Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11/01/2025, 06:49
Static task
static1
Behavioral task
behavioral1
Sample
389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe
Resource
win7-20241023-en
General
-
Target
389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe
-
Size
454KB
-
MD5
6a366e9f87e39ad6b8204d91d388c25b
-
SHA1
c30609d4b42c3f37caf982aae38cfff7bd8c8242
-
SHA256
389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec
-
SHA512
e56a94ee89da6dbd4167888328c8f6b022a35db26437ae22a34a8247cd4610e36be3604f356996d3b17dc803ecb467ac9ba502acaf551c67872a589dfe72b8ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/716-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4092-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3124-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-998-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-1086-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-1356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3880-1420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2884 bnnbtn.exe 3068 rrrrrlf.exe 4556 1jjdv.exe 1060 dddpp.exe 4460 nthbtt.exe 208 xfrlrlf.exe 212 bhhtnh.exe 2336 vpvjj.exe 872 vjppv.exe 2744 fflffxx.exe 3780 lxrxlfr.exe 4400 1vpvj.exe 2936 hnbbhh.exe 4084 pdjvp.exe 4808 frxlfxr.exe 4340 tbbttt.exe 3608 vddvp.exe 3288 rllfxrr.exe 4492 lfflllf.exe 2260 fxrxrfx.exe 3592 tbtnhh.exe 4080 vjjvj.exe 2360 xfxlfxx.exe 1796 hhtthb.exe 4944 bnthbt.exe 5052 9nnbtt.exe 2620 dpvpj.exe 2100 rxrrrxf.exe 4740 bhnhbb.exe 4876 jjjvp.exe 1424 pvjjd.exe 4092 xrrlfxr.exe 1552 ppvjd.exe 4120 thhbtt.exe 712 pdjvv.exe 4008 vpvpj.exe 2552 nhnhhn.exe 2984 nttttt.exe 1504 1vvvd.exe 2752 1ffxllf.exe 3412 bthbbt.exe 2544 bbbttt.exe 3220 3pvpp.exe 2044 xrfflll.exe 932 7bthbb.exe 5096 ppjjd.exe 1192 flfrrll.exe 2596 5nbbnt.exe 4388 3ttnhb.exe 1512 vjppj.exe 2380 xlrlfff.exe 2884 nhhbtt.exe 460 5pvpj.exe 4476 rlxrlll.exe 1120 rllfxxr.exe 2208 9jjjd.exe 4908 fxfrfxr.exe 3796 nhtttb.exe 5028 7vppv.exe 1972 vppjd.exe 3992 nhbthh.exe 1072 bbnhbt.exe 3264 dpjjd.exe 1608 frxrlxr.exe -
resource yara_rule behavioral2/memory/716-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/712-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3412-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-858-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 716 wrote to memory of 2884 716 389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe 83 PID 716 wrote to memory of 2884 716 389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe 83 PID 716 wrote to memory of 2884 716 389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe 83 PID 2884 wrote to memory of 3068 2884 bnnbtn.exe 84 PID 2884 wrote to memory of 3068 2884 bnnbtn.exe 84 PID 2884 wrote to memory of 3068 2884 bnnbtn.exe 84 PID 3068 wrote to memory of 4556 3068 rrrrrlf.exe 85 PID 3068 wrote to memory of 4556 3068 rrrrrlf.exe 85 PID 3068 wrote to memory of 4556 3068 rrrrrlf.exe 85 PID 4556 wrote to memory of 1060 4556 1jjdv.exe 86 PID 4556 wrote to memory of 1060 4556 1jjdv.exe 86 PID 4556 wrote to memory of 1060 4556 1jjdv.exe 86 PID 1060 wrote to memory of 4460 1060 dddpp.exe 87 PID 1060 wrote to memory of 4460 1060 dddpp.exe 87 PID 1060 wrote to memory of 4460 1060 dddpp.exe 87 PID 