Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2024, 23:29
Static task
static1
Behavioral task
behavioral1
Sample
86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe
Resource
win7-20240903-en
General
-
Target
86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe
-
Size
456KB
-
MD5
0c02684a7a7b494619ecb05e101ddaca
-
SHA1
2530b6fa799b0215adefa51fa6a886241539e652
-
SHA256
86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84
-
SHA512
95ea1dbe1b9ec6c8a1f351dacf429746809531306a01cb901cc61563ced574ee0520ae38fad4b895e3044f8104727c4431fff89c8aa2c7bea6c1efb254f947d3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4436-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4108-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3448-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-958-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-1196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4436 4688226.exe 1040 268228.exe 4808 htbttt.exe 1944 06064.exe 1772 242460.exe 2116 hhnbnt.exe 3096 448226.exe 900 tbbthb.exe 2108 e08860.exe 3052 9lllxlf.exe 4116 60040.exe 4892 thbnth.exe 4728 bnnhbt.exe 1324 hnbttn.exe 2928 i442082.exe 632 9hhnnn.exe 1744 5lllxfx.exe 2824 60068.exe 3724 jdpjp.exe 4460 02826.exe 1736 rflfxrx.exe 4108 62860.exe 3660 626282.exe 2200 28064.exe 2900 bbbbtn.exe 4988 bnbnbt.exe 116 042622.exe 3696 hnnhbt.exe 876 htbbtt.exe 3632 ddppd.exe 2364 jddpv.exe 2160 pvvdd.exe 4316 6460488.exe 1232 lrxrffx.exe 1180 84608.exe 4100 5lfxrrr.exe 2796 2226802.exe 3700 vjjdj.exe 2040 28082.exe 4732 pddjd.exe 3192 8688442.exe 2944 242888.exe 3172 6084020.exe 2232 3lfxxxx.exe 828 c466660.exe 4356 jjppj.exe 4364 0800262.exe 2700 04288.exe 2888 o626048.exe 4836 nnnnnn.exe 1044 m4482.exe 1448 2804660.exe 1944 0688622.exe 3996 vjdjp.exe 4484 rlxllrr.exe 1488 08826.exe 1664 rrlxlxf.exe 4084 088286.exe 3140 202488.exe 5020 xrlxrlf.exe 4676 flrfxrl.exe 2696 hbhbbt.exe 4952 ppvpj.exe 1412 8022222.exe -
resource yara_rule behavioral2/memory/4436-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-179-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2364-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3960-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-851-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-958-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4844882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2004 wrote to memory of 4436 2004 86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe 83 PID 2004 wrote to memory of 4436 2004 86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe 83 PID 2004 wrote to memory of 4436 2004 86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe 83 PID 4436 wrote to memory of 1040 4436 4688226.exe 84 PID 4436 wrote to memory of 1040 4436 4688226.exe 84 PID 4436 wrote to memory of 1040 4436 4688226.exe 84 PID 1040 wrote to memory of 4808 1040 268228.exe 85 PID 1040 wrote to memory of 4808 1040 268228.exe 85 PID 1040 wrote to memory of 4808 1040 268228.exe 85 PID 4808 wrote to memory of 1944 4808 htbttt.exe 86 PID 4808 wrote to memory of 1944 4808 htbttt.exe 86 PID 4808 wrote to memory of 1944 4808 htbttt.exe 86 PID 1944 wrote to memory of 1772 1944 06064.exe 87 PID 1944 wrote to memory of 1772 1944 06064.exe 87 PID 1944 wrote to memory of 1772 1944 06064.exe 