Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
23/08/2024, 18:08
Behavioral task
behavioral1
Sample
a98575878cbe576519e2cd8d5776cc90N.exe
Resource
win7-20240705-en
6 signatures
120 seconds
General
-
Target
a98575878cbe576519e2cd8d5776cc90N.exe
-
Size
213KB
-
MD5
a98575878cbe576519e2cd8d5776cc90
-
SHA1
a83aba869f6b73f09a3a4e40eef299849d015022
-
SHA256
045d58e7af75b20c84cfa5e804cf8457a7b16118bc1c557d5ae3c664c7e1d5e6
-
SHA512
a55b65afddf455d8efcdf31b6a9b98c50f7ef00758693bbed4600dfa118e95783c021b28beda8e7d4704e6eba9af89701f5b8ab50f17777d154eb39942eadfd1
-
SSDEEP
6144:Hcm4FmowdHoSrXZf8l/ubPzYNLPf4t+ltx:V4wFHoSBK/ubLcfXx
Malware Config
Signatures
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/1688-7-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/3068-20-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1708-16-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2336-29-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2460-38-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2804-47-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2740-56-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2924-81-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2632-93-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2256-109-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1432-119-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1500-128-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/772-153-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1872-162-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2220-174-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2220-182-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/1856-193-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1856-200-0x0000000000440000-0x0000000000474000-memory.dmp family_blackmoon behavioral1/memory/2228-210-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2104-218-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2104-222-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral1/memory/2104-220-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/848-241-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/604-284-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2016-308-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2380-317-0x0000000076E00000-0x0000000076EFA000-memory.dmp family_blackmoon behavioral1/memory/2380-316-0x0000000076CE0000-0x0000000076DFF000-memory.dmp family_blackmoon behavioral1/memory/2744-330-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2460-331-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2740-363-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2112-370-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2844-378-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2764-385-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1432-410-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2688-435-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2872-448-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2116-475-0x00000000002D0000-0x0000000000304000-memory.dmp family_blackmoon behavioral1/memory/1532-516-0x00000000001B0000-0x00000000001E4000-memory.dmp family_blackmoon