Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/12/2024, 23:16
Static task
static1
Behavioral task
behavioral1
Sample
814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe
Resource
win7-20241010-en
General
-
Target
814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe
-
Size
454KB
-
MD5
98a36b6efbadfb162c9385dd15051be9
-
SHA1
946f0af36c66a31e3c22bfe16a90c57a667eb0e1
-
SHA256
814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c
-
SHA512
f43b3c058475550871e80983f675d30fba1e39980a035727d19c9dc8fae34de311040cca6b95ad4ab368f0dcbed29dfaa9d0ad23ff511682702929f3f86f3989
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3744-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1312-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3208-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-1016-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1516 tthhnt.exe 3648 btbttb.exe 4868 7flflxf.exe 1956 vvvvp.exe 4720 vvjdj.exe 2472 xxxrrll.exe 4804 vvvjj.exe 4556 nhnnbb.exe 1820 dpjjj.exe 3380 xrfffff.exe 4532 9hhhbh.exe 540 dvdjd.exe 4748 bhnhbh.exe 760 vpjdd.exe 4068 lfrrxrx.exe 4632 1dppd.exe 1648 1lxrfxx.exe 1288 1jddj.exe 4516 nntnbb.exe 1804 jpjjv.exe 2236 7frlllf.exe 4064 nbhhbb.exe 1312 dppjj.exe 1120 hhhhth.exe 2916 pjvdd.exe 4464 htbtnn.exe 3076 xlxrrrr.exe 4652 5djvj.exe 1864 7bbttn.exe 3136 3frllrr.exe 780 jjjdj.exe 1100 fxxrllf.exe 2208 tbhhnt.exe 4828 vdjdv.exe 1880 xlfxxxf.exe 952 dvvvv.exe 3140 ffrrxxf.exe 2004 httbbn.exe 4968 vdjdv.exe 3528 rlffxll.exe 3256 nhhbtt.exe 4860 vdpdp.exe 1916 xxfxffx.exe 2304 ddpvd.exe 2804 xxlfllf.exe 964 nntnnh.exe 4252 bbhbtn.exe 3392 vvdvp.exe 968 xllxrlf.exe 4704 7hnhbb.exe 552 pjppv.exe 3840 5rrlxfl.exe 2264 btnnnn.exe 3472 pdppj.exe 4996 nhbtth.exe 2556 jjpjj.exe 2748 lflfxrr.exe 3708 rfxrflx.exe 392 nbhbnh.exe 60 dvjdj.exe 1320 flrxxrl.exe 4804 ntnnnn.exe 1228 jvddv.exe 3348 7xfxxrf.exe -
resource yara_rule behavioral2/memory/3744-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1120-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1436-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-736-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3744 wrote to memory of 1516 3744 814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe 83 PID 3744 wrote to memory of 1516 3744 814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe 83 PID 3744 wrote to memory of 1516 3744 814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe 83 PID 1516 wrote to memory of 3648 1516 tthhnt.exe 84 PID 1516 wrote to memory of 3648 1516 tthhnt.exe 84 PID 1516 wrote to memory of 3648 1516 tthhnt.exe 84 PID 3648 wrote to memory of 4868 3648 btbttb.exe 85 PID 3648 wrote to memory of 4868 3648 btbttb.exe 85 PID 3648 wrote to memory of 4868 3648 btbttb.exe 85 PID 4868 wrote to memory of 1956 4868 7flflxf.exe 86 PID 4868 wrote to memory of 1956 4868 7flflxf.exe 86 PID 4868 wrote to memory of 1956 4868 7flflxf.exe 86 PID 1956 wrote to memory of 4720 1956 vvvvp.exe 87 PID 1956 wrote to memory of 4720 1956 vvvvp.exe 87 PID 1956 wrote to memory of 4720 1956 vvvvp.exe 87 PID 4720 wrote to memory of 2472 4720 vvjdj.exe 88 PID 4720 wrote to memory of 2472 4720 vvjdj.exe 88 PID 4720 wrote to memory of 2472 4720 vvjdj.exe 88 PID 2472 wrote to memory of 4804 2472 