Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2024, 23:08
Static task
static1
Behavioral task
behavioral1
Sample
811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3.exe
Resource
win7-20240903-en
General
-
Target
811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3.exe
-
Size
454KB
-
MD5
a0d8d7f0ce5d38544f0acca74aea2755
-
SHA1
9a0f1c3da93420f85459a1c8e2ba3ee2fb8873d3
-
SHA256
811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3
-
SHA512
bfef5f7e815d8e97881fecb05e99d99219ed15a722185eb67f1724b52b397a67ebb39a02253fa65608286872d410d6e386499625eb862dd5d7f3c83097ccd350
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3620-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2960-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3092-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-967-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-1088-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-1324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-1666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4084 44022.exe 2028 btbbtt.exe 212 24482.exe 1324 4228888.exe 1912 266602.exe 968 pppjj.exe 2504 462060.exe 1468 o648828.exe 4908 680004.exe 2692 hnbthh.exe 2276 1lfxrrl.exe 4124 844820.exe 4820 20644.exe 3844 bnhbtn.exe 540 vpjdv.exe 2020 6084820.exe 4152 446800.exe 5016 tnhbtt.exe 1088 frlxrlx.exe 2388 24086.exe 180 jvvjd.exe 3632 vjjdp.exe 2232 bnnhbb.exe 2960 frlxrlr.exe 4196 hnnnhb.exe 1028 2048660.exe 860 thhbnh.exe 3836 fxlfxrr.exe 4784 s6648.exe 720 088262.exe 3532 1jdpd.exe 732 1xrllfl.exe 4484 7dpdj.exe 3956 thbtnh.exe 1084 6286482.exe 4148 7bbthh.exe 1728 2282262.exe 4652 xfrfxrl.exe 2012 lxrlfxr.exe 2612 dppdd.exe 2404 frlxlfx.exe 1472 004446.exe 2964 pdvjv.exe 4504 ffxlrxl.exe 3980 rflfffh.exe 1556 tbnhbb.exe 4880 jvddd.exe 4424 rlrllll.exe 232 062666.exe 1840 8840004.exe 1128 nbhbbt.exe 3432 nthbhh.exe 5012 nbbtbb.exe 2168 80604.exe 1564 nhhhbb.exe 1568 2682884.exe 392 m2826.exe 4528 w02000.exe 1524 3jpjd.exe 2004 jjddj.exe 1824 8460888.exe 2652 xxxxffl.exe 4612 62482.exe 2416 62888.exe -
resource yara_rule behavioral2/memory/3620-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4196-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2852-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-868-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8248204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q66422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c624260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60060.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3620 wrote to memory of 4084 3620 811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3.exe 83 PID 3620 wrote to memory of 4084 3620 811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3.exe 83 PID 3620 wrote to memory of 4084 3620 811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3.exe 83 PID 4084 wrote to memory of 2028 4084 44022.exe 84 PID 4084 wrote to memory of 2028 4084 44022.exe 84 PID 4084 wrote to memory of 2028 4084 44022.exe 84 PID 2028 wrote to memory of 212 2028 btbbtt.exe 85 PID 2028 wrote to memory of 212 2028 btbbtt.exe 85 PID 2028 wrote to memory of 212 2028 btbbtt.exe 85 PID 212 wrote to memory of 1324 212 24482.exe 86 PID 212 wrote to memory of 1324 212 24482.exe 86 PID 212 wrote to memory of 1324 212 24482.exe 