behavioral1/memory/1912-529-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/3040-562-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2096-575-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2792-654-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral1/memory/2604-673-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1008-755-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1652-762-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2832-769-0x00000000002B0000-0x00000000002E4000-memory.dmp family_blackmoon behavioral1/memory/1312-783-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/836-832-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2232-882-0x00000000001B0000-0x00000000001E4000-memory.dmp family_blackmoon behavioral1/memory/2912-901-0x00000000002D0000-0x0000000000304000-memory.dmp family_blackmoon behavioral1/memory/2912-922-0x00000000002D0000-0x0000000000304000-memory.dmp family_blackmoon behavioral1/memory/2028-966-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2028-988-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2208-1068-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1708 5rlrxrf.exe 3068 nhtbtb.exe 2336 nhtnbh.exe 2460 jdpjp.exe 2804 9jpvj.exe 2740 1bhnhn.exe 3000 9btbtt.exe 2924 jvjpv.exe 2648 hbtttb.exe 2632 dvdpp.exe 2256 dvjvd.exe 1432 btntbb.exe 1500 nnhbbt.exe 1084 jdjpv.exe 2920 lxrrrxx.exe 772 3hhbnn.exe 1872 bthnnn.exe 1576 pjvpv.exe 2220 rxrxrxf.exe 2832 rlfrfrl.exe 1856 9bnnbb.exe 2228 jdjvd.exe 2104 lflxfxx.exe 3032 9bbntb.exe 848 pjjjp.exe 1988 jjvdp.exe 1660 5htntt.exe 1544 5dpvd.exe 2016 lfxxllx.exe 604 fxllrxf.exe 1848 9ttttt.exe 1644 1btthb.exe 1688 1vppv.exe 2108 xrlxffr.exe 2380 bntbbh.exe 2744 jjvdj.exe 2460 rfrlrrx.exe 1600 nhtbnh.exe 2748 nhhhbb.exe 2808 vpdpd.exe 2740 dpvvd.exe 2112 fxlfxxl.exe 2844 bbtbhn.exe 2764 hhbhnn.exe 2616 1pdvd.exe 2216 ffllffx.exe 2176 1rlxxlr.exe 1676 1nntth.exe 1432 btntbb.exe 2932 ppjpp.exe 1500 1jdjp.exe 2688 1lflxff.exe 2668 bnhhbh.exe 2872 nnthbh.exe 388 jdvvv.exe 1032 pjjdd.exe 2332 5frlrrx.exe 2116 1rrffll.exe 2960 5hnttt.exe 1540 1ttnnh.exe 1532 ddpjp.exe 752 5rlxxrf.exe 2204 rflrrxl.exe 1896 hbhnbb.exe -
resource yara_rule behavioral1/memory/1688-0-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00080000000120f8-5.dat upx behavioral1/memory/1688-7-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3068-20-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0008000000015dca-18.dat upx behavioral1/memory/1708-16-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0008000000015e4f-36.dat upx behavioral1/memory/2336-29-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0007000000015e46-27.dat upx behavioral1/memory/2460-38-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2804-47-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0007000000015f55-45.dat upx behavioral1/files/0x0007000000015fa3-53.dat upx behavioral1/memory/2740-56-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0007000000016108-64.dat upx behavioral1/memory/3000-63-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0008000000016148-73.dat upx behavioral1/memory/2924-81-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00080000000162d8-82.dat upx behavioral1/files/0x000600000001904f-91.dat upx behavioral1/memory/2632-93-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00050000000191fe-99.dat