87 PID 1772 wrote to memory of 2116 1772 242460.exe 88 PID 1772 wrote to memory of 2116 1772 242460.exe 88 PID 1772 wrote to memory of 2116 1772 242460.exe 88 PID 2116 wrote to memory of 3096 2116 hhnbnt.exe 89 PID 2116 wrote to memory of 3096 2116 hhnbnt.exe 89 PID 2116 wrote to memory of 3096 2116 hhnbnt.exe 89 PID 3096 wrote to memory of 900 3096 448226.exe 90 PID 3096 wrote to memory of 900 3096 448226.exe 90 PID 3096 wrote to memory of 900 3096 448226.exe 90 PID 900 wrote to memory of 2108 900 tbbthb.exe 91 PID 900 wrote to memory of 2108 900 tbbthb.exe 91 PID 900 wrote to memory of 2108 900 tbbthb.exe 91 PID 2108 wrote to memory of 3052 2108 e08860.exe 92 PID 2108 wrote to memory of 3052 2108 e08860.exe 92 PID 2108 wrote to memory of 3052 2108 e08860.exe 92 PID 3052 wrote to memory of 4116 3052 9lllxlf.exe 93 PID 3052 wrote to memory of 4116 3052 9lllxlf.exe 93 PID 3052 wrote to memory of 4116 3052 9lllxlf.exe 93 PID 4116 wrote to memory of 4892 4116 60040.exe 94 PID 4116 wrote to memory 
of 4892 4116 60040.exe 94 PID 4116 wrote to memory of 4892 4116 60040.exe 94 PID 4892 wrote to memory of 4728 4892 thbnth.exe 95 PID 4892 wrote to memory of 4728 4892 thbnth.exe 95 PID 4892 wrote to memory of 4728 4892 thbnth.exe 95 PID 4728 wrote to memory of 1324 4728 bnnhbt.exe 96 PID 4728 wrote to memory of 1324 4728 bnnhbt.exe 96 PID 4728 wrote to memory of 1324 4728 bnnhbt.exe 96 PID 1324 wrote to memory of 2928 1324 hnbttn.exe 97 PID 1324 wrote to memory of 2928 1324 hnbttn.exe 97 PID 1324 wrote to memory of 2928 1324 hnbttn.exe 97 PID 2928 wrote to memory of 632 2928 i442082.exe 98 PID 2928 wrote to memory of 632 2928 i442082.exe 98 PID 2928 wrote to memory of 632 2928 i442082.exe 98 PID 632 wrote to memory of 1744 632 9hhnnn.exe 99 PID 632 wrote to memory of 1744 632 9hhnnn.exe 99 PID 632 wrote to memory of 1744 632 9hhnnn.exe 99 PID 1744 wrote to memory of 2824 1744 5lllxfx.exe 100 PID 1744 wrote to memory of 2824 1744 5lllxfx.exe 100 PID 1744 wrote to memory of 2824 1744 5lllxfx.exe 100 PID 2824 wrote to memory of 3724 2824 60068.exe 101 PID 2824 wrote to memory of 3724 2824 60068.exe 101 PID 2824 wrote to memory of 3724 2824 60068.exe 101 PID 3724 wrote to memory of 4460 3724 jdpjp.exe 102 PID 3724 wrote to memory of 4460 3724 jdpjp.exe 102 PID 3724 wrote to memory of 4460 3724 jdpjp.exe 102 PID 4460 wrote to memory of 1736 4460 02826.exe 103 PID 4460 wrote to memory of 1736 4460 02826.exe 103 PID 4460 wrote to memory of 1736 4460 02826.exe 103 PID 1736 wrote to memory of 4108 1736 rflfxrx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe"C:\Users\Admin\AppData\Local\Temp\86ce64183879b612c64af37bb9f348c7eb005f69c06bbccfc613f874dd6d1f84.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\4688226.exec:\4688226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\268228.exec:\268228.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\htbttt.exec:\htbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\06064.exec:\06064.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\242460.exec:\242460.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\hhnbnt.exec:\hhnbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\448226.exec:\448226.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\tbbthb.exec:\tbbthb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\e08860.exec:\e08860.