Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 03:26
Static task
static1
Behavioral task
behavioral1
Sample
3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe
Resource
win7-20240903-en
General
-
Target
3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe
-
Size
453KB
-
MD5
b70d25eed3d9ed33864f62e5090b2583
-
SHA1
a31aa27f72b9f48c7e80ea5dac32f99653c35063
-
SHA256
3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568
-
SHA512
65b962fa8f481d7867f1a7cc9e46f170b1a68b87c1ba7ab482360dc190041c8e997d8cd807b3e092ad8395dc1762226512737c7799691ffd60bec999b5b8cd69
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/336-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4844-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2700-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-1149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 336 lflrlll.exe 4692 1bthtt.exe 2556 bbbnbt.exe 2692 ffxrlfx.exe 2832 9ppvj.exe 3640 vvpjj.exe 2108 jjpjd.exe 1852 jdvpj.exe 680 ththtn.exe 5056 7vpdp.exe 2956 pvpjj.exe 2148 rxffrlf.exe 2340 nbhbtt.exe 3084 pjjdp.exe 4256 ththbt.exe 4820 bnhhbt.exe 3920 vjjjv.exe 3052 5flfxxr.exe 208 tnttht.exe 2476 vpvvp.exe 1632 3lllxxx.exe 2384 xllflff.exe 2648 btbtbb.exe 1152 jppjd.exe 3960 jvdvp.exe 856 lxxrllf.exe 1220 tnnhbt.exe 3404 vpvpj.exe 1808 dvvpj.exe 4912 3rlfxxr.exe 2488 xfrrlll.exe 3888 hbnbhh.exe 3892 jddvp.exe 2308 vjvpp.exe 4764 xflfxrr.exe 428 nbbtnh.exe 4716 bthhnn.exe 4232 7ddjd.exe 4844 pjvpv.exe 1588 fflffff.exe 2320 nhnhbt.exe 4620 3tttnn.exe 4736 vdpjd.exe 4872 1fxrllf.exe 3752 7xrlffx.exe 852 bnhnhh.exe 4076 jddvv.exe 1924 fllfrlf.exe 3340 fxfxrlf.exe 4628 bthbnn.exe 4584 9ppjj.exe 2800 1ffxxxr.exe 1684 nnnhhh.exe 1532 lxlfxxx.exe 4792 1hhbtt.exe 1292 dvvvp.exe 3840 9rllfff.exe 2444 tnbbhh.exe 4284 djjdv.exe 324 jvddp.exe 3472 fxlxfxf.exe 228 5tttnt.exe 3836 vdjdp.exe 1212 3hnbtt.exe -
resource yara_rule behavioral2/memory/336-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-211-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/428-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2836-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-985-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-1149-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1276 wrote to memory of 336 1276 3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe 83 PID 1276 wrote to memory of 336 1276 3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe 83 PID 1276 wrote to memory of 336 1276 3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe 83 PID 336 wrote to memory of 4692 336 lflrlll.exe 84 PID 336 wrote to memory of 4692 336 lflrlll.exe 84 PID 336 wrote to memory of 4692 336 lflrlll.exe 84 PID 4692 wrote to memory of 2556 4692 1bthtt.exe 85 PID 4692 wrote to memory of 2556 4692 1bthtt.exe 85 PID 4692 wrote to memory of 2556 4692 1bthtt.exe 85 PID 2556 wrote to memory of 2692 2556 bbbnbt.exe 86 PID 2556 wrote to memory of 2692 2556 bbbnbt.exe 86 PID 2556 wrote to memory of 2692 2556 bbbnbt.exe 86 PID 2692 wrote to memory of 2832 2692 ffxrlfx.exe 87 PID 2692 wrote to memory of 2832 2692 ffxrlfx.exe 87 PID 2692 wrote to memory of 2832 2692 ffxrlfx.exe 87 PID 2832 wrote to memory of 3640 2832 9ppvj.exe 