upx behavioral1/memory/2256-100-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019221-108.dat upx behavioral1/memory/1432-110-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2256-109-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1432-119-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001923a-118.dat upx behavioral1/files/0x0005000000019246-127.dat upx behavioral1/memory/1084-129-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral1/memory/1500-128-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019249-137.dat upx behavioral1/files/0x0005000000019253-144.dat upx behavioral1/files/0x0005000000019256-154.dat upx behavioral1/memory/772-153-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1872-162-0x0000000000220000-0x0000000000254000-memory.dmp upx behavioral1/files/0x000500000001925b-165.dat upx behavioral1/memory/1576-164-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2220-174-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019272-173.dat upx behavioral1/files/0x00050000000192fe-184.dat upx behavioral1/memory/2220-181-0x0000000000220000-0x0000000000254000-memory.dmp upx behavioral1/files/0x0005000000019309-191.dat upx behavioral1/memory/1856-193-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019346-201.dat upx behavioral1/memory/2228-210-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019358-211.dat upx behavioral1/files/0x0005000000019368-223.dat upx behavioral1/memory/2104-222-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/848-232-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019385-229.dat upx behavioral1/files/0x0005000000019394-242.dat upx behavioral1/memory/848-241-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00050000000193a2-248.dat upx behavioral1/memory/1660-250-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00050000000193c3-258.dat upx behavioral1/files/0x0009000000015da2-266.dat upx behavioral1/memory/2016-274-0x0000000000220000-0x0000000000254000-memory.dmp upx behavioral1/files/0x00050000000193cf-277.dat upx behavioral1/files/0x00050000000193e5-285.dat upx behavioral1/memory/604-284-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral1/files/0x0005000000019412-291.dat upx behavioral1/memory/1644-294-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2380-316-0x0000000076CE0000-0x0000000076DFF000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 1708 1688 a98575878cbe576519e2cd8d5776cc90N.exe 30 PID 1688 wrote to memory of 1708 1688 a98575878cbe576519e2cd8d5776cc90N.exe 30 PID 1688 wrote to memory of 1708 1688 a98575878cbe576519e2cd8d5776cc90N.exe 30 PID 1688 wrote to memory of 1708 1688 a98575878cbe576519e2cd8d5776cc90N.exe 30 PID 1708 wrote to memory of 3068 1708 5rlrxrf.exe 31 PID 1708 wrote to memory of 3068 1708 5rlrxrf.exe 31 PID 1708 wrote to memory of 3068 1708 5rlrxrf.exe 31 PID 1708 wrote to memory of 3068 1708 5rlrxrf.exe 31 PID 3068 wrote to memory of 2336 3068 nhtbtb.exe 32 PID 3068 wrote to memory of 2336 3068 nhtbtb.exe 32 PID 3068 wrote to memory of 2336 3068 nhtbtb.exe 32 PID 3068 wrote to memory of 2336 3068 nhtbtb.exe 32 PID 2336 wrote to memory of 2460 2336 nhtnbh.exe 33 PID 2336 wrote to memory of 2460 2336 nhtnbh.exe 33 PID 2336 