86 PID 1324 wrote to memory of 1912 1324 4228888.exe 87 PID 1324 wrote to memory of 1912 1324 4228888.exe 87 PID 1324 wrote to memory of 1912 1324 4228888.exe 87 PID 1912 wrote to memory of 968 1912 266602.exe 88 PID 1912 wrote to memory of 968 1912 266602.exe 88 PID 1912 wrote to memory of 968 1912 266602.exe 88 PID 968 wrote to memory of 2504 968 pppjj.exe 89 PID 968 wrote to memory of 2504 968 pppjj.exe 89 PID 968 wrote to memory of 2504 968 pppjj.exe 89 PID 2504 wrote to memory of 1468 2504 462060.exe 90 PID 2504 wrote to memory of 1468 2504 462060.exe 90 PID 2504 wrote to memory of 1468 2504 462060.exe 90 PID 1468 wrote to memory of 4908 1468 o648828.exe 91 PID 1468 wrote to memory of 4908 1468 o648828.exe 91 PID 1468 wrote to memory of 4908 1468 o648828.exe 91 PID 4908 wrote to memory of 2692 4908 680004.exe 92 PID 4908 wrote to memory of 2692 4908 680004.exe 92 PID 4908 wrote to memory of 2692 4908 680004.exe 92 PID 2692 wrote to memory of 2276 2692 hnbthh.exe 93 PID 2692 wrote to memory of 2276 2692 hnbthh.exe 93 PID 2692 wrote to memory of 2276 2692 hnbthh.exe 93 PID 2276 wrote to memory of 4124 2276 1lfxrrl.exe 94 PID 2276 wrote to memory of 4124 2276 
1lfxrrl.exe 94 PID 2276 wrote to memory of 4124 2276 1lfxrrl.exe 94 PID 4124 wrote to memory of 4820 4124 844820.exe 95 PID 4124 wrote to memory of 4820 4124 844820.exe 95 PID 4124 wrote to memory of 4820 4124 844820.exe 95 PID 4820 wrote to memory of 3844 4820 20644.exe 96 PID 4820 wrote to memory of 3844 4820 20644.exe 96 PID 4820 wrote to memory of 3844 4820 20644.exe 96 PID 3844 wrote to memory of 540 3844 bnhbtn.exe 97 PID 3844 wrote to memory of 540 3844 bnhbtn.exe 97 PID 3844 wrote to memory of 540 3844 bnhbtn.exe 97 PID 540 wrote to memory of 2020 540 vpjdv.exe 98 PID 540 wrote to memory of 2020 540 vpjdv.exe 98 PID 540 wrote to memory of 2020 540 vpjdv.exe 98 PID 2020 wrote to memory of 4152 2020 6084820.exe 99 PID 2020 wrote to memory of 4152 2020 6084820.exe 99 PID 2020 wrote to memory of 4152 2020 6084820.exe 99 PID 4152 wrote to memory of 5016 4152 446800.exe 100 PID 4152 wrote to memory of 5016 4152 446800.exe 100 PID 4152 wrote to memory of 5016 4152 446800.exe 100 PID 5016 wrote to memory of 1088 5016 tnhbtt.exe 101 PID 5016 wrote to memory of 1088 5016 tnhbtt.exe 101 PID 5016 wrote to memory of 1088 5016 tnhbtt.exe 101 PID 1088 wrote to memory of 2388 1088 frlxrlx.exe 102 PID 1088 wrote to memory of 2388 1088 frlxrlx.exe 102 PID 1088 wrote to memory of 2388 1088 frlxrlx.exe 102 PID 2388 wrote to memory of 180 2388 24086.exe 103 PID 2388 wrote to memory of 180 2388 24086.exe 103 PID 2388 wrote to memory of 180 2388 24086.exe 103 PID 180 wrote to memory of 3632 180 jvvjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3.exe"C:\Users\Admin\AppData\Local\Temp\811972e64e629fa120c01a7ffceea6ba264308daefe4ab0c0e05c430ff0d20e3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\44022.exec:\44022.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\btbbtt.exec:\btbbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\24482.exec:\24482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\4228888.exec:\4228888.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\266602.exec:\266602.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\pppjj.exec:\pppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\462060.exec:\462060.