Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2024, 20:18
Static task: static1
Behavioral task: behavioral1
Sample: 166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe
Resource: win7-20240903-en
General
Target: 166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe
Size: 455KB
MD5: 730024d670661855cc6d71257a5b8981
SHA1: 619f085c62270414c08f9877756192b29ae183a6
SHA256: 166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe
SHA512: 793f944801d7ffa17af10f03c8c734d6c543f7704cf06284db51f003a8f89365732b0811696aac426c6ffd2ef873be406232482ba2f928b264433d5060c0f184
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+Y:q7Tc2NYHUrAwfMp3CD+Y
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload (46 IoCs)
resource  yara_rule
behavioral1/memory/812-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2676-17-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2400-21-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2772-29-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2788-48-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/840-44-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2176-64-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2756-76-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2896-74-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2588-92-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2712-100-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1256-110-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2828-127-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2912-130-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1664-139-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1664-142-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2228-156-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/792-168-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2056-165-0x0000000000320000-0x000000000034A000-memory.dmp  family_blackmoon
behavioral1/memory/1944-189-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1136-206-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1060-204-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1352-215-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1352-223-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2072-240-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1432-273-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2428-284-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1848-308-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/316-309-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2360-335-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2500-343-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1596-352-0x0000000000430000-0x000000000045A000-memory.dmp  family_blackmoon
behavioral1/memory/1832-402-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2064-453-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3012-492-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2036-511-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1680-606-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/2996-626-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2092-766-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/3008-770-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1824-802-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2104-821-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2436-824-0x00000000005C0000-0x00000000005EA000-memory.dmp  family_blackmoon
behavioral1/memory/2840-980-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1996-1007-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1824-1088-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid  Process
2676  pdvdj.exe
2400  hntntn.exe
2772  pjddv.exe
840  bhhhht.exe
2788  pppdp.exe
2176  3frxlfl.exe
2896  flxfxfr.exe
2756  nnhnbh.exe
2588  pvpjj.exe
2712  1bnbnb.exe
1256  dppdd.exe
2852  bbtbhh.exe
2828  ddjpj.exe
2912  tnnbht.exe
1664  pppjv.exe
2228  llflffx.exe
2056  vpjvp.exe
792  hbtthn.exe
540  jdvdj.exe
1944  rxlxrxx.exe
1060  jjdvd.exe
1136  vpdvj.exe
1352  jpvjv.exe
772  xrxxfrr.exe
2072  rlfxrrx.exe
660  vvjvp.exe
2436  xfllrxr.exe
1696  5nttnt.exe
1432  vpdvv.exe
2428  ddvvp.exe
2952  xflfxlf.exe
1756  pjvvd.exe
1848  xxrxrfx.exe
316  5ttnht.exe
1592  vpppv.exe
1596  frlxllx.exe
2360  1nhnbn.exe
