 1576 bbhbnt.exe 98 PID 1576 wrote to memory of 4908 1576 bbhbnt.exe 98 PID 4908 wrote to memory of 1840 4908 9lrlfxx.exe 99 PID 4908 wrote to memory of 1840 4908 9lrlfxx.exe 99 PID 4908 wrote to memory of 1840 4908 9lrlfxx.exe 99 PID 1840 wrote to memory of 4268 1840 3xfxxrr.exe 100 PID 1840 wrote to memory of 4268 1840 3xfxxrr.exe 100 PID 1840 wrote to memory of 4268 1840 3xfxxrr.exe 100 PID 4268 wrote to memory of 1996 4268 7pjjd.exe 101 PID 4268 wrote to memory of 1996 4268 7pjjd.exe 101 PID 4268 wrote to memory of 1996 4268 7pjjd.exe 101 PID 1996 wrote to memory of 4688 1996 thtntn.exe 102 PID 1996 wrote to memory of 4688 1996 thtntn.exe 102 PID 1996 wrote to memory of 4688 1996 thtntn.exe 102 PID 4688 wrote to memory of 2024 4688 nnnhth.exe 103 PID 4688 wrote to memory of 2024 4688 nnnhth.exe 103 PID 4688 wrote to memory of 2024 4688 nnnhth.exe 103 PID 2024 wrote to memory of 4392 2024 ffrlxrl.exe 104 PID 2024 wrote to memory of 4392 2024 ffrlxrl.exe 104 PID 2024 wrote to memory of 4392 2024 ffrlxrl.exe 104 PID 4392 wrote to memory of 4844 4392 3lfxfxl.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cfN.exe"C:\Users\Admin\AppData\Local\Temp\b3c949ec785b5189fe376fcb915d5f1c923f9de3eb19b3b0891f909b619e10cfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\5frflfr.exec:\5frflfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\3hhnbt.exec:\3hhnbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\nhbnbt.exec:\nhbnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\7ntbnh.exec:\7ntbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\tbhbbb.exec:\tbhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\dvdvv.exec:\dvdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\rrfxrlf.exec:\rrfxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\tbbthh.exec:\tbbthh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\rfrrrrl.exec:\rfrrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\thnhtt.exec:\thnhtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\5ddvp.exec:\5ddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\bbnbtb.exec:\bbnbtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\pjjdj.exec:\pjjdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\bbhbnt.exec:\bbhbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\9lrlfxx.exec:\9lrlfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\3xfxxrr.exec:\3xfxxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\7pjjd.exec:\7pjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\thtntn.exec:\thtntn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\nnnhth.exec:\nnnhth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\ffrlxrl.exec:\ffrlxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\3lfxfxl.exec:\3lfxfxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\ntbhtt.exec:\ntbhtt.exe23⤵