88 PID 2832 wrote to memory of 3640 2832 9ppvj.exe 88 PID 2832 wrote to memory of 3640 2832 9ppvj.exe 88 PID 3640 wrote to memory of 2108 3640 vvpjj.exe 89 PID 3640 wrote to memory of 2108 3640 vvpjj.exe 89 PID 3640 wrote to memory of 2108 3640 vvpjj.exe 89 PID 2108 wrote to memory of 1852 2108 jjpjd.exe 90 PID 2108 wrote to memory of 1852 2108 jjpjd.exe 90 PID 2108 wrote to memory of 1852 2108 jjpjd.exe 90 PID 1852 wrote to memory of 680 1852 jdvpj.exe 91 PID 1852 wrote to memory of 680 1852 jdvpj.exe 91 PID 1852 wrote to memory of 680 1852 jdvpj.exe 91 PID 680 wrote to memory of 5056 680 ththtn.exe 92 PID 680 wrote to memory of 5056 680 ththtn.exe 92 PID 680 wrote to memory of 5056 680 ththtn.exe 92 PID 5056 wrote to memory of 2956 5056 7vpdp.exe 93 PID 5056 wrote to memory of 2956 5056 7vpdp.exe 93 PID 5056 wrote to memory of 2956 5056 7vpdp.exe 93 PID 2956 wrote to memory of 2148 2956 pvpjj.exe 94 PID 2956 wrote to memory of 2148 2956 pvpjj.exe 
94 PID 2956 wrote to memory of 2148 2956 pvpjj.exe 94 PID 2148 wrote to memory of 2340 2148 rxffrlf.exe 95 PID 2148 wrote to memory of 2340 2148 rxffrlf.exe 95 PID 2148 wrote to memory of 2340 2148 rxffrlf.exe 95 PID 2340 wrote to memory of 3084 2340 nbhbtt.exe 96 PID 2340 wrote to memory of 3084 2340 nbhbtt.exe 96 PID 2340 wrote to memory of 3084 2340 nbhbtt.exe 96 PID 3084 wrote to memory of 4256 3084 pjjdp.exe 97 PID 3084 wrote to memory of 4256 3084 pjjdp.exe 97 PID 3084 wrote to memory of 4256 3084 pjjdp.exe 97 PID 4256 wrote to memory of 4820 4256 ththbt.exe 98 PID 4256 wrote to memory of 4820 4256 ththbt.exe 98 PID 4256 wrote to memory of 4820 4256 ththbt.exe 98 PID 4820 wrote to memory of 3920 4820 bnhhbt.exe 99 PID 4820 wrote to memory of 3920 4820 bnhhbt.exe 99 PID 4820 wrote to memory of 3920 4820 bnhhbt.exe 99 PID 3920 wrote to memory of 3052 3920 vjjjv.exe 100 PID 3920 wrote to memory of 3052 3920 vjjjv.exe 100 PID 3920 wrote to memory of 3052 3920 vjjjv.exe 100 PID 3052 wrote to memory of 208 3052 5flfxxr.exe 101 PID 3052 wrote to memory of 208 3052 5flfxxr.exe 101 PID 3052 wrote to memory of 208 3052 5flfxxr.exe 101 PID 208 wrote to memory of 2476 208 tnttht.exe 102 PID 208 wrote to memory of 2476 208 tnttht.exe 102 PID 208 wrote to memory of 2476 208 tnttht.exe 102 PID 2476 wrote to memory of 1632 2476 vpvvp.exe 103 PID 2476 wrote to memory of 1632 2476 vpvvp.exe 103 PID 2476 wrote to memory of 1632 2476 vpvvp.exe 103 PID 1632 wrote to memory of 2384 1632 3lllxxx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe"C:\Users\Admin\AppData\Local\Temp\3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\lflrlll.exec:\lflrlll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\1bthtt.exec:\1bthtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\bbbnbt.exec:\bbbnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\9ppvj.exec:\9ppvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\vvpjj.exec:\vvpjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\jjpjd.exec:\jjpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\jdvpj.exec:\jdvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\ththtn.exec:\ththtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\7vpdp.exec:\7vpdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\pvpjj.exec:\pvpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\rxffrlf.exec:\rxffrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\nbhbtt.exec:\nbhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\pjjdp.exec:\pjjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\ththbt.exec:\ththbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\bnhhbt.exec:\bnhhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\vjjjv.exec:\vjjjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\5flfxxr.exec:\5flfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\tnttht.exec:\tnttht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\vpvvp.exec:\vpvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\3lllxxx.exec:\3lllxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\xllflff.exec:\xllflff.exe23⤵
- Executes dropped EXE
PID:2384 -
\??\c:\btbtbb.exec:\btbtbb.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
\??\c:\jppjd.exec:\jppjd.exe25⤵
- Executes dropped EXE
PID:1152 -
\??\c:\jvdvp.exec:\jvdvp.exe26⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lxxrllf.exec:\lxxrllf.exe27⤵
- Executes dropped EXE
PID:856 -
\??\c:\tnnhbt.exec:\tnnhbt.exe28⤵
- Executes dropped EXE
PID:1220 -
\??\c:\vpvpj.exec:\vpvpj.exe29⤵
- Executes dropped EXE
PID:3404 -
\??\c:\dvvpj.exec:\dvvpj.exe30⤵
- Executes dropped EXE
PID:1808 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe31⤵
- Executes dropped EXE
PID:4912 -
\??\c:\xfrrlll.exec:\xfrrlll.exe32⤵
- Executes dropped EXE
PID:2488 -
\??\c:\hbnbhh.exec:\hbnbhh.exe33⤵
- Executes dropped EXE
PID:3888 -
\??\c:\jddvp.exec:\jddvp.exe34⤵
- Executes dropped EXE
PID:3892 -
\??\c:\vjvpp.exec:\vjvpp.exe35⤵
- Executes dropped EXE
PID:2308 -
\??\c:\xflfxrr.exec:\xflfxrr.exe36⤵
- Executes dropped EXE
PID:4764 -
\??\c:\nbbtnh.exec:\nbbtnh.exe37⤵
- Executes dropped EXE
PID:428 -
\??\c:\bthhnn.exec:\bthhnn.exe38⤵
- Executes dropped EXE
PID:4716 -
\??\c:\7ddjd.exec:\7ddjd.exe39⤵
- Executes dropped EXE
PID:4232 -
\??\c:\pjvpv.exec:\pjvpv.exe40⤵
- Executes dropped EXE
PID:4844 -
\??\c:\fflffff.exec:\fflffff.exe41⤵
- Executes dropped EXE
PID:1588 -
\??\c:\nhnhbt.exec:\nhnhbt.exe42⤵
- Executes dropped EXE
PID:2320 -
\??\c:\3tttnn.exec:\3tttnn.exe43⤵
- Executes dropped EXE
PID:4620 -
\??\c:\vdpjd.exec:\vdpjd.exe44⤵
- Executes dropped EXE
PID:4736 -
\??\c:\1fxrllf.exec:\1fxrllf.exe45⤵
- Executes dropped EXE
PID:4872 -
\??\c:\7xrlffx.exec:\7xrlffx.exe46⤵
- Executes dropped EXE
PID:3752 -
\??\c:\bnhnhh.exec:\bnhnhh.exe47⤵
- Executes dropped EXE
PID:852 -
\??\c:\jddvv.exec:\jddvv.exe48⤵
- Executes dropped EXE
PID:4076 -
\??\c:\fllfrlf.exec:\fllfrlf.exe49⤵
- Executes dropped EXE
PID:1924 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe50⤵
- Executes dropped EXE
PID:3340 -
\??\c:\bthbnn.exec:\bthbnn.exe51⤵
- Executes dropped EXE
PID:4628 -
\??\c:\9ppjj.exec:\9ppjj.exe52⤵
- Executes dropped EXE
PID:4584 -
\??\c:\1ffxxxr.exec:\1ffxxxr.exe53⤵
- Executes dropped EXE
PID:2800 -
\??\c:\nnnhhh.exec:\nnnhhh.exe54⤵
- Executes dropped EXE
PID:1684 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe55⤵
- Executes dropped EXE
PID:1532 -
\??\c:\1hhbtt.exec:\1hhbtt.exe56⤵
- Executes dropped EXE
PID:4792 -