2500  ppjdv.exe
2856  xxxlxlf.exe
2796  htbntb.exe
2880  hhhnbh.exe
2876  1pjdj.exe
2872  rllrxlx.exe
2608  bhnhnh.exe
2668  1vdvd.exe
2588  1vvvd.exe
648  ffrllxx.exe
1832  tnbbtn.exe
1368  nhhthh.exe
1480  pjddp.exe
2460  lfrxlxl.exe
1916  bnbhtt.exe
1952  vppvp.exe
2152  jjdjv.exe
2112  xrfrlxf.exe
2064  nhtthn.exe
592  ttnhbh.exe
568  lrflfrl.exe
1488  xxlxlrl.exe
1068  hbnnbh.exe
3012  dvpvj.exe
1960  rllrxfr.exe
2480  hbhtht.exe
2036  7bnnbb.exe
resource  yara_rule
behavioral1/memory/812-0-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/812-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2676-17-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2400-21-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2772-29-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2788-48-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/840-44-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2176-56-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2176-64-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2756-76-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2896-74-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2588-92-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2712-100-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2852-111-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1256-110-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2828-127-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2912-130-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1664-139-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2228-156-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/792-168-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1060-194-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1136-206-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1060-204-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1352-215-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2072-240-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1696-257-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2428-275-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1432-273-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2428-284-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1848-300-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1848-308-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/316-309-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2360-335-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2856-344-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2796-351-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2876-365-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1832-402-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1916-428-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2064-453-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3012-491-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/3012-492-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2000-538-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2696-613-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2996-626-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2596-653-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3004-767-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3008-770-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1824-795-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2104-821-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2444-855-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2876-930-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2840-980-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/1996-1007-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/584-1113-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened (all 64 rows)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 64 rows)
Process (one row each, in report order):
tnntbh.exe
pvjpj.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
bhhhht.exe
7dvdp.exe
5pppd.exe
9pvdd.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
bttbtb.exe
rlfrflx.exe
Process not Found
Process not Found
Process not Found
5hbhbb.exe
3jdjd.exe
Process not Found
nnntnt.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
bnttbb.exe
3tntbh.exe
xrlrxxf.exe