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\o648828.exec:\o648828.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\680004.exec:\680004.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\hnbthh.exec:\hnbthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\1lfxrrl.exec:\1lfxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\844820.exec:\844820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\20644.exec:\20644.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\bnhbtn.exec:\bnhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\vpjdv.exec:\vpjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\6084820.exec:\6084820.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\446800.exec:\446800.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\tnhbtt.exec:\tnhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\frlxrlx.exec:\frlxrlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\24086.exec:\24086.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\jvvjd.exec:\jvvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\vjjdp.exec:\vjjdp.exe23⤵
- Executes dropped EXE
PID:3632 -
\??\c:\bnnhbb.exec:\bnnhbb.exe24⤵
- Executes dropped EXE
PID:2232 -
\??\c:\frlxrlr.exec:\frlxrlr.exe25⤵
- Executes dropped EXE
PID:2960 -
\??\c:\hnnnhb.exec:\hnnnhb.exe26⤵
- Executes dropped EXE
PID:4196 -
\??\c:\2048660.exec:\2048660.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\thhbnh.exec:\thhbnh.exe28⤵
- Executes dropped EXE
PID:860 -
\??\c:\fxlfxrr.exec:\fxlfxrr.exe29⤵
- Executes dropped EXE
PID:3836 -
\??\c:\s6648.exec:\s6648.exe30⤵
- Executes dropped EXE
PID:4784 -
\??\c:\088262.exec:\088262.exe31⤵
- Executes dropped EXE
PID:720 -
\??\c:\1jdpd.exec:\1jdpd.exe32⤵
- Executes dropped EXE
PID:3532 -
\??\c:\1xrllfl.exec:\1xrllfl.exe33⤵
- Executes dropped EXE
PID:732 -
\??\c:\7dpdj.exec:\7dpdj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4484 -
\??\c:\thbtnh.exec:\thbtnh.exe35⤵
- Executes dropped EXE
PID:3956 -
\??\c:\6286482.exec:\6286482.exe36⤵
- Executes dropped EXE
PID:1084 -
\??\c:\7bbthh.exec:\7bbthh.exe37⤵
- Executes dropped EXE
PID:4148 -
\??\c:\2282262.exec:\2282262.exe38⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xfrfxrl.exec:\xfrfxrl.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4652 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe40⤵
- Executes dropped EXE
PID:2012 -
\??\c:\dppdd.exec:\dppdd.exe41⤵
- Executes dropped EXE
PID:2612 -
\??\c:\frlxlfx.exec:\frlxlfx.exe42⤵
- Executes dropped EXE
PID:2404 -
\??\c:\004446.exec:\004446.exe43⤵
- Executes dropped EXE
PID:1472 -
\??\c:\pdvjv.exec:\pdvjv.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ffxlrxl.exec:\ffxlrxl.exe45⤵
- Executes dropped EXE
PID:4504 -
\??\c:\rflfffh.exec:\rflfffh.exe46⤵
- Executes dropped EXE
PID:3980 -
\??\c:\tbnhbb.exec:\tbnhbb.exe47⤵
- Executes dropped EXE
PID:1556 -
\??\c:\jvddd.exec:\jvddd.exe48⤵
- Executes dropped EXE
PID:4880 -
\??\c:\rlrllll.exec:\rlrllll.exe49⤵
- Executes dropped EXE
PID:4424 -
\??\c:\062666.exec:\062666.exe50⤵
- Executes dropped EXE
PID:232 -
\??\c:\26268.exec:\26268.exe51⤵PID:3620
-
\??\c:\8840004.exec:\8840004.exe52⤵
- Executes dropped EXE
PID:1840 -
\??\c:\nbhbbt.exec:\nbhbbt.exe53⤵
- Executes dropped EXE
PID:1128 -
\??\c:\nthbhh.exec:\nthbhh.exe54⤵
- Executes dropped EXE
PID:3432 -
