Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:48
Static task
static1
1 signatures
Behavioral task
behavioral1 (note: the signature hits and process tree shown below are all labelled behavioral2, and the Analysis header lists the windows10-2004_x64 / win10v2004-20241007-en image, so this task entry appears to describe a sibling Windows 7 run rather than the results displayed on this page)
Sample
a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe
-
Size
454KB
-
MD5
f8f6ec6fadaf04363fd0418180be5de2
-
SHA1
38e5b815fa41c5809c14e98a5ea577ed524661a9
-
SHA256
a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c
-
SHA512
99f2e9b4e8db08abe7a1ee59ae39871863bbb04fbeed8799f1883d242791492bfd60470878c1c52152775ce3ffa86452df8cac4d92c581e16358543a7d877e82
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/964-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1380-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4972-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-983-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-1110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-1303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-1349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1788-1455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1360 9tbntt.exe 3556 bnthnh.exe 1068 jddpv.exe 2056 frlfffx.exe 4132 tnhtnh.exe 3940 vvpjp.exe 1116 bbtnnt.exe 1696 fxxrllf.exe 2736 9jpjd.exe 2724 pjjjd.exe 3716 thhbnn.exe 1800 5lxfxxr.exe 2948 vvdjd.exe 4464 nbbthh.exe 2516 ddvpp.exe 4644 nnttbt.exe 4804 lrxrlxr.exe 2920 ddvpd.exe 3468 rfrxrrr.exe 1788 hbbtnh.exe 5008 1fxlffx.exe 2768 httnbt.exe 4160 vjdvp.exe 4676 pjdvd.exe 3880 nntntn.exe 3284 llrlfff.exe 3064 xffxllf.exe 1380 xlrrlxr.exe 548 bnhtnh.exe 4016 5jpjj.exe 2128 bttnnn.exe 1924 jpvpj.exe 3720 3vvjd.exe 4240 rrrfxrl.exe 2044 ntbbtt.exe 1376 pvvpd.exe 3532 dvdpd.exe 3384 lfflffx.exe 4344 bthbnn.exe 452 frlxffl.exe 4700 ttthbn.exe 4560 btbttn.exe 3556 rflllll.exe 3512 bhhbhh.exe 380 tnnnhn.exe 2056 jvddv.exe 4584 9xxlffx.exe 4520 3ttnhb.exe 4132 nnnbhh.exe 4300 vpvjd.exe 1980 rxfrxxr.exe 2792 hbbthb.exe 3016 pjjdv.exe 2060 3rrlffx.exe 828 rxrxlfx.exe 1996 htthbt.exe 1696 vdvjd.exe 1532 xlllfxr.exe 1608 nntbtt.exe 3492 1jddj.exe 1388 dpjdp.exe 1632 9ttnhh.exe 3224 hhbtnh.exe 3916 jpdvp.exe -
resource yara_rule behavioral2/memory/964-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/548-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3944-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-907-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by opening the NLS\Language registry key) in order to infer its geographical location. Most of the key reads below are attributed to "Process not Found", which presumably means the sandbox could not map the event back to a live process at the time it was recorded — the dropped executables in this chain each spawn the next and exit quickly — so the per-process attribution here should be treated as incomplete rather than as evidence that only the named processes performed the check.