4460 wrote to memory of 208 4460 nthbtt.exe 88 PID 4460 wrote to memory of 208 4460 nthbtt.exe 88 PID 4460 wrote to memory of 208 4460 nthbtt.exe 88 PID 208 wrote to memory of 212 208 xfrlrlf.exe 89 PID 208 wrote to memory of 212 208 xfrlrlf.exe 89 PID 208 wrote to memory of 212 208 xfrlrlf.exe 89 PID 212 wrote to memory of 2336 212 bhhtnh.exe 90 PID 212 wrote to memory of 2336 212 bhhtnh.exe 90 PID 212 wrote to memory of 2336 212 bhhtnh.exe 90 PID 2336 wrote to memory of 872 2336 vpvjj.exe 91 PID 2336 wrote to memory of 872 2336 vpvjj.exe 91 PID 2336 wrote to memory of 872 2336 vpvjj.exe 91 PID 872 wrote to memory of 2744 872 vjppv.exe 92 PID 872 wrote to memory of 2744 872 vjppv.exe 92 PID 872 wrote to memory of 2744 872 vjppv.exe 92 PID 2744 wrote to memory of 3780 2744 fflffxx.exe 93 PID 2744 wrote to memory of 3780 2744 fflffxx.exe 93 PID 2744 wrote to memory of 3780 2744 fflffxx.exe 93 PID 3780 wrote to memory of 4400 3780 lxrxlfr.exe 94 PID 3780 wrote to memory of 4400 3780 lxrxlfr.exe 94 
PID 3780 wrote to memory of 4400 3780 lxrxlfr.exe 94 PID 4400 wrote to memory of 2936 4400 1vpvj.exe 95 PID 4400 wrote to memory of 2936 4400 1vpvj.exe 95 PID 4400 wrote to memory of 2936 4400 1vpvj.exe 95 PID 2936 wrote to memory of 4084 2936 hnbbhh.exe 96 PID 2936 wrote to memory of 4084 2936 hnbbhh.exe 96 PID 2936 wrote to memory of 4084 2936 hnbbhh.exe 96 PID 4084 wrote to memory of 4808 4084 pdjvp.exe 97 PID 4084 wrote to memory of 4808 4084 pdjvp.exe 97 PID 4084 wrote to memory of 4808 4084 pdjvp.exe 97 PID 4808 wrote to memory of 4340 4808 frxlfxr.exe 98 PID 4808 wrote to memory of 4340 4808 frxlfxr.exe 98 PID 4808 wrote to memory of 4340 4808 frxlfxr.exe 98 PID 4340 wrote to memory of 3608 4340 tbbttt.exe 99 PID 4340 wrote to memory of 3608 4340 tbbttt.exe 99 PID 4340 wrote to memory of 3608 4340 tbbttt.exe 99 PID 3608 wrote to memory of 3288 3608 vddvp.exe 100 PID 3608 wrote to memory of 3288 3608 vddvp.exe 100 PID 3608 wrote to memory of 3288 3608 vddvp.exe 100 PID 3288 wrote to memory of 4492 3288 rllfxrr.exe 101 PID 3288 wrote to memory of 4492 3288 rllfxrr.exe 101 PID 3288 wrote to memory of 4492 3288 rllfxrr.exe 101 PID 4492 wrote to memory of 2260 4492 lfflllf.exe 102 PID 4492 wrote to memory of 2260 4492 lfflllf.exe 102 PID 4492 wrote to memory of 2260 4492 lfflllf.exe 102 PID 2260 wrote to memory of 3592 2260 fxrxrfx.exe 103 PID 2260 wrote to memory of 3592 2260 fxrxrfx.exe 103 PID 2260 wrote to memory of 3592 2260 fxrxrfx.exe 103 PID 3592 wrote to memory of 4080 3592 tbtnhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe"C:\Users\Admin\AppData\Local\Temp\389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\bnnbtn.exec:\bnnbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\rrrrrlf.exec:\rrrrrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\1jjdv.exec:\1jjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\dddpp.exec:\dddpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\nthbtt.exec:\nthbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\xfrlrlf.exec:\xfrlrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\bhhtnh.exec:\bhhtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\vpvjj.exec:\vpvjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\vjppv.exec