Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2024, 22:06
Static task: static1
Behavioral task: behavioral1
Sample: 805f18e19464015ea5b53754323ffb0c29223bf207f3baab3cfa6d550262539d.exe
Resource: win7-20240903-en
General
- Target: 805f18e19464015ea5b53754323ffb0c29223bf207f3baab3cfa6d550262539d.exe
- Size: 453KB
- MD5: ba378280d904c62c413b1ac2b556d513
- SHA1: 7db4943db0f761d760a43ed3dc5e19f3f9be596e
- SHA256: 805f18e19464015ea5b53754323ffb0c29223bf207f3baab3cfa6d550262539d
- SHA512: 18142bdd0ca43219ce0bcf84c245eef3ec09294938175604c3993eafa1a6ea563c4be576d73ba1720e84a26b60a874fc937f3abff0cb5dae88a946bf1e7bbc21
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (63 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each entry: depth in the process tree, image path (command line), PID, then the signatures matched by that process)
1. C:\Users\Admin\AppData\Local\Temp\805f18e19464015ea5b53754323ffb0c29223bf207f3baab3cfa6d550262539d.exe ("C:\Users\Admin\AppData\Local\Temp\805f18e19464015ea5b53754323ffb0c29223bf207f3baab3cfa6d550262539d.exe"), PID 4764: Suspicious use of WriteProcessMemory
2. \??\c:\tnnhbt.exe (c:\tnnhbt.exe), PID 3268: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\rflffxr.exe (c:\rflffxr.exe), PID 1480: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\hbhhhh.exe (c:\hbhhhh.exe), PID 1172: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\rlrrlll.exe (c:\rlrrlll.exe), PID 2244: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\jjpjv.exe (c:\jjpjv.exe), PID 1240: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\rfrlxrr.exe (c:\rfrlxrr.exe), PID 3020: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\jvvjv.exe (c:\jvvjv.exe), PID 764: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\bhnnhn.exe (c:\bhnnhn.exe), PID 1592: Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\pvpvp.exe (c:\pvpvp.exe), PID 4904: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\hbnbtt.exe (c:\hbnbtt.exe), PID 4548: Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\frxlfxr.exe (c:\frxlfxr.exe), PID 2960: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\llxxlxr.exe (c:\llxxlxr.exe), PID 2148: Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\ntbtnn.exe (c:\ntbtnn.exe), PID 2216: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\dvvdv.exe (c:\dvvdv.exe), PID 2408: Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\lfxrlrr.exe (c:\lfxrlrr.exe), PID 804: Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\7bhbhh.exe (c:\7bhbhh.exe), PID 2004: Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\5thbhh.exe (c:\5thbhh.exe), PID 3220: Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\dvjdj.exe (c:\dvjdj.exe), PID 380: Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\5djdv.exe (c:\5djdv.exe), PID 2640: Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\vdppj.exe (c:\vdppj.exe), PID 2892: Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\hhbhtt.exe (c:\hhbhtt.exe), PID 4440: Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\hthbbb.exe (c:\hthbbb.exe), PID 3688: Executes dropped EXE
