Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2024, 23:24
Static task
static1
Behavioral task
behavioral1
Sample
85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c.exe
Resource
win7-20240903-en
General
-
Target
85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c.exe
-
Size
453KB
-
MD5
1df35bc50c0ee817910fd9f6f2693f9f
-
SHA1
375124745971c2cbf9f203be91d9f08af788a7b6
-
SHA256
85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c
-
SHA512
ee463eb30139c1ea77a50ae01ff12c83a4355053933d1ea04f187295926582ee3f77ac8b3f3255f9c001ce3706eb9066102a1ab1603138337096148aed81d7a6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4412-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3436-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3452-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-1094-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-1205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1760 6242842.exe 1008 48262.exe 4944 20022.exe 216 btttht.exe 2476 0048426.exe 2880 btbhhn.exe 3284 ffrxrfr.exe 3412 3lxxxff.exe 800 fxrflrf.exe 3864 26266.exe 3772 xfllrxf.exe 1128 bbhtht.exe 1584 680662.exe 4656 2460066.exe 1436 rlffxrr.exe 2528 rlfxrlf.exe 4516 nnnttt.exe 640 26008.exe 764 624024.exe 860 48442.exe 4612 02822.exe 2312 tnnnnt.exe 4084 648608.exe 1368 24604.exe 4588 060044.exe 2348 bhnhbb.exe 4004 6402044.exe 3436 hnbtnh.exe 1992 pjvpd.exe 4928 284826.exe 4464 462862.exe 3272 648000.exe 2028 llxxrxr.exe 5012 9ntttt.exe 3484 rlrxffl.exe 4896 042288.exe 2376 xrlffxr.exe 3812 m2062.exe 1432 6426008.exe 4640 nnbbbb.exe 5032 422622.exe 552 6828404.exe 2680 rfxfrrf.exe 224 4086200.exe 3148 3jjjp.exe 4032 hbbtnn.exe 412 46626.exe 2868 w84822.exe 2184 nhnnnn.exe 3580 xlrxlfr.exe 3996 26660.exe 1124 60662.exe 4476 006662.exe 2032 40462.exe 4488 8662862.exe 4268 3jvvv.exe 3328 lffxrrr.exe 452 8460244.exe 4904 464000.exe 4736 dvpjj.exe 1424 06488.exe 1408 bhtttb.exe 4632 vpdvp.exe 220 xlxxrrl.exe -
resource yara_rule behavioral2/memory/4412-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4588-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4900-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-713-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c060448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k24880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2800004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 224460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c282604.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2460066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0646604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4412 wrote to memory of 1760 4412 85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c.exe 83 PID 4412 wrote to memory of 1760 4412 85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c.exe 83 PID 4412 wrote to memory of 1760 4412 85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c.exe 83 PID 1760 wrote to memory of 1008 1760 6242842.exe 84 PID 1760 wrote to memory of 1008 1760 6242842.exe 84 PID 1760 wrote to memory of 1008 1760 6242842.exe 84 PID 1008 wrote to memory of 4944 1008 48262.exe 85 PID 1008 wrote to memory of 4944 1008 48262.exe 85 PID 1008 wrote to memory of 4944 1008 48262.exe 85 PID 4944 wrote to memory of 216 4944 20022.exe 86 PID 4944 