- Executes dropped EXE
PID:4844 -
\??\c:\tntnbt.exec:\tntnbt.exe24⤵
- Executes dropped EXE
PID:228 -
\??\c:\pdvjd.exec:\pdvjd.exe25⤵
- Executes dropped EXE
PID:3124 -
\??\c:\vjpdv.exec:\vjpdv.exe26⤵
- Executes dropped EXE
PID:372 -
\??\c:\jpjvd.exec:\jpjvd.exe27⤵
- Executes dropped EXE
PID:2924 -
\??\c:\xxflxrl.exec:\xxflxrl.exe28⤵
- Executes dropped EXE
PID:1692 -
\??\c:\9bnbnh.exec:\9bnbnh.exe29⤵
- Executes dropped EXE
PID:3288 -
\??\c:\3lxlfxl.exec:\3lxlfxl.exe30⤵
- Executes dropped EXE
PID:2328 -
\??\c:\5xrxrlx.exec:\5xrxrlx.exe31⤵
- Executes dropped EXE
PID:2608 -
\??\c:\djvjv.exec:\djvjv.exe32⤵
- Executes dropped EXE
PID:4848 -
\??\c:\xffrlxr.exec:\xffrlxr.exe33⤵
- Executes dropped EXE
PID:1336 -
\??\c:\jvpdp.exec:\jvpdp.exe34⤵
- Executes dropped EXE
PID:980 -
\??\c:\lrxlxrf.exec:\lrxlxrf.exe35⤵
- Executes dropped EXE
PID:3908 -
\??\c:\bbbtht.exec:\bbbtht.exe36⤵
- Executes dropped EXE
PID:1016 -
\??\c:\1vvjv.exec:\1vvjv.exe37⤵
- Executes dropped EXE
PID:1776 -
\??\c:\pdvdp.exec:\pdvdp.exe38⤵
- Executes dropped EXE
PID:2320 -
\??\c:\7lfxlff.exec:\7lfxlff.exe39⤵
- Executes dropped EXE
PID:5020 -
\??\c:\htthnh.exec:\htthnh.exe40⤵
- Executes dropped EXE
PID:2372 -
\??\c:\jvpdp.exec:\jvpdp.exe41⤵
- Executes dropped EXE
PID:440 -
\??\c:\dpvvj.exec:\dpvvj.exe42⤵
- Executes dropped EXE
PID:4664 -
\??\c:\rllxfxl.exec:\rllxfxl.exe43⤵
- Executes dropped EXE
PID:212 -
\??\c:\5nnbhb.exec:\5nnbhb.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\dvpjj.exec:\dvpjj.exe45⤵
- Executes dropped EXE
PID:2264 -
\??\c:\3pjvj.exec:\3pjvj.exe46⤵
- Executes dropped EXE
PID:4696 -
\??\c:\rlrlxfx.exec:\rlrlxfx.exe47⤵
- Executes dropped EXE
PID:984 -
\??\c:\5hhtnb.exec:\5hhtnb.exe48⤵
- Executes dropped EXE
PID:3084 -
\??\c:\5vpjv.exec:\5vpjv.exe49⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe50⤵
- Executes dropped EXE
PID:3940 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe51⤵
- Executes dropped EXE
PID:4780 -
\??\c:\vjdpd.exec:\vjdpd.exe52⤵
- Executes dropped EXE
PID:5084 -
\??\c:\vdddp.exec:\vdddp.exe53⤵
- Executes dropped EXE
PID:4608 -
\??\c:\xlrlxlf.exec:\xlrlxlf.exe54⤵
- Executes dropped EXE
PID:916 -
\??\c:\nhthth.exec:\nhthth.exe55⤵
- Executes dropped EXE
PID:5116 -
\??\c:\3vpdj.exec:\3vpdj.exe56⤵
- Executes dropped EXE
PID:5068 -
\??\c:\jvvjd.exec:\jvvjd.exe57⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lxrflfx.exec:\lxrflfx.exe58⤵
- Executes dropped EXE
PID:4420 -
\??\c:\5nhbnh.exec:\5nhbnh.exe59⤵
- Executes dropped EXE
PID:1600 -
\??\c:\1hhttn.exec:\1hhttn.exe60⤵
- Executes dropped EXE
PID:1148 -
\??\c:\vddpd.exec:\vddpd.exe61⤵
- Executes dropped EXE
PID:2284 -
\??\c:\llrxlfr.exec:\llrxlfr.exe62⤵
- Executes dropped EXE
PID:2584 -