24. \??\c:\9pjvj.exe (c:\9pjvj.exe), PID 4696: Executes dropped EXE
25. \??\c:\xllrlxl.exe (c:\xllrlxl.exe), PID 3300: Executes dropped EXE
26. \??\c:\9dvvp.exe (c:\9dvvp.exe), PID 1300: Executes dropped EXE
27. \??\c:\fxfrrll.exe (c:\fxfrrll.exe), PID 2576: Executes dropped EXE
28. \??\c:\bnhthb.exe (c:\bnhthb.exe), PID 3316: Executes dropped EXE
29. \??\c:\pdddp.exe (c:\pdddp.exe), PID 2820: Executes dropped EXE
30. \??\c:\xxflxrl.exe (c:\xxflxrl.exe), PID 1008: Executes dropped EXE
31. \??\c:\hnttbb.exe (c:\hnttbb.exe), PID 2728: Executes dropped EXE
32. \??\c:\pddpd.exe (c:\pddpd.exe), PID 3880: Executes dropped EXE
33. \??\c:\lxlxrlx.exe (c:\lxlxrlx.exe), PID 4364: Executes dropped EXE
34. \??\c:\pjpdp.exe (c:\pjpdp.exe), PID 2896: Executes dropped EXE
35. \??\c:\xlxxrfx.exe (c:\xlxxrfx.exe), PID 4848: Executes dropped EXE
36. \??\c:\dpjvd.exe (c:\dpjvd.exe), PID 4456: Executes dropped EXE
37. \??\c:\5bnnhh.exe (c:\5bnnhh.exe), PID 4584: Executes dropped EXE
38. \??\c:\pdjdp.exe (c:\pdjdp.exe), PID 4740: Executes dropped EXE
39. \??\c:\rlfxrrr.exe (c:\rlfxrrr.exe), PID 2204: Executes dropped EXE
40. \??\c:\bnbnhb.exe (c:\bnbnhb.exe), PID 4240: Executes dropped EXE
41. \??\c:\jvjpd.exe (c:\jvjpd.exe), PID 2944: Executes dropped EXE
42. \??\c:\1llfxxr.exe (c:\1llfxxr.exe), PID 4392: Executes dropped EXE
43. \??\c:\rrfxrff.exe (c:\rrfxrff.exe), PID 4908: Executes dropped EXE
44. \??\c:\thnhhb.exe (c:\thnhhb.exe), PID 3896: Executes dropped EXE
45. \??\c:\jvvjv.exe (c:\jvvjv.exe), PID 3952: Executes dropped EXE
46. \??\c:\llrrlrl.exe (c:\llrrlrl.exe), PID 2584: Executes dropped EXE
47. \??\c:\7hnhhh.exe (c:\7hnhhh.exe), PID 1832
48. \??\c:\ntbhht.exe (c:\ntbhht.exe), PID 4228: Executes dropped EXE
49. \??\c:\vjjvp.exe (c:\vjjvp.exe), PID 1428: Executes dropped EXE
50. \??\c:\frrfxrf.exe (c:\frrfxrf.exe), PID 4832: Executes dropped EXE
51. \??\c:\1ffrlfx.exe (c:\1ffrlfx.exe), PID 1480: Executes dropped EXE
52. \??\c:\5bhbnn.exe (c:\5bhbnn.exe), PID 3808: Executes dropped EXE
53. \??\c:\jjpjv.exe (c:\jjpjv.exe), PID 2980: Executes dropped EXE
54. \??\c:\dvjjv.exe (c:\dvjjv.exe), PID 2232: Executes dropped EXE
55. \??\c:\rflxllx.exe (c:\rflxllx.exe), PID 2628: Executes dropped EXE
56. \??\c:\nthbbb.exe (c:\nthbbb.exe), PID 1176: Executes dropped EXE
57. \??\c:\7tbhtn.exe (c:\7tbhtn.exe), PID 3020: Executes dropped EXE
58. \??\c:\jvjvd.exe (c:\jvjvd.exe), PID 4316: Executes dropped EXE
59. \??\c:\xlllffx.exe (c:\xlllffx.exe), PID 3376: Executes dropped EXE
60. \??\c:\7hbthb.exe (c:\7hbthb.exe), PID 3412: Executes dropped EXE
61. \??\c:\pdjvj.exe (c:\pdjvj.exe), PID 4448: Executes dropped EXE
62. \??\c:\fxlfllr.exe (c:\fxlfllr.exe), PID 4580: Executes dropped EXE
63. \??\c:\rllxrll.exe (c:\rllxrll.exe), PID 964: Executes dropped EXE