\??\c:\dvvvp.exec:\dvvvp.exe57⤵
- Executes dropped EXE
PID:1292 -
\??\c:\9rllfff.exec:\9rllfff.exe58⤵
- Executes dropped EXE
PID:3840 -
\??\c:\tnbbhh.exec:\tnbbhh.exe59⤵
- Executes dropped EXE
PID:2444 -
\??\c:\djjdv.exec:\djjdv.exe60⤵
- Executes dropped EXE
PID:4284 -
\??\c:\jvddp.exec:\jvddp.exe61⤵
- Executes dropped EXE
PID:324 -
\??\c:\fxlxfxf.exec:\fxlxfxf.exe62⤵
- Executes dropped EXE
PID:3472 -
\??\c:\5tttnt.exec:\5tttnt.exe63⤵
- Executes dropped EXE
PID:228 -
\??\c:\vdjdp.exec:\vdjdp.exe64⤵
- Executes dropped EXE
PID:3836 -
\??\c:\3hnbtt.exec:\3hnbtt.exe65⤵
- Executes dropped EXE
PID:1212 -
\??\c:\7dddv.exec:\7dddv.exe66⤵PID:680
-
\??\c:\rllfxxr.exec:\rllfxxr.exe67⤵PID:3172
-
\??\c:\tnbnnh.exec:\tnbnnh.exe68⤵PID:2700
-
\??\c:\5pppp.exec:\5pppp.exe69⤵PID:2608
-
\??\c:\vvpjp.exec:\vvpjp.exe70⤵PID:2620
-
\??\c:\bbtthh.exec:\bbtthh.exe71⤵PID:4524
-
\??\c:\dvdjd.exec:\dvdjd.exe72⤵PID:3588
-
\??\c:\fxfxffx.exec:\fxfxffx.exe73⤵PID:3600
-
\??\c:\bnbbtt.exec:\bnbbtt.exe74⤵PID:4052
-
\??\c:\vvvpv.exec:\vvvpv.exe75⤵PID:3900
-
\??\c:\lflfrrr.exec:\lflfrrr.exe76⤵PID:2836
-
\??\c:\hhhhhh.exec:\hhhhhh.exe77⤵PID:1520
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe78⤵PID:1980
-
\??\c:\dvvpj.exec:\dvvpj.exe79⤵PID:2152
-
\??\c:\xlxrrlf.exec:\xlxrrlf.exe80⤵PID:4368
-
\??\c:\nhhnht.exec:\nhhnht.exe81⤵PID:1180
-
\??\c:\bttnht.exec:\bttnht.exe82⤵PID:508
-
\??\c:\rllfxfr.exec:\rllfxfr.exe83⤵PID:1328
-
\??\c:\lxlffff.exec:\lxlffff.exe84⤵PID:4680
-
\??\c:\jjpdv.exec:\jjpdv.exe85⤵PID:908
-
\??\c:\fllrlfr.exec:\fllrlfr.exe86⤵PID:4464
-
\??\c:\5hbtnn.exec:\5hbtnn.exe87⤵PID:1220
-
\??\c:\1jjdd.exec:\1jjdd.exe88⤵PID:2092
-
\??\c:\xxllfff.exec:\xxllfff.exe89⤵PID:1808
-
\??\c:\5hhhhn.exec:\5hhhhn.exe90⤵PID:528
-
\??\c:\bbbttn.exec:\bbbttn.exe91⤵PID:3048
-
\??\c:\vjvpv.exec:\vjvpv.exe92⤵PID:4772
-
\??\c:\nbhhhb.exec:\nbhhhb.exe93⤵PID:1812
-
\??\c:\jjpjj.exec:\jjpjj.exe94⤵PID:1620
-
\??\c:\ppvpp.exec:\ppvpp.exe95⤵PID:3332
-
\??\c:\3xfxrlf.exec:\3xfxrlf.exe96⤵PID:1580
-
\??\c:\ttnnhb.exec:\ttnnhb.exe97⤵PID:3444
-
\??\c:\9djdp.exec:\9djdp.exe98⤵PID:3576
-
\??\c:\1xxxxxx.exec:\1xxxxxx.exe99⤵PID:3636
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe100⤵PID:2636
-
\??\c:\bntbbh.exec:\bntbbh.exe101⤵PID:3956
-
\??\c:\3pdvv.exec:\3pdvv.exe102⤵PID:4736
-
\??\c:\ppppp.exec:\ppppp.exe103⤵PID:2268
-
\??\c:\rfrlrll.exec:\rfrlrll.exe104⤵PID:2960
-
\??\c:\7nhnht.exec:\7nhnht.exe105⤵PID:4316
-
\??\c:\htnhbb.exec:\htnhbb.exe106⤵PID:3744
-
\??\c:\5pppj.exec:\5pppj.exe107⤵PID:3508
-
\??\c:\lrlxrrl.exec:\lrlxrrl.exe108⤵PID:4548
-
\??\c:\xrxrffx.exec:\xrxrffx.exe109⤵PID:3340
-
\??\c:\nhbthh.exec:\nhbthh.exe110⤵PID:3336
-
\??\c:\9pvdv.exec:\9pvdv.exe111⤵PID:4968
-
\??\c:\bnnhbt.exec:\bnnhbt.exe112⤵PID:4412
-
\??\c:\3jjjd.exec:\3jjjd.exe113⤵PID:1032
-
\??\c:\pdpjj.exec:\pdpjj.exe114⤵PID:1836
-
\??\c:\btbtnn.exec:\btbtnn.exe115⤵PID:2064
-
\??\c:\btthbh.exec:\btthbh.exe116⤵PID:3904
-
\??\c:\jdvpp.exec:\jdvpp.exe117⤵PID:668
-
\??\c:\lflfxlr.exec:\lflfxlr.exe118⤵PID:3816
-
\??\c:\5hhbtt.exec:\5hhbtt.exe119⤵PID:4804
-
\??\c:\pjpjp.exec:\pjpjp.exe120⤵
- System Location Discovery: System Language Discovery
PID:3840 -
\??\c:\pvjvj.exec:\pvjvj.exe121⤵PID:2164
-
\??\c:\ffrrllf.exec:\ffrrllf.exe122⤵PID:2832
-