xxxrrll.exe 89 PID 2472 wrote to memory of 4804 2472 xxxrrll.exe 89 PID 2472 wrote to memory of 4804 2472 xxxrrll.exe 89 PID 4804 wrote to memory of 4556 4804 vvvjj.exe 90 PID 4804 wrote to memory of 4556 4804 vvvjj.exe 90 PID 4804 wrote to memory of 4556 4804 vvvjj.exe 90 PID 4556 wrote to memory of 1820 4556 nhnnbb.exe 91 PID 4556 wrote to memory of 1820 4556 nhnnbb.exe 91 PID 4556 wrote to memory of 1820 4556 nhnnbb.exe 91 PID 1820 wrote to memory of 3380 1820 dpjjj.exe 92 PID 1820 wrote to memory of 3380 1820 dpjjj.exe 92 PID 1820 wrote to memory of 3380 1820 dpjjj.exe 92 PID 3380 wrote to memory of 4532 3380 xrfffff.exe 93 PID 3380 wrote to memory of 4532 3380 xrfffff.exe 93 PID 3380 wrote to memory of 4532 3380 xrfffff.exe 93 PID 4532 wrote to memory of 540 4532 9hhhbh.exe 94 PID 4532 wrote to 
memory of 540 4532 9hhhbh.exe 94 PID 4532 wrote to memory of 540 4532 9hhhbh.exe 94 PID 540 wrote to memory of 4748 540 dvdjd.exe 95 PID 540 wrote to memory of 4748 540 dvdjd.exe 95 PID 540 wrote to memory of 4748 540 dvdjd.exe 95 PID 4748 wrote to memory of 760 4748 bhnhbh.exe 96 PID 4748 wrote to memory of 760 4748 bhnhbh.exe 96 PID 4748 wrote to memory of 760 4748 bhnhbh.exe 96 PID 760 wrote to memory of 4068 760 vpjdd.exe 97 PID 760 wrote to memory of 4068 760 vpjdd.exe 97 PID 760 wrote to memory of 4068 760 vpjdd.exe 97 PID 4068 wrote to memory of 4632 4068 lfrrxrx.exe 98 PID 4068 wrote to memory of 4632 4068 lfrrxrx.exe 98 PID 4068 wrote to memory of 4632 4068 lfrrxrx.exe 98 PID 4632 wrote to memory of 1648 4632 1dppd.exe 99 PID 4632 wrote to memory of 1648 4632 1dppd.exe 99 PID 4632 wrote to memory of 1648 4632 1dppd.exe 99 PID 1648 wrote to memory of 1288 1648 1lxrfxx.exe 100 PID 1648 wrote to memory of 1288 1648 1lxrfxx.exe 100 PID 1648 wrote to memory of 1288 1648 1lxrfxx.exe 100 PID 1288 wrote to memory of 4516 1288 1jddj.exe 101 PID 1288 wrote to memory of 4516 1288 1jddj.exe 101 PID 1288 wrote to memory of 4516 1288 1jddj.exe 101 PID 4516 wrote to memory of 1804 4516 nntnbb.exe 102 PID 4516 wrote to memory of 1804 4516 nntnbb.exe 102 PID 4516 wrote to memory of 1804 4516 nntnbb.exe 102 PID 1804 wrote to memory of 2236 1804 jpjjv.exe 103 PID 1804 wrote to memory of 2236 1804 jpjjv.exe 103 PID 1804 wrote to memory of 2236 1804 jpjjv.exe 103 PID 2236 wrote to memory of 4064 2236 7frlllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe"C:\Users\Admin\AppData\Local\Temp\814d978bde9b22a623eb91b1062d62f0173bd0fcdf439c9dcef44a6e51407f4c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\tthhnt.exec:\tthhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\btbttb.exec:\btbttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\7flflxf.exec:\7flflxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\vvvvp.exec:\vvvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\vvjdj.exec:\vvjdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\xxxrrll.exec:\xxxrrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\vvvjj.exec:\vvvjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\nhnnbb.exec:\nhnnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\dpjjj.exec:\dpjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\xrfffff.exec:\xrfffff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\9hhhbh.exec:\9hhhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\dvdjd.exec:\dvdjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\bhnhbh.exec:\bhnhbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\vpjdd.exec:\vpjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\lfrrxrx.exec:\lfrrxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\1dppd.exec:\1dppd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\1lxrfxx.exec:\1lxrfxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\1jddj.exec:\1jddj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\nntnbb.exec:\nntnbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\jpjjv.exec:\jpjjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\7frlllf.exec:\7frlllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\nbhhbb.exec:\nbhhbb.exe23⤵
- Executes dropped EXE
PID:4064 -
\??\c:\dppjj.exec:\dppjj.exe24⤵
- Executes dropped EXE
PID:1312 -
\??\c:\hhhhth.exec:\hhhhth.exe25⤵
- Executes dropped EXE
PID:1120 -
\??\c:\pjvdd.exec:\pjvdd.exe26⤵
- Executes dropped EXE
PID:2916 -
\??\c:\htbtnn.exec:\htbtnn.exe27⤵
- Executes dropped EXE
PID:4464 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe28⤵
- Executes dropped EXE
PID:3076 -
\??\c:\5djvj.exec:\5djvj.exe29⤵
- Executes dropped EXE
PID:4652 -
\??\c:\7bbttn.exec:\7bbttn.exe30⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3frllrr.exec:\3frllrr.exe31⤵
- Executes dropped EXE
PID:3136 -
\??\c:\jjjdj.exec:\jjjdj.exe32⤵
- Executes dropped EXE
PID:780 -
\??\c:\fxxrllf.exec:\fxxrllf.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100 -
\??\c:\tbhhnt.exec:\tbhhnt.exe34⤵
- Executes dropped EXE
PID:2208 -
\??\c:\vdjdv.exec:\vdjdv.exe35⤵
- Executes dropped EXE
PID:4828 -
\??\c:\xlfxxxf.exec:\xlfxxxf.exe36⤵
- Executes dropped EXE
PID:1880 -
\??\c:\dvvvv.exec:\dvvvv.exe37⤵
- Executes dropped EXE
PID:952 -
\??\c:\ffrrxxf.exec:\ffrrxxf.exe38⤵
- Executes dropped EXE
PID:3140 -
\??\c:\httbbn.exec:\httbbn.exe39⤵
- Executes dropped EXE
PID:2004 -
\??\c:\vdjdv.exec:\vdjdv.exe40⤵
- Executes dropped EXE
PID:4968 -
\??\c:\rlffxll.exec:\rlffxll.exe41⤵
- Executes dropped EXE
PID:3528 -
\??\c:\nhhbtt.exec:\nhhbtt.exe42⤵
- Executes dropped EXE
PID:3256 -
\??\c:\vdpdp.exec:\vdpdp.exe43⤵
- Executes dropped EXE
PID:4860 -
\??\c:\xxfxffx.exec:\xxfxffx.exe44⤵
- Executes dropped EXE
PID:1916 -
\??\c:\ddpvd.exec:\ddpvd.exe45⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xxlfllf.exec:\xxlfllf.exe46⤵
- Executes dropped EXE
PID:2804 -
\??\c:\nntnnh.exec:\nntnnh.exe47⤵
- Executes dropped EXE
PID:964 -
\??\c:\bbhbtn.exec:\bbhbtn.exe48⤵
- Executes dropped EXE
PID:4252 -
\??\c:\vvdvp.exec:\vvdvp.exe49⤵
- Executes dropped EXE
PID:3392 -
\??\c:\xllxrlf.exec:\xllxrlf.exe50⤵
- Executes dropped EXE
PID:968 -
\??\c:\7hnhbb.exec:\7hnhbb.exe51⤵
- Executes dropped EXE
PID:4704 -
\??\c:\pjppv.exec:\pjppv.exe52⤵
- Executes dropped EXE
PID:552 -
\??\c:\5rrlxfl.exec:\5rrlxfl.exe53⤵
- Executes dropped EXE
PID:3840 -
\??\c:\btnnnn.exec:\btnnnn.exe54⤵
- Executes dropped EXE
PID:2264 -
\??\c:\pdppj.exec:\pdppj.exe55⤵
- Executes dropped EXE
PID:3472 -
\??\c:\nhbtth.exec:\nhbtth.exe56⤵
- Executes dropped EXE
PID:4996 -
\??\c:\jjpjj.exec:\jjpjj.exe57⤵
- Executes dropped EXE
PID:2556 -
\??\c:\lflfxrr.exec:\lflfxrr.exe58⤵
- Executes dropped EXE