:\vjppv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\fflffxx.exec:\fflffxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\lxrxlfr.exec:\lxrxlfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\1vpvj.exec:\1vpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\hnbbhh.exec:\hnbbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\pdjvp.exec:\pdjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\frxlfxr.exec:\frxlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\tbbttt.exec:\tbbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\vddvp.exec:\vddvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\rllfxrr.exec:\rllfxrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\lfflllf.exec:\lfflllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\fxrxrfx.exec:\fxrxrfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\tbtnhh.exec:\tbtnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\vjjvj.exec:\vjjvj.exe23⤵
- Executes dropped EXE
PID:4080 -
\??\c:\xfxlfxx.exec:\xfxlfxx.exe24⤵
- Executes dropped EXE
PID:2360 -
\??\c:\hhtthb.exec:\hhtthb.exe25⤵
- Executes dropped EXE
PID:1796 -
\??\c:\bnthbt.exec:\bnthbt.exe26⤵
- Executes dropped EXE
PID:4944 -
\??\c:\9nnbtt.exec:\9nnbtt.exe27⤵
- Executes dropped EXE
PID:5052 -
\??\c:\dpvpj.exec:\dpvpj.exe28⤵
- Executes dropped EXE
PID:2620 -
\??\c:\rxrrrxf.exec:\rxrrrxf.exe29⤵
- Executes dropped EXE
PID:2100 -
\??\c:\bhnhbb.exec:\bhnhbb.exe30⤵
- Executes dropped EXE
PID:4740 -
\??\c:\jjjvp.exec:\jjjvp.exe31⤵
- Executes dropped EXE
PID:4876 -
\??\c:\pvjjd.exec:\pvjjd.exe32⤵
- Executes dropped EXE
PID:1424 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe33⤵
- Executes dropped EXE
PID:4092 -
\??\c:\ppvjd.exec:\ppvjd.exe34⤵
- Executes dropped EXE
PID:1552 -
\??\c:\thhbtt.exec:\thhbtt.exe35⤵
- Executes dropped EXE
PID:4120 -
\??\c:\pdjvv.exec:\pdjvv.exe36⤵
- Executes dropped EXE
PID:712 -
\??\c:\vpvpj.exec:\vpvpj.exe37⤵
- Executes dropped EXE
PID:4008 -
\??\c:\nhnhhn.exec:\nhnhhn.exe38⤵
- Executes dropped EXE
PID:2552 -
\??\c:\nttttt.exec:\nttttt.exe39⤵
- Executes dropped EXE
PID:2984 -
\??\c:\1vvvd.exec:\1vvvd.exe40⤵
- Executes dropped EXE
PID:1504 -
\??\c:\1ffxllf.exec:\1ffxllf.exe41⤵
- Executes dropped EXE
PID:2752 -
\??\c:\bthbbt.exec:\bthbbt.exe42⤵
- Executes dropped EXE
PID:3412 -
\??\c:\bbbttt.exec:\bbbttt.exe43⤵
- Executes dropped EXE
PID:2544 -
\??\c:\3pvpp.exec:\3pvpp.exe44⤵
- Executes dropped EXE
PID:3220 -
\??\c:\xrfflll.exec:\xrfflll.exe45⤵
- Executes dropped EXE
PID:2044 -
\??\c:\7bthbb.exec:\7bthbb.exe46⤵
- Executes dropped EXE
PID:932 -
\??\c:\ppjjd.exec:\ppjjd.exe47⤵
- Executes dropped EXE
PID:5096 -
\??\c:\flfrrll.exec:\flfrrll.exe48⤵
- Executes dropped EXE
PID:1192 -
\??\c:\5nbbnt.exec:\5nbbnt.exe49⤵
- Executes dropped EXE
PID:2596 -
\??\c:\3ttnhb.exec:\3ttnhb.exe50⤵
- Executes dropped EXE
PID:4388 -
\??\c:\vjppj.exec:\vjppj.exe51⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xlrlfff.exec:\xlrlfff.exe52⤵
- Executes dropped EXE
PID:2380 -
\??\c:\nhhbtt.exec:\nhhbtt.exe53⤵
- Executes dropped EXE
PID:2884 -
\??\c:\5pvpj.exec:\5pvpj.exe54⤵
- Executes dropped EXE
PID:460 -
\??\c:\rlxrlll.exec:\rlxrlll.exe55⤵
- Executes dropped EXE
PID:4476 -
\??\c:\rllfxxr.exec:\rllfxxr.exe56⤵
- Executes dropped EXE
PID:1120 -