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\9lllxlf.exec:\9lllxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\60040.exec:\60040.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\thbnth.exec:\thbnth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\bnnhbt.exec:\bnnhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\hnbttn.exec:\hnbttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\i442082.exec:\i442082.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\9hhnnn.exec:\9hhnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\5lllxfx.exec:\5lllxfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\60068.exec:\60068.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\jdpjp.exec:\jdpjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\02826.exec:\02826.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\rflfxrx.exec:\rflfxrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\62860.exec:\62860.exe23⤵
- Executes dropped EXE
PID:4108 -
\??\c:\626282.exec:\626282.exe24⤵
- Executes dropped EXE
PID:3660 -
\??\c:\28064.exec:\28064.exe25⤵
- Executes dropped EXE
PID:2200 -
\??\c:\bbbbtn.exec:\bbbbtn.exe26⤵
- Executes dropped EXE
PID:2900 -
\??\c:\bnbnbt.exec:\bnbnbt.exe27⤵
- Executes dropped EXE
PID:4988 -
\??\c:\042622.exec:\042622.exe28⤵
- Executes dropped EXE
PID:116 -
\??\c:\hnnhbt.exec:\hnnhbt.exe29⤵
- Executes dropped EXE
PID:3696 -
\??\c:\htbbtt.exec:\htbbtt.exe30⤵
- Executes dropped EXE
PID:876 -
\??\c:\ddppd.exec:\ddppd.exe31⤵
- Executes dropped EXE
PID:3632 -
\??\c:\jddpv.exec:\jddpv.exe32⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pvvdd.exec:\pvvdd.exe33⤵
- Executes dropped EXE
PID:2160 -
\??\c:\6460488.exec:\6460488.exe34⤵
- Executes dropped EXE
PID:4316 -
\??\c:\lrxrffx.exec:\lrxrffx.exe35⤵
- Executes dropped EXE
PID:1232 -
\??\c:\84608.exec:\84608.exe36⤵
- Executes dropped EXE
PID:1180 -
\??\c:\5lfxrrr.exec:\5lfxrrr.exe37⤵
- Executes dropped EXE
PID:4100 -
\??\c:\2226802.exec:\2226802.exe38⤵
- Executes dropped EXE
PID:2796 -
\??\c:\vjjdj.exec:\vjjdj.exe39⤵
- Executes dropped EXE
PID:3700 -
\??\c:\28082.exec:\28082.exe40⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pddjd.exec:\pddjd.exe41⤵
- Executes dropped EXE
PID:4732 -
\??\c:\8688442.exec:\8688442.exe42⤵
- Executes dropped EXE
PID:3192 -
\??\c:\242888.exec:\242888.exe43⤵
- Executes dropped EXE
PID:2944 -
\??\c:\6084020.exec:\6084020.exe44⤵
- Executes dropped EXE
PID:3172 -
\??\c:\3lfxxxx.exec:\3lfxxxx.exe45⤵
- Executes dropped EXE
PID:2232 -
\??\c:\c466660.exec:\c466660.exe46⤵
- Executes dropped EXE
PID:828 -
\??\c:\jjppj.exec:\jjppj.exe47⤵
- Executes dropped EXE
PID:4356 -
\??\c:\0800262.exec:\0800262.exe48⤵
- Executes dropped EXE
PID:4364 -
\??\c:\04288.exec:\04288.exe49⤵
- Executes dropped EXE
PID:2700 -
\??\c:\o626048.exec:\o626048.exe50⤵
- Executes dropped EXE
PID:2888 -
\??\c:\nnnnnn.exec:\nnnnnn.exe51⤵
- Executes dropped EXE
PID:4836 -
\??\c:\m4482.exec:\m4482.exe52⤵
- Executes dropped EXE
PID:1044 -
\??\c:\2804660.exec:\2804660.exe53⤵
- Executes dropped EXE
PID:1448 -
\??\c:\0688622.exec:\0688622.exe54⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vjdjp.exec:\vjdjp.exe55⤵
- Executes dropped EXE
PID:3996 -
\??\c:\rlxllrr.exec:\rlxllrr.exe56⤵
- Executes dropped EXE