\??\c:\nbbtbb.exec:\nbbtbb.exe55⤵
- Executes dropped EXE
PID:5012 -
\??\c:\80604.exec:\80604.exe56⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nhhhbb.exec:\nhhhbb.exe57⤵
- Executes dropped EXE
PID:1564 -
\??\c:\2682884.exec:\2682884.exe58⤵
- Executes dropped EXE
PID:1568 -
\??\c:\m2826.exec:\m2826.exe59⤵
- Executes dropped EXE
PID:392 -
\??\c:\w02000.exec:\w02000.exe60⤵
- Executes dropped EXE
PID:4528 -
\??\c:\3jpjd.exec:\3jpjd.exe61⤵
- Executes dropped EXE
PID:1524 -
\??\c:\jjddj.exec:\jjddj.exe62⤵
- Executes dropped EXE
PID:2004 -
\??\c:\8460888.exec:\8460888.exe63⤵
- Executes dropped EXE
PID:1824 -
\??\c:\xxxxffl.exec:\xxxxffl.exe64⤵
- Executes dropped EXE
PID:2652 -
\??\c:\62482.exec:\62482.exe65⤵
- Executes dropped EXE
PID:4612 -
\??\c:\62888.exec:\62888.exe66⤵
- Executes dropped EXE
PID:2416 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe67⤵PID:3092
-
\??\c:\80004.exec:\80004.exe68⤵PID:3852
-
\??\c:\hnhntb.exec:\hnhntb.exe69⤵PID:5076
-
\??\c:\884460.exec:\884460.exe70⤵PID:4924
-
\??\c:\pdjdj.exec:\pdjdj.exe71⤵PID:4516
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe72⤵PID:3736
-
\??\c:\hbbtnn.exec:\hbbtnn.exe73⤵PID:464
-
\??\c:\3ffrflx.exec:\3ffrflx.exe74⤵PID:3784
-
\??\c:\jvvpj.exec:\jvvpj.exe75⤵PID:3252
-
\??\c:\xxrlllf.exec:\xxrlllf.exe76⤵PID:1792
-
\??\c:\jvjdp.exec:\jvjdp.exe77⤵PID:3648
-
\??\c:\e02666.exec:\e02666.exe78⤵PID:4308
-
\??\c:\s0264.exec:\s0264.exe79⤵PID:3308
-
\??\c:\k84888.exec:\k84888.exe80⤵PID:180
-
\??\c:\nnhttt.exec:\nnhttt.exe81⤵PID:2852
-
\??\c:\xrrrrrl.exec:\xrrrrrl.exe82⤵PID:4052
-
\??\c:\pjvjd.exec:\pjvjd.exe83⤵PID:1624
-
\??\c:\bbnnhh.exec:\bbnnhh.exe84⤵PID:3200
-
\??\c:\o288260.exec:\o288260.exe85⤵PID:1396
-
\??\c:\06444.exec:\06444.exe86⤵PID:2564
-
\??\c:\6406244.exec:\6406244.exe87⤵PID:4992
-
\??\c:\2686222.exec:\2686222.exe88⤵PID:1740
-
\??\c:\62226.exec:\62226.exe89⤵PID:4520
-
\??\c:\662600.exec:\662600.exe90⤵PID:4952
-
\??\c:\7ntbtt.exec:\7ntbtt.exe91⤵PID:3140
-
\??\c:\428266.exec:\428266.exe92⤵PID:4088
-
\??\c:\s4822.exec:\s4822.exe93⤵PID:3032
-
\??\c:\888482.exec:\888482.exe94⤵PID:2820
-
\??\c:\3pjdj.exec:\3pjdj.exe95⤵PID:2880
-
\??\c:\4220820.exec:\4220820.exe96⤵PID:1376
-
\??\c:\dpvvp.exec:\dpvvp.exe97⤵PID:1680
-
\??\c:\c866880.exec:\c866880.exe98⤵PID:3192
-
\??\c:\jvdpj.exec:\jvdpj.exe99⤵PID:4348
-
\??\c:\00042.exec:\00042.exe100⤵PID:3408
-
\??\c:\bnnbtn.exec:\bnnbtn.exe101⤵PID:4652
-
\??\c:\dvvvv.exec:\dvvvv.exe102⤵PID:4620
-
\??\c:\7lrrrfl.exec:\7lrrrfl.exe103⤵PID:2332
-
\??\c:\8222660.exec:\8222660.exe104⤵PID:3604
-
\??\c:\80482.exec:\80482.exe105⤵PID:2856
-
\??\c:\4888260.exec:\4888260.exe106⤵PID:3512
-
\??\c:\9tbttt.exec:\9tbttt.exe107⤵PID:4236
-
\??\c:\60648.exec:\60648.exe108⤵PID:4780
-
\??\c:\frfrrll.exec:\frfrrll.exe109⤵PID:4864
-
\??\c:\jvjdv.exec:\jvjdv.exe110⤵PID:4408
-
\??\c:\bbttnn.exec:\bbttnn.exe111⤵PID:4852
-
\??\c:\pjdjv.exec:\pjdjv.exe112⤵PID:2396
-
\??\c:\42820.exec:\42820.exe113⤵PID:4084
-
\??\c:\860422.exec:\860422.exe114⤵PID:1752
-
\??\c:\4248822.exec:\4248822.exe115⤵PID:544
-
\??\c:\rffrlfx.exec:\rffrlfx.exe116⤵PID:4404
-
\??\c:\lflxlfx.exec:\lflxlfx.exe117⤵PID:212
-
\??\c:\hnnhhb.exec:\hnnhhb.exe118⤵PID:4832
-
\??\c:\tnhbtb.exec:\tnhbtb.exe119⤵PID:1904
-
\??\c:\pddvj.exec:\pddvj.exe120⤵PID:2208
-
\??\c:\2848604.exec:\2848604.exe121⤵PID:3144
-
\??\c:\k06484.exec:\k06484.exe122⤵PID:392
-