wrote to memory of 216 4944 20022.exe 86 PID 4944 wrote to memory of 216 4944 20022.exe 86 PID 216 wrote to memory of 2476 216 btttht.exe 87 PID 216 wrote to memory of 2476 216 btttht.exe 87 PID 216 wrote to memory of 2476 216 btttht.exe 87 PID 2476 wrote to memory of 2880 2476 0048426.exe 149 PID 2476 wrote to memory of 2880 2476 0048426.exe 149 PID 2476 wrote to memory of 2880 2476 0048426.exe 149 PID 2880 wrote to memory of 3284 2880 btbhhn.exe 89 PID 2880 wrote to memory of 3284 2880 btbhhn.exe 89 PID 2880 wrote to memory of 3284 2880 btbhhn.exe 89 PID 3284 wrote to memory of 3412 3284 ffrxrfr.exe 90 PID 3284 wrote to memory of 3412 3284 ffrxrfr.exe 90 PID 3284 wrote to memory of 3412 3284 ffrxrfr.exe 90 PID 3412 wrote to memory of 800 3412 3lxxxff.exe 91 PID 3412 wrote to memory of 800 3412 3lxxxff.exe 91 PID 3412 wrote to memory of 800 3412 3lxxxff.exe 91 PID 800 wrote to memory of 3864 800 fxrflrf.exe 92 PID 800 wrote to memory of 3864 800 fxrflrf.exe 92 PID 800 wrote to memory of 3864 800 fxrflrf.exe 92 PID 3864 wrote to memory of 3772 3864 26266.exe 93 PID 3864 wrote to memory of 3772 3864 26266.exe 93 PID 3864 wrote to memory of 3772 3864 26266.exe 93 PID 3772 wrote to memory of 1128 3772 xfllrxf.exe 94 PID 3772 wrote to memory of 
1128 3772 xfllrxf.exe 94 PID 3772 wrote to memory of 1128 3772 xfllrxf.exe 94 PID 1128 wrote to memory of 1584 1128 bbhtht.exe 95 PID 1128 wrote to memory of 1584 1128 bbhtht.exe 95 PID 1128 wrote to memory of 1584 1128 bbhtht.exe 95 PID 1584 wrote to memory of 4656 1584 680662.exe 96 PID 1584 wrote to memory of 4656 1584 680662.exe 96 PID 1584 wrote to memory of 4656 1584 680662.exe 96 PID 4656 wrote to memory of 1436 4656 2460066.exe 160 PID 4656 wrote to memory of 1436 4656 2460066.exe 160 PID 4656 wrote to memory of 1436 4656 2460066.exe 160 PID 1436 wrote to memory of 2528 1436 rlffxrr.exe 98 PID 1436 wrote to memory of 2528 1436 rlffxrr.exe 98 PID 1436 wrote to memory of 2528 1436 rlffxrr.exe 98 PID 2528 wrote to memory of 4516 2528 rlfxrlf.exe 99 PID 2528 wrote to memory of 4516 2528 rlfxrlf.exe 99 PID 2528 wrote to memory of 4516 2528 rlfxrlf.exe 99 PID 4516 wrote to memory of 640 4516 nnnttt.exe 100 PID 4516 wrote to memory of 640 4516 nnnttt.exe 100 PID 4516 wrote to memory of 640 4516 nnnttt.exe 100 PID 640 wrote to memory of 764 640 26008.exe 101 PID 640 wrote to memory of 764 640 26008.exe 101 PID 640 wrote to memory of 764 640 26008.exe 101 PID 764 wrote to memory of 860 764 624024.exe 102 PID 764 wrote to memory of 860 764 624024.exe 102 PID 764 wrote to memory of 860 764 624024.exe 102 PID 860 wrote to memory of 4612 860 48442.exe 103 PID 860 wrote to memory of 4612 860 48442.exe 103 PID 860 wrote to memory of 4612 860 48442.exe 103 PID 4612 wrote to memory of 2312 4612 02822.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c.exe"C:\Users\Admin\AppData\Local\Temp\85e87e390e47689ae3053d7018b0b9728b615399aafc8be0e341400589ab788c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\6242842.exec:\6242842.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\48262.exec:\48262.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\20022.exec:\20022.