PID:4484 -
\??\c:\08826.exec:\08826.exe57⤵
- Executes dropped EXE
PID:1488 -
\??\c:\rrlxlxf.exec:\rrlxlxf.exe58⤵
- Executes dropped EXE
PID:1664 -
\??\c:\088286.exec:\088286.exe59⤵
- Executes dropped EXE
PID:4084 -
\??\c:\202488.exec:\202488.exe60⤵
- Executes dropped EXE
PID:3140 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe61⤵
- Executes dropped EXE
PID:5020 -
\??\c:\flrfxrl.exec:\flrfxrl.exe62⤵
- Executes dropped EXE
PID:4676 -
\??\c:\hbhbbt.exec:\hbhbbt.exe63⤵
- Executes dropped EXE
PID:2696 -
\??\c:\ppvpj.exec:\ppvpj.exe64⤵
- Executes dropped EXE
PID:4952 -
\??\c:\8022222.exec:\8022222.exe65⤵
- Executes dropped EXE
PID:1412 -
\??\c:\068682.exec:\068682.exe66⤵PID:3504
-
\??\c:\42482.exec:\42482.exe67⤵PID:2912
-
\??\c:\nhtnhh.exec:\nhtnhh.exe68⤵PID:3180
-
\??\c:\httbhh.exec:\httbhh.exe69⤵PID:2144
-
\??\c:\2842640.exec:\2842640.exe70⤵PID:3196
-
\??\c:\624482.exec:\624482.exe71⤵PID:2928
-
\??\c:\480444.exec:\480444.exe72⤵PID:632
-
\??\c:\rflllll.exec:\rflllll.exe73⤵PID:3528
-
\??\c:\262222.exec:\262222.exe74⤵PID:3644
-
\??\c:\862824.exec:\862824.exe75⤵PID:4144
-
\??\c:\26288.exec:\26288.exe76⤵PID:2440
-
\??\c:\lfrlrrl.exec:\lfrlrrl.exe77⤵PID:1536
-
\??\c:\224826.exec:\224826.exe78⤵PID:2436
-
\??\c:\k64820.exec:\k64820.exe79⤵PID:2236
-
\??\c:\2684468.exec:\2684468.exe80⤵PID:3448
-
\??\c:\26262.exec:\26262.exe81⤵PID:5100
-
\??\c:\bthbbb.exec:\bthbbb.exe82⤵PID:2592
-
\??\c:\5vjdd.exec:\5vjdd.exe83⤵PID:2576
-
\??\c:\fffxffl.exec:\fffxffl.exe84⤵PID:5080
-
\??\c:\vdpjj.exec:\vdpjj.exe85⤵PID:216
-
\??\c:\00660.exec:\00660.exe86⤵PID:228
-
\??\c:\pjvdv.exec:\pjvdv.exe87⤵PID:3312
-
\??\c:\628604.exec:\628604.exe88⤵PID:700
-
\??\c:\ppppj.exec:\ppppj.exe89⤵
- System Location Discovery: System Language Discovery
PID:4272 -
\??\c:\2848882.exec:\2848882.exe90⤵PID:2368
-
\??\c:\lfrfxxx.exec:\lfrfxxx.exe91⤵PID:3632
-
\??\c:\pdjvp.exec:\pdjvp.exe92⤵PID:4692
-
\??\c:\8484004.exec:\8484004.exe93⤵PID:2164
-
\??\c:\thbtnn.exec:\thbtnn.exe94⤵PID:2488
-
\??\c:\tbnhhh.exec:\tbnhhh.exe95⤵PID:5084
-
\??\c:\8284844.exec:\8284844.exe96⤵PID:2676
-
\??\c:\hbtbhh.exec:\hbtbhh.exe97⤵PID:2616
-
\??\c:\jvddd.exec:\jvddd.exe98⤵PID:2920
-
\??\c:\w40048.exec:\w40048.exe99⤵PID:4556
-
\??\c:\lffxxxr.exec:\lffxxxr.exe100⤵PID:3960
-
\??\c:\0682660.exec:\0682660.exe101⤵PID:2040
-
\??\c:\jjjdd.exec:\jjjdd.exe102⤵PID:4732
-
\??\c:\80220.exec:\80220.exe103⤵PID:1392
-
\??\c:\tnbntn.exec:\tnbntn.exe104⤵PID:4340
-
\??\c:\484262.exec:\484262.exe105⤵PID:4772
-
\??\c:\ttnhbt.exec:\ttnhbt.exe106⤵PID:4968
-
\??\c:\640440.exec:\640440.exe107⤵PID:2608
-
\??\c:\8248444.exec:\8248444.exe108⤵PID:1500
-
\??\c:\bbhhbb.exec:\bbhhbb.exe109⤵PID:4452
-
\??\c:\hhnhbb.exec:\hhnhbb.exe110⤵PID:1556
-
\??\c:\vdjvp.exec:\vdjvp.exe111⤵PID:3648
-
\??\c:\tnnttt.exec:\tnnttt.exe112⤵PID:688
-
\??\c:\5rfrrff.exec:\5rfrrff.exe113⤵PID:4808
-
\??\c:\84000.exec:\84000.exe114⤵PID:3664
-
\??\c:\088644.exec:\088644.exe115⤵PID:1620
-
\??\c:\vvddj.exec:\vvddj.exe116⤵PID:4504
-
\??\c:\frxrlfx.exec:\frxrlfx.exe117⤵
- System Location Discovery: System Language Discovery
PID:4776 -
\??\c:\vppdv.exec:\vppdv.exe118⤵PID:4484
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe119⤵PID:4696
-
\??\c:\644666.exec:\644666.exe120⤵PID:4756
-
\??\c:\lffxrrl.exec:\lffxrrl.exe121⤵PID:3420
-
\??\c:\226488.exec:\226488.exe122⤵PID:4320