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 964 wrote to memory of 1360 964 a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe 83 PID 964 wrote to memory of 1360 964 a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe 83 PID 964 wrote to memory of 1360 964 a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe 83 PID 1360 wrote to memory of 3556 1360 9tbntt.exe 84 PID 1360 wrote to memory of 3556 1360 9tbntt.exe 84 PID 1360 wrote to memory of 3556 1360 9tbntt.exe 84 PID 3556 wrote to memory of 1068 3556 bnthnh.exe 85 PID 3556 wrote to memory of 1068 3556 bnthnh.exe 85 PID 3556 wrote to memory of 1068 3556 bnthnh.exe 85 PID 1068 wrote to memory of 2056 1068 jddpv.exe 86 PID 1068 wrote to memory of 2056 1068 jddpv.exe 86 PID 1068 wrote to memory of 2056 1068 jddpv.exe 86 PID 2056 wrote to memory of 4132 2056 frlfffx.exe 87 PID 2056 wrote to memory of 4132 2056 frlfffx.exe 87 PID 2056 wrote to memory of 4132 2056 frlfffx.exe 87 PID 4132 wrote to memory of 3940 4132 tnhtnh.exe 88 PID 4132 wrote to memory of 3940 4132 tnhtnh.exe 88 PID 4132 wrote to memory of 3940 4132 tnhtnh.exe 88 PID 3940 wrote to memory of 1116 3940 vvpjp.exe 89 PID 3940 wrote to memory of 1116 3940 vvpjp.exe 89 PID 3940 wrote to memory of 1116 3940 vvpjp.exe 89 PID 1116 wrote to memory of 1696 1116 bbtnnt.exe 90 PID 1116 wrote to memory of 1696 1116 bbtnnt.exe 90 PID 1116 wrote to memory of 1696 1116 bbtnnt.exe 90 PID 1696 wrote to memory of 2736 1696 fxxrllf.exe 91 PID 1696 wrote to memory of 2736 1696 fxxrllf.exe 91 PID 1696 wrote to memory of 2736 1696 fxxrllf.exe 91 PID 2736 wrote to memory of 2724 2736 9jpjd.exe 92 PID 2736 wrote to memory of 2724 2736 9jpjd.exe 92 PID 2736 wrote to memory of 2724 2736 9jpjd.exe 92 PID 2724 wrote to memory of 3716 2724 pjjjd.exe 93 PID 2724 wrote to memory of 3716 2724 pjjjd.exe 93 PID 2724 wrote to memory of 3716 2724 pjjjd.exe 93 PID 3716 wrote to memory of 1800 3716 thhbnn.exe 94 PID 3716 wrote to memory of 
1800 3716 thhbnn.exe 94 PID 3716 wrote to memory of 1800 3716 thhbnn.exe 94 PID 1800 wrote to memory of 2948 1800 5lxfxxr.exe 95 PID 1800 wrote to memory of 2948 1800 5lxfxxr.exe 95 PID 1800 wrote to memory of 2948 1800 5lxfxxr.exe 95 PID 2948 wrote to memory of 4464 2948 vvdjd.exe 96 PID 2948 wrote to memory of 4464 2948 vvdjd.exe 96 PID 2948 wrote to memory of 4464 2948 vvdjd.exe 96 PID 4464 wrote to memory of 2516 4464 nbbthh.exe 97 PID 4464 wrote to memory of 2516 4464 