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\btttht.exec:\btttht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\0048426.exec:\0048426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\btbhhn.exec:\btbhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\ffrxrfr.exec:\ffrxrfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\3lxxxff.exec:\3lxxxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\fxrflrf.exec:\fxrflrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\26266.exec:\26266.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\xfllrxf.exec:\xfllrxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\bbhtht.exec:\bbhtht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\680662.exec:\680662.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\2460066.exec:\2460066.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\rlffxrr.exec:\rlffxrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\nnnttt.exec:\nnnttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\26008.exec:\26008.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\624024.exec:\624024.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\48442.exec:\48442.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\02822.exec:\02822.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\tnnnnt.exec:\tnnnnt.exe23⤵
- Executes dropped EXE
PID:2312 -
\??\c:\648608.exec:\648608.exe24⤵
- Executes dropped EXE
PID:4084 -
\??\c:\24604.exec:\24604.exe25⤵
- Executes dropped EXE
PID:1368 -
\??\c:\060044.exec:\060044.exe26⤵
- Executes dropped EXE
PID:4588 -
\??\c:\bhnhbb.exec:\bhnhbb.exe27⤵
- Executes dropped EXE
PID:2348 -
\??\c:\6402044.exec:\6402044.exe28⤵
- Executes dropped EXE
PID:4004 -
\??\c:\hnbtnh.exec:\hnbtnh.exe29⤵
- Executes dropped EXE
PID:3436 -
\??\c:\pjvpd.exec:\pjvpd.exe30⤵
- Executes dropped EXE
PID:1992 -
\??\c:\284826.exec:\284826.exe31⤵
- Executes dropped EXE
PID:4928 -
\??\c:\462862.exec:\462862.exe32⤵
- Executes dropped EXE
PID:4464 -
\??\c:\648000.exec:\648000.exe33⤵
- Executes dropped EXE
PID:3272 -
\??\c:\llxxrxr.exec:\llxxrxr.exe34⤵
- Executes dropped EXE
PID:2028 -
\??\c:\9ntttt.exec:\9ntttt.exe35⤵
- Executes dropped EXE
PID:5012 -
\??\c:\rlrxffl.exec:\rlrxffl.exe36⤵
- Executes dropped EXE
PID:3484 -
\??\c:\042288.exec:\042288.exe37⤵
- Executes dropped EXE
PID:4896 -
\??\c:\xrlffxr.exec:\xrlffxr.exe38⤵
- Executes dropped EXE
PID:2376 -
\??\c:\m2062.exec:\m2062.exe39⤵
- Executes dropped EXE
PID:3812 -
\??\c:\6426008.exec:\6426008.exe40⤵
- Executes dropped EXE
PID:1432 -
\??\c:\nnbbbb.exec:\nnbbbb.exe41⤵
- Executes dropped EXE
PID:4640 -
\??\c:\422622.exec:\422622.exe42⤵
- Executes dropped EXE
PID:5032 -
\??\c:\6828404.exec:\6828404.exe43⤵
- Executes dropped EXE
PID:552 -
\??\c:\rfxfrrf.exec:\rfxfrrf.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\4086200.exec:\4086200.exe45⤵
- Executes dropped EXE
PID:224 -
\??\c:\3jjjp.exec:\3jjjp.exe46⤵
- Executes dropped EXE
PID:3148 -
\??\c:\hbbtnn.exec:\hbbtnn.exe47⤵
- Executes dropped EXE
PID:4032 -
\??\c:\46626.exec:\46626.exe48⤵
- Executes dropped EXE
PID:412 -
\??\c:\w84822.exec:\w84822.exe49⤵
- Executes dropped EXE
PID:2868 -
\??\c:\nhnnnn.exec:\nhnnnn.exe50⤵
- Executes dropped EXE
PID:2184 -
\??\c:\xlrxlfr.exec:\xlrxlfr.exe51⤵
- Executes dropped EXE
PID:3580 -
\??\c:\26660.exec:\26660.exe52⤵
- Executes dropped EXE
PID:3996 -
\??\c:\60662.exec:\60662.exe53⤵
- Executes dropped EXE
PID:1124 -
\??\c:\006662.exec:\006662.exe54⤵
- Executes dropped EXE
PID:4476 -