wrote to memory of 2460 2336 nhtnbh.exe 33 PID 2336 wrote to memory of 2460 2336 nhtnbh.exe 33 PID 2460 wrote to memory of 2804 2460 jdpjp.exe 34 PID 2460 wrote to memory of 2804 2460 jdpjp.exe 34 PID 2460 wrote to memory of 2804 2460 jdpjp.exe 34 PID 2460 wrote to memory of 2804 2460 jdpjp.exe 34 PID 2804 wrote to memory of 2740 2804 9jpvj.exe 35 PID 2804 wrote to memory of 2740 2804 9jpvj.exe 35 PID 2804 wrote to memory of 2740 2804 9jpvj.exe 35 PID 2804 wrote to memory of 2740 2804 9jpvj.exe 35 PID 2740 wrote to memory of 3000 2740 1bhnhn.exe 36 PID 2740 wrote to memory of 3000 2740 1bhnhn.exe 36 PID 2740 wrote to memory of 3000 2740 1bhnhn.exe 36 PID 2740 wrote to memory of 3000 2740 1bhnhn.exe 36 PID 3000 wrote to memory of 2924 3000 9btbtt.exe 37 PID 3000 wrote to memory of 2924 3000 9btbtt.exe 37 PID 3000 wrote to memory of 2924 3000 9btbtt.exe 37 PID 3000 wrote to memory of 2924 3000 9btbtt.exe 37 PID 2924 wrote to memory of 2648 2924 jvjpv.exe 38 PID 2924 wrote to memory of 2648 2924 jvjpv.exe 38 PID 2924 wrote to memory of 2648 2924 jvjpv.exe 38 PID 2924 wrote to memory of 2648 2924 
jvjpv.exe 38 PID 2648 wrote to memory of 2632 2648 hbtttb.exe 39 PID 2648 wrote to memory of 2632 2648 hbtttb.exe 39 PID 2648 wrote to memory of 2632 2648 hbtttb.exe 39 PID 2648 wrote to memory of 2632 2648 hbtttb.exe 39 PID 2632 wrote to memory of 2256 2632 dvdpp.exe 40 PID 2632 wrote to memory of 2256 2632 dvdpp.exe 40 PID 2632 wrote to memory of 2256 2632 dvdpp.exe 40 PID 2632 wrote to memory of 2256 2632 dvdpp.exe 40 PID 2256 wrote to memory of 1432 2256 dvjvd.exe 41 PID 2256 wrote to memory of 1432 2256 dvjvd.exe 41 PID 2256 wrote to memory of 1432 2256 dvjvd.exe 41 PID 2256 wrote to memory of 1432 2256 dvjvd.exe 41 PID 1432 wrote to memory of 1500 1432 btntbb.exe 42 PID 1432 wrote to memory of 1500 1432 btntbb.exe 42 PID 1432 wrote to memory of 1500 1432 btntbb.exe 42 PID 1432 wrote to memory of 1500 1432 btntbb.exe 42 PID 1500 wrote to memory of 1084 1500 nnhbbt.exe 43 PID 1500 wrote to memory of 1084 1500 nnhbbt.exe 43 PID 1500 wrote to memory of 1084 1500 nnhbbt.exe 43 PID 1500 wrote to memory of 1084 1500 nnhbbt.exe 43 PID 1084 wrote to memory of 2920 1084 jdjpv.exe 44 PID 1084 wrote to memory of 2920 1084 jdjpv.exe 44 PID 1084 wrote to memory of 2920 1084 jdjpv.exe 44 PID 1084 wrote to memory of 2920 1084 jdjpv.exe 44 PID 2920 wrote to memory of 772 2920 lxrrrxx.exe 45 PID 2920 wrote to memory of 772 2920 lxrrrxx.exe 45 PID 2920 wrote to memory of 772 2920 lxrrrxx.exe 45 PID 2920 wrote to memory of 772 2920 lxrrrxx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a98575878cbe576519e2cd8d5776cc90N.exe"C:\Users\Admin\AppData\Local\Temp\a98575878cbe576519e2cd8d5776cc90N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\5rlrxrf.exec:\5rlrxrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\nhtbtb.exec:\nhtbtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\nhtnbh.exec:\nhtnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\jdpjp.exec:\jdpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\9jpvj.exec:\9jpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\1bhnhn.exec:\1bhnhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\9btbtt.exec:\9btbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