nbbthh.exe 97 PID 4464 wrote to memory of 2516 4464 nbbthh.exe 97 PID 2516 wrote to memory of 4644 2516 ddvpp.exe 98 PID 2516 wrote to memory of 4644 2516 ddvpp.exe 98 PID 2516 wrote to memory of 4644 2516 ddvpp.exe 98 PID 4644 wrote to memory of 4804 4644 nnttbt.exe 99 PID 4644 wrote to memory of 4804 4644 nnttbt.exe 99 PID 4644 wrote to memory of 4804 4644 nnttbt.exe 99 PID 4804 wrote to memory of 2920 4804 lrxrlxr.exe 100 PID 4804 wrote to memory of 2920 4804 lrxrlxr.exe 100 PID 4804 wrote to memory of 2920 4804 lrxrlxr.exe 100 PID 2920 wrote to memory of 3468 2920 ddvpd.exe 101 PID 2920 wrote to memory of 3468 2920 ddvpd.exe 101 PID 2920 wrote to memory of 3468 2920 ddvpd.exe 101 PID 3468 wrote to memory of 1788 3468 rfrxrrr.exe 102 PID 3468 wrote to memory of 1788 3468 rfrxrrr.exe 102 PID 3468 wrote to memory of 1788 3468 rfrxrrr.exe 102 PID 1788 wrote to memory of 5008 1788 hbbtnh.exe 103 PID 1788 wrote to memory of 5008 1788 hbbtnh.exe 103 PID 1788 wrote to memory of 5008 1788 hbbtnh.exe 103 PID 5008 wrote to memory of 2768 5008 1fxlffx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe"C:\Users\Admin\AppData\Local\Temp\a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\9tbntt.exec:\9tbntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\bnthnh.exec:\bnthnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\jddpv.exec:\jddpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\frlfffx.exec:\frlfffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\tnhtnh.exec:\tnhtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\vvpjp.exec:\vvpjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\bbtnnt.exec:\bbtnnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\fxxrllf.exec:\fxxrllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\9jpjd.exec:\9jpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\pjjjd.exec:\pjjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\thhbnn.exec:\thhbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\5lxfxxr.exec:\5lxfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\vvdjd.exec:\vvdjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\nbbthh.exec:\nbbthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\ddvpp.exec:\ddvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\nnttbt.exec:\nnttbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\lrxrlxr.exec:\lrxrlxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\ddvpd.exec:\ddvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\rfrxrrr.exec:\rfrxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\hbbtnh.exec:\hbbtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\1fxlffx.exec:\1fxlffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\httnbt.exec:\httnbt.exe23⤵
- Executes dropped EXE