bhnbtn.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
3rlflxl.exe
9ttbtb.exe
Process not Found
Process not Found
Process not Found
Process not Found
5bhbnt.exe
tbbtnb.exe
Process not Found
Process not Found
Process not Found
Process not Found
9ddjp.exe
fxxxlrf.exe
Process not Found
Process not Found
Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target  (each row is reported four times; count shown)
PID 812 wrote to memory of 2676  812  166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe  30  (x4)
PID 2676 wrote to memory of 2400  2676  pdvdj.exe  31  (x4)
PID 2400 wrote to memory of 2772  2400  hntntn.exe  32  (x4)
PID 2772 wrote to memory of 840  2772  pjddv.exe  33  (x4)
PID 840 wrote to memory of 2788  840  bhhhht.exe  34  (x4)
PID 2788 wrote to memory of 2176  2788  pppdp.exe  35  (x4)
PID 2176 wrote to memory of 2896  2176  3frxlfl.exe  36  (x4)
PID 2896 wrote to memory of 2756  2896  flxfxfr.exe  37  (x4)
PID 2756 wrote to memory of 2588  2756  nnhnbh.exe  38  (x4)
PID 2588 wrote to memory of 2712  2588  pvpjj.exe  39  (x4)
PID 2712 wrote to memory of 1256  2712  1bnbnb.exe  40  (x4)
PID 1256 wrote to memory of 2852  1256  dppdd.exe  41  (x4)
PID 2852 wrote to memory of 2828  2852  bbtbhh.exe  42  (x4)
PID 2828 wrote to memory of 2912  2828  ddjpj.exe  43  (x4)
PID 2912 wrote to memory of 1664  2912  tnnbht.exe  44  (x4)
PID 1664 wrote to memory of 2228  1664  pppjv.exe  45  (x4)
Processes
depth  image  command line  PID  signatures
1  C:\Users\Admin\AppData\Local\Temp\166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe  "C:\Users\Admin\AppData\Local\Temp\166d075e0dfeb7618231a5da3953ff9abf01a83c664f5a757b67d48ff6bebebe.exe"  812  Suspicious use of WriteProcessMemory
2  \??\c:\pdvdj.exe  c:\pdvdj.exe  2676  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\hntntn.exe  c:\hntntn.exe  2400  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\pjddv.exe  c:\pjddv.exe  2772  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\bhhhht.exe  c:\bhhhht.exe  840  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6  \??\c:\pppdp.exe  c:\pppdp.exe  2788  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\3frxlfl.exe  c:\3frxlfl.exe  2176  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\flxfxfr.exe  c:\flxfxfr.exe  2896  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\nnhnbh.exe  c:\nnhnbh.exe  2756  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\pvpjj.exe  c:\pvpjj.exe  2588  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\1bnbnb.exe  c:\1bnbnb.exe  2712  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\dppdd.exe  c:\dppdd.exe  1256  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\bbtbhh.exe  c:\bbtbhh.exe  2852  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\ddjpj.exe  c:\ddjpj.exe  2828  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\tnnbht.exe  c:\tnnbht.exe  2912  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\pppjv.exe  c:\pppjv.exe  1664  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\llflffx.exe  c:\llflffx.exe  2228  Executes dropped EXE
18  \??\c:\vpjvp.exe  c:\vpjvp.exe  2056  Executes dropped EXE
19  \??\c:\hbtthn.exe  c:\hbtthn.exe  792  Executes dropped EXE
20  \??\c:\jdvdj.exe  c:\jdvdj.exe  540  Executes dropped EXE
21  \??\c:\rxlxrxx.exe  c:\rxlxrxx.exe  1944  Executes dropped EXE
22  \??\c:\jjdvd.exe  c:\jjdvd.exe  1060  Executes dropped EXE
23  \??\c:\vpdvj.exe  c:\vpdvj.exe  1136  Executes dropped EXE
24  \??\c:\jpvjv.exe  c:\jpvjv.exe  1352  Executes dropped EXE
25  \??\c:\xrxxfrr.exe  c:\xrxxfrr.exe  772  Executes dropped EXE
26  \??\c:\rlfxrrx.exe  c:\rlfxrrx.exe  2072  Executes dropped EXE
27  \??\c:\vvjvp.exe  c:\vvjvp.exe  660  Executes dropped EXE
28  \??\c:\xfllrxr.exe  c:\xfllrxr.exe  2436  Executes dropped EXE
29  \??\c:\5nttnt.exe  c:\5nttnt.exe  1696  Executes dropped EXE
30  \??\c:\vpdvv.exe  c:\vpdvv.exe  1432  Executes dropped EXE
31  \??\c:\ddvvp.exe  c:\ddvvp.exe  2428  Executes dropped EXE
32  \??\c:\xflfxlf.exe  c:\xflfxlf.exe  2952  Executes dropped EXE
33  \??\c:\pjvvd.exe  c:\pjvvd.exe  1756  Executes dropped EXE
34  \??\c:\xxrxrfx.exe  c:\xxrxrfx.exe  1848  Executes dropped EXE
35  \??\c:\5ttnht.exe  c:\5ttnht.exe  316  Executes dropped EXE
36  \??\c:\vpppv.exe  c:\vpppv.exe  1592  Executes dropped EXE
37  \??\c:\frlxllx.exe  c:\frlxllx.exe  1596  Executes dropped EXE