64. \??\c:\thnhtb.exe (c:\thnhtb.exe), PID 1872: Executes dropped EXE
65. \??\c:\3jdpd.exe (c:\3jdpd.exe), PID 2260: Executes dropped EXE
66. \??\c:\frlflfr.exe (c:\frlflfr.exe), PID 2032: Executes dropped EXE
67. \??\c:\5ththn.exe (c:\5ththn.exe), PID 1652
68. \??\c:\djpdd.exe (c:\djpdd.exe), PID 376
69. \??\c:\vdjvv.exe (c:\vdjvv.exe), PID 2356
70. \??\c:\1ffrffr.exe (c:\1ffrffr.exe), PID 3120
71. \??\c:\xllxxrl.exe (c:\xllxxrl.exe), PID 5028
72. \??\c:\httnbt.exe (c:\httnbt.exe), PID 3320
73. \??\c:\1pvjd.exe (c:\1pvjd.exe), PID 1840
74. \??\c:\fffxlrr.exe (c:\fffxlrr.exe), PID 4260
75. \??\c:\hbhttt.exe (c:\hbhttt.exe), PID 2228
76. \??\c:\nnbhbt.exe (c:\nnbhbt.exe), PID 2872
77. \??\c:\5ppdp.exe (c:\5ppdp.exe), PID 4412: System Location Discovery: System Language Discovery
78. \??\c:\5ffrllx.exe (c:\5ffrllx.exe), PID 216
79. \??\c:\5flfxfx.exe (c:\5flfxfx.exe), PID 4728
80. \??\c:\7bnbbt.exe (c:\7bnbbt.exe), PID 4868
81. \??\c:\pdpjv.exe (c:\pdpjv.exe), PID 3328
82. \??\c:\7rfrrll.exe (c:\7rfrrll.exe), PID 4980
83. \??\c:\1fflxfx.exe (c:\1fflxfx.exe), PID 4712
84. \??\c:\3hnnhh.exe (c:\3hnnhh.exe), PID 3336
85. \??\c:\vpdpp.exe (c:\vpdpp.exe), PID 448
86. \??\c:\7xrfxrl.exe (c:\7xrfxrl.exe), PID 4004
87. \??\c:\nttnbt.exe (c:\nttnbt.exe), PID 3944
88. \??\c:\nthbtb.exe (c:\nthbtb.exe), PID 2160
89. \??\c:\jvjvv.exe (c:\jvjvv.exe), PID 1276
90. \??\c:\3lrfffr.exe (c:\3lrfffr.exe), PID 1700
91. \??\c:\tttnht.exe (c:\tttnht.exe), PID 1900
92. \??\c:\ntthth.exe (c:\ntthth.exe), PID 1184
93. \??\c:\pddvd.exe (c:\pddvd.exe), PID 2708
94. \??\c:\xrffrrl.exe (c:\xrffrrl.exe), PID 2296
95. \??\c:\tnbhth.exe (c:\tnbhth.exe), PID 4848
96. \??\c:\ppjdv.exe (c:\ppjdv.exe), PID 4456
97. \??\c:\pjvjj.exe (c:\pjvjj.exe), PID 2436
98. \??\c:\xxxrfxl.exe (c:\xxxrfxl.exe), PID 2956
99. \??\c:\bbnbtn.exe (c:\bbnbtn.exe), PID 4196
100. \??\c:\jdpdp.exe (c:\jdpdp.exe), PID 4804
101. \??\c:\jvjvv.exe (c:\jvjvv.exe), PID 1500
102. \??\c:\7xxxllx.exe (c:\7xxxllx.exe), PID 4892
103. \??\c:\bnnthb.exe (c:\bnnthb.exe), PID 4940
104. \??\c:\7jpdp.exe (c:\7jpdp.exe), PID 1528
105. \??\c:\9lrfxrf.exe (c:\9lrfxrf.exe), PID 2920
106. \??\c:\nnhbnh.exe (c:\nnhbnh.exe), PID 4332
107. \??\c:\pjjdp.exe (c:\pjjdp.exe), PID 2460
108. \??\c:\1vjdd.exe (c:\1vjdd.exe), PID 3092
109. \??\c:\frxrrrl.exe (c:\frxrrrl.exe), PID 3904
110. \??\c:\hntnbt.exe (c:\hntnbt.exe), PID 3512
111. \??\c:\vvdjd.exe (c:\vvdjd.exe), PID 5036
112. \??\c:\jvvjp.exe (c:\jvvjp.exe), PID 2724
113. \??\c:\xlrfrfr.exe (c:\xlrfrfr.exe), PID 1132
114. \??\c:\lfffrxl.exe (c:\lfffrxl.exe), PID 1240
115. \??\c:\btthbt.exe (c:\btthbt.exe), PID 3128
116. \??\c:\pdpjj.exe (c:\pdpjj.exe), PID 316
117. \??\c:\1flxrfx.exe (c:\1flxrfx.exe), PID 3868
118. \??\c:\xflxlfr.exe (c:\xflxlfr.exe), PID 1680
119. \??\c:\jjvdd.exe (c:\jjvdd.exe), PID 3380
120. \??\c:\dpjjv.exe (c:\dpjjv.exe), PID 2732
121. \??\c:\lrrflfr.exe (c:\lrrflfr.exe), PID 2796
122. \??\c:\hbnhnh.exe (c:\hbnhnh.exe), PID 1672