PID:2768 -
\??\c:\vjdvp.exec:\vjdvp.exe24⤵
- Executes dropped EXE
PID:4160 -
\??\c:\pjdvd.exec:\pjdvd.exe25⤵
- Executes dropped EXE
PID:4676 -
\??\c:\nntntn.exec:\nntntn.exe26⤵
- Executes dropped EXE
PID:3880 -
\??\c:\llrlfff.exec:\llrlfff.exe27⤵
- Executes dropped EXE
PID:3284 -
\??\c:\xffxllf.exec:\xffxllf.exe28⤵
- Executes dropped EXE
PID:3064 -
\??\c:\xlrrlxr.exec:\xlrrlxr.exe29⤵
- Executes dropped EXE
PID:1380 -
\??\c:\bnhtnh.exec:\bnhtnh.exe30⤵
- Executes dropped EXE
PID:548 -
\??\c:\5jpjj.exec:\5jpjj.exe31⤵
- Executes dropped EXE
PID:4016 -
\??\c:\bttnnn.exec:\bttnnn.exe32⤵
- Executes dropped EXE
PID:2128 -
\??\c:\jpvpj.exec:\jpvpj.exe33⤵
- Executes dropped EXE
PID:1924 -
\??\c:\3vvjd.exec:\3vvjd.exe34⤵
- Executes dropped EXE
PID:3720 -
\??\c:\rrrfxrl.exec:\rrrfxrl.exe35⤵
- Executes dropped EXE
PID:4240 -
\??\c:\ntbbtt.exec:\ntbbtt.exe36⤵
- Executes dropped EXE
PID:2044 -
\??\c:\pvvpd.exec:\pvvpd.exe37⤵
- Executes dropped EXE
PID:1376 -
\??\c:\dvdpd.exec:\dvdpd.exe38⤵
- Executes dropped EXE
PID:3532 -
\??\c:\lfflffx.exec:\lfflffx.exe39⤵
- Executes dropped EXE
PID:3384 -
\??\c:\bthbnn.exec:\bthbnn.exe40⤵
- Executes dropped EXE
PID:4344 -
\??\c:\frlxffl.exec:\frlxffl.exe41⤵
- Executes dropped EXE
PID:452 -
\??\c:\ttthbn.exec:\ttthbn.exe42⤵
- Executes dropped EXE
PID:4700 -
\??\c:\btbttn.exec:\btbttn.exe43⤵
- Executes dropped EXE
PID:4560 -
\??\c:\rflllll.exec:\rflllll.exe44⤵
- Executes dropped EXE
PID:3556 -
\??\c:\bhhbhh.exec:\bhhbhh.exe45⤵
- Executes dropped EXE
PID:3512 -
\??\c:\tnnnhn.exec:\tnnnhn.exe46⤵
- Executes dropped EXE
PID:380 -
\??\c:\jvddv.exec:\jvddv.exe47⤵
- Executes dropped EXE
PID:2056 -
\??\c:\9xxlffx.exec:\9xxlffx.exe48⤵
- Executes dropped EXE
PID:4584 -
\??\c:\3ttnhb.exec:\3ttnhb.exe49⤵
- Executes dropped EXE
PID:4520 -
\??\c:\nnnbhh.exec:\nnnbhh.exe50⤵
- Executes dropped EXE
PID:4132 -
\??\c:\vpvjd.exec:\vpvjd.exe51⤵
- Executes dropped EXE
PID:4300 -
\??\c:\rxfrxxr.exec:\rxfrxxr.exe52⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hbbthb.exec:\hbbthb.exe53⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pjjdv.exec:\pjjdv.exe54⤵
- Executes dropped EXE
PID:3016 -
\??\c:\3rrlffx.exec:\3rrlffx.exe55⤵
- Executes dropped EXE
PID:2060 -
\??\c:\rxrxlfx.exec:\rxrxlfx.exe56⤵
- Executes dropped EXE
PID:828 -
\??\c:\htthbt.exec:\htthbt.exe57⤵
- Executes dropped EXE
PID:1996 -
\??\c:\vdvjd.exec:\vdvjd.exe58⤵
- Executes dropped EXE
PID:1696 -
\??\c:\xlllfxr.exec:\xlllfxr.exe59⤵
- Executes dropped EXE
PID:1532 -
\??\c:\nntbtt.exec:\nntbtt.exe60⤵
- Executes dropped EXE
PID:1608 -
\??\c:\1jddj.exec:\1jddj.exe61⤵
- Executes dropped EXE
PID:3492 -
\??\c:\dpjdp.exec:\dpjdp.exe62⤵
- Executes dropped EXE
PID:1388 -
\??\c:\9ttnhh.exec:\9ttnhh.exe63⤵
- Executes dropped EXE
PID:1632 -