38  \??\c:\1nhnbn.exe  c:\1nhnbn.exe  2360  Executes dropped EXE
39  \??\c:\ppjdv.exe  c:\ppjdv.exe  2500  Executes dropped EXE
40  \??\c:\xxxlxlf.exe  c:\xxxlxlf.exe  2856  Executes dropped EXE
41  \??\c:\htbntb.exe  c:\htbntb.exe  2796  Executes dropped EXE
42  \??\c:\hhhnbh.exe  c:\hhhnbh.exe  2880  Executes dropped EXE
43  \??\c:\1pjdj.exe  c:\1pjdj.exe  2876  Executes dropped EXE
44  \??\c:\rllrxlx.exe  c:\rllrxlx.exe  2872  Executes dropped EXE
45  \??\c:\bhnhnh.exe  c:\bhnhnh.exe  2608  Executes dropped EXE
46  \??\c:\1vdvd.exe  c:\1vdvd.exe  2668  Executes dropped EXE
47  \??\c:\1vvvd.exe  c:\1vvvd.exe  2588  Executes dropped EXE
48  \??\c:\ffrllxx.exe  c:\ffrllxx.exe  648  Executes dropped EXE
49  \??\c:\tnbbtn.exe  c:\tnbbtn.exe  1832  Executes dropped EXE
50  \??\c:\nhhthh.exe  c:\nhhthh.exe  1368  Executes dropped EXE
51  \??\c:\pjddp.exe  c:\pjddp.exe  1480  Executes dropped EXE
52  \??\c:\lfrxlxl.exe  c:\lfrxlxl.exe  2460  Executes dropped EXE
53  \??\c:\bnbhtt.exe  c:\bnbhtt.exe  1916  Executes dropped EXE
54  \??\c:\vppvp.exe  c:\vppvp.exe  1952  Executes dropped EXE
55  \??\c:\jjdjv.exe  c:\jjdjv.exe  2152  Executes dropped EXE
56  \??\c:\xrfrlxf.exe  c:\xrfrlxf.exe  2112  Executes dropped EXE
57  \??\c:\nhtthn.exe  c:\nhtthn.exe  2064  Executes dropped EXE
58  \??\c:\ttnhbh.exe  c:\ttnhbh.exe  592  Executes dropped EXE
59  \??\c:\lrflfrl.exe  c:\lrflfrl.exe  568  Executes dropped EXE
60  \??\c:\xxlxlrl.exe  c:\xxlxlrl.exe  1488  Executes dropped EXE
61  \??\c:\hbnnbh.exe  c:\hbnnbh.exe  1068  Executes dropped EXE
62  \??\c:\dvpvj.exe  c:\dvpvj.exe  3012  Executes dropped EXE
63  \??\c:\rllrxfr.exe  c:\rllrxfr.exe  1960  Executes dropped EXE
64  \??\c:\hbhtht.exe  c:\hbhtht.exe  2480  Executes dropped EXE
65  \??\c:\7bnnbb.exe  c:\7bnnbb.exe  2036  Executes dropped EXE
66  \??\c:\jdvdv.exe  c:\jdvdv.exe  1388
67  \??\c:\3rllrxf.exe  c:\3rllrxf.exe  1656
68  \??\c:\nhtbtt.exe  c:\nhtbtt.exe  892
69  \??\c:\ntnthn.exe  c:\ntnthn.exe  612
70  \??\c:\dvvjp.exe  c:\dvvjp.exe  2000
71  \??\c:\xrlrlrf.exe  c:\xrlrlrf.exe  2552
72  \??\c:\tnbhth.exe  c:\tnbhth.exe  1936
73  \??\c:\7ppdj.exe  c:\7ppdj.exe  556
74  \??\c:\vdvpp.exe  c:\vdvpp.exe  2016
75  \??\c:\lfflrfx.exe  c:\lfflrfx.exe  2444
76  \??\c:\ttnnnh.exe  c:\ttnnnh.exe  3024
77  \??\c:\dpjvj.exe  c:\dpjvj.exe  1680
78  \??\c:\7dvdp.exe  c:\7dvdp.exe  2520  System Location Discovery: System Language Discovery
79  \??\c:\frxxffl.exe  c:\frxxffl.exe  1556
80  \??\c:\hbthnt.exe  c:\hbthnt.exe  1716
81  \??\c:\7dddv.exe  c:\7dddv.exe  2260
82  \??\c:\7dddv.exe  c:\7dddv.exe  2988
83  \??\c:\rrxxxxx.exe  c:\rrxxxxx.exe  2696
84  \??\c:\7tntht.exe  c:\7tntht.exe  2996
85  \??\c:\vppdj.exe  c:\vppdj.exe  2784
86  \??\c:\dddpj.exe  c:\dddpj.exe  2892
87  \??\c:\xfxxlrf.exe  c:\xfxxlrf.exe  2620
88  \??\c:\5nthtb.exe  c:\5nthtb.exe  2800
89  \??\c:\vvvvj.exe  c:\vvvvj.exe  2596
90  \??\c:\rffllxx.exe  c:\rffllxx.exe  1252
91  \??\c:\5lxflrf.exe  c:\5lxflrf.exe  2868
92  \??\c:\bhbttb.exe  c:\bhbttb.exe  2644
93  \??\c:\jdpvj.exe  c:\jdpvj.exe  1632
94  \??\c:\7djjv.exe  c:\7djjv.exe  668
95  \??\c:\xxrfxfl.exe  c:\xxrfxfl.exe  1948
96  \??\c:\tbnhhb.exe  c:\tbnhhb.exe  2900
97  \??\c:\7thnth.exe  c:\7thnth.exe  2356
98  \??\c:\vdpjp.exe  c:\vdpjp.exe  1072
99  \??\c:\5rrfrxr.exe  c:\5rrfrxr.exe  1428
100  \??\c:\btbnbn.exe  c:\btbnbn.exe  1452
101  \??\c:\7pjvv.exe  c:\7pjvv.exe  2556
102  \??\c:\3frxlxl.exe  c:\3frxlxl.exe  2020
103  \??\c:\3tnnnt.exe  c:\3tnnnt.exe  2092
104  \??\c:\7hhtnn.exe  c:\7hhtnn.exe  1500
105  \??\c:\ddvdv.exe  c:\ddvdv.exe  392
106  \??\c:\bthnbh.exe  c:\bthnbh.exe  3008
107  \??\c:\ppddj.exe  c:\ppddj.exe  3004
108  \??\c:\7jdjj.exe  c:\7jdjj.exe  1320
109  \??\c:\xrxxlrf.exe  c:\xrxxlrf.exe  2688
110  \??\c:\hbbbhn.exe  c:\hbbbhn.exe  1804
111  \??\c:\7vdpd.exe  c:\7vdpd.exe  1824
112  \??\c:\3rrfrrr.exe  c:\3rrfrrr.exe  1648
113  \??\c:\hhnbbn.exe  c:\hhnbbn.exe  756
114  \??\c:\nntbnn.exe  c:\nntbnn.exe  2104
115  \??\c:\vddjd.exe  c:\vddjd.exe  2436
116  \??\c:\lllfrxl.exe  c:\lllfrxl.exe  2192
117  \??\c:\hbbnhn.exe  c:\hbbnhn.exe  1492
118  \??\c:\vjpvp.exe  c:\vjpvp.exe  2412
119  \??\c:\9rlxlxx.exe  c:\9rlxlxx.exe  884
120  \??\c:\ffrfxfr.exe  c:\ffrfxfr.exe  2444
121  \??\c:\5nthtb.exe  c:\5nthtb.exe  3024
122  \??\c:\pvpjd.exe  c:\pvpjd.exe  2128