\??\c:\1ththb.exec:\1ththb.exe63⤵
- Executes dropped EXE
PID:3988 -
\??\c:\5dvjd.exec:\5dvjd.exe64⤵
- Executes dropped EXE
PID:3600 -
\??\c:\ddppp.exec:\ddppp.exe65⤵
- Executes dropped EXE
PID:4368 -
\??\c:\lfxlrlx.exec:\lfxlrlx.exe66⤵PID:3860
-
\??\c:\hhhthb.exec:\hhhthb.exe67⤵PID:2792
-
\??\c:\dpdpv.exec:\dpdpv.exe68⤵
- System Location Discovery: System Language Discovery
PID:1348 -
\??\c:\djjdp.exec:\djjdp.exe69⤵PID:4672
-
\??\c:\nbthtn.exec:\nbthtn.exe70⤵PID:4668
-
\??\c:\1djvp.exec:\1djvp.exe71⤵PID:3960
-
\??\c:\lrrfrfr.exec:\lrrfrfr.exe72⤵PID:1424
-
\??\c:\rfffrlf.exec:\rfffrlf.exe73⤵PID:2616
-
\??\c:\tbbnht.exec:\tbbnht.exe74⤵PID:4464
-
\??\c:\pdvjv.exec:\pdvjv.exe75⤵PID:184
-
\??\c:\xrxfrlx.exec:\xrxfrlx.exe76⤵PID:1996
-
\??\c:\7tnhtn.exec:\7tnhtn.exe77⤵PID:4360
-
\??\c:\bbbnbn.exec:\bbbnbn.exe78⤵PID:884
-
\??\c:\vvdpd.exec:\vvdpd.exe79⤵PID:2632
-
\??\c:\lrlxfxr.exec:\lrlxfxr.exe80⤵PID:4960
-
\??\c:\nnnhtn.exec:\nnnhtn.exe81⤵PID:4820
-
\??\c:\9bnbnh.exec:\9bnbnh.exe82⤵PID:4240
-
\??\c:\dppdp.exec:\dppdp.exe83⤵PID:2596
-
\??\c:\9lxlrll.exec:\9lxlrll.exe84⤵PID:1220
-
\??\c:\3htnbt.exec:\3htnbt.exe85⤵PID:3124
-
\??\c:\1vjvd.exec:\1vjvd.exe86⤵PID:372
-
\??\c:\5jvjv.exec:\5jvjv.exe87⤵PID:3004
-
\??\c:\frlxfxl.exec:\frlxfxl.exe88⤵PID:2180
-
\??\c:\hnnhbt.exec:\hnnhbt.exe89⤵PID:3680
-
\??\c:\bnhtht.exec:\bnhtht.exe90⤵PID:3288
-
\??\c:\jddpd.exec:\jddpd.exe91⤵PID:2580
-
\??\c:\frlfrrf.exec:\frlfrrf.exe92⤵PID:1708
-
\??\c:\rxrfrlf.exec:\rxrfrlf.exe93⤵PID:4684
-
\??\c:\nhhtht.exec:\nhhtht.exe94⤵PID:4984
-
\??\c:\dpjpd.exec:\dpjpd.exe95⤵PID:4848
-
\??\c:\vvvpv.exec:\vvvpv.exe96⤵PID:1336
-
\??\c:\5xfrxrx.exec:\5xfrxrx.exe97⤵PID:980
-
\??\c:\bbbbnh.exec:\bbbbnh.exe98⤵PID:4784
-
\??\c:\dpdpd.exec:\dpdpd.exe99⤵PID:648
-
\??\c:\1ddjd.exec:\1ddjd.exe100⤵PID:4588
-
\??\c:\xlfrfxl.exec:\xlfrfxl.exe101⤵PID:2320
-
\??\c:\xlfrlfr.exec:\xlfrlfr.exe102⤵PID:3132
-
\??\c:\htbbbt.exec:\htbbbt.exe103⤵PID:4912
-
\??\c:\djdvj.exec:\djdvj.exe104⤵PID:1944
-
\??\c:\pjdpv.exec:\pjdpv.exe105⤵PID:3184
-
\??\c:\xllxfxl.exec:\xllxfxl.exe106⤵PID:3644
-
\??\c:\1hhbhb.exec:\1hhbhb.exe107⤵PID:1988
-
\??\c:\nnnthb.exec:\nnnthb.exe108⤵PID:3080
-
\??\c:\vvppp.exec:\vvppp.exe109⤵PID:1288
-
\??\c:\lflxflf.exec:\lflxflf.exe110⤵PID:4300
-
\??\c:\3fxlfxr.exec:\3fxlfxr.exe111⤵PID:4280
-
\??\c:\ntbnbt.exec:\ntbnbt.exe112⤵PID:4316
-
\??\c:\3ppjp.exec:\3ppjp.exe113⤵PID:4220
-
\??\c:\fxflxrf.exec:\fxflxrf.exe114⤵PID:4780
-
\??\c:\hbnbnh.exec:\hbnbnh.exe115⤵PID:4888
-
\??\c:\tbhtnh.exec:\tbhtnh.exe116⤵PID:3852
-
\??\c:\pvvjv.exec:\pvvjv.exe117⤵PID:2728
-
\??\c:\xxxlxlx.exec:\xxxlxlx.exe118⤵PID:1720
-
\??\c:\1rxrlxr.exec:\1rxrlxr.exe119⤵PID:1556
-
\??\c:\tnhbnh.exec:\tnhbnh.exe120⤵PID:2056
-
\??\c:\jppdv.exec:\jppdv.exe121⤵PID:1152
-
\??\c:\xrxllfl.exec:\xrxllfl.exe122⤵PID:1204
-