PID:2748 -
\??\c:\rfxrflx.exec:\rfxrflx.exe59⤵
- Executes dropped EXE
PID:3708 -
\??\c:\nbhbnh.exec:\nbhbnh.exe60⤵
- Executes dropped EXE
PID:392 -
\??\c:\dvjdj.exec:\dvjdj.exe61⤵
- Executes dropped EXE
PID:60 -
\??\c:\flrxxrl.exec:\flrxxrl.exe62⤵
- Executes dropped EXE
PID:1320 -
\??\c:\ntnnnn.exec:\ntnnnn.exe63⤵
- Executes dropped EXE
PID:4804 -
\??\c:\jvddv.exec:\jvddv.exe64⤵
- Executes dropped EXE
PID:1228 -
\??\c:\7xfxxrf.exec:\7xfxxrf.exe65⤵
- Executes dropped EXE
PID:3348 -
\??\c:\ntnnhh.exec:\ntnnhh.exe66⤵PID:628
-
\??\c:\1vvpd.exec:\1vvpd.exe67⤵PID:2784
-
\??\c:\pjjvv.exec:\pjjvv.exe68⤵PID:3208
-
\??\c:\rxxlxfr.exec:\rxxlxfr.exe69⤵PID:2816
-
\??\c:\nhbtbb.exec:\nhbtbb.exe70⤵PID:3784
-
\??\c:\jdppv.exec:\jdppv.exe71⤵PID:4988
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe72⤵PID:2640
-
\??\c:\xxlflll.exec:\xxlflll.exe73⤵PID:1700
-
\??\c:\nhnhnh.exec:\nhnhnh.exe74⤵PID:4076
-
\??\c:\pjpdv.exec:\pjpdv.exe75⤵PID:5040
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe76⤵PID:2016
-
\??\c:\7xrllfx.exec:\7xrllfx.exe77⤵PID:1436
-
\??\c:\bttnnh.exec:\bttnnh.exe78⤵PID:2176
-
\??\c:\pvjdv.exec:\pvjdv.exe79⤵PID:4060
-
\??\c:\xxflfrl.exec:\xxflfrl.exe80⤵PID:5116
-
\??\c:\htbttt.exec:\htbttt.exe81⤵PID:1804
-
\??\c:\dvvvp.exec:\dvvvp.exe82⤵PID:4540
-
\??\c:\ffffffl.exec:\ffffffl.exe83⤵PID:2008
-
\??\c:\lflffff.exec:\lflffff.exe84⤵PID:3416
-
\??\c:\hnbttb.exec:\hnbttb.exe85⤵PID:3172
-
\??\c:\tnntnb.exec:\tnntnb.exe86⤵PID:768
-
\??\c:\5djdd.exec:\5djdd.exe87⤵PID:2628
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe88⤵PID:4712
-
\??\c:\bthbht.exec:\bthbht.exe89⤵PID:5088
-
\??\c:\jppjp.exec:\jppjp.exe90⤵PID:3928
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe91⤵PID:3076
-
\??\c:\7ttttt.exec:\7ttttt.exe92⤵PID:2064
-
\??\c:\pjvjp.exec:\pjvjp.exe93⤵PID:2708
-
\??\c:\3llfxfx.exec:\3llfxfx.exe94⤵PID:1600
-
\??\c:\tthbhh.exec:\tthbhh.exe95⤵
- System Location Discovery: System Language Discovery
PID:3532 -
\??\c:\nhhbbn.exec:\nhhbbn.exe96⤵PID:4488
-
\??\c:\ddvjd.exec:\ddvjd.exe97⤵PID:1260
-
\??\c:\rlrrlrr.exec:\rlrrlrr.exe98⤵PID:4936
-
\??\c:\3ttbtt.exec:\3ttbtt.exe99⤵PID:4888
-
\??\c:\jdddj.exec:\jdddj.exe100⤵PID:1840
-
\??\c:\xfxrrlr.exec:\xfxrrlr.exe101⤵PID:4356
-
\??\c:\hhhbbb.exec:\hhhbbb.exe102⤵PID:1412
-
\??\c:\vvdpd.exec:\vvdpd.exe103⤵PID:3444
-
\??\c:\lrfrrff.exec:\lrfrrff.exe104⤵PID:2004
-
\??\c:\rlllflf.exec:\rlllflf.exe105⤵PID:3640
-
\??\c:\tbhhhh.exec:\tbhhhh.exe106⤵PID:1244
-
\??\c:\djppv.exec:\djppv.exe107⤵PID:3256
-
\??\c:\lrffrrx.exec:\lrffrrx.exe108⤵PID:4860
-
\??\c:\bnthth.exec:\bnthth.exe109⤵PID:4756
-
\??\c:\jjppp.exec:\jjppp.exe110⤵PID:2304
-
\??\c:\fffxrrx.exec:\fffxrrx.exe111⤵PID:2804
-
\??\c:\lfxfxxx.exec:\lfxfxxx.exe112⤵PID:964
-
\??\c:\9hbnbt.exec:\9hbnbt.exe113⤵PID:1452
-
\??\c:\9pvpd.exec:\9pvpd.exe114⤵PID:4444
-
\??\c:\7fxxrrr.exec:\7fxxrrr.exe115⤵PID:3408
-
\??\c:\ttbhbb.exec:\ttbhbb.exe116⤵PID:3744
-
\??\c:\tthnnn.exec:\tthnnn.exe117⤵
- System Location Discovery: System Language Discovery
PID:4296 -
\??\c:\pppdp.exec:\pppdp.exe118⤵PID:3836
-
\??\c:\xxfxffl.exec:\xxfxffl.exe119⤵
- System Location Discovery: System Language Discovery
PID:2948 -
\??\c:\5fxxrxr.exec:\5fxxrxr.exe120⤵PID:3932
-
\??\c:\djjjd.exec:\djjjd.exe121⤵PID:1328
-
\??\c:\dvvpp.exec:\dvvpp.exe122⤵PID:4868