\??\c:\hhbtnh.exec:\hhbtnh.exe64⤵
- Executes dropped EXE
PID:3224 -
\??\c:\jpdvp.exec:\jpdvp.exe65⤵
- Executes dropped EXE
PID:3916 -
\??\c:\frxlflf.exec:\frxlflf.exe66⤵PID:2924
-
\??\c:\tntthh.exec:\tntthh.exe67⤵PID:1620
-
\??\c:\1dppj.exec:\1dppj.exe68⤵
- System Location Discovery: System Language Discovery
PID:5116 -
\??\c:\rrrrlrf.exec:\rrrrlrf.exe69⤵PID:4696
-
\??\c:\1rrrrrr.exec:\1rrrrrr.exe70⤵PID:4208
-
\??\c:\htbtnn.exec:\htbtnn.exe71⤵PID:4664
-
\??\c:\pddvj.exec:\pddvj.exe72⤵PID:3436
-
\??\c:\llrrxrr.exec:\llrrxrr.exe73⤵PID:1196
-
\??\c:\ntbttn.exec:\ntbttn.exe74⤵PID:2292
-
\??\c:\vvddv.exec:\vvddv.exe75⤵PID:1988
-
\??\c:\7vppj.exec:\7vppj.exe76⤵PID:2900
-
\??\c:\llllllf.exec:\llllllf.exe77⤵PID:4972
-
\??\c:\9nhbtt.exec:\9nhbtt.exe78⤵PID:2256
-
\??\c:\5jvvp.exec:\5jvvp.exe79⤵PID:2092
-
\??\c:\vjvpv.exec:\vjvpv.exe80⤵PID:3304
-
\??\c:\rxrxlxl.exec:\rxrxlxl.exe81⤵PID:464
-
\??\c:\bttbnn.exec:\bttbnn.exe82⤵PID:1912
-
\??\c:\dppjp.exec:\dppjp.exe83⤵PID:1256
-
\??\c:\lflxlfx.exec:\lflxlfx.exe84⤵PID:2568
-
\??\c:\7bbbth.exec:\7bbbth.exe85⤵PID:5052
-
\??\c:\djppd.exec:\djppd.exe86⤵PID:3944
-
\??\c:\9xxrfxr.exec:\9xxrfxr.exe87⤵PID:4944
-
\??\c:\fxlfrxr.exec:\fxlfrxr.exe88⤵PID:4852
-
\??\c:\thbhbt.exec:\thbhbt.exe89⤵PID:2448
-
\??\c:\jdvpp.exec:\jdvpp.exe90⤵PID:3696
-
\??\c:\9lrlffx.exec:\9lrlffx.exe91⤵PID:4572
-
\??\c:\rllfrlf.exec:\rllfrlf.exe92⤵PID:2404
-
\??\c:\tnbnhh.exec:\tnbnhh.exe93⤵PID:5012
-
\??\c:\5vdvj.exec:\5vdvj.exe94⤵PID:3068
-
\??\c:\rrxrfxr.exec:\rrxrfxr.exe95⤵PID:1516
-
\??\c:\xfrlffx.exec:\xfrlffx.exe96⤵PID:5068
-
\??\c:\bttnnb.exec:\bttnnb.exe97⤵PID:4388
-
\??\c:\pjpvp.exec:\pjpvp.exe98⤵PID:3968
-
\??\c:\9ppjj.exec:\9ppjj.exe99⤵PID:1276
-
\??\c:\3lfxrrx.exec:\3lfxrrx.exe100⤵PID:5100
-
\??\c:\hbnhtt.exec:\hbnhtt.exe101⤵PID:4368
-
\??\c:\pjddv.exec:\pjddv.exe102⤵PID:372
-
\??\c:\lxxrllx.exec:\lxxrllx.exe103⤵PID:2688
-
\??\c:\bnhbnh.exec:\bnhbnh.exe104⤵PID:2148
-
\??\c:\bntntt.exec:\bntntt.exe105⤵PID:4088
-
\??\c:\jjjdd.exec:\jjjdd.exe106⤵PID:4560
-
\??\c:\rffxrlf.exec:\rffxrlf.exe107⤵PID:1604
-
\??\c:\7tnhbb.exec:\7tnhbb.exe108⤵PID:5056
-
\??\c:\jddvp.exec:\jddvp.exe109⤵PID:1356
-
\??\c:\rllxrlx.exec:\rllxrlx.exe110⤵PID:2028
-
\??\c:\fxlxfxf.exec:\fxlxfxf.exe111⤵PID:2436
-
\??\c:\7hntnt.exec:\7hntnt.exe112⤵PID:3132
-
\??\c:\7bttnh.exec:\7bttnh.exe113⤵PID:1744
-
\??\c:\dpdvj.exec:\dpdvj.exe114⤵PID:3812
-
\??\c:\llffxfl.exec:\llffxfl.exe115⤵PID:3316
-
\??\c:\1thhhh.exec:\1thhhh.exe116⤵PID:1116
-
\??\c:\pdjdd.exec:\pdjdd.exe117⤵PID:4832
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe118⤵PID:2440
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe119⤵PID:1576
-
\??\c:\htbtnn.exec:\htbtnn.exe120⤵PID:4824
-
\??\c:\dvjdp.exec:\dvjdp.exe121⤵PID:1572
-
\??\c:\vjpjp.exec:\vjpjp.exe122⤵PID:3776
-