\??\c:\40462.exec:\40462.exe55⤵
- Executes dropped EXE
PID:2032 -
\??\c:\8662862.exec:\8662862.exe56⤵
- Executes dropped EXE
PID:4488 -
\??\c:\3jvvv.exec:\3jvvv.exe57⤵
- Executes dropped EXE
PID:4268 -
\??\c:\lffxrrr.exec:\lffxrrr.exe58⤵
- Executes dropped EXE
PID:3328 -
\??\c:\ttnnhh.exec:\ttnnhh.exe59⤵PID:4784
-
\??\c:\8460244.exec:\8460244.exe60⤵
- Executes dropped EXE
PID:452 -
\??\c:\464000.exec:\464000.exe61⤵
- Executes dropped EXE
PID:4904 -
\??\c:\dvpjj.exec:\dvpjj.exe62⤵
- Executes dropped EXE
PID:4736 -
\??\c:\06488.exec:\06488.exe63⤵
- Executes dropped EXE
PID:1424 -
\??\c:\bhtttb.exec:\bhtttb.exe64⤵
- Executes dropped EXE
PID:1408 -
\??\c:\vpdvp.exec:\vpdvp.exe65⤵
- Executes dropped EXE
PID:4632 -
\??\c:\xlxxrrl.exec:\xlxxrrl.exe66⤵
- Executes dropped EXE
PID:220 -
\??\c:\0226000.exec:\0226000.exe67⤵PID:624
-
\??\c:\8444400.exec:\8444400.exe68⤵PID:2880
-
\??\c:\00848.exec:\00848.exe69⤵PID:3492
-
\??\c:\bnhhnn.exec:\bnhhnn.exe70⤵PID:4060
-
\??\c:\06648.exec:\06648.exe71⤵PID:1560
-
\??\c:\lfxlrxf.exec:\lfxlrxf.exe72⤵PID:1112
-
\??\c:\fxxffff.exec:\fxxffff.exe73⤵PID:1620
-
\??\c:\o088626.exec:\o088626.exe74⤵PID:1720
-
\??\c:\06440.exec:\06440.exe75⤵PID:2720
-
\??\c:\dddvv.exec:\dddvv.exe76⤵PID:4356
-
\??\c:\xrxxxff.exec:\xrxxxff.exe77⤵PID:3452
-
\??\c:\44006.exec:\44006.exe78⤵PID:1400
-
\??\c:\u848226.exec:\u848226.exe79⤵PID:1436
-
\??\c:\dvdjv.exec:\dvdjv.exe80⤵PID:5060
-
\??\c:\2468404.exec:\2468404.exe81⤵PID:3020
-
\??\c:\tbnhtt.exec:\tbnhtt.exe82⤵PID:2448
-
\??\c:\htbthb.exec:\htbthb.exe83⤵PID:5084
-
\??\c:\6882666.exec:\6882666.exe84⤵PID:3720
-
\??\c:\608288.exec:\608288.exe85⤵PID:4848
-
\??\c:\bhnnhb.exec:\bhnnhb.exe86⤵PID:2036
-
\??\c:\042400.exec:\042400.exe87⤵PID:2384
-
\??\c:\xrfrrrl.exec:\xrfrrrl.exe88⤵PID:2856
-
\??\c:\rlrlllf.exec:\rlrlllf.exe89⤵PID:5056
-
\??\c:\nnnnnn.exec:\nnnnnn.exe90⤵PID:4900
-
\??\c:\fllrrfx.exec:\fllrrfx.exe91⤵PID:4452
-
\??\c:\lxfxllf.exec:\lxfxllf.exe92⤵PID:4464
-
\??\c:\840200.exec:\840200.exe93⤵PID:2300
-
\??\c:\frlrxxx.exec:\frlrxxx.exe94⤵PID:3728
-
\??\c:\xxllxrf.exec:\xxllxrf.exe95⤵PID:4520
-
\??\c:\xlrllll.exec:\xlrllll.exe96⤵PID:4896
-
\??\c:\262822.exec:\262822.exe97⤵PID:2752
-
\??\c:\vdvvp.exec:\vdvvp.exe98⤵PID:2172
-
\??\c:\0804686.exec:\0804686.exe99⤵PID:1668
-
\??\c:\1nbnnn.exec:\1nbnnn.exe100⤵PID:4768
-
\??\c:\xlrxllr.exec:\xlrxllr.exe101⤵PID:3264
-
\??\c:\ntnnbb.exec:\ntnnbb.exe102⤵PID:1828
-
\??\c:\64042.exec:\64042.exe103⤵PID:1140
-
\??\c:\086642.exec:\086642.exe104⤵PID:4292
-
\??\c:\tbbtbt.exec:\tbbtbt.exe105⤵PID:688
-
\??\c:\66068.exec:\66068.exe106⤵PID:2112
-
\??\c:\5ddvp.exec:\5ddvp.exe107⤵PID:3548
-
\??\c:\3xxrllf.exec:\3xxrllf.exe108⤵PID:3984
-
\??\c:\264406.exec:\264406.exe109⤵PID:4580
-
\??\c:\frxfxfr.exec:\frxfxfr.exe110⤵PID:1864
-
\??\c:\pddvv.exec:\pddvv.exe111⤵PID:1232
-
\??\c:\djdvj.exec:\djdvj.exe112⤵PID:4000
-
\??\c:\8682822.exec:\8682822.exe113⤵PID:3552
-
\??\c:\rfllffx.exec:\rfllffx.exe114⤵PID:4068
-
\??\c:\6480686.exec:\6480686.exe115⤵PID:4268
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe116⤵PID:3328
-
\??\c:\8684844.exec:\8684844.exe117⤵PID:4916
-
\??\c:\82628.exec:\82628.exe118⤵PID:5008
-
\??\c:\8626060.exec:\8626060.exe119⤵PID:1760
-
\??\c:\fxrlllf.exec:\fxrlllf.exe120⤵PID:516
-
\??\c:\rlxrllr.exec:\rlxrllr.exe121⤵PID:2728
-
\??\c:\bbthnt.exec:\bbthnt.exe122⤵PID:244
-