\??\c:\9jjjd.exec:\9jjjd.exe57⤵
- Executes dropped EXE
PID:2208 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe58⤵
- Executes dropped EXE
PID:4908 -
\??\c:\nhtttb.exec:\nhtttb.exe59⤵
- Executes dropped EXE
PID:3796 -
\??\c:\7vppv.exec:\7vppv.exe60⤵
- Executes dropped EXE
PID:5028 -
\??\c:\vppjd.exec:\vppjd.exe61⤵
- Executes dropped EXE
PID:1972 -
\??\c:\nhbthh.exec:\nhbthh.exe62⤵
- Executes dropped EXE
PID:3992 -
\??\c:\bbnhbt.exec:\bbnhbt.exe63⤵
- Executes dropped EXE
PID:1072 -
\??\c:\dpjjd.exec:\dpjjd.exe64⤵
- Executes dropped EXE
PID:3264 -
\??\c:\frxrlxr.exec:\frxrlxr.exe65⤵
- Executes dropped EXE
PID:1608 -
\??\c:\nnnnnt.exec:\nnnnnt.exe66⤵PID:2744
-
\??\c:\vjjdp.exec:\vjjdp.exe67⤵PID:3900
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe68⤵PID:1884
-
\??\c:\1hhhbh.exec:\1hhhbh.exe69⤵PID:2656
-
\??\c:\nhnnnn.exec:\nhnnnn.exe70⤵PID:4620
-
\??\c:\pvdjj.exec:\pvdjj.exe71⤵PID:4084
-
\??\c:\rfllfxx.exec:\rfllfxx.exe72⤵PID:4068
-
\??\c:\bhtnhn.exec:\bhtnhn.exe73⤵PID:4340
-
\??\c:\hntttb.exec:\hntttb.exe74⤵PID:2540
-
\??\c:\7rlxxrl.exec:\7rlxxrl.exe75⤵PID:4152
-
\??\c:\7lfxllr.exec:\7lfxllr.exe76⤵PID:4920
-
\??\c:\nnnhhb.exec:\nnnhhb.exe77⤵PID:2704
-
\??\c:\pdjvp.exec:\pdjvp.exe78⤵PID:4492
-
\??\c:\rrfxffx.exec:\rrfxffx.exe79⤵PID:2648
-
\??\c:\7rfxfrl.exec:\7rfxfrl.exe80⤵PID:1672
-
\??\c:\1hhbtn.exec:\1hhbtn.exe81⤵PID:376
-
\??\c:\1djdv.exec:\1djdv.exe82⤵PID:3124
-
\??\c:\xrrlrrr.exec:\xrrlrrr.exe83⤵PID:4452
-
\??\c:\flxxxxr.exec:\flxxxxr.exe84⤵PID:4464
-
\??\c:\tbhhbb.exec:\tbhhbb.exe85⤵PID:4508
-
\??\c:\jvvpv.exec:\jvvpv.exe86⤵PID:3864
-
\??\c:\flfxrlf.exec:\flfxrlf.exe87⤵PID:3248
-
\??\c:\hnbtnn.exec:\hnbtnn.exe88⤵PID:2720
-
\??\c:\vvjpp.exec:\vvjpp.exe89⤵PID:2796
-
\??\c:\1vpjp.exec:\1vpjp.exe90⤵PID:3056
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe91⤵PID:632
-
\??\c:\ntbbtn.exec:\ntbbtn.exe92⤵PID:688
-
\??\c:\9nnbtb.exec:\9nnbtb.exe93⤵PID:4320
-
\??\c:\ppvpp.exec:\ppvpp.exe94⤵PID:880
-
\??\c:\lffxrrl.exec:\lffxrrl.exe95⤵PID:1820
-
\??\c:\7bbbtt.exec:\7bbbtt.exe96⤵PID:4968
-
\??\c:\vpvpp.exec:\vpvpp.exe97⤵PID:1900
-
\??\c:\rffxxrl.exec:\rffxxrl.exe98⤵PID:4324
-
\??\c:\lflflfl.exec:\lflflfl.exe99⤵PID:3088
-
\??\c:\bhnhnn.exec:\bhnhnn.exe100⤵PID:1896
-
\??\c:\pjppp.exec:\pjppp.exe101⤵PID:4516
-
\??\c:\1ppjd.exec:\1ppjd.exe102⤵
- System Location Discovery: System Language Discovery
PID:2924 -
\??\c:\lflrxrl.exec:\lflrxrl.exe103⤵PID:2484
-
\??\c:\bntbtn.exec:\bntbtn.exe104⤵PID:1632
-
\??\c:\nbhbhh.exec:\nbhbhh.exe105⤵PID:3412
-
\??\c:\pjppd.exec:\pjppd.exe106⤵PID:1956
-
\??\c:\rrxlffr.exec:\rrxlffr.exe107⤵PID:1428
-
\??\c:\bnttnh.exec:\bnttnh.exe108⤵PID:4956
-
\??\c:\ppddv.exec:\ppddv.exe109⤵PID:932
-
\??\c:\dvjdj.exec:\dvjdj.exe110⤵PID:5096
-
\??\c:\lrxrllf.exec:\lrxrllf.exe111⤵PID:2112
-
\??\c:\hhhhbh.exec:\hhhhbh.exe112⤵PID:740
-
\??\c:\jdpjj.exec:\jdpjj.exe113⤵PID:4388
-
\??\c:\rlfxrll.exec:\rlfxrll.exe114⤵PID:4396
-
\??\c:\rxrlxxr.exec:\rxrlxxr.exe115⤵PID:404
-
\??\c:\btbtbb.exec:\btbtbb.exe116⤵PID:3368
-
\??\c:\1ddvp.exec:\1ddvp.exe117⤵PID:3588
-
\??\c:\lfxlfxl.exec:\lfxlfxl.exe118⤵PID:460
-
\??\c:\thnhtt.exec:\thnhtt.exe119⤵PID:1060
-
\??\c:\jpvjd.exec:\jpvjd.exe120⤵PID:4676
-
\??\c:\dvvpj.exec:\dvvpj.exe121⤵PID:1120
-
\??\c:\xrxxxxl.exec:\xrxxxxl.exe122⤵PID:2208
-