\jvjpv.exec:\jvjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\hbtttb.exec:\hbtttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\dvdpp.exec:\dvdpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\dvjvd.exec:\dvjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\btntbb.exec:\btntbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\nnhbbt.exec:\nnhbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\jdjpv.exec:\jdjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\lxrrrxx.exec:\lxrrrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\3hhbnn.exec:\3hhbnn.exe17⤵
- Executes dropped EXE
PID:772 -
\??\c:\bthnnn.exec:\bthnnn.exe18⤵
- Executes dropped EXE
PID:1872 -
\??\c:\pjvpv.exec:\pjvpv.exe19⤵
- Executes dropped EXE
PID:1576 -
\??\c:\rxrxrxf.exec:\rxrxrxf.exe20⤵
- Executes dropped EXE
PID:2220 -
\??\c:\rlfrfrl.exec:\rlfrfrl.exe21⤵
- Executes dropped EXE
PID:2832 -
\??\c:\9bnnbb.exec:\9bnnbb.exe22⤵
- Executes dropped EXE
PID:1856 -
\??\c:\jdjvd.exec:\jdjvd.exe23⤵
- Executes dropped EXE
PID:2228 -
\??\c:\lflxfxx.exec:\lflxfxx.exe24⤵
- Executes dropped EXE
PID:2104 -
\??\c:\9bbntb.exec:\9bbntb.exe25⤵
- Executes dropped EXE
PID:3032 -
\??\c:\pjjjp.exec:\pjjjp.exe26⤵
- Executes dropped EXE
PID:848 -
\??\c:\jjvdp.exec:\jjvdp.exe27⤵
- Executes dropped EXE
PID:1988 -
\??\c:\5htntt.exec:\5htntt.exe28⤵
- Executes dropped EXE
PID:1660 -
\??\c:\5dpvd.exec:\5dpvd.exe29⤵
- Executes dropped EXE
PID:1544 -
\??\c:\lfxxllx.exec:\lfxxllx.exe30⤵
- Executes dropped EXE
PID:2016 -
\??\c:\fxllrxf.exec:\fxllrxf.exe31⤵
- Executes dropped EXE
PID:604 -
\??\c:\9ttttt.exec:\9ttttt.exe32⤵
- Executes dropped EXE
PID:1848 -
\??\c:\1btthb.exec:\1btthb.exe33⤵
- Executes dropped EXE
PID:1644 -
\??\c:\1vppv.exec:\1vppv.exe34⤵
- Executes dropped EXE
PID:1688 -
\??\c:\xrlxffr.exec:\xrlxffr.exe35⤵
- Executes dropped EXE
PID:2108 -
\??\c:\bntbbh.exec:\bntbbh.exe36⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hbnbnt.exec:\hbnbnt.exe37⤵PID:2788
-
\??\c:\jjvdj.exec:\jjvdj.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe39⤵
- Executes dropped EXE
PID:2460 -
\??\c:\nhtbnh.exec:\nhtbnh.exe40⤵
- Executes dropped EXE
PID:1600 -
\??\c:\nhhhbb.exec:\nhhhbb.exe41⤵
- Executes dropped EXE
PID:2748 -
\??\c:\vpdpd.exec:\vpdpd.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\dpvvd.exec:\dpvvd.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\fxlfxxl.exec:\fxlfxxl.exe44⤵
- Executes dropped EXE
PID:2112 -
\??\c:\bbtbhn.exec:\bbtbhn.exe45⤵
- Executes dropped EXE
PID:2844 -
\??\c:\hhbhnn.exec:\hhbhnn.exe46⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1pdvd.exec:\1pdvd.exe47⤵
- Executes dropped EXE
PID:2616 -
\??\c:\ffllffx.exec:\ffllffx.exe48⤵
- Executes dropped EXE
PID:2216 -
\??\c:\1rlxxlr.exec:\1rlxxlr.exe49⤵
- Executes dropped EXE
PID:2176 -
\??\c:\1nntth.exec:\1nntth.exe50⤵
- Executes dropped EXE
PID:1676 -
\??\c:\btntbb.exec:\btntbb.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1432 -
\??\c:\ppjpp.exec:\ppjpp.exe52⤵
- Executes dropped EXE
PID:2932 -
\??\c:\1jdjp.exec:\1jdjp.exe53⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1lflxff.exec:\1lflxff.exe54⤵
- Executes dropped EXE
PID:2688 -
\??\c:\bnhhbh.exec:\bnhhbh.exe55⤵
- Executes dropped EXE
PID:2668 -
\??\c:\nnthbh.exec:\nnthbh.exe56⤵
- Executes dropped EXE
PID:2872 -
\??\c:\jdvvv.exec:\jdvvv.exe57⤵
- Executes dropped EXE
PID:388 -
\??\c:\pjjdd.exec:\pjjdd.exe58⤵
- Executes dropped EXE
PID:1032 -
\??\c:\5frlrrx.exec:\5frlrrx.exe59⤵
- Executes dropped EXE
PID:2332 -
\??\c:\1rrffll.exec:\1rrffll.exe60⤵
- Executes dropped EXE
PID:2116 -
\??\c:\5hnttt.exec:\5hnttt.exe61⤵
- Executes dropped EXE
PID:2960 -
\??\c:\1ttnnh.exec:\1ttnnh.exe62⤵
- Executes dropped EXE
PID:1540 -
\??\c:\ddpjp.exec:\ddpjp.exe63⤵
- Executes dropped EXE
PID:1532 -
\??\c:\5rlxxrf.exec:\5rlxxrf.exe64⤵
- Executes dropped EXE
PID:752 -
\??\c:\rflrrxl.exec:\rflrrxl.exe65⤵
- Executes dropped EXE
PID:2204 -
\??\c:\hbhnbb.exec:\hbhnbb.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
\??\c:\thhbth.exec:\thhbth.exe67⤵PID:1080
-
\??\c:\1jdpj.exec:\1jdpj.exe68⤵PID:1912
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe69⤵PID:2308
-
\??\c:\7frxlrr.exec:\7frxlrr.exe70⤵PID:924
-
\??\c:\hbntbh.exec:\hbntbh.exe71⤵PID:2084
-
\??\c:\9bnnnh.exec:\9bnnnh.exe72⤵PID:3036
-
\??\c:\dpdjj.exec:\dpdjj.exe73⤵PID:3040
-
\??\c:\vdjvp.exec:\vdjvp.exe74⤵PID:2016
-
\??\c:\xfrrlfr.exec:\xfrrlfr.exe75⤵PID:2096
-
\??\c:\hnthtt.exec:\hnthtt.exe76⤵PID:1908
-
\??\c:\5bnnhb.exec:\5bnnhb.exe77⤵PID:2452
-
\??\c:\dpvvv.exec:\dpvvv.exe78⤵PID:1732
-
\??\c:\vpvvp.exec:\vpvvp.exe79⤵PID:1688
-
\??\c:\9rlxffr.exec:\9rlxffr.exe80⤵PID:2108
-
\??\c:\5rlfxff.exec:\5rlfxff.exe81⤵PID:2912
-
\??\c:\bnntbh.exec:\bnntbh.exe82⤵PID:2296
-
\??\c:\bnbtth.exec:\bnbtth.exe83⤵PID:2692
-
\??\c:\9djpv.exec:\9djpv.exe84⤵PID:1584
-
\??\c:\5vvvp.exec:\5vvvp.exe85⤵PID:1592
-
\??\c:\frxxfxf.exec:\frxxfxf.exe86⤵PID:2608
-
\??\c:\7fxxxxr.exec:\7fxxxxr.exe87⤵PID:2828
-
\??\c:\nbnhtb.exec:\nbnhtb.exe88⤵PID:2752
-
\??\c:\dvjjj.exec:\dvjjj.exe89⤵PID:2792
-
\??\c:\7vdvv.exec:\7vdvv.exe90⤵PID:2624
-
\??\c:\1xfffff.exec:\1xfffff.exe91⤵PID:2604
-
\??\c:\frfrrrf.exec:\frfrrrf.exe92⤵PID:2672
-
\??\c:\bbttnn.exec:\bbttnn.exe93⤵PID:2240
-
\??\c:\nhbtnb.exec:\nhbtnb.exe94⤵PID:668
-
\??\c:\jvppp.exec:\jvppp.exe95⤵PID:1012
-
\??\c:\jpjpj.exec:\jpjpj.exe96⤵PID:2944
-
\??\c:\9rflrxf.exec:\9rflrxf.exe97⤵PID:284
-
\??\c:\thttbb.exec:\thttbb.exe98⤵
- System Location Discovery: System Language Discovery
PID:576 -
\??\c:\htnnhn.exec:\htnnhn.exe99⤵PID:2588
-
\??\c:\jdpjd.exec:\jdpjd.exe100⤵PID:1620
-
\??\c:\vpjvv.exec:\vpjvv.exe101⤵PID:1652
-
\??\c:\rxfrfrx.exec:\rxfrfrx.exe102⤵PID:1252
-
\??\c:\hbtbbb.exec:\hbtbbb.exe103⤵PID:2952
-
\??\c:\hhthtb.exec:\hhthtb.exe104⤵PID:1008
-
\??\c:\9vvpd.exec:\9vvpd.exe105⤵PID:2364
-
\??\c:\3vjjv.exec:\3vjjv.exe106⤵PID:2832
-
\??\c:\5lrxxrx.exec:\5lrxxrx.exe107⤵PID:2144
-
\??\c:\fxfllxx.exec:\fxfllxx.exe108⤵PID:1312
-
\??\c:\btnhtt.exec:\btnhtt.exe109⤵PID:1028
-
\??\c:\nhbhnt.exec:\nhbhnt.exe110⤵PID:752
-
\??\c:\dpvvp.exec:\dpvvp.exe111⤵PID:956
-
\??\c:\pppdp.exec:\pppdp.exe112⤵PID:2468
-
\??\c:\9rfxrxf.exec:\9rfxrxf.exe113⤵PID:1080
-
\??\c:\7bnnhh.exec:\7bnnhh.exe114⤵PID:1912
-
\??\c:\7nbnhb.exec:\7nbnhb.exe115⤵PID:1940
-
\??\c:\pjvdj.exec:\pjvdj.exe116⤵PID:836
-
\??\c:\vjdvv.exec:\vjdvv.exe117⤵PID:2084
-
\??\c:\5xlxxfl.exec:\5xlxxfl.exe118⤵PID:3008
-
\??\c:\rrfrlff.exec:\rrfrlff.exe119⤵PID:1936
-
\??\c:\htbbnh.exec:\htbbnh.exe120⤵PID:1864
-
\??\c:\3hhhbb.exec:\3hhhbb.exe121⤵PID:1972
-
\??\c:\7pjdd.exec